Citrix Provisioning Master Device – Convert to vDisk

Last Modified: Dec 4, 2024 @ 3:56 am

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

💡 = Recently Updated

Change Log

PXE Tester

If you will use PXE, download CTX217122 PXEChecker to the master machine.

The TFTP portion won’t work unless the client-side firewall is disabled.

To verify functioning PXE, run PXEChecker, and Run Test in Legacy BIOS mode. Or you can do a BDM Test (see the article for details).

Convert to vDisk – Imaging Wizard Method

The Imaging Wizard connects to a Citrix Provisioning server to create a vDisk (.vhdx file) and a device (database entry with device’s MAC address). Once that’s done, the machine reboots and the conversion process begins. You can also do all of these steps manually.

  1. In the Citrix Provisioning Console, create a Store to hold the new vDisk.
  2. In the Citrix Provisioning Console, create a Device Collection to hold the new Target Device. This could be a Device Collection for Updater machines.
  3. The Imaging Wizard will ask you to enter a new machine name. You can’t use the existing machine name because Citrix Provisioning needs to create a new Active Directory account so Citrix Provisioning will know the new machine’s computer password.
  4. If the Imaging Wizard is not already running, launch it from the Start Menu.
  5. In the Welcome to the Imaging Wizard page, click Next.
  6. In the Connect to Citrix Provisioning Site page, enter the name of a Citrix Provisioning server, and click Next.
  7. In the Imaging Options page, click Next to create a new vDisk. Alternatively, you can select Create an image file.
  8. In the Add Target Device page, enter a new unique name for the new Target Device.
  9. Select a Collection name and click Next.
  10. In the New vDisk page:
    1. Enter a name for the vDisk.
    2. Select an existing Store name.
    3. Leave vDisk type set to Dynamic and VHDX.
  11. Click Next
  12. In the Microsoft Volume Licensing page, select None, and click Next. We’ll configure this later when switching to Standard Image mode.
  13. In the What to Image page, leave it set to Image entire boot disk, and click Next.
  14. In the Optimize Hard Disk for Citrix Provisioning page, click Next.

    • Shown below are the optimizations it performs.
  15. In the Summary page, click Create.
  16. In the Restart Needed page, click Continue.
  17. When asked to reboot, click No.
  18. Then click Yes to shut down the machine. This gives you time to reconfigure the machine to boot from the network or ISO. The vDisk conversion process cannot continue until you are booted from Citrix Provisioning.
  19. If you look in the Citrix Provisioning console, in the Store, you will see a new vDisk in Private Image mode. Currently there is nothing in this vDisk. The new vDisk is sized the same as the machine you ran Imaging Wizard from. You might have to Refresh the display to see the new vDisk.
  20. In the chosen Device Collection, you will see a new Target Device record that is configured to boot from Hard Disk, and is assigned to the new vDisk. You might have to Refresh the display to see the new Device.

Boot from Network or ISO

  1. Power off the Target Device.
  2. If the Target Devices are on the same subnet as the Provisioning Servers, then you don’t need to configure DHCP Scope Options 66 or 67.
  3. If the Target Devices are on a different subnet than the Provisioning Servers, then machines can use a Boot ISO that has UEFI enabled. Or configure DHCP Scope Options 66 and 67.
    1. For DHCP Scope option 66, you can only configure one TFTP Server address. For HA, you can enter a DNS name that does DNS round robin to multiple Citrix Provisioning servers. Or use Citrix ADC to load balance the TFTP service on the PVS servers.
    2. Configure DHCP scope option 67 with the correct file name. For the EFI file name, see Unified Extensible Firmware Interface (UEFI) pre-boot environments at Citrix Docs.
  4. For vSphere Client, edit the settings of the virtual machine.
  5. Switch to the VM Options tab.
  6. In the Boot Options section, check the box to Force EFI Setup, or Force BIOS Setup.

  7. If vSphere, and booting from an ISO:
    1. Switch to the Virtual Hardware tab.
    2. Expand CD/DVD drive 1 and connect the virtual machine’s CD to the Datastore ISO File named PvSBoot.iso.
    3. Make sure you check Connect At Power On.
    4. Make sure the CD-ROM is IDE, and not SATA.
    5. Also, remove any SATA controller.
    6. Click OK to close the virtual machine settings.
  8. If Hyper-V:
    1. In VMM, edit the virtual machine properties
    2. Switch to the Hardware Configuration page.
    3. If booting from ISO, in the Virtual DVD drive page, assign the ISO from the library.
    4. Switch to the Hardware Configuration > Firmware page
    5. Move PXE Boot or IDE Hard Drive to the top.
    6. Click OK to close the virtual machine properties.
  9. Power on the virtual machine.
  10. If vSphere EFI:
    1. Boot the virtual machine.
    2. In the Boot Manager, don’t select a boot option. Instead, go to Enter Setup.
    3. Go to Configure boot options.
    4. Go to Change boot order.
    5. Press <Enter> on Change the order.
    6. Use the plus icon on your number pad to move EFI Network to the top.
    7. Commit changes and exit.
    8. Exit the Boot Maintenance Manager.
    9. Now boot from EFI Network.
  11. If vSphere BIOS:
    1. Boot the virtual machine.
    2. In the Virtual Machine’s console, on the Boot tab, move Network boot or CD-ROM Drive to the top.

    3. Press F10 to close the BIOS Setup Utility.
  12. You should see the virtual machine boot from a Citrix Provisioning server and find the vDisk.

  13. Once the machine has booted, log in. If you see a Format Disk message, just ignore it, or click Cancel. The Imaging Wizard will format it for you.
  14. The conversion wizard will commence. It will take several minutes to copy the files from the C: drive (local hypervisor disk) to the vDisk (Citrix Provisioning disk), so be patient.

    1. If the Imaging Wizard does not successfully copy the local drives to the vDisk, first make sure the vDisk is mounted by opening the systray icon.

    2. Then you can manually start the conversion by running C:\Program Files\Citrix\Provisioning Services\P2PVS.exe.

  15. When done, click Done. It might prompt you to reboot. Reboot it, log in, and then shut it down.

Master Target Device – Join to Domain

Citrix Provisioning must learn the password of the Target Device’s Active Directory computer account. To achieve this, use the Citrix Provisioning Console to create or reset the computer account.

Do not use Active Directory Users & Computers to manage the Target Device computer account passwords. Creating, Resetting, and Deleting Target Device Active Directory computer objects must be done from inside the Citrix Provisioning Console so Citrix Provisioning will know the computer’s password. Citrix Provisioning will automatically handle periodic (default 7 days) changing of the computer passwords.

  1. In the Citrix Provisioning Console, right-click the new Target Device, expand Active Directory, and click Create Machine Account.
  2. Select the correct OU in which the Active Directory computer object will be placed, and click Create Account.
  3. Then click Close.

Boot from vDisk

  1. In the Citrix Provisioning Console, go to the Device Collection.
  2. Right-click the new device, and click Properties.
  3. On the General tab, set Boot from to vDisk.
  4. Restart the Target Device.
  5. At this point it should be booting from the vDisk. To confirm, in the systray by your clock is an icon that looks like a disk. Double-click it.
  6. The General tab shows Boot from = vDisk, and Mode = Read/Write.

vDisk – Save Clean Image

If you have not yet installed applications on this image, you can copy the VHDX file and keep it as a clean base image for future vDisks.

  1. If this vDisk is in Private Image mode, first power off any Target Devices that are accessing it.
  2. Then you can simply copy the VHDX file and store it in a different location.

If you later need to create a new vDisk, here’s how to start from the clean base image:

  1. Copy the clean base image VHDX file to a new folder.
  2. Rename the file to match your new Image name.
  3. In the Citrix Provisioning Console, create a new Store, and point it to the new folder.
  4. Give the new Store a name.
  5. On the Servers tab, select all Provisioning servers.
  6. On the Paths tab, enter the path to the new folder. Click OK.
  7. Click OK when asked to create the default write cache.
  8. Right-click the new store and click Add or Import Existing vDisk.
  9. Click Search.
  10. Click OK if prompted that a new property file will be created with default values.
  11. Click Add, click OK, and then click Close.

  12. You can now assign the new vDisk to an Updater Target Device and install applications.

KMS

Skip this section if you are using Active Directory-based Activation instead of KMS Server.

This only needs to be done once. More information at CTX128276 Configuring KMS Licensing for Windows and Office.

  1. Make sure the Citrix Provisioning services are running as an account that is a local administrator on the Provisioning Servers. Citrix Provisioning needs to mount the vDisk but only local administrators can mount VHDX files.
  2. In the Citrix Provisioning Console, right-click on the virtual disk, and select Properties.
  3. Click on the tab named Microsoft Volume Licensing, and set the licensing option to None. Click OK.
  4. Boot an Updater device from the vDisk in Private Image mode.
  5. Login to Windows and rearm the system for both Windows and Office, one after the other.
    1. For Windows Vista, 7, 2008, and 2008R2: Run cscript.exe slmgr.vbs -rearm
    2. For Office (for 64-bit client): C:\Program Files (x86)\Common Files\Microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
    3. For Office (for 32-bit client): C:\Program Files\Common Files\Microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
  6. A message is displayed to reboot the system. DO NOT REBOOT. Instead, run sealing tasks and then shut down the Target Device.
  7. In the Citrix Provisioning Console, right-click on the virtual disk, and select Properties.
  8. Click on the tab named Microsoft Volume Licensing, and set the licensing option to Key Management Services (KMS).
    • In Citrix Provisioning 1906 and newer, also check the box next to Accelerated Office Activation.
  9. Click OK.

Note: After streaming the vDisk to multiple Target Devices, Administrators can validate that the KMS configuration was successful by verifying that the CMID for each device is unique.

  • For Windows: Run cscript.exe slmgr.vbs -dlv
  • For Office: Run cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dcmid
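To check CMID uniqueness across many streamed Target Devices without logging on to each one, here is an added PowerShell example (not from the original article). It assumes WinRM is enabled on the targets, the caller is an administrator on them, and the device names are placeholders you replace with your own.

```powershell
# Added example: query the Windows CMID on a list of streamed Target Devices and
# report any value shared by more than one device. The device names are
# constructed placeholders.
$Targets = @('PVSTARGET01', 'PVSTARGET02', 'PVSTARGET03')

# SoftwareLicensingService.ClientMachineID is the same value that
# "slmgr.vbs -dlv" prints as "Client Machine ID (CMID)".
$Results = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    $svc = Get-CimInstance -ClassName SoftwareLicensingService
    [pscustomobject]@{
        Device = $env:COMPUTERNAME
        CMID   = $svc.ClientMachineID
    }
}

$Results | Sort-Object Device | Format-Table Device, CMID -AutoSize

# A CMID shared by several devices means KMS sees them as one client, so the
# vDisk needs to be rearmed and sealed again with the KMS licensing option set.
$Duplicates = $Results | Group-Object -Property CMID | Where-Object Count -gt 1
if ($Duplicates) {
    foreach ($g in $Duplicates) {
        Write-Warning ("CMID {0} is shared by: {1}" -f $g.Name, ($g.Group.Device -join ', '))
    }
} else {
    Write-Host 'All queried devices have unique CMIDs.'
}
```

Devices that are unreachable over WinRM produce an error and are simply absent from the table, so compare the row count with the number of targets you queried.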

Also see Citrix Blog Post Demystifying KMS and Provisioning Services

vDisk – Seal

Do the following sealing steps every time you switch from Private Image mode to Standard Image mode, or promote a Maintenance Image to Test or Production.

  1. Run antivirus sealing tasks. See VDA > Antivirus for links to various antivirus vendor articles.
  2. Citrix Blog Post Sealing Steps After Updating a vDisk contains a list of commands to seal an image for Citrix Provisioning.
  3. Citrix Blog Post PVS Target Devices & the “Blue Screen of Death!” Rest Easy. We Can Fix That has a reg file to clear out DHCP configuration.
  4. Shut down the target device.
  5. Note: Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.

Defrag the vDisk

In the Citrix Blog Post Size Matters: PVS RAM Cache Overflow Sizing, Citrix recommends defragmenting the vDisk.

If the vDisk was created by App Layering ELM, then Gunther Anderson at Performance considarations? at Citrix Discussions says there’s no point in doing a defrag.

  1. While still in Private Image mode, right-click the vDisk, and click Mount vDisk.
  2. In File Explorer, find the mounted disk, right-click it, and click Properties.
  3. On the Tools tab, click Optimize.
  4. Highlight the mounted drive and click Optimize.
  5. When done, back in Citrix Provisioning Console, right-click the vDisk, and click Unmount vDisk.

Standard Image Mode

  1. In the Citrix Provisioning Console, go to the vDisk store, right-click the vDisk, and click Properties.
  2. On the General tab:
    1. Change the Access Mode to Standard Image.
    2. Set the Cache Type to Cache in device RAM with overflow on hard disk. Don’t leave it set to the default cache type or you will have performance problems. Also, every time you change the vDisk from Standard Image to Private Image and back again, you’ll have to select Cache in device RAM with overflow on hard disk.
    3. Change the Maximum RAM size to a higher value. For virtual desktops, set it to 512 MB or larger. For Remote Desktop Session Hosts, set it to 4096 MB or larger. Make sure your Target Devices have extra RAM to accommodate the write cache.
    4. On the bottom of the General tab is a new checkbox to disable cleanup of cached secrets. By default, Citrix Provisioning 7.12 and newer will delete any cached credentials. This behavior can be disabled by checking the box.
  3. Click OK when done.

vDisk – High Availability

  1. In the Citrix Provisioning Console, right-click the vDisk, and click Load Balancing.
  2. Ensure Use the load balancing algorithm is selected. Check the box next to Rebalance Enabled. Click OK.
  3. Go to the physical vDisk store location (e.g. D:\Win2016Common) and copy the .vhd and .pvp vDisk files for the new vDisk. Do not copy the .lok file.
  4. Go to the same path on the other Provisioning Server and paste the files. You must keep both Provisioning Servers synchronized.
  5. Another method of copying the vDisk files is by using Robocopy:
    Robocopy D:\vDisks\ \\pvs2\d$\vDisks *.vhd *.avhd *.pvp *.vhdx *.avhdx /b /mir /xf *.lok /xd WriteCache /xo
  6. Citrix Blog Post The vDisk Replicator Utility is finally finished! has a GUI utility script that can replicate vDisks between Citrix Provisioning Sites and between Citrix Provisioning Farms.

  7. In the Citrix Provisioning Console, right-click the vDisk, and click Replication Status.
  8. Blue indicates that the vDisk is identical on all servers. If they’re not identical then you probably need to restart the Citrix PVS Stream Service and the Citrix PVS SOAP Service. Click Done when done.
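Replication Status in the console compares the vDisk files for you; the following added PowerShell example (not from the original article, nor a Citrix tool) does the same check from the command line by comparing size and SHA-256 hash of the vDisk files on two servers, skipping .lok files and the WriteCache folder exactly as the Robocopy command above does. The server names and store path are constructed placeholders.

```powershell
# Added example: compare the vDisk files of one store across two Provisioning
# servers. Server names and the administrative-share path are placeholders.
$Servers   = @('pvs1', 'pvs2')
$StorePath = 'd$\vDisks'
$Patterns  = '*.vhd', '*.avhd', '*.vhdx', '*.avhdx', '*.pvp'   # .lok is deliberately absent

function Get-StoreInventory {
    param([string]$Server)
    $root = "\\$Server\$StorePath"
    Get-ChildItem -Path $root -Include $Patterns -Recurse -File |
        Where-Object { $_.FullName -notmatch '\\WriteCache\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Relative = $_.FullName.Substring($root.Length).TrimStart('\')
                Length   = $_.Length
                Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$first  = Get-StoreInventory -Server $Servers[0]
$second = Get-StoreInventory -Server $Servers[1]
$byName = @{}
foreach ($f in $second) { $byName[$f.Relative] = $f }

$mismatch = $false
foreach ($f in $first) {
    $other = $byName[$f.Relative]
    if (-not $other) {
        Write-Warning "$($f.Relative) is missing on $($Servers[1])"
        $mismatch = $true
    } elseif ($f.Length -ne $other.Length -or $f.Hash -ne $other.Hash) {
        Write-Warning "$($f.Relative) differs between $($Servers[0]) and $($Servers[1])"
        $mismatch = $true
    }
    $byName.Remove($f.Relative)
}
# Anything left in the table exists only on the second server.
foreach ($extra in $byName.Keys) {
    Write-Warning "$extra exists only on $($Servers[1])"
    $mismatch = $true
}
if (-not $mismatch) {
    Write-Host "Store '$StorePath' is identical on $($Servers -join ' and ')."
}
```

Hashing multi-gigabyte VHDX files takes a while; run it after the vDisk is in Standard Image mode (or no Private Image device is writing to it), otherwise the hash changes while you compute it.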

Cache Disk – vSphere

Here are vSphere instructions to remove the original C: drive from the Master Target Device, and instead add a blank cache disk.

  1. In vSphere Client, right-click the Master Target Device, and click Edit Settings.
  2. Select Hard disk 1, and click the x icon. Click OK.
  3. Edit the Settings of the virtual machine again.
  4. On the top right, click Add New device, and select Hard Disk.
  5. This is your cache overflow disk. Size is based on the type of VDA.
    • 40 GB is probably a good size for session hosts.
    • For virtual desktops this can be a smaller disk (e.g. 5 GB).
    • Note: the pagefile must be smaller than the cache disk.
  6. Expand the newly added disk, and set Disk Provisioning to Thin provision if desired. Click OK when done.
  7. Configure group policy to place the Event Logs on the cache disk.
  8. Boot the Target Device and Verify the Write Cache Location.

Cache Disk – Hyper-V

Remove the original C: drive from the Target Device and instead add a cache disk.

  1. Edit the settings of your Citrix Provisioning master virtual machine and remove the existing VHD.
  2. Make a choice regarding deletion of the file.
  3. Create a new Disk.
  4. This is your cache overflow disk. 15-20 GB is probably a good size for session hosts. For virtual desktops this can be a smaller disk (e.g. 5 GB). Note: the pagefile must be smaller than the cache disk. Click OK when done.
  5. Configure group policy to place the Event Logs on the cache disk.

Verify Write Cache Location

  1. Boot the target device virtual machine.
  2. Open the Virtual Disk Status window by clicking the Citrix Provisioning disk icon in the system tray by the clock.
  3. Make sure Mode is set to Read Only and Cache type is set to device RAM with overflow on local hard drive.
  4. If Cache type says server, then follow the next steps:

    1. For the cache disk, if machine uses BIOS, then only MBR is supported. GPT only works with EFI/UEFI machines.
    2. The cache disk must be a Basic disk, not Dynamic.
    3. Format the cache disk with NTFS.
    4. Make sure the pagefile is smaller than the cache disk. If not, it will fall back to server caching.
  5. After fixing the problem and rebooting, the Cache Type should be device RAM with overflow on local hard drive.
  6. To view the files on the cache disk, go to Folder Options, and deselect Hide protected operating system files.
  7. On the cache disk, you’ll see the pagefile, and the vdiskdiff.vhdx file, which is the overflow cache file.

Citrix Provisioning Master Device – Preparation

Last Modified: Dec 4, 2024 @ 3:54 am

💡 = Recently Updated

Change Log

General Preparation

  1. In Provisioning 2311 and newer, make sure the VDA machine is UEFI instead of BIOS. If not, see Converting BIOS vDisks to UEFI at Citrix Docs.
  2. Build the VDA like normal.
  3. Update VMware Tools.
  4. Join the machine to the domain.
  5. Chrome and Edge – CTX212545 PVS 7.6 CU1: Write cache getting filled up automatically recommends disabling Google Chrome automatic updates.

Pagefile

Ensure the pagefile is smaller than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB and Citrix Provisioning will be unable to move it to the cache disk. This causes Citrix Provisioning to cache to server instead of caching to your local cache disk (or RAM).

The cache disk size for a session host is typically 15-20 GB. The cache disk size for a virtual desktop is typically 5 GB.

  1. Open System. In 2012 R2 and newer, you can right-click the Start button, and click System.
  2. For older versions of Windows, you can click Start, right-click the Computer icon, and click Properties. Or find System in the Control Panel.
  3. Click Advanced system settings.
  4. On the Advanced tab, click the top Settings button.
  5. On the Advanced tab, click Change.
  6. Either turn off the pagefile or set the pagefile to be smaller than the cache disk. Don’t leave it set to System managed size. Don’t forget to click the Set button. Click OK several times.
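The pagefile requirement above and the cache disk conditions in the Verify Write Cache Location section (MBR on BIOS machines, Basic disk, NTFS, pagefile smaller than the cache disk) can be checked in one pass with this added PowerShell example (not from the original article, nor a Citrix tool). It assumes the cache disk is drive D: and that a Dynamic disk is recognisable by its LDM partition type.

```powershell
# Added example: run on a Target Device to check the local write-cache
# prerequisites this article lists. The cache drive letter is an assumption.
function Test-PvsCacheDisk {
    param([string]$CacheDrive = 'D')

    $problems  = [System.Collections.Generic.List[string]]::new()
    $firmware  = $env:firmware_type                 # 'UEFI' or 'Legacy' (BIOS)
    $partition = Get-Partition -DriveLetter $CacheDrive -ErrorAction Stop
    $disk      = Get-Disk -Number $partition.DiskNumber
    $volume    = Get-Volume -DriveLetter $CacheDrive

    # BIOS machines only support an MBR cache disk; GPT needs EFI/UEFI.
    if ($firmware -eq 'Legacy' -and $disk.PartitionStyle -eq 'GPT') {
        $problems.Add("Cache disk $($disk.Number) is GPT but the machine boots with BIOS; use MBR.")
    }
    # Dynamic disks expose LDM partitions (assumption used for the check).
    if ($partition.Type -like 'LDM*') {
        $problems.Add("Cache disk $($disk.Number) is a Dynamic disk; it must be Basic.")
    }
    if ($volume.FileSystem -ne 'NTFS') {
        $problems.Add("Cache volume ${CacheDrive}: is $($volume.FileSystem); format it with NTFS.")
    }

    # System managed pagefile sizing follows the RAM size and can exceed the
    # cache disk, which makes the target fall back to server-side caching.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) {
        $problems.Add('Pagefile is System managed; set a fixed size smaller than the cache disk.')
    } else {
        foreach ($pf in @(Get-CimInstance -ClassName Win32_PageFileSetting)) {
            $maxBytes = [int64]$pf.MaximumSize * 1MB
            if ($pf.MaximumSize -eq 0 -or $maxBytes -ge $disk.Size) {
                $problems.Add(("Pagefile {0} (max {1} MB) is not smaller than the {2:N0} MB cache disk." -f
                    $pf.Name, $pf.MaximumSize, ($disk.Size / 1MB)))
            }
        }
    }

    [pscustomobject]@{
        CacheDrive     = $CacheDrive
        Firmware       = $firmware
        PartitionStyle = $disk.PartitionStyle
        FileSystem     = $volume.FileSystem
        CacheDiskMB    = [int]($disk.Size / 1MB)
        Problems       = $problems.ToArray()
    }
}

$result = Test-PvsCacheDisk -CacheDrive 'D'
$result | Format-List
if ($result.Problems.Count -eq 0) {
    Write-Host 'Cache disk prerequisites look good; confirm Cache type in the Virtual Disk Status window.'
}
```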

VMware ESXi/vSphere

VMXNET3

For VMware virtual machines, make sure the NIC is VMXNET3. E1000 is not supported and will affect performance.

View hidden adapters in Device Manager and delete any ghost VMXNET3 NICs.

  1. At the command prompt, type the following lines, pressing ENTER after each line.
    set devmgr_show_nonpresent_devices=1
    start devmgmt.msc
    
  2. Open the View menu, and click Show hidden devices.
  3. Expand Network adapters, and look for ghost NICs (grayed out). If you see any, remove them.

SATA Controller

Citrix Provisioning does not support the SATA Controller that became available in ESXi virtual machine hardware Version 10. Change the CD/DVD Drive to IDE instead of SATA.

Then remove the SATA Controller.

NTP

Ensure that the ESXi hosts have NTP enabled.

DHCP

After creating the vDisk, follow the instructions at Provisioning Services 6 Black Screen Issue to clear any DHCP address in the vDisk.

Slow Boot Times

Citrix Provisioning Target Devices in VMware ESX boot slow intermittently after upgrading the ESX hosts from 5.0 to 5.1.

Citrix CTX139498 Provisioning Services Target Devices Boot Slow in ESX 5.x: Use the following command to disable the NetQueue feature on the ESX hosts:

esxcli system settings kernel set -s netNetqueueEnabled -v FALSE

Hyper-V

  1. Generation 2 support is available in Citrix Provisioning 7.8 and newer.
  2. If Generation 1, each Hyper-V Citrix Provisioning Target Device must have a Legacy network adapter. Legacy NIC supports Network Boot, while the Synthetic NIC does not.
  3. Give the Legacy Network Adapter a Static MAC address. If you leave it set to all zeros then VMM will generate one once the VM is deployed.
  4. When you reopen the virtual machine properties there will be a Static MAC address.
  5. Set the Action to take when the virtualization server stops to Turn off virtual machine. This prevents Hyper-V from creating a BIN file for each virtual machine.
  6. To set a VLAN, either create a Logical Network and Network Site, or use Hyper-V Manager to set the VLAN on each virtual machine NIC.

Antivirus Best Practices

Citrix’s Recommended Antivirus Exclusions

Citrix Tech Zone: Endpoint Security, Antivirus, and Antimalware Best Practices.

Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:

  • Set real-time scanning to scan local drives only and not network drives
  • Disable scan on boot
  • Remove any unnecessary antivirus related entries from the Run key
  • Exclude the pagefile(s) from being scanned
  • Exclude Windows event logs from being scanned
  • Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including StoreFront, VDA, Controller, and Provisioning. The Blog Post also has links to additional KB articles on antivirus.

Sophos

Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Kaspersky

CTX217997 BSOD Error: “STOP 0x0000007E CVhdMp.sys with Kaspersky antivirus”: install Kaspersky Light Agent using the /pINSTALLONPVS=1 switch.

Boot ISO

You can create a Citrix Provisioning boot ISO for your Target Devices. This is an alternative to PXE.

  1. On the Provisioning server, run Citrix Provisioning Boot Device Manager.
  2. In the Specify the Login Server page, add the IP addresses of Provisioning servers.
  3. Check the box next to Target device is UEFI firmware. Click Next.
  4. In the Set Options page, check the box next to Verbose Mode, and click Next.
  5. In the Burn the Boot Device page, do not click Burn. If you do, then you will have a very bad day. Instead, look in the Boot Device section, and change it to Citrix ISO Image Recorder. Then you can click Burn.
  6. Save the iso and upload it to a datastore or VMM library.
  7. You can now configure your Target Devices to boot from this ISO file.

Target Device Software Installation

The Target Device Software version must be the same or older than the Citrix Provisioning server version.

The install instructions for all Target Device versions 2411 and older are essentially the same.

Do the following on the master VDA you intend to convert to a vDisk. Try not to install this while connected using RDP or ICA since the installer will disconnect the NIC.

  1. Ghost NICs – Your Target Device might have ghost NICs. This is very likely to occur on Windows 7 and Windows 2008 R2 VMs when using VMXNet3. Follow CTX133188 Event ID 7026 – The following boot-start or system-start driver(s) failed to load: Bnistack to view hidden devices and remove ghost NICs.
  2. Go to the downloaded Citrix Provisioning and run PVS_Device_x64.exe.
  3. If you see a requirements window, then click Install to install prerequisites.
  4. In the Welcome to the Installation Wizard for Citrix Provisioning Target Device x64 page, click Next.
  5. In the License Agreement page, select I accept, and click Next.
  6. In the Customer Information page, click Next.
  7. In the Destination Folder page, click Next.
  8. In the Ready to Install the Program page, click Install.
  9. In the Installation Wizard Completed page click Finish.
  10. Click Yes if prompted to restart.
  11. The Imaging Wizard launches. Review the following tweaks. Then proceed to converting the Master Image to a vDisk.

Target Device Software Tweaks

Asynchronous I/O

Prevent Drive for Write Cache

From Citrix Community PVS Target Device wrong drive letters: The driver that determines which partition to place the local cache searches for a file named: {9E9023A4-7674-41be-8D71-B6C9158313EF}.VDESK.VOL.GUID in the root directory. If the file is found it will not place the write cache on that disk.
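The following added PowerShell example (not from the original article, nor a Citrix tool) places that marker file on a data volume that should never receive the write cache and then reports which fixed volumes are excluded. The drive letter is an assumption; that an empty file is enough is also an assumption, since the post only says the driver checks for the file's presence.

```powershell
# Added example: mark a volume so the Target Device driver skips it when
# choosing where to place the write cache, then list the exclusion state of
# every fixed volume. The drive letter is a placeholder.
$ExcludeDrive = 'E'
$MarkerName   = '{9E9023A4-7674-41be-8D71-B6C9158313EF}.VDESK.VOL.GUID'
$MarkerPath   = Join-Path -Path "${ExcludeDrive}:\" -ChildPath $MarkerName

# -LiteralPath avoids any wildcard interpretation of the braces in the name.
if (-not (Test-Path -LiteralPath $MarkerPath)) {
    New-Item -Path $MarkerPath -ItemType File -Force | Out-Null
    Write-Host "Created $MarkerPath"
}

# Report which fixed volumes carry the marker and are therefore excluded.
Get-Volume |
    Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' } |
    ForEach-Object {
        $candidate = Join-Path -Path "$($_.DriveLetter):\" -ChildPath $MarkerName
        [pscustomobject]@{
            Drive        = "$($_.DriveLetter):"
            FileSystem   = $_.FileSystem
            SizeGB       = [math]::Round($_.Size / 1GB, 1)
            CacheExcluded = Test-Path -LiteralPath $candidate
        }
    } | Format-Table -AutoSize
```

Do not place the marker on the intended cache disk itself, or the driver will have no eligible local volume and the target falls back to server caching.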

Excessive Retries

If VMware vSphere, make sure the NIC is VMXNET3.

Hide Citrix Provisioning Systray Icon

From Citrix CTX572340 Hide “Virtual Disk status” icon from System tray on the endpoints: Add the reg value below:

  • HKLM\Software\Citrix\ProvisioningServices\StatusTray
    • ShowIcon (DWORD) = 0

This, however, hides the icon for all users, even Admins. Solution: apply the HKCU value below based on group membership (Group Policy Preferences > Item Level Targeting):

  • HKEY_CURRENT_USER\SOFTWARE\Citrix\ProvisioningServices\StatusTray
    • ShowIcon (DWORD) = 0

Once that is in place the icon will go away.

Citrix Provisioning Console Configuration

Last Modified: Dec 4, 2024 @ 3:55 am

Change Log

Launch the Provisioning Console

  1. Launch the Citrix Provisioning Console.
  2. Right-click the top-left node and click Connect to Farm.
  3. Enter localhost and click Connect.
  4. In large multi-domain environments, or when older domains are still configured but are unreachable, if you see Server communication timeout, then see CTX231194 PVS Console Errors: “Critical Error: Server communication timeout” for a registry key to skip forest level trusts, a registry key to increase the console timeout, and a .json file to blacklist domains.

Farm Properties

  1. Right-click the farm name and click Properties.
  2. On the Groups tab, add the Citrix Admins group.
  3. On the Security tab, add the Citrix Administrators group to grant it full permission to the entire Provisioning farm. You can also assign permissions in various nodes in the Provisioning console. Citrix Provisioning 2311 and newer let you restrict a group to Read-only access.
  4. On the Options tab, check the boxes next to Enable Auditing, and Enable offline database support.

    • With Auditing enabled, you can right-click on objects and click Audit Trail to view the configuration changes.

  5. If you see a Problem Report tab, you can enter MyCitrix credentials. This tab was removed in Provisioning 2209.
  6. Registration tab shows you if the farm is registered to a CVAD Site or Citrix Cloud.

  7. Encryption tab shows you the status of database encryption. In PVS 2407 and newer, database encryption no longer requires registration with Citrix Cloud.
  8. Click OK to close Farm Properties.
  9. Click OK when prompted that a restart of the service is required.

Server Properties

  1. Expand the Provisioning Site and click Servers.
  2. For each Provisioning Server, right-click it, and click Configure Bootstrap.
  3. Click Read Servers from Database. This should cause both servers to appear in the list.
  4. From Carl Fallis at PVS HA at Citrix Discussions: when stopping the stream service through the console, the Provisioning server will send a message to the targets to reconnect to another server before the stream service shuts down. The target then uses the list of login servers (Bootstrap servers) and reconnects to another server; this is almost instantaneous failover and can’t really be detected. In the case of the Provisioning server failing, the target detects it and reconnects; this is a slightly different mechanism and the target may hang for a short time. Check out the following article for more information https://www.citrix.com/blogs/2014/10/16/provisioning-services-failover-myth-busted for the Provisioning server failure case.
  5. On the Options tab, check the box next to Verbose mode.
  6. Right-click the server, and click Properties.
  7. On the General tab, check the box next to Log events to the server’s Windows Event Log.
  8. Click Advanced.
  9. Citrix Blog Post From Legacy to Leading Edge: The New Citrix Provisioning Guidelines says Avoid Modifying the Threads Per Port and Streaming Ports. The old guidance was for the number of threads per port should match the number of vCPUs assigned to the server.
  10. On the same tab are concurrent I/O limits. Note that these throttle connections to local (drive letter) or remote (UNC path) storage. Setting them to 0 turns off the throttling. Only testing will determine the optimal number.
  11. Click OK to close Advanced Server Properties.
  12. On the Network tab, Citrix Blog Post From Legacy to Leading Edge: The New Citrix Provisioning Guidelines says Avoid Modifying the Threads Per Port and Streaming Ports. The old guidance was to change the Last port to 6968.
    • Note: port 6969 is used by the Provisioning two-stage boot (Boot ISO) component.
    • You can set the First port to 7000 to avoid port 6969 and get more ports.
    • Citrix Provisioning 1811 and newer open Windows Firewall ports during installation, but Citrix Provisioning Console will not change the Windows Firewall rules based on what you configure here. You’ll need to adjust the Windows Firewall rules manually.
  13. Click OK when done.
  14. Click Yes if prompted to restart the stream service.
  15. If you get an error message about the stream service then you’ll need to restart it manually.

  17. Repeat for the other servers. You can copy the Server Properties from the first server, and paste them to additional servers.



Create vDisk Stores

To create additional vDisk stores (one per vDisk / Delivery Group / Image), do the following:

  1. On the Provisioning servers, using Explorer, go to the local disk containing the vDisk folders and create a new folder. The folder name usually matches the vDisk name. Do this on both Provisioning servers.
  2. In the Provisioning Console, right-click Stores, and click Create Store.
  3. Enter the name for the vDisk store, and select an existing site.
  4. Switch to the Servers tab. Check the boxes next to the Provisioning Servers.
  5. On the Paths tab, enter the path for the Delivery Group’s vDisk files. Shared SMB paths are supported as described at Citrix Blog Post PVS Internals #4: vDisk Stores and SMB3.
  6. Click Validate.
  7. Click Close and then click OK.
  8. Click Yes when asked for the location of write caches.

Create Device Collections

  1. Expand the site, right-click Device Collections, and click Create Device Collection.
  2. Name the collection in some fashion related to the name of the Delivery Group, and click OK.

If you are migrating from one Provisioning farm to another, see Kyle Wise How To Migrate PVS Target Devices.

Prevent “No vDisk Found” PXE Message

If PXE is enabled on your Provisioning servers, and if you PXE boot a machine that is not added as a device in the Provisioning console, then the machine will pause booting with a “No vDisk Found” message at the BIOS boot screen. Do the following to prevent this.

  1. Enable the Auto-Add feature in the farm Properties on the Options tab.

  2. Create a small dummy vDisk (e.g. 100 MB).

  3. Create a dummy Device Collection.

  4. Create a dummy device.
  5. Set it to boot from Hard Disk.
  6. Assign the dummy vDisk and click OK.
  7. Set the dummy device as the Template.

  8. Right-click the site, and click Properties.
  9. On the Options tab, point the Auto-Add feature to Dummy collection, and click OK.

Citrix Provisioning 2411 – Server Install

Last Modified: Dec 7, 2024 @ 4:01 am

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

Planning and Versions

CTX220651 Best Practices for deploying PVS in multi-geo environments: ensure that Provisioning farms do not span data centers with a network latency that can affect communications between the Provisioning Servers and the SQL database.

SQL 2019 is supported with Citrix Provisioning 2003 and newer.

Citrix Provisioning Firewall Rules

The most recent Current Release version of Citrix Provisioning is 2411.

For LTSR CVAD, deploy the Citrix Provisioning version that matches your CVAD version.

Citrix License Server Version

Upgrade the Citrix Licensing server to the latest version. Citrix now requires the latest License Server version, which is configured to upload license telemetry data.

Upgrade

Windows Server 2022 is supported with Citrix Provisioning 2203 and newer.

VMware ESXi 8.0 is supported with Citrix Provisioning 2212 and newer.

SCVMM 2022 is supported with Citrix Provisioning 2203 and newer.

If you are upgrading from an older version of Citrix Provisioning, do the following:

  1. In-place upgrade the Citrix License Server.
  2. In-place upgrade the Provisioning Console.
    1. Re-register the Citrix.PVS.snapin.dll snap-in:
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"
    2. If upgrading from 7.15.3000 to 7.15.4000, then manually upgrade the snap-ins. See CTX256773 Powershell SnapIns are not upgraded from PVS 7.15 LTSR CU3 to 7.15 LTSR CU4 after the upgrade is complete.
  3. In-place upgrade the Provisioning Server. If you have two or more Provisioning servers, upgrade one, and then the other. If High Availability is configured correctly, then the Target Devices should move to a different Provisioning server while a Provisioning server is being upgraded.
    1. After the first Provisioning server is upgraded, run the Configuration Wizard. You can generally just click Next through the wizard. At the end, you’ll be prompted to upgrade the database. Then upgrade the remaining Provisioning servers and run the Config Wizard on each of them too.
  4. Upgrade the Target Device Software inside each vDisk. Don’t do this until the Provisioning servers are upgraded (Target Device Software must be same version or older than the Provisioning Servers).
    1. If your Target Devices are 7.6.1 or newer, you can create a Maintenance version, boot an Updater Target Device, and in-place upgrade the Target Device Software.
    2. If your Target Devices are older, then you must reverse image.

vDisk Storage

Do the following on both Provisioning Servers. The vDisks will be stored locally on both servers. You must synchronize the files on the two servers: either manually (e.g. Robocopy), or automatically (e.g. DFS Replication).

Create D: Drive

  1. In the vSphere Web Client, edit the settings for each of the Provisioning server virtual machines.
  2. On the bottom, use the drop-down list to select New Hard Disk, and click Add.
  3. Expand the New Hard disk by clicking the arrow next to it.
  4. Change the disk size to 500 GB or higher. It needs to be large enough to store the vDisks. Each full vDisk is 40 GB plus a chain of snapshots. Additional space is needed to merge the chain.
  5. Feel free to select Thin provision, if desired. Click OK when done.
  6. Log in to the session host. Right-click the Start Button, and click Disk Management.
  7. In the Action menu, click Rescan Disks.
  8. On the bottom right, right-click the CD-ROM partition, and click Change Drive Letters and Paths.

  9. Click Change.
  10. Change the drive letter to E:, and click OK.
  11. Click Yes when asked to continue.
  12. Right-click Disk 1 and click Online.
  13. Right-click Disk 1 and click Initialize Disk.
  14. Click OK to initialize the disk.
  15. Right-click the Unallocated space, and click New Simple Volume.
  16. In the Welcome to the New Simple Volume Wizard page, click Next.
  17. In the Specify Volume Size page, click Next.
  18. In the Assign Drive Letter or Path page, select D: and click Next.
  19. In the Format Partition page, change the Volume label to vDisks and click Next.
  20. In the Completing the New Simple Volume Wizard page, click Finish.
  21. If you see a pop-up asking you to format the disk, click Cancel since Disk Management is already doing that.

vDisk Folders

On the new D: partition, create one folder per Delivery Group. For example, create one called Win10Common, and create another folder called Win10SAP. Each vDisk is composed of several files, so it’s best to place each vDisk in a separate folder. Each Delivery Group is usually a different vDisk.

Robocopy Script

Here is a sample robocopy statement to copy vDisk files from one Provisioning server to another. It excludes .lok files and excludes the WriteCache folders.

REM Robocopy from PVS01 to PVS02
REM Deletes files from other server if not present on local server
Robocopy D:\vDisks \\pvs02\d$\vDisks *.vhd *.vhdx *.avhd *.avhdx *.pvp /b /mir /xf *.lok /xd WriteCache /xo

Citrix Blog Post vDisk Replicator Utility has a GUI utility script that can replicate vDisks between Provisioning Sites and between Provisioning Farms.

Service Account

Provisioning Services should run as a domain account that is in the local administrators group on both Provisioning servers. This is required for KMS Licensing.

Provisioning Console Install/Upgrade

The installation and administration of Citrix Provisioning 2411 and older (including LTSR versions 2203 and 1912) are essentially identical.

Operating System – Windows Server 2022 is supported with Citrix Provisioning 2203 and newer.

Hypervisor – VMware ESXi 8.0 is supported with Citrix Provisioning 2212 and newer. VMware VSAN 8 is supported with Citrix Provisioning 2311 and newer.

BIOS – Citrix Provisioning 2311 and newer no longer support BIOS. See Converting BIOS vDisks to UEFI at Citrix Docs.

If you want to automate the installation and configuration of Citrix Provisioning, see Dennis Span Citrix Provisioning Server unattended installation.

To manually install Provisioning Console, or in-place upgrade the Provisioning Console:

  1. Go to the downloaded Citrix Provisioning ISO, and in the Console folder, run PVS_Console_x64.exe.
  2. Click Install.
  3. If you see the .NET Framework Setup page:
    1. Check the box next to I have read and accept the license terms, and click Install.
    2. In the Installation Is Complete page, click Finish.
    3. Click Restart Now.
    4. Restart the PVS_Console_x64.exe installer.
    5. Click Install.
  4. Click Yes to reboot when prompted. Then restart the installation.
  5. In the Welcome to the InstallShield Wizard for Citrix Provisioning Console x64 page, click Next.
  6. In the License Agreement page, select I accept the terms, and click Next.
  7. In the Customer Information page, click Next.
  8. In the Destination Folder page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the InstallShield Wizard Completed page, click Finish.
  11. Click Yes if you are prompted to restart.

After upgrading the Console, re-register the PowerShell snap-in. This is required for the Citrix App Layering Agent.

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"

Provisioning Server – Install/Upgrade

The installation and administration of Citrix Provisioning 2411, 1912 LTSR CU9, 7.15.45, 7.6.9 and other 7.x versions are essentially identical.

Operating System – Windows Server 2022 is supported with Citrix Provisioning 2203 and newer.

Hypervisor – VMware ESXi 8.0 is supported with Citrix Provisioning 2212 and newer. VMware VSAN 8 is supported with Citrix Provisioning 2311 and newer.

BIOS – Citrix Provisioning 2311 and newer no longer support BIOS. See Converting BIOS vDisks to UEFI at Citrix Docs.

You can in-place upgrade Provisioning Server. The Provisioning Servers must be upgraded before the vDisks’ Target Device Software is upgraded. While upgrading one Provisioning Server, all Target Devices are moved to the other Provisioning Server, assuming that vDisk High Availability is properly configured.

To install/upgrade Provisioning server:

  1. If vSphere, make sure the Provisioning server virtual machine Network Adapter Type is VMXNET 3.
  2. Go to the downloaded Provisioning ISO, and in the Server folder, run PVS_Server_x64.exe.
  3. Click Install when asked to install prerequisites.
  4. Click Yes to reboot. After the restart, relaunch the installer.
  5. Note: there’s a long delay before the installation wizard appears.
  6. In the Welcome to the Installation Wizard for Citrix Provisioning Server x64 page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In Citrix Provisioning 1811 and newer, you’ll see a Default Firewall Ports page. You can optionally select Automatically open all Citrix Provisioning ports in Windows Firewall. If you later use the Citrix Provisioning Console to change the ports, then the Windows Firewall rules need to be adjusted manually since the Citrix Provisioning Console won’t do it for you.
  9. In the Customer Information page, select Anyone who uses this computer, and click Next.
  10. In the Destination Folder page, click Next.
  11. In the Ready to Install the Program page, click Install.
  12. In the Installation Wizard Completed page, click Finish.

Database Script

By default, the Citrix Provisioning Configuration Wizard will try to create the database using the credentials of the person that is running the Wizard. This isn’t always feasible. An alternative is to create a script that a DBA can run on the SQL server.

  1. Go to C:\Program Files\Citrix\Provisioning Services and run DBScript.exe.
  2. Change the selection to New database for 2012 or higher.
  3. Enter a path to save the script file.
  4. Fill in the other fields.
  5. Select an Active Directory group containing your Citrix administrators, and click OK.
  6. In SQL Server Management Studio, open the SQL script.

  7. Execute the script to create the database.

  8. The person that runs the Citrix Provisioning Configuration Wizard will need db_owner permission to the new Citrix Provisioning database.
  9. Create a Windows service account that will run the services on the Citrix Provisioning server. This account must have a SQL login on the SQL server containing the Citrix Provisioning database. The Citrix Provisioning Configuration Wizard will grant this account the correct permissions in the database.

Configuration Wizard – New Farm

  1. If you used DBScript.exe to pre-create the database, skip to Configuration Wizard – Join Farm.
  2. Certificate – Joining PVS to CVAD site requires a valid certificate on the PVS server.
  3. For SQL AlwaysOn Availability Group, see CTX201203 SQL Server AlwaysOn Configuration for PVS 7.6. In summary: Use the wizard to create the database instance. In SQL, create the Availability Group. Then reconfigure Citrix Provisioning Server to point to the SQL AlwaysOn listener.
  4. The Citrix Provisioning Configuration Wizard launches automatically. If the database wasn’t pre-created, then the person running the wizard must have dbcreator and securityadmin roles on the SQL Server. If true, click Next. If not true, then cancel the wizard and launch it as somebody that does have those roles.

  5. The DHCP Services page appears. DHCP is typically hosted on a different server so select The service that runs on another computer. It is also possible to install DHCP on the Provisioning Servers. Click Next.
  6. In the PXE Services page, if you intend to use Boot Device Manager (BDM or ISO) instead of PXE, then change the selection to The service that runs on another computer, which disables the PXE service.
  7. If your Target Devices and Provisioning Servers are on the same broadcast network, then change the selection to Citrix Provisioning PXE service on this computer.
  8. Click Next.

  9. In the Farm Configuration page, choose Create Farm, and click Next.
  10. In the Database Server page, enter the name of the SQL server. Citrix Provisioning 2203 and newer have an option for specifying credentials to the SQL server.

    • In Citrix Provisioning 2203 and newer, click the Connection Options button and there’s an option for Enable MultiSubnetFailover for SQL Always On. There’s also an Optional TCP port field. Click OK and then click Next.
    • Older versions of Provisioning have an option for MultiSubnetFailover on the Database Server page. Click Next.
  11. In the New Farm page, enter the following:
    • Enter a descriptive Database name. Put the word Citrix in the database name so the DBA knows what it is for.
    • Enter a descriptive Farm name.
    • Enter a descriptive Site name.
    • Enter a descriptive Collection name. All of these names can be changed later.
    • Select the Active Directory group that will have administrator permissions to Citrix Provisioning, and click Next. If you don’t see your group here, select any group you belong to, and you can fix it later in the console.
  12. In the New Store page, browse to one of the vDisk folders, and give the store a name. Then click Next.
  13. You can optionally join the Provisioning Farm to CVAD or Citrix Cloud so that you can use Web Studio to provision Targets. The CVAD option is available in Citrix Provisioning 2311 and newer.

    1. Click Yes to join the farm to a CVAD Site.
    2. In the Citrix Virtual Desktops Controller page, click Next.
    3. Later in the wizard, an SSL certificate is required on the PVS server.
    4. The Registration tab in Provisioning Console > Farm Properties shows the status of CVAD Site registration.
  14. In the License Server page, enter the name of your Citrix license server, check the box next to Validate license server communication, and click Next.
  15. Click Yes to trust the license server certificate.
  16. In the User account page, notice it defaults to Network service account. This won’t work with KMS licensing so change it to Specified user account. Enter credentials for an account that is a local administrator on all Provisioning servers, and click Next. Note: Provisioning 7.16 and newer support Group Managed Service Accounts.

  17. In the Active Directory Computer Account Password page, check the box, and click Next.
  18. In the Network Communications page, click Next.
  19. In the TFTP Option and Bootstrap Location page, check the box, and click Next.
  20. In the Stream Servers Boot List page, click Advanced.
  21. Check the box next to Verbose mode, click OK, and then click Next.
  22. If Provisioning 7.12 or newer, in the SSL Configuration page, click Next.
  23. If you see the Problem Report Configuration page, enter your MyCitrix credentials and click Next.
  24. In the Finish page, click Finish.
  25. If you are upgrading, then you might be asked to upgrade the database. Click Yes.
  26. Click OK if you see the firewall message.
  27. In the Finish page, click Done.

From Running the Configuration Wizard silently at Citrix Docs: Now that you have a configured server, you can run "C:\Program Files\Citrix\Provisioning Services\ConfigWizard.exe" /s to produce an .ans file at "C:\ProgramData\Citrix\Provisioning Services\ConfigWizard.ans". This .ans file can be modified and copied to additional Provisioning servers. "C:\Program Files\Citrix\Provisioning Services\ConfigWizard.exe" /a reads the .ans file and applies the configuration silently.

Configuration Wizard – Join Farm

  1. The Configuration Wizard launches automatically.
  2. There are two methods of handling SQL permissions:
    1. The person running the wizard must have db_owner on the database and securityadmin role on the SQL Server. This allows the wizard to add the service account to SQL logins and grant it access to the database.
    2. Or the person running the wizard can be limited to just db_owner permission to the database. The service account must be added manually to SQL logins by a DBA.
  3. The DHCP Services page appears. DHCP is typically hosted on a different server so select The service that runs on another computer. It is also possible to install DHCP on the Provisioning Servers. Click Next.
  4. In the PXE Services page, if you intend to use Boot Device Manager (BDM or ISO) instead of PXE, then change the selection to The service that runs on another computer, which disables the PXE service.
  5. If your Target Devices and Provisioning Servers are on the same broadcast network, then change the selection to Citrix Provisioning PXE service on this computer.
  6. Click Next.

  7. In the Farm Configuration page, click Join existing farm.
  8. In the Database Server page, enter the name of the SQL server. Citrix Provisioning 2203 and newer have an option for specifying credentials to the SQL server.

    • In Citrix Provisioning 2203 and newer, click the Connection Options button and there’s an option for Enable MultiSubnetFailover for SQL Always On. There’s also an Optional TCP port field. Click OK and then click Next.
    • Older versions of Provisioning have an option for MultiSubnetFailover on the Database Server page. Click Next.
  9. In the Existing Farm page, select the database, and click Next.
  10. In the Site page, select an existing site, and click Next.
  11. If you used the script to create the database, then there are probably no stores defined yet. Create one now.
  12. Otherwise, in the New Store page, select the existing store, and click Next.
  13. In the License Server page, click Next.
  14. In the User account page, notice it defaults to Network service account. This won’t work with KMS licensing so change it to Specified user account. Enter credentials for an account that is a local administrator on all Provisioning servers, and click Next. Note: Provisioning 7.16 and newer support Group Managed Service Accounts.

  15. In the Active Directory Computer Account Password page, check the box, and click Next.
  16. In the Network Communications page, click Next.
  17. In the TFTP Option and Bootstrap Location page, check the box, and click Next.
  18. In the Stream Servers Boot List page, click Advanced.
  19. Check the box next to Verbose mode, click OK, and then click Next.
  20. If Provisioning 7.12 or newer, in the Soap SSL Configuration page, click Next.
  21. If Provisioning 7.11 or newer, in the Problem Report Configuration page, enter your MyCitrix credentials, and click Next.
  22. In the Finish page, click Finish.
  23. Click OK if you see the firewall message.
  24. In the Finish page, click Done.

Troubleshooting – Networking Services Don’t Work After Reboot

If your PXE service or TFTP service does not work after a reboot of the Provisioning server, do the following:

  1. One option is to set the Citrix PVS PXE Service, Citrix PVS TFTP Service, and Citrix PVS Two-stage boot Service to Automatic (Delayed Start).
  2. The TFTP and Two-stage Boot services can be delayed by setting registry keys.
    • Keys = HKLM\System\CurrentControlSet\services\BNTFTP\Parameters and HKLM\System\CurrentControlSet\services\PVSTSB\Parameters
    • Value = InitTimeoutSec (DWORD), 1 – 4 seconds. Default is 1.
    • Value = MaxBindRetry (DWORD), 5 – 20 retries. Default is 5.

Disable Firewall

Disable the Windows Firewall to allow communication to all Citrix Provisioning Server ports. Or, see Citrix Provisioning Firewall Rules and manually open all required ports. If you change the ports in the Citrix Provisioning Console, then you’ll need to adjust the Windows Firewall rules accordingly.

  1. In Server Manager, click Tools, and click Windows Firewall with Advanced Security.
  2. Click Windows Firewall Properties.
  3. On the Domain Profile tab, change the Firewall state to Off.

Disable BIOS Boot Menu

The versioning process in Citrix Provisioning will present a boot menu when booting any version except Production.

  1. To avoid this, create the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipBootMenu on both Provisioning Servers and set it to 1. Note: the location of this key changed in Provisioning Services 7.0 and newer.
  2. Then restart the Citrix PVS Stream Service.

Private Mode vDisk – No Servers Available for vDisk

Citrix CTX200233 – Error: “No servers available for disk”: When you set a vDisk to Private Image mode (or new Maintenance version), if the Target Device is not connected to the server that contains the vDisk then you might see a message saying “No Servers Available for vDisk”.

  1. To avoid this, create the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipRIMSForPrivate on both Provisioning Servers and set it to 1. Note: the location of this key changed in Provisioning Services 7.0.
  2. Then restart the Citrix PVS Stream Service.
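
The registry tweaks from the three sections above (the TFTP/Two-stage boot start-up delays, SkipBootMenu, and SkipRIMSForPrivate) can be applied with one script run on each Provisioning server. This is an added example, not code from the article or from Citrix; it assumes Windows PowerShell 5.1 on the Provisioning server, the registry paths and service display names exactly as quoted above, and a helper function Set-RegistryDword of my own.

```powershell
# Added example (not from the article): apply the documented registry tweaks on the
# local Provisioning server. Run elevated, on every Provisioning server in the farm.
# Assumptions: Windows PowerShell 5.1 (hence sc.exe for delayed start), service display
# names as shown in the article, registry paths as quoted in the article.

$ErrorActionPreference = 'Stop'

# Create-or-update a DWORD and report whether anything actually changed,
# so that services are only restarted when a value really moved.
function Set-RegistryDword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) { return $false }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    return $true
}

# 1. Delay the TFTP and Two-stage boot services (service names BNTFTP / PVSTSB) at start-up.
#    The article documents the allowed ranges, so refuse anything outside them.
$initTimeoutSec = 4      # 1 - 4 seconds (default 1)
$maxBindRetry   = 20     # 5 - 20 retries (default 5)
if ($initTimeoutSec -lt 1 -or $initTimeoutSec -gt 4)  { throw 'InitTimeoutSec must be 1-4' }
if ($maxBindRetry   -lt 5 -or $maxBindRetry   -gt 20) { throw 'MaxBindRetry must be 5-20' }

$bootServicesChanged = $false
foreach ($svc in 'BNTFTP', 'PVSTSB') {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $bootServicesChanged = (Set-RegistryDword $params 'InitTimeoutSec' $initTimeoutSec) -or $bootServicesChanged
    $bootServicesChanged = (Set-RegistryDword $params 'MaxBindRetry'   $maxBindRetry)   -or $bootServicesChanged
}

# Also set the three network services to Automatic (Delayed Start), the other option the
# article gives. Set-Service in Windows PowerShell 5.1 cannot do this, so use sc.exe
# with the real service name looked up from the display name.
foreach ($display in 'Citrix PVS PXE Service', 'Citrix PVS TFTP Service', 'Citrix PVS Two-stage boot Service') {
    $service = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if ($null -eq $service) { Write-Warning "$display is not installed on this server"; continue }
    & sc.exe config $service.Name start= delayed-auto | Out-Null
}

# 2. Stream Service tweaks: skip the boot menu for non-Production versions, and avoid
#    "No Servers Available for vDisk" for Private Image / Maintenance versions.
$streamProcess = 'HKLM:\SOFTWARE\Citrix\ProvisioningServices\StreamProcess'
$streamChanged = $false
$streamChanged = (Set-RegistryDword $streamProcess 'SkipBootMenu'       1) -or $streamChanged
$streamChanged = (Set-RegistryDword $streamProcess 'SkipRIMSForPrivate' 1) -or $streamChanged

# 3. Restart only what changed. The article says stopping the stream service from the
#    console makes targets fail over to another server first; it does not say whether a
#    plain Restart-Service does the same, so do this while no targets stream from here.
if ($streamChanged) {
    Restart-Service -DisplayName 'Citrix PVS Stream Service'
}
if ($bootServicesChanged) {
    foreach ($svc in 'BNTFTP', 'PVSTSB') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Restart-Service -Name $svc }
    }
}
```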

Multi-Homed Provisioning Server

From slide 20 of http://www.slideshare.net/davidmcg/implementing-and-troubleshooting-pvs: a multi-homed Provisioning server is not recommended, but if you insist, and if running Provisioning 6.1 or older, configure the following. The Provisioning 7.7 configuration wizard should have asked you for the management NIC.

  • HKLM\Software\Citrix\ProvisioningServices\IPC
    • New Reg_Sz (string) named IPv4Address with the IP of the NIC for IPC
  • HKLM\Software\Citrix\ProvisioningServices\Manager
    • New Reg_Sz (string) named GeneralInetAddr with the IP of the NIC and port
    • e.g. 10.1.1.2:6909

Citrix 133877 Timeout Error 4002 in Provisioning Server Console after Clicking “Show Connected Devices”: when there are multiple streaming NICs assigned to the Provisioning Server and Show Connected Devices is clicked in the Provisioning console, the following symptoms might be experienced: Server timeout error 4002, an unusual delay of 3 to 4 minutes to list the connected devices, or the Provisioning console stops responding. Complete the following to resolve the issue:

  1. On the Provisioning Server machine, under HKLM\software\citrix\provisioningServices\Manager key, create registry DWORD RelayedRequestReplyTimeoutMilliseconds, and set it to 50 ms (Decimal).
  2. Create a DWORD RelayedRequestTryTimes, and set it to 1.
  3. Open the Provisioning Server console and test by selecting the Show Connected Devices command.

Antivirus Exclusions

Citrix’s Recommended Antivirus Exclusions

Endpoint Security, Antivirus, and Antimalware Best Practices at Citrix Docs TechZone contains a list of recommended exclusions for Citrix Provisioning.

Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:

  • Set real-time scanning to scan local drives only and not network drives
  • Disable scan on boot
  • Remove any unnecessary antivirus related entries from the Run key
  • Exclude the pagefile(s) from being scanned
  • Exclude Windows event logs from being scanned
  • Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including: StoreFront, VDA, Controller, and Provisioning. The Blog Post also has links to additional KB articles on antivirus.

Microsoft’s virus scanning recommendations

See http://support.microsoft.com/kb/822158 (e.g. exclude group policy files).

TFTP High Availability

BIOS machines have multiple methods of booting into PVS:

  • PXE (network boot) on the same subnet as the Citrix Provisioning Servers.
  • PXE (network boot) on a different subnet from the Citrix Provisioning Servers. DHCP Scope Options 66 and 67 required.
  • Boot ISO created by Citrix Provisioning Boot Device Manager.
  • Boot partition created by the Citrix Provisioning Virtual Desktops Setup Wizard.

EFI/UEFI machines have two methods of booting into PVS:

  • PXE (network boot) on the same subnet as the Citrix Provisioning Servers. DHCP Scope Option 11 required.
  • PXE (network boot) on a different subnet from the Citrix Provisioning Servers. DHCP Scope Options 66, 67, and 11 required.

If PXE booting on the same subnet as the Provisioning Servers, then make sure the PXE service is running on the Citrix Provisioning Servers. When your target device boots, it will broadcast a PXE Request message to the entire subnet. One of the Provisioning Servers’ PXE services will reply with the IP address of the TFTP service on the local Provisioning Server.

If your Target Devices are not on the same VLAN/subnet as the Provisioning Servers, then use Boot ISO or Boot Partition.

HA for DHCP Scope Options:

DHCP Failover

The DHCP infrastructure must be highly available, and session hosts should be configured with DHCP Reservations. With multiple DHCP servers, each reservation must be created on every DHCP server hosting the same DHCP scope. The easiest way to accomplish this is with the DHCP Failover feature in Windows Server 2012 and newer.

  1. Build two DHCP servers on Windows Server 2012 or newer.
  2. Create a scope for the Provisioning Target Devices.
  3. Right-click the existing scope, and click Configure Failover.
  4. In the Introduction to DHCP Failover page, click Next.
  5. In the Specify the partner server to use for failover page, enter the name of the other DHCP server, and click Next.
  6. In the Create a new failover relationship page, enter a Shared Secret, and click Next.
  7. Click Finish.
  8. Click Close.
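
The same failover relationship can be created with the DhcpServer PowerShell module, together with a reservation for a Provisioning target device that is pushed to the partner server so it exists on both DHCP servers as the section above requires. This is an added example, not code from the article; the server names, scope ID, MAC address and IP address are constructed placeholders, and Add-PvsTargetReservation is a helper of my own.

```powershell
#Requires -Modules DhcpServer
# Added example (not from the article): DHCP failover for the Provisioning target scope,
# plus a reservation that is replicated to the partner. Run from a machine with the
# DhcpServer module and DHCP admin rights. All names and addresses below are constructed.

$ErrorActionPreference = 'Stop'

$primary      = 'DHCP01'              # constructed server name
$partner      = 'DHCP02'              # constructed server name
$scopeId      = '10.1.10.0'           # constructed scope for the Provisioning Target Devices
$failoverName = 'PVS-Targets-Failover'

# Load-balance mode: both servers hand out leases for the scope, which is what the
# article's wizard walk-through creates. The shared secret authenticates failover
# messages between the two servers; prompt for it rather than hard-coding it.
if (-not (Get-DhcpServerv4Failover -ComputerName $primary -Name $failoverName -ErrorAction SilentlyContinue)) {
    $secret = Read-Host -Prompt 'Failover shared secret'
    Add-DhcpServerv4Failover -ComputerName $primary -Name $failoverName -PartnerServer $partner `
        -ScopeId $scopeId -SharedSecret $secret -LoadBalancePercent 50 -AutoStateTransition $true
}

# Reservation for one Provisioning target device. Provisioning identifies a PXE target by
# its MAC address, so the DHCP reservation is keyed on the same MAC.
function Add-PvsTargetReservation {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$MacAddress,   # e.g. '00-50-56-AA-BB-01'
        [Parameter(Mandatory)][string]$IPAddress
    )
    $existing = Get-DhcpServerv4Reservation -ComputerName $primary -ScopeId $scopeId `
        -ClientId $MacAddress -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    $reservation = Add-DhcpServerv4Reservation -ComputerName $primary -ScopeId $scopeId `
        -IPAddress $IPAddress -ClientId $MacAddress -Name $Name -PassThru

    # Failover keeps leases in sync, but scope configuration such as reservations is not
    # replicated automatically; push the scope to the partner so both servers have it.
    Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -ScopeId $scopeId -Force
    return $reservation
}

Add-PvsTargetReservation -Name 'PVSUPD01' -MacAddress '00-50-56-AA-BB-01' -IPAddress '10.1.10.50'

# Verify the reservation is present on both DHCP servers.
foreach ($server in $primary, $partner) {
    "Reservations on $server"
    Get-DhcpServerv4Reservation -ComputerName $server -ScopeId $scopeId | Format-Table -AutoSize
}
```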

Health Check

CTP Sacha Thomet’s PowerShell script shows the health/status of the Provisioning environment and emails an HTML report. For Provisioning 7.7 and newer, see https://blog.sachathomet.ch/2015/12/29/happy-new-script-pvs-7-7-healthcheck/.

Citrix Provisioning – Create Devices

Last Modified: Dec 4, 2024 @ 3:56 am

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

Target Device Template – vSphere

The hardware of the additional target devices must match the original virtual machine so that the drivers contained in the vDisk continue to function. The easiest way to preserve the hardware configuration is to clone the original virtual machine.

  1. Shut down the original virtual machine.
  2. Edit the Settings of the virtual machine and make sure there is a blank, formatted cache disk.
  3. Citrix Provisioning 2311 and newer only support UEFI. See Converting BIOS vDisks to UEFI at Citrix Docs.
  4. In the vSphere Client, right-click the original virtual machine, expand Clone, and click Clone to Template. The new machine must be a Template and not a regular virtual machine.
  5. In the Select a name and folder page, enter a name for the template, and click Next.
  6. In the Select a compute resource page, select the cluster and click Next.
  7. In the Select storage page, select a datastore for the template and click Next. Note: if you use the Citrix Provisioning wizards to create Target Devices, the new machines will be created on the same datastore as this template.
  8. In the Ready to complete page, click Finish.

Target Device Template – Hyper-V

If you store the template in the library, then you might see the issue described in CTX128750 Hyper-V Synthetic Network Interface Card Reinitializes on New Target Devices. The article recommends cloning a real VM instead of a template VM, but this might not work for the Citrix Provisioning Citrix Virtual Desktops Setup Wizard.

  1. Edit the Properties of the original virtual machine and make sure there is a blank, formatted cache disk.
  2. Right-click the original virtual machine, expand Create and click Create VM Template.
  3. Click Yes to acknowledge that the source virtual machine will be destroyed.
  4. In the VM Template Identity page, give the template a name and click Next.
  5. In the Configure Hardware page, click Next.
  6. In the Configure Operating System page, select None – customization not required, and click Next. There is no need to run SysPrep.
  7. In the Select Library Server page, select a library server, and click Next.
  8. In the Select Path page, click Browse to select a share, and click Next.
  9. In the Summary page, click Create.

Citrix Virtual Desktops Setup Wizard

The easiest way to create a bunch of Target Devices is to use the Citrix Virtual Desktops Setup Wizard that is built into the Citrix Provisioning Console. This wizard used to be named XenDesktop Setup Wizard.

If you prefer to script much of this wizard, see:

Do the following to launch the Citrix Virtual Desktops Setup Wizard:

  1. The Citrix Virtual Desktops Setup Wizard uses the Hosting Resources defined in Citrix Studio, so configure Citrix Studio > Configuration > Hosting with destination datastores and networks for the new Target Devices. For maximum control over datastore placement, create a separate Hosting Resource per datastore.
  2. Make sure the Template Target Device is on the same datastore that you want the new Target Devices to be stored on.
  3. If Hyper-V, make sure the VMM Console is installed on the same machine as the Citrix Provisioning Console.
  4. In the Citrix Provisioning Console, right-click the site, and click Citrix Virtual Desktops Setup Wizard.
  5. In the Welcome to Citrix Virtual Desktops page, click Next.
  6. In the Citrix Virtual Desktops Controller page, choose Customer-Managed Control Plane, enter the name of a Delivery Controller, and click Next.
  7. In the Citrix Virtual Desktops Host Resources page, select a hosting resource. This list comes from the Hosting Resources created inside Studio. Click Next.
  8. Use a service account to log in to vCenter or SCVMM when prompted. Citrix Provisioning might use these credentials later to power manage the target devices.
  9. If you see a message about no available templates, then you need to move your virtual machine template to this datastore.
  10. In the Template page, select the Target Device template, and click Next.
  11. In the Citrix Virtual Desktops Host Resources Network page, select a network and click Next.
  12. In the vDisk page, select the Standard Image vDisk and click Next.
  13. In the Catalog page, enter a name for a new catalog, and click Next. Or you can add machines to an existing catalog.
  14. In the Operating System page, make your selection, and click Next.
  15. If you selected Single-session OS, then in the User Experience page, select random or static, and click Next.
  16. In the Virtual machines page:
    1. Enter the number of machines you want to create.
    2. Enter the number of vCPUs for each new virtual machine. For RDSH, you usually add between 4 and 8 vCPUs.
    3. Enter the amount of Memory for each new virtual machine.
      • To accommodate the Citrix Provisioning vDisk memory cache, add 256 MB (virtual desktop) or 4 GB of RAM (Remote Desktop Session Host) to the Memory. See Citrix Blog Post Size Matters: PVS RAM Cache Overflow Sizing for more information.
    4. Specify the size of the cache disk: 20-40 GB for session hosts, or 5-10 GB for virtual desktops.
    5. Select BDM disk or PXE boot.
      1. For PXE boot, the Target Devices must be on the same VLAN as the Provisioning servers.
      2. BDM disk burns the boot image into the new virtual machine’s disk. BDM Disk supports target devices on a different subnet than the Provisioning servers. Make sure the Target Device VM template does not have any Boot ISOs configured.
  17. Click Next.
  18. In the Active Directory page, PVS 2308 and newer let you create computer accounts in untrusted domains. Click Next. 
  19. In the Active Directory accounts and location page
    1. Select an OU.
    2. Enter a naming pattern for the new machines. Use ## to represent numbering.
    3. Select a Starting Index.
  20. Click Next.
  21. In the Citrix Provisioning server information page, PVS 2308 and newer let you enter boot addresses that work for UEFI targets. Choose or enter your boot PVS servers and click Next.
  22. In the Summary page, click Finish to start creating the machines. The wizard will power on the machines so it can format the cache disk.
  23. Then click Done. PVS 2407 and newer have a button to View Logs.
  24. In Citrix Provisioning Console, if you go to Farm > Sites > mySite > Hosts, you’ll see the Hosting Resource used by the Wizard. If you open the Properties of the Hosting Resource…
  25. On the Credentials tab, you can see the credentials you used when running the wizard. You will probably want to change these to a service account.
  26. In Citrix Studio, you’ll see a new machine catalog.
  27. The Citrix Provisioning Citrix Virtual Desktops Setup Wizard seems to ignore zones, so you’ll have to move it to the correct zone manually.
  28. Create a new Delivery Group or add the machines to an existing Delivery Group.

Target Device Power Operation

If you used the Citrix Virtual Desktops Setup Wizard to create Target Devices, then the Target Devices are linked to a hosting connection and can be powered on from the Citrix Provisioning Console by right clicking the device and clicking Boot.

Target Devices created by the Citrix Virtual Desktops Setup Wizard have a VirtualHostingPoolId, which corresponds to the hosting connection listed under Sites > MySite > Hosts. When powering on the VM, Citrix Provisioning searches for a VM with the same name as the Target Device.

Boot Disk Manager (BDM) Partition Update

During Citrix Provisioning Citrix Virtual Desktops Setup Wizard, you can configure the Target Devices to use a BDM Partition to boot from Citrix Provisioning servers. This partition contains the IP addresses of the Citrix Provisioning servers. Prior to Citrix Provisioning 7.9, it was not possible to change the BDM Partition configuration.

In Citrix Provisioning 7.9 and newer, it is now possible to update the BDM Partition with the latest bootstrap info:

  1. In Citrix Provisioning Console, go to MyFarm > Sites > MySite > Servers, right-click each Citrix Provisioning server, and click Configure Bootstrap. Update the list of Citrix Provisioning servers.
  2. Make sure the Target Devices are powered off.
  3. Go to MyFarm > Sites > MySite > Device Collections, right-click a collection created by the Citrix Virtual Desktops Setup Wizard, expand Target Device, and click Update BDM Partitions.
  4. Citrix Provisioning 2311 and newer let you specify the Boot Servers.
  5. Click Update Devices.
  6. Click Close when done.

Citrix Studio Catalog of Citrix Provisioning Machines

The easiest method to create Citrix Provisioning Target Device machines (i.e. VDAs) and add them to a Machine Catalog is to run the Citrix Virtual Desktops Setup Wizard.

If you’re not able to use the Citrix Virtual Desktops Setup Wizard for any reason, then you can manually create Citrix Provisioning Target Device machines or use the Streamed VM Setup Wizard. Once the machines are created in the Citrix Provisioning Console, you need to Export them to a Delivery Controller.

In Citrix Provisioning 1906 and newer, to add Target Devices to a Machine Catalog, Citrix recommends that you use the new Export Devices Wizard because it works with both on-premises CVAD and Citrix Cloud. Find the wizard by right-clicking the Site name. See Export Devices Wizard at Citrix Docs. The Export Wizard is very similar to the Citrix Virtual Desktops Setup Wizard.

For Citrix Provisioning 1903 and older, do the following:

  1. In Citrix Studio, create a new Catalog.
  2. On the Introduction page, click Next.
  3. In the Operating System page, make a selection that matches the vDisk, and click Next.
  4. In the Machine Management page, change the Deploy machines using selection to Citrix Provisioning, and click Next.
  5. In the Device Collection page, enter the Provisioning server name, and click Connect.
  6. Select the Citrix Provisioning Device Collection, and click Next.
  7. In the Devices page, review the list of machines that will be added to the catalog, and click Next.
  8. In the Summary page, give the Catalog a name, and click Finish. You can now add these machines to a Delivery Group.
  9. You can later add more machines to the Device Collection in the Citrix Provisioning Console.
  10. To add the new machines to Citrix Studio, right-click the existing Catalog, and click Add Machines.
  11. In the Device Collection page, click Connect.
  12. Select the Device Collection containing new machines and click Next.
  13. In the Devices page, review the list of new machines, and click Next.
  14. In the Summary page, click Finish. You can now add these new machines to a Delivery Group.

Write Cache Disk

Write Cache Drive Letter

If the Write Cache disk is not mounting with the correct drive letter, see CTX133476 Explaining and Troubleshooting WriteCache Disk Drive Letter Assignment.

Write Cache File Name

Citrix Provisioning has had three different cache names:

  • .vdiskCache is the legacy Ardence format (5.x and earlier; no longer supported, so you can delete this file if your target software is current; this cache was optimized for size).
  • .vdiskdif.vhd is the legacy hard drive cache (6.0 and newer local hard drive cache; it uses a standard 1 MB sector size and is larger than the legacy cache, but works better with storage and is incrementally faster than the legacy Ardence format).
  • vdiskdif.vhdx is RAM cache with overflow (7.1.4 and newer RAM cache with overflow; 2 MB sectors, larger than the .vhd cache but much faster and more compatible with storage).

Write Cache Filling Up Cache Disk

The vDisk cache is essentially a differencing disk: it contains only the blocks that are written to the system drive, so you cannot mount it or read the file; it is just block data. Use a tool like Process Monitor from Microsoft (formerly Sysinternals) to monitor the system drive. Any write to the system drive is redirected by the Citrix Provisioning software to the cache file. Make sure that no software installed on the target image has an auto-update feature enabled, redirect all user data to a network share, and educate your users so they do not do something that fills up the cache, such as downloading a video to the local system drive.

Be aware that the RAM cache with overflow to hard drive can use more space on your local drive. Even with the older cache types, it is important to perform regular maintenance on your vDisks. Some recommendations:

  • Merge to a new base disk when you have created 5 or more versions.
  • After every merge to the base disk, mount the new base disk and defragment it. This reduces the sectors used in the local cache; it is very important with the new RAM cache with overflow to local disk, but it also has a very positive impact with the legacy local cache. Refer to http://blogs.citrix.com/2015/01/19/size-matters-pvs-ram-cache-overflow-sizing for more information.

Write Cache Size Monitoring

To view the size of Write Cache in RAM with overflow to disk, look in Task Manager for Nonpaged pool.

Citrix Blog Post Digging into PVS with PoolMon and WPA details how to use Windows Performance Analyzer to view Citrix Provisioning RAM cache and overflow.

Citrix Provisioning – Update vDisk

Last Modified: Dec 4, 2024 @ 3:56 am

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

Updater Device

  1. Create a new Updater Target Device that is only used when you need to update a vDisk. You can create the Updater device manually or you can use the Citrix Virtual Desktops Setup Wizard.
  2. Put the Updater device in a new Device Collection. This is to avoid assigning the device to a Catalog in Studio. Users must not connect to an Updater device while it is powered on.
  3. Set the Updater device to boot from the Maintenance Type. This is used by the Versioning method of updating a vDisk.
  4. When adding the Updater device to Active Directory, be mindful of group policies. Sometimes it is helpful to apply the group policies to the Updater device so they are stored in the vDisk you are updating.
  5. An Updater device can only boot from one vDisk at a time but it can boot from any vDisk. If you need to do updates to multiple vDisks simultaneously, create more Updater devices.
  6. If you are using Enterprise Software Deployment tools (e.g., System Center Configuration Manager) to maintain a vDisk, keep the Updater device constantly booted to a Maintenance version so the ESD tool can push updates to it. This basically requires a separate Updater device for each vDisk.

Update a vDisk – Versioning Method

  1. In the Citrix Provisioning Console, right-click a Standard Mode vDisk, and click Versions.
  2. In the vDisk Versions window, click New.
  3. Notice that the Access is set to Maintenance. Click Done.
  4. If you look at the physical location where the vDisks are stored, you’ll see a new .avhdx file.
  5. Go to the properties of an Updater Target Device, and change the Type to Maintenance. You’ll use this Target Device to update the vDisk. Make sure this Target Device you are using for vDisk Updating is not in any Delivery Group so that users don’t accidentally connect to it when it is powered on.
  6. Of course this Target Device will need to be configured to use the vDisk you are updating.
  7. Power on the Updater Target Device.
  8. If you did not configure the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipBootMenu to 1 on the Provisioning Servers, then you’ll see a boot menu.
  9. Login to your Updater Target Device. The Virtual Disk Status icon by the clock should indicate that the vDisk Mode is now Read/Write.
  10. Make any desired changes.
  11. The Citrix Provisioning Image Optimization tool disables Windows Update. To install Windows Updates, use the following script to enable Windows Update, install updates, then disable Windows Update – http://www.xenappblog.com/2013/prepare-a-provisioning-services-vdisk-for-standard-mode/
  12. Before powering off the target device, run your sealing tasks. Run antivirus sealing tasks. See VDA > Antivirus for links to antivirus vendor articles.
  13. Citrix Blog Post Sealing Steps After Updating a vDisk contains a list of commands to seal an image for Citrix Provisioning.
  14. Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.
  15. Power off the target device so the vDisk is no longer being used.
  16. Go back to the Versions window for the vDisk.
  17. Highlight the version you just updated, and click Promote.
  18. Best practice is to promote it to Test first. Or you can go directly to Production if you’re confident that your updates won’t cause any problems. Note: if you select Immediate, it won’t take effect until the Target Devices are rebooted. For scheduled promotion, the Target Devices must be rebooted after the scheduled date and time.
  19. The Replication icon should have a warning icon on it indicating that you need to copy the files to the other Provisioning server.
  20. Only copy the .avhdx and .pvp files. Do not copy the .lok file.

  21. Another method of copying the vDisk files is by using Robocopy:
    Robocopy D:\vDisks\ \\pvs2\d$\vDisks *.vhd *.avhd *.pvp *.vhdx *.avhdx /b /mir /xf *.lok /xd WriteCache /xo
  22. Citrix Blog Post The vDisk Replicator Utility is finally finished! has a GUI utility script that can replicate vDisks between Citrix Provisioning Sites and between Citrix Provisioning Farms.

  23. Then click the Refresh button, and the warning icon should go away.
  24. Configure a Target Device to boot the Test vDisk Type. Then boot it.
  25. Once testing is complete, promote the vDisk version again.
  26. Immediate means it will take effect only after Target Devices are rebooted, whether immediately or later. Scheduled means the Target Device has to be rebooted after the scheduled date and time before it takes effect; if the Target Device has been rebooted before the scheduled date, then the older version is still in effect. Click OK.
  27. If you need to Revert, you can use the Revert button, or the drop-down on top of the window.

Merge Versions

  1. Citrix recommends no more than five .avhd files in the snapshot chain. To collapse the chain of .avhd files, you can Merge the versions. Don’t Merge until the files on both Provisioning servers are replicated.
  2. You can merge (Merged Updates) multiple .avhdx files into a single new .avhdx file that is linked to the original base file. Or you can merge (Merged Base) the original base, plus all of the .avhdx files into a new base .vhdx file, without any linked .avhdx files.
  3. The Merged Base process creates a whole new .vhdx file that is the same size or larger than the original base. After merging, replicate the merged file to both Provisioning Servers.

  4. Make sure there is no warning icon on the Replication button.
  5. If your merged version is currently in Test mode, then you can promote it to Production.
  6. After merging, you can delete older versions if you don’t need to revert to them.

Citrix CTX207112 Managing Provisioning Services VDisk Versions with VhdUtil Tool: CLI tool that can do the following outside of Citrix Provisioning Console:

  • dump header/footer
  • merge chain
  • rename chain

Expand vDisk VHD

To expand a vDisk file, create a Merged Base. Then use normal VHD expansion tools/methods.

One method, using diskpart, is described below (after step 1, each step is a command typed at the diskpart prompt):

  1. Open cmd or powershell as administrator
  2. diskpart
  3. select vdisk file="<path to your vdisk>" (e.g. V:\store\my.vhd)
  4. list vdisk (you should now see your vdisk and the path)
  5. expand vdisk maximum=60000 (the new size in megabytes, so 60000 is about 60 GB)
  6. attach vdisk
  7. list disk
  8. list volume (take note of the Volume number of your vdisk; you should see the old size)
  9. select volume 5 (or whatever volume number from list volume command)
  10. extend
  11. list volume (you should now see the size you want for your disk. This should also be seen in the Citrix Provisioning console)
  12. detach vdisk
  13. exit
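The same expansion as a script, added here as an example and not code from the original article: diskpart grows the VHD/VHDX container (the expand vdisk step) and the Windows Storage cmdlets then attach it and extend the last partition, so there is no volume number to read off list volume. It assumes Windows 8 / Server 2012 or newer, an elevated session, and placeholder paths.

```powershell
# Added example, not from the original article. Assumes Windows 8 / Server 2012 or newer
# (Storage module), an elevated session, and placeholder paths.
function Expand-PvsVdisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VhdPath,   # merged base, e.g. V:\store\my.vhdx (placeholder)
        [Parameter(Mandatory)][int]$NewSizeMB     # 'expand vdisk maximum=' is in MB, as in the article
    )
    if (-not (Test-Path -LiteralPath $VhdPath)) { throw "vDisk not found: $VhdPath" }

    # Citrix Provisioning writes a .lok file next to a vDisk that a server or target device has open.
    # Expanding a vDisk that is being streamed would corrupt it, so stop here if the lock exists.
    $lockFile = [IO.Path]::ChangeExtension($VhdPath, '.lok')
    if (Test-Path -LiteralPath $lockFile) {
        throw "$lockFile exists: the vDisk is in use. Power off its target devices first."
    }

    # diskpart steps 2-5: grow the container. 'diskpart /s' reads the commands from a script file.
    $diskpartScript = Join-Path $env:TEMP ("expand-vdisk-{0}.txt" -f [guid]::NewGuid())
    Set-Content -LiteralPath $diskpartScript -Encoding ASCII -Value @"
select vdisk file="$VhdPath"
expand vdisk maximum=$NewSizeMB
"@
    try {
        $output = & diskpart.exe /s $diskpartScript
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`n$($output -join "`n")" }
    } finally {
        Remove-Item -LiteralPath $diskpartScript -ErrorAction SilentlyContinue
    }

    # diskpart steps 6-12: attach, extend the OS partition (the last one on the disk), detach.
    $null = Mount-DiskImage -ImagePath $VhdPath
    try {
        $disk = Get-DiskImage -ImagePath $VhdPath | Get-Disk
        if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline $false }
        if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }

        $os  = Get-Partition -DiskNumber $disk.Number | Sort-Object PartitionNumber | Select-Object -Last 1
        $max = (Get-PartitionSupportedSize -DiskNumber $disk.Number -PartitionNumber $os.PartitionNumber).SizeMax
        if ($max -gt $os.Size) {
            Resize-Partition -DiskNumber $disk.Number -PartitionNumber $os.PartitionNumber -Size $max
        }
        $os = Get-Partition -DiskNumber $disk.Number -PartitionNumber $os.PartitionNumber

        # What the Citrix Provisioning console will show once the store is refreshed.
        [pscustomobject]@{
            VhdPath       = $VhdPath
            DiskSizeGB    = [math]::Round($disk.Size / 1GB, 1)
            OsPartitionGB = [math]::Round($os.Size / 1GB, 1)
        }
    } finally {
        Dismount-DiskImage -ImagePath $VhdPath | Out-Null
    }
}

# Usage (placeholder path; 60000 MB is the 60 GB example from the article):
# Expand-PvsVdisk -VhdPath 'V:\store\my.vhdx' -NewSizeMB 60000
```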

Reverse Image – BCDEDIT Method

If you want to upgrade the Citrix Provisioning Target Device Software on a vDisk, and your current Target Device Software installation is 7.6 Update 1 or newer, then you can simply install the new Target Device Software; no special steps are required. However, if your Target Device software is 7.6 or older, then you’ll need to Reverse Image as detailed in this section.

If you want to update the NIC driver (e.g., VMware Tools), then you can’t use the normal vDisk versioning process since NIC interruptions will break the connection between Target Device and vDisk. Instead, you must reverse image, which essentially disconnects the vDisk from Citrix Provisioning.

One method of reverse imaging is to boot directly from the vDisk VHD. All you need to do is copy the vDisk VHD/VHDX to a Windows machine’s local C: drive, run bcdedit to configure booting to the VHD/VHDX, reboot into the VHD/VHDX, make your changes, reboot back into the original Windows OS, copy the VHD/VHDX back to Citrix Provisioning and import it. Details can be found later in this section.

Instead of the BCDEDIT method, you can try one of these alternative reverse image methods:

  • Citrix Image Portability Service can take a VHD from a Citrix Provisioning (PVS) store and recreate the original vSphere image. 
  • Aaron Silber How to update VMware Tools without Reverse Imaging – The gist is to add an E1000 NIC, boot from that, upgrade VMware Tools, and then remove the E1000 NIC. CTA Nishith Gupta has detailed this process in VMware Tools In PVS Image.
  • The traditional method of reverse imaging is to use Citrix Provisioning Imaging (P2PVS.exe), or similar, to copy a vDisk to a local disk, boot from the local disk, make changes, and then run the Imaging Wizard again to copy the local disk back to a new vDisk. Select Volume to Volume. On the next page, select C: as source, and local disk as Destination. If you don’t see the C: drive as an option, then make sure your vDisk is in read/write mode (Private Image or Maintenance Version).
  • George Spiers PVS Reverse Image with VMware vCenter Converter. This article has troubleshooting steps if the reverse image won’t boot.
  • Jan Hendriks Citrix PVS Reverse Imaging with Windows Backup.

To use bcdedit to boot directly from the vDisk VHD (Microsoft TechNet Add a Native-Boot Virtual Hard Disk to the Boot Menu):

  1. In Citrix Provisioning Console, if using versioning, create a merged base.
  2. Copy the merged base vDisk (VHDX file) to any supported Windows machine. Note: the C: drive of the virtual machine must be large enough to contain a fully expanded VHDX file.
  3. Run the following command to export the current BCD configuration:
    bcdedit /export c:\bcdbackup

  4. Run the following command to copy the default BCD entry to a new entry. This outputs a GUID that you will need later.
    bcdedit /copy {default} /d "vhd boot (locate)"

  5. Run the following commands to set the new BCD entry to boot from the VHD file. Replace {guid} with the GUID output by the previous command. Include the braces.
    bcdedit /set {guid} device vhd=[locate]\MyvDisk.vhd
    bcdedit /set {guid} osdevice vhd=[locate]\MyvDisk.vhd
    

  6. Make sure you are connected to the console of the virtual machine.
  7. Restart the virtual machine.
  8. When the boot menu appears, select the VHD option. Note: if you see a blue screen, then you might have to enlarge your C: drive so the VHD file can be unpacked.
  9. Login to the virtual machine.
  10. Perform updates:
    1. Uninstall the Citrix Provisioning Target Device software.
    2. Upgrade VMware Tools.
    3. Reinstall Citrix Provisioning Target Device software. The Target Device software must be installed after VMware Tools is updated.
  11. When you are done making changes, reboot back into the regular operating system.

  12. Rename the updated VHD file to make it unique.
  13. Copy the updated VHD file to your Citrix Provisioning Store.
  14. Copy an existing .pvp file and paste it with the same name as your newly updated VHD.

  15. In the Citrix Provisioning Console, right-click the store, and click Add or Import Existing vDisk.
  16. Click Search.
  17. It should find the new vDisk. Click Add. Click OK.

  18. You can now assign the newly updated vDisk to your Target Devices.
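Steps 3 to 5 above as a script, added here as an example and not code from the original article: it backs up the BCD store, clones the default entry, captures the GUID that bcdedit prints instead of having you retype it, points the clone at the VHD, and checks the free-space caveat from step 8 first. A second function removes the entry again after step 11. It assumes the VHD/VHDX copy already sits on the local C: drive; all paths are placeholders.

```powershell
# Added example, not from the original article. Assumes an elevated session and that the
# VHD/VHDX copy is already on the local C: drive (placeholder paths throughout).
function Add-VhdNativeBootEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VhdPath,          # e.g. C:\MyvDisk.vhdx (placeholder)
        [string]$Description = 'vhd boot (locate)'
    )
    if ($VhdPath -notmatch '^[A-Za-z]:\\') { throw "Use a full local path such as C:\MyvDisk.vhdx" }
    if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }

    # The article's blue-screen caveat: a native-boot VHD is unpacked on the host volume, so the volume
    # needs at least the file's current size free (a dynamic disk can need up to its maximum size).
    $freeBytes = (Get-PSDrive -Name $VhdPath.Substring(0, 1)).Free
    $fileBytes = (Get-Item -LiteralPath $VhdPath).Length
    if ($freeBytes -lt $fileBytes) {
        throw ("Only {0:N0} MB free on {1}; the VHD is {2:N0} MB. Enlarge the drive first." -f
            ($freeBytes / 1MB), $VhdPath.Substring(0, 2), ($fileBytes / 1MB))
    }

    # Step 3: export the current store so the change can be undone with 'bcdedit /import'.
    $backup = 'C:\bcdbackup-{0}' -f (Get-Date -Format 'yyyyMMdd-HHmmss')
    & bcdedit.exe /export $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed" }

    # Step 4: copy {default}. bcdedit reports the new identifier, e.g.
    # "The entry was successfully copied to {1a2b3c4d-...}." Parse it rather than retyping it.
    $copyOutput = (& bcdedit.exe /copy '{default}' /d $Description) -join ' '
    if ($LASTEXITCODE -ne 0 -or $copyOutput -notmatch '(\{[0-9a-f-]{36}\})') {
        throw "bcdedit /copy did not return a GUID: $copyOutput"
    }
    $guid = $Matches[1]

    # Step 5: [locate] makes the boot manager search every volume for the path, so the drive
    # letter is dropped: C:\MyvDisk.vhdx becomes vhd=[locate]\MyvDisk.vhdx.
    $vhdSpec = 'vhd=[locate]{0}' -f $VhdPath.Substring(2)
    foreach ($element in 'device', 'osdevice') {
        & bcdedit.exe /set $guid $element $vhdSpec | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit /set $guid $element failed" }
    }
    Write-Verbose "BCD backup written to $backup"
    return $guid   # keep this; Remove-VhdNativeBootEntry needs it after the reverse image
}

# After step 11 (back in the regular OS), remove the temporary boot entry again.
function Remove-VhdNativeBootEntry {
    param([Parameter(Mandatory)][string]$Guid)
    & bcdedit.exe /delete $Guid | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /delete $Guid failed" }
}

# Usage (placeholder path): $id = Add-VhdNativeBootEntry -VhdPath 'C:\MyvDisk.vhdx'; bcdedit /enum $id
```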

Automatic Scheduled vDisk Update – SCCM

You can use the vDisk Update Management node (and Hosts node) in Citrix Provisioning Console to schedule an updater machine to power on, receive updates from System Center Configuration Manager, and power off. The new vDisk version can then be automatically promoted to Production, or you can leave it in Maintenance or Test mode and promote it manually.

See the following Citrix links for instructions:

Global Server Load Balancing (GSLB) – NetScaler 10.5

Last Modified: Nov 6, 2020 @ 7:11 am

This article was written for NetScaler 10.5.

GSLB Planning

GSLB is nothing more than DNS. GSLB is not in the data path. GSLB receives a DNS query and GSLB sends back an IP address, which is exactly how a DNS server works. However, GSLB can do some things that DNS servers can’t do:

  • Don’t give out an IP address unless it is UP (monitoring)
    • If active IP address is down, give out the passive IP address (active/passive)
  • Give out the IP address that is closest to the user (proximity load balancing)
  • Give out different IPs for internal vs external (DNS View)

GSLB is only useful if you have a single DNS name that could resolve to two or more IP addresses. If there’s only one IP address then use normal DNS instead.

Citrix Blog Post Global Server Load Balancing: Part 1 explains how DNS queries work and how GSLB fits in.

Citrix has a good DNS and GSLB Primer.

When configuring GSLB, don’t forget to ask “where is the data?”. For XenApp/XenDesktop, DFS multi-master replication of user profiles is not supported so configure “home” sites for users. More information at Citrix Blog Post XenDesktop, GSLB & DR – Everything you think you know is probably wrong!

GSLB can be enabled both externally and internally. For external GSLB, configure it on the DMZ NetScaler appliances and expose it to the Internet. For internal GSLB, configure it on internal NetScaler appliances. Note: Each NetScaler appliance only has one DNS table so if you try to use one NetScaler for both public and internal then be aware that external users can query for internal GSLB-enabled DNS names.

For internal and external GSLB of the same DNS name on the same appliance, you can use DNS Policies and DNS Views to return different IP addresses depending on where users are connecting from. Citrix CTX130163 How to Configure a GSLB Setup for Internal and External Users Using the Same Host Name.

However, GSLB monitoring applies to the entire GSLB Service so it would take down both internal and external GSLB. If you need different GSLB monitoring for internal and external of the same DNS name, try CNAME:

  • External citrix.company.com:
    • Configure NetScaler GSLB for citrix.company.com.
    • On public DNS, delegate citrix.company.com to the NetScaler DMZ ADNS services.
  • Internal citrix.company.com:
    • Configure NetScaler GSLB for citrixinternal.company.com or something like that.
    • On internal DNS, create CNAME for citrix.company.com to citrixinternal.company.com
    • On internal DNS, delegate citrixinternal.company.com to NetScaler internal ADNS services.

Some IP Addresses are needed on each NetScaler pair:

  • ADNS IP: An IP that will listen for ADNS queries. For external, create a public IP for the ADNS IP and open UDP 53 so Internet-based DNS servers can access it. This can be an existing SNIP on the appliance.
  • GSLB Site IP / MEP IP: A GSLB Site IP that will be used for NetScaler-to-NetScaler communication, which is called MEP or Metric Exchange Protocol. The IP for ADNS can also be used for MEP / GSLB Site.
    • RPC Source IP: RPC traffic is sourced from a SNIP, even if this is different than the GSLB Site IP. It’s less confusing if you use a SNIP as the GSLB Site IP.
    • Public IP: For external GSLB, create public IPs that are NAT’d to the GSLB Site IPs. The same public IP used for ADNS can also be used for MEP. MEP should be routed across the Internet so NetScaler can determine if the remote datacenter has Internet connectivity or not.
    • MEP Port: Open port TCP 3009 between the two NetScaler GSLB Site IPs. Make sure only the NetScalers can access this port on the other NetScaler. Do not allow any other device on the Internet to access this port. This port is encrypted.
    • GSLB Sync Ports: To use GSLB Configuration Sync, open ports TCP 22 and TCP 3008 from the NSIP (management IP) to the remote public IP that is NAT’d to the GSLB Site IP. The GSLB Sync command runs a script in BSD shell and thus NSIP is always the Source IP.
  • DNS Queries: The purpose of GSLB is to resolve a DNS name to one of several potential IP addresses. These IP addresses are usually public IPs that are NAT’d to existing Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIPs in each datacenter.
  • IP Summary: In summary, for external GSLB, you will need a minimum of two public IPs in each datacenter:
    • One public IP that is NAT’d to the IP that is used for ADNS and MEP (GSLB Site IP). You only need one IP for ADNS / MEP no matter how many GSLB names are configured. MEP (GSLB Site IP) can be a different IP, if desired.
    • One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
    • If you GSLB-enable multiple DNS names, each DNS name usually resolves to different IPs. This usually means that you will need additional public IPs NAT’d to additional VIPs.

ADNS

  1. Identify a SNIP that you will use for MEP and ADNS.
  2. Configure a public IP for the SNIP and configure firewall rules.
  3. If you wish to use GSLB configuration sync then management access (SSH) must be enabled on this SNIP.
  4. On the left, expand Traffic Management > Load Balancing, and click Services.
  5. On the right, click Add.
  6. Name the service ADNS or similar.
  7. In the IP Address field, enter an appliance SNIP.
  8. In the Protocol field, select ADNS. Then click OK.
  9. Scroll down and click Done.
  10. On the left of the console, expand System, expand Network, and then click IPs.
  11. On the right, you’ll see the SNIP is now marked as the ADNS svc IP. If you don’t see this yet, click the Refresh icon.
  12. Repeat on the other appliance in the other datacenter.
  13. Your NetScaler appliances are now DNS servers.

Metric Exchange Protocol

  1. Open the firewall rules for Metric Exchange Protocol. You can use the same SNIP and same public IP used for ADNS.
  2. On the left, expand Traffic Management, right-click GSLB, and enable the feature.
  3. Expand GSLB, and click Sites.
  4. On the right, click Add.
  5. Add the local site first. Enter a descriptive name and in the Site Type drop-down, select LOCAL.
  6. In the Site IP Address field, enter an appliance SNIP. This SNIP must be in the default Traffic Domain. The NetScaler listens for GSLB MEP traffic on this IP.
  7. For Internet-routed GSLB MEP, in the Public IP Address field, enter the public IP that is NAT’d to the GSLB Site IP (SNIP). For internal GSLB, there is no need to enter anything in the Public IP field. Click Create.
  8. Go back to System > Network > IPs, and verify that the IP is now marked as a GSLB site IP. If you don’t see it yet, click the Refresh button.
  9. If you want to use the GSLB Sync Config feature, then you’ll need to edit the GSLB site IP, and enable Management Access.
  10. Scroll down and enable Management Access. SSH is all you need.
  11. Go to the other appliance and also create the local GSLB site using its GSLB site IP and its public IP that is NAT’d to the GSLB site IP.
  12. In System > Network > IPs on the remote appliance, there should now be a GSLB site IP. This could be a SNIP. If GSLB Sync is desired, enable management access on that IP and ensure SSH is enabled.
  13. Now on each appliance add another GSLB Site, which will be the remote GSLB site.
  14. Enter a descriptive name and select REMOTE as the Site Type.
  15. Enter the other appliance’s actual GSLB Site IP as configured on the appliance. This IP does not need to be reachable.
  16. In the Public IP field, enter the public IP that is NAT’d to the GSLB Site IP on the other appliance. For MEP, TCP 3009 must be open from the local GSLB Site IP to the remote public Site IP. For GSLB sync, TCP 22, and TCP 3008 must be open from the local NSIP to the remote public Site IP. Click Create.
  17. Repeat on the other appliance.
  18. MEP will not function yet since the NetScaler appliances are currently configured to communicate unencrypted on TCP 3011. To fix that, on the left, expand System, expand Network, and click RPC.
  19. On the right, edit the new RPC address (the other site’s GSLB Site IP), and click Edit.
  20. On the bottom, check the box next to Secure, and click OK.
  21. Do the same thing on the other appliance.
  22. If you go back to GSLB > Sites, you should see it as active.

GSLB Services

GSLB Services represent the IP addresses that are returned in DNS Responses. DNS Query = DNS name. DNS Response = IP address.

GSLB should be configured identically on both NetScalers. Since you have no control over which NetScaler will receive the DNS query, you must ensure that both NetScalers are giving out the same DNS responses.

Create the same GSLB Services on both NetScalers:

  1. Start on the appliance in the primary data center. This appliance should already have a traffic Virtual Server (NetScaler Gateway, Load Balancing, or Content Switching) for the DNS name that you are trying to GSLB enable.
  2. On the left, expand Traffic Management > GSLB, and click Services.
  3. On the right, click Add.
  4. The service name should be similar to the DNS name that you are trying to GSLB. Include the site name in the service name.
  5. Select the LOCAL Site.
  6. On the bottom part, select Virtual Servers, and then select a Virtual Server that is already defined on this appliance. It should automatically fill in the other fields. If you see a message asking if you wish to create a service object, click Yes.
  7. Scroll up and make sure the Service Type is SSL. It’s annoying that NetScaler doesn’t set this drop-down correctly.
  8. The Public IP field contains the actual IP Address that the GSLB ADNS service will hand out. Make sure this Public IP is user accessible. It doesn’t even need to be a NetScaler owned IP.
  9. Scroll down and click OK.
  10. If the GSLB Service IP is a VIP on the local appliance, then GSLB will simply use the state of the local traffic Virtual Server (Load Balancing, Content Switching, or Gateway). If the GSLB Service IP is a VIP on a remote appliance, then GSLB will use MEP to ask the other appliance for the state of the remote traffic Virtual Server. In both cases, there’s no need to bind a monitor to the GSLB Service.
  11. However, you can also bind monitors directly to the GSLB Service. Here are some reasons for doing so:
    • If the GSLB Service IP is a NetScaler-owned traffic VIP, but the monitors bound to the traffic Virtual Server are not the same ones you want to use for GSLB. When you bind monitors to the GSLB Services, the monitors bound to the traffic Virtual Server are ignored.
    • If the GSLB Service IP is in a non-default Traffic Domain, then you will need to attach a monitor since GSLB cannot determine the state of Virtual Servers in non-default Traffic Domains.
    • If the GSLB Service IP is not hosted on a NetScaler, then only GSLB Service monitors can determine if the Service IP is up or not.
  12. If you intend to do GSLB active/active and if you need site persistence then you can configure your GSLB Services to use Connection Proxy or HTTP Redirect. See Citrix Blog Post Troubleshooting GSLB Persistence with Fiddler for more details.
  13. Click Done.
  14. On the other datacenter NetScaler, create a GSLB Service.
  15. Select the REMOTE site that is hosting the service.
  16. Since the service is on a different appliance and not this one, you won’t be able to select it using the Virtual Servers option. Instead, select New Server.
  17. For the Server IP, enter the actual VIP configured on the other appliance. This local NetScaler will use GSLB MEP to communicate with the remote NetScaler to find a traffic Virtual Server with this VIP. The remote NetScaler responds with whether the remote traffic Virtual Server is up or not. The remote Server IP configured here does not need to be directly reachable by this local appliance. If the Server IP is not owned by either NetScaler, then you will need to bind monitors to your GSLB Service.
  18. In the Public IP field, enter the IP address that will be handed out to clients. This is the IP address that users will use to connect to the service. For Public DNS, you enter a Public IP that is usually NAT’d to the traffic VIP. For internal DNS, the Public IP and the Server IP are usually the same.
  19. Scroll up and change the Service Type to match the Virtual Server defined on the other appliance.
  20. Click OK.
  21. Just like the other appliance, you can also configure Site Persistence and GSLB Service Monitors. Click Done when done.
  22. Create more GSLB Services, one for each traffic VIP. GSLB is useless if there’s only one IP address to return. You should have multiple IP addresses (VIPs) through which a web service (e.g. NetScaler Gateway) can be accessed. Each of these VIPs is typically in different datacenters, or on different Internet circuits. The mapping between DNS name and IP addresses is configured in the GSLB vServer, as detailed in the next section.

GSLB Virtual Server

The GSLB Virtual Server is the entity that the DNS name is bound to. The GSLB vServer then hands out the IP address of one of the GSLB Services bound to it.

Configure the GSLB vServer identically on both appliances:

  1. On the left, expand Traffic Management > GSLB and click Virtual Servers.
  2. On the right, click Add.
  3. Give the GSLB vServer a descriptive name. For active/active, you can name it the same as your DNS name. For active/passive, you will create two GSLB Virtual Servers, one for each datacenter, so include Active or Passive in the Virtual Server name.
  4. Make sure Service Type is set correctly.
  5. If you intend to bind multiple GSLB Services to this GSLB vServer, then you can optionally check the box for Send all “active” service IPs. By default, GSLB only gives out one IP per DNS query. This checkbox always returns all IPs, but the IPs are ordered based on the GSLB Load Balancing Method and/or GSLB Persistence.
  6. Click OK.
  7. On the right, in the Advanced column, click Service.
  8. On the left, click where it says No GSLB Virtual Server to GSLB Service Binding.
  9. Click the arrow next to Click to select.
  10. Check the box next to an existing GSLB Service and click OK. If your GSLB is active/passive then only bind one service.
  11. If your GSLB is active/active then bind multiple GSLB Services. Also, you’d probably need to configure GSLB persistence (Source IP or cookies).
  12. Click Bind.
  13. On the right, in the Advanced column, click Domains.
  14. On the left, click where it says No GSLB Virtual Server Domain Binding.
  15. Enter the FQDN that GSLB will resolve.
  16. If this GSLB is active/passive, there are two options:
    • Use the Backup IP field to specify the IP address that will be handed out if the primary NetScaler is inaccessible or if the VIP on the primary appliance is marked down for any reason.
    • Or, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
  17. Click Bind.
  18. If this is active/active GSLB, you can edit the Method section to enable Static Proximity. This assumes the Geo Location database has already been installed on the appliance.
  19. Also for active/active, if you don’t want to use Cookie-based persistence, then you can use the Persistence section to configure Source IP persistence.
  20. Click Done.
  21. If you are configuring active/passive using the backup GSLB Virtual Server method, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.

  22. On the left, if you expand Traffic Management > DNS, expand Records, and click Address Records, you’ll see a new DNS record for the GSLB domain you just configured. Notice it is marked as GSLB DOMAIN.

  23. Create identical GSLB Virtual Servers on the other NetScaler appliance. Both NetScalers must be configured identically.
  24. You can also synchronize the GSLB configuration with the remote appliance by going to Traffic Management > GSLB.
  25. On the right, click Synchronize configuration on remote sites.
  26. Use the check boxes on the top, if desired. It’s usually a good idea to Preview the changes before applying them. Then click OK to begin synchronization.

Some notes regarding GSLB Sync:

  • It’s probably more reliable to do it from the CLI by running sync gslb config and one of the config options (e.g. -preview).
  • GSLB Sync runs as a script on the BSD shell and thus always uses the NSIP as the source IP.
  • GSLB Sync connects to the remote GSLB Site IP on TCP 3008 (secure RPC; TCP 3009 if RPC is not set to Secure) and on TCP 22 (SSH/SCP, used to copy the configuration). Both ports must be open between the NSIPs of the GSLB sites.

Test GSLB

  1. To test GSLB, simply point nslookup to the ADNS services and submit a DNS query for one of the DNS names bound to a GSLB vServer. Run the query multiple times to make sure you’re getting the response you expect.
  2. Both NetScaler ADNS services should be giving the same response.
  3. To simulate a failure, disable the traffic Virtual Server.
  4. Then the responses should change. Verify on both ADNS services.

  5. Re-enable the traffic Virtual Server, and the responses should return to normal.


DNS Delegation

If you are enabling GSLB for the domain gateway.corp.com, you’ll need to create a delegation at the server that is hosting the corp.com DNS zone. For public GSLB, you need to edit the public DNS zone for corp.com.

DNS Delegation instructions will vary depending on which product hosts the public DNS zone. This section details Microsoft DNS, but the steps are similar in BIND or web-based DNS products.

There are two ways to delegate GSLB-enabled DNS names to NetScaler ADNS:

  • Delegate the individual record. For example, delegate gateway.corp.com to the two NetScaler ADNS services (gslb1.corp.com and gslb2.corp.com).
  • Delegate an entire subzone. For example, delegate the subzone gslb.corp.com to the two NetScaler ADNS services. Then create a CNAME record in the parent DNS zone for gateway.corp.com that is aliased to gateway.gslb.corp.com. When DNS queries make it to NetScaler, they will be for gateway.gslb.corp.com and thus gateway.gslb.corp.com needs to be bound to the GSLB Virtual Server instead of gateway.corp.com. For additional delegations, simply create more CNAME records.

This section covers the first method – delegating an individual DNS record:

  1. Run DNS Manager.
  2. First, create Host Records pointing to the ADNS services running on the NetScalers in each data center. These host records for ADNS are used for all GSLB delegations no matter how many GSLB delegations you need to create.
  3. The first Host record is gslb1 (or similar) and should point to the ADNS service (Public IP) on one of the NetScaler appliances.
  4. The second Host record is gslb2 and should point to the ADNS Service (public IP) on the other NetScaler appliance.
  5. If you currently have a host record for the service that you are delegating to GSLB (gateway.corp.com), delete it.
  6. Right-click the parent DNS zone and click New Delegation.
  7. In the Welcome to the New Delegation Wizard page, click Next.
  8. In the Delegated Domain Name page, enter the left part of the DNS record that you are delegating (e.g. gateway). Click Next.
  9. In the Name Servers page, click Add.
  10. This is where you specify gslb1.corp.com and gslb2.corp.com. Enter gslb1.corp.com and click Resolve. Then click OK. If you see a message about the server not being authoritative for the zone, ignore the message.
  11. Then click Add to add the other GSLB ADNS server.
  12. Once both ADNS servers are added to the list, click Next.
  13. In the Completing the New Delegation Wizard page, click Finish.
  14. If you run nslookup against your Microsoft DNS server, it will respond with Non-authoritative answer. That’s because it got the response from NetScaler and not from itself.

That’s all there is to it. Your NetScalers are now DNS servers. For active/passive, the NetScalers will hand out the public IP address of the primary data center. When the primary data center is not accessible, GSLB will hand out the GSLB Service IP bound to the Backup GSLB vServer.
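As an added example (not part of the original article), here are the delegation steps and the GSLB test from the two sections above as PowerShell, run on the Microsoft DNS server that hosts corp.com. The zone name, record name and ADNS IP addresses are placeholders; the DnsServer module (installed with the DNS Server role or RSAT) and Resolve-DnsName are assumed to be available.

```powershell
# Added example: delegate gateway.corp.com to two NetScaler ADNS services and verify
# that both ADNS services answer identically. Zone, record and IPs are placeholders.
#Requires -Modules DnsServer

$Zone   = 'corp.com'
$Record = 'gateway'                  # left part of the name being delegated
$Adns   = @{                         # host record name -> ADNS service (Public IP) per NetScaler
    'gslb1' = '203.0.113.10'
    'gslb2' = '198.51.100.10'
}

# 1. Host records for the ADNS services. These are reused by every GSLB delegation.
foreach ($ns in $Adns.GetEnumerator()) {
    if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $ns.Key -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $ns.Key -IPv4Address $ns.Value
    }
}

# 2. Remove any existing A record for the delegated name. If it stays, the Microsoft
#    DNS server keeps answering from its own zone data and GSLB is never consulted.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $Record -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force

# 3. Delegate the name. Each call adds one NS record for the child name plus its glue A record.
foreach ($ns in $Adns.GetEnumerator()) {
    Add-DnsServerZoneDelegation -Name $Zone -ChildZoneName $Record `
        -NameServer "$($ns.Key).$Zone" -IPAddress $ns.Value
}

# 4. Test: query each ADNS service directly (bypassing cache and hosts file), several
#    times, and report whether the two NetScalers return the same set of addresses.
function Test-GslbAnswers {
    param(
        [string]$Fqdn,
        [string[]]$Servers,
        [int]$Queries = 5
    )
    $results = @{}
    foreach ($server in $Servers) {
        $ips = 1..$Queries | ForEach-Object {
            Resolve-DnsName -Name $Fqdn -Type A -Server $server -DnsOnly -NoHostsFile -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        } | Sort-Object -Unique
        $results[$server] = @($ips)
    }
    $distinct = $results.Values | ForEach-Object { $_ -join ',' } | Sort-Object -Unique
    [pscustomobject]@{
        Fqdn       = $Fqdn
        Answers    = $results
        Consistent = (@($distinct).Count -eq 1)   # both ADNS services must agree
    }
}

Test-GslbAnswers -Fqdn "$Record.$Zone" -Servers $Adns.Values
```

Run Test-GslbAnswers once with everything up, then disable the traffic Virtual Server on one site and run it again: Consistent should stay $true while the answer set changes to the surviving site. Querying the Microsoft DNS server itself instead of the ADNS IPs should also work, but the answer will be marked non-authoritative because it was obtained by recursing to the NetScaler.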

Geo Location Database

If you want to use DNS Policies, Static Proximity GSLB Load Balancing, or Responders based on the user’s location, import a geo location database. Two common free databases are IP2Location and MaxMind GeoLite Legacy. Note that MaxMind discontinued GeoLite Legacy downloads in January 2019, so the link below may no longer serve the files.

For IP2Location, see the blog post Add IP2Location Database as NetScaler’s Location File for instructions on how to import.

For GeoLite Legacy:

  1. Download the GeoLite Country database CSV from http://dev.maxmind.com/geoip/legacy/geolite/.
  2. Note: GeoLite City is actually two files that must be merged as detailed at Citrix Blog Post GeoLite City as NetScaler location database. GeoLite Country doesn’t need any preparation.
  3. Upload the extracted database (.csv file) to the NetScaler appliance at /var/netscaler/locdb.

To import the Geo database:

  1. In the NetScaler GUI, on the left, expand AppExpert, expand Location, and click Static Database (IPv4).
  2. On the right, click Add.
  3. Browse to the location database file.
  4. In the Location Format field, select geoip-country and click Create.
  5. When you open a GSLB Service, the public IP will be translated to a location.

You can use the Geo locations in a DNS Policy, static proximity GSLB Load Balancing, or Responders.

Remote PC

Last Modified: Aug 20, 2024 @ 8:53 am


Remote PC Catalog

  1. In Citrix Studio, create a Machine Catalog.
  2. In the Introduction page, click Next.
  3. In the Operating System page, select Remote PC Access, and click Next.
  4. In the Machine Accounts page, click Add OUs.
  5. Browse to an OU containing office PCs. Check the box next to Include subfolders, and click OK.
  6. Then click Next.
  7. Name the catalog Remote PC or similar, and then click Finish.
  8. After the Catalog is created, you can Edit Machine Catalog to add more OUs.

  9. Or explicitly add individual machines to the Catalog.

Remote PC Delivery Group

  1. Create a Delivery Group.
  2. In the Introduction page, click Next.
  3. In the Machines page, highlight the Remote PC catalog, and click Next.
  4. Add users that can access the Remote PCs, and then click Next.
  5. In the Desktop Assignment Rules page, adding an entry here will let users connect to unassigned machines. If you don’t add anything here, then users can only connect to machines to which they’ve been explicitly assigned. Click Next.
  6. In the Summary page, enter a name for the Delivery Group, and then click Finish.
  7. Click Yes when prompted that there are no desktops to deliver.

Remote PC Citrix Policy

  • Citrix Policy 2106 and newer have a User Setting (user half of GPO) named Disconnected session timer for Remote PC Access.

    • Make sure you also configure the Disconnected session timer interval.

Multiple Users per PC

Citrix CTX137805 How to Switch Off Remote PC Access Multiple User Assignment in XenDesktop 7.x: By default, when using Remote PC Access in Citrix Virtual Apps and Desktops (CVAD), anybody that logs into the console session of the physical PC is automatically assigned to the Catalog machine in Citrix Studio. This can result in multiple users assigned to the same machine. For IT desktop support staff that routinely log into multiple PCs to support them, the IT staff could see many more machines in StoreFront than they intend.

To stop this, on every Delivery Controller, configure the following registry value so only the first user to log on to the machine after it has registered with the Citrix Broker service gets assigned to the machine. You can still manually assign users to machines using Studio or Director.

  • HKLM\Software\Citrix\DesktopServer\
    • AllowMultipleRemotePCAssignments (DWORD) = 0

Wake On LAN

As of CVAD 2012, this SCCM integration feature has been deprecated. The replacement Wake on LAN feature in CVAD 2009 and newer no longer needs SCCM and is configured using PowerShell as detailed at Configure Wake on LAN at Citrix Docs.

If you have SCCM configured for Wake On LAN, you can connect Citrix Virtual Apps and Desktops (CVAD) to SCCM to power manage the Remote PC machines.

  1. In Citrix Studio, go to Configuration, right-click Hosting, and click Add Connection and Resources.
  2. In the Connection page, change the selection to Create a new connection.
  3. Change the Connection type to Microsoft Configuration Manager Wake on LAN.
  4. Enter the SCCM server’s FQDN.
  5. Enter SCCM credentials. The SCCM credentials you specify must include collections in the scope, and the Remote Tools Operator role.
  6. Give the Connection a name, and click Next.
  7. In the Summary page, click Finish.
  8. Edit the Remote PC Machine Catalog.
  9. In the Power Management page, change the selection to Yes, and click OK.

Install VDA on PC

  1. On the PC, install .NET Framework 4.8 (or newer).
  2. Disable power saving options (e.g. Hibernate, Sleep, etc.)
  3. If Wake on LAN is desired, configure the PC’s BIOS and NIC to enable Wake on LAN.
  4. Download Standalone Single-session OS (aka Desktop OS) installers for Virtual Delivery Agent 2407, Virtual Delivery Agent 2402 LTSR CU1, Virtual Delivery Agent 2203 LTSR CU5, or Virtual Delivery Agent 1912 LTSR CU9.
    1. The standalone VDA installers are in the Components that are on the product ISO but also packaged separately section.
    2. The Single-session OS Core Services VDA is designed specifically for Remote PC and is the smallest installer available. However, the Core Services installer does not include Profile Management, which means Director cannot show you logon durations.
  5. Remote PC is typically installed on many distributed PCs. Use a software deployment tool to install the VDA package using CLI parameters. See Use the standalone VDA installer at Citrix Docs for more information.
  6. For Teams Redirection and Browser Content Redirection (BCR) in VDA 1912 and older, use the full VDA installer with the /remotepc switch:
    VDAWorkstationSetup_1912.exe /quiet /remotepc /controllers "xdc01.corp.local xdc02.corp.local" /enable_hdx_ports /noreboot
  7. VDA 2003 and newer support Teams Redirection and Browser Content Redirection (BCR) in the Core Services installer:
    VDAWorkstationCoreSetup_2407.exe /quiet /controllers "xdc01.corp.local xdc02.corp.local" /enable_hdx_ports /enable_hdx_tls_dtls /noresume /noreboot
    • If you instead use the full VDA installer (VDAWorkstationSetup_2407.exe) in VDA 2206 and newer, see Citrix Docs for the syntax. For example, VDA 2206 and newer require the /remotepc and /physicalmachine switches.
    • /enable_hdx_tls_dtls is for HDX Direct in CVAD 2311 and newer.
  8. CTX256820 When a user connects to his physical VDA using Remote PC Access, the monitor layout order changes.
    1. On the Remote PC machine, in regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Graphics
    2. Create a DWORD named  UseSDCForLocalModes and set it to 1.
  9. Vrajesh Subrahari at Remote PC Solution Issue – The virtual machine ‘Unknown’ cannot accept additional sessions at Citrix Discussions recommends disabling Fast Boot.
    1. On the Remote PC machine, in regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power\.
    2. Set HiberbootEnabled to 0.
  10. After the machine is rebooted, if the machine is in one of the OUs assigned to the Remote PC Catalog, then the machine will be automatically added to the Catalog and the Delivery Group.
  11. When somebody logs into the console of the machine, that user will be automatically assigned to the machine. You can use the Change User link on the right to change or add users. Multiple users can be assigned to one machine.

  12. When the user logs into StoreFront, the user will see the actual machine name.
  13. In CVAD 2407 and newer, the Machine Allocation page lets you change the machine Display name shown to the user.

    • Or the name displayed in StoreFront can be changed by running Set-BrokerPrivateDesktop MyMachine -PublishedName MyDisplayName.
  14. When viewing machines in Studio or Director, there’s a new column for Desktop Display Name.
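As an added example (not part of the original article and not Citrix’s own deployment script), the PC preparation and Core Services VDA install steps above as one unattended PowerShell script that a software deployment tool can run on each PC. The installer path and Controller names are placeholders; the installer switches and registry values are the ones referenced in the steps above.

```powershell
# Added example: unattended Remote PC preparation plus Core Services VDA install.
# Installer path and Controllers are placeholders; run elevated from a deployment tool.
#Requires -RunAsAdministrator
param(
    [string]$Installer     = 'C:\Install\VDAWorkstationCoreSetup_2407.exe',   # placeholder path
    [string[]]$Controllers = @('xdc01.corp.local', 'xdc02.corp.local'),      # placeholder controllers
    [switch]$EnableHdxDirect   # adds /enable_hdx_tls_dtls (HDX Direct, CVAD 2311 and newer)
)

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. .NET Framework 4.8 or newer. Release 528040 is 4.8; newer builds have higher values.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 528040) {
    throw 'Install .NET Framework 4.8 or newer before installing the VDA.'
}

# 2. Power saving off: a sleeping or hibernated PC cannot be reached by the Controllers.
#    Turning hibernation off also removes the prerequisite for Fast Boot.
& powercfg.exe /hibernate off
& powercfg.exe /change standby-timeout-ac 0
& powercfg.exe /change hibernate-timeout-ac 0

# 3. Unattended Core Services VDA install (VDA 2003 and newer) with the switches from step 7.
$installArgs = @(
    '/quiet',
    '/controllers', ('"{0}"' -f ($Controllers -join ' ')),
    '/enable_hdx_ports',
    '/noresume',
    '/noreboot'
)
if ($EnableHdxDirect) { $installArgs += '/enable_hdx_tls_dtls' }
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    # Non-zero codes are documented by Citrix (a pending reboot is one of them); surface it to the deployment tool.
    Write-Warning "VDA installer returned exit code $($proc.ExitCode)"
}

# 4. Registry fixes from steps 8 and 9; both take effect after the reboot the deployment tool performs.
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled' 0   # Fast Boot off
Set-RegDword 'HKLM:\SOFTWARE\Citrix\Graphics' 'UseSDCForLocalModes' 1                               # CTX256820 monitor order

exit $proc.ExitCode
```

Because the script passes /noreboot, the deployment tool must reboot the PC afterwards; only after that reboot does the machine register and get added to the Catalog and Delivery Group.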

Remote PC Maintenance

Assign/Un-assign users – There are four methods of assigning users to desktops:

  • Let Remote PC do it automatically. The first user that logs into the physical machine will be assigned to the desktop. If single user mode is not enabled then all other users that log into the machine will also be assigned to the desktop.
  • In Citrix Studio, find the machine, right-click it, and click Change User.
  • In Director, go to machine details and click Manage Users.
  • Use PowerShell:
    asnp citrix.*
    # Un-assign a user from a Remote PC machine, then assign (or re-assign) a user to it
    Remove-BrokerUser -Machine 'CORP\WIN1002' -Name 'CORP\user01'
    Add-BrokerUser -Machine 'CORP\WIN1002' -Name 'CORP\user01'

Rename desktop icon – For Remote PC, the icon displayed to the user is the actual machine name. This sometimes is not very intuitive. The name displayed to the user can be changed by running a PowerShell command.

asnp citrix.*
Set-BrokerPrivateDesktop CORP\WIN10002 -PublishedName "Users Desktop"

Display last login time for the machines – Use the following PowerShell to display desktops sorted by when they were last used. Adjust the date filter as desired. You can manually remove the older machines or pipe the results to Remove-BrokerMachine.

asnp citrix.*

Get-BrokerDesktop -CatalogName "Remote PC" -Filter {LastConnectionTime -le "2015-02-28"} `
    -Property AssociatedUserNames,MachineName,LastConnectionTime | Sort-Object LastConnectionTime

The above PowerShell command uses the -filter and -property switches. These switches process the filtering on the server-side, which improves performance.
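As an added example (not part of the original article), a function that turns the query above into a safe cleanup: it reports Remote PC desktops unused for a configurable number of days and, only when -Remove is passed, takes them out of their Delivery Group and then out of the Catalog, honouring -WhatIf. The Catalog name is a placeholder; the Citrix Broker PowerShell snap-ins are assumed to be installed on the machine where it runs.

```powershell
# Added example: report and optionally remove stale Remote PC machines. Not the page's own code.
function Remove-StaleRemotePC {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$CatalogName = 'Remote PC',   # placeholder
        [int]$UnusedDays = 90,
        [switch]$Remove                       # without this the function only reports
    )
    Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue

    # Server-side filter as a string so the cutoff is computed here rather than hard-coded.
    # Machines that have never been connected to (LastConnectionTime empty) are not matched.
    $cutoff = (Get-Date).AddDays(-$UnusedDays).ToString('yyyy-MM-dd')
    $stale = Get-BrokerDesktop -CatalogName $CatalogName `
        -Filter "LastConnectionTime -le '$cutoff'" `
        -Property MachineName, DesktopGroupName, AssociatedUserNames, LastConnectionTime |
        Sort-Object LastConnectionTime

    foreach ($d in $stale) {
        if (-not $Remove) { $d; continue }    # report only
        $why = "remove from Delivery Group and Catalog (last used $($d.LastConnectionTime))"
        if ($PSCmdlet.ShouldProcess($d.MachineName, $why)) {
            # A machine has to leave its Delivery Group before it can leave the Catalog.
            if ($d.DesktopGroupName) {
                Remove-BrokerMachine -MachineName $d.MachineName -DesktopGroup $d.DesktopGroupName
            }
            Remove-BrokerMachine -MachineName $d.MachineName -Force
        }
    }
}

# Dry run first; drop -WhatIf once the list looks right.
Remove-StaleRemotePC -UnusedDays 120 -Remove -WhatIf
```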

Horizon View Load Balancing – NetScaler 10.5

Last Modified: Nov 6, 2020 @ 7:11 am


Use this procedure to load balance Horizon View Connection Servers, Horizon View Security Servers, and/or VMware Access Points.

Overview

A typical Horizon View installation will have at least six servers:

  • Two Internal View Connection Servers – these need to be load balanced on an internal VIP
  • Two DMZ View Security Servers – these need to be load balanced on a DMZ VIP
  • The DMZ View Security Servers are paired with two additional internal View Connection Servers. There is no need to load balance the internal Paired Connection Servers. However, we do need to monitor them.

If you are using Access Points instead of Security Servers then you’ll have the following machines. Server pairing is not necessary.

  • Two Internal View Connection Servers – these need to be load balanced on an internal VIP
  • Two DMZ VMware Access Point appliances – these need to be load balanced on a DMZ VIP

This topic is focused on traditional View Security Servers but could be easily adapted for Access Point appliances. The difference is that with Access Points there are no paired servers and thus there’s no need to monitor the paired servers. The VIP ports are identical for both solutions.

Monitors

Users connect to Horizon View Connection Server, Horizon View Security Server, and Access Point appliances on four ports: TCP 443, TCP 8443, TCP 4172, and UDP 4172. Users will initially connect to port 443 and then be redirected to one of the other ports on the same server initially used for the 443 connection. If one of the ports is down, the entire server should be removed from load balancing. To facilitate this, create a monitor for each of the ports (except UDP 4172).

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it View-PCOIP or similar.
  4. Change the Type drop-down to TCP.
  5. In the Destination Port field, enter 4172.
  6. Scroll down and click Create.
  7. On the right, click Add.
  8. Name it View-Blast or similar.
  9. Change the Type drop-down to TCP.
  10. In the Destination Port field, enter 8443.
  11. Scroll down and click Create.
  12. On the right, click Add.
  13. Name it View-SSL or similar.
  14. Change the Type drop-down to HTTP-ECV.
  15. In the Destination Port field, enter 443.
  16. Scroll down and check the box next to Secure.
  17. On the Special Parameters tab, in the Send String section, enter GET /broker/xml/
  18. In the Receive String section, enter clientlaunch-default.
  19. Scroll down and click Create.
  20. View Security Servers are paired with View Connection Servers. If the paired View Connection Server is down, then we should stop sending users to the corresponding View Security Server. To do that, create a copy of the HTTPS monitor that has a specific destination IP address in it: right-click the existing View-SSL monitor and click Add.

  21. Note: this step does not apply to Access Points. Normally a monitor does not have any Destination IP defined, which means it uses the IP address of the service that it is bound to. However, we intend to bind this monitor to the View Security Server but we need it to monitor the paired View Connection Server, which is a different IP address. Type in the IP address of the paired View Connection Server. Then rename the monitor so it includes the View Connection Server name.
  22. Note: this step does not apply to Access Points. Since we are embedding an IP address into the monitor, you have to create a separate monitor for each paired View Connection Server IP.

Servers

Create Server Objects for the DMZ Security Servers and the internal non-paired Connection Servers. Do not create Server Objects for the Paired Connection Servers.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the View Connection Server or View Security Server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding View Connection Servers or View Security Servers.

Services

If deploying View Security Servers, create Services Objects for the DMZ Security Servers and the internal non-paired Connection Servers. Do not create Services Objects for the Paired Connection Servers.

If deploying Access Points, create Services Objects for the DMZ Access Point appliances and the internal Connection Servers

Each connection server and security server needs separate Service objects. Each Security Server listens on multiple port numbers and thus there will be multiple Services Objects for each Security Server.

For Internal Connection Servers (not the paired servers), load balancing monitoring is very simple:

  • Create services for SSL 443
  • To verify server availability, monitor port TCP 443 on the same server.
  • If tunneling is disabled then internal users connect directly to View Agents and UDP/TCP 4172 and TCP 8443 are not used on Internal Connection Servers. There’s no need to create services and monitors for these ports.

Security Servers and Access Points are more complex:

  • The PCoIP Secure Gateway and HTML Blast Secure Gateway are typically enabled on Security Servers and Access Points but they are not typically enabled on internal Connection Servers.
  • All traffic initially connects on TCP 443. For Security Servers and Access Points, the clients then connect to UDP 4172 or TCP 8443 on the same Security Server. If UDP 4172 or TCP 8443 are down, then you probably want to make sure TCP 443 is also brought down.
  • Each Security Server is paired with an internal Connection Server. If the internal Connection Server is down then the Security Server should be taken down. This does not apply to Access Points.
  • To accommodate these failure scenarios, bind multiple monitors to the View Security Server or Access Point load balancing Services. If any of the monitors fails then NetScaler will no longer forward traffic to 443 on that particular server.

If you have two View Security Servers or Access Points named VSS01 and VSS02, the configuration is summarized as follows (scroll down for detailed configuration):

  • Service = VSS01, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) on paired View Connection Server VCS01. This monitor is not needed on Access Points.
  • Service = VSS02, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) on paired View Connection Server VCS02. This monitor is not needed on Access Points.
  • Service = VSS01, Protocol = TCP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS02, Protocol = TCP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS01, Protocol = UDP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS02, Protocol = UDP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS01, Protocol = SSL_BRIDGE, Port = 8443
    • Monitor = Blast (8443)
  • Service = VSS02, Protocol = SSL_BRIDGE, Port = 8443
    • Monitor = Blast (8443)

If you are not using HTML Blast then you can skip 8443. If you are not using PCoIP Secure Gateway, then you can skip the 4172 ports.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  2. On the right, click Add.
  3. Give the Service a descriptive name (e.g. svc-VSS01-SSL).
  4. Change the selection to Existing Server and select the View Security Server or internal (non-paired) View Connection Server you created earlier.
  5. Change the Protocol to SSL_BRIDGE and click OK.
  6. On the left, in the Monitors section, click where it says 1 Service to Load Balancing Monitor Binding.
  7. Click Add Binding.
  8. Click the arrow next to Click to select.
  9. Select the View-SSL monitor and click OK.
  10. Then click Bind.
  11. If this is a View Security Server, add monitors for PCoIP and HTML Blast. If any of those services fails, then 443 needs to be marked DOWN.

  12. If this is a View Security Server, also add a monitor that has the IP address of the paired View Connection Server. If the paired View Connection Server is down, then stop sending connections to this View Security Server.
  13. The Last Response should indicate Success. If you bound multiple monitors to the Service, then the member will only be UP if all monitors succeed. There’s a refresh button on the top-right. Click Close when done.
  14. Then click Done.
  15. Right-click the first service and click Add.
  16. Change the name to match the second View Server.
  17. Use the Server drop-down to select to the second View Server.
  18. The remaining configuration is identical to the first server. Click OK.
  19. You will need to configure the monitors again. They will be identical to the first server except for the monitoring of the paired View Connection Server. Click Done when done.

  20. Add another Service for PCoIP on TCP 4172.
    1. Name = svc-VSS01-PCoIPTCP or similar.
    2. Server = Existing Server, select the first View Server.
    3. Protocol = TCP
    4. Port = 4172.
    5. Monitors = View-PCoIP. You can add the other monitors if desired.
  21. Repeat for the 2nd View Security Server.
  22. Add another Service for PCoIP on UDP 4172.
    1. Name = svc-VSS01-PCoIPUDP or similar.
    2. Existing Server = first View Server
    3. Protocol = UDP
    4. Port = 4172.
    5. Monitors = View-PCoIP. You can add the other monitors if desired.
  23. Repeat for the 2nd View Server.
  24. Add another Service for HTML Blast on SSL_BRIDGE 8443.
    1. Name = svc-VSS01-HTMLBlast or similar.
    2. Existing Server = the first View Server
    3. Protocol = SSL_BRIDGE
    4. Port = 8443.
    5. Monitors = View-Blast. You can add the other monitors if desired.
  25. Repeat for the 2nd View Server.
  26. You should now have eight services, four for each View Security Server (443, TCP 4172, UDP 4172, and 8443).
  27. Repeat these instructions to add the internal (non-paired) View Connection Servers except that you only need to add services for SSL_BRIDGE 443 and only need monitoring for 443.

Load Balancing Virtual Servers

Create separate load balancers for internal and DMZ.

  • Internal load balances the two non-paired Internal View Connections Servers.
  • DMZ load balances the two View Security Servers or Access Point appliances.

The paired View Connection Servers do not need to be load balanced.

For the internal View Connection Servers you only need a load balancer for SSL_BRIDGE 443. If tunneling is disabled then you don’t need load balancers for the other ports (UDP/TCP 4172 and SSL_BRIDGE 8443).

However, tunneling is enabled on the View Security Servers and Access Point appliances so you will need separate load balancers for each port number. Here is a summary of the Virtual Servers:

  • Virtual Server on SSL_BRIDGE 443 – bind both View SSL Services.
  • Virtual Server on UDP 4172 – bind both View PCoIPUDP Services.
  • Virtual Server on TCP 4172 – bind both View PCoIPTCP Services.
  • Virtual Server on SSL_BRIDGE 8443 – bind both View Blast Services.

Do the following to create the Virtual Servers:

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right click Add.
  3. Name it View-SSL-LB or similar.
  4. Change the Protocol to SSL_BRIDGE.
  5. Specify a new internal VIP. This one VIP will be used for all of the Virtual Servers.
  6. Enter 443 as the Port.
  7. Click OK.
  8. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
  9. Click the arrow next to Click to select.
  10. Select the two View-SSL Services and click OK.
  11. Click Bind.
  12. Click OK.
  13. Then click Done. Persistency will be configured later.
  14. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP UDP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = UDP, Port = 4172
    3. Services = the PCoIP UDP Services.
  15. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP TCP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = TCP, Port = 4172
    3. Services = the PCoIP TCP Services.
  16. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for HTML Blast SSL_BRIDGE 8443:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = SSL_BRIDGE, Port = 8443
    3. Services = the HTML Blast SSL_BRIDGE Services.
  17. This gives you four Virtual Servers on the same VIP but different protocols and port numbers.

Persistency Group

For Security Servers and Access Point appliances, users will first connect to SSL_BRIDGE 443 and be load balanced. Subsequent connections to the other port numbers must go to the same load balanced server. Create a Persistency Group to facilitate this.

If tunneling is disabled on the internal View Connection Servers then you probably only have one load balancer for those servers and thus you could configure persistence directly on that one load balancer instead of creating a Persistency Group. However, since the View Security Servers have multiple load balancers then you need to bind them together in a Persistency Group.

  1. On the left, under Traffic Management, expand Load Balancing and click Persistency Groups.
  2. On the right, click Add.
  3. Give the Persistency Group a name (e.g. View).
  4. Change the Persistence to SOURCEIP.
  5. Enter a timeout that is equal to or greater than the timeout in View Administrator, which defaults to 10 hours (600 minutes).
  6. In the Virtual Server Name section, click Add.
  7. Move all four View Security Server / Access Point Load Balancing Virtual Servers to the right. Click Create.

Horizon View Configuration

  1. On the View Security Servers (or View Connection Servers), request a certificate that matches the FQDN that resolves to the Load Balancing VIP.
  2. Make sure the private key is exportable.
  3. Set the Friendly Name to vdm and restart the View Security Server services.
  4. In View Administrator, go to View Configuration > Servers.
  5. On the right, switch to the Security Servers tab.
  6. Highlight a server and click Edit.
  7. Change the URLs to the FQDN that resolves to the load balancing VIP.
  8. Change the PCoIP URL to the VIP. For View Security Servers, this is typically a public IP that is NAT’d to the DMZ Load Balancing VIP.

Citrix Policy Settings

Last Modified: Dec 5, 2024 @ 3:14 am


Citrix Policy Settings – GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

  • Citrix Studio – also known as FMA policies
  • Group Policy Object – the Citrix Group Policy Management Plugin installer (included with Studio) adds a Citrix Policy node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided by Citrix for VDAs. It does not include settings that are native to Microsoft group policies. See the VDA Group Policies articles for more information on the recommended Microsoft group policy settings for a Citrix Virtual Apps and Desktops environment.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. In CVAD 2402 and newer, you can use Citrix Automated Configuration to export policies from one site/farm and import to another.

GPOs linked to an Active Directory OU can apply to VDAs in multiple Citrix Virtual Apps and Desktops sites/farms. If you use the GPO method, make sure the GPOs are linked to OUs that contain VDAs.

Citrix Web Studio > Policies has the new single-pane Policy configuration interface. Group Policy > Citrix Policies has the older Policy configuration interface as detailed in the rest of this article.

In Web Studio 2407 and newer, on the Settings page, you can enable Policy sets, which contain multiple policies. Then assign a policy Set to Delivery Groups. Administrator scopes can include Policy Sets. See Citrix Docs.


If you ever want to copy the Studio policies to a GPO, run the following PowerShell commands as mentioned at Citrix Discussions:

# Load the module that registers the CitrixGroupPolicy provider
Import-Module Citrix.GroupPolicy.Commands

# Map a drive to the site database (replace MyController with one of your Delivery Controllers)
New-PSDrive -PSProvider CitrixGroupPolicy -Name LocalFarmGpo -Root \ -Controller "MyController"

# Map a second drive to the target Active Directory GPO (replace MyGPO with the GPO name)
New-PSDrive -PSProvider CitrixGroupPolicy -Name TargetGPO -Root \ -DomainGpo "MyGPO"

# Copy the User policies, then the Computer policies, from the site database into the GPO
cd LocalFarmGpo:\User
copy * TargetGPO:\User

cd LocalFarmGpo:\Computer
copy * TargetGPO:\Computer

Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object, you must install the Citrix Group Policy Management Plug-in on your group policy editing machine. This plug-in adds the Citrix Policies node to the Group Policy Editor.

Do the following to install the plug-in.

  1. Login to a machine that has the Group Policy Management Console (GPMC) Windows Feature installed.
  2. If this machine doesn’t have Citrix Studio installed, then install the Citrix Group Policy component from the \x64\Citrix Policy folder on the Citrix Virtual Apps and Desktops ISO. Make sure all Group Policy consoles are closed first.

  3. Citrix Virtual Apps and Desktops (CVAD) 2411 comes with Citrix Group Policy Management 7.43.100.

    1. Citrix Virtual Apps and Desktops (CVAD) 2402 LTSR CU1 comes with Citrix Group Policy Management 7.41.1100.34.
    2. Citrix Virtual Apps and Desktops (CVAD) 2203 LTSR CU5 comes with Citrix Group Policy Management 7.33.5000.10.
    3. Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU8 comes with Citrix Group Policy Management 7.24.8000.0.
    4. XenApp/XenDesktop 7.15 LTSR Cumulative Update 9 comes with Citrix Group Policy Management 3.1.9000.0.
  4. Click Finish to finish the wizard.
  5. Citrix releases quarterly updates for this component, so whenever you update your Delivery Controllers, also update your Group Policy editing machines (machines with Group Policy Management Console installed).
  6. Citrix Policies let you use Delivery Groups as a filter. To see the list of Delivery Groups, install the Broker SDK plug-in.

    1. On the CVAD ISO, go to \x64\Citrix Desktop Delivery Controller and run Broker_PowerShellSnapIn_x64.
    2. Check the box next to I accept and click Install.
    3. Close the Group Policy Editor and re-open it. Now you can see the list of Delivery Groups.

Computer Settings

  1. Run Group Policy Management Console.
  2. Edit a GPO that applies computer settings to the VDA machines.
  3. In the GPO, expand Computer Configuration, expand Policies, and click Citrix Policies.
  4. On the right, on the Templates tab, you can create a new policy based on a built-in template. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  5. On the right, on the Policies tab, you can either edit the Unfiltered policy, or you can create a new policy that is filtered.
  6. Switch to the Settings tab.
  7. Citrix Policies in the Computer Half of the GPO only shows Computer Settings. Later, we’ll configure Citrix Policies in the User Half of the GPO, which has different settings (User Settings).
  8. Some of the settings detailed in this post require newer versions of Citrix Virtual Apps and Desktops.
  9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings do not apply to Virtual Delivery Agent 7.x.
  10. Also notice that some settings apply to Desktop OS (virtual desktop) or Server OS (Remote Desktop Session Host) but not necessarily both. Read the Applies to section to verify.
  11. Change the Categories drop-down to ICA.
  12. Scroll down and add the setting Virtual channel allow list.

    • In VDA 2109 and newer, the setting Virtual channel allow list is enabled by default, which means that non-Citrix virtual channels, like Zoom and WebEx, won’t work. One option is to disable this setting. Another option is to find the name of the third-party virtual channel and add it to this list as detailed in Citrix Docs. See Citrix Blog Post Virtual channel allow list now enabled by default for a list of virtual channels to add.
    • CVAD 2206 and newer let you enter wildcards in the Virtual channel allow list setting. See Citrix Docs.
    • New Teams VDI Plug-in (SlimCore) requires three custom virtual channels.
  13. CVAD 2311 and newer support HDX Direct for both internal and external connections. HDX Direct automatically installs self-signed certificates on the VDAs. Workspace apps then connect directly to the VDAs without going through ICA Proxy (NetScaler Gateway). For external users, the connections use STUN to traverse NAT. Use Citrix Policy to enable HDX Direct and set the mode to Internal and external. See HDX Direct at Citrix Docs.
  14. Change the Categories drop-down to Auto Client Reconnect.
  15. Click Add next to the setting Auto client reconnect logging.

    • Change the Value to Log auto-reconnect events, and click OK.
  16. Change the Categories drop-down to End User Monitoring.
  17. Click Add next to the setting ICA round trip calculations for idle connections.

    • Change the selection to Enabled and click OK.
  18. Change the Categories drop-down to Graphics.
  19. CVAD 2402 and newer let you enable Allow windows screen lock on Desktop OS.

  20. Change the Categories drop-down to Local App Access.
  21. Click Add next to the setting Allow Local App Access.

  22. Change the Categories drop-down to Printing.
  23. Click Add next to the setting Universal Print Server enable. See Citrix Universal Print Server at Citrix Docs for more info.

    • Change the Value to Enabled with fallback to Windows’ native remote printing. Click OK.
  24. Change the Categories drop-down to Virtual Delivery Agent Settings > Monitoring.
  25. Click Add next to the setting Enable monitoring of application failures.

    • You can optionally change the Value drop-down to Both application errors and faults. Click OK.
  26. Click Add next to the setting Enable monitoring of application failures on Desktop OS VDAs.

  27. Click Add next to the setting Enable process monitoring. Note: this setting could significantly increase the size of the Monitoring database. See Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.

    • Change the setting to Allowed, and click OK. This is the last Computer setting.

User Settings

  1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are split between Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
  2. Expand User Configuration, expand Policies, and click Citrix Policies.
  3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered. You can also use the Templates tab to create a policy based on a template.
  4. In CVAD 2012 and newer, in the Search Box, enter Drag and Drop and click Add Value.

    • Drag and Drop is enabled by default. Decide if this is acceptable to your security policies.
  5. In CVAD 2012 and newer, in the Search Box, enter WIA and click Add Value.

    • WIA Redirection is disabled by default. You can enable it if you have applications that use Windows Image Acquisition.
  6. CVAD 2411 adds the setting Virtual channel plugin manager that can push the Microsoft Teams VDI plug-in to Workspace App 2409 and newer when users launch Microsoft Teams using SlimCore mode. See Citrix Docs for details.

  7. On the Settings tab, change the Categories drop-down to Audio.
  8. Click Add next to the setting Audio quality.

    • Workspace app 2109 and newer connecting to CVAD 2109 and newer support Adaptive Audio and no longer need this Audio quality setting.
    • For all older versions of Citrix, change the Value of Audio quality to Medium – optimized for speech, and click OK.
  9. CVAD 2402 and newer support Loss tolerant mode for audio.
  10. Change the Categories drop-down to Client Sensors.
  11. Click Add next to the Allow applications to use the physical location setting.

    • Change the selection to Allowed and click OK.
  12. Change the Categories drop-down to Graphics.
  13. CVAD 2112 and newer let users share their screens with each other (the Screen sharing setting). This setting requires Graphics status indicator to be enabled.
  14. Change the Categories drop-down to Mobile Experience.
  15. Click Add next to the Automatic keyboard display setting.

    • Change the selection to Allowed, and click OK. Note: this setting might break SAP.
  16. Click Add next to the Remote the combo box setting. Note: this setting might break SAP.

    • Change the selection to Allowed, and click OK.
  17. Change the Category drop-down to Multimedia.
  18. Click Add next to the Use GPU for optimizing Windows Media setting.

    • Change the selection to Allowed, and click OK.
  19. Change the Categories drop-down to Printing.
  20. Click Add next to the setting Auto-create PDF Universal Printer.

    • Change the selection to Enabled and click OK.
    • This setting normally only applies to sessions using HTML5 Receiver or HTML5 Workspace app.
    • In Citrix Virtual Apps and Desktops (CVAD) 1808 or newer, and Workspace app 1808 or newer, the PDF Universal Printer also applies to regular Workspace app connections and is no longer limited to HTML5 connections.
  21. Click Add next to the setting Automatic installation of in-box printer drivers.

    • Change the selection to Disabled, and click OK.
  22. Click Add next to the setting Direct connections to print servers.

    • Change the selection to Disabled, and click OK.
  23. Click Add next to the setting Printer auto-creation event log preference.

    • Change the Value to Log errors only and click OK.
  24. Click Add next to the setting Universal print driver usage.

    • Change the Value to Use universal printing only.
  25. Workspace app for Mac version 2203 and newer along with VDA 2112 and newer supports PDF printing instead of Postscript printing. With PDF, it’s no longer necessary to install the HP Color LaserJet 2800 Series PS driver on the VDA. Citrix Policy setting Universal driver preference must be adjusted to enable PDF printing as higher priority than PS (postscript) printing. See Citrix Docs for more details.
  26. CVAD 2206 and newer let you set RDSH timers in the user half of a Citrix Policy under the Server Limits category. Citrix Docs says: Timer settings for multi-session machines configured using Citrix policies are expected to override timer settings configured through Microsoft Group Policies. To avoid unexpected behavior, we recommend you configure timer settings using one of the two methods.
  27. Change the Categories drop-down to Session Limits.
  28. If you look at the Applies to text for these settings, notice that they apply to virtual desktops (Desktop OS), but not Remote Desktop Session Hosts (Server OS). Session timeouts for Remote Desktop Session Hosts can be configured in a Microsoft GPO or in the Server Limits section in CVAD 2206 and newer.

  29. Change the Categories drop-down to Time Zone Control.
  30. Click Add next to the setting Use local time of client.

  31. CVAD 1906 has a new policy for Desktop OS only that can revert to the VDA’s original time zone when the user disconnects or logs off. It’s called Restore Desktop OS time zone on session disconnect or logoff.
  32. Change the Categories drop-down to USB Devices.
  33. Click Add next to the setting Client USB device redirection.

    • If your security policies allow it then change the selection to Allowed, and click OK. This is the last generic setting. See the next couple sections for more settings.

Also see:

Citrix Policy Templates

  1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has pre-defined settings that you can use as a basis for new policies. Note: Citrix (Daniel Feller XenDesktop 7.7 and Windows 7) has found that the High Server Scalability template can increase user density by 30%.
  2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains additional templates that you can download and import.

  3. If you are using a GPO to configure Citrix Policies, be aware that user settings and computer settings are in different parts of the GPO.
  4. If you highlight a template, on the bottom of the window is a Settings tab that lets you see what’s contained in the template.
  5. To use a template, right-click it, and click New Policy.

Framehawk Configuration

As of Citrix Virtual Apps and Desktops (CVAD) 1811, Framehawk is a deprecated feature.

In CVAD 1903 and newer, Framehawk has been completely removed.

  1. Framehawk is disabled by default because it uses more bandwidth and more server resources. Citrix recommends only enabling it for users on lossy connections with high bandwidth. More details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk virtual channel at Citrix Docs.
  2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you need the updated Group Policy Management 2.4 Hotfix 2 or Group Policy Management 2.5 (aka 7.6.300) or newer (e.g. 7.20 included in Citrix Virtual Apps and Desktops 1811) on the machine where you are editing the policy.

  3. If configuring a GPO, you’ll find the Framehawk settings in User Configuration > Policies > Citrix Policies. Edit one of the Citrix Policies.
  4. Search for Framehawk, add the Framehawk display channel setting, and Enable it.

  5. Framehawk requires the newest Citrix Workspace app / Receiver (4.3.100 or newer).

  6. To use Framehawk through NetScaler Gateway you need NetScaler firmware 11.0 build 62 or newer.
  7. Then enable DTLS on the Gateway vServer. This is the same process as enabling DTLS for UDP Audio.
  8. Note: there are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and double-hop are not supported. See NetScaler Gateway support for Framehawk at Citrix Docs.
  9. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and the VDAs.
    1. Also make sure these ports are open on the VDA’s Windows Firewall. VDA 7.8 and newer opens these ports automatically. VDA 7.6.300 and VDA 7.7 do not open these ports automatically.

Graphics Settings (EDT, H.264, ThinWire Plus)

Citrix Tech Zone Design Decision: HDX Graphics Overview

CVAD 2402 adds many new HDX features. See Citrix Blog Post What’s new with HDX in the 2402 LTSR. These features include:

  • TLS 1.3 support for HDX
  • Virtual Channel Allow List supports wildcards and environment variables
  • Enhanced EDT congestion control
  • EDT Lossy
  • Audio traffic using loss-tolerant EDT
  • Graphics using loss-tolerant EDT
  • HDX protocol compression algorithm reduces bandwidth required by up to 15 percent
  • Virtual loopback
  • Version 2 of the Rendezvous protocol is the new default
  • AV1 codec support
  • Automatically adapts the session’s refresh rate to frame rate
  • HEVC 4:4:4 visually lossless
  • Virtual display layout per monitor
  • Audio volume is synchronized between the client device and the VDA
  • Multiple audio devices
  • Multiple webcam resolutions
  • Teams app sharing

Citrix Blog Post What graphics policies do I need, and when? says you should not change any Citrix Policy Graphics Settings. The only exception is 3D workloads, which should have the Visual Quality user setting set to Build to Lossless.

Citrix Blog Post HDX Graphics Encoder Configuration Overview: a comprehensive overview of all relevant HDX Graphics Encoder settings. This overview should give you guidance and allow you to configure an optimal HDX policy set based on your own needs. It includes a Visio chart with an overview of all relevant configurations and their possible combinations. Furthermore, almost every setting has a review box. The review boxes contain, where applicable, the policy name, facts & figures, recommendations, and example use cases.

In 1811 and newer, Graphics Status Indicator replaces the Lossless Indicator.

  • Graphics Status Indicator can be enabled in a Citrix policy in the user half in the Category named Graphics.
  • The graphics status indicator should eventually show up in the system tray.

7.13 and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Data Transport (EDT). EDT improves HDX/ICA performance across WAN links, the Internet, etc. In 7.12, EDT was Tech Preview. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.13 and newer, EDT is officially supported.

EDT (Adaptive Transport) is enabled by default in Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.16 and newer, but it is not enabled by default in XenApp/XenDesktop 7.15 LTSR.

EDT has several requirements:

  • VDA 7.13 or 1808 or newer.
  • UDP 1494 and UDP 2598 must be opened to every VDA, including from the NetScaler SNIP, if you’re using NetScaler Gateway.
  • Receiver for Windows must be 4.7 or newer. Or upgrade to Workspace app.
  • Receiver for Mac must be 12.5 or newer. Or upgrade to Workspace app.
  • StoreFront must be 3.9 or newer.
  • HDX Insight requires NetScaler ADC 12.1 build 49 and newer
  • NetScaler Gateway 11.1 build 51 and newer supports EDT (DTLS). The following NetScaler features are not supported with EDT at this time:
  • Use a Citrix Policy to enable EDT. The HDX Adaptive Transport setting is in the Computer half of a GPO. See Citrix CTX220732 How to Configure HDX Enlightened Data Transport Protocol.
  • Preferred means it will try to use UDP if it can, and TCP if it can’t.
  • EDT MTU Discovery prevents EDT packet fragmentation that might result in performance degradation or failure to establish a session. This feature requires the following:
    • Citrix Workspace app 1911 for Windows or newer
    • Citrix ADC 13.0.52.24 or newer
    • Citrix ADC 12.1.56.22 or newer
    • On VDA 2203 and newer, MtuDiscovery should be enabled by default. In older VDAs, configure it at Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icaw
      • Value (DWORD) = MtuDiscovery = 1
  • From inside a session, you can run ctxsession -v to verify that it’s using UDP and see the detected MTU.
  • Director will also show if EDT (UDP) is active. See CTX220730 How to Confirm HDX Enlightened Data Transport Protocol is Active
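The registry and firewall requirements above are easy to get half right on an older VDA, so here is an added PowerShell check (example code, not part of the original article or of any Citrix tool) that reports the MtuDiscovery value under the icaw key listed above and whether an enabled inbound Windows Firewall rule allows UDP 1494 and UDP 2598. It assumes an elevated PowerShell session on the VDA and a Windows version that ships the NetFirewall cmdlets; the output labels and the interpretation of a missing MtuDiscovery value (default on VDA 2203 and newer, must be set on older VDAs) follow the text above.

```powershell
# Added example, not from the original article: check EDT prerequisites on a VDA.
# Assumptions: elevated PowerShell on the VDA; NetFirewall cmdlets available (Windows 8/2012+);
# the registry path is the one the article gives for pre-2203 VDAs.

$IcaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icaw'

function Get-EdtMtuDiscoveryStatus {
    # Reports whether MtuDiscovery is explicitly 1, explicitly 0, or absent from the icaw key.
    $props = Get-ItemProperty -Path $IcaKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.MtuDiscovery) {
        # Absent: VDA 2203 and newer enable MTU discovery by default; older VDAs need the value set.
        return 'Absent (default on VDA 2203+; set MtuDiscovery=1 on older VDAs)'
    }
    if ([int]$props.MtuDiscovery -eq 1) { return 'Enabled (MtuDiscovery=1)' }
    return 'Disabled (MtuDiscovery=0)'
}

function Test-InboundUdpAllowed {
    param([Parameter(Mandatory)][int]$Port)
    # $true when at least one enabled inbound Allow rule covers UDP $Port (single port, range, or Any).
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne 'UDP') { continue }
        foreach ($lp in @($filter.LocalPort)) {
            if ($lp -eq 'Any' -or $lp -eq "$Port") { return $true }
            # Port ranges are stored as strings such as "3224-3324"
            if ($lp -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) {
                return $true
            }
        }
    }
    return $false
}

# Summarise the three checks; anything other than OK/Enabled needs attention before EDT can negotiate.
$mtu   = Get-EdtMtuDiscoveryStatus
$p1494 = if (Test-InboundUdpAllowed -Port 1494) { 'OK' } else { 'BLOCKED' }
$p2598 = if (Test-InboundUdpAllowed -Port 2598) { 'OK' } else { 'BLOCKED' }

[pscustomobject]@{
    MtuDiscovery    = $mtu
    'Inbound UDP 1494' = $p1494
    'Inbound UDP 2598' = $p2598
} | Format-List
```

Run it on the VDA itself; the firewall check only covers the VDA's own Windows Firewall, so the NetScaler SNIP to VDA path still has to be verified on the network side, and ctxsession -v inside a session remains the final confirmation that UDP was actually negotiated.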

In 7.13 and newer, the Policy Setting Use hardware encoding for video codec now supports Intel Iris Pro Hardware. Install the Intel Graphics Drivers before installing the VDA. If VDA is already installed, run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable. See Citrix CTX220731 How to Enable Hardware Encoding of H.264 streams using Intel Iris Pro Hardware. 

7.11 and newer:

  • Use video codec for compression can be configured For actively changing regions, which uses H.264 for actively changing regions, and Thinwire Plus for the rest. Users get the benefit of lower bandwidth use for the video content combined with sharpness of text in applications they are working with elsewhere on their screen(s). Nick Rintalan at CUGC Blog Post Citrix HDX Just Got Smarter…Again explains this new setting.
  • In 7.11 and newer, Use when preferred = Thinwire+ with Selective H264. This is the default selection, so generally there’s no need to change this setting.
  • In 7.18 and newer, Selective H.264 uses H.264 for build to lossless instead of JPEG for build to lossless.
  • Use hardware encoding for video codec is enabled by default.

7.9 and newer:

  • The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Use video codec for compression defaults to Use video codec when preferred, which prefers Thinwire Plus. To force Thinwire Plus, set it to Do not use video codec. Citrix Blog Post “Use Video Codec for Compression”: to Use or Not to Use? explains this setting.

7.6.300 and newer:

7.0 – 7.6:

Graphics Tools

Security Settings

CTP Dave Bretty Making Your Citrix Policy Secure – By Default.

To improve security, configure these additional Citrix Policy settings.

  • Computer \ ICA \ Secure HDX = Enabled
  • User \ ICA \ Client clipboard redirection = Prohibit
  • User \ ICA \ Desktop launches = Disabled
  • User \ ICA \ Drag and Drop = Disabled (CVAD 2012 and newer)
  • User \ ICA \ Launching of non-published programs = Disabled
  • User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
  • User \ ICA \ File Redirection \ Auto connect client drives = Disabled
  • User \ ICA \ File Redirection \ Client drive redirection = Prohibited
  • User \ ICA \ File Redirection \ Fixed drives = Disable
  • User \ ICA \ File Redirection \ Client network drives = Prohibit
  • User \ ICA \ File Redirection \ Client removable drives = Prohibit
  • User \ ICA \ Printing \ Client printer redirection = Prohibit
  • User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
  • User \ ICA \ Session Limits \ Disconnected session timer = Enabled
  • User \ ICA \ Session Limits \ Disconnected session timer interval = 30 minutes
  • User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
  • User \ ICA \ USB devices \ Client USB device redirection = Disable
  • User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
  • User \ ICA \ USB devices \ Client USB Plug and Play device redirection = Prohibit

Citrix’s Common Criteria documentation includes additional recommended Citrix Policy, Group Policy, and other security settings.
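A baseline like the one above is only useful if it stays applied, so here is an added PowerShell audit script (example code, not from the original article or from Citrix) that compares one Citrix policy against the list and, with -Apply, sets any drifted setting back. It uses the same CitrixGroupPolicy provider drive as the copy commands earlier in this article and the Get-CtxGroupPolicyConfiguration / Set-CtxGroupPolicyConfiguration cmdlets from the Citrix.GroupPolicy.Commands module. The internal setting names in $Baseline, the -DriveName parameter, and the MinimumEncryptionLevel value string are assumptions: verify them against Get-CtxGroupPolicyConfiguration -PolicyName Unfiltered -Type User | Get-Member before trusting the report (an unknown name is reported as NOT FOUND rather than silently passing). The USB redirection rules setting is a rule list rather than a state, so it is left out of the table.

```powershell
# Added example, not from the original article or from Citrix: audit (and optionally enforce)
# the security baseline above on one Citrix policy.
# Assumptions: Citrix.GroupPolicy.Commands is installed (Delivery Controller or a Studio/GPO
# editing machine); internal setting names in $Baseline, the -DriveName parameter and the
# MinimumEncryptionLevel value string are assumptions to verify with Get-Member.
Import-Module Citrix.GroupPolicy.Commands -ErrorAction Stop

# Map the provider drive the same way the copy commands earlier in the article do.
# Replace MyController with a Delivery Controller, or use -DomainGpo "MyGPO" to audit an AD GPO.
$DriveName = 'LocalFarmGpo'
if (-not (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue)) {
    New-PSDrive -PSProvider CitrixGroupPolicy -Name $DriveName -Root \ -Controller 'MyController' | Out-Null
}

# Desired state. Expect is a State for on/off settings, or a Value where IsValue is set.
$Baseline = @(
    @{ Type='Computer'; Name='SecureHDX';                      Expect='Enabled'    }
    @{ Type='User';     Name='ClientClipboardRedirection';     Expect='Prohibited' }
    @{ Type='User';     Name='DesktopLaunchForNonVdi';         Expect='Disabled'   }   # Desktop launches
    @{ Type='User';     Name='DragDrop';                       Expect='Disabled'   }
    @{ Type='User';     Name='NonPublishedProgramLaunching';   Expect='Disabled'   }
    @{ Type='User';     Name='AllowFileTransfer';              Expect='Prohibited' }
    @{ Type='User';     Name='AutoConnectDrives';              Expect='Disabled'   }
    @{ Type='User';     Name='ClientDriveRedirection';         Expect='Prohibited' }
    @{ Type='User';     Name='ClientFixedDrives';              Expect='Prohibited' }
    @{ Type='User';     Name='ClientNetworkDrives';            Expect='Prohibited' }
    @{ Type='User';     Name='ClientRemoveableDrives';         Expect='Prohibited' }
    @{ Type='User';     Name='ClientPrinterRedirection';       Expect='Prohibited' }
    @{ Type='User';     Name='MinimumEncryptionLevel';         Expect='RC5 (128 bit)'; IsValue=$true }
    @{ Type='User';     Name='SessionDisconnectTimer';         Expect='Enabled'    }
    @{ Type='User';     Name='SessionDisconnectTimerInterval'; Expect='30';            IsValue=$true }
    @{ Type='User';     Name='TwainRedirection';               Expect='Prohibited' }
    @{ Type='User';     Name='UsbDeviceRedirection';           Expect='Prohibited' }
    @{ Type='User';     Name='UsbPlugAndPlayRedirection';      Expect='Prohibited' }
)

function Get-CtxSettingActual {
    # Returns the current State (or Value) of one setting from a configuration object, or $null
    # when the property does not exist, so an unknown name shows as NOT FOUND instead of crashing.
    param($Config, [string]$Name, [bool]$IsValue)
    $prop = $Config.PSObject.Properties[$Name]
    if ($null -eq $prop -or $null -eq $prop.Value) { return $null }
    $v = $prop.Value
    if ($v -is [string]) { return $v }          # older module versions expose a plain state string
    if ($IsValue) { return [string]$v.Value }  # value settings: object with State and Value members
    return [string]$v.State
}

function Test-CtxSecurityBaseline {
    param([string]$PolicyName = 'Unfiltered', [switch]$Apply)
    # Pull each half of the policy once, then compare every baseline row against it.
    $config = @{}
    foreach ($type in 'User', 'Computer') {
        $config[$type] = Get-CtxGroupPolicyConfiguration -PolicyName $PolicyName -Type $type -DriveName $DriveName -ErrorAction Stop
    }
    foreach ($item in $Baseline) {
        $actual = Get-CtxSettingActual -Config $config[$item.Type] -Name $item.Name -IsValue ([bool]$item.IsValue)
        $status = if ($null -eq $actual) { 'NOT FOUND' } elseif ($actual -eq $item.Expect) { 'OK' } else { 'DRIFT' }
        if ($status -eq 'DRIFT' -and $Apply) {
            $common = @{ PolicyName=$PolicyName; Type=$item.Type; ConfigurationName=$item.Name; DriveName=$DriveName }
            if ($item.IsValue) {
                Set-CtxGroupPolicyConfiguration @common -State Enabled -Value $item.Expect
            } else {
                Set-CtxGroupPolicyConfiguration @common -State $item.Expect
            }
            $status = 'FIXED'
        }
        [pscustomobject]@{ Type=$item.Type; Setting=$item.Name; Expected=$item.Expect; Actual=$actual; Status=$status }
    }
}

# Report only; add -Apply to enforce the baseline on the named policy.
Test-CtxSecurityBaseline -PolicyName 'Unfiltered' | Format-Table -AutoSize
```

Keep the first run read-only and review every DRIFT line, since Set-CtxGroupPolicyConfiguration writes straight into the site database (or the GPO, when the drive was mapped with -DomainGpo) with no separate commit step; once the names are confirmed, the same script doubles as a scheduled drift report.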


XenDesktop 7.17 adds a Session Watermark feature.

Find the settings in the user half of a Citrix Policy under the Session Watermark category.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to use the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to control file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • View HTML5Client log file

Additional clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To see them, set the middle drop-down to All Settings and then search for clipboard. The setting Readonly clipboard does not apply to 7.6 so skip it. Instead, review the three clipboard settings below it. Or you can turn off clipboard altogether by setting Client clipboard redirection to Prohibit.

Under File Redirection is a setting for Read-only client drive access. This allows client drive mapping but prevents files from being copied to the client device.

For VDAs in Legacy Graphics Mode, the following ICA/HDX protocol tuning options should be evaluated to optimize bandwidth consumption and virtual desktop resource utilization:

  • User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable
  • User \ ICA \ Desktop UI \ Menu animation = Disable
  • User \ ICA \ Desktop UI \ View window contents while dragging = Disable
  • User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
  • User \ ICA \ Printing \ Direct connection to print servers = Disable
  • User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
  • User \ ICA \ Visual Display \ Target Frames per Second = 15
  • User \ ICA \ Visual Display \ Moving Images \ Minimum Image Quality = Low
  • User \ ICA \ Visual Display \ Still Images \ Extra Color Compression = Enabled in very low bandwidth scenarios. Please note that the “Extra Color Compression Threshold” should be configured to an appropriate value.
  • User \ ICA \ Visual Display \ Still Images \ Lossy compression level = High or “Heavyweight compression” in case image quality loss is not acceptable (more CPU intensive)
  • Enable “Windows Media Redirection”
  • Enable “Flash acceleration” with client side content fetching
  • Enable “Audio over UDP Real-Time Transport”. Please note that this configuration requires audio quality to be set to “Medium – optimized for speech”
  • Set “Progressive compression level” to “Low” or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 – Best Practices and Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.