Citrix Health Check

Last Modified: Feb 28, 2024 @ 2:29 pm

Navigation

đź’ˇ = Recently Modified

Change Log

Health Check Overview

Health Checks review an environment for configurations that might cause future problems, not necessarily existing problems. Health Checks tend to focus on non-functional qualities like the following:

  • Availability
  • Security
  • Manageability
  • User Experience
  • Performance
  • Reliability

The rest of this article is an incomplete list of health check assertions for Citrix environments.

StoreFront Load Balancing

  • Citrix connectivity infrastructure design is documented: StoreFront, Gateways, ADCs, multiple datacenters, Delivery Controllers, SQL, etc.
    • Separate test Citrix environment has identical architecture as production: multiple data centers, high availability for all components, etc. – enables testing changes, including HA/DR changes, before performing those changes in production. Some upgrades are performed differently for HA/DR than for single components.
  • The FQDN that users use to access Citrix (e.g. https://citrix.company.com) resolves to a Load Balancing VIP, not a single server.
    • The FQDN automatically fails over (e.g. GSLB) to a VIP in a different data center if the primary data center is down.
  • The certificate for the SSL Load Balancing VIP is valid: trusted, not expired, matches FQDN, no errors in Chrome, etc.
    • Someone is responsible for ensuring the certificate is not expired and receives pending certificate expiration notifications.
  • The Load Balancing VIP sends SSL traffic to two or more StoreFront servers in the local data center – for redundancy.
    • The ADC-to-StoreFront server communication is SSL/TLS encrypted, not HTTP – this traffic contains user credentials.
  • The ADC monitor for the StoreFront servers is type STOREFRONT, or does a GET request to /Citrix/Store/discovery – other monitors might not detect stopped services.
  • X-Forwarded-For is configured in the Load Balancing Services (or Service Group) for Client IP header insertion.
  • Load balancing persistence is SOURCEIP with a timeout that is as long as the Receiver for Web timeout – COOKIEINSERT doesn’t work on all client devices.

StoreFront Servers

  • If the StoreFront servers are on the same hypervisor cluster, then anti-affinity is configured to keep them on separate hypervisor hosts.
  • StoreFront server VMs do no have any old snapshots – slows down performance, and consumes disk space.
  • StoreFront version is updated to resolve Security vulnerability as of Jan 16, 2024.
    • Upgrades are performed in a separate test environment that has identical architecture as production before the updates are performed in production.
  • StoreFront server group have latency of less than 40 ms (with subscriptions disabled) or less than 3 ms (with subscriptions enabled) between each member.
  • StoreFront configuration is propagated to other servers in the StoreFront Server Group.
  • OS, Patch level and VM Configuration of all StoreFront Server Group members are identical.
  • No recent unknown errors in Event Viewer at Applications and Services -> Citrix Delivery Services.
  • StoreFront Base URL is an https URL, not http. The FQDN resolves to the Load Balancing VIP, not a single server.
  • SSL certificates are installed on each StoreFront server and bound to IIS Default Web site. The SSL certificates are not expired.
  • C:\Users does not contain a bunch of user profiles. Delprof2.exe should be scheduled to delete these profiles – caused by users changing expired passwords.
  • If HTML5 Workspace app is enabled, then HTML5 Receiver is up to date – New versions are released at least monthly.
  • If Workspace app is stored on StoreFront servers, then the local Workspace apps in C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients is current.
  • If Favorites are enabled, then Favorites (aka Subscriptions) are replicated to a StoreFront Server Group in a different data center.
  • If Federated Authentication Service (FAS), then multiple FAS servers configured through Group Policy.
    • FAS Servers are the same version as StoreFront.
    • If the FAS servers are on the same hypervisor cluster, then anti-affinity is configured to keep them on separate hypervisor hosts.
    • FAS Get-FasAuthorizationCertificate shows registration certificate is OK and not MaintenanceDue.
    • FAS group policy .admx template is up to date in SYSVOL.
    • FAS User Rules restricts usage to just some StoreFront servers, some VDAs, and some users – not all
    • Auto-enrollment is not enabled on the FAS certificate templates..
    • The Certificate Authority database is not excessively large.
    • For CA that is dedicated to only FAS, only Citrix templates. Other templates (e.g. Domain Controller) removed.
  • Task Manager shows sufficient CPU and Memory for each StoreFront server.
  • There’s sufficient free disk space – check C:\inetpub\logs
  • A monitoring tool alerts administrators of any StoreFront performance metric issue, availability issue (e.g. service stopped), and Event Log errors.
  • Logon Simulator runs periodically to verify that StoreFront is functional.
  • StoreFront Disaster Recovery procedure is documented and tested.

StoreFront Configuration

  • Only one store. Or every store but one is hidden – if multiple stores are advertised, then Workspace app will prompt the user to select a store.
  • Each Delivery Controller farm is configured with two or more Delivery Controllers – for redundancy.
    • Or Delivery Controller XML can be load balanced. If load balanced, then ADC monitor is of type CITRIX-XD-DDC – so ADC can detect Local Host Cache outages.
    • Prefer separate farms per data center instead of stretched single farms (with zones) across multiple data centers.
  • Transport Type for Delivery Controllers is https, not http – this traffic includes user credentials.
  • Receiver for Web Session Timeout is not too short for user experience or too long for security.
  • Citrix Gateway configuration in StoreFront console:
    • The STAs in StoreFront match the STAs configured on the Citrix Gateway Virtual Server on the ADC appliances.
    • Session Reliability is enabled.
    • Callback URL is only needed for SmartAccess and Citrix FAS – Callback URL should be removed if it’s not needed.
    • Internal Beacon is only reachable internally.
    • External Beacon does not include citrix.com – ping.citrix.com is OK
  • HDX Optimal Routing can send ICA traffic through the Citrix Gateway that is closest to the VDA (i.e. farm).

Delivery Controllers

  • In CVAD 1906+, Citrix Scout Health Check does not show any errors or warnings.
  • If the Delivery Controller servers are on the same hypervisor cluster, then ensure anti-affinity is configured to keep them on separate hypervisor hosts.
  • Delivery Controller VMs do not have any old snapshots.
  • Delivery Controller version is an LTSR Cumulative Update version (e.g., 1912 CU7), or the two latest Current Release versions (e.g., 2305). No other versions are supported – Citrix Product Matrix shows support dates.
    • Delivery Controller Upgrades are performed in a separate test environment before performed in production.
    • Citrix upgrades or updates are performed around twice per year.
  • Run Get-BrokerDBConnection to see the SQL connection string. No SQL Express. For AlwaysOn Availability Group (AAG):
    • SQL String points to AAG Listener, not single node.
    • All AAG SQL nodes in one data center. For multiple data centers, prefer separate farms in each data center with local SQL.
    • SQL String contains MultiSubnetFailover.
    • Each SQL server has SQL Logins for all Delivery Controllers – SQL Logins usually don’t replicate between SQL nodes.
    • Prefer Synchronous Commit with Automatic Failover over Asynchronous replication.
    • AAG Dashboard in SQL Studio does not show any issues.
  • SQL databases for Site, Monitoring, and Log are separate, not combined.
  • SQL databases for Citrix are not excessively large. Database Backup tool is truncating the database logs.
  • SQL Servers have sufficient CPU/Memory to handle the Citrix SQL traffic. Monitoring tool alerts SQL DBAs of any performance or availability issues.
  • SQL Server version is supported by Citrix. https://support.citrix.com/article/CTX114501
  • Local Host Cache is enabled on the Delivery Controllers. Run Get-BrokerSite to confirm.
    • Delivery Controller virtual CPU allocation is 1 CPU socket with multiple cores – SQL Express LocalDB for Local Host Cache only runs on a single socket (up to four cores).
    • How are non-persistent virtual desktops handled during SQL outage?
    • In CVAD 1912 and newer, LocalDB is upgraded to SQL Server Express LocalDB 2017
  • SQL Disaster Recovery plan is documented and tested.
  • SSL Certificates are installed on Delivery Controllers to encrypt XML traffic from StoreFront.
    • SSL certificates are bound to IIS Default Web Site, or netsh http sslcert to perform binding. IIS Binding does not include hostname.
    • SSL certificate not expired.
  • Trust XML Requests is enabled for pass-through authentication, SmartAccess, FAS, etc. Run Get-BrokerSite to confirm.
  • Task Manager shows sufficient CPU and Memory for each Delivery Controller server.
  • A monitoring tool alerts administrators of any Delivery Controller performance metric issue, availability issue (e.g. service stopped), and Event Log errors.

Citrix Studio

  • Citrix Studio consoles installed on administrator machines are the same version as the Delivery Controllers.
  • Customer Experience Improvement Program is disabled in Citrix Studio > Configuration node > Product Support tab.
  • Licensing Model/Edition matches what you actually own.
  • Citrix Studio Administrators are periodically audited to ensure only authorized users are granted Studio access.
    • Administrators are added as Active Directory Groups, not individual users.
  • Applications are published to Active Directory Groups, not individual users.
  • If App Groups, applications are published to only App Groups. Applications are not published to both App Groups and Delivery Groups.
  • Hypervisor connection uses a service account, not an admin account.
    • Hypervisor permissions for the service account are the minimum permissions required (custom role), not full hypervisor administrator.
  • Each Hosting Resource only has one datastore selected, not multiple datastores – Citrix MCS does not have a datastore “Rebalance” option. More datastores means more copies of master image snapshots, which means longer time to push out an updated Master image.
  • MCS Memory Caching Option is not enabled unless VDA 1903 or newer – older VDA, including 7.15 VDA, has poor performing MCSIO driver.
  • If MCS, VDA restarts are not performed in hypervisor since hypervisor does not cause MCS reset like Studio restart does.
  • StoreFront URLs are not assigned to Delivery Groups using Studio – instead use Workspace app group policy to assign StoreFront URL.

Citrix License Server

  • Citrix License Server is version 11.17.2.0 build 40000 or newer to resolve Apache vulnerabilities.
  • Citrix License Server is uploading telemetry every 90 days as required by Citrix. Check c:\Program Files (x86)\Citrix\Licensing\LS\resource\usage\last_compliance_upload
  • The licenses installed on Citrix License Server match the purchased licenses at https://citrix.com/account – some Citrix License Servers have too many licenses installed.
  • If multiple Citrix License Servers, installed license count across all License Servers does not exceed the purchased licenses shown at https://citrix.com/account
  • Administrators are not frequently clearing named user license assignments to simulate concurrent licensing – license assignments should only be cleared when the user permanently no longer uses Citrix.
  • Subscription Advantage dates are not expired – if expired, download new license files and install them.
  • Usage and Statistics tab is configured as intended in the Citrix Licensing Manager gear icon.
  • Citrix License Server Disaster Recovery procedure is documented and tested.

Remote Desktop Services (RDS) Licensing

  • If RDSH VDAs, two or more activated RDS Licensing servers.
  • RDS Licensing Server operating system version matches (or newer) the RDSH VDA operating system version – e.g. Windows 2019 RDS Licensing for Windows 2019 RDSH servers. Windows 2019 RDS Licensing also works with Windows 2016 RDSH servers.
  • In RD Licensing Manager, right-click server -> Review Configuration shows green checkmarks.
  • The combined licenses installed on all RDS license servers do not exceed the purchased licenses.
  • On RDSH VDAs, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\LicenseServers shows two servers.
    • LicensingMode = 4, which is Per User mode, which is not enforced.

Citrix Director

  • Director version matches the Delivery Controller version.
  • If multiple Director servers:
    • Hypervisor Anti-affinity is configured.
    • Director Saved Filters are relocated to a UNC path instead of local C: drive.
  • Director server VMs do not have old snapshots – slows down servers, and increases disk space.
  • SSL certificate is installed on Director servers.
    • Admins and Support teams always use https to access Director. IIS or load balancer redirects from http to https.
  • Director website is SSL load balanced.
    • SSL protocol, not http, between load balancer and Director servers – this traffic contains user credentials.
  • Director logon page auto-populates the domain name – for user convenience. Might have to reconfigure the domain name after every Director upgrade.
  • Citrix Policy Settings for Director:
    • Enable Process monitoring is enabled.
    • Enable monitoring of application failures is enabled.
  • If Citrix Virtual Apps and Desktops (CVAD) is Premium Edition:
    • Director Alerts are configured to email CVAD administrators.
    • Citrix ADM HDX Insight is integrated with Director. HTTPS protocol, not HTTP.
    • Probes are configured – Probe Agent version matches the Director version.
  • Help Desk knows how to use Citrix Director to support users.
  • Average logon durations are not excessive.
  • Repetitive issues (e.g. profile resets) are analyzed for root cause analysis and future prevention.

VDAs

  • Catalog design is documented – storage design, network design, multiple datacenters design, recovery design, etc.
  • VDA version matches the Delivery Controller version.
  • VDA Subnets are added to Active Directory Sites & Services.
    • Check LOGONSERVER variable after logon to confirm correct Domain Controller.
  • DHCP is highly available. VDA IP Subnet router forwards DHCP requests to more than one DHCP server. DHCP scope is replicated to more than one DHCP server.
    • DHCP Scope has sufficient address availability for VDAs.
  • DNS Reverse Lookup Zone with PTR records for the Virtual Apps and Desktops machines.
  • If KMS, slmgr.vbs /dlv shows a unique KMS CMID for each VDA machine – another option is Active Directory-based activation.
  • If persistent (dedicated) Catalogs:
    • The VDA version matches the Delivery Controller version – VDA updates should be automated (e.g. SCCM).
    • Dedicated Catalogs are created as Full Clones – Fast Clones cannot be moved to different storage or different hypervisor cluster.
    • Persistent desktops are backed up, replicated, etc. Recovery process is documented and tested.
    • Persistent desktop provisioning process is automated, preferably from a self-service portal.
  • No Personal vDisk – User Layers instead
  • No User Layers – slows down logons, and not all apps work – prefer Persistent Desktops instead.
    • User Layers are backed up, and restore process is documented and tested.
    • User Layers are stored on a clustered file server that can handle failover of always-open VHD files (e.g. Windows File Share with Continuous Availability) – Replication won’t help with file server outage and already open User Layers
  • Multiple department-specific master images instead of a single monolithic image – during user logon, monolithic images need to be dynamically customized for user requirements, which slows down logons.
    • No double-hop – slows down logons and increases complexity since double hop requires Workspace app and icon management on the first-hop VDA machine – prefer master images with every application installed locally instead of double-hop to published applications.
    • No Shortcut visibility management – slows down logons
    • No Elastic Layering – slows down logons
    • No App-V – slows down logons, and slows down machine performance
    • Master Image update process is automated – e.g. SCCM can push updates to master images
  • Catalogs are upgraded to latest Catalog version available.
  • VDA registrations are somewhat evenly distributed across the Delivery Controllers.
  • ListOfDDCs registry value on VDAs has two or more Delivery Controllers.
  • Daily Health Check report shows registration status and maintenance mode status of every VDA machine.
  • RDSH Load Index Policy has not been modified from the default. CPU Metric is too volatile, and can cause a Denial of Service and uneven distribution of sessions. Current Load Index values should be almost the same on every RDSH VDA and not be anywhere near 10000.
  • In-guest monitoring agent shows VDA memory usage. Allocated VM Memory matches or exceeds memory Committed Bytes – Hypervisor monitoring can’t show actual VM memory usage.
  • RDSH VDAs are periodically restarted – net statistics workstation or net server statistics shows uptime.
    • In CVAD 1909+, MaxDelayMins is configured in Get-BrokerRebootScheduleV2.
  • For EDT protocol, MtuDiscovery is enabled on the VDAs. MtuDiscovery requires VDAs version 1912 and newer.
  • If Cloud-hosting of VDAs, PowerScale controls VDA power management.

VDAs – Hypervisor Hardware Clusters

  • Desktop VDAs are in their own hypervisor cluster that does not contain any Server virtual machines – avoids Windows Server licensing.
    • Hypervisor clusters with Windows Servers have proper Windows Server licensing.
  • Hypervisor admins don’t perform any hypervisor updates without first reviewing Citrix’s Supported Hypervisors article.
  • VDA vCenter is separate from non-VDA vCenter – allows non-VDA vCenter to be upgraded without affecting Citrix.
  • Hypervisor performance is monitored and alerted: CPU contention (aka CPU Ready Percentage), disk latency, CPU Usage, etc.
  • Capacity planning tool warns admins when more hypervisor hardware is needed.
  • vSphere clusters have N+1 or N+2 extra capacity for redundancy.
  • HA and DRS are enabled on vSphere cluster according to design – not all designs use these features
  • CPU and Memory consumption are evenly distributed across the hypervisor cluster
  • If VMFS6 datastores, vSphere 6.7 Update 3 is installed – see release notes
  • NTP is configured and running on hypervisor hosts.
  • Hypervisor hosts have High performance BIOS settings.
  • In larger environments, dedicated VLAN(s) for VDAs – not shared with non-Citrix workloads
    • MCS and PVS require DHCP
  • Network Uplinks are redundant and have sufficient capacity
    • ESXi Management/Vmotion/Storage traffic are separate VLANs from the VDA VLANs
    • Storage multipathing is functioning
  • NVIDIA vGPU software is current on hypervisor host and virtual machines. – vGPU Manager 11.0+ supports guest driver version one major version back (e.g., 10.0) – February 2024 security update
    • The newest hypervisors can vMotion GPU-configured virtual machines – vgpu.hotmigrate configured in vCenter Advanced Settings. DRS set to Manual or Partially Automated.
    • NVIDIA in-guest vGPU Driver is installed before the VDA is installed – otherwise HDX 3D Pro will not work.
    • ESXi Host Graphics Settings set to Shared Direct and spread across GPUs – Host GPUs set to Shared Direct.
    • NVIDIA license servers are redundant (failover support), or in the cloud.

VDAs – Virtual Machine Hardware (vSphere)

  • Network Interface type is VMXNET3, not E1000.
  • devices.hotplug=false is configured in Virtual Machine Configuration Settings.
  • If disk space is a concern, virtual machine memory is reserved to reduce .vswp file size.
  • If Citrix App Layering:
    • Paravirtual controller is not added.
    • Boot firmware is BIOS, not EFI.
  • Windows 10 version is supported by Citrix VDA version, and supported by App Layering version.
    • Windows 11 is supported with VDA 2109 and newer. It is not supported by VDA 1912.
  • VMware Tools version is current.

VDAs – Master Image Build

  • Master Image build process is documented.
  • Master Image virtual machine was built from scratch – not converted from a physical machine.
  • Security scan of the VDA Master Images shows compliance with enterprise security requirements.
  • VDA version resolves vulnerability – 2305, 2203 CU3, or 1912 CU7
  • Master Image updates:
    • Master Image maintenance is automated – e.g., SCCM can push updates to Master Images. A script can push Master Images to Catalogs.
    • Software Deployment team notifies the Master Image maintainers when applications or Windows require an update.
    • Master Image is sealed before shutdown – e.g., antivirus is generalized, SCCM Client is generalized – sealing should be scripted – Base Image Script Framework (BIS-F) can automate this
    • Master Image updates are tested before deployed to production. QA testing. Canary testing.
    • Master Image snapshots are deleted after a period of time.
  • Profile Management is patched to resolve Local privilege escalation vulnerability – 2106 Hotfix 1, 1912 CU3 Hotfix 1, or 7.15 CU7 Hotfix 1. 1912 CU4 includes the fix.
  • Antivirus is installed. Antivirus is optimized for non-persistent machines (aka VDI).
  • Other IT agents (e.g., software auditing, SCCM Agent) are optimized for non-persistent machines.
  • Local Groups:
    • Administrators group does not contain any non-administrators.
    • Direct Access Users group only contains authorized RDP users.
  • Citrix Optimizer or similar has removed Windows 10 Store Apps.
  • Windows Default profile was not modified – instead use group policy to control Windows appearance.
  • Windows Updates are current (i.e., last install date is within the last 60 days).
  • C: drive permissions are changed so Users can’t create folders on root of C: drive.
  • Power management is set to High Performance with no sleep timers.
  • If Citrix Provisioning:
    • Pagefile is shrunk so it fits on PVS cache disk – there’s no need to move the pagefile since PVS will move it for you. Just make sure it’s small.
    • Event Logs are moved to PVS cache disk.
  • Customer Experience Improvement Program is disabled in VDA registry.
  • FSLogix is a recent version – FSLogix version 2.9.7979.62170 resolves a security vulnerability in Cloud Cache.
  • Office 365 Shared Computer Activation is enabled.
    • FSLogix is implemented for Outlook search roaming.
  • Microsoft Teams is installed using machine-wide installer.
    • Microsoft Teams machine-wide installation is periodically manually updated – there’s no auto-update.
    • Teams cache folders excluded from roaming profiles.
  • For OneDrive Files On-demand, is only installed on Windows Server 2019 and newer, or Windows 10 1709 and newer
    • OneDrive is installed using machine-wide installer – check C:\Program Files (x86)\OneDrive
    • FSLogix saves OneDrive cache.

Citrix App Layering

  • Prefer automated (e.g. SCCM) Master Image updates over manual App Layering layer updates – if SCCM is mature, then there’s no need for App Layering.
  • Prefer SCCM-managed dedicated desktops over User Layers – SCCM is a known technology. User Layers are proprietary to Citrix and might not support every application.
  • Enterprise Layer Manager (ELM) version is current – ELM updates are required to support newer Citrix Virtual Apps and Desktops (CVAD) and newer Windows 10. There’s no LTSR version of ELM.
  • Citrix Provisioning Agent version matches the ELM version.
  • Directory Junction Bind account is a service account, not a regular user whose password expires.
    • LDAP is Secure (Use SSL).
  • Administrator role membership is periodically audited to ensure only authorized users are granted access.
  • ELM is backed up. Or layers are periodically exported from ELM.
  • Group Policy controls membership of local groups in VDA machines – e.g. add Domain Admins to local Administrators group.
  • Antivirus is configured properly for Layering.
  • Hypervisor Connector uses a service account with limited permissions.
  • Connector cache is enabled to speed up layering operations.
  • Offload Compositing is enabled in the Connectors.
  • File servers hosting Elastic Layers and User Layers are monitored for performance issues and capacity planning.
  • User Layers are backed up, replicated, etc.

Citrix Provisioning

Provisioning Servers:

  • Provisioning Servers version matches the Delivery Controller version.
  • Multiple Provisioning Servers for High Availability.
    • Hypervisor Anti-affinity is configured.
  • Sufficient RAM for vDisk caching in memory – around 2-3 GB of memory per active vDisk.
  • Only one NIC per Provisioning Server – simplifies the configuration.
  • Server Bootstrap has multiple Provisioning Servers listed.
  • Threads times Ports are sufficient for the number of target devices.
  • vDisk Boot Menu is disabled in the registry – enables maintenance mode Target Devices to automatically boot from maintenance mode vDisks.
  • Antivirus has exclusions for Citrix Provisioning.
  • Provisioning Server performance metrics are monitored and alerted.
    • NIC throughput is not saturated.

Provisioning Farm Properties:

  • Offline database is enabled.
  • Auditing is enabled.
  • Administrators list only contains authorized administrators, preferably from an Active Directory Group.
  • Customer Experience Improvement Program is disabled.
  • For AlwaysOn Availability Group, MultiSubnetFailover is configured in the database connection string.

vDisks:

  • If local storage, vDisk files are identical on all Provisioning Servers.
  • vDisk files are VHDX, not VHD – faster version merging.
  • vDisks are sized dynamic, not fixed – Saves disk space. Standard Mode vDisks don’t grow so no performance impact.
  • vDisk files are defragmented.
  • vDisk files are backed up.
  • vDisk updates are automated.

Target Devices:

  • Target Device Boot Method is highly available – Target Devices on same subnet Provisioning Servers. Or DHCP Option 66 with TFTP Load Balancing. Or Boot ISO/Boot Partition has multiple Provisioning Server addresses.
    • DHCP is highly available. Subnet’s router forwards DHCP requests to multiple DHCP servers. Replicated DHCP scope.
    • Use PXEChecker to verify multiple TFTP responses.
  • vDisk Write cache is configured for Target Device RAM with overflow to disk – health check script should periodically verify this.
  • WriteCache folders on Provisioning Servers are empty – no server-side caching.
  • If KMS, slmgr.vbs /dlv shows a unique KMS CMID for each Target Device machine – another option is Active Directory-based activation.
  • Target Devices are evenly distributed across multiple Provisioning servers – ensures that High Availability is working correctly – stop Stream Service to confirm HA
  • System Reserved Partition is removed from inside vDisk.
  • VMware Tools in Target Devices (vDisks) is up to date.
  • Target Device Software version matches the Citrix Provisioning version.
  • Target Device status shows low number of retries.

Group Policies and Active Directory

  • VDAs are placed in VDA-only OUs, no users – group policies apply to VDAs without affecting physical endpoints.
    • Separate OUs per Delivery Group – different group policies apply to different Delivery Groups.
  • Master Images are located in VDA OUs – computer-level GPO settings apply to the Master Images to avoid GPO timing issues on linked clones.
  • Block Inheritance OUs and Enforced GPOs are minimized.
  • .admx templates in SYSVOL > PolicyDefinitions are current – Windows 10 templates, Office templates, Citrix templates, etc.
  • Group Policy Loopback Processing Mode is enabled.
  • Duplicate, conflicting GPO settings are minimized – e.g. Group Policy Loopback Processing Mode is sometimes enabled in several GPOs.
    • Run Group Policy Results to show the actual GPO settings that applied to a specific session – compare with design
  • Lockdown GPO applies to non-administrators that log into VDA machines. Lockdown GPO doesn’t apply to administrators.
  • Remote Desktop Session Host (RDSH) session timeouts (idle, disconnect) are configured in a Microsoft GPO.
  • AppLocker or similar prevents users from running unauthorized executables (e.g. ransomware).
  • Initial application configuration is automated using group policy – e.g. auto configure application database connections, remove first time usage prompts.
  • Group Policy changes are tested in separate Test GPOs and separate Test VDAs before applying to production.
  • Monitoring tool shows group policy processing duration during logon.

Citrix Policies

  • Citrix Policies are configured in a Group Policy Object, not in Citrix Studio – a GPO can apply to multiple Citrix Virtual Apps and Desktops (CVAD) farms in multiple datacenters. Citrix Studio is single farm only.
    • Citrix Policies are not configured in both Citrix Studio and Group Policy – avoids confusion over which setting wins
    • If configured in Citrix Studio, and if multiple farms/sites, then Citrix Policy settings are identical in all farms/sites.
  • Citrix Group Policy Management plug-in on GPMC machines is same version included with CVAD ISO.
  • Unfiltered policy is on the bottom of the list (lowest priority) – most specific filters on top, least specific filters on bottom.
  • Client drive mapping, client clipboard, client printing, drag and drop, and client USB are disabled when connecting from external (e.g. SmartAccess) – only enabled by exception.
  • Client printing is set to Use Universal Print Driver only – avoids installing print drivers on VDA machines.
  • Audio is set to Medium quality – High Quality uses more bandwidth than Medium Quality.
  • Time zone redirection is configured in both Citrix Policy and RDSH Microsoft Group Policy.
  • For HDX Insight, ICA Round-Trip Time policy is enabled.
  • Visual quality and video codec settings are not modified from the defaults.
    • Legacy Graphics Mode is disabled.
  • Adaptive Transport (EDT) is enabled – it’s default disabled in 7.15. MTU might need to be decreased.
    • MtuDiscovery is enabled on the VDAs. MtuDiscovery requires VDAs version 1912 and newer.
  • Session Reliability is not disabled.
  • RDSH Session Timers are configured in Microsoft GPO, not Citrix Policy – Citrix Policy setting description shows if setting applies to Server OS or not.

Citrix Workspace Environment Management (WEM)

  • Prefer Group Policies over WEM – WEM requires extra infrastructure, extra learning, extra administration, and extra support. Some WEM user settings are per-machine (per configuration set) only. WEM can’t replace group policies since there’s currently no .admx support.
    • Citrix Profile Management and Microsoft Folder Redirection are configured using Microsoft Group Policy, not WEM – Group Policies are well known. WEM is proprietary to Citrix and requires WEM skills to troubleshoot.
  • WEM is within two versions of the latest – there’s no LTSR version of WEM.
    • WEM Consoles and WEM Agents match WEM Server version.
  • Multiple load balanced WEM Servers for High Availability.
    • If multiple WEM servers are on the same hypervisor cluster, then Hypervisor anti-affinity is configured for the multiple WEM servers.
    • WEM Agents point to WEM Server load balanced FQDN, not individual server.
    • WEM Console points to single WEM Server, not load balanced FQDN.
  • WEM Brokers are close the VDAs – WEM configuration can be exported/imported into WEM implementations in multiple data centers.
  • WEM Database is hosted on an AlwaysOn Availability Group or other Highly Available SQL solution.
    • SQL database is backed up. SQL database recovery is documented and tested.
  • In WEM 1909+, Infrastructure Service Enable performance tuning for Windows Communication Framework is enabled and set to the number of concurrent WEM Agents that will be connected to this one WEM server. Maximum value is 3000.
  • Antivirus exclusions are configured for Citrix WEM.
  • WEM .admx group policy template in SYSVOL > PolicyDefinitions is updated whenever WEM Servers are updated.
  • Settings are in WEM, or Group Policy, but not both – helps troubleshooting. Reduces confusion.
  • Bypass ie4uinit Check is enabled (Advanced Settings > Service Options) – for faster logons.
  • Drive mappings and printer mappings are moved to WEM and processed asynchronously (Advanced Settings > Agent Options).
  • Check Application Existence is enabled (Advanced Settings > Agent Options) – doesn’t create shortcut unless application exists
  • CPU Optimization is enabled – Memory management trades memory for disk; which is cheaper? Process exclusions might be needed.
    • In WEM 1909 and newer, CPU Spike Protection = Auto instead of Customize.
  • Fast logoff is enabled.
  • Unused action types are disabled from processing (Advanced Settings > Main Configuration) – speeds up logons.
  • Run Once enabled for Actions and scenarios that support it – speeds up logons.
  • WEM Agent Offline mode is enabled.
  • Computer startup script refreshes WEM Agent cache on each VDA reboot.
    • Script has correct Agent installation path and correct service name since they changed in 1909 and newer.
  • WEM Logs are reviewed for problems – enable debug logging. Look for Active Directory timeouts.
  • WEM Server performance is monitored for metric thresholds and future capacity issues.
  • WEM Server recovery is documented and tested.

Citrix Profile Management and Folder Redirection

  • No mandatory profiles on Windows 10 – benchmarks show slower performance.
  • Profile Management is configured in Group Policy, not Citrix Policy or Citrix WEM – Group Policy is the most reliable and most well-known option.
  • Profile file share:
    • File server is close to the VDAs – users log into VDAs that are closest to the file server (aka home site).
    • File share is highly available.
    • Caching is disabled on the file share.
    • No DFS multi-master replication. Single target only – neither Citrix nor Microsoft support merge replication.
    • Profiles are backed up and/or replicated. Recovery process is documented and tested.
    • Different profile folders for different operating system versions and/or different Delivery Groups.
    • NTFS permissions of individual user folders in the file share only grant access to the one user – no Users, no Domain Users, and no Authenticated Users.
    • Use TreeSize or similar to see profile size – adjust profile exclusions if too big.
    • Antivirus is not slowing down profile file transfer performance – time how long it takes to copy a profile folder to the local machine.
    • File servers are monitored for performance issues, including disk latency and free disk space.
  • Profile Management .admx file in SYSVOL > PolicyDefinitions matches the VDA version (or date).
  • Profile Management logs are stored on UNC share instead of local C: drive, especially if the VDAs are non-persistent.
    • Only Domain Computers have Modify permission to the Logs share – Users don’t need any permission.
  • Profile Management logs contain at least a few days of logons – if only a few minutes, then too much information is being logged and Log Settings GPO setting should be modified.
  • Profile streaming is enabled – speeds up logons.
  • Active Write Back is disabled – places extra load on file servers for not much benefit.
  • Customer Experience Improvement Program is disabled.
  • Locally cached profiles are deleted at logoff from RDSH machines that don’t reboot often.
  • No Start Menu roaming issues – might need ResetCache registry value.
  • Microsoft FSLogix is implemented for Outlook Search roaming – better than UPM’s Outlook search roaming.

Folder Redirection:

  • Folder Redirection is configured in Microsoft GPO settings, not in Citrix Profile Management settings – Microsoft GPO configuration is most reliable, most known, and can migrate existing files.
  • No AppData redirection – slows down applications.
  • “Grant the user exclusive rights” option is unchecked – allows administrators to access redirected profile folders.
  • Folder Redirection file share:
    • File share is highly available.
    • No DFS multi-master replication. Single target only – neither Citrix nor Microsoft support merge replication.
    • Redirected Folders are backed up and/or replicated. Recovery process is documented and tested.
    • NTFS permissions of individual user folders in the file share only grant access to the one user – no Users, no Domain Users, and no Authenticated Users.
    • Antivirus is not slowing down folder redirection performance.
    • File servers are monitored for performance issues, including disk latency and free disk space.

Home Directories:

  • File server is close to the VDAs – users log into VDAs that are closest to the file server (aka home site).
  • File share is highly available.
  • No DFS multi-master replication. Single target only – neither Citrix nor Microsoft support merge replication.
  • Home Directories are backed up and/or replicated. Recovery process is documented and tested.
  • NTFS permissions of individual user folders in the file share only grant access to the one user – no Users, no Domain Users, and no Authenticated Users.
  • Antivirus is not slowing down file transfer performance – time how long it takes to copy a Home Directory folder to the local machine.
  • File servers are monitored for performance issues, including disk latency and free disk space.

Endpoint Devices

  • Prefer Windows 10 endpoints over thin clients – thin clients don’t support all Citrix functionality (e.g. local printing, browser content redirection). ThinKiosk can lock down Windows 10 endpoints.
  • Newest VDAs and newest Workspace apps have better WAN performance than LTSR 7.15.
  • Browser Content Redirection offloads video (e.g. YouTube) from VDAs to endpoint – reduces CPU consumption in the data center.
  • Workspace app is periodically (e.g., twice per year) updated by endpoint management team. 
  • Workspace app (aka Receiver) ADMX templates in SYSVOL > PolicyDefinitions are current.
  • Group Policy adds StoreFront URL to Local Intranet zone.
  • Group Policy pushes StoreFront URL to Workspace app – so users don’t have to enter the URL.
  • Pass-through authentication is enabled for internal PCs – SSON Configuration Checker can verify proper configuration.
  • HKCU\Software\Citrix\Dazzle\Sites\store\type shows DS, not PNA – store added as Delivery Services (StoreFront), not PNAgent (legacy).
  • Internal Beacon at HKEY_CURRENT_USER\SOFTWARE\Citrix\Receiver\SR\Store\#\Beacons\Internal\Addr0 is internally reachable only – not reachable externally.
  • External Beacon at HKEY_CURRENT_USER\SOFTWARE\Citrix\Receiver\SR\Store\#\Beacons\External does not include citrix.com or ping.citrix.com.
  • EDT protocol (aka Adaptive Transport) is enabled. Director shows HDX protocol as UDP – Remote Display Analyzer can analyze problems with the graphics/codec.
  • HDX Insight: Newest VDAs and newest Workspace app have less AppFlow CPU impact on ADC than LTSR 7.15 VDAs.
  • Google Chrome detects Workspace app properly, especially through Gateway – requires Gateway ADC to able to resolve StoreFront Base URL to StoreFront IP
    • Chrome 77+ has receiver://* added to URL whitelist so the user isn’t prompted to open Workspace app

Citrix NetScaler ADC

  • NetScaler ADC Admins have subscribed to Citrix Security Bulletins at https://support.citrix.com/user/alerts
  • NetScaler ADC firmware build is patched for vulnerabilities as of Jan 16, 2024.
  • NetScaler ADC firmware updates are tested on separate test ADC appliances before performed in production. Test ADC appliances have test VIPs – application owners can test their VIPs on test ADC before firmware is upgraded in production.
  • NetScaler ADC VPX on vSphere:
    • NetScaler VPX NICs are VMXNET3, not E1000.
    • NetScaler is version that supports vSphere version.
    • DRS Cluster Anti-affinity is configured for the VPX appliances in the same HA pair.
    • CPU/Memory are reserved at hypervisor. If not reserved at hypervisor, then Yield CPU is not enabled so that VPX can reserve CPU itself.
  • NetScaler ADC license does not expire any time soon – check date inside license files at /nsconfig/license
    • ADM Pooled Licensing has license alerts enabled for email notifications.
  • Physical NetScaler ADC:
    • LOM port is connected and configured.
    • LOM nsroot password is changed from the default.
    • No VLAN is connected to multiple active interfaces unless those interfaces are in a port channel.
  • ADC nsroot password is not nsroot. nsroot password is managed by Privileged Identity Management tool. Admins don’t use nsroot to login.
  • Policies are Advanced Expressions instead of Classic Expressions. (source = CTX296948)
  • Management authentication is configured for external authentication server, typically LDAP.
    • LDAP is load balanced instead of multiple LDAP Policies to individual LDAP servers – avoids premature account lockout.
    • LDAP is encrypted: LDAPS on port 636.
    • LDAP Bind account is a service account – not a regular user whose password expires.
    • LDAP Search Filter only allows ADC Admins Active Directory Group to authenticate.
  • If TACACS, firmware is 12.0 build 57 or newer to prevent TACACS Accounting from blocking AAA.
  • nsroot account has external authentication disabled.
  • No local NetScaler ADC accounts except nsroot.
  • NTP and Time Zone are configured.
  • Syslog is configured to send logs to external SIEM, especially if ADC is performing authentication.
  • SNMP Traps are sent to Citrix ADM appliance.
    • Thresholds are configured for CPU and Memory alarms.
  • Customer Experience Improvement Program (CUXIP) is disabled.
  • Recommended TCP Profile Settings are configured.
  • Drop Invalid HTTP requests is enabled in HTTP global settings.
  • Secure Access Only is enabled on all NSIPs and all management-enabled SNIPs – check both nodes of High Availability pair.
    • Management certificate has no certificate errors.
  • Networking:
    • NetScaler ADC VLANs only have one interface (or one channel) – Best Practices at Citrix Docs.
    • If Dedicated Management Network, Policy Based Routes (PBR) are configured for NSIP reply traffic and NSIP-initiated traffic.
    • Unused network interfaces are disabled.
    • ADC instance is connected to only one security zone – if connected to multiple security zones, then a firewall is bypassed.
    • Default route should be Internet facing, or a data VLAN – not NSIP VLAN.
    • Only one default route – extra default routes can come from HA pairing or hardware migration.
  • Root DNS server address “h.root-servers.net” is set to 198.97.190.53 – might be old address due to older firmware
  • Unused NetScaler ADC configurations are removed – unused server objects, unused policies, etc.
  • Citrix ADM monitors and backs up the ADC appliances.
  • ADC Dashboard shows that CPU, Memory, and Throughput have not exceeded appliance capacity or appliance licensing.
  • /var/core and /var/crash do not have recent crash dumps.

NetScaler ADC High Availability Pair

  • Firmware build is identical on both nodes.
  • Installed Licenses are identical on both nodes.
  • NTP and time zones are configured on both appliances – Configuration node shows System Time.
  • Unused interfaces are disabled.
  • HA is synchronizing without error.
  • Both HA nodes are set to ENABLED – not STAYPRIMARY and/or STAYSECONDARY.
  • Fail-safe mode is enabled.
  • “show ha node” shows heartbeats across all interfaces – no “interfaces on which heartbeats are not seen”.
  • High Availability failover has been tested, including RADIUS authentication, which might come from a different source IP.
  • Sync VLAN configured to enable ISSU on ADC 13.0+

NetScaler ADC SDX

  • LOM port is connected and configured.
    • LOM nsroot password is not nsroot.
  • No hardware problems shown on SDX SVM dashboard page.
  • SDX firmware is current – should be same or newer than the VPX firmware.
  • SDX SVM nsroot password is not nsroot. nsroot password is complex. Admins don’t use nsroot to login.
  • Management authentication is configured for external authentication server, typically LDAP.
    • LDAP is load balanced instead of multiple LDAP Policies to individual LDAP servers – avoids premature account lockout.
    • LDAP is encrypted: LDAPS on port 636.
    • LDAP Bind account is a service account – not a regular user whose password expires
      • LDAP Bind account should be a regular domain account, not a Domain Admin.
      • LDAP Bind account should be dedicated to LDAP Bind and not used for anything else.
    • LDAP Search Filter only allows ADC SDX Admins Active Directory Group to authenticate.
  • No local accounts except nsroot.
  • No certificate errors when accessing SVM management using htttps.
    • HTTPS is forced in System Settings – HTTP is not allowed.
  • Multiple DNS servers are configured in Networking Configuration – initial setup only asks for one DNS server.
  • Channels are created at SDX SVM instead of inside VPX instances.
  • NTP is configured and enabled.
  • Syslog is configured.
  • SNMP traps are sent to Citrix ADM.
  • The number of SDX instance licenses installed matches what’s owned at https://citrix.com/account
  • SDX SVM Backups are configured with External Transfer – or download periodically – or ADM.
  • VPX Instances:
    • Platinum Edition license is assigned to instances.
    • SSL Chips are assigned to VPX instances.
    • All SDX hardware is allocated to VPX instances – If not, why not?
    • Production instances typically have Dedicated CPU cores. Test/Dev instances typically have Shared CPU.
    • VLANs are specified inside VPX instances instead of at instance properties on SDX Management Service – avoids reboot if you need to change the VLAN configuration.
    • No VMACs in instance interface settings.

NetScaler ADC Load Balancing and SSL

  • Load Balancing configurations are documented.
  • Monitors do more than just telnet – e.g. LDAP monitor performs LDAP query.
    • LDAP monitor bind account uses service account, not domain admin.
    • LDAP monitor is filtered to cn=builtin – to reduce result size.
    • RADIUS monitor looks for response code 2 or 3.
  • If multiple Virtual Servers for multiple ports on the same VIP, configure Persistency Group – e.g. Horizon Load Balancing.
  • Rewrite policies remove web server header information (Server, X-Powered-By, etc.)
  • SSL Labs SSL Server Test shows A or A+ grade for all Internet-facing SSL vServers.
  • Redirect Virtual Servers are UP (Responder method) instead of DOWN (Backup URL method).
  • Custom (non-default) ciphers are bound to every SSL Virtual Server – see Citrix Networking SSL / TLS Best Practices.
  • SSL v3 and TLS v1.0 are disabled on every SSL Virtual Server.
  • SSL Renegotiation is set to NONSECURE: configured globally, or in SSL Profiles (including default profile).
  • Root certificate is not linked to intermediate certificate.
  • Certificates are not expired.
  • SSL Services do not have “-TLS11 disabled” or “-TLS12 disabled” – might be disabled from older firmware.
  • ADM alerts ADC administrators when certificates are soon to expire.
  • ADM Analytics is enabled for the HTTP Virtual Servers.
    • ADM Web Insight is viewed.
  • Bot Management (13.0 build 41+) and/or Web App Firewall are configured if ADC Premium Edition.
    • ADM Security Insight is enabled and viewed.

Citrix NetScaler ADM

  • NetScaler ADM exists and manages all ADC appliances.
    • Prompt credentials for instance login is enabled in ADM System Settings – if ADM does Single Sign-on to instances, then all instance changes are logged as nsroot instead of ADM user.
  • NetScaler ADM firmware version is current.
    • ADM Agents and DR nodes have same firmware version as ADM – check /var/mps/log/install_state
  • Two DNS servers are configured in ADM Network Configuration – initial setup only asks for one DNS server.
  • Two NetScaler ADM appliances in High Availability mode with Floating IP – provides redundancy.
  • Every High Availability node and DR node has same disk size.
  • NetScaler ADM nsroot password is not nsroot. nsroot password is complex. Admins don’t use nsroot to login.
  • NetScaler ADM Agent nsrecover password has been changed from the default.
  • Management authentication is configured for external authentication server, typically LDAP.
    • LDAP is load balanced instead of multiple LDAP Policies to individual LDAP servers – avoids premature account lockout.
    • LDAP is encrypted: LDAPS on port 636.
    • LDAP Bind account is a service account – not a regular user whose password expires.
    • LDAP Search Filter only allows ADM Admins Active Directory Group to authenticate.
  • No local accounts except nsroot.
  • No certificate errors when accessing ADM management using htttps.
    • HTTPS is forced in System Settings – HTTP is not allowed
  • Time zone is configured.
  • NTP is configured and enabled.
  • NetScaler ADM Database is not full. Sufficient disk space.
  • Sufficient ADM CPU/Memory – verify at System > Statistics or System > Deployment.
  • All features enabled – verify at System > Administration > Disable or enable features
  • SSL Dashboard alert notifications are enabled to warn of upcoming certificate expiration.
  • Tasks page notifications are enabled
  • Event Rules are configured to email ADC administrators of Critical or Major ADC alarms.
  • NetScaler ADC Instance Backup settings on NetScaler ADM:
    • Number of NetScaler ADC instance backups retained is sufficient for restoring from history.
    • NetScaler ADC Backups are transferred to external SFTP, SCP, or FTP server.
    • NetScaler ADC Restore process is documented and tested.
  • VIP Licensing:
    • Installed license count on NetScaler ADM matches the licenses owned at https://citrix.com/account.
    • Licenses are assigned to Virtual Servers that need Analytics (e.g. HDX Insight) or Applications tab.
    • AppFlow/Insight is enabled on NetScaler Citrix Gateway and HTTP Virtual Servers.
    • TCP 5563 opened from SNIP to ADM for Metrics Collector.
    • License expiration notifications are enabled.
  • Private IP Blocks are configured for geo mapping of ADC instances and Analytics sessions.
  • Analytics Thresholds are configured – e.g., ICA Latency threshold.
  • Session Reliability on HA Failover is enabled on ADC instances in ICA Parameters – if not enabled, then sessions drop on failover.
  • ADM HDX Insight is linked to Director Premium Edition using https protocol, not http protocol.

NetScaler Citrix Gateway ICA Proxy

NetScaler Citrix Gateway Virtual Server:

  • SSL Labs SSL Server Test shows A or A+ when it scans the Gateway external FQDN.
  • If ICA Only is unchecked on the Gateway Virtual Server, then System > Licenses shows sufficient Maximum Citrix Gateway Users Allowed.
  • NetScaler Citrix Gateway Virtual Server Maximum Users is 0, which means unlimited.
  • TCP Profile is configured with Recommended TCP Profile Settings.
  • DTLS is enabled on the Virtual Server for EDT protocol.
    • UDP ports are open on firewall from Internet and to VDAs.
    • Director Session Details shows HDX protocol as UDP.
  • ICA Connections shows port 2598 (Session Reliability enabled), not 1494.
  • NetScaler Citrix Gateway communication to StoreFront is https protocol, not http.
  • NetScaler Citrix Gateway communication to StoreFront is load balanced to multiple StoreFront servers – not a single StoreFront server.
  • STAs on NetScaler Citrix Gateway matches StoreFront configuration.
  • Policies are Advanced Expressions instead of Classic Expressions. (source = CTX296948)
  • If EPA is used for SmartAccess, then Endpoint Analysis Libraries are updated.

NetScaler Citrix Gateway Authentication:

  • Encrypted LDAP:
    • LDAP is load balanced instead of multiple LDAP Policies to individual LDAP servers – avoids premature account lockout.
    • LDAP is encrypted: LDAPS on port 636.
    • LDAP Bind account is a service account – not a regular user whose password expires.
    • LDAP Search Filter only allows authorized remote users in an Active Directory group to authenticate.
  • Two-factor authentication – RADIUS:
    • For Workspace app, password fields are swapped.
    • Both factors are required to login. Can’t bypass second factor.
    • RADIUS tested from both High Availability nodes (perform failover).
  • SAML Authentication:
    • Prefer RADIUS over SAML so that ADC will have access to the user’s password to facilitate Single Sign-on to the VDA machines.
    • If SAML response does not provide user’s password, then Federated Authentication Service (FAS) is deployed .
    • For Workspace app support of SAML, SAML is configured in nFactor (AAA), not Gateway – requires ADC 12.1 and newest Workspace app.
    • SAML iDP Signing certificate is not expired. ADC administrators know how to update the Signing certificate.
    • relaystateRule configured in SAML Action to prevent session hijack – see https://support.citrix.com/article/CTX316577
  • Native OTP:
    • OTP Active Directory attribute is encrypted.
  • nFactor login fields are encrypted.

NetScaler ADC GSLB

  • If a DNS name resolves to multiple IP addresses, then the DNS name should be GSLB-enabled for automatic failover.
  • DNS Records are delegated to two or more ADC ADNS services, usually in separate data centers.
    • NS records and SOA records are added to ADC for delegated domain names and/or delegated sub zones.
  • All NetScaler ADC nodes that have ADNS listeners for the same DNS name have identical GSLB configuration.
  • Public GSLB Services have monitors that verify remote Internet connectivity – don’t give out IP if users can’t reach it.
  • Separate NetScaler ADC appliances for public DNS and internal DNS – If both are on one appliance, then how are the DNS configurations separated?
  • RPC nodes for Metric Exchange Protocol (MEP) should have Secure enabled.
  • Firewall should only allow the MEP endpoints to communicate over 3009 – don’t open to whole Internet.
  • If Static Proximity:
    • Static Proximity database is current.
    • GSLB Services show correct geo location.
    • Custom Entries are added for internal subnets.
  • If DNS Views, DNS Views are configured on all GSLB Services – if GSLB Service doesn’t have a DNS View, then that GSLB Service might not function correctly.
  • If Active/Active GSLB load balancing, then site persistence is functioning correctly.
  • DNS security options are configured to prevent ADNS Denial of Service.

Detailed Change Log

Last Modified: Nov 9, 2021 @ 1:47 pm

This post lists all minor and major changes made to carlstalhood.com since May 2020.

Citrix Provisioning Master Device – Convert to vDisk

Last Modified: Dec 4, 2024 @ 3:56 am

Navigation

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

đź’ˇ = Recently Updated

Change Log

PXE Tester

If you will use PXE, download CTX217122 PXEChecker to the master machine.

The TFTP portion won’t work unless the client-side firewall is disabled.

To verify functioning PXE, run PXEChecker, and Run Test in Legacy BIOS mode. Or you can do a BDM Test (see the article for details).

Convert to vDisk – Imaging Wizard Method

The Imaging Wizard connects to a Citrix Provisioning server to create a vDisk (.vhdx file) and a device (database entry with device’s MAC address). Once that’s done, the machine reboots and the conversion process begins. You can also do all of these steps manually.

  1. In the Citrix Provisioning Console, create a Store to hold the new vDisk.
  2. In the Citrix Provisioning Console, create a Device Collection to hold the new Target Device. This could be a Device Collection for Updater machines.
  3. The Imaging Wizard will ask you to enter a new machine name. You can’t use the existing machine name because Citrix Provisioning needs to create a new Active Directory account so Citrix Provisioning will know the new machine’s computer password.
  4. If the Imaging Wizard is not already running, launch it from the Start Menu.
  5. In the Welcome to the Imaging Wizard page, click Next.
  6. In the Connect to Citrix Provisioning Site page, enter the name of a Citrix Provisioning server, and click Next.
  7. In the Imaging Options page, click Next to create a new vDisk. Alternatively, you can select Create an image file.
  8. In the Add Target Device page, enter a new unique name for the new Target Device.
  9. Select a Collection name and click Next.
  10. In the New vDisk page:
    1. Enter a name for the vDisk.
    2. Select an existing Store name.
    3. Leave vDisk type set to Dynamic and VHDX.
  11. Click Next
  12. In the Microsoft Volume Licensing page, select None, and click Next. We’ll configure this later when switching to Standard Image mode.
  13. In the What to Image page, leave it set to Image entire boot disk, and click Next.
  14. In the Optimize Hard Disk for Citrix Provisioning page, click Next.

    • Shown below are the optimizations it performs.
  15. In the Summary page, click Create.
  16. In the Restart Needed page, click Continue.
  17. When asked to reboot, click No.
  18. Then click Yes to shut down the machine. This gives you time to reconfigure the machine to boot from the network or ISO. The vDisk conversion process cannot continue until you are booted from Citrix Provisioning.
  19. If you look in the Citrix Provisioning console, in the Store, you will see a new vDisk in Private Image mode. Currently there is nothing in this vDisk. The new vDisk is sized the same as the machine you ran Imaging Wizard from. You might have to Refresh the display to see the new vDisk.
  20. In the chosen Device Collection, you will see a new Target Device record that is configured to boot from Hard Disk, and is assigned to the new vDisk. You might have to Refresh the display to see the new Device.

Boot from Network or ISO

  1. Power off the Target Device.
  2. If the Target Devices are on the same subnet as the Provisioning Servers, then you don’t need to configure DHCP Scope Options 66 or 67.
  3. If the Target Devices are on a different subnet than the Provisioning Servers, then machines can use a Boot ISO that has UEFI enabled. Or configure DHCP Scope Options 66 and 67.
    1. For DHCP Scope option 66, you can only configure one TFTP Server address. For HA, you can enter a DNS name that does DNS round robin to multiple Citrix Provisioning servers. Or use Citrix ADC to load balance the TFTP service on the PVS servers.
    2. Configure DHCP scope option 67 with the correct file name. For the EFI file name. See Unified Extensible Firmware Interface (UEFI) pre-boot environments at Citrix Docs.
  4. For vSphere Client, edit the settings of the virtual machine.
  5. Switch to the VM Options tab.
  6. In the Boot Options section, check the box to Force EFI Setup, or Force BIOS Setup.

  7. If vSphere, and booting from an ISO:
    1. Switch to the Virtual Hardware tab.
    2. Expand CD/DVD drive 1 and connect the virtual machine’s CD to the Datastore ISO File named PvSBoot.iso.
    3. Make you check Connect At Power On.
    4. Make sure the CD-ROM is IDE, and not SATA.
    5. Also, remove any SATA controller.
    6. Click OK to close the virtual machine settings.
  8. If Hyper-V:
    1. In VMM, edit the virtual machine properties
    2. Switch to the Hardware Configuration page.
    3. If booting from ISO, in the Virtual DVD drive page, assign the ISO from the library.
    4. Switch to the Hardware Configuration > Firmware page
    5. Move PXE Boot or IDE Hard Drive to the top.
    6. Click OK to close the virtual machine properties.
  9. Power on the virtual machine.
  10. If vSphere EFI:
    1. Boot the virtual machine.
    2. In the Boot Manager, don’t select a boot option. Instead, go to Enter Setup.
    3. Go to Configure boot options.
    4. Go to Change boot order.
    5. Press <Enter> on Change the order.
    6. Use the plus icon on your number pad to move EFI Network to the top.
    7. Commit changes and exit.
    8. Exit the Boot Maintenance Manager.
    9. Now boot from EFI Network.
  11. If vSphere BIOS:
    1. Boot the virtual machine.
    2. In the Virtual Machine’s console, on the Boot tab, move Network boot or CD-ROM Drive to the top.

    3. Press F10 to close the BIOS Setup Utility.
  12. You should see the virtual machine boot from a Citrix Provisioning server and find the vDisk.

  13. Once the machine has booted, login. If you see a Format Disk message, just ignore it, or click Cancel. The Imaging Wizard will format it for you.
  14. The conversion wizard will commence. It will take several minutes to copy the files from C: drive (local hypervisor disk) to vDisk (Citrix Provisioning disk) so be patient.

    1. If the Imaging Wizard does not successfully copy the local drives to the vDisk, first make sure the vDisk is mounted by opening the systray icon.

    2. Then you can manually start the conversion by running C:\Program Files\Citrix\Provisioning Services\P2PVS.exe.

  15. When done, click Done. It might prompt you to reboot. Reboot it, log in, and then shut it down.

Master Target Device – Join to Domain

Citrix Provisioning must learn the password of the Target Device’s Active Directory computer account. To achieve this, use the Citrix Provisioning Console to create or reset the computer account.

Do not use Active Directory Users & Computers to manage the Target Device computer account passwords. Creating, Resetting, and Deleting Target Device Active Directory computer objects must be done from inside the Citrix Provisioning Console so Citrix Provisioning will know the computer’s password. Citrix Provisioning will automatically handle periodic (default 7 days) changing of the computer passwords.

  1. In the Citrix Provisioning Console, right-click the new Target Device, expand Active Directory, and click Create Machine Account.
  2. Select the correct OU in which the Active Directory computer object will be placed, and click Create Account.
  3. Then click Close.

Boot from vDisk

  1. In the Citrix Provisioning Console, go to the Device Collection.
  2. Right-click the new device, and click Properties.
  3. On the General tab, set Boot from to vDisk.
  4. Restart the Target Device.
  5. At this point it should be booting from the vDisk. To confirm, in the systray by your clock is an icon that looks like a disk. Double-click it.
  6. The General tab shows it Boot from = vDisk, and the Mode = Read/Write.

vDisk – Save Clean Image

If you have not yet installed applications on this image, you can copy the VHDX file and keep it as a clean base image for future vDisks.

  1. If this vDisk is in Private Image mode, first power off any Target Devices that are accessing it.
  2. Then you can simply copy the VHDX file and store it in a different location.

If you later need to create a new vDisk, here’s how to start from the clean base image:

  1. Copy the clean base image VHDX file to a new folder.
  2. Rename the file to match your new Image name.
  3. In the Citrix Provisioning Console, create a new Store, and point it to the new folder.
  4. Give the new Store a name.
  5. On the Servers tab, select all Provisioning servers.
  6. On the Paths tab, enter the path to the new folder. Click OK.
  7. Click OK when asked to create the default write cache.
  8. Right-click the new store and click Add or Import Existing vDisk.
  9. Click Search.
  10. Click OK if prompted that a new property file will be created with default values.
  11. Click Add, click OK, and then click Close.

  12. You can now assign the new vDisk to an Updater Target Device and install applications.

KMS

Skip this section if you are using Active Directory-based Activation instead of KMS Server.

This only needs to be done once. More information at CTX128276 Configuring KMS Licensing for Windows and Office.

  1. Make sure the Citrix Provisioning services are running as an account that is a local administrator on the Provisioning Servers. Citrix Provisioning needs to mount the vDisk but only local administrators can mount VHDX files.
  2. In the Citrix Provisioning Console, right-click on the virtual disk, and select Properties.
  3. Click on the tab named Microsoft Volume Licensing, and set the licensing option to None. Click OK.
  4. Boot an Updater device from the vDisk in Private Image mode.
  5. Login to Windows and rearm the system for both Windows and Office, one after the other.
    1. For Windows Vista, 7, 2008, and 2008R2: Run cscript.exe slmgr.vbs -rearm
    2. For Office (for 64-bit client): C:\Program Files(x86)\Common Files\Microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
    3. For Office (for 32-bit client): C:\Program Files\Common Files\Microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
  6. A message is displayed to reboot the system, DO NOT REBOOT- Instead, run sealing tasks and then shut down the Target Device.
  7. In the Citrix Provisioning Console, right-click on the virtual disk, and select Properties.
  8. Click on the tab named Microsoft Volume Licensing, and set the licensing option to Key Management Services (KMS).
    • In Citrix Provisioning 1906 and newer, also check the box next to Accelerated Office Activation.
  9. Click OK.

Note: After streaming the vDisk to multiple Target Devices, Administrators can validate that the KMS configuration was successful by verifying that the CMID for each device is unique.

  • For Windows: Run cscript.exe slmgr.vbs –dlv
  • For Office: Run C:\Program Files\Microsoft Office\Office16\cscript ospp.vbs /dcmid

Also see Citrix Blog Post Demystifying KMS and Provisioning Services

vDisk – Seal

Do the following sealing steps every time you switch from Private Image mode to Standard Image mode, or promote a Maintenance Image to Test or Production.

  1. Run antivirus sealing tasks. See VDA > Antivirus for links to various antivirus vendor articles.
  2. Citrix Blog Post Sealing Steps After Updating a vDisk contains a list of commands to seal an image for Citrix Provisioning.
  3. Citrix Blog Post PVS Target Devices & the “Blue Screen of Death!” Rest Easy. We Can Fix That has a reg file to clear out DHCP configuration.
  4. Shut down the target device.
  5. Note: Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.

Defrag the vDisk

In the Citrix Blog Post Size Matters: PVS RAM Cache Overflow Sizing, Citrix recommends defragmenting the vDisk.

If the vDisk was created by App Layering ELM, then Gunther Anderson at Performance considarations? at Citrix Discussions says there’s no point in doing a defrag.

  1. While still in Private Image mode, right-click the vDisk, and click Mount vDisk.
  2. In File Explorer, find the mounted disk, right-click it, and click Properties.
  3. On the Tools tab, click Optimize.
  4. Highlight the mounted drive and click Optimize.
  5. When done, back in Citrix Provisioning Console, right-click the vDisk, and click Unmount vDisk.

Standard Image Mode

  1. In the Citrix Provisioning Console, go to the vDisk store, right-click the vDisk, and click Properties.
  2. On the General tab:
    1. Change the Access Mode to Standard Image.
    2. Set the Cache Type to Cache in device RAM with overflow on hard disk. Don’t leave it set to the default cache type or you will have performance problems. Also, every time you change the vDisk from Standard Image to Private Image and back again, you’ll have to select Cache in device RAM with overflow on hard disk.
    3. Change the Maximum RAM size to a higher value. For virtual desktops, set it to 512 MB or larger. For Remote Desktop Session Hosts, set it to 4096 MB or lager. Make sure your Target Devices have extra RAM to accommodate the write cache.
    4. On the bottom of the General tab is a new checkbox to disable cleanup of cached secrets. By default, Citrix Provisioning 7.12 and newer will delete any cached credentials. This behavior can be disabled by checking the box.
  3. Click OK when done.

vDisk – High Availability

  1. In the Citrix Provisioning Console, right-click the vDisk, and click Load Balancing.
  2. Ensure Use the load balancing algorithm is selected. Check the box next to Rebalance Enabled. Click OK.
  3. Go to the physical vDisk store location (e.g. D:\Win2016Common) and copy the .vhd and .pvp vDisk files for the new vDisk. Do not copy the .lok file.
  4. Go to the same path on the other Provisioning Server and paste the files. You must keep both Provisioning Servers synchronized.
  5. Another method of copying the vDisk files is by using Robocopy:
    Robocopy D:\vDisks\ \\pvs2\d$\vDisks *.vhd *.avhd *.pvp *.vhdx *.avhdx /b /mir /xf *.lok /xd WriteCache /xo
  6. Citrix Blog Post The vDisk Replicator Utility is finally finished! has a GUI utility script that can replicate vDisks between Citrix Provisioning Sites and between Citrix Provisioning Farms.

  7. In the Citrix Provisioning Console, right-click the vDisk, and click Replication Status.
  8. Blue indicates that the vDisk is identical on all servers. If they’re not identical then you probably need to restart the Citrix PVS Stream Service and the Citrix PVS SOAP Service. Click Done when done.

Cache Disk – vSphere

Here are vSphere instructions to remove the original C: drive from the Master Target Device, and instead add a blank cache disk.

  1. In vSphere Client, right-click the Master Target Device, and click Edit Settings.
  2. Select Hard disk 1, and click the x icon. Click OK.
  3. Edit the Settings of the virtual machine again.
  4. On the top right, click Add New device, and select Hard Disk.
  5. This is your cache overflow disk. Size is based on the type of VDA.
    • 40 GB is probably a good size for session hosts.
    • For virtual desktops this can be a smaller disk (e.g. 5 GB).
    • Note: the pagefile must be smaller than the cache disk.
  6. Expand the newly added disk, and set Disk Provisioning to Thin provision if desired. Click OK when done.
  7. Configure group policy to place the Event Logs on the cache disk.
  8. Boot the Target Device and Verify the Write Cache Location.

Cache Disk – Hyper-V

Remove the original C: drive from the Target Device and instead add a cache disk.

  1. Edit the settings of your Citrix Provisioning master virtual machine and remove the existing VHD.
  2. Make a choice regarding deletion of the file.
  3. Create a new Disk.
  4. This is your cache overflow disk. 15-20 GB is probably a good size for session hosts. For virtual desktops this can be a smaller disk (e.g. 5 GB). Note: the pagefile must be smaller than the cache disk. Click OK when done.
  5. Configure group policy to place the Event Logs on the cache disk.

Verify Write Cache Location

  1. Boot the target device virtual machine.
  2. Open the Virtual Disk Status window by clicking the Citrix Provisioning disk icon in the system tray by the clock.
  3. Make sure Mode is set to Read Only and Cache type is set to  device RAM with overflow on local hard drive.
  4. If Cache type says server, then follow the next steps:

    1. For the cache disk, if machine uses BIOS, then only MBR is supported. GPT only works with EFI/UEFI machines.
    2. The cache disk must be a Basic disk, not Dynamic.
    3. Format the cache disk with NTFS.
    4. Make sure the pagefile is smaller than the cache disk. If not it will fail back to server caching.
  5. After fixing the problem and rebooting, the Cache Type should be device RAM with overflow on local hard drive.
  6. To view the files on the cache disk, go to Folder Options, and deselect Hide protected operating system files.
  7. On the cache disk, you’ll see the pagefile, and the vdiskdiff.vhdx file, which is the overflow cache file.

Related Pages

Citrix Provisioning Master Device – Preparation

Last Modified: Dec 4, 2024 @ 3:54 am

Navigation

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

đź’ˇ = Recently Updated

Change Log

General Preparation

  1. In Provisioning 2311 and newer, make sure the VDA machine is UEFI instead of BIOS. If not, see Converting BIOS vDisks to UEFI at Citrix Docs.
  2. Build the VDA like normal.
  3. Update VMware Tools.
  4. Join the machine to the domain.
  5. Chrome and Edge – CTX212545 PVS 7.6 CU1: Write cache getting filled up automatically recommends disabling Google Chrome automatic updates.

Pagefile

Ensure the pagefile is smaller than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB and Citrix Provisioning will be unable to move it to the cache disk. This causes Citrix Provisioning to cache to server instead of caching to your local cache disk (or RAM).

The cache disk size for a session host is typically 15-20 GB. The cache disk size for a virtual desktop is typically 5 GB.

  1. Open System. In 2012 R2 and newer, you can right-click the Start button, and click System.
  2. For older versions of Windows, you can click Start, right-click the Computer icon, and click Properties. Or find System in the Control Panel.
  3. Click Advanced system settings.
  4. On the Advanced tab, click the top Settings button.
  5. On the Advanced tab, click Change.
  6. Either turn off the pagefile or set the pagefile to be smaller than the cache disk. Don’t leave it set to System managed size. Don’t forget to click the Set button. Click OK several times.

VMware ESXi/vSphere

VMXNET3

E1000 is not supported – For VMware virtual machine, make sure the NIC is VMXNET3. E1000 is not supported and will affect performance.

View hidden adapters in Device Manager and delete any ghost VMXNET3 NICs.

  1. At the command prompt, type the following lines, pressing ENTER after each line
    set devmgr_show_nonpresent_devices=1
    start devmgmt.msc
    
  2. Open the View menu, and click Show hidden devices.
  3. Expand Network adapters, and look for ghost NICs (grayed out). If you see any, remove them.

SATA Controller

Citrix Provisioning does not support the SATA Controller that became available in ESXi virtual machine hardware Version 10. Change the CD/DVD Drive to IDE instead of SATA.

Then remove the SATA Controller.

NTP

Ensure that the ESXi hosts have NTP enabled.

DHCP

After creating the vDisk, follow the instructions at Provisioning Services 6 Black Screen Issue to clear any DHCP address in the vDisk.

Slow Boot Times

Citrix Provisioning Target Devices in VMware ESX boot slow intermittently after upgrading the ESX hosts from 5.0 to 5.1.

Citrix CTX139498 Provisioning Services Target Devices Boot Slow in ESX 5.x: Use the following command to disable the NetQueue feature on the ESX hosts:

esxcli system settings kernel set -s netNetqueueEnabled -v FALSE

Hyper-V

  1. Generation 2 support is available in Citrix Provisioning 7.8 and newer.
  2. If Generation 1, each Hyper-V Citrix Provisioning Target Device must have a Legacy network adapter. Legacy NIC supports Network Boot, while the Synthetic NIC does not.
  3. Give the Legacy Network Adapter a Static MAC address. If you leave it set to all zeros then VMM will generate one once the VM is deployed.
  4. When you reopen the virtual machine properties there will be a Static MAC address.
  5. Set the Action to take when the virtualization server stops to Turn off virtual machine. This prevents Hyper-V from creating a BIN file for each virtual machine.
  6. To set a VLAN, either create a Logical Network and Network Site.
  7. Or use Hyper-V Manager to set the VLAN on each virtual machine NIC.

Antivirus Best Practices

Citrix’s Recommended Antivirus Exclusions

Citrix Tech Zone: Endpoint Security, Antivirus, and Antimalware Best Practices.

Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:

  • Set real-time scanning to scan local drives only and not network drives
  • Disable scan on boot
  • Remove any unnecessary antivirus related entries from the Run key
  • Exclude the pagefile(s) from being scanned
  • Exclude Windows event logs from being scanned
  • Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including StoreFront, VDA, Controller, and Provisioning. The Blog Post also has links to additional KB articles on antivirus.

Sophos

Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Kaspersky

CTX217997 BSOD Error: “STOP 0x0000007E CVhdMp.sys with Kaspersky antivirus: install Kaspersky Light Agent using the /pINSTALLONPVS=1 switch.

Boot ISO

You can create a Citrix Provisioning boot ISO for your Target Devices. This is an alternative to PXE.

  1. On the Provisioning server, run Citrix Provisioning Boot Device Manager.
  2. In the Specify the Login Server page, add the IP addresses of Provisioning servers.
  3. Check the box next to Target device is UEFI firmware. Click Next.
  4. In the Set Options page, check the box next to Verbose Mode, and click Next.
  5. In the Burn the Boot Device page, do not click Burn. If you do, then you will have a very bad day. Instead, look in the Boot Device section, and change it to Citrix ISO Image Recorder. Then you can click Burn.
  6. Save the iso and upload it to a datastore or VMM library.
  7. You can now configure your Target Devices to boot from this ISO file.

Target Device Software Installation

The Target Device Software version must be the same or older than the Citrix Provisioning server version.

The install instructions for all Target Device versions 2411 and older are essentially the same.

Do the following on the master VDA you intend to convert to a vDisk. Try not to install this while connected using RDP or ICA since the installer will disconnect the NIC.

  1. Ghost NICs – Your Target Device might have ghost NICs. This is very likely to occur on Windows 7 and Windows 2008 R2 VMs when using VMXNet3. Follow CTX133188 Event ID 7026 – The following boot-start or system-start driver(s) failed to load: Bnistack to view hidden devices and remove ghost NICs.
  2. Go to the downloaded Citrix Provisioning and run PVS_Device_x64.exe.
  3. If you see a requirements window, then click Install to install prerequisites.
  4. In the Welcome to the Installation Wizard for Citrix Provisioning Target Device x64 page, click Next.
  5. In the License Agreement page, select I accept, and click Next.
  6. In the Customer Information page, click Next.
  7. In the Destination Folder page, click Next.
  8. In the Ready to Install the Program page, click Install.
  9. In the Installation Wizard Completed page click Finish.
  10. Click Yes if prompted to restart.
  11. The Imaging Wizard launches. Review the following tweaks. Then proceed to converting the Master Image to a vDisk.

Target Device Software Tweaks

Asynchronous I/O

Prevent Drive for Write Cache

From Citrix Community PVS Target Device wrong drive letters: The driver that determines which partition to place the local cache searches for a file named: {9E9023A4-7674-41be-8D71-B6C9158313EF}.VDESK.VOL.GUID in the root directory. If the file is found it will not place the write cache on that disk.

Excessive Retries

If VMware vSphere, make sure the NIC is VMXNET3.

Hide Citrix Provisioning Systray Icon

From Citrix CTX572340 Hide “Virtual Disk status” icon from System tray on the endpoints: Add the reg value below:

  • HKLM\Software\Citrix\ProvisioningServices\StatusTray
    • ShowIcon (DWORD) = 0

This however will disable to all users, even Admins. Solution: Apply the HKCU key below based on Group membership (Group Policy Preferences > Item Level Targeting):

  • HKEY_CURRENT_USER\SOFTWARE\Citrix\ProvisioningServices\StatusTray
    • ShowIcon (DWORD) = 0

Once that is in place the icon will go away.

Related Pages

Citrix Provisioning Console Configuration

Last Modified: Dec 4, 2024 @ 3:55 am

Navigation

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

Change Log

Launch the Provisioning Console

  1. Launch the Citrix Provisioning Console.
  2. Right-click the top-left node and click Connect to Farm.
  3. Enter localhost and click Connect.
  4. In large multi-domain environments, or when older domains are still configured but are unreachable, if you see Server communication timeout, then see CTX231194 PVS Console Errors: “Critical Error: Server communication timeout” for a registry key to skip forest level trusts, a registry key to increase the console timeout, and a .json file to blacklist domains.

Farm Properties

  1. Right-click the farm name and click Properties.
  2. On the Groups tab, add the Citrix Admins group.
  3. On the Security tab, add the Citrix Administrators group to grant it full permission to the entire Provisioning farm. You can also assign permissions in various nodes in the Provisioning console. Citrix Provisioning 2311 and newer let you restrict a group to Read-only access.
  4. On the Options tab, check the boxes next to Enable Auditing, and Enable offline database support.

    • With Auditing enabled, you can right-click on objects and click Audit Trail to view the configuration changes.

  5. If you see a Problem Report tab, you can enter MyCitrix credentials. This tab was removed in Provisioning 2209.
  6. Registration tab shows you if the farm is registered to a CVAD Site or Citrix Cloud.

  7. Encryption tab shows you the status of database encryption. In PVS 2407 and newer, database encryption no longer requires registration with Citrix Cloud.
  8. Click OK to close Farm Properties.
  9. Click OK when prompted that a restart of the service is required.

Server Properties

  1. Expand the Provisioning Site and click Servers.
  2. For each Provisioning Server, right-click it, and click Configure Bootstrap.
  3. Click Read Servers from Database. This should cause both servers to appear in the list.
  4. From Carl Fallis at PVS HA at Citrix Discussions: when stopping the stream service through the console the Provisioning server will send a message to the targets to reconnect to another server before the stream service shuts down. The target then uses the list of login servers (Bootstrap servers) and reconnects to another server, this is almost instantaneous failover and can’t really be detect . In the case of the Provisioning server failing the target detects it and reconnects, slightly different mechanism and the target may hang for a short time. Check out the following article for more information https://www.citrix.com/blogs/2014/10/16/provisioning-services-failover-myth-busted for the Provisioning server failure case.
  5. On the Options tab, check the box next to Verbose mode.
  6. Right-click the server, and click Properties.
  7. On the General tab, check the box next to Log events to the server’s Windows Event Log.
  8. Click Advanced.
  9. Citrix Blog Post From Legacy to Leading Edge: The New Citrix Provisioning Guidelines says Avoid Modifying the Threads Per Port and Streaming Ports. The old guidance was for the number of threads per port should match the number of vCPUs assigned to the server.
  10. On the same tab are concurrent I/O limits. Note that these throttle connections to local (drive letter) or remote (UNC path) storage. Setting them to 0 turns off the throttling. Only testing will determine the optimal number.
  11. Click OK to close Advanced Server Properties.
  12. On the Network tab, Citrix Blog Post From Legacy to Leading Edge: The New Citrix Provisioning Guidelines says Avoid Modifying the Threads Per Port and Streaming Ports. The old guidance was to change the Last port to 6968.
    • Note: port 6969 is used by the Provisioning two-stage boot (Boot ISO) component.
    • You can set the First port to 7000 to avoid port 6969 and get more ports.
    • Citrix Provisioning 1811 and newer open Windows Firewall ports during installation, but Citrix Provisioning Console will not change the Windows Firewall rules based on what you configure here. You’ll need to adjust the Windows Firewall rules manually.
  13. Click OK when done.
  14. Click Yes if prompted to restart the stream service.
  15. If you get an error message about the stream service then you’ll need to restart it manually.

  16. From Carl Fallis at PVS HA at Citrix Discussions: when stopping the stream service through the console the Provisioning server will send a message to the targets to reconnect to another server before the stream service shuts down. The target then uses the list of login servers and reconnects to another server, this is almost instantaneous failover and can’t really be detect . In the case of the Provisioning server failing the target detects it and reconnects, slightly different mechanism and the target may hang for a short time. Check out the following article for more information https://www.citrix.com/blogs/2014/10/16/provisioning-services-failover-myth-busted for the Provisioning server failure case.
  17. Repeat for the other servers. You can copy the Server Properties from the first server, and paste them to additional servers.



Create vDisk Stores

To create additional vDisk stores (one per vDisk / Delivery Group / Image), do the following:

  1. On the Provisioning servers, using Explorer, go to the local disk containing the vDisk folders and create a new folder. The folder name usually matches the vDisk name. Do this on both Provisioning servers.
  2. In the Provisioning Console, right-click Stores, and click Create Store.
  3. Enter the name for the vDisk store, and select an existing site.
  4. Switch to the Servers tab. Check the boxes next to the Provisioning Servers.
  5. On the Paths tab, enter the path for the Delivery Group’s vDisk files. Shared SMB paths are supported as described at Citrix Blog Post PVS Internals #4: vDisk Stores and SMB3.
  6. Click Validate.
  7. Click Close and then click OK.
  8. Click Yes when asked for the location of write caches.

Create Device Collections

  1. Expand the site, right-click Device Collections, and click Create Device Collection.
  2. Name the collection in some fashion related to the name of the Delivery Group, and click OK.

If you are migrating from one Provisioning farm to another, see Kyle Wise How To Migrate PVS Target Devices.

Prevent “No vDisk Found” PXE Message

If PXE is enabled on your Provisioning servers, and if you PXE boot a machine that is not added as a device in the Provisioning console, then the machine will pause booting with a “No vDisk Found” message at the BIOS boot screen. Do the following to prevent this.

  1. Enable the Auto-Add feature in the farm Properties on the Options tab.

  2. Create a small dummy vDisk (e.g. 100 MB).

  3. Create a dummy Device Collection.

  4. Create a dummy device.
  5. Set it to boot from Hard Disk
  6. Assign the dummy vDisk and click OK.
  7. Set the dummy device as the Template.

  8. Right-click the site, and click Properties.
  9. On the Options tab, point the Auto-Add feature to Dummy collection, and click OK.

Related Topics

Citrix Provisioning 2411 – Server Install

Last Modified: Dec 4, 2024 @ 3:43 am

Navigation

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

đź’ˇ = Recently Updated

Change Log

Planning and Versions

CTX220651 Best Practices for deploying PVS in multi-geo environments: ensure that Provisioning farms do not span data centers with a network latency that can affect communications between the Provisioning Servers and the SQL database

SQL 2019 is supported with Citrix Provisioning 2003 and newer.

Citrix Provisioning Firewall Rules

The most recent Current Release version of Citrix Provisioning is 2411.

For LTSR CVAD, deploy the Citrix Provisioning version that matches your CVAD version:

Citrix License Server Version

Upgrade the Citrix Licensing server to the latest version. Citrix now requires the latest License Server version and is configured to upload license telemetry data.

Upgrade

Windows Server 2022 is supported with Citrix Provisioning 2203 and newer.

VMware ESXi 8.0 is supported with Citrix Provisioning 2212 and newer.

SCVMM 2022 is supported with Citrix Provisioning 2203 and newer.

If you are upgrading from an older version of Citrix Provisioning, do the following:

  1. In-place upgrade the Citrix License Server.
  2. In-place upgrade the Provisioning Console.
    1. Re-register the Citrix.PVS.snapin.dll snap-in:
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"
    2. If upgrading from 7.15.3000 to 7.15.4000, then manually upgrade the snap-ins. See CTX256773 Powershell SnapIns are not upgraded from PVS 7.15 LTSR CU3 to 7.15 LTSR CU4 after the upgrade is complete
  3. In-place upgrade the Provisioning Server. If you have two or more Provisioning servers, upgrade one, and then the other. If High Availability is configured correctly, then the Target Devices should move to a different Provisioning server while a Provisioning server is being upgraded.
    1. After the first Provisioning server is upgraded, run the Configuration Wizard. You can generally just click Next through the wizard. At the end, you’ll be prompted to upgrade the database. Then upgrade the remaining Provisioning servers and run the Config Wizard on each of them too.
  4. Upgrade the Target Device Software inside each vDisk. Don’t do this until the Provisioning servers are upgraded (Target Device Software must be same version or older than the Provisioning Servers).
    1. If your Target Devices are 7.6.1 or newer, you can create a Maintenance version, boot an Updater Target Device, and in-place upgrade the Target Device Software.
    2. If your Target Devices are older, then you must reverse image.

vDisk Storage

Do the following on both Provisioning Servers. The vDisks will be stored locally on both servers. You must synchronize the files on the two servers: either manually (e.g. Robocopy), or automatically (e.g. DFS Replication).

Create D: Drive

  1. In the vSphere Web Client, edit the settings for each of the Provisioning server virtual machines.
  2. On the bottom, use the drop-down list to select New Hard Disk, and click Add.
  3. Expand the New Hard disk by clicking the arrow next to it.
  4. Change the disk size to 500 GB or higher. It needs to be large enough to store the vDisks. Each full vDisk is 40 GB plus a chain of snapshots. Additional space is needed to merge the chain.
  5. Feel free to select Thin provision, if desired. Click OK when done.
  6. Login to the session host. Right-click the Start Button, and click Disk Management.
  7. In the Action menu, click Rescan Disks.
  8. On the bottom right, right-click the CD-ROM partition, and click Change Drive Letters and Paths.

  9. Click Change.
  10. Change the drive letter to E:, and click OK.
  11. Click Yes when asked to continue.
  12. Right-click Disk 1 and click Online.
  13. Right-click Disk 1 and click Initialize Disk.
  14. Click OK to initialize the disk.
  15. Right-click the Unallocated space, and click New Simple Volume.
  16. In the Welcome to the New Simple Volume Wizard page, click Next.
  17. In the Specify Volume Size page, click Next.
  18. In the Assign Drive Letter or Path page, select D: and click Next.
  19. In the Format Partition page, change the Volume label to vDisks and click Next.
  20. In the Completing the New Simple Volume Wizard page, click Finish.
  21. If you see a pop-up asking you to format the disk, click Cancel since Disk Management is already doing that.

vDisk Folders

On the new D: partition, create one folder per Delivery Group. For example, create one called Win10Common, and create another folder called Win10SAP. Each vDisk is composed of several files, so its best to place each vDisk in a separate folder. Each Delivery Group is usually a different vDisk.

Robocopy Script

Here is a sample robocopy statement to copy vDisk files from one Provisioning server to another. It excludes .lok files and excludes the WriteCache folders.

REM Robocopy from PVS01 to PVS02
REM Deletes files from other server if not present on local server
Robocopy D:\vDisks \\pvs02\d$\vDisks *.vhd *.vhdx *.avhd *.avhdx *.pvp /b /mir /xf *.lok /xd WriteCache /xo

Citrix Blog Post vDisk Replicator Utility has a GUI utility script that can replicate vDisks between Provisioning Sites and between Provisioning Farms.

Service Account

Provisioning Services should run as a domain account that is in the local administrators group on both Provisioning servers. This is required for KMS Licensing.

Provisioning Console Install/Upgrade

The installation and administration of Citrix Provisioning 2411 and older (including LTSR versions 2203 and 1912) are essentially identical.

Operating System – Windows Server 2022 is supported with Citrix Provisioning 2203 and newer.

Hypervisor – VMware ESXi 8.0 is supported with Citrix Provisioning 2212 and newer. VMware VSAN 8 is supported with Citrix Provisioning 2311 and newer.

BIOS – Citrix Provisioning 2311 and newer no longer support BIOS. See Converting BIOS vDisks to UEFI at Citrix Docs.

If you want to automate the installation and configuration of Citrix Provisioning, see Dennis Span Citrix Provisioning Server unattended installation.

To manually install Provisioning Console, or in-place upgrade the Provisioning Console:

  1. Go to the downloaded Citrix Provisioning, and in the Console folder, run PVS_Console_x64.exe.
  2. Click Install.
  3. If you see the .NET Framework Setup page:
    1. Check the box next to I have read and accept the license terms, and click Install.
    2. In the Installation Is Complete page, click Finish.
    3. Click Restart Now.
    4. Restart the PVS_Console_x64.exe installer.
    5. Click Install.
  4. Click Yes to reboot when prompted. Then restart the installation.
  5. In the Welcome to the InstallShield Wizard for Citrix Provisioning Console x64 page, click Next.
  6. In the License Agreement page, select I accept the terms, and click Next.
  7. In the Customer Information page, click Next.
  8. In the Destination Folder page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the InstallShield Wizard Completed page, click Finish.
  11. Click Yes if you are prompted to restart.

After upgrading the Console, re-register the PowerShell snap-in. This is required for the Citrix App Layering Agent.

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"

Provisioning Server – Install/Upgrade

The installation and administration of Citrix Provisioning 2411, 1912 LTSR CU9, 7.15.45, 7.6.9 and other 7.x versions are essentially identical.

Operating System – Windows Server 2022 is supported with Citrix Provisioning 2203 and newer.

Hypervisor – VMware ESXi 8.0 is supported with Citrix Provisioning 2212 and newer. VMware VSAN 8 is supported with Citrix Provisioning 2311 and newer.

BIOS – Citrix Provisioning 2311 and newer no longer support BIOS. See Converting BIOS vDisks to UEFI at Citrix Docs.

You can in-place upgrade Provisioning Server. The Provisioning Servers must be upgraded before the vDisks’ Target Device Software are upgraded. While upgrading one Provisioning Server, all Target Devices are moved to the other Provisioning Server assuming that vDisk High Availability is properly configured.

To install/upgrade Provisioning server:

  1. If vSphere, make sure the Provisioning server virtual machine Network Adapter Type is VMXNET 3.
  2. Go to the downloaded Provisioning ISO, and in the Server folder, run PVS_Server_x64.exe.
  3. Click Install when asked to install prerequisites.
  4. Click Yes to reboot. After the restart, relaunch the installer.
  5. Note: there’s a long delay before the installation wizard appears.
  6. In the Welcome to the Installation Wizard for Citrix Provisioning Server x64 page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In Citrix Provisioning 1811 and newer, you’ll see a Default Firewall Ports page. You can optionally select Automatically open all Citrix Provisioning ports in Windows Firewall. If you later use the Citrix Provisioning Console to change the ports, then the Windows Firewall rules need to be adjusted manually since the Citrix Provisioning Console won’t do it for you.
  9. In the Customer Information page, select Anyone who users this computer, and click Next.
  10. In the Destination Folder page, click Next.
  11. In the Ready to Install the Program page, click Install.
  12. In the Installation Wizard Completed page, click Finish.

Database Script

By default, the Citrix Provisioning Configuration Wizard will try to create the database using the credentials of the person that is running the Wizard. This isn’t always feasible. An alternative is to create a script that a DBA can run on the SQL server.

  1. Go to C:\Program Files\Citrix\Provisioning Services and run DBScript.exe.
  2. Change the selection to New database for 2012 or higher.
  3. Enter a path to save the script file.
  4. Fill in the other fields.
  5. Select an Active Directory group containing your Citrix administrators, and click OK.
  6. In SQL Server Management Studio, open the SQL script.

  7. Execute the script to create the database.

  8. The person that runs the Citrix Provisioning Configuration Wizard will need db_owner permission to the new Citrix Provisioning database.
  9. Create a Windows service account that will run the services on the Citrix Provisioning server. This account must have a SQL login on the SQL server containing the Citrix Provisioning database. The Citrix Provisioning Configuration Wizard will grant this account the correct permissions in the database.

Configuration Wizard – New Farm

  1. If you used DBScript.exe to pre-create the database, skip to Configuration Wizard – Join Farm.
  2. Certificate – Joining PVS to CVAD site requires a valid certificate on the PVS server.
  3. For SQL AlwaysOn Availability Group, see CTX201203 SQL Server AlwaysOn Configuration for PVS 7.6. In summary: Use the wizard to create the database instance. In SQL, create the Availability Group. Then reconfigure Citrix Provisioning Server to point to the SQL AlwaysOn listener.
  4. The Citrix Provisioning Configuration Wizard launches automatically. If the database wasn’t pre-created, then the person running the wizard must have dbcreator and securityadmin roles on the SQL Server. If true, click Next. If not true, then cancel the wizard and launch it as somebody that does have those roles.

  5. The DHCP Services page appears. DHCP is typically hosted on a different server so select The service that runs on another computer. It is also possible to install DHCP on the Provisioning Servers. Click Next.
  6. In the PXE Services page, if you intend to use Boot Device Manager (BDM or ISO) instead of PXE, then change the selection to The service that runs on another computer, which disables the PXE service.
  7. If your Target Devices and Provisioning Servers are on the same broadcast network, then change the selection to Citrix Provisioning PXE service on this computer.
  8. Click Next.

  9. In the Farm Configuration page, choose Create Farm, and click Next.
  10. In the Database Server page, enter the name of the SQL server. Citrix Provisioning 2203 and newer has an option for specifying credentials to the SQL server.

    • In Citrix Provisioning 2203 and newer, click the Connection Options button and there’s an option for Enable MultiSubnetFailover for SQL Always On. There’s also an Optional TCP port field. Click OK and then click Next.
    • Older versions of Provisioning have an option for MultiSubnetFailover on the Database Server page. Click Next.
  11. In the New Farm page, enter the following:
    • Enter a descriptive Database name. Put the word Citrix in the database name so the DBA knows what it is for.
    • Enter a descriptive Farm name.
    • Enter a descriptive Site name.
    • Enter a descriptive Collection name. All of these names can be changed later.
    • Select the Active Directory group that will have administrator permissions to Citrix Provisioning, and click Next. If you don’t see your group here, select any group you belong to, and you can fix it later in the console.
  12. In the New Store page, browse to one of the vDisk folders, and give the store a name. Then click Next.
  13. You can optionally join the Provisioning Farm to CVAD or Citrix Cloud so that you can use Web Studio to provision Targets. The CVAD option is available in Citrix Provisioning 2311 and newer.

    1. Click Yes to join the farm to a CVAD Site.
    2. In the Citrix Virtual Desktops Controller page, click Next.
    3. Later in the wizard, an SSL certificate is required on the PVS server.
    4. The Registration tab in Provisioning Console > Farm Properties shows the status of CVAD Site registration.
  14. In the License Server page, enter the name of your Citrix license server, check the box next to Validate license server communication, and click Next.
  15. In the User account page, notice it defaults to Network service account. This won’t work with KMS licensing so change it to Specified user account. Enter credentials for an account that is a local administrator on all Provisioning servers, and click Next. Note: Provisioning 7.16 and newer support Group Managed Service Accounts.

  16. In the Active Directory Computer Account Password page, check the box, and click Next.
  17. In the Network Communications page, click Next.
  18. In the TFTP Option and Bootstrap Location page, check the box, and click Next.
  19. In the Stream Servers Boot List page, click Advanced.
  20. Check the box next to Verbose mode, click OK, and then click Next.
  21. If Provisioning 7.12 or newer, in the SSL Configuration page, click Next.
  22. If you see the Problem Report Configuration page, enter your MyCitrix credentials and click Next.
  23. In the Finish page, click Finish.
  24. If you are upgrading, then you might be asked to upgrade the database. Click Yes.
  25. Click OK if you see the firewall message.
  26. In the Finish page, click Done.

From Running the Configuration Wizard silently at Citrix Docs: Now that you have a configured server, you can run "C:\Program Files\Citrix\Provisioning Services\ConfigWizard.exe" /s to produce an .ans file at "C:\ProgramData\Citrix\Provisioning Services\ConfigWizard.ans". This .ans file can be modified and copied to additional Provisioning servers. "C:\Program Files\Citrix\Provisioning Services\ConfigWizard.exe" /a reads the .ans file and applies the configuration silently.

Configuration Wizard – Join Farm

  1. The Configuration Wizard launches automatically.
  2. There are two methods of handling SQL permissions:
    1. The person running the wizard must have db_owner on the database and securityadmin role on the SQL Server. This allows the wizard to add the service account to SQL logins and grant it access to the database.
    2. Or the person running the wizard can be limited to just db_owner permission to the database. The service account must be added manually to SQL logins by a DBA.
  3. The DHCP Services page appears. DHCP is typically hosted on a different server so select The service that runs on another computer. It is also possible to install DHCP on the Provisioning Servers. Click Next.
  4. In the PXE Services page, if you intend to use Boot Device Manager (BDM or ISO) instead of PXE, then change the selection to The service that runs on another computer, which disables the PXE service.
  5. If your Target Devices and Provisioning Servers are on the same broadcast network, then change the selection to Citrix Provisioning PXE service on this computer.
  6. Click Next.

  7. In the Farm Configuration page, click Join existing farm.
  8. In the Database Server page, enter the name of the SQL server. Citrix Provisioning 2203 and newer has an option for specifying credentials to the SQL server.

    • In Citrix Provisioning 2203 and newer, click the Connection Options button and there’s an option for Enable MultiSubnetFailover for SQL Always On. There’s also an Optional TCP port field. Click OK and then click Next.
    • Older versions of Provisioning have an option for MultiSubnetFailover on the Database Server page. Click Next.
  9. In the Existing Farm page, select the database, and click Next.
  10. In the Site page, select an existing site, and click Next.
  11. If you used the script to create the database, then there probably are no stores defined. Do so now.
  12. Otherwise, in the New Store page, select the existing store, and click Next.
  13. In the License Server page, click Next.
  14. In the User account page, notice it defaults to Network service account. This won’t work with KMS licensing so change it to Specified user account. Enter credentials for an account that is a local administrator on all Provisioning servers, and click Next. Note: Provisioning 7.16 and newer support Group Managed Service Accounts.

  15. In the Active Directory Computer Account Password page, check the box, and click Next.
  16. In the Network Communications page, click Next.
  17. In the TFTP Option and Bootstrap Location page, check the box, and click Next.
  18. In the Stream Servers Boot List page, click Advanced.
  19. Check the box next to Verbose mode, click OK, and then click Next.
  20. If Provisioning 7.12 or newer, in the Soap SSL Configuration page, click Next.
  21. If Provisioning 7.11 or newer, in the Problem Report Configuration page, enter your MyCitrix credentials, and click Next.
  22. In the Finish page, click Finish.
  23. Click OK if you see the firewall message.
  24. In the Finish page, click Done.

Troubleshooting – Networking Services Don’t Work After Reboot

If your PXE service or TFTP service does not work after a reboot of the Provisioning server, do the following:

  1. One option is to set the Citrix PVS PXE Service, Citrix PVS TFTP Service, and Citrix PVS Two-stage boot Service to Automatic (Delayed Start).
  2. The TFTP and Two-stage Boot services can be delayed by setting registry keys.
    • Keys = HKLM\System\CurrentControlSet\services\BNTFTP (and PVSTSB)\Parameters
    • Value = InitTimeoutSec (DWORD). 1 – 4 seconds. Default is 1.
    • Value = MaxBindRetry (DWORD). 5 – 20 retries. Default is 5.

Disable Firewall

Disable the Windows Firewall to allow communication to all Citrix Provisioning Server ports. Or, see Citrix Provisioning Firewall Rules and manually open all required ports. If you change the ports in the Citrix Provisioning Console, then you’ll need to adjust the Windows Firewall rules accordingly.

  1. In Server Manager, click Tools, and click Windows Firewall with Advanced Security.
  2. Click Windows Firewall Properties.
  3. On the Domain Profile tab, change the Firewall state to Off.

Disable BIOS Boot Menu

The versioning process in Citrix Provisioning will present a boot menu when booting any version except Production.

  1. To avoid this, create the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipBootMenu on both Provisioning Servers and set it to 1. Note: the location of this key changed in Provisioning Services 7.0 and newer.
  2. Then restart the Citrix PVS Stream Service.

Private Mode vDisk – No Servers Available for vDisk

Citrix CTX200233 – Error: “No servers available for disk”: When you set a vDisk to Private Image mode (or new Maintenance version), if the Target Device is not connected to the server that contains the vDisk then you might see a message saying “No Servers Available for vDisk”.

  1. To avoid this, create the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipRIMSForPrivate on both Provisioning Servers and set it to 1. Note: the location of this key changed in Provisioning Services 7.0.
  2. Then restart the Citrix PVS Stream Service.

Multi-Homed Provisioning Server

From slide 20 of http://www.slideshare.net/davidmcg/implementing-and-troubleshooting-pvs:, Multi-homed Provisioning server is not recommended but if you insist, and if running Provisioning 6.1 or older, configure the following. Provisioning 7.7 configuration wizard should have asked you for the management NIC.

  • HKLM\Software\Citrix\ProvisioningServices\IPC
    • New Reg_Sz (string) named IPv4Address with the IP of the NIC for IPC
  • HKLM\Software\Citrix\ProvisioningServices\Manager
    • New Reg_Sz (string) named GeneralInetAddr with the IP of the NIC and port
    • e.g. 10.1.1.2:6909

Citrix 133877 Timeout Error 4002 in Provisioning Server Console after Clicking “Show Connected Devices: when there are multiple streaming NICs assigned to the Provisioning Server, when Show Connected Devices was clicked in the Provisioning console, the following symptoms might be experienced: Server timeout error 4002, unusual delay of 3 to 4 minutes to list the connected devices, or Provisioning console stops responding. Complete the following to resolve the issue:

  1. On the Provisioning Server machine, under HKLM\software\citrix\provisioningServices\Manager key, create registry DWORD RelayedRequestReplyTimeoutMilliseconds, and set it to 50 ms (Decimal).
  2. Create a DWORD RelayedRequestTryTimes, and set it to 1.
  3. Open the Provisioning Server console and test by selecting the Show Connected Devices command.

Antivirus Exclusions

Citrix’s Recommended Antivirus Exclusions

Endpoint Security, Antivirus, and Antimalware Best Practices at Citrix Docs TechZone contains a list of recommended exclusions for Citrix Provisioning.

 

Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:

  • Set real-time scanning to scan local drives only and not network drives
  • Disable scan on boot
  • Remove any unnecessary antivirus related entries from the Run key
  • Exclude the pagefile(s) from being scanned
  • Exclude Windows event logs from being scanned
  • Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including: StoreFront, VDA, Controller, and Provisioning. The Blog Post also has links to additional KB articles on antivirus.

Microsoft’s virus scanning recommendations

(e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

TFTP High Availability

BIOS machines have multiple methods of booting into PVS:

  • PXE (network boot) on same subnet as Citrix Provisioning Servers.
  • PXE (network boot) on different subnet as Citrix Provisioning Servers. DHCP Scope Options 66 and 67 required.
  • Boot ISO created by Citrix Provisioning Boot Device Manager.
  • Boot partition created by the Citrix Provisioning Virtual Desktops Setup Wizard.

EFI/UEFI machines have two methods of booting into PVS:

  • PXE (network boot) on same subnet as Citrix Provisioning Servers. DHCP Scope Option 11 required.
  • PXE (network boot) on different subnet as Citrix Provisioning Servers. DHCP Scope Options 66, 67, and 11 required.

If PXE booting on same subnet as Provisioning Servers, then make sure the PXE service is running on the Citrix Provisioning Servers. When your target device boots, it will broadcast a PXE Request message to the entire subnet. One of the Provisioning Servers PXE services will reply with the IP address of the TFTP service on the local Provisioning Server.

If your Target Devices are not on the same VLAN/subnet as the Provisioning Servers, then use Boot ISO or Boot Partition.

HA for DHCP Scope Options:

DHCP Failover

The DHCP infrastructure must be highly available. And session hosts should be configured with DHCP Reservations. With multiple DHCP servers, any reservation should be created on all DHCP servers hosting the same DHCP scope. The easiest way to accomplish this is with the DHCP Failover feature in Windows Server 2012 and newer.

  1. Build two DHCP servers on Windows Server 2012 or newer.
  2. Create a scope for the Provisioning Target Devices.
  3. Right-click the existing scope, and click Configure Failover.
  4. In the Introduction to DHCP Failover page, click Next.
  5. In the Specify the partner server to use for failover page, enter the name of the other DHCP server, and click Next.
  6. In the Create a new failover relationship page, enter a Shared Secret, and click Next.
  7. Click Finish.
  8. Click Close.

Health Check

CTP Sacha Thomet’s PowerShell script to view the health/status of the Provisioning environment. Emails an HTML Report. For Provisioning 7.7 and newer, see https://blog.sachathomet.ch/2015/12/29/happy-new-script-pvs-7-7-healthcheck/.

Related Pages

Citrix Provisioning – Create Devices

Last Modified: Dec 4, 2024 @ 3:56 am

Navigation

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

💡  = Recently Updated

Change Log

Target Device Template – vSphere

The hardware of the additional target devices must match the original virtual machine so that the drivers contained in the vDisk continue to function. The easiest way to preserve the hardware configuration is to clone the original virtual machine.

  1. Shut down the original virtual machine.
  2. Edit the Settings of the virtual machine and make sure there is a blank, formatted cache disk.
  3. Citrix Provisioning 2311 and newer only support UEFI. See Converting BIOS vDisks to UEFI at Citrix Docs.
  4. In the vSphere Client, right-click the original virtual machine, expand Clone, and click Clone to Template. The new machine must be a Template and not a regular virtual machine.
  5. In the Select a name and folder page, enter a name for the template, and click Next.
  6. In the Select a compute resource page, select the cluster and click Next.
  7. In the Select storage page, select a datastore for the template and click Next. Note: if you use the Citrix Provisioning wizards to create Target Devices, the new machines will be created on the same datastore as this template.
  8. In the Ready to complete page, click Finish.

Target Device Template – Hyper-V

If you store the template in the library then you might see the issue described in CTX128750 Hyper-V Synthetic Network Interface Card Reinitializes on New Target Devices. The article recommends cloning a real VM instead of a template VM but this might not work for Citrix Provisioning Citrix Virtual Desktops Setup Wizard.

  1. Edit the Properties of the original virtual machine and make sure there is a blank, formatted cache disk.
  2. Right-click the original virtual machine, expand Create and click Create VM Template.
  3. Click Yes to acknowledge that the source virtual machine will be destroyed.
  4. In the VM Template Identity page, give the template a name and click Next.
  5. In the Configure Hardware page, click Next.
  6. In the Configure Operating System page, select None – customization not required, and click Next. There is no need to run SysPrep.
  7. In the Select Library Server page, select a library server, and click Next.
  8. In the Select Path page, click Browse to select a share, and click Next.
  9. In the Summary page, click Create.

Citrix Virtual Desktops Setup Wizard

The easiest way to create a bunch of Target Devices is to use the Citrix Virtual Desktops Setup Wizard that is built into the Citrix Provisioning Console. This wizard used to be named XenDesktop Setup Wizard.

If you prefer to script much of this wizard, see:

Do the following to launch the Citrix Virtual Desktops Setup Wizard:

  1. The Citrix Virtual Desktops Setup Wizard uses the Hosting Resources defined in Citrix Studio, so configure Citrix Studio > Configuration > Hosting with destination datastores and networks for the new Target Devices. For maximum control over datastore placement, create a separate Hosting Resource per datastore.
  2. Make sure the Template Target Device is on the same datastore that you want the new Target Devices to be stored on.
  3. If Hyper-V, make sure the VMM Console is installed on the same machine as the Citrix Provisioning Console.
  4. In the Citrix Provisioning Console, right-click the site, and click Citrix Virtual Desktops Setup Wizard.
  5. In the Welcome to Citrix Virtual Desktops page, click Next.
  6. In the Citrix Virtual Desktops Controller page, choose Customer-Managed Control Plane, enter the name of a Delivery Controller, and click Next.
  7. In the Citrix Virtual Desktops Host Resources page, select a hosting resource. This list comes from the Hosting Resources created inside Studio. Click Next.
  8. Use a service account to login to vCenter or SCVMM when prompted. Citrix Provisioning might use these credentials later to power manage the target devices.
  9. If you see a message about no available templates, then you need to move your virtual machine template to this datastore.
  10. In the Template page, select the Target Device template, and click Next.
  11. In the Citrix Virtual Desktops Host Resources Network page, select a network and click Next.
  12. In the vDisk page, select the Standard Image vDisk and click Next.
  13. In the Catalog page, enter a name for a new catalog, and click Next. Or you can add machines to an existing catalog.
  14. In the Operating System page, make your selection, and click Next.
  15. If you selected Single-session OS, then in the User Experience page, select random or static, and click Next.
  16. In the Virtual machines page:
    1. Enter the number of machines you want to create.
    2. Enter the number of vCPUs for each new virtual machine. For RDSH, you usually add between 4 and 8 vCPUs.
    3. Enter the amount of Memory for each new virtual machine.
      • To accommodate the Citrix Provisioning vDisk memory cache, add 256 MB (virtual desktop) or 4 GB of RAM (Remote Desktop Session Host) to the Memory. See Citrix Blog Post Size Matters: PVS RAM Cache Overflow Sizing for more information.
    4. Specify the size of the cache disk: 20-40 GB for session hosts, or 5-10 GB for virtual desktops.
    5. Select BDM disk or PXE boot.
      1. For PXE boot, the Target Devices must be on the same VLAN as the Provisioning servers.
      2. BDM disk burns the boot image into the new virtual machine’s disk. BDM Disk supports target devices on a different subnet than the Provisioning servers. Make sure the Target Device VM template does not have any Boot ISOs configured.
  17. Click Next.
  18. In the Active Directory page, PVS 2308 and newer let you create computer accounts in untrusted domains. Click Next. 
  19. In the Active Directory accounts and location page
    1. Select an OU.
    2. Enter a naming pattern for the new machines. Use ## to represent numbering.
    3. Select a Starting Index.
  20. Click Next.
  21. In the Citrix Provisioning server information page, PVS 2308 and newer let you enter boot addresses that work for UEFI targets. Choose or enter your boot PVS servers and click Next.
  22. In the Summary page, click Finish to start creating the machines. The wizard will power on the machines so it can format the cache disk.
  23. Then click Done. PVS 2407 and newer have a button to View Logs.
  24. In Citrix Provisioning Console, if you go to Farm > Sites > mySite > Hosts, you’ll see the Hosting Resource used by the Wizard. If you open the Properties of the Hosting Resource…
  25. On the Credentials tab, you can see the credentials you used when running the wizard. You will probably want to change these to a service account.
  26. In Citrix Studio, you’ll see a new machine catalog.
  27. The Citrix Provisioning Citrix Virtual Desktops Setup Wizard seems to ignore zones, so you’ll have to move it to the correct zone manually.
  28. Create a new Delivery Group or add the machines to an existing Delivery Group.

Target Device Power Operation

If you used the Citrix Virtual Desktops Setup Wizard to create Target Devices, then the Target Devices are linked to a hosting connection and can be powered on from the Citrix Provisioning Console by right clicking the device and clicking Boot.

Target Devices created by the Citrix Virtual Desktops Setup Wizard have a VirtualHostingPoolId, which corresponds to the hosting connection listed under Sites > MySite > Hosts. When powering on the VM, Citrix Provisioning searches for a VM with the same name as the Target Device.

Boot Disk Manager (BDM) Partition Update

During Citrix Provisioning Citrix Virtual Desktops Setup Wizard, you can configure the Target Devices to use a BDM Partition to boot from Citrix Provisioning servers. This partition contains the IP addresses of the Citrix Provisioning servers. Prior to Citrix Provisioning 7.9, it was not possible to change the BDM Partition configuration.

In Citrix Provisioning 7.9 and newer, it is now possible to update the BDM Partition with the latest bootstrap info:

  1. In Citrix Provisioning Console, go to MyFarm > Sites > MySite > Servers, right-click each Citrix Provisioning server, and click Configure Bootstrap. Update the list of Citrix Provisioning servers.
  2. Make sure the Target Devices are powered off.
  3. Go to MyFarm > Sites > MySite > Device Collections, right-click a collection created by the Citrix Virtual Desktops Setup Wizard, expand Target Device, and click Update BDM Partitions.
  4. Citrix Provisioning 2311 and newer let you specify the Boot Servers.
  5. Click Update Devices.
  6. Click Close when done.

Citrix Studio Catalog of Citrix Provisioning Machines

The easiest method to create Citrix Provisioning Target Device machines (i.e. VDAs) and add them to a Machine Catalog is to run the Citrix Virtual Desktops Setup Wizard.

If you’re not able to use the Citrix Virtual Desktops Setup Wizard for any reason, then you can manually create Citrix Provisioning Target Device machines or use the Streamed VM Setup Wizard. Once the machines are created in the Citrix Provisioning Console, you need to Export them to a Delivery Controller.

In Citrix Provisioning 1906 and newer, to add Target Devices to a Machine Catalog, Citrix recommends that you use the new Export Devices Wizard because it works with both on-premises CVAD and Citrix Cloud. Find the wizard by right-clicking the Site name. See Export Devices Wizard at Citrix Docs. The Export Wizard is very similar to the Citrix Virtual Desktops Setup Wizard.

For Citrix Provisioning 1903 and older, do the following:

  1. In Citrix Studio, create a new Catalog.
  2. On the Introduction page, click Next.
  3. In the Operating System page, make a selection that matches the vDisk, and click Next.
  4. In the Machine Management page, change the Deploy machines using selection to Citrix Provisioning, and click Next.
  5. In the Device Collection page, enter the Provisioning server name, and click Connect.
  6. Select the Citrix Provisioning Device Collection, and click Next.
  7. In the Devices page, review the list of machines that will be added to the catalog, and click Next.
  8. In the Summary page, give the Catalog a name, and click Finish. You can now add these machines to a Delivery Group.
  9. You can later add more machines to the Device Collection in the Citrix Provisioning Console.
  10. To add the new machines to Citrix Studio, right-click the existing Catalog, and click Add Machines.
  11. In the Device Collection page, click Connect.
  12. Select the Device Collection containing new machines and click Next.
  13. In the Devices page, review the list of new machines, and click Next.
  14. In the Summary page, click Finish. You can now add these new machines to a Delivery Group.

Write Cache Disk

Write Cache Drive Letter

If the Write Cache disk is not mounting with the correct drive letter, see CTX133476 Explaining and Troubleshooting WriteCache Disk Drive Letter Assignment

Write Cache File Name

Citrix Provisioning has had three different cache names:

  • .vdiskCache is Legacy Ardence format (5 .x and before not supported anymore, you can delete this if your target software is running latest, this cache was optimized for size)
  • .vdiskdif.vhd is legacy hard drive cache (6.0 and above local hard drive cache, used standard 1mb sector size and is larger than the legacy cache but worked better with storage and was incrementally faster than Legacy Ardence format)
  • vdiskdiff.vhdx is Ram cache with overflow (7.1.4 and above RAM cache with overflow, 2 mb sectors larger than vhd but much faster and more compatible with storage)

Write Cache Filling Up Cache Disk

The vdisk cache is basically a difference disk and only contains the blocks that are written to the system drive so you cannot mount it or read the file, it is just block data.  Use a tool like Process Monitor from Microsoft (used to be sysinternals) and monitor the system drive. Any write to the system drive is redirected by the Citrix Provisioning software to the cache file.  Make sure that any software that is installed on the target image does not have an auto update feature enabled, redirect all user data to a network share and educate your users to make sure they are not doing something that will fill up the cache like downloading a video to the local system drive.

Be aware that the RAM cache with overflow to hard drive can use more space on your local drive, it is important even in the older cache that you perform regular maintenance on your vdisks some recommendations:

  • Merge to a new base disk when you have created 5 or more versions
  • After every merge to the base disk, mount the new base disk and defrag the disk, this is important to reduce sectors used in the local cache, it is very important with the new RAM cache with overflow to local disk but it can have a very positive impact with the legacy local cache. Refer to http://blogs.citrix.com/2015/01/19/size-matters-pvs-ram-cache-overflow-sizing for more information.

Write Cache Size Monitoring

To view the size of Write Cache in RAM with overflow to disk, look in Task Manager for Nonpaged pool.

Citrix Blog Post Digging into PVS with PoolMon and WPA details how to use Windows Performance Analyzer to view Citrix Provisioning RAM cache and overflow.

Related Topics

Citrix Provisioning – Update vDisk

Last Modified: Dec 4, 2024 @ 3:56 am

Navigation

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

đź’ˇ = Recently Updated

Change Log

Updater Device

  1. Create a new Updater Target Device that is only used when you need to update a vDisk. You can create the Updater device manually or you can use the Citrix Virtual Desktops Setup Wizard.
  2. Put the Updater device in a new Device Collection. This is to avoid assigning the device to a Catalog in Studio. Users must not connect to an Updater device while it is powered on.
  3. Set the Updater device to boot from the Maintenance Type. This is used by the Versioning method of updating a vDisk.
  4. When adding the Updater device to Active Directory, be mindful of group policies. Sometimes it is helpful to apply the group policies to the Updater device so they are stored in the vDisk you are updating.
  5. An Updater device can only boot from one vDisk at a time but it can boot from any vDisk. If you need to do updates to multiple vDisks simultaneously, create more Updater devices.
  6. If you are using Enterprise Software Deployment tools (e.g., System Center Configuration Manager) to maintain a vDisk, keep the Updater device constantly booted to a Maintenance version so the ESD tool can push updates to it. This basically requires a separate Updater device for each vDisk.

Update a vDisk – Versioning Method

  1. In the Citrix Provisioning Console, right-click a Standard Mode vDisk, and click Versions.
  2. In the vDisk Versions window, click New.
  3. Notice that the Access is set to Maintenance. Click Done.
  4. If you look at the physical location where the vDisks are stored, you’ll see a new .avhdx file.
  5. Go to the properties of an Updater Target Device, and change the Type to Maintenance. You’ll use this Target Device to update the vDisk. Make sure this Target Device you are using for vDisk Updating is not in any Delivery Group so that users don’t accidentally connect to it when it is powered on.
  6. Of course this Target Device will need to be configured to use the vDisk you are updating.
  7. Power on the Updater Target Device.
  8. If you did not configure the DWORD registry value HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipBootMenu to 1 on the Provisioning Servers, then you’ll see a boot menu.
  9. Login to your Updater Target Device. The Virtual Disk Status icon by the clock should indicate that the vDisk Mode is now Read/Write.
  10. Make any desired changes.
  11. The Citrix Provisioning Image Optimization tool disables Windows Update. To install Windows Updates, use the following script to enable Windows Update, install updates, then disable Windows Update – http://www.xenappblog.com/2013/prepare-a-provisioning-services-vdisk-for-standard-mode/
  12. Before powering off the target device, run your sealing tasks. Run antivirus sealing tasks. See VDA > Antivirus for links to antivirus vendor articles.
  13. Citrix Blog Post Sealing Steps After Updating a vDisk contains a list of commands to seal an image for Citrix Provisioning.
  14. Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.
  15. Power off the target device so the vDisk is no longer being used.
  16. Go back to the Versions window for the vDisk.
  17. Highlight the version you just updated, and click Promote.
  18. Best practice is to promote it to Test first. Or you can go directly to Production if you’re confident that your updates won’t cause any problems. Note: if you select Immediate, it won’t take effect until the Target Devices are rebooted. For scheduled promotion, the Target Devices must be rebooted after the scheduled date and time.
  19. The Replication icon should have a warning icon on it indicating that you need to copy the files to the other Provisioning server.
  20. Only copy the .avhdx and .pvp files. Do not copy the .lok file.

  21. Another method of copying the vDisk files is by using Robocopy:
    Robocopy D:\vDisks\ \\pvs2\d$\vDisks *.vhd *.avhd *.pvp *.vhdx *.avhdx /b /mir /xf *.lok /xd WriteCache /xo
  22. Citrix Blog Post The vDisk Replicator Utility is finally finished! has a GUI utility script that can replicate vDisks between Citrix Provisioning Sites and between Citrix Provisioning Farms.

  23. Then click the Refresh button, and the warning icon should go away.
  24. Configure a Target Device to boot the Test vDisk Type. Then boot it.
  25. Once testing is complete, promote the vDisk version again.
  26. Immediate means it will take effect only after Target Devices are rebooted, whether immediately or later. Scheduled means the Target Device has to be rebooted after the scheduled date and time before it takes effect; if the Target Device has been rebooted before the scheduled date, then the older version is still in effect. Click OK.
  27. If you need to Revert, you can use the Revert button, or the drop-down on top of the window.

Merge Versions

  1. Citrix recommends no more than five .avhd files in the snapshot chain. To collapse the chain of .avhd files, you can Merge the versions. Don’t Merge until the files on both Provisioning servers are replicated.
  2. You can merge (Merged Updates) multiple .avhdx files into a single new .avhdx file that is linked to the original base file. Or you can merge (Merged Base) the original base, plus all of the .avhdx files into a new base .vhdx file, without any linked .avhdx files.
  3. The Merged Base process creates a whole new .vhdx file that is the same size or larger than the original base. After merging, replicate the merged file to both Provisioning Servers.

  4. Make sure there is no warning icon on the Replication button.
  5. If your merged version is currently in Test mode, then you can promote it to Production.
  6. After merging, you can delete older versions if you don’t need to revert to them.

Citrix CTX207112 Managing Provisioning Services VDisk Versions with VhdUtil Tool: CLI tool that can do the following outside of Citrix Provisioning Console:

  • dump header/footer
  • merge chain
  • rename chain

Expand vDisk VHD

To expand a vDisk file, create a Merged Base. Then use normal VHD expansion tools/methods.

One method is described below: (Commands in fixed width font)

  1. Open cmd or powershell as administrator
  2. diskpart
  3. select vdisk file=“<path to your visk>” (e.g. V:\store\my.vhd)
  4. list vdisk (you should now see your vdisk and the path)
  5. expand vdisk maximum=60000 (This is the size in megabytes of the size you want to extend, so 60000 is 60Gb)
  6. attach vdisk
  7. list disk
  8. list volume (take note of the Volume number of the your vdisk, you should see the old size)
  9. select volume 5 (or whatever volume number from list volume command)
  10. extend
  11. list volume (you should now see the size you want for your disk. This should also be seen in the Citrix Provisioning console)
  12. detach vdisk
  13. exit

Reverse Image – BCDEDIT Method

If you want to upgrade the Citrix Provisioning Target Device Software on a vDisk, and if your current Target Devices Software installation is 7.6 Update 1 or newer then you can simply install the new Target Device Software. No special steps required. However, if your Target Device software is 7.6 or older then you’ll need to Reverse Image as detailed in this section.

If you want to update the NIC driver (e.g., VMware Tools), then you can’t use the normal vDisk versioning process since NIC interruptions will break the connection between Target Device and vDisk. Instead, you must reverse image, which essentially disconnects the vDisk from Citrix Provisioning.

One method of reverse imaging is to boot directly from the vDisk VHD. All you need to do is copy the vDisk VHD/VHDX to a Windows machine’s local C: drive, run bcdedit to configure booting to the VHD/VHDX, reboot into the VHD/VHDX, make your changes, reboot back into the original Windows OS, copy the VHD/VHDX back to Citrix Provisioning and import it. Details can be found later in this section.

Instead of the BCDEDIT method, you can try one of these alternative reverse image methods:

  • Citrix Image Portability Service can take a VHD from a Citrix Provisioning (PVS) store and recreate the original vSphere image. 
  • Aaron Silber How to update VMware Tools without Reverse Imaging – The gist is to add an E1000 NIC, boot from that, upgrade VMware Tools, and then remove the E1000 NIC. CTA Nishith Gupta has detailed this process in VMware Tools In PVS Image.
  • The traditional method of reverse imaging is to use Citrix Provisioning Imaging (P2PVS.exe), or similar, to copy a vDisk to a local disk, boot from the local disk, make changes, and then run the Imaging Wizard again to copy the local disk back to a new vDisk. Select Volume to Volume. On the next page, select C: as source, and local disk as Destination. If you don’t see the C: drive as an option, then make sure your vDisk is in read/write mode (Private Image or Maintenance Version).
  • George Spiers PVS Reverse Image with VMware vCenter Converter. This article has troubleshooting steps if the reverse image won’t boot.
  • Jan Hendriks Citrix PVS Reverse Imaging with Windows Backup.

To use bcdedit to boot from directly from vDisk VHD (Microsoft TechNet Add a Native-Boot Virtual Hard Disk to the Boot Menu):

  1. In Citrix Provisioning Console, if using versioning, create a merged base.
  2. Copy the merged based vDisk (VHDX file) to any supported Windows machine. Note: the C: drive of the virtual machine must be large enough to contain a fully expanded VHDX file.
  3. Run the following command to export the current BCD configuration:
    bcdedit /export c:\bcdbackup

  4. Run the following command to copy the default BCD entry to a new entry. This outputs a GUID that you will need later.
    bcdedit /copy {default} /d "vhd boot (locate)"

  5. Run the following commands to set the new BCD entry to boot from the VHD file. Replace {guid} with the GUID outputted from the previous command. Include the braces.
    bcdedit /set {guid} device vhd=[locate]\MyvDisk.vhd
    bcdedit /set {guid} osdevice vhd=[locate]\MyvDisk.vhd
    

  6. Make sure you are connected to the console of the virtual machine.
  7. Restart the virtual machine.
  8. When the boot menu appears, select the VHD option. Note: if you see a blue screen, then you might have to enlarge your C: drive so the VHD file can be unpacked.
  9. Login to the virtual machine.
  10. Perform updates:
    1. Uninstall the Citrix Provisioning Target Device software.
    2. Upgrade VMware Tools.
    3. Reinstall Citrix Provisioning Target Device software. The Target Device software must be installed after VMware Tools is updated.
  11. When you are done making changes, reboot back into the regular operating system.

  12. Rename the updated VHD file to make it unique.
  13. Copy the updated VHD file to your Citrix Provisioning Store.
  14. Copy an existing .pvp file and paste it with the same name as your newly updated VHD.

  15. In the Citrix Provisioning Console, right-click the store, and click Add or Import Existing vDisk.
  16. Click Search.
  17. It should find the new vDisk. Click Add. Click OK.

  18. You can now assign the newly updated vDisk to your Target Devices.

Automatic Scheduled vDisk Update – SCCM

You can use the vDisk Update Management node (and Hosts node) in Citrix Provisioning Console to schedule an updater machine to power on, receive updates from System Center Configuration Manager, and power off. The new vDisk version can then be automatically promoted to Production, or you can leave it in Maintenance or Test mode and promote it manually.

See the following Citrix links for instructions:

Related Topics

Citrix ADC and CVAD Firewall Rules

Last Modified: Jul 8, 2021 @ 6:45 am

Navigation

See CTX101810 Communication Ports Used by Citrix Technologies

đź’ˇ = Recently Updated

Change Log

Citrix ADC Firewall Rules

From To Protocol / Port Purpose
Administrator machines NSIPs (and/or SNIPs) TCP 22
TCP 80
TCP 443
TCP 3010
TCP 3008
SSH and HTTP/SSL access to NetScaler configuration GUI. TCP 3008/3010 is Java and 3008 is used if traffic is encrypted. Java not needed in 10.5 build 57 and newer.
Administrator machines NetScaler SDX SVM, XenServer TCP 22
TCP 80
TCP 443
To administer NetScaler SDX
Administrator machines NetScaler Lights Out Module TCP 443
TCP 623
TCP 5900
CTX200367
NSIP
SNIP
DNS servers Ping
UDP 53
TCP 53
Ping is used for monitoring. Can be turned off by load balancing on the same appliance.
NSIPs
SNIP
NetScaler MAS TCP 27000
TCP 7279
Pooled Licensing
NSIPs
SNIP
NTP servers UDP 123 NTP
NSIPs
SNIP
Syslog server UDP 514 Syslog
NSIPs callhome.citrix.com
cis.citrix.com
taas.citrix.com
TCP 443 Call Home
NSIPs (default)
SNIP
LDAP Servers(Domain Controllers) TCP 389 (Start TLS)
TCP 636 (Secure LDAP)
Secure LDAP requires certificates on the Domain Controllers. Secure LDAP enables password changes when they expire.SNIP if Load Balanced on same appliance
NSIPs LDAP Servers TCP 389
TCP 636
Monitor Domain Controllers
NSIPs (default)
SNIP
RADIUS servers UDP 1812 RADIUS is used for two-factor authentication. SNIP if Load Balanced on same appliance
SNIP RADIUS servers UDP 1812
Ping
Monitor RADIUS servers
NetScaler SDX Service virtual machine NSIPs Ping
TCP 22
TCP 80
TCP 443
Only if NetScaler VPX runs as a virtual machine on top of NetScaler SDX
Local GSLB Site IP
SNIP
GSLB Site IP (public IP) in other datacenter TCP 3009
TCP 3011
GSLB Metric Exchange Protocol between appliance pairs
NSIPs GSLB Site IP (public IP) in other datacenter TCP 22
TCP 3008
TCP 3010
GSLB Configuration Sync
Local GSLB Site IP
SNIP
All Internet Ping
UDP 53
TCP (high ports)
RTT to DNS Servers for Dynamic Proximity determination
SNIP StoreFront Load Balancing VIP TCP 443 NetScaler Gateway communicates with StoreFront
SNIP StoreFront servers TCP 80
TCP 443
TCP 808
StoreFront Load Balancing
NSIPs StoreFront servers TCP 80
TCP 443
Monitor StoreFront servers
StoreFront servers NetScaler Gateway VIP (DMZ IP) TCP 443 Authentication callback from StoreFront server to NetScaler Gateway.
SNIP Each individual Delivery Controller in every datacenter TCP 80
TCP 443
Secure Ticket Authorities. This cannot be load balanced.
TCP 443 only if certificates are installed on the Delivery Controllers.
SNIP All internal virtual desktops and session hosts (subnet rule?) TCP 1494
TCP 2598
UDP 1494
UDP 2598
UDP 16500-16509
HDX ICA
Enlightened Data Transport
Session Reliability
UDP Audio
All Internet
All internal users
NetScaler Gateway VIP (public IP) TCP 80
TCP 443
UDP 443
Connections from browsers and native Receivers
DTLS for UDP Audio
All Internet
All internal DNS servers
SNIP ADNS Listener (Public IP) UDP 53
TCP 53
ADNS (for GSLB)
Web logging server NSIPs TCP 3010 Web logging polls the NetScalers.
NSIPs NetScaler MAS or other SNMP Trap Destination UDP 161
UDP 162
SNMP Traps
NSIPs
SNIP
NetScaler MAS or other AppFlow Collector UDP 4739
TCP 5557, 5558
TCP 5563
AppFlow (IPFIX, Logstream, and Metrics)
NSIP mfa.cloud.com
trust.citrixworkspacesapi.net
TCP 443 Native OTP Push (DNS required)
  • Authentication traffic uses NSIPs by default. This can be changed by creating a local Load Balancing Virtual Server on the same appliance and sending authentication traffic through the Load Balancing VIP.
  • Several of the Load Balancing monitors run as Perl scripts, which are sourced from the NSIPs, not SNIP. But actual load balancing traffic uses SNIP as the source IP.
  • DNS Name Servers use ping for monitoring. This can be disabled by creating a local Load Balancing Virtual Server on the same appliance and sending DNS traffic through the load balancer.
  • In a ADC with a dedicated management network and default route on a different data network, configure Policy Based Routes (PBRs) to send NSIP-sourced traffic through a router on the NSIP subnet.
  • Logstream defaults to SNIP as source but can be changed to NSIP. See CTX286215.

Citrix ADM Firewall Rules

Citrix Application Delivery Management (ADM) monitors and manages the ADC appliances.

From To Protocol / Port Purpose
ADM Floating IP
ADM Agent
NSIPs Ping
TCP 22
TCP 80
TCP 443
Discovery and configuration of ADC devices
NSIPs ADM Floating IP
ADM Agent
TCP 80
TCP 443
Nitro
ADM (Primary, Secondary) NSIPs UDP 161 SNMP
ADM Agents ADM Floating IP TCP 443
TCP 7443
TCP 8443
Agent Communication
NSIPs ADM Floating IP
ADM Agent
UDP 4739 AppFlow
SNIP ADM Floating IP
ADM Agent
TCP 5563 Metrics Collector
NSIPs
SNIP
ADM Floating IP
ADM Agent
TCP 5557, 5558 Logstream (ULFD)
NSIPs ADM Floating IP
ADM Agent
UDP 161
UDP 162
SNMP Traps
NSIPs ADM Floating IP
ADM Agent
UDP 514 Syslog
CPX NSIPs
VPX NSIPs
ADM Floating IP
ADM Agent
TCP 27000
TCP 7279
Pooled Licensing
Administrator Machines ADM Floating IP
ADM Agent
TCP 22
TCP 80
TCP 443
Web-based GUI
Director Servers ADM Floating IP TCP 80
TCP 443
Insight Integration with Director
ADM LDAP(S)
LDAP(S) VIP
TCP 389
TCP 636
LDAP authentication
ADM Mail Server TCP 25 Email alerts
ADM NTP Server UDP 123 NTP
ADM Syslog Server UDP 514 Syslog

Citrix Virtual Apps and Desktops Firewall Rules

From To Protocol / Port Purpose
Administrator machines Delivery Controllers TCP 80/443
TCP 3389
PowerShell
RDP
Delivery Controllers SQL Server TCP 1433
UDP 1434
Other static port
SQL database
Delivery Controllers vCenter TCP 443 vCenter
Delivery Controllers SCVMM (Hyper-V) TCP 8100 SCVMM
Delivery Controllers Citrix Licensing TCP 27000
TCP 7279
TCP 8082-8083
Citrix Licensing
StoreFront servers Delivery Controllers TCP 80
TCP 443
XML
Secure Ticket Authority
StoreFront servers StoreFront servers TCP 808 Subscription Replication
StoreFront servers Domain Controllers in Trusted Domains TCP 88
TCP 135
TCP 445
TCP 389/636
TCP 49151-65535
RPC
Discussions
Administrator machines StoreFront servers TCP 3389 RDP
Administrator machines Citrix Licensing TCP 8082-8083
TCP 3389
Web-based administration GUI
RDP
Delivery Controllers All VDAs TCP 80 Brokering
All VDAs Delivery Controllers TCP 80 Registration
All VDAs Global Catalogs
(Domain Controllers)
TCP 3268 Registration
All Server OS VDAs Remote Desktop Licensing Server RPC and SMB Remote Desktop Licensing
All Workspace apps
(Internal)
StoreFront SSL Load Balancing VIP TCP 80
TCP 443
Internal access to StoreFront
All Workspace apps Citrix Gateway VIP TCP 80
TCP 443
External (or internal) access to Citrix Gateway
All Workspace apps
(Internal)
All VDAs TCP 1494
UDP 1494
TCP 2598
UDP 2598
UDP 16500-16509
ICA/HDX
EDT
Session Reliability
UDP Audio
Administrator machines Director TCP 3389 RDP
Administrator machines
Help Desk machines
Director TCP 80
TCP 443
Web-based GUI
Director Delivery Controllers TCP 80
TCP 443
Director
Administrator machines
Help Desk machines
All VDAs TCP 135
TCP 3389
Remote Assistance

Also see Microsoft Technet Which ports are used by a RDS 2012 deployment?

Citrix Provisioning Firewall Rules

From To Protocol / Port Purpose
Provisioning Servers SQL Server TCP 1433
UDP 1434
Other static port
SQL database for Provisioning Services
Provisioning Servers Provisioning Servers SMB File copy of vDisk files
Provisioning Servers Provisioning Servers UDP 6890-6909 Inter-server communication
Provisioning Servers Citrix Licensing TCP 27000
TCP 7279
TCP 8082-8083
TCP 80
Citrix Licensing
Provisioning Servers Controllers TCP 80
TCP 443
Setup Wizards to create machines
Provisioning Servers vCenter TCP 443 Setup Wizards to create machines
Provisioning Servers Target Devices UDP 6901
UDP 6902
UDP 6905
Provisioning Services Console Target Device power actions (e.g. Restart)
Administrator machines Provisioning Servers TCP 3389
TCP 54321
TCP 54322
TCP 54323
RDP
SOAP
Controllers Provisioning Servers TCP 54321
TCP 54322
TCP 54323
Add machines to Catalog
Target Devices DHCP Servers UDP 67 DHCP
Target Devices KMS Server TCP 1688 KMS Licensing
Target Devices Provisioning Servers UDP 69
UDP 67/4011
UDP 6910-6969
TFTP
PXE
Streaming (expanded port range)
Target Devices Provisioning Servers UDP 6969
UDP 2071
Two-stage boot (BDM)
Target Devices Provisioning Servers TCP 54321
TCP 54322
TCP 54323
Imaging Wizard to SOAP Service