Delivery Controller 7.7

Last Modified: Nov 7, 2020 @ 6:35 am

Preparation

Citrix Licensing – If you are going to use an existing Citrix Licensing Server, upgrade it to 11.13.1.2 build 16002. This is newer than what’s on the XenApp/XenDesktop 7.7 ISO.

SQL Databases

  • Citrix blog post Database Sizing Tool for XenDesktop 7 and Bugfix for Database Sizing Tool
  • Citrix article CTX114501 – Supported Databases for Citrix Products
  • There are typically three databases: one for the Site (aka farm), one for Logging (audit log) and one for Monitoring (Director).
    • The monitoring database name must not have any spaces in it. See CTX200325 Database Naming Limitation when Citrix Director Accesses Monitoring Data Using OData APIs
    • If you want Citrix Studio to create the SQL databases automatically, then the person running Studio must be a sysadmin on the SQL instances. No lesser role will work.
    • As an alternative, you can use Citrix Studio to create SQL scripts and then run those scripts on the SQL server. In that case you only need the dbcreator and securityadmin roles.
    • It is possible to create the databases in advance. However, you must use the non-default Latin1_General_100_CI_AS_KS collation. Then use Citrix Studio to configure the database tables.
  • Citrix recommends SQL Mirroring because it has the fastest failover.
    • SQL Mirroring requires two SQL Standard Edition servers and one SQL Express for the witness server.
    • You can set up SQL Mirroring either before or after installing XenDesktop. If after, see Citrix CTX140319 How to Migrate XenDesktop Database to New SQL Server to manually change XenDesktop’s database connection strings.
    • To set up SQL Mirroring, see Rob Cartwright: Configure SQL Mirroring For Use With XenDesktop, XenApp, and PVS Databases.
    • If you try to stretch the mirror across datacenters, the SQL witness must be placed in a third datacenter that has connectivity to the other two datacenters. However, stretching a single XenApp/XenDesktop site/farm and corresponding SQL mirror across datacenters is not recommended.
  • AlwaysOn Availability Groups and SQL Clustering are also supported. However, these features require the much more expensive SQL Enterprise Edition.

Windows Features

  • Installing Group Policy Management on the Delivery Controller lets you edit GPOs and have access to the Citrix Policies node in the GPO Editor. Or you can install Studio on a different machine that has GPMC installed.
  • vSphere Web Client – if you will connect to vSphere Web Client from the Controller machine, Flash Player is only available for IE if you install the Desktop Experience feature. Or you can use Google Chrome.

vSphere

Delivery Controller Install

  1. A typical size for the Controller VMs is 2-4 vCPU and 8 GB of RAM.
  2. On two Delivery Controllers, install the Delivery Controller software from the XenApp/XenDesktop 7.7 media. Download it from XenApp Enterprise, XenApp Platinum, XenDesktop Enterprise, or XenDesktop Platinum, depending on your license. Go to the downloaded XenDesktop 7.7 ISO and run AutoSelect.exe.
  3. Click Start next to either XenApp or XenDesktop. The only difference is the product name displayed in the installation wizard.
  4. On the left, click Delivery Controller.
  5. You can install all components on one server or on separate servers. Splitting them out is only necessary in large environments or if you want to share the components (e.g. Licensing, StoreFront, Director) across multiple farms.
  6. In the Features page, uncheck the box next to Install Microsoft SQL Server 2012 SP1 Express and click Next.
  7. In the Summary page, click Install.
  8. In the Installation Successful page, click Finish. Studio will automatically launch.
  9. Ensure the two Controller VMs do not run on the same hypervisor host. Create an anti-affinity rule.

Citrix Studio 7.7 Hotfix 1

Without this fix, you can’t enter quotes in the command line arguments field of published apps.

  1. Go to the downloaded Citrix Studio 7.7 Hotfix 1 (DStudio770WX64001) and run DesktopStudio_x64.msi.
  2. In the Please read the Citrix Studio License Agreement page, check the box next to I accept the terms and click Install.
  3. In the Completed the Citrix Studio Setup Wizard page, click Finish.
  4. Programs and Features shows the updated version.

Create Site

There are several methods of creating the databases for XenApp/XenDesktop:

  • If you have sysadmin permissions to SQL, let Citrix Studio create the databases automatically.
  • If you don’t have sysadmin permissions to SQL then use Citrix Studio to generate SQL scripts and send them to a DBA.

Database Mirroring

If you are not using database mirroring then skip to the next section.

You can set up SQL Mirroring either before configuring XenDesktop or after configuring XenDesktop.

  • If before, then the empty databases (Site, Logging, Monitoring) must use the Latin1_General_100_CI_AS_KS collation, which is not the default.
  • If SQL Mirroring is already set up, then XenDesktop will detect it and set the database connection strings accordingly. Or you can manually change the database connection strings later as detailed at Citrix CTX140319 How to Migrate XenDesktop Database to New SQL Server.
  • If you use Citrix Studio to create SQL scripts that populate the databases, then there will be separate SQL scripts for the Primary and Partner.

To verify mirroring after the XenDesktop configuration has completed, run the PowerShell cmdlet get-configdbconnection and ensure that the Failover Partner has been set in the connection string to the mirror.

 

Use Studio to Create Database Scripts

  1. Launch Citrix Studio. After it loads, click Deliver applications and desktops to your users.
  2. In the Introduction page, select An empty, unconfigured site. This reduces the number of pages in this Setup wizard. The other pages will be configured later.
  3. Enter a Site Name (aka farm name) and click Next. Only administrators see the farm name.
  4. In the Databases page, change the selection to Generate scripts to manually set up databases on the database server.
  5. Change the database names if desired.
  6. If you are building two Controllers, click Select near the bottom of the same page.
  7. Click Add.
  8. Enter the FQDN of the second Controller and click OK. Note: the Delivery Controller software must already be installed on that machine.
  9. Then click Save.
  10. If you hover your mouse over 2 selected, it will show both Controllers. Click Next.
  11. In the Summary page, click Generate scripts.
  12. A folder will open with six scripts. Edit each of the scripts.
  13. Near the top of each script are two lines to create the database. Uncomment both lines (including the go line). Then save and close the file.

  14. Once all of the scripts are edited you can send them to your DBA.
  15. On the Principal SQL Server, open the file Site_Principal.sql.

  16. Open the Query menu and click SQLCMD Mode.
  17. Then execute the script.
  18. If SQLCMD mode was enabled properly then the output should look something like this:
  19. If you have a mirrored database, run the second script on the mirror SQL instance. Make sure SQLCMD mode is enabled.


  20. Repeat for the Logging_Principal.sql script.
  21. You’ll have to enable SQLCMD Mode for each script you open.


  22. Repeat for the Monitoring_Principal.sql script.
  23. Once again enable SQLCMD Mode.


  24. The person running Citrix Studio must be added to the SQL Server as a SQL Login and granted the public server role.

  25. Back in Citrix Studio, click the Continue database configuration and Site setup button.
  26. In the Database page, enter the SQL server name and instance name and click Next.

  27. On the Licensing page, enter the name of the Citrix License Server and click Connect.
  28. XenApp/XenDesktop 7.7 requires the newest Licensing Server. If your server isn’t compatible, leave it set to localhost and fix it later.
  29. If the Certificate Authentication appears, select Connect me and click Confirm.
  30. Then select your license and click Next.
  31. In the Summary page, make your selection for Customer Experience Improvement Program and click Finish.
  32. It will take some time for the site to be created.

Verify Database Mirroring

If your database is mirrored, when you run get-brokerdbconnection, you’ll see the Failover Partner in the database connection string.
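
The mirroring check described here and under Database Mirroring can be run across every service connection string at once instead of one cmdlet at a time. This is an added example, not code from the original article or from Citrix; the function name and the constructed sample strings (SQL01, SQL02, CitrixSite) are assumptions, and the live branch only runs where the Citrix snap-ins are available.

```powershell
# Added example: check each XenDesktop service connection string for a mirror.
function Get-MirrorStatus {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$ConnectionString
    )
    $builder = New-Object System.Data.Common.DbConnectionStringBuilder
    # The builder is also a dictionary, so call the property setter explicitly;
    # "$builder.ConnectionString = ..." would be treated as a key assignment.
    $builder.set_ConnectionString($ConnectionString)

    # Return the value of the first keyword that is present (keywords are case-insensitive).
    $first = {
        param([string[]]$Keys)
        foreach ($k in $Keys) { if ($builder.ContainsKey($k)) { return $builder[$k] } }
    }
    $partner = & $first 'Failover Partner'

    [pscustomobject]@{
        Source          = $Source
        Server          = & $first 'Server', 'Data Source'
        Database        = & $first 'Initial Catalog', 'Database'
        FailoverPartner = $partner
        Mirrored        = -not [string]::IsNullOrWhiteSpace($partner)
    }
}

# Constructed sample strings, used only when no Citrix cmdlets are found.
$constructed = [ordered]@{
    'Sample-Mirrored'   = 'Server=SQL01;Initial Catalog=CitrixSite;Integrated Security=True;Failover Partner=SQL02'
    'Sample-Unmirrored' = 'Server=SQL01;Initial Catalog=CitrixSite;Integrated Security=True'
}

try { Add-PSSnapin Citrix.* -ErrorAction Stop } catch { }

# Discover the per-service cmdlets (Get-ConfigDBConnection, Get-BrokerDBConnection, ...).
$cmdlets = @(Get-Command -Name 'Get-*DBConnection' -CommandType Cmdlet -ErrorAction SilentlyContinue)

$results = if ($cmdlets.Count -gt 0) {
    foreach ($c in $cmdlets) {
        $cs = & $c.Name
        # A service with no database configured returns nothing; skip it.
        if (-not [string]::IsNullOrWhiteSpace($cs)) {
            Get-MirrorStatus -Source $c.Name -ConnectionString $cs
        }
    }
} else {
    foreach ($name in $constructed.Keys) {
        Get-MirrorStatus -Source $name -ConnectionString $constructed[$name]
    }
}

$results | Format-Table -AutoSize

# Any service left without a Failover Partner stays on the principal after a failover.
$unmirrored = @($results | Where-Object { -not $_.Mirrored })
if ($unmirrored.Count -gt 0) {
    Write-Warning ("No Failover Partner set for: " + ($unmirrored.Source -join ', '))
}
```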

Second Controller

There are several methods of adding a second Controller to the databases for XenApp/XenDesktop:

  • If you have sysadmin permissions to SQL, let Citrix Studio modify the databases automatically.
  • If you don’t have sysadmin permissions to SQL then use Citrix Studio to generate SQL scripts and send them to a DBA.

To use Citrix Studio to create the SQL Scripts:

  1. On the 1st Delivery Controller, if StoreFront is installed, delete the default StoreFront store (/Citrix/Store) and recreate it with your desired Store name (e.g. /Citrix/CompanyStore).
  2. On the 2nd Delivery Controller, install XenDesktop as detailed earlier.
  3. After running Studio, click Connect this Delivery Controller to an existing Site.
  4. Enter the name of the first Delivery Controller and click OK.
  5. If you don’t have elevated SQL permissions, click No when asked if you want to update the database automatically.
  6. Click Generate scripts.
  7. A folder will open with six scripts. If not mirroring, then the top three scripts need to be sent to a DBA. If mirroring, send all six.
  8. On the SQL Server, open one of the .sql files.

  9. Open the Query menu and click SQLCMD Mode.
  10. Then execute the XenDesktop script.
  11. If SQLCMD mode was enabled properly then the output should look something like this:
  12. Back in Citrix Studio, click OK.
  13. In the Studio, under Configuration > Controllers, you should see both controllers.
  14. You can also test the site again if desired.

Studio – Slow Launch

From B.J.M. Groenhout at Citrix Discussions: The following adjustments can be made if Desktop Studio (and other Citrix management Consoles) will start slowly:

  • Within Internet Explorer, go to Tools – Internet Options – Tab Advanced – Section Security and uncheck the option Check for publisher’s certificate revocation

After adjustment Desktop Studio (MMC) will be started immediately. Without adjustment it may take some time before Desktop Studio (MMC) is started.

Registry setting (can be deployed using Group Policy Preferences):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    • "State"=dword:00023e00

Database Maintenance

View Logging Database

To view the contents of the Logging Database, in Studio, click the Logging node. On the right is Create Custom Report. See Citrix article CTX138132 Viewing Configuration Logging Data Not Shown for more info.

Enable Read-Committed Snapshot

The XenDesktop Database can become heavily utilized under load in a large environment. Therefore Citrix recommends enabling the Read_Committed_Snapshot option on the XenDesktop databases to remove contention on the database from read queries. This can improve the interactivity of Studio and Director. It should be noted that this option may increase the load on the tempdb files. See Citrix article CTX137161 How to Enable Read-Committed Snapshot in XenDesktop for configuration instructions.

Change Database Connection Strings

Sometimes the database connection strings need to be modified:

  • When moving the SQL databases to a different SQL server
  • When enabling mirroring after the databases have already been configured in Studio.

CTX140319 How to Migrate XenDesktop Database to New SQL Server has the correctly ordered list of PowerShell commands to change the database connection strings. Make sure PowerShell is running as administrator before running these commands.

Step 5 assumes Site, Monitoring, and Logging are one database so you’ll need to adjust the commands if those databases are split. In particular, change $cs in Set-LogDBConnection -DataStore Logging -DBConnection $cs to the Logging database. And change $cs in Set-MonitorDBConnection -DataStore Monitor -DBConnection $cs to the Monitoring database. The other commands don’t need to be changed.

Director Grooming

If XenDesktop is not Platinum Edition then all historical Director data is groomed at 7 days.

For XenDesktop/XenApp Platinum Edition, by default, most of the historical Director data is groomed at 90 days. This can be adjusted up to 367 days by running a PowerShell cmdlet.

  1. On a Delivery Controller, run PowerShell and run asnp Citrix.*

  2. Run Get-MonitorConfiguration to see the current grooming settings.
  3. Run Set-MonitorConfiguration to change the grooming settings.

Studio Administrators

Full Administrators

  1. In the Studio, under Configuration, click the Administrators node. The first time you access the node you’ll see a Welcome page. Feel free to check the box and then click Close.
  2. On the Administrators tab, right-click and click Create Administrator.
  3. In the Administrator and Scope page, specify a group (e.g. Citrix Admins or Help Desk) that will have permissions to Studio and Director. Click Next.
  4. On the Role page, select a role and then click Next. For example:
    • Full Administrator for the Citrix Admins group
    • Help Desk Administrator for the Help Desk group
    • Machine Catalog Administrator for the desktop team
  5. In the Summary page, click Finish.

Help Desk

  1. In the Studio, under Configuration, click the Administrators node. On the Administrators tab, right-click and click Create Administrator.
  2. In the Administrator and Scope page, specify a Help Desk group that will have permissions to Studio and Director. Click Next.
  3. On the Role page, select the Help Desk Administrator role and then click Next.
  4. In the Summary page, click Finish.
  5. When administrators in the Help Desk role log into Director, all they see is this.

    To jazz it up a little, add the Help Desk group to the read-only role.
  6. Right-click the Help Desk Administrator and click Edit Administrator.
  7. Click Add.
  8. In the Scope page, select a scope and click Next.
  9. In the Role page, select Read Only Administrator and click Next.
  10. In the Summary page, click Finish.
  11. Then click OK. Now Director will display the dashboard.

Provisioning Services w/Personal vDisk

From Citrix docs.citrix.com: The Provisioning Services Soap Service account must be added to the Administrator node of Studio and must have the Machine Administrator or higher role. This ensures that the PvD desktops are put into the Preparing state when the Provisioning Services (PVS) vDisk is promoted to production.

vCenter Connection

XenDesktop uses an Active Directory service account to log into vCenter. This account needs specific permissions in vCenter. To facilitate assigning these permissions, create a new vCenter role and assign it to the XenDesktop service account. The permissions should be applied at the datacenter or higher level. CTX214389 How to Define VMware vSphere User Privileges for XenApp and XenDesktop defines the minimum permissions needed for various activities in XenDesktop: MCS, PvS, Power Management, and AppDisks.

Import vCenter Certificate

If you replaced the certificates on your vCenter server, then skip this section.

If vCenter is using a self-signed certificate, in order for Delivery Controller to trust the vCenter certificate, you must import the vCenter certificate on both Delivery Controllers.

  1. Open a browser and connect to your vCenter Server.
  2. Click the padlock and then view the certificate.
  3. On the Details tab, click Copy to File.
  4. Save the certificate in any format.

  5. On each Delivery Controller, run mmc.exe. Open the File menu and click Add/Remove Snap-in. If your server is Windows Server 2012 R2 or newer, you can skip a few steps by running certlm.msc.
  6. Move the Certificates snap-in to the right by highlighting it and clicking Add.
  7. Select Computer account and click Next.
  8. Select Local computer and click Finish.
  9. Click OK.
  10. After adding the snap-in, right-click the Trusted People node, expand All Tasks and click Import.
  11. In the Welcome to the Certificate Import Wizard page, click Next.
  12. In the File to Import page, browse to the certificate file you exported earlier. Click Next.
  13. In the Certificate Store page, click Next.
  14. In the Completing the Certificate Import Wizard page, click Finish.
  15. Click OK to acknowledge that the import was successful.
  16. Repeat these steps on the second Controller. It is important that you do both Controllers before adding the vCenter connection.
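
The import steps above can be scripted so that the exported file is checked before it is trusted. This is an added example, not part of the original article; the function name, the sample file path, and the idea of comparing against a thumbprint read out-of-band (for example from the vCenter console) are assumptions, and it expects a DER or Base-64 .cer file.

```powershell
# Added example: verify an exported vCenter certificate, then import it into
# Trusted People on the local Delivery Controller. Run from an elevated prompt.
function Import-VCenterCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,               # file saved in step 4
        [Parameter(Mandatory)][string]$VCenterFqdn,        # name used in the /sdk URL
        [Parameter(Mandatory)][string]$ExpectedThumbprint  # obtained out-of-band
    )
    $resolved = (Resolve-Path -Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $resolved

    # 1. The file must be the certificate you expect, not whatever the browser was served.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }

    # 2. It must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is not valid today (valid $($cert.NotBefore) to $($cert.NotAfter))."
    }

    # 3. The FQDN used in the hosting connection must appear in the subject or
    #    in the subjectAltName extension (OID 2.5.29.17).
    $san = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }
    $names   = "$($cert.Subject) $san"
    $pattern = '(^|[=,\s])' + [regex]::Escape($VCenterFqdn) + '($|[,\s])'
    if ($names -notmatch $pattern) {
        throw "Certificate does not name $VCenterFqdn (found: $names)."
    }

    # 4. Import only if it is not already trusted.
    $store = 'Cert:\LocalMachine\TrustedPeople'
    if (Test-Path -Path "$store\$($cert.Thumbprint)") {
        Write-Output "Already present in $store : $($cert.Thumbprint)"
        return
    }
    if ($PSCmdlet.ShouldProcess($store, "Import $($cert.Subject)")) {
        Import-Certificate -FilePath $resolved -CertStoreLocation $store
    }
}

# Example call (placeholder values; run on each Delivery Controller):
# Import-VCenterCertificate -Path 'C:\Temp\vcenter01.cer' `
#     -VCenterFqdn 'vcenter01.corp.local' `
#     -ExpectedThumbprint '<thumbprint read from the vCenter console>'
```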

Hosting Resources

A Hosting Resource = vCenter + Cluster (Resource Pool) + Storage + Network. When you create a machine catalog, you select a previously defined Hosting Resource and the Cluster, Storage, and Network defined in the Hosting Resource object are automatically selected. If you need some desktops on a different Cluster+Storage+Network then you’ll need to define more Hosting Resources in Studio.

  1. In Studio, expand Configuration and click Hosting. Right-click it and click Add Connection and Resources.
  2. In the Connection page, select VMware vSphere as the Host type.
  3. Enter https://vcenter01.corp.local/sdk as the vCenter URL. The URL must contain the FQDN of the vCenter server. If the vCenter certificate is self-signed, ensure it is added to the Trusted People certificate store on all Delivery Controllers. Ensure the entered URL has /sdk on the end.
  4. Enter credentials of a service account. Click Next.
  5. Enter a name for the hosting resource. Since each hosting resource is a combination of vCenter, Cluster, Network, and Datastore, include those names in this field (e.g. vCenter01-Cluster01-Network01-Datastore01).
  6. In the Cluster page, click Browse and select a cluster or resource pool.
  7. Select a network and click Next.
  8. On the Storage page, select a datastore for the virtual machines. Maximum flexibility is achievable if you only select one datastore per hosting resource. Create additional hosting resources for each datastore.
  9. If desired, change the selection for personal vDisk to use a different storage. Click Next.
  10. In the Summary page, click Finish.

Citrix Director

Director on Standalone Server

If you are installing Director 7.7 on a standalone server, see Citrix CTX142260 Installing or Upgrading to Citrix Director 7.6.200

  1. If you intend to install Director on a standalone server, start with running AutoSelect.exe from the XenApp/XenDesktop 7.7 media.
  2. On the right, click Citrix Director.
  3. It will ask you for the location of one Controller in the farm. Then finish the installation wizard.
  4. In IIS Manager, go to Default Web Site > Director > Application Settings, find Service.AutoDiscoveryAddresses and make sure it points to a Controller and not to localhost.

  5. If you built multiple Director servers, then use NetScaler to load balance them.

Director Single Sign-on

You can configure Director 7.7 to support Integrated Windows Authentication (Single Sign-on). Note: there seem to be issues when not connecting from the local machine or when connecting through a load balancer.

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle, double-click Authentication in the IIS section. 
  4. Right-click Windows Authentication and Enable it.
  5. Right-click Anonymous Authentication and Disable it.
  6. Pass-through auth won’t work from another computer until you set the http SPN for the Director server. See Director 7.7 Windows Authentication not working with NS LB at discussions.citrix.com.
  7. If Director is not installed on a Controller then you’ll need to configure Kerberos delegation.
  8. If you are load balancing Director then additional config is required. See Director 7.7 Windows Authentication not working with NS LB at discussions.citrix.com for more info.
    1. Create an AD service account that will be used as the Director’s ApplicationPoolIdentity.
    2. Create SPN and link it to the service account.
      setspn -S http/loadbalanced_URL domain\user
    3. Trust the user account for delegation to any service (Kerberos only) (trust the Director servers for delegation is not necessary in this case). You have to create the SPN before you can do this step.
    4. In IIS manager, on the Application Pools (Director), specify the Identity as the user created in step 1.
    5. In IIS manager, select Default Web Site and open the Configuration Editor.
    6. Use the drop-down to navigate to the following section:

      system.webServer/security/authentication/windowsAuthentication
    7. Set useAppPoolCredentials = True and useKernelMode = False. Click Apply on the top right.

  9. When you connect to Director you will be automatically logged in. You can change the login account by first logging off.
  10. Then change the drop-down to User credentials.

Director – Multiple XenDesktop Sites

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle pane, double-click Application Settings.
  4. Find the entry for Service.AutoDiscoveryAddresses and double-click it.
  5. If Director is installed on a Controller, localhost should already be entered.
  6. Add a comma and the NetBIOS name of one of the controllers in the 2nd XenDesktop Site (farm). Only enter one Controller name. If you have multiple Director servers, you can point each Director server to a different Controller in the 2nd XenDesktop Site (farm).
  7. According to Citrix CTX200543 Desktop Director Access Fails After XenDesktop 7.5 is Upgraded to 7.6, the addresses should be NetBIOS names, not FQDN. Click OK.

Director Alerts and Notifications

Director 7.7 supports alert conditions and email notifications. This feature requires XenApp/XenDesktop to be licensed with Platinum Edition. See Citrix Blog Post Configuring & Managing Alerts and Notifications Using Director for more information.

  1. While logged into Director, at the top of the page click the Alerts button.
  2. Switch to the Email Server Configuration tab.
  3. Enter your SMTP information and click Send Test Message. Then click Save.

  4. Switch to the Citrix Alerts Policy tab.
  5. There are three high-level categories of alerts: Site Policy, Delivery Group Policy, and Server OS Policy. Click whichever one you want to configure.
  6. Then click Create.
  7. Give the alert a name.
  8. On the bottom left, select a condition and enter thresholds.
  9. On the bottom right, in the Notifications preferences section, click Add.
  10. Enter an email address and click Add.
  11. Click Save when done. Feel free to create more alerts and notifications.
  12. Citrix has an experimental Desktop Notification Tool. See Citrix Blog Post Desktop Notification Tool For Citrix XenDesktop.

Director – SCOM Integration

Director 7.7 can display alerts from System Center Operations Manager 2012 R2. This feature requires XenApp/XenDesktop Platinum Edition.

  1. See Configure SCOM integration at docs.citrix.com for detailed configuration instructions. Also see Marius Sandbu Integrating Citrix XenDesktop 7.7 and System Center Operations Manager.
  2. If Director server or System Center Operations Manager server is 2008 R2, then login to the 2008 R2 server, open PowerShell and run Enable-PSRemoting. Yes to everything. This is not needed on Windows Server 2012 R2 servers.
  3. On Director 7.7 server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /configscom
  4. FYI, the DirectorConfig.exe /configscom command enables the following features on the Director server: /FeatureName:IIS-NetFxExtensibility45 /FeatureName:IIS-ASPNET45 /FeatureName:WCF-HTTP-Activation45
  5. FYI, the System Center Operations Manager server is listed in IIS Manager at Default Web Site > Director > Application Settings (middle pane) > Connector.SCOM.ManagementServer.
  6. On the System Center Operations Manager server, edit Remote Management Users local group and add Citrix Admins and other Director users.
  7. In System Center Operations Manager Console, go to Administration > User Roles and edit Operations Manager Operators. Add the Citrix Admins and other Director users.
  8. See Citrix Blog Post SCOM Alerts in Citrix Director for information on how to view System Center Operations Manager alerts in Director.

Director Tweaks

Prepopulate the domain field

From http://www.xenblog.dk/?p=33: On the Controllers having the Director role installed, locate and edit the ‘LogOn.aspx’ file. By default you can find it at “C:\inetpub\wwwroot\Director\Logon.aspx”

In line 450 you will have the following. To find the line, search for ID=”Domain”. Note: onblur and onfocus attributes were added in newer versions of Director.

<asp:TextBox ID="Domain" runat="server" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

In the ID=”Domain” element, insert a Text attribute and set it to your domain name. Don’t change or add any other attributes. Save the file.

<asp:TextBox ID="Domain" runat="server" Text="Corp" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

This will prepopulate the domain field text box with your domain name and still allow the user to change it, if that should be required. Note: this only seems to work if Single Sign-on is disabled.

Session timeout

By default the idle time session limit of the Director is 245 min. If you wish to change the timeout, here is how to do it.

  1. Log on to the Director Server as an administrator
  2. Open the ‘IIS Manager’
  3. Browse to ‘Sites\Default Web Site\Director’ in the left hand pane.
  4. Open ‘Session State’ in the right hand pane
  5. Change the ‘Time-out (in minutes)’ value under ‘Cookie Settings’
  6. Click ‘Apply’ in the Actions list

SSL Check

From http://euc.consulting/blog/citrix-desktop-director-2-1: If you are not securing Director with an SSL certificate you will get this error at the logon screen.

To stop this:

  1. Log on to the Director Server as an administrator
  2. Open the ‘IIS Manager’
  3. Browse to ‘Sites\Default Web Site\Director’ in the left hand pane.
  4. Open ‘Application Settings’ in the right hand pane
  5. Set EnableSslCheck to false.

Disable Activity Manager

From docs.citrix.com: By default, the Activity Manager in Director displays a list of all the running applications and the Windows description in the title bars of any open applications for the user’s session. This information can be viewed by all administrators that have access to the Activity Manager feature in Director. For Delegated Administrator roles, this includes Full administrator, Delivery Group administrator, and Help Desk Administrator.

To protect the privacy of users and the applications they are running, you can disable the Applications tab from listing running applications.

  • On the VDA, modify the registry key located at HKLM\Software\Citrix\Director\TaskManagerDataDisplayed. By default, the key is set to 1. Change the value to 0, which means the information will not be displayed in the Activity Manager.
  • On the server with Director installed, modify the setting that controls the visibility of running applications. By default, the value is true, which allows visibility of running applications in the Applications tab. Change the value to false, which disables visibility. This option affects only the Activity Manager in Director, not the VDA. Modify the value of the following setting:
    UI.TaskManager.EnableApplications = false
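
The Application Settings changed in the SSL Check and Disable Activity Manager sections, together with Service.AutoDiscoveryAddresses from the standalone install, can be reviewed in one pass. This is an added example, not part of the original article or Citrix tooling; the function name, the web.config location, and the constructed sample are assumptions, and keys are matched by suffix because the page gives some names in short form.

```powershell
# Added example: flag Director application settings that this page changes.
# Constructed sample; key names are written as they appear on this page.
$constructedConfig = @'
<configuration>
  <appSettings>
    <add key="Service.AutoDiscoveryAddresses" value="localhost" />
    <add key="EnableSslCheck" value="false" />
    <add key="UI.TaskManager.EnableApplications" value="true" />
  </appSettings>
</configuration>
'@

function Get-DirectorSettingFindings {
    param(
        [Parameter(Mandatory)][xml]$WebConfig,
        [switch]$Standalone   # set when Director is not installed on a Controller
    )
    # Collect appSettings into a key/value table.
    $settings = @{}
    foreach ($node in $WebConfig.SelectNodes('/configuration/appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    # Each rule: key suffix, a test that returns $true when the value deserves
    # review, and the reason to show.
    $rules = @(
        @{ Suffix = 'EnableSslCheck'
           Flag   = { param($v) $v -eq 'false' }
           Why    = 'SSL check is off: the logon page no longer warns when Director is reached without SSL' }
        @{ Suffix = 'TaskManager.EnableApplications'
           Flag   = { param($v) $v -ne 'false' }
           Why    = 'Activity Manager shows running applications and window titles to delegated administrators' }
        @{ Suffix = 'AutoDiscoveryAddresses'
           Flag   = { param($v) $Standalone -and ((($v -split ',').Trim()) -contains 'localhost') }
           Why    = 'Standalone Director points at localhost instead of a Controller' }
    )

    foreach ($rule in $rules) {
        $key = $settings.Keys | Where-Object { $_ -like "*$($rule.Suffix)" } | Select-Object -First 1
        if (-not $key) {
            [pscustomobject]@{ Setting = $rule.Suffix; Value = $null; Flagged = $false; Note = 'not set; default applies' }
            continue
        }
        $value   = $settings[$key]
        $flagged = [bool](& $rule.Flag $value)
        [pscustomobject]@{
            Setting = $key
            Value   = $value
            Flagged = $flagged
            Note    = if ($flagged) { $rule.Why } else { 'ok' }
        }
    }
}

# Assumed location: IIS stores the Director Application Settings in this file.
$path = 'C:\inetpub\wwwroot\Director\web.config'
$xml  = if (Test-Path -Path $path) { [xml](Get-Content -Raw -Path $path) } else { [xml]$constructedConfig }

Get-DirectorSettingFindings -WebConfig $xml -Standalone | Format-Table -AutoSize -Wrap
```

Drop the -Standalone switch when Director runs on a Delivery Controller, where localhost is the expected first address.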

Large Active Directory

From CTX133013 Desktop Director User Account Search Process is Slow or Fails: By default, all the Global Catalogs for the Active Directory Forest are searched using Lightweight Directory Access Protocol (LDAP). In a large Active Directory environment, this query can take some time or even time out.

  1. In Information Server (IIS) Management, under the Desktop Director site, select Application Settings and add a new value called ActiveDirectory.ForestSearch. Set it to False. This disables searching any domain except the user’s domain and the server’s domain.
  2. To search more domains, add the searchable domain or domains in the ActiveDirectory.Domains field.

Site Groups

From Citrix Blog Post Citrix Director 7.6 Deep-Dive Part 4: Troubleshooting Machines:

If there are a large number of machines, the Director administrator can now configure site groups to perform machine search so that they can narrow down searching for the machine inside a site group. The site groups can be created on the Director server by running the configuration tool via command line by running the command:

C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /createsitegroups

Then provide a site group name and IP address of the delivery controller of the site to create the site group.

Director – Saved Filters

From Scott Osborne and Jarian Gibson at Citrix Discussions: In Director, you can create a filter and save it.

The saved filter is then accessible from the Filters menu structure.

The saved filters are stored on each Director server at C:\Inetpub\wwwroot\Director\UserData. Observations:

  • Each user has their own saved filters.
  • The saved filters are not replicated across Director servers. You can schedule a robocopy script to do this automatically.
  • When upgrading Director, the saved filters are deleted?

Director – Custom and Scheduled Reports

The Monitoring database contains more data than is exposed in Director. To view this data, the Monitoring service has an OData Data Feed that can be queried.

You can use Excel to pull data from the OData Data feed. See Citrix Blog Post – Citrix Director – Analyzing the Monitoring Data by Means of Custom Reports. This particular blog post shows how to use an Excel PivotChart to display the connected Receiver versions.

Or for Linqpad, see Citrix Blog Post – Creating Director Custom reports for Monitoring XenDesktop using Linqpad

Go to Citrix Blog Post Obtain XenDesktop Custom report through Citrix Director and download the tool. Once installed you can create custom reports from within Director.

Citrix Licensing Server

Upgrade

Upgrade Citrix Licensing to 11.13.1.2. This is newer than what’s on the XenApp/XenDesktop 7.7 ISO.

  1. Go to the downloaded Citrix Licensing 11.13.1.2 build 16002 and run CitrixLicensing.exe.
  2. Click Upgrade.
  3. Click Finish.
  4. If you go to Programs and Features, it should now show version 11.1.0.16002.
  5. If you login to the license server web console, on the Administration tab, it shows it as version 11.13.1 build 16002.
  6. You can also view the version in the registry at HKLM\Software\Wow6432Node\Citrix\LicenseServer\Install.

Licensing Server HA using GSLB

From Dane Young – Creating a Bulletproof Citrix Licensing Server Infrastructure using NetScaler Global Server Load Balancing (GSLB) and CtxLicChk.ps1 PowerShell Scripts. Here is a summary of the configuration steps. See the blog post for detailed configuration instructions.

  1. Build two License Servers in each datacenter with identical server names. Since server names are identical, they can’t be domain-joined.
  2. Install identical licenses on all License Servers.
  3. Set the DisableStrictNameChecking registry key on all Citrix Licensing servers.
  4. Synchronize the certificate files located at C:\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Apache\conf. They must be identical on all Licensing Servers.
  5. Download CtxLicChk.exe from http://support.citrix.com/article/CTX123935 and place on all Licensing Servers.
  6. Schedule the PowerShell script CtxLicChk.ps1 on all Licensing Servers. Get this script from the blog post linked above.
  7. Configure NetScaler:
    1. Configure GSLB ADNS services.
    2. Add wildcard Load Balancing service for each Citrix Licensing Server.
    3. Configure service TCP monitoring for ports 27000, 7279, 8082, and 8083.
    4. Create Load Balancing Virtual Server for each Licensing Server.
    5. Set one Load Balancing Virtual Server as backup for the other.
    6. Repeat in second datacenter.
    7. Configure GSLB Services and GSLB Monitoring.
    8. Configure GSLB Virtual Servers. Set one GSLB Virtual Server as backup for the other.
  8. Delegate the Citrix Licensing DNS name to the ADNS services on the NetScaler appliances.
  9. Configure Citrix Studio to point to the GSLB-enabled DNS name for Citrix Licensing.

Citrix License Server Monitoring

Citrix Licensing 11.13.1 and newer has historical usage reporting:  💡

  1. Run Citrix Licensing Manager from the Start Menu. Or use a browser to connect to https://MyLicenseServer:8083
  2. Use the drop-down menus to select a license type, select dates, and export to a .csv file.
  3. On the top right is a gear icon where you can set the historical retention period.

http://www.jonathanmedd.net/2011/01/monitor-citrix-license-usage-with-powershell.html.

Lal Mohan – Citrix License Usage Monitoring Using Powershell

Jaroslaw Sobel – Monitoring Citrix Licenses usage – Graphs using WMI, Powershell and RRDtool. This script generates a graph similar to the following:

[Image: CtxLicUsage-1d graph]

Remote Desktop Licensing Server

Install Remote Desktop Licensing Server

Do the following on your XenDesktop Controllers:

  1. In Server Manager, open the Manage menu and click Add Roles and Features.
  2. Click Next until you get to the Server Roles page. Check the box next to Remote Desktop Services and click Next.
  3. Click Next until you get to the Role Services page. Check the box next to Remote Desktop Licensing and click Next.
  4. Click Add Features if prompted.
  5. Then finish the wizard to install the role service.

Activate Remote Desktop Licensing

  1. After RD Licensing is installed, in Server Manager, open the Tools menu, expand Terminal Services and click Remote Desktop Licensing Manager.
  2. The tool should find the local server. If it does not, right-click All servers, click Connect and type in the name of the local server. Once the local server can be seen in the list, right-click the server and click Activate Server.
  3. In the Welcome to the Activate Server Wizard page, click Next.
  4. In the Connection Method page, click Next.
  5. In the Company Information page, enter the required information and click Next.
  6. All of the fields on the Company Information page are optional so you do not have to enter anything. Click Next.
  7. In the Completing the Activate Server Wizard page, uncheck the box next to Start Install Licenses Wizard now and click Finish. Since the session hosts will be configured to pull Per User licenses, there is no need to install licenses on the RD Licensing Server.
  8. In RD Licensing Manager, right-click the server and click Review Configuration.
  9. Ensure you have green check marks. If the person installing Remote Desktop Licensing does not have permissions to add the server to the Terminal Server License Servers group in Active Directory, ask a domain admin to do it manually. If you have the proper permissions, click Add to Group.
  10. Click Continue when prompted that you must have Domain Admins privileges.
  11. Click OK when prompted that the computer account has been added.
  12. Click OK to close the window.

Health Check

Andrew Morgan – New Free Tool: Citrix Director Notification Service: The Citrix Director Notification service sits on an edge server as a service (or local to the delivery controller) and periodically checks the health of:

  • Citrix Licensing.
  • Database Connections.
  • Broker Service.
  • Core Services.
  • Hypervisor Connections.

And if any of these items fall out of bounds, an SMTP alert is sent to the mailbox of your choice for action. The tool will also send “All Clear” emails when these items are resolved, ensuring you are aware when the service has resumed a healthy state.


VMware vRealize Operations for Horizon 6.4

Last Modified: Nov 7, 2020 @ 6:34 am


This post is for 6.4 and older. See vRealize Operations for Horizon 6.5 and newer.

💡 = Recently Updated

Planning

What’s New: VMware vRealize Operations 6.5:

  • Log Insight integration
  • vRealize Business for Cloud integration
  • Automatic upgrade of in-guest End Point Operations agents
  • Higher scalability
  • Webhooks for connections with other platforms (e.g. Slack)

VMware Blog Post VMware vRealize Operations for Horizon and Published Applications 6.4, Part 1: What’s New: In this release, you will find the following features:

vROps Webinar Series 2016 – Part 12 – What’s New with vROps 6.4 – 1 hour, 13 minute YouTube video.

vRealize Operations 6.3: What’s New, Hint it just got even better at VMware Blogs contains screenshots of the new features in vROps 6.3.

VMware 2146615 vRealize Operations Manager 6.3 Sizing Guidelines:

Download Files

  1. Download vRealize Operations Manager 6.4 appliance, which is listed on vROps for Horizon download page. Or download vRealize Operations Manager 6.5 appliance. VMware’s Product Interoperability Matrix indicates that both versions are compatible.

  2. Go to the download page for vRealize Operations for Horizon 6.4.
  3. Download the vRealize Operations for Horizon Adapter.
  4. Download the vRealize Operations for Horizon Broker Agent 64-Bit.
  5. Download the vRealize Operations for Horizon Desktop Agent.

Deploy Appliance

  1. In vSphere Web Client, navigate to the vCenter object, right-click it, and click Deploy OVF Template.
  2. In the Select Source page, select Local file, browse to the vRealize Operations 6.4 .ova file, or vRealize Operations 6.5 .ova file, and click Next.
  3. In the Review details page, click Next.

  4. If you see an Accept EULAs page, click Accept, and then click Next.
  5. In the Select name and folder page, enter a name for the appliance, select a folder, and click Next.
  6. If you see a Deployment Configuration page, select a size, and then click Next.
  7. In the Select a resource page, select a cluster, and then click Next.
  8. In the Storage page, select Thin Provision, select a datastore, and then click Next.
  9. In the Setup networks page, select a port group and click Next.
  10. In the Customize template page, select a time zone.
  11. Expand Networking Properties.
  12. Enter the IP address information for the appliance. You can also specify the time zone. Then click Next.
  13. In the Ready to Complete page, check the box next to Power on after deployment, and then click Finish.

Create Cluster

  1. Power on the new virtual appliance.
  2. Wait for the appliance to start.
  3. Use a browser to go to https://IPAddress/admin. If you see a Service unavailable message, wait a couple minutes and try again.
  4. You might also see this message. Try again.
  5. On the bottom of the page, click New Installation.
  6. In the Getting Started page, click Next.
  7. In the Set Administrator Password page, enter a password based on the listed requirements. Click Next.
  8. In the Choose Certificate page, you can upload a PEM certificate.

    The Certificate file must have .pem extension. It will not accept any other extension. Also, make sure the certificate file has both the certificate and keyfile.  If there are intermediate Certificate Authorities, add them to the PEM file. Click Next when done.
  9. In the Deployment Settings page, enter a name for the master node.
  10. Enter an NTP Server Address and click Add. Then click Next.
  11. In the Ready to Complete page, click Finish.

Start Cluster

  1. From the https://IPAddress/admin page, click Start vRealize Operations Manager.
  2. Click Yes. This will take several minutes.
  3. Log into the appliance.
  4. On the Welcome page, click Next.
  5. In the Accept EULA page, check the box next to I accept the terms, and click Next.
  6. In the Enter Product License Key page, enter the vRealize Operations license key, click Validate License Key, and click Next. Note: there is a separate license for vROps for Horizon that will be entered later.
  7. In the Customer Experience Improvement Program page, make a choice, and click Next.
  8. In the Ready to Complete page, click Finish.

Patch/Upgrade Appliance

  1. Download the Upgrade Pack or Hot Patch from the vRealize Operations 6.4 download page or vRealize Operations 6.5 download page.
  2. Use a browser to go to https://vROpsIP/admin and login as admin.
  3. On the left, switch to the Software Update page.
  4. On the right, click Install a Software Update.
  5. Click Browse and browse to an upgrade or Hot Patch .pak file downloaded from vmware.com. You must upgrade the operating system first (.pak file name containing VA-OS), and then upgrade vRealize Operations Manager (file name without OS in it).
  6. Click Upload.

  7. Click Next.

  8. In the End User License Agreement page, check the box next to I accept the terms and click Next.
  9. Installation begins.
  10. After rebooting and logging in again, the Software Update page shows that the update has been completed.

  11. After upgrading both the OS and vROps, the System Status page should show version 6.4.0.4276418.

Configure vSphere Adapter

  1. Login to the appliance.
  2. Go to Administration > Solutions.
  3. Highlight the VMware vSphere Solution, and click the Configure button in the toolbar.
  4. In the Configure adapters page, highlight the vCenter Adapter.
  5. On the bottom, enter a name for the vCenter adapter.
  6. Enter the address of the vCenter server.
  7. Click the plus icon to add a Credential.
  8. Enter credentials for the vCenter server, and click OK.
  9. Click Test Connection.
  10. Click OK to accept the certificate.
  11. Click OK to acknowledge that the test was successful.
  12. Click Save Settings when done.
  13. Click OK to acknowledge that adapter instance was successfully saved.
  14. Click Close.
  15. Note: it takes four weeks for vRealize Operations to determine dynamic thresholds.
  16. Additional adapters can be downloaded from VMware Solution Exchange – https://solutionexchange.vmware.com/store

vSphere SSON

  1. In the vRealize Operations console, go to Administration > Authentication Sources.
  2. On the right, click the green plus icon.
  3. Enter a display name.
  4. From the Source Type drop-down select SSO SAML.
  5. Enter the FQDN of the Platform Services Controller.
  6. Enter credentials of an account that is in the Single Sign-on Admins group.
  7. Select Grant administrator role to vRealize Operations Manager for future configuration.
  8. Click Test.
  9. Check the box to Accept this Certificate, and click OK.
  10. Click OK to acknowledge that the test was successful.
  11. Click OK.
  12. The Import User Groups wizard launches automatically. In the Import User Groups page, enter a group name, click Search, and then select the group. Click Next.
  13. On the Roles and Objects page, from the Select Role drop-down select Administrator.
  14. Check the box next to Assign this role to the group.
  15. Check the box next to Allow access to all objects in the system. Click Finish.
  16. You can now login using a vCenter Single Sign-on account.

Session Timeout

  1. The vRealize Operations webpage defaults to 30 minutes timeout. To change it, go to Administration > Global Settings and click the pencil icon.
  2. The maximum value for Session Timeout is 34560. Click OK.

Alerting

  1. In vRealize Operations console, go to Administration > Outbound Settings.
  2. On the right, click the green plus icon.
  3. From the Plugin Type drop-down select Standard Email Plugin.
  4. Give the Instance a name.
  5. Enter the SMTP information and click Test.
  6. Click OK to acknowledge that the test was successful.
  7. Then click Save.
  8. You can then go to Content > Notifications, and create notifications.
  9. Give the rule a name.
  10. For Method, select the Standard Email Plugin and the instance you created earlier.
  11. Enter recipients.
  12. Select Triggers and Criticality. Click Save.

Install Horizon Adapter 6.4 PAK File

  1. Login to the vRealize Operations appliance web page.
  2. Go to Administration > Solutions.
  3. On the right, click the green plus icon.
  4. In the Select Solution page, click Browse.
  5. Browse to VMware-vrops-viewadapter-6.4…pak and select it.
  6. Click Upload.
  7. Click Next.
  8. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  9. After it’s done installing, in the Install page, click Finish.

Horizon Adapter Licensing

  1. In the vRealize Operations web page, go to Administration > Licensing.
  2. On the right, click the green plus icon.
  3. Select VMware Horizon.
  4. Enter the vROps for Horizon license key and click Validate. Note: this key is different than the vRealize Operations key.
  5. Click Save.

Configure Horizon Adapter

Here are some guidelines regarding the Horizon adapter:

  • You can only have one Horizon adapter per vRealize Operations appliance.
  • Each adapter can handle up to 10,000 virtual desktops.
  • Multiple Horizon pods can point to a single adapter.

Do the following to create and configure a Horizon adapter:

  1. In vRealize Operations Manager, go back to Administration > Solutions.
  2. On the right, highlight the VMware Horizon adapter, and click the Configure icon.
  3. On the top part, highlight the Horizon Adapter.
  4. On the bottom, give the adapter a Display Name and an Adapter ID.
  5. Click the green plus icon to add a credential.
  6. Give the credential a name. Enter a new password (shared key), and click OK. You’ll use this password later.
  7. Click Test Connection.
  8. Click OK to acknowledge that the test was successful.
  9. On the bottom right, click Save Settings.
  10. Click OK.
  11. Then click Close.

Enable SSH

VMware Knowledgebase article – Enabling SSH access in vRealize Operations Manager 6.0.x (2100515):

  1. Connect to the vRealize Operations Manager virtual machine console.
  2. Press Alt+F1, and login as root.
    Note: By default there is no root password configured.
  3. Start the SSH service by running the command:
    service sshd start
  4. To configure SSH to start automatically run this command:
    chkconfig sshd on
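
A pre-flight check for the steps above, as an added example that is not part of the VMware KB article or the original page: because root starts without a password, it reads the shadow file and sshd_config and only starts sshd once root has a password set. The function names, the --apply switch and the default paths /etc/shadow and /etc/ssh/sshd_config are assumptions of this example.

```shell
#!/bin/sh
# Added example: refuse to start sshd while root has an empty password.
# "service sshd start" and "chkconfig sshd on" are the commands from the
# steps above; everything else here is an assumption of this example.

# root_password_state SHADOW_FILE -> prints empty | locked | set | missing
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")           print "empty"    # no hash at all
            else if ($2 ~ /^[!*]/)  print "locked"   # password login disabled
            else                    print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# sshd_option SSHD_CONFIG KEYWORD -> first global value, lower-cased.
# sshd uses the first value it reads for a keyword, so later duplicates are
# ignored. Prints "default" when the keyword is not set before any Match block.
sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/                  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# ssh_preflight SHADOW_FILE SSHD_CONFIG
#   Prints one line per finding. Returns 1 when root has an empty password
#   or sshd is configured to accept empty passwords, otherwise 0.
ssh_preflight() {
    state=$(root_password_state "$1")
    permit=$(sshd_option "$2" PermitRootLogin)
    empty_ok=$(sshd_option "$2" PermitEmptyPasswords)
    echo "root password:        $state"
    echo "PermitRootLogin:      $permit"
    echo "PermitEmptyPasswords: $empty_ok"
    if [ "$state" = empty ] || [ "$empty_ok" = yes ]; then
        return 1
    fi
    return 0
}

# Touch the real system only when asked to: sh ssh-preflight.sh --apply
if [ "${1:-}" = "--apply" ]; then
    if ssh_preflight /etc/shadow /etc/ssh/sshd_config; then
        service sshd start && chkconfig sshd on
    else
        echo "set a root password with passwd first, then run again" >&2
        exit 1
    fi
fi
```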

Appliance Firewall for Horizon Adapter

  1. Login as root to the CLI of the appliance using SSH, or the virtual machine console.
  2. Use vi to edit the file /opt/vmware/etc/vmware-vcops-firewall.conf.
  3. Look for the TCPPORTS line that adds 3091:3094. Right below that line, add a new line containing TCPPORTS="$TCPPORTS 3099:3101" (use straight quotes). In vi, press i to enter insert mode and then press <Esc> to exit insert mode.
  4. Enter :wq to save the file and exit.
  5. Run /etc/init.d/vmware-vcops-firewall restart.
  6. If you have vRealize Operations for Horizon Desktop Agents that are older than 6.2, then you’ll need to enable TLS 1.0 by editing the properties file. See Create an Instance of the Horizon Adapter at pubs.vmware.com for more information.
  7. If you have more than 1,000 Desktop Agents, see VMware 2096607 Adjusting the ARP cache on a vRealize Operations Manager remote collector node
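
The vi edit in steps 2 to 5 as a repeatable script, added here as an example and not taken from VMware or the original page: it inserts the line only once, skips commented-out entries, and keeps a .bak copy before writing. The file path, port ranges and restart command are the ones given above; the function names, the --apply and --demo switches, and the layout of the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example: scripted form of the firewall edit described above.

CONF=/opt/vmware/etc/vmware-vcops-firewall.conf

# add_horizon_ports FILE
#   0 = line inserted, 1 = error or anchor line missing, 2 = already present.
add_horizon_ports() {
    conf=$1
    new_line='TCPPORTS="$TCPPORTS 3099:3101"'   # straight quotes, literal $

    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # Skip comment lines so a commented-out entry is not mistaken for a live one.
    if grep -v '^[[:space:]]*#' "$conf" | grep -q 'TCPPORTS=.*3099:3101'; then
        return 2
    fi
    if ! grep -v '^[[:space:]]*#' "$conf" | grep -q 'TCPPORTS=.*3091:3094'; then
        echo "no active TCPPORTS line with 3091:3094 in $conf" >&2
        return 1
    fi

    cp -p "$conf" "$conf.bak" || return 1        # copy to roll back to
    tmp=$(mktemp) || return 1
    # Print every line; emit the new line once, right below the anchor line.
    if awk -v add="$new_line" '
            { print }
            !added && !/^[ \t]*#/ && /TCPPORTS=.*3091:3094/ { print add; added = 1 }
        ' "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"                     # overwrite in place, keeps owner and mode
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# demo: run the edit on a constructed sample (not the appliance's real file)
# and print the patched result.
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample
TCPPORTS="$TCPPORTS 443"
TCPPORTS="$TCPPORTS 3091:3094"
UDPPORTS=""
EOF
    add_horizon_ports "$sample" && cat "$sample"
    rm -f "$sample" "$sample.bak"
}

case "${1:-}" in
    --demo)
        demo ;;
    --apply)
        rc=0; add_horizon_ports "$CONF" || rc=$?
        case $rc in
            0) /etc/init.d/vmware-vcops-firewall restart ;;
            2) echo "3099:3101 already present, nothing changed" ;;
            *) exit 1 ;;
        esac ;;
esac
```

Run it with --demo first to see the result on the sample, then with --apply as root on the appliance.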

Install Horizon Broker Agent

  1. Login to one View Connection Server in your pod. Only install the Broker Agent on one View Connection Server in each pod.
  2. Run the downloaded VMware-v4vbrokeragent-x86_64-6.4.0.exe.
  3. In the Welcome to the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Ready to install the Broker Agent page, click Install.
  6. In the Completed the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Finish.

Configure Horizon Broker Agent

  1. The Configuration tool will appear immediately after installation. Or launch vRealize Operations View Broker Agent Settings from the Start Menu.
  2. In the Pair Adapter page, enter the IP address of the vRealize Operations appliance, enter 3091 for the port, enter the adapter password, and click Pair.
  3. After broker pairing is successful, click Next. If this doesn’t work, make sure the firewall ports are opened on the vRealize Operations appliance.
  4. In the View Connection Server page, enter credentials for Horizon View, and click Test.
  5. Then click Next.
  6. In the Event DB and Desktop page, enter the SQL credentials to access the Events database, and click Test.
  7. Then click Next.
  8. In the Configure App Volumes Managers to Monitoring page, enter the App Volumes info and click Test. Click the plus icon to move it to the bottom. Then click Next.
  9. In the Monitor Access Point with Broker Agent page, enter a name, enter the Access Point IP, enter 9443 as the port, enter the admin credentials, and click Test.
  10. Click the plus icon to move the Access Point appliance to the bottom. Then click Next.
  11. In the Intervals and Timeouts page, click Next.
  12. In the Configure the Logging parameters page, click Next.
  13. In the Broker Agent Service page, click Start. Then click Next.
  14. In the Review changes page, click Finish.
  15. In the vRealize Operations web console, from the Home page, you can view the Horizon Adapter Self Health dashboard to verify that the adapter and broker agent are functional.

Desktop Agent

The Desktop Agent should be installed on every Horizon Agent machine. Horizon 7 Agents come with vROps Desktop Agents. If you’re not running the latest version of Horizon 7 Agent, then upgrade the vROps Desktop Agent on those machines.

  1. Run the downloaded vRealize Operations for Horizon Desktop Agent 6.4.0 (VMware-v4vdeskopagent-x86_64-6.4.0.exe).
  2. In the Welcome to the VMware vRealize Operations for Horizon Desktop Agent Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement and click Next.
  4. In the Ready to install the Desktop Agent page, click Install.
  5. In the Completed the VMware vRealize Operations for Horizon Desktop Agent Setup Wizard page, click Finish.
  6. If you go to C:\Program Files\VMware\VMware View\Agent\bin and view the properties of the v4pa_agent.exe file, then you’ll see the installed version of the Desktop Agent.


NetScaler Scripting

Last Modified: Nov 7, 2020 @ 6:34 am


💡 = Recently Updated

Changelog

  • 2019 Mar 11 – Script to Extract Configuration – rewrote the section in instructional format
  • 2018 Dec 2 – Configuration Extractor – added a nFactor visualizer
  • 2018 Nov 17 – Configuration Extractor – Out-GridView (GUI) for vServer selection
  • 2018 Sep 19 – Configuration Extractor – several fixes
  • 2018 July 4 – Configuration Extractor
    • Added “*” to select all vServers
    • Updated for 12.1 (SSL Log Profile, IP Set, Analytics Profile)
    • Extract local LB VIPs from Session Action URLs (e.g. StoreFront URL to local LB VIP)
    • Extract DNS vServers from “set vpn parameter” and Session Actions
  • 2018 Jan 4 – Configuration Extractor, Sirius’ Mark Scott added code to browse to open and save files. Added kcdaccounts to extraction.
  • 2018 Jan 3 – new Powershell-based NetScaler Configuration Extractor script

NetScaler ADC Configuration Extractor

NetScaler ADC Configuration Extractor extracts every NetScaler ADC CLI command needed to rebuild one or more Virtual Servers. Here’s how to use the script:

  1. The extraction script loads a NetScaler ADC Configuration file and parses it. To get a NetScaler ADC Configuration file:
    1. On your NetScaler ADC, go to System > Diagnostics > Running Configuration and then click the link on bottom to save text to a file.

  2. To download the extraction script, point your browser to https://github.com/cstalhood/Get-ADCVServerConfig/blob/master/Get-ADCVServerConfig.ps1, right-click the Raw button, and Save link as.
  3. Run the extraction script in PowerShell. One option is to right-click the script file and click Run with PowerShell. (note: the script doesn’t seem to work on Windows 7)
  4. Browse for the Running Configuration file that you saved from an appliance.
  5. The script will prompt you to select one or more Virtual Servers.
  6. The script then enumerates all objects linked to the chosen Virtual Servers (e.g. Responder Policies) and provides their configuration too.
  7. The script also outputs global settings that might affect the operation of the chosen Virtual Servers.
  8. The CLI output is listed in proper order. For example, create monitors before binding them to Service Groups.
  9. If the config includes an “authentication vserver”, then a nFactor Visualizer will be shown.
  10. The extracted Virtual Server CLI configuration can be used for documentation.
  11. Or you can apply the outputted configuration to a different NetScaler ADC appliance:
    1. To import this output to a different NetScaler ADC, first change the IP addresses of the outputted Virtual Servers so there won’t be any IP Conflict after you import.
    2. SSH (Putty) to the other NetScaler ADC.
    3. Then simply copy the outputted lines and paste them into the SSH prompt.
    4. Alternatively, for a longer output file, you can upload the output file to the other NetScaler ADC (e.g. upload to /tmp directory), and then run batch -fileName on the new NetScaler ADC while specifying the uploaded filename (e.g. /tmp/nsconfig.conf).
      • Note: the batch command requires that the input file name be in lower case only and without any spaces in the file name.

I originally attempted a dynamic extraction using complicated regular expressions, but there wasn’t enough control over the extraction and output process. The new PowerShell script explicitly enumerates specific objects, thus providing complete control over the output. For example, before binding a cipher group to a Virtual Server, the current ciphers must first be removed.

The script uses several techniques to avoid false positive matches, primarily substring matches.

Let me know what bugs you encounter.

Configure NetScaler ADC from PowerShell

You can use any scripting language that supports REST calls. This section is based on PowerShell 3 and its Invoke-RestMethod cmdlet.

Brandon Olin published a PowerShell module for NetScaler at Github.  💡

CTP Esther Barthel maintains a PowerShell module for NetScaler at https://github.com/cognitionIT/PS-NITRO. See Citrix Synergy TV – SYN325 – Automating NetScaler: talking NITRO with PowerShell for an overview.

The below NetScalerPowerShell.zip contains PowerShell functions that use REST calls to configure a NetScaler appliance. It only takes a few seconds to wipe a NetScaler and configure it with almost everything detailed on this site. A glaring omission is file operations, including licenses, certificate files, and customized monitor scripts; the PowerShell script assumes these files are already present on the appliance.


Most of the functions should work on 10.5 and 11.0 with a few obvious exceptions like RDP Proxy. Here are some other differences between 10.5 and 11.0:

  • PUT operations in NetScaler 11 do not need an entity name in the URL; however 10.5 does require entity names in every PUT URL.
  • https URL for REST calls works without issue in NetScaler 11, but NetScaler 10.5 had inconsistent errors. http works without issue in NetScaler 10.5.

Nitro REST API Documentation

NetScaler Nitro REST API documentation can be found on any NetScaler by clicking the Downloads tab. The documentation is updated whenever you upgrade your firmware.

Look for the Nitro API Documentation.

Extract the files, and then launch index.html.

Start by reading the Getting Started Guide, and then expand the Configuration node to see detailed documentation for every REST call.

The Nitro API is also documented at REST Web Services at Citrix Docs.

Windows Server 2008 R2 Post-SP1 Hotfixes

Last Modified: Sep 2, 2018 @ 7:47 am

Convenience Rollup

On May 17, 2016, Microsoft released a Convenience Rollup for Windows 2008 R2 and Windows 7. This Rollup includes almost all fixes released after SP1 through April 2016. See the article for the list of excluded hotfixes.

  1. If you have not yet run Windows Updates, download and install 3020369.
  2. Then install the Convenience Rollup hotfix by running AMD64-all-windows6.1-kb3125574-v4-x64.msu. This hotfix is 476 MB.
  3. Click Yes to install the software update.

Individual Hotfixes

Alternatively, you can install individual hotfixes. These hotfixes are specific to Remote Desktop Session Host, group policies, printing, and SMB redirector and are not included in the normal Windows Update process. To get the hotfix go to the Microsoft KB article’s webpage. There is a link at the top of the page that takes you to a form where you can request the hotfix.

Available Updates for Remote Desktop Services (Terminal Services) on Windows Server 2008 R2 Service Pack 1 – https://support.microsoft.com/kb/2601888.

Citrix CTX129229 Recommended Hotfixes for XenApp 6.x on Windows Server 2008 R2. Scroll down to the Microsoft Hotfixes section.

Here is the list of hotfixes:

XenApp 6.5 Updates

Last Modified: Sep 2, 2018 @ 7:53 am

This page contains a list of available XenApp 6.5 updates. It is not meant to be a comprehensive build procedure. Many of the updates are Limited Release and thus are only accessible to Citrix Partners and Citrix Support.


💡 = Recently Updated

XenApp 6.5 Hotfix Rollup Pack 7

From CTX120842 Best Practices for Citrix XenApp Hotfix Rollup Pack Installation and Deployment: Citrix recommends the following order of deployment:

  • Zone data collector
  • Backup zone data collectors
  • Database connection server (Applies only to Resource Manager for XenApp 5 for Microsoft Windows Server 2003)
  • Primary farm metric server (Applies only to Resource Manager for XenApp 5 for Microsoft Windows Server 2003)
  • Backup farm metric server (Applies only to Resource Manager for XenApp 5 for Microsoft Windows Server 2003)
  • Member servers

To install a Hotfix Rollup Pack, do the following:

  1. Go to the downloaded Hotfix Rollup Pack 7, shift+right-click XA650W2K8R2X64R07.msp and click Copy as path.
  2. Run cmd.exe elevated.
  3. Right-click the command prompt and paste the path. Then press <Enter> to run it.

  4. In the Welcome to the Citrix XenApp 6.5 Hotfix Rollup Pack 7 Installation Wizard page, click Next.
  5. In the Citrix XenApp has been successfully configured page, click Close.
  6. Click OK when prompted to reboot.

XenApp 6.5 Hotfixes

Download post-R07 hotfixes from support.citrix.com by searching for XA650R07*. For example, Hotfix 11 contains a fix for the Citrix Print Management Service.  💡

Citrix CTX129229 Recommended Hotfixes for XenApp 6.x on Windows Server 2008 R2.

If you have several hotfixes to install, create a script similar to the following to install the hotfixes automatically.

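rem Install every matching hotfix .msp found in the same folder as this script.
rem "delims=" keeps file names that contain spaces intact.
for /f "delims=" %%i in ('dir /b "%~dp0*650W2K8R2R07*.msp"') do (
rem /passive shows progress only, /norestart defers the reboot, /l*v writes a verbose log per hotfix.
start /wait msiexec /p "%~dp0%%i" /passive /norestart /l*v "%temp%\%%i.log"
timeout /t 3 /NOBREAK
)
pause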

Then run the script elevated.

AppCenter 6.5.13

  1. Go to the downloaded Citrix AppCenter 6.5 Hotfix 13 (DSCXAMx650W013) and run XenAppMx.msi.
  2. If you see this message, click OK.
  3. After installation, in Programs and Features, Citrix XenApp Management will be shown as version 6.5.13.0.

XenApp Commands Hotfix 4

  1. Go to the downloaded XenApp Commands Hotfix 4 (DSCXACmd650WX64004) and run XenApp.Commands.Install_x64.msi.
  2. In the Please read the Citrix XenApp Commands License Agreement page, check the box next to I accept and click Install.
  3. If you see a Files in Use page, click OK.
  4. In the Completed the Citrix XenApp Commands Setup Wizard page, click Finish.
  5. Programs and Features lists Citrix XenApp Commands as version 6.5.4.1.

Citrix Group Policy Management 1.7.11

  1. Go to the downloaded Citrix Group Policy Management 1.7.11 (GPMx170WX64011) and run CitrixGroupPolicyManagement_x64.msi. It installs automatically.  Note: this hotfix might break AD GPOs.
  2. Programs and Features shows it as version 1.7.11.0.
  3. This update adds a new Citrix Policy setting at Computer > Server Settings > Graceful session logoff: ignore process. This is equivalent to LogoffCheckSysModules.

Uninstall Citrix Single Sign-on Console

If you have no desire to implement Citrix Single Sign-on then uninstall the console.

  1. Go to Programs and Features, right-click Citrix Single Sign-on Console and click Change.
  2. On the Application Maintenance page, select Remove and click Next.
  3. On the Citrix Single Sign-On Console Uninstall page, click Next.
  4. On the Citrix Single Sign-on Console 5.0 has been successfully uninstalled page, click Finish.

HDX WMI Provider Update 1

  1. Run Programs and Features, right-click Citrix HDX WMI Provider and click Uninstall. Notice that the version is currently 2.0.0.0
  2. Go to the downloaded Citrix HDX WMI Provider Update 1 (HDXWMIPROV620W2K8R2X64001) and run CitrixHDXWMIProvider-x64.msi. It installs automatically.
  3. Programs and Features will now show it as version 2.0.1.0.

HDX MediaStream for Flash 2.0 Hotfix 9

  1. Run Programs and Features, right-click Citrix HDX MediaStream for Flash – Server and click Uninstall. Notice that the version is currently 2.0.0.0
  2. Go to the downloaded HDXFlash200WX64009 and run CitrixHDXMediaStreamForFlash-ServerInstall-x64.msi.
  3. If you refresh Programs and Features, it now shows the version as 2.0.9.0.
  4. The article details a registry key that needs to be configured.

Server Configuration Tool 1.2 Hotfix 3

  1. Go to the downloaded Server Configuration Tool 120.003 and run ServerConfigurationInstall.msi. It installs automatically without prompting.
  2. You can verify installation by looking in Programs and Features. Citrix XenApp Server Configuration Tool should be version 1.2.3.0.

Service Provider Automation Tools

  1. Run the downloaded CitrixAppDeliverySetupTools.exe.
  2. Click OK once installation is complete.
  3. Programs and Features lists Citrix App Delivery Setup Tools as version 1.0.2.300.

Citrix Receiver Enterprise 3.4 Update 5

  1. Run the downloaded Citrix Receiver Enterprise 3.4 Cumulative Update 5 (CitrixReceiverEnterprise.exe).
  2. On the Welcome to Citrix Receiver Setup page, click Install.
  3. Click Yes to reboot when prompted.
  4. Programs and Features lists Citrix Receiver (Enterprise) as version 13.4.500.4.

Offline Plug-in 6.7.6

  1. Go to the downloaded Offline Plug-in 6.7.6 and run CitrixOfflinePlugin.exe.
  2. In the Welcome to the Citrix Offline plug-in Setup page, click Next.
  3. In the License Agreement page, select I accept the license agreement and click Next.
  4. In the Client Upgrade Options page, click Next.
  5. Click OK if prompted that a reboot is required.
  6. In the Citrix Offline plug-in has been successfully installed page, click Finish.
  7. Click Yes when prompted to restart.
  8. Programs and Features lists Citrix Offline Plug-in as version 6.7.6.1.

Citrix Profile Management 5.7

  1. Download Profile Management 5.7. Expand Components that are on the product ISO but also packaged separately to find it.
  2. Run profilemgt_x64.msi.
  3. In the Welcome to the Citrix Profile management Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Ready to install Citrix Profile management page, click Install.
  7. In the Completed the Citrix Profile management Setup Wizard page, click Finish.
  8. Click Yes when prompted to restart.
  9. Programs and Features lists Citrix Profile Management as version 5.7.0.13003.

Universal Print Server Client 7.6 Hotfix 1

  1. Go to the downloaded Universal Print Server Client 7.6 Hotfix 1 and run UpsClient760WX64001.exe.
  2. In the License agreement page, check the box next to I accept the terms and click Install.
  3. In the Completed the Citrix Universal Print Client Setup Wizard page, click Finish.
  4. Programs and Features lists Citrix Universal Print Client as version 7.6.1.0.

Citrix Group Policy Client Side Extension 1.7 Hotfix 9

  1. Go to the downloaded Citrix Group Policy Client Side Extension 1.7 Hotfix 9 (GPCSExt170W28KR2X64009) and run CitrixCse_x64.msi. It installs without prompting.
  2. If you look in Programs and Features, it should show version 1.7.9.0.

EdgeSight 5.4 Agent Hotfix 7 for XenApp 6

  1. Make sure EdgeSight 5.4 Server Hotfix 5 (ES540ServerWX64005) is installed on the EdgeSight Server.
  2. Go to the downloaded EdgeSight 5.4 Agent Hotfix 7 for XenApp 6 and run EdgeSightXA6Agentx64.msi.
  3. In the Welcome to the EdgeSight for XenApp x64 Setup page, click Next.
  4. In the End-User License Agreement page, select I accept the terms in the License Agreement and click Next.
  5. In the Product Information page, enter the company name specified on the EdgeSight web server and click Next.
  6. The Agent Location page appears. If you are installing the EdgeSight Agent on a XenApp server that will be converted to a Provisioning Server vDisk, change the path for the data files so they reside on the cache disk (D:). If this is a normal XenApp server that boots from the C: drive, leave the data files in their default path. Click Next when done.
  7. In the Network Settings page, enter the name of your EdgeSight server and click Next.
  8. In the Ready to Install page, click Install.
  9. In the EdgeSight for XenApp x64 Setup Complete page, click Finish.
  10. Click Yes when prompted to reboot.
  11. Programs and Features displays the version as 5.4.21.3.
  12. Check out article http://support.citrix.com/article/ctx111062 for information on how to configure antivirus for the EdgeSight Agent. Do not skip this step.

Web Interface 5.4 Hotfix 2

Only run this on your Web Interface servers.

  1. Run the downloaded Web Interface 5.4 Hotfix 2 WebInterface.exe from WI540MSI002.
  2. In the Select Language page, click OK.
  3. In the Welcome to the Web Interface Installation Wizard page, click Next.
  4. In the License Agreement page, select I accept and click Next.
  5. In the Installation Location page, click Next.
  6. In the Location of Clients page, change the selection to Copy the clients to this computer. Then browse to the Citrix Receiver and Plug-ins folder on the XenApp 6.5 DVD and click Next.
  7. In the Ready to Install page, click Next.
  8. In the Web Interface Was Successfully Install page, click Finish.

VMware Workspace ONE Access Load Balancing

Last Modified: Oct 19, 2022 @ 5:49 pm

This topic assumes you’ve already set up one VMware Workspace ONE appliance as detailed at https://www.carlstalhood.com/vmware-access/

Citrix ADC Configuration

VMware recommends a minimum of three VMware Access nodes. See Recommendations for Workspace ONE Access Cluster at VMware Docs.

Set up the load balancing before you clone the appliance. This section has the GUI instructions, or skip to the CLI Commands.

  1. In your Citrix ADC, go to Traffic Management > Load Balancing > Monitors, and add a monitor.
  2. Give the monitor a name and select HTTP-ECV as the Type. (Source = Proper VMware Identity Manager Node Monitoring when using F5 BIG-IP Appliances-UPDATED at VMware Communities)
  3. In the Basic Parameters section:
    1. In the Send String field, enter GET /SAAS/API/1.0/REST/system/health/heartbeat
    2. In the Receive String field, enter ok
    3. Check the box next to Secure. Ignore the SSL Profile field.
  4. Scroll down and click Create.
  5. Go to Traffic Management > Load Balancing > Servers and add three servers that point to the IP addresses of your planned three VMware Access appliances. These don’t have to exist yet.


  6. Go to Traffic Management > Load Balancing > Service Groups and add a Service Group.

    1. Give the Service Group a name.
    2. The protocol is SSL. Note: if you configured certificate-based client authentication in VMware Access, then use SSL_BRIDGE instead of SSL.
    3. Scroll down and click OK to close the Basic Settings section.
    4. Bind three members to it and specify port 443.
    5. Click OK to finish adding members.
    6. On the left, in the Settings section, click the pencil icon.
    7. Check the box for Client IP and enter X-Forwarded-For in the Header field.
    8. Bind a monitor, and select the Access monitor you created earlier.
    9. If you click the three members, then one of them should be UP.
  7. Go to Traffic Management > SSL > Certificates > Server Certificates and install a certificate that matches your VMware Access FQDN.
  8. Go to Traffic Management > Load Balancing > Virtual Servers and add a Virtual Server.

    1. Give the Load Balancing Virtual Server a name.
    2. Protocol = SSL. Note: if you configured certificate-based client authentication in VMware Access, then use SSL_BRIDGE instead of SSL.
    3. Enter a new VIP.
    4. Click OK to close the Basic Settings section.
  9. Bind the Service Group created earlier.
  10. Bind the certificate. This certificate must match the name users will use to access VMware Access.
  11. Configure Persistence:
    1. While still editing the Virtual Server, on the right, in the Advanced Settings column, click Persistence to move it to the left.
    2. On the left, in the Persistence section, select SOURCEIP, and give it a timeout of 60 minutes or more. COOKIEINSERT might not work with some mobile devices.
    3. Click OK to save the Persistence settings. If you don’t click OK, then your persistence settings won’t be saved.
  12. Enable WebSockets for Outbound Connectors:
    1. While still editing the Virtual Server, on the right, in the Advanced Settings column, click Profiles to move it to the left.
    2. On the left, in the Profiles section, next to HTTP Profile, click Add.
    3. The primary purpose of this HTTP Profile is to enable WebSockets so name it accordingly.
    4. As you scroll down, optionally check the box next to HTTP/2.
    5. Scroll down to the bottom and optionally check the boxes next to Mark HTTP/0.9 requests as invalid, Mark CONNECT Requests as Invalid, Mark TRACE Requests as Invalid, and Drop Invalid HTTP requests.
    6. At the bottom right, check the box next to Enable WebSocket connections.
    7. Click Create to finish creating the HTTP Profile.
    8. Back in the Profile section, make sure your new HTTP Profile is selected, and then click OK to close the Profiles section. Make sure you click OK in this section, or your new HTTP Profile won’t be enabled.
  13. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, disable TLSv1, disable TLSv11, bind an A+ Cipher Group, and enable Strict Transport Security. You can do these settings in the GUI in the SSL Parameters and SSL Ciphers sections of the Virtual Server.
    set ssl vserver MyvServer -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
    unbind ssl vserver MyvServer -cipherName DEFAULT
    bind ssl vserver MyvServer -cipherName SSLLabs-APlus
    bind ssl vserver MyvServer -eccCurveName ALL
  14. Create another Load Balancing Virtual Server on HTTP port 80 and configure it to redirect HTTP to HTTPS.


CLI Commands

Here are the CLI Commands for the configuration shown above:

add server Access01 10.2.2.151
add server Access02 10.2.2.152
add server Access03 10.2.2.153
add lb monitor lbmon-Access HTTP-ECV -send "GET /SAAS/API/1.0/REST/system/health/heartbeat" -recv ok -secure YES
add service AlwaysUp 1.1.1.1 HTTP 80 -healthMonitor NO
add serviceGroup svcgrp-Access SSL -cip ENABLED X-Forwarded-For
bind serviceGroup svcgrp-Access Access01 443
bind serviceGroup svcgrp-Access Access02 443
bind serviceGroup svcgrp-Access Access03 443
bind serviceGroup svcgrp-Access -monitorName lbmon-Access
add ns httpProfile httpProfile-WebSockets -dropInvalReqs ENABLED -markHttp09Inval ENABLED -markConnReqInval ENABLED -markTraceReqInval ENABLED -webSocket ENABLED -http2 ENABLED -builtin MODIFIABLE
add lb vserver lbvip-Access-SSL SSL 10.2.5.207 443 -persistenceType SOURCEIP -timeout 60 -httpProfileName httpProfile-WebSockets
add lb vserver lbvip-Access-HTTP-SSLRedirect HTTP 10.2.5.207 80
add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"
add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact
bind lb vserver lbvip-Access-HTTP-SSLRedirect AlwaysUp
bind lb vserver lbvip-Access-SSL svcgrp-Access
bind lb vserver lbvip-Access-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
set ssl vserver lbvip-Access-SSL -sslRedirect ENABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
bind ssl vserver lbvip-Access-SSL -cipherName SSLLabs-APlus
unbind ssl vserver lbvip-Access-SSL -cipherName DEFAULT
bind ssl vserver lbvip-Access-SSL -certkeyName WildCorpCom
bind ssl vserver lbvip-Access-SSL -eccCurveName ALL
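
The per-virtual-server hardening from step 13 can be checked before a command batch is applied. The following Python is an added example, not from the original article or from Citrix: it reads ADC CLI commands and lists, for each SSL load balancing virtual server, any of SSLv3, TLS 1.0 or TLS 1.1 that is not explicitly disabled and whether the DEFAULT cipher group is still bound. The sample batch and its names are constructed; the code assumes a new SSL virtual server starts with DEFAULT bound and treats any protocol not set to DISABLED as enabled.

```python
import shlex

LEGACY_PROTOCOLS = ("ssl3", "tls1", "tls11")  # step 13 disables all three
SSL_VERBS = {"set ssl vserver", "bind ssl vserver", "unbind ssl vserver"}

# Constructed sample batch (documentation IP addresses, made-up names).
SAMPLE_BATCH = """\
add lb vserver lbvip-Weak SSL 192.0.2.10 443 -persistenceType SOURCEIP -timeout 60
add lb vserver lbvip-Hardened SSL 192.0.2.11 443 -persistenceType SOURCEIP -timeout 60
add lb vserver lbvip-Redirect HTTP 192.0.2.11 80
set ssl vserver lbvip-Weak -sslRedirect ENABLED -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
bind ssl vserver lbvip-Weak -cipherName SSLLabs-APlus
set ssl vserver lbvip-Hardened -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
bind ssl vserver lbvip-Hardened -cipherName SSLLabs-APlus
unbind ssl vserver lbvip-Hardened -cipherName DEFAULT
bind ssl vserver lbvip-Hardened -eccCurveName ALL
"""


def _options(tokens):
    """Turn ['-tls1', 'DISABLED', ...] into {'tls1': 'DISABLED', ...}."""
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tok.startswith("-") and has_value:
            opts[tok[1:].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def parse_ssl_vservers(batch_text):
    """Replay the batch in order and return the SSL state of each SSL LB vserver."""
    vservers = {}
    for raw in batch_text.splitlines():
        verb = " ".join(raw.lower().split()[:3])
        if verb != "add lb vserver" and verb not in SSL_VERBS:
            continue  # monitors, service groups, responder policies, ...
        tokens = shlex.split(raw)  # handles quoted names
        if len(tokens) < 5:
            continue
        name = tokens[3]
        if verb == "add lb vserver":
            # SSL_BRIDGE and HTTP vservers terminate no TLS on the ADC.
            if tokens[4].upper() == "SSL":
                # Assumption: DEFAULT is bound to every new SSL vserver.
                vservers[name] = {"settings": {}, "ciphers": {"DEFAULT"}}
            continue
        entry = vservers.get(name)
        if entry is None:
            continue
        opts = _options(tokens[4:])
        if verb == "set ssl vserver":
            entry["settings"].update({k: v.upper() for k, v in opts.items()})
        elif "ciphername" in opts:
            cipher = opts["ciphername"].upper()
            if verb == "bind ssl vserver":
                entry["ciphers"].add(cipher)
            else:
                entry["ciphers"].discard(cipher)
    return vservers


def audit(batch_text):
    """Return {vserver name: [problems]}; an empty list means it matches step 13."""
    report = {}
    for name, entry in parse_ssl_vservers(batch_text).items():
        problems = [
            f"{proto} not explicitly DISABLED"
            for proto in LEGACY_PROTOCOLS
            if entry["settings"].get(proto) != "DISABLED"
        ]
        if entry["settings"].get("tls12") == "DISABLED":
            problems.append("tls12 is DISABLED")
        if "DEFAULT" in entry["ciphers"]:
            problems.append("DEFAULT cipher group still bound")
        if not entry["ciphers"] - {"DEFAULT"}:
            problems.append("no replacement cipher group bound")
        report[name] = problems
    return report


if __name__ == "__main__":
    for vserver, problems in audit(SAMPLE_BATCH).items():
        print(vserver, "->", "; ".join(problems) or "OK")
```

When the Default SSL Profile is enabled, these settings live in the SSL profile rather than on the virtual server, so this per-virtual-server check does not apply.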

VMware Access Load Balancing FQDN

VMware Access must be able to connect to the Load Balanced FQDN on HTTPS 443. The load balancing certificate must match the Load Balanced FQDN and must be trusted by VMware Access. See below to import a root certificate to VMware Access.

  1. In the VMware Access appliance, go to Monitor > Resiliency.
  2. Select an appliance. Then in the top right, click VA Configuration.
  3. On the left, click Install SSL Certificates.
  4. On the right, switch to the tab named Trusted CAs.
  5. Paste in the CA root certificate in PEM (Base64) format. This is the CA cert that signed the server cert that is bound to the load balancing VIP. Click Add.
  6. Click Restart Service.

  7. On the left, click the Workspace ONE Access FQDN page.
  8. Enter the FQDN that resolves to the VIP on the load balancer and click Save.
  9. The appliance will restart.
  10. Connect to the load balanced DNS name, select System Domain, and login as admin.
  11. In 22.09 and newer, go to Settings > New End User Portal UI and enable it if it’s not already enabled.
  12. In older VMware Access:
    1. Go to Catalog > Settings.
    2. On the left, click New End User Portal UI.
    3. On the right, click Enable New Portal UI if it’s not already enabled.

Clone Appliance

In Identity Manager 2.7 and newer, VMware recommends a minimum of three nodes. See Recommendations for Workspace ONE Access Cluster at VMware Docs.

  1. Login to the appliance console.
  2. If you see the file /etc/udev/rules.d/70-persistent-net.rules, delete it.
  3. Shut down the original VMware Access appliance.
  4. Right-click the VMware Access appliance and clone it to a new Virtual Machine.
  5. Give the cloned appliance a name.
  6. In the Select clone options page, do not customize, and do not power on the machine. The original VM should be powered on before powering on the new VM. Click Next.
  7. In the Customize vApp properties page, expand Networking Properties and change the IP Address and Host Name (FQDN). Click Next and then click Finish.
  8. After cloning is complete, power on the original VMware Access appliance. Don’t power on the cloned appliance until the original is fully functional.
  9. Wait for the original appliance to fully boot (you see the blue screen).
  10. Once the original appliance is running (the blue login screen is shown), you can power on the new cloned appliance.
  11. Once both appliances are booted, login to one of them and run curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'. Make sure it says two nodes and status is green. It might take a couple minutes before the two nodes become clustered. You might have to reboot the cloned node before it joins the cluster.
  12. In VMware Access Admin Console, go to Monitor > Resiliency.
  13. All nodes should be shown with green check mark status.
  14. Repeat this entire section to clone to a third appliance.

Add Cloned Appliances to NetScaler ADC

  1. In Citrix ADC, go to Traffic Management > Load Balancing > Servers, and add a Server for the new appliance.
  2. Go to Traffic Management > Load Balancing > Service Groups and edit the existing VMware Access Service Group.
  3. Click the Members section.
  4. Bind a new Member and select the new appliance on Port 443. The rest of Load Balancing should already have been configured.

Multi-datacenter

For multi-datacenter, see Component Design: Multi-site Design at Workspace ONE Access Architecture at VMware Tech Zone.

Also see Setting up a Secondary Data Center for Workspace ONE Access at VMware Docs.

  • The database in the primary datacenter is replicated to the secondary datacenter.
  • The VMware Access appliances in the secondary datacenter have read-only connectivity to the database in the secondary datacenter.
  • Active-active data centers are not supported. The secondary data center is a hot stand-by.
  • Horizon Connection Server groups are configured in failover order.
  • Citrix ADC GSLB or F5 GTM handles failover of the VMware Access DNS name.

VMware Workspace ONE Access 23.09

Last Modified: Nov 7, 2023 @ 5:39 am

Planning

VMware Workspace ONE Access (formerly known as Identity Manager) is a component of VMware Workspace ONE.

  • For Horizon, VMware Workspace ONE Access enables integration of additional apps from Citrix and the web (e.g., SaaS).
  • For full functionality, VMware Workspace ONE Access should be paired with VMware Workspace ONE UEM (aka AirWatch; not detailed in this article).

See Workspace ONE Access System and Network Configuration Requirements at VMware Docs.

Workspace ONE Access Architecture in the VMware Workspace ONE and VMware Horizon Reference Architecture includes diagrams for a single data center and for multiple data centers.

Outbound firewall requirements are detailed at VMware Docs.

Upgrade Appliance

Version 19.03 and newer no longer include the embedded Connector so you must deploy one or two Windows machines to run the external connector. The embedded Connector version 19.03 can be migrated to the external Windows Connector 23.09.

See Supported Upgrade Paths at VMware Docs.

For clusters, remove all nodes except one from the load balancer and upgrade the node that is still connected to the load balancer. Then upgrade the remaining nodes.

If you have the older 19.03 Identity Manager Connectors, then see Migrating to VMware Workspace ONE Access Connector 22.09 at VMware Docs.

To upgrade an appliance:

  1. Ensure SQL is version 2014 or newer.
  2. Backup the database.
  3. Make sure the VMware Access SQL Service Account is a db_owner on the VMware Access database.
  4. In the Access admin console, go to Dashboard > System Diagnostics Dashboard to verify no issues with the appliance.
  5. SSH (e.g., PuTTY) to the appliance as sshuser and then run su to elevate to root user.
  6. Run df -h to verify at least 4 GB of free space on the / partition.
  7. For online updates, verify that the virtual appliance can resolve and reach vapp-updates.vmware.com on ports 80 and 443.
  8. If your appliance is version 21.08.0.1 (not 21.08.0.0), then download update-fix.tgz and install it as detailed at VMware Docs.

  9. Run /usr/local/horizon/update/updatemgr.hzn check to verify that an update is available.
  10. Snapshot the appliance.
  11. Run /usr/local/horizon/update/updatemgr.hzn updateinstaller
  12. Run /usr/local/horizon/update/updatemgr.hzn update. Updating will take several minutes.
  13. On the first node, enter y to perform a reindex. Enter n on other nodes.
  14. Reboot the VM when done.
  15. Upgrade log files are in the /opt/vmware/var/log directory, or https://WS1AccessHostnameFQDN:8443/cfg/logs
  16. Run the check command again to see if there are any other updates available.
  17. Repeat the upgrade on the remaining nodes.
  18. See Post-upgrade Configuration of Workspace ONE Access at VMware Docs to reinstall the provisioning adapters, refresh People Search Configuration, update Log4j Configuration Files, and fix Cluster ID in second data center.
  19. Upgrade your Connectors to a version that is the same or older than the appliance. You might need a new es-config.json file to add support for Virtual Apps Collections.
    1. Before upgrading, suspend all the connector services at Integrations > Connectors > Manage.
    2. RSA needs changes if upgrading from Connector 20.10 and older.

New Deployment Preparation

DNS Configuration

If you intend to build multiple appliances (3 or more) and load balance them, specify a unique DNS name for each appliance. The Load Balancing DNS name is different from the appliance DNS names. For example:

  • Appliance 1 = access01.corp.local
  • Appliance 2 = access02.corp.local
  • Appliance 3 = access03.corp.local
  • Load Balancing Name = access.corp.com. This name is used both internally and externally.

VMware Workspace ONE Access DNS names are separate from Horizon DNS names.

You’ll need SSL certificates that match these names.

Each of these DNS names must have a corresponding reverse DNS pointer record.

  1. Create DNS records for the virtual appliances.
  2. Create reverse pointer records too. Reverse pointer records are required.

LDAP Accounts

  1. All accounts synced with VMware Workspace ONE Access must have First Name, Last Name, and E-mail Address configured, including the Bind account.
  2. Create a new Active Directory group for your VMware Workspace ONE Access users. Assign this group to your pools instead of assigning Domain Users.

SQL Database

If you want to build multiple Identity Manager appliances and load balance them, configure them with an external database (e.g. Microsoft SQL).

For a script that performs all required SQL configuration, see Configure a Microsoft SQL Database at VMware Docs.

  1. In SQL Management Studio, create a New Query.
  2. Copy the SQL commands from VMware Docs and paste them into the New Query window.
    1. For Windows Authentication, copy the commands from Configure the Microsoft SQL Database with Windows Authentication Mode.
    2. For SQL Authentication, copy the commands from Configure Microsoft SQL Database Using Local SQL Server Authentication Mode.
    3. Change the values in the brackets and remove the brackets. Don’t forget the collation at the top of the script.
  3. Then click Execute.
  4. Configure SQL Autogrowth to 128 MB as detailed at VMware Docs.

OVF Deployment

  1. Download the VMware Workspace ONE Access 23.09 Virtual Appliance OVA file.
  2. In the vSphere Web Client, right-click a cluster and click Deploy OVF Template.
  3. In the Select source page, browse to the identity-manager-23.09.0.0_OVF10.ova file, and click Next.
  4. In the Select name and location page, enter a name for the VM, and click Next.
  5. In the Select a resource page, select a cluster, and click Next.
  6. In the Review details page, click Next.
  7. In the Accept License Agreements page, click Accept, and then click Next.
  8. In the Configuration page, select a size and click Next. 4 vCPU and 8 GB of RAM are sufficient for 25,000 users.
  9. In the Select storage page, select Thin Provision, select a datastore, and click Next.
  10. In the Select networks page, select the network for the appliance. You can deploy it either internally, or in the DMZ. If in the DMZ, you can later install Workspace ONE Access Connectors in the internal network in outbound only mode. Click Next.
  11. In the Customize template page:
    1. Select a time zone.
    2. Expand Networking Properties if it’s not already expanded.
    3. Host Name – Enter a hostname for the first appliance.
      • If you intend to build multiple appliances and load balance them, then each appliance needs a unique name that does not match the load balanced name. If you only want to build one appliance, then the appliance Host Name should match whatever users will use to access Identity Manager.
    4. DNS and Gateway – In the Networking Properties section, enter the standard DNS and Gateway information.
    5. According to Install the Workspace ONE Access OVA File at VMware Docs, the Domain Name and Domain Search Path fields are not used.
    6. IP Address – Enter the IP address that is configured in DNS for the host name. DNS reverse lookup for this IP address must resolve to the appliance Host Name.
  12. Click Next.
  13. In the Ready to complete page, click Finish.

Setup Wizard

  1. Power on the appliance.
  2. Wait for the appliance to power on and fully boot.
  3. Go to https://myAccessFQDN to access the Access Setup Wizard.
    You must connect to the DNS name. Connecting to the IP address will cause problems during the database setup process.
  4. In the Set Passwords page, enter passwords for the three accounts and click Continue. Notice that two of the passwords must be 14 characters or longer.
  5. In the Select Database page, change it to External Database.

    Note: this page will only function properly if your address bar has a DNS name instead of an IP address.
  6. For Windows authentication, enter a JDBC URL similar to the following (VMware Docs), enter credentials for the Horizon Windows service account, and then click Continue. The connection string changed in version 22.09.
    jdbc:sqlserver://sql03.corp.local:1533;DatabaseName=VMwareAccess;integratedSecurity=true;authenticationScheme=NTLM;domain=corp
  7. For SQL authentication, enter a JDBC URL similar to the following, enter the credentials for the Horizon SQL account, and then click Continue. Access 21.08 and newer has an option to encrypt the database connection.
    jdbc:sqlserver://mysqlserver.corp.local;DatabaseName=saas;multiSubnetFailover=true

  8. The database will be configured.
  9. In the Setup Review page, click the link to log in to the Admin Console.

SSH – Enable Root Access

This is optional. Enabling root access lets you use root credentials when using WinSCP to connect to the appliance.

  1. Use PuTTY to SSH to the VMware Workspace ONE Access appliance.
  2. Login as sshuser.
  3. Run su - and enter the root password.
  4. Run vi /etc/ssh/sshd_config.
  5. Scroll down to the line containing PermitRootLogin.
  6. Press <i> on the keyboard to change to insert mode.
  7. Go to the end of the line and change no to yes.
  8. Press <ESC> to exit insert mode.
  9. Type :x to save the file and exit.
  10. Run systemctl restart sshd.

VMware Access Certificate

The Windows Connectors require the VMware Access certificate to be trusted. Generate a new appliance certificate using a trusted Certificate Authority and install the certificate on the appliance.

  1. Login to the Identity Manager web page as the admin user in the System Domain.
  2. Click Monitor and then click Resiliency.
  3. Click the VA Configuration button next to the appliance name.
  4. On the left, click the page named Install SSL Certificates.
  5. On the right, click Choose File next to Import Certificate File.
  6. .pfx files are supported.
  7. In the Password field, enter the .pfx password.
  8. Click Save.
  9. It will take several minutes for the certificate to be installed and the appliance to restart.

Load Balancing

VMware Access can be cloned, clustered, load balanced, and globally load balanced as shown below. Source = Multi-site Design in the Workspace ONE Access Architecture.

To clone multiple VMware Access appliances and load balance them, see one of the following:

Windows Connector

All VMware Access Connectors are Windows Servers.

VMware Access supports Connectors that are the same version or older than the VMware Access appliance.

A Connector with 4 vCPU and 8 GB RAM supports 100,000 users.

  1. Load balance your VMware Access appliances so the Connector can connect to the Load Balanced FQDN instead of a single VMware Access appliance.
  2. Build one or more Windows machines on the internal network that will host the Windows connector. The Windows machines must be joined to the domain.
  3. The VMware Access certificate must be trusted by the Connector servers.
  4. Login to the VMware Access administration console through the load balanced FQDN as the admin user in the System Domain.
  5. In 22.09 and newer, go to Integrations > Connectors and click New.
  6. In older Access:
    1. On the top tabs, switch to Identity & Access Management.
    2. On the sub-menu bar, on the far right, click Setup.
    3. On the sub-menu bar, on the left, click Connectors.
    4. Click the blue NEW button.
  7. In the Select the Connector page, select the Latest Workspace ONE Access Connector and click OK.

  8. Click Confirm.
  9. In the Download Installer page, click the button to Go to myvmware.com and download the connector installer if you haven’t downloaded it already. Then click Next.
  10. In the Download Configuration File page, enter a 14-character password, click Download Configuration File, and save it somewhere. Then click Next.
  11. In the Summary page, click Close.
  12. See Workspace ONE Access Connector Systems Requirements at VMware Docs for sizing guidelines. For example, installing all components on a single server requires 12 GB of RAM.
  13. On the Windows machine, run Workspace-ONE-Access-Connector-Installer-22.09.1.0.exe.
  14. Click Install to install .NET Framework 4.8.
  15. Click Yes to restart.
  16. The Connector installer should automatically launch again. If not, you can launch it manually.
  17. In the Welcome to the Installation Wizard for Workspace ONE Access Connector page, click Next.
  18. In the License Agreement page, click I accept the terms, and then click Next.
  19. In the Service Selection page, click Next.
  20. In the Specify configuration file page, browse to the es-config.json file downloaded earlier and then click Next.
  21. In the Select Default or Custom Installation page, choose Custom and then click Next.
  22. In the Specify Proxy Server Information page, click Next.
  23. In the Specify Syslog Server Information page, click Next.
  24. In the Citrix Configuration page, click Next.
  25. In the Install Trusted Root Certificates page, click Browse and upload your CA and Intermediate certificates that signed the VMware Access certificate. Java uses different root certificates than Windows so you’ll need to upload them here so Java can use them. Click Next.
  26. In the Specify Ports page, click Next.
  27. If you are installing the Kerberos Auth Service, then select a .pfx certificate that clients will trust and click Next.
  28. In the Specify Service Account page, enter service account credentials and then click Next.

    • The service account must be added to the local Administrators group.
  29. In the Ready to Install the Program page, click Install.
  30. In the Installation Wizard Completed page, click Finish.
  31. In VMware Access, go to Integrations > Connectors to see the new Connector. If you don’t see it, then check C:\Program Files\Workspace ONE Access\Virtual App Service\logs\eis-service.log on the Connector server.
  32. Repeat these steps to add another connector. You can use the same es-config.json file.

Configuration

  1. Login to the VMware Access web page as the admin user in the System Domain.
  2. In 22.09 and newer, go to Settings > User Attributes.

    1. In older VMware Access, switch to the Identity & Access Management tab.
    2. On the top right, switch to the Setup view.
    3. On the left, switch to the User Attributes sub-tab.
  3. In the Default Attributes section, check the boxes next to distinguishedName and userPrincipalName. These are needed for Horizon.

  4. In the Custom Attributes section, click Add Row and enter objectGUID.
  5. Add another row and enter mS-DS-ConsistencyGuid. These are needed for Office 365 integration.

    • In older VMware Access, in the Add other attributes to use section, click the plus icon and enter objectGUID.
    • Click the green plus and add mS-DS-ConsistencyGuid. These are needed for Office 365 integration.
  6. At the top of the page, click Save.
  7. In 22.09 and newer, go to Integrations > Directories and click Add Directory > Active Directory at the top right of the page.

    1. In older VMware Access, on the top right, switch to the Manage view.
    2. On the Directories tab, click Add Directory > Active Directory.
  8. Enter a Directory Name.
  9. Change it to Active Directory over integrated Windows Authentication.
  10. Select one or more Connectors as Directory Sync Hosts and User Auth Hosts.
  11. Select which attribute users should enter as their User Name.
  12. Scroll down.
  13. Enter the LDAP Bind credentials. Click Save & Next.
  14. Select the domains you want to sync and click Next.
  15. In the Map User Attributes page, scroll down, enter Active Directory attribute names for any missing attribute, and click Next.
  16. In the Select the Groups page, click the plus icon to add a DN.
  17. Enter a Base DN in LDAP format and then click Select Groups.
  18. Search for your Access Users group, select it, and click Save.
  19. Click Next.
  20. In the Select the Users page, click Next.
  21. In the Sync Frequency field, make a selection and then click Sync Directory.
  22. You can click the link to view the Sync log.
  23. Or from the main directories list, you can click the directory name, and then click the tab named Sync log to view the log.

  24. Sync Settings can be changed by clicking the button on the right.

Sync Connector Redundancy

If you build another Windows Connector, you can add it to the Directory as another Sync Service.

  1. In VMware Access 22.09 and newer, at Integrations > Directories, click the directory.

    1. Or in older VMware Access, in the VMware Access console, in the Identity & Access Management page, on the left, click the Directories link.
    2. Click the link for your Active Directory domain.
  2. On the right, click the Sync Settings button.
  3. Switch to the Sync Service tab.
  4. Select the new connector and click the plus icon to move it to the bottom.
  5. You can order the connectors in failover order. Click Save.

Sync Group Membership

By default, VMware Access does not synchronize group members. You can force a sync.

  1. In VMware Access 22.09 and newer, go to Accounts > User Groups.

    1. In older VMware Access, go to Users & Groups > Groups.
  2. Notice that the groups are Not Synced. Click the link for a group.
  3. Switch to the Users tab. Then click the Sync Users button.

Logon Experience

  1. In VMware Access 22.09 and newer, go to Settings > Login Preferences and click Edit.

    1. Or in older VMware Access, go to Identity & Access Management > Setup > Preferences.
  2. On the bottom, you can optionally hide the Domain Drop-Down menu. Then select the unique identifier that Identity Manager will use to find the user’s domain (typically UPN if multiple domains). VMware Access can show a Domain Drop-Down if a unique domain cannot be identified.
  3. The user will be prompted to enter the unique identifier.

Administrators

  1. Sync the user that you want to assign the role to. Or sync the group that the user is a member of. If syncing a group, also sync the members of that group.
  2. You can assign a role from the Accounts > Users page by clicking a user and then clicking Edit Roles.

  3. To add a role, in VMware Access 22.09 and newer, go to Accounts > Roles.

    1. In older VMware Access, go to the Roles tab.
  4. You can add a Role. See VMware Blog Post Introducing Role-Based Access Control (RBAC) in VMware Identity Manager 3.2.
  5. Then you can assign synced users to a role (e.g., Super Admin) by selecting the role and then clicking Assign.
  6. Search for a synced user and then click Save.

License

  1. In VMware Access 22.09 and newer, go to Settings > Appliance and then switch to the tab named License.

    1. Or in older VMware Access, switch to the tab named Appliance Settings.
    2. Switch to the sub-tab named License.
  2. Enter the license key and click Save. The Workspace ONE Access license is separate from your Horizon license.

SMTP

  1. In VMware Access 22.09 and newer, go to Settings > Appliance and click the tab named SMTP.

    1. In older VMware Access, on the top, click the Appliance Settings tab.
    2. Click the sub-tab named SMTP.
  2. Enter your mail server information and click Test Connection and then click Save.

Kerberos Authentication

Kerberos lets users Single Sign-on to the VMware Access web page. Some notes on Kerberos authentication:

  • It only works for Windows clients.
  • The clients connect to the Connectors, so the firewall must permit inbound connections to the Connectors on TCP 443.
    • For High Availability, load balance your Connectors.
  • The Connector (or load balancer) must have a valid, trusted certificate.
  • The Connector’s FQDN (or load balancer FQDN) must be in Internet Explorer’s Local Intranet zone.

Connector Certificate

To upload a certificate to the Connector:

  1. On the Windows Connector machine, run the Connector installer.
  2. In the Program Maintenance page, leave it set to Add/Remove Services and click Next.
  3. Keep clicking Next until you get to the Install SSL Certificate for Kerberos Auth Service page. Browse to the .pfx, enter the password, and then finish the wizard.

TCP 443 Inbound

TCP 443 must be opened inbound to the Connectors. You might have to add TCP 443 to a Windows Firewall rule.
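
The two prerequisites above (TCP 443 inbound to the Connector, and a valid, trusted certificate on the Connector or load balancer FQDN) can be checked with a short script. This is an added example, not part of the original article; the rule name, the Domain-profile scoping, the 30-day expiry window and the FQDN `connector.corp.example` are assumptions.

```powershell
# Added example. Values marked "assumption" are placeholders, not from the article.

# Run on each Windows Connector (elevated): allow inbound TCP 443.
function Add-ConnectorKerberosRule {
    param([string] $DisplayName = 'WS1 Access Connector Kerberos (TCP 443)')  # assumption
    if (-not (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        # Domain profile only (assumption): Kerberos SSO clients are domain-joined Windows machines.
        New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
            -Protocol TCP -LocalPort 443 -Action Allow -Profile Domain | Out-Null
    }
}

# Run from a Windows client: check the port, the certificate chain and the name match.
function Test-ConnectorCertificate {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # Connector or load balancer FQDN
        [int] $Port = 443,
        [int] $WarnDays = 30                     # assumption: expiry warning window
    )
    $report = [ordered]@{
        Fqdn = $Fqdn; TcpOpen = $false; Trusted = $false; PolicyErrors = $null
        Subject = $null; NotAfter = $null; ExpiresSoon = $null; Error = $null
    }
    $script:seenCert = $null
    $script:seenErrors = $null
    # Strict callback: record what the server presented, accept only a clean result.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $sslPolicyErrors)
        $script:seenCert = $certificate
        $script:seenErrors = $sslPolicyErrors
        return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Fqdn, $Port)
        $report.TcpOpen = $true
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            # Fails if the chain is untrusted or the name does not match $Fqdn.
            $ssl.AuthenticateAsClient($Fqdn)
            $report.Trusted = $true
        } catch {
            $report.Error = $_.Exception.Message
        } finally {
            $ssl.Dispose()
        }
    } catch {
        # Connection refused, filtered, or name not resolvable.
        $report.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    if ($script:seenCert) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($script:seenCert)
        $report.Subject      = $cert.Subject
        $report.NotAfter     = $cert.NotAfter
        $report.ExpiresSoon  = ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
        # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
        $report.PolicyErrors = [string] $script:seenErrors
    }
    [pscustomobject] $report
}

# Example call (constructed FQDN):
# Test-ConnectorCertificate -Fqdn 'connector.corp.example'
```

A result with `TcpOpen` true but `Trusted` false points at the certificate rather than the firewall; `PolicyErrors` distinguishes a name mismatch from an untrusted chain.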

Enable Kerberos authentication

  1. In VMware Access 22.09 and newer, go to Integrations > Connector Authentication Methods. Click New and then click Kerberos.

    1. Or in older VMware Access, on the top, go to the Identity & Access Management tab.
    2. Click the sub-tab named Enterprise Authentication Methods.
    3. Click the New button and then click Kerberos.
  2. In the Directory and Hosts page, select the Connectors. Then click Next.
  3. In the Configuration page, if you plan to load balance the Connectors, then change Enable Redirect to Yes. Then finish the wizard.
  4. In VMware Access 22.09 and newer, go to Integrations > Identity Providers.

    1. Or in older VMware Access, go to Identity & Access Management > Identity Providers.
  5. On the top right, click Add Identity Provider and then click Create Workspace IDP.
  6. Give the IDP a name.
  7. In the Users field, select the directory.
  8. In the Authentication Method field, select Kerberos.
  9. In the Network field, check the box next to ALL RANGES.
  10. In the IdP Hostname field, enter the FQDN that is load balanced to the Connectors. Click Add.

Configure Policy to use Kerberos

  1. In VMware Access 22.09 and newer, go to Resources > Policies and click the Network Ranges button.

    1. Or in older VMware Access, go to Identity & Access Management > Manage > Policies and click Network Ranges.
  2. Add a Network Range for internal networks if you haven’t already.
  3. At Resources > Policies, click Edit Default Policy.

    1. Or in older VMware Access, go to Identity & Access Management > Manage > Policies.
    2. Click Edit Default Policy.
  4. Click Next to go to the Configuration page.
  5. Click Add Policy Rule. Or click the plus icon to add a Policy Rule.
  6. Select a Network Range for the internal network.
  7. For "and the user accessing content from", set it to Web Browser.
  8. Optionally configure "and user belongs to group(s)". When enabled, VMware Access asks the user for username only, and then looks up group membership to determine which authentication methods should be used. See Access Policy Settings at VMware Docs.
  9. Select Kerberos as the first authentication method.
  10. Select Password (cloud deployment) as the second authentication method. Click Save or OK.
  11. Drag the new Policy Rule to move it to the top. Then click Next and Save.
  12. If you break your config such that you can’t login anymore, then see Enabling Break-Glass URL Endpoint /SAAS/Login/0 in Workspace ONE Access at VMware Docs.

Customize Appearance

  1. You can change the browser’s title and favicon at Settings > Branding.

    1. Or in older VMware Access, go to Identity & Access Management > Setup > Custom Branding, on the Names & Logos tab.

  2. The Sign-In Screen section lets you upload a logo, upload an image, and change colors.
  3. If you go to Settings > Password Recovery, you can configure a link to a password recovery tool or change the Forgot Password message.

    1. In older VMware Access, find it at Identity & Access Management > Manage > Password Recovery Assistant.
  4. If you scroll down, you can optionally Show detailed message to End User when authentication fails.
  5. For branding of the user portal, go to Integrations > Hub Configuration and click Launch.
  6. Then go to the Branding page from inside Hub Services.

    1. Or in older VMware Access, click Catalog, and then click Settings.
    2. On the left, click User Portal Branding.
  7. Make changes to Logos, colors, etc.
  8. On the top right, click Log out of Hub Services to return to the VMware Access administration console.

Resources

Horizon Console – Enable SAML Authentication

  1. Login to Horizon Console.
  2. On the left, under Settings, click Servers.
  3. On the right, switch to the Connection Servers tab.
  4. Select a Connection Server and click Edit.
  5. On the Authentication tab, change Delegation of authentication to VMware Horizon to Allowed.
  6. Click Manage SAML Authenticators.
  7. Click Add.
  8. In the Label field, enter a descriptive label.
  9. In the Metadata URL field, enter the VMware Access FQDN.
  10. In the Administration URL field, enter the VMware Access FQDN, and click OK.
  11. If you see a certificate error, click View Certificate, and then click Accept.
  12. Click OK to close the Manage SAML Authenticators window.
  13. There’s a Workspace ONE mode, which forces all Horizon Clients to connect through VMware Access instead of directly to the Connection Servers. Delegation of authentication must be set to Required before Workspace ONE mode can be enabled.

VMware Access – Virtual Apps Collection for Horizon

  1. In the VMware Access Admin Portal, go to Resources > Virtual Apps Collections.

    1. Or in older VMware Access, in the VMware Access Admin Portal, click the Catalog tab, and then click Virtual Apps Collection.
  2. If you see the Introducing Virtual Apps Collection page, click Get Started.
  3. Click the SELECT link in the Horizon box. Note: Horizon Cloud is only for Single Pod brokers. For Universal Broker, configure it from inside Horizon Cloud.
  4. Give the Horizon Connection a name.
  5. Arrange the Sync Connector appliances in priority order. Click Next.
  6. Click Add a Pod.
  7. Enter the FQDN of a Connection Server in the Pod.
  8. Enter Horizon View admin credentials in UPN format. The account needs at least Read Only Administrator access to Horizon.
  9. There’s a True SSO option if you enabled a password-less authentication (e.g., SAML) to VMware Access.
  10. Click Add.
  11. You can optionally add more pods and then enable the Cloud Pod Architecture option. Click Next when done.
  12. Change the Sync Frequency and Safeguards as desired.
  13. Click Next when done.
  14. Click Save & Configure. The connection is tested at this time.
  15. The URLs for accessing Horizon are defined in each Network Range. For each Horizon URL, create Network Ranges. Or click All Ranges.
  16. Near the bottom, in the Client Access FQDN field, enter the FQDN that users in this Network Range use to login to Horizon. Then click Save. Note: the Horizon FQDN is different than the VMware Access FQDN.
  17. After the Horizon Virtual Apps Collection is added, switch to the Overview tab, select the collection, and click Sync without safeguards.

    • Note: whenever you make a change to the pools in Horizon Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync.
  18. You can click the alert icon to see issues.
  19. If you go to Resources > Virtual Apps, you will see your synced Application and Desktop pools.

Horizon Pools Catalog

  1. In the VMware Access Admin console, at Resources > Virtual Apps, you can see the Horizon View icons. Only the pools in the root Access Group are synced.
  2. Click an icon, and then click View Assignments.
  3. Make sure entitlements are listed. Entitlements are assigned in Horizon Console, and not in VMware Access. VMware Access merely syncs the entitlements from Horizon.
  4. Only AD groups synced to VMware Access will be displayed. Domain Users are not synced by VMware Access and thus won’t be displayed here.
  5. If you make changes in Horizon Console, then manually sync the Virtual Apps Collection so the changes are reflected in VMware Access.
  6. Back in the Virtual Apps list, if you check the box next to one of the icons, you can place the icon in a Category by clicking the Categories menu.
    • You can select one or more existing categories.
    • Or type in a new category name at the top of the list.
    • The category is then displayed next to the catalog item.
  7. There’s also a Recommended category.

    • Recommended icons can be found in the User Portal at Apps > Recommended. Users can click the Categories drop-down to see other categories. Users have to logoff and log back in to see Category changes.
  8. In VMware Access 22.09 and newer, user portal settings are configured in Hub Services. Launch it from Integrations > Hub Configuration.
  9. The App Catalog page has some settings for the Catalog Layout.
  10. Or in older VMware Access:
    1. Go to Catalog > Settings.
    2. On the left, click User Portal Configuration.
    3. From this screen, you can control tab visibility, and put recommended apps in the Bookmarks tab. Click Save when done.

User Portal

The User Portal (aka Intelligent Hub) is the interface that non-administrators see after logging in. Administrators can switch to the User Portal by clicking the username on the top right and clicking User Portal.

Administrators in the User Portal can switch to the Workspace ONE Access Console by clicking the username on the top right.

Some User Portal features:

  1. When a user logs in to the VMware Access web page the pool icons will be displayed.
  2. When the user clicks an icon, either Horizon Client or a browser can be used to open the pool.
  3. To set the default launch method:
    1. On the top right, click your name, and click Account.
    2. In the Horizon Remote Apps section, click either Horizon Client or click Browser.
    3. The Horizon Client option has a link to download and Install the Horizon Client.
  4. Back in the Apps list, to mark an icon as a Favorite, click the three dots next to an icon and then click Add to Favorites.
  5. Or open an app’s Details page, and then click the star icon.
  6. Then you can click the Favorites tab to display only icons that are marked as Favorites.
  7. If you configured Categories, they are listed in the Apps tab in the Categories drop-down.

Citrix AppDNA 7.18

Last Modified: Sep 2, 2018 @ 7:53 am

This article applies to all versions, including 7.18 and 7.15.

Planning

Your Citrix License Server must have XenApp or XenDesktop Platinum Edition licenses. If you don’t have Platinum Edition licenses, then work with a Citrix Partner to perform AppDNA analysis.

AppDNA server should have the following:

  • 12 GB of RAM
  • 80 GB free disk space for up to 200 applications. 150 GB if more applications.
  • Cannot be installed on a Delivery Controller. Must be a separate machine.

SQL Server:

  • SQL 2008 R2, 2012, 2014, or 2016. SQL Express is not supported.
  • AppDNA generates load on SQL during install (duration = few hours) and during import and analysis.
  • See Optimize AppDNA > Optimize SQL Server at Citrix Docs.
  • Disk space could easily be 20+ GB.

AppDNA can directly import and analyze .msi installers. For non-.msi installers, you’ll need a machine to capture the install process. The machine(s) should be the same operating system as what you are migrating from. The machine can either be directly accessible through a hypervisor, which means AppDNA can automate the capture process. Or it can be any machine where a user can perform Self Provisioning.

Server Prerequisites

  1. On the AppDNA Server, open Computer Management. Edit the Administrators group, and add the service account.
  2. In Server Manager, start the Add Roles and Features Wizard.
  3. In the Select features page, select .NET Framework 3.5. Click Next.
  4. In the Confirm installation selections page, click Specify an alternate source path.
  5. Browse to the sources folder on the Windows Server 2012 R2 or newer DVD, and click OK.
  6. Click Install.

Server Installation/Upgrade

The same installation process is used for both new installs and upgrades.

  1. On the AppDNA server, run the downloaded AppDNA 7.18 (Citrix-AppDNA.msi).

  2. It takes a few minutes to launch.
  3. In the Welcome to the Installation Wizard for Citrix AppDNA 7.18 page, click Next.
  4. In the License agreement page, select I accept the terms, and click Next.
  5. In the Citrix AppDNA Installation Type page, select Complete, and click Next.
  6. In the Citrix AppDNA installation locations page, click Next.
  7. In the Ready to install Citrix AppDNA page, click Install.
  8. In the Installation Wizard Completed page, click Finish.

SQL Database

Instructions from CTP Eric Haavarstein Configure Citrix AppDNA 7.11 in Minutes instead of Hours:

  1. If you are upgrading an existing installation, then skip to the Configuration Wizard.
  2. If this is a new installation, on the AppDNA server, go to C:\Program Files (x86)\Citrix\AppDNA\Server\Bin, and extract the AppDNA.bz2 file.
  3. Rename the extracted file with a .bak extension.
  4. Copy the file to the backup folder on the SQL server.
  5. In SQL Studio, right-click Databases, and click Restore Database.
  6. Change the Source to Device, and click the ellipsis.
  7. Click Add.
  8. Select the AppDNA.bak file, and click OK twice.
  9. Change the destination database name as desired, and click OK to begin the restore.

  10. Add a service account to SQL logins.
  11. On the Server Roles page, add the service account to the bulkadmin role.
  12. Give the service account db_owner permission to the AppDNA database.
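
Steps 10 through 12 can be scripted and then verified. This is an added example, not part of the original article or the instructions it cites; it assumes the SqlServer PowerShell module (`Invoke-Sqlcmd`), SQL Server 2012 or newer, and placeholder names `SQL01`, `CORP\svc_appdna` and a restored database named `AppDNA`.

```powershell
# Added example; server, account and database names are placeholders (assumptions).
Import-Module SqlServer   # provides Invoke-Sqlcmd

function Grant-AppDnaServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,   # e.g. 'SQL01'
        [Parameter(Mandatory)] [string] $Account,          # e.g. 'CORP\svc_appdna'
        [string] $Database = 'AppDNA'                      # name chosen during the restore
    )
    # Quote identifiers and literals so an unusual name cannot break out of the statement.
    $id  = '[' + $Account.Replace(']', ']]') + ']'
    $db  = '[' + $Database.Replace(']', ']]') + ']'
    $lit = "N'" + $Account.Replace("'", "''") + "'"

    # Step 10: SQL login. Step 11: bulkadmin server role. Step 12: db_owner on the AppDNA database.
    # ALTER [SERVER] ROLE ... ADD MEMBER needs SQL Server 2012+; on 2008 R2 use
    # sp_addsrvrolemember and sp_addrolemember instead.
    $grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $lit)
    CREATE LOGIN $id FROM WINDOWS;
ALTER SERVER ROLE [bulkadmin] ADD MEMBER $id;
USE $db;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $lit)
    CREATE USER $id FOR LOGIN $id;
ALTER ROLE [db_owner] ADD MEMBER $id;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $grant -ErrorAction Stop

    # Verify what the account ended up with, including that it is not sysadmin.
    $verify = @"
SELECT IS_SRVROLEMEMBER('bulkadmin', $lit) AS IsBulkAdmin,
       IS_SRVROLEMEMBER('sysadmin',  $lit) AS IsSysAdmin,
       IS_ROLEMEMBER('db_owner', $lit)     AS IsDbOwner;
"@
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
        -Query $verify -ErrorAction Stop

    if ($row.IsSysAdmin -eq 1) {
        Write-Warning "$Account is a sysadmin; the steps above only call for bulkadmin and db_owner."
    }
    [pscustomobject]@{
        Account     = $Account
        Database    = $Database
        IsBulkAdmin = ($row.IsBulkAdmin -eq 1)
        IsDbOwner   = ($row.IsDbOwner -eq 1)
        IsSysAdmin  = ($row.IsSysAdmin -eq 1)
    }
}

# Example call (constructed names):
# Grant-AppDnaServiceAccount -ServerInstance 'SQL01' -Account 'CORP\svc_appdna'
```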

Configuration Wizard

  1. The Configuration wizard launches. Or you can launch Configure AppDNA from the Start Menu.
  2. In the Prerequisites page, click Enable.
  3. In the Configure AppDNA page, if you are upgrading, select the Upgrade installation option, and click Next. The remaining wizard screens will be different but similar.

    1. Or leave it set to Configure new installation, and click Next.
  4. If you are upgrading, on the Choose database page, after selecting your database and clicking Next, if you see a message about Subscription Advantage expiration, click OK, and go back a couple pages.

    1. Back on the Configure AppDNA page, change the selection to Licensing, and click Next.
    2. In the License management page, leave the selection set to Activate, and click Next.
    3. In the Choose database page, click Next.
    4. In the License database page, enter your license server name, and click Next.
    5. In the System check page, click Activate.
    6. In the Progress page, click Close, which closes the wizard.
    7. Relaunch the Configure AppDNA wizard and attempt the upgrade again.
  5. If this is a new installation, in the Create database page, enter the SQL server name, enter the database name, and click Next. Note: in order for the Configure AppDNA wizard to create the database, the person running the wizard must have sysadmin permissions on the SQL Server.
  6. In the Connect to database page, enter the credentials of your service account, and click Next. AppDNA will use this service account to connect to the database.
  7. If this is a new installation, in the License database page, enter the address of a Citrix License server that has XenApp/XenDesktop Platinum Licenses, and click Next.
  8. In the CEIP page, make a selection, and click Next.
  9. In the Firewall page, click Next.
  10. In the System check page, click Fix next to any errors it finds. Then click Next, Configure, or Upgrade.

  11. It will take several minutes to update the database.
  12. Click Close when done.
  13. See Optimize AppDNA > Optimize IIS at Citrix Docs.

Note: Database and License Configuration can also be run from the command line: “C:\Program Files (x86)\Citrix\AppDNA\Server\Bin\AppDNAConfig.exe”

Logging

CTX219766 Understanding Logging in AppDNA explains how to enable the various logs, and where to find the logs.

  • Verbose logs
    • On the client
    • On the server, including Configuration Wizard
  • QueueProcessor Verbose logs
  • Event logs
  • Application Import logs
  • Other miscellaneous logs

SSL/TLS

See Citrix CTX222781 Configuring AppDNA for SSL/TLS:

  1. Set the IIS uploadReadAheadSize by running the following command:
    "%windir%\system32\inetsrv\appcmd.exe" set config -section:system.webServer/serverRuntime /uploadReadAheadSize:"104857600" /commit:apphost
  2. Import a certificate, and in IIS, bind it to the Default Web Site.
  3. Edit the file C:\Program Files\Citrix\AppDNA\Server\web.config. Adjust ReportBaseUrl to https and port 443.
  4. Configure the AppDNA Client to connect using https.

Launch and Login

  1. Launch AppDNA from the Start Menu.
  2. Login as administrator and apps3cur3.

Configure Modules Wizard

  1. In the Welcome page, click Next.
  2. This wizard lets you select which modules to enable. The more modules you enable, the longer it takes to analyze an application. Go through each page and make your selections.
  3. AppDNA 7.11 and newer support analysis of Windows Server 2016.


  4. Then click Configure.
  5. And click Close.
  6. AppDNA 7.9 adds a new Compliance Manager module. The module was enhanced in AppDNA 7.14 to check for FIPS compliance, NTLM, and Credential Guard.

  7. You can use the Module Manager (Configure > Modules > Management) to see what each module is checking for.
  8. Click Groups next to one of the modules.
  9. Notice that not every analysis rule is enabled.

Customer Experience Improvement Program

Do the following to disable CEIP:

  1. Open the Edit menu, and click Settings.
  2. On the CEIP page, uncheck both boxes next to Continue participating. Click Save. Google Analytics was added in AppDNA 7.16.
  3. See https://www.carlstalhood.com/delivery-controller-7-16-and-licensing/#ceip for additional places where CEIP is enabled.

Users

  1. Open the Administration menu, expand User Management, and click Users.
  2. In the toolbar, click Add from AD.
  3. Select your Citrix Admins group, and click OK.
  4. On the right, notice that Administrators role is selected by default.
  5. Open the File menu and click Exit.
  6. Launch AppDNA again.
  7. On the login page, click Options.
  8. You can check the box next to Integrated Login and click Log On.
  9. Note: if you enable Auto Login and want to disable it, edit the registry.
  10. Go back to Administration > User Management > Users.
  11. Edit the administrator account.
  12. And change its password.
  13. Then click Save.

Direct Import

  1. Switch to the Import workspace.
  2. On the left, under Import, click Applications.
  3. On the right, switch to the Direct Import tab.
  4. Click Browse in the toolbar. Then browse to an .MSI file.
  5. The .msi files are shown in the list. Select one or more, right-click, and click Import to begin analysis.
  6. You can select one or more modules for analysis. Note: it might take a few seconds for the list to appear. Click Import.
  7. The Server Queue is displayed. If needed, you can cancel a task in the Server Queue.
  8. If you close the Server Queue, you can reopen it by clicking the View Server Queue link on the bottom right.
  9. Analysis is performed against the modules you selected.
  10. After analysis is complete, switch to the Reports: Applications workspace.
  11. On the left, select a report you want to view.
  12. You might be prompted to select applications. If you want to change this selection later, there’s a Change Selection button on the toolbar.

  13. The report displays a list of applications with color coding. Click the colored boxes to view more details.

Install Capture

Install Capture lets you import application installers that are not available as MSI files. AppDNA uses a hypervisor connection to automate the Install Capture process. Alternatively, you can do a manual capture using the Self Provisioning process.

Prepare Install Capture Machine

  1. Create a share on the AppDNA machine. The captured data is stored in this share.


  2. The operating system of the Install Capture machine should match the operating system version you are migrating from.
  3. On the Install Capture machine, make sure Remote Desktop is enabled.
  4. On the Install Capture machine, browse to the AppDNA server in the \\AppDNAServer\C$\Program Files\Citrix\AppDNA\Tools folder, and run Citrix AppDNA VM Configuration.msi.
  5. In the Welcome to the Installation Wizard for Citrix AppDNA VM Configuration page, click Next.
  6. In the License Agreement page, select I accept the terms and click Next.
  7. In the Ready to Install the Program page, click Install.
  8. In the Installation Wizard Completed page, click Finish.
  9. Click Yes when prompted to reboot.
  10. Citrix Blog Post How to Speed Up AppDNA Install Capture by Using a Pre-captured Before Snapshot details how to take an Install Capture Snapshot manually, store it in the Install Capture machine, and then configure the Install Capture profile to skip taking an Install Capture snapshot. This Install Capture snapshot process is separate from hypervisor snapshot.
    "C:\Program Files\Citrix\AppDNA\VM Configuration\ossnapshot.exe" -cfg:"C:\Program Files\Citrix\AppDNA\VM Configuration\cfg.xml" -out:"c:\windows\temp\before.snap" -diff
  11. You can either take a snapshot now, or AppDNA will do it for you.

Configure AppDNA for Install Capture

  1. In the AppDNA Console, open the Edit menu and click Settings.
  2. On the left, switch to the Install Capture page.
  3. On the right, click New.
  4. In the Virtual Machine Configuration Wizard page, click Next.
  5. In the Virtual machine details page, give the configuration a name.
  6. Select vSphere and click Next.
  7. In the vSphere Host Details page, in the Single Sign-on Server field, enter the Platform Services Controller hostname.
  8. In the Port field, enter 7443.
  9. In the vCenter Server field, enter the hostname of the vCenter server.
  10. Enter credentials that can snapshot and perform power operations on the Install Capture machine. Click Test and then click Next.
  11. In the vSphere Virtual Machine page, in the list of machines, select the Install Capture machine and click Next.
  12. In the vSphere Snapshot selection page, if there are no snapshots, click Take Snapshot.

  13. Click Test. At least confirm that the machine can be reverted to snapshot. Don’t worry if the console doesn’t open. Click Next.
  14. In the Virtual machine connection page, enter the hostname of the Install Capture machine, and click Test. Note: the RemoteAdmin.exe process only runs while somebody is logged into the machine. Click Next.
  15. In the Capture output location page, enter the UNC path to the file share on the AppDNA server, and click Test. Then click Next.
  16. In the Virtual machine state page, make a selection, and click Next.
  17. In the Virtual machine configuration summary page, click Finish.
  18. Citrix Blog Post How to Speed Up AppDNA Install Capture by Using a Pre-captured Before Snapshot details how to take an Install Capture Snapshot manually, store it in the Install Capture machine, and then configure the Install Capture profile to skip taking an Install Capture snapshot. This Install Capture snapshot process is separate from hypervisor snapshot.
  19. Click Save to close the Settings window.

Perform Install Capture

  1. Switch to the Import workspace.
  2. On the left, under Import, click Applications.
  3. On the right, switch to the Install Capture tab. Click Browse and find an installer you want to import using Install Capture.
  4. If you have more than one Install Capture machine, use the drop-down to select the one you want to use.
  5. Select the apps. Then right-click, and click Import.

  6. Select the modules for analysis. Then click Import.
  7. The Install Capture VM will be started.
  8. Eventually you’ll be prompted to RDP to the Install Capture machine.
  9. The capture process begins with a snapshot of the Install Capture machine.
  10. Then the application is installed. This should happen automatically.
  11. Then a differencing snapshot is taken and uploaded to AppDNA Server.
  12. Analysis is performed against the modules you selected.
  13. After analysis is complete, switch to the Reports: Applications workspace.
  14. On the left, select a report you want to view.

Self Provisioning

Self Provisioning is very similar to Install Capture except there’s no need for direct connectivity between AppDNA server and the hypervisor that hosts the Self Provisioning machine. Once the process is started in the AppDNA console, a different user can complete the snapshot process on the Self Provisioning machine.

Prepare Self Provisioning Machine

  1. Make sure AppDNA VM Configuration is installed first.
  2. On the Self Provisioning machine, browse to the AppDNA server in the C$\Program Files\Citrix\AppDNA\Tools folder, and run Citrix AppDNA Self Provisioning Client.msi.
  3. In the Welcome to the Installation Wizard for Citrix AppDNA Self Provisioning Client page, click Next.
  4. If you see the Pre-Requisites Check page, stop the installer, install the AppDNA VM Configuration Client and then restart this installer.
  5. In the License Agreement page, select I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to Install the Program page, click Install.
  8. In the Installation Wizard Completed page, click Finish.
  9. Take a snapshot of the Self Provisioning machine.

Perform Self Provisioning Capture

  1. In the AppDNA Console, switch to the Import workspace.
  2. On the left, click Applications.
  3. On the right, switch to the Self Provisioning tab.
  4. Then click the Configuration icon in the toolbar.
  5. In the Self Provisioning page, enter the UNC path to a share that both machines (AppDNA server and Self Provisioning machine) can access.
  6. In the toolbar click Browse and browse to the application installer.
  7. Click Publish to push the files to the file share.

  8. Click in the PublishedFile column to access the full path and copy it to the clipboard.
  9. On the Self Provisioning machine, run the Self Provisioning Client from the Start Menu.
  10. Paste in the path and click Start.
  11. After the snapshot is taken, click the Start button and install the application.
  12. Once the install is complete, another snapshot will be taken and the results will be uploaded to the share. Click Close.
  13. Back in the AppDNA console, click Refresh Status and make sure the status changes to Complete.
  14. Make sure the application is selected and then on the right side of the toolbar click Move to Import.
  15. This moves the application to the Direct Import tab, where you can select the application and click the Import & queue for analysis button to begin analysis.

Solutions

CitrixTV XenApp Upgrades with AppDNA demonstrates the Solutions feature of AppDNA 7.6 including: XenApp upgrades, operating system image upgrades, and application interoperability.

Here are generic instructions for adding a Solution:

  1. For some of the solutions, it is helpful to import operating system images of the machines you are moving from and the machines you are moving to.
  2. In the Import workspace, on the left click Operating Systems.
  3. On the right, click Download Snapshot Manager. Run this on an operating system image that you want to import.
  4. Then click Import from MSI to import the MSI file generated by the Snapshot Manager.
  5. Switch to the Solutions workspace.
  6. On the top left click Add solution.
  7. In the Solutions Templates page, select a solution and click Next.
  8. In the Solution name page, give the solution a name and click Next.
  9. In the Platform name page, choose the platform you are migrating from and click Next.
  10. In the Applications page, select the applications you want to analyze and click Next.
  11. In the Solution platforms page you can change the Target platforms or add more platforms.
  12. Click Build.

VMware Horizon 6 – Cloud Pod Architecture

Last Modified: Sep 2, 2018 @ 7:50 am

Planning

Cloud Pod Architecture lets you create a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Entitlements can be local or global. Local means pools only in a single pod. Global means merging pools from multiple pods into a single entitlement.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • Global Entitlements work in a single pod (good for large pools). Or you can have multiple pods and multiple sites.
    • Horizon 6.2 supports Global Entitlements for applications. However, it’s one application per global entitlement.
  • Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a Horizon 6 Connection Server. The Horizon 6 Connection Server then uses Global Entitlements to select a pod/pool/desktop.
  • By default, pools in pods in the same site as the Horizon 6 Connection Server that the View Client is connected to are preferred over pools in remote sites. Use Home Sites to override this behavior. Home Sites are assigned to Active Directory user groups.
  • For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • The Horizon 6 Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 22389 and TCP 8472. Make sure these ports are open.
  • View Administrator includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.

Limits:

  • Max users = 20,000
  • Max Pods = 4
  • Max Sites = 2
  • Max Horizon 6 Connection Servers = 20

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon 6 Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon 6 Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon 6 Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route PCoIP through a Horizon 6 Connection Server in the remote pod. In fact, the Horizon 6 Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this PCoIP traffic.

Initialize First Pod

  1. In View Administrator, on the left, expand View Configuration and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. Click OK to reload the client.
  6. On the left, expand View Configuration and click Cloud Pod Architecture.
  7. Feel free to rename the federation.

  8. On the left, expand View Configuration and click Sites.
  9. Rename the Default First Site to be more descriptive.

  10. If you click the site to highlight it, you can rename the Pod to make it more descriptive.

  11. If you add a Replica server after global entitlements are enabled, see Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.
  12. See Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to View Administrator in the 2nd pod.
  2. On the left, expand View Configuration and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon 6 Connection Server that is already joined to the federation.
  5. Enter credentials and click OK.
  6. The Join status is displayed.
  7. Click OK to reload the client.
  8. On the left, expand View Configuration and click Sites.
  9. If this pod is in a different site then click Add to create a new site.
  10. Give the site a name and click OK.
  11. Highlight the 1st site.
  12. On the bottom, highlight the new pod and click Edit.
  13. Rename the pod and put it in the 2nd site. Click OK.

Global Entitlements

Do not create both global and local entitlements for the same pool; otherwise, users might see two icons.

  1. In View Administrator, on the left, expand Catalog and click Global Entitlements.
  2. On the right, click Add.
  3. In the Type page, select Desktop Entitlement or Application Entitlement and click Next.
  4. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one entitlement per application so include the application name.
  5. Make other selections. The Use home site checkbox tells the global entitlement to respect user home sites but the user home sites can only be configured at the command line (lmvutil). Click Next.
  6. If creating a Desktop Entitlement then there are more options.
  7. In the Users and Groups page, add users that can see the icon. Click Next.
  8. In the Ready to Complete page, click Finish.
  9. Double-click the new global entitlement.
  10. On the Local Pools tab, click Add.
  11. Select the pools you want to add and click Add. Remember, only one app per Global Entitlement.
  12. Go to another pod and view the Global Entitlements.
  13. On the right, double-click the Global Entitlement.
  14. On the Local Pools tab, click Add to add pools from this pod.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added to View Administrator. This allows you to search for sessions across federated pods.
  2. The Dashboard shows the health of remote pods.

Home Sites

Home sites can’t be specified in View Administrator so use lmvutil instead:

  • lmvutil provides almost no feedback.
  • Its parameter names are case sensitive.
  • It requires you to authenticate for every single command.
  • There are different commands for groups vs users.
  • Home sites for groups don’t understand nesting.

Do the following to create home sites and assign them to users:

  1. Run Command Prompt as administrator.
  2. To create home sites for users, see pubs.vmware.com.

VMware Horizon 6 – Virtual Desktop Pools

Last Modified: Sep 2, 2018 @ 7:50 am

This topic details View configuration for Virtual Desktop Agents. RDS Farms are detailed at https://www.carlstalhood.com/horizon-6-rds-farmspools/.

Prep

  • Each pool points to one vSphere cluster. 32 hosts maximum. If Virtual SAN, 20 hosts maximum.
  • Ensure vSwitch has sufficient ports for the new virtual desktops.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
    • Lower the DHCP lease time too.
  • KMS Licensing is required for Windows 7+ and/or Office 2010+.
  • The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  • The parent image should be in the same cluster where the linked clone virtual desktops will be created.

Disk space:

  • One or more LUNs for storage of the virtual desktops. Maximum of 140 desktops per VMFS5 LUN. Up to 250+ desktops per NFS LUN.
  • By default, Replicas are copied to each LUN that contains virtual desktops. It’s possible to place the Replica and the linked clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops. Note: NFS VAAI requires Replica to be copied to each virtual desktop LUN.
  • Persistent disks can be used to store the user’s profile (but not user-installed applications). To enable Persistent disks, the pool must be Dedicated Assignment. You can place the persistent disks on a LUN that is separate from the linked clones LUN. A better option is to use View Persona or User Environment Manager instead of Persistent disks.
  • Disposable disks. In Dedicated Assignment pools, you have the option of creating Disposable Disks. These disks are always stored with the virtual desktop (you can’t choose a dedicated disposable disk LUN). If you’re planning to frequently refresh the desktops, there’s no point in using Disposable disks.
  • .vswp files. Allocate disk space for memory swap and graphics memory overhead. Any unreserved memory will result in a .vswp file. For example, if the master virtual desktop has 2 GB of RAM configured and none of it is reserved then each linked clone will have a 2 GB .vswp file.

Floating (Non-Persistent) Desktop Pool

  1. In View Administrator, on the left, expand Catalog and click Desktop Pools.
  2. On the right, you can clone an existing pool. This copies many of the settings from the existing pool into the new pool.
  3. Or just click Add.
  4. In the Type page, select Automated Desktop Pool and click Next.
  5. In the User Assignment page, select Floating and click Next.
  6. In the vCenter Server page, select View Composer linked clones. Select the vCenter server and click Next.
  7. In the Pool Identification page, enter a name for the pool. A VM folder with the Pool ID as the name will be created in vCenter. Also, assign the pool to an Access group to restrict delegated administration. Note: If you intend to integrate with VMware Identity Manager, then make sure you select the root Access group. Other Access Groups won’t work. Click Next.
  8. In the Pool Settings page do the following:
    1. Change the selection for Automatically logoff after disconnect to After and specify a disconnect timer.
    2. Change the selection for Delete or refresh desktop on logoff to Refresh Immediately.
    3. Change the selection for Allow users to choose protocol to No. Then make your desired choices for 3D rendering and Maximum monitors. If not using 3D, max out the number of monitors and the resolution. This will grant more video RAM for each desktop if their video card is set to automatic.
    4. Note: Windows 7 MMR (H.264 only) requires 3D rendering to be enabled.
    5. Scroll down.
    6. Check the box next to HTML Access.
    7. HTML Access requires monitor resolution to be 1920×1200 or higher.
    8. Click Next.
  9. In the Provisioning Settings page, enter a naming pattern. You can use {n:fixed=3} to specify the location for the incremented numerals. Make sure the naming pattern does not conflict with any existing machines.
  10. Enter the maximum number of desktops to create. You can create all of them now or wait to create them as users connect. When a user connects to one of these desktops, View immediately creates another desktop (up to the maximum) and powers it on.
  11. Enter the number of spare (idle, unassigned, unused) desktops you want powered on. View maintains this number up to the maximum number of desktops.
  12. In Horizon 6.2, the maximum number of desktops per pool is 2,000. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here. Click Next.
  13. In the Disposable File Redirection page, select Do not redirect disposable files and click Next. Since we’re refreshing the desktops on logoff, there’s no need for a separate disposable disk.
  14. In the Storage Optimization page, check the box for Select separate datastores for replica and OS disk if you want to use storage tiering. Click Next.
  15. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option and make your selection.
  16. If the Parent VM is not showing up in the list then check the box next to Show all parent VMs and click the next to the VM to see the issue.
  17. For Linked clone datastores, select one or more datastores on which the virtual desktops will be placed. Select your Storage Overcommit preference. Since you are refreshing desktops on every logoff, they should stay small so Unbounded is probably acceptable. VMware recommends no more than 140 virtual desktops per VAAI-enabled LUN. If the LUN is not VAAI enabled, 64 is the maximum. Click OK when done.
  18. For Select Replica Disk Datastores, select one datastore for the replica and then click OK.
  19. Then click Next.
  20. In the Advanced Storage Options page, be aware of the following:
    • View Storage Accelerator creates digest files, which consumes disk space. Creation of the digest files requires IOPS. Make sure to set the blackout times so that this digest creation does not happen during peak hours.
    • Reclaim VM disk space is not useful for non-persistent desktops.
  21. If you scroll down, there’s a new Transparent Page Sharing Scope. The default is no sharing. Use one of the other options to enable sharing. Click Next.
  22. In the Guest Customization page, next to AD container, click Browse and select the OU where virtual desktop computer objects will be placed.
  23. Consider checking the box next to Allow reuse of pre-existing computer accounts. Click Next.
  24. In the Ready to Complete page, you may entitle users now or later. Click Finish.
  25. To check the status of the virtual desktops, go to Catalog > Desktop Pools.
  26. Double-click the pool name.
  27. On the Inventory tab, click Desktops (View Composer Details). There’s a refresh button.
  28. You can also view the status of the desktops by looking at the Dashboard.
  29. Your VMs should eventually have a status of Available.
  30. If you encounter issues with View Composer, see VMware 2087379 VMware Horizon View Composer help center
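
A pre-flight check for the naming pattern and DHCP scope from the Provisioning Settings steps above, as an added example that is not part of the original page or of Horizon itself. It assumes numbering starts at 1 and that a pattern without an {n} token gets the number appended; the existing machine names and the free-address count are constructed sample input.

```python
import re

NETBIOS_MAX = 15  # Windows computer names are limited to 15 characters
TOKEN = re.compile(r"\{n(?::fixed=(\d+))?\}")

def expand(pattern, count):
    """Machine names a naming pattern would yield for `count` desktops.
    Assumptions: numbering starts at 1; with no {n} token the number is appended."""
    m = TOKEN.search(pattern)
    width = int(m.group(1)) if m and m.group(1) else 0
    names = []
    for i in range(1, count + 1):
        num = str(i).zfill(width)  # {n:fixed=3} pads to 001, 002, ...
        if m:
            names.append(pattern[:m.start()] + num + pattern[m.end():])
        else:
            names.append(pattern + num)
    return names

def preflight(pattern, max_desktops, existing_names, free_dhcp_addresses):
    """Compare the planned pool against existing machine names and the DHCP scope."""
    names = expand(pattern, max_desktops)
    m = TOKEN.search(pattern)
    width = int(m.group(1)) if m and m.group(1) else 0
    existing = {name.upper() for name in existing_names}  # names compare case-insensitively
    return {
        "collisions": [n for n in names if n.upper() in existing],
        "too_long": [n for n in names if len(n) > NETBIOS_MAX],
        # This example's own rule: flag a fixed width the highest number does not fit in.
        "width_overflow": bool(width) and len(str(max_desktops)) > width,
        "dhcp_shortfall": max(0, max_desktops - free_dhcp_addresses),
    }

if __name__ == "__main__":
    # Constructed sample data: computer names exported from AD and a free-address count.
    existing = ["WIN7-FLOAT-002", "FS01", "win7-float-010"]
    report = preflight("Win7-Float-{n:fixed=3}", 50, existing, free_dhcp_addresses=40)
    for key, value in report.items():
        print(key, value)
```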

Entitle Virtual Desktops

To make a pool accessible by a user, it must be entitled.

  1. Go to Catalog > Desktop Pools.
  2. Double-click the pool name.
  3. On the Settings tab, click Entitlements.
  4. In the Entitlements window, click Add.
  5. Find a group that will have permission to log into these desktops and click OK.
  6. Then click OK.
  7. For a Persistent pool, go to the Inventory tab to see the desktops. Select a desktop and under More Commands click Assign User.
  8. Find the user and click OK. Repeat to assign users to additional desktops.

Update a Pool

  1. Power on the master/parent virtual desktop.
  2. After making your changes, shut down the master virtual desktop.
  3. Right-click the virtual machine and take a snapshot. You must create a new snapshot.
  4. Name the snapshot and click OK.
  5. If you do this often, you’ll need to periodically delete the older snapshots. Right-click the master VM and click Manage Snapshots.
  6. Delete one or more of the snapshots.
  7. In View Administrator, go to Inventory > Pools.
  8. Double-click a pool name.
  9. On the Settings tab, click View Composer and then click Recompose.
  10. In the Image page, select the new snapshot and click Next.
  11. In the Scheduling page, decide when to apply this new image and then click Next.
  12. In the Ready to Complete page, click Finish.
  13. On the Inventory tab, you can click Desktops (View Composer Details) to check on the status of the recompose task.
