User manual

XenApp 5 for Windows Server 2008
2015-03-04 20:23:14 UTC
© 2015 Citrix Systems, Inc. All rights reserved.
Contents
XenApp 5 for Windows Server 2008
XenApp 5 for Windows Server 2008
Release Notes for XenApp 5.0 Feature Pack
Readme for Citrix XenApp 5.0 for Windows Server 2008
Installation Checklist
Getting Started with Citrix XenApp
Before You Begin
New Product and Feature Names
Media Kit Contents
Introducing Citrix XenApp 5
XenApp Product Editions
New Features and Changes in XenApp 5
New Features, Capabilities, and Changes in the XenApp 5 Feature Pack
XenApp Feature Overview
Hosted Application Delivery and Features
Application Streaming
Citrix Receiver and Merchandising Server
XenServer Virtualization Platform
Load Testing Services
Provisioning Services
Profile Management
Service Monitoring
SmartAuditor
Secure Application Access
Branch Optimization
Single Sign-on
EasyCall Voice Services
Workflow Studio Orchestration
Getting Up and Running with XenApp 5
Using XenApp to Manage Applications
Preparing to Create the Farm
Licensing This Release
Installing XenApp 5
Installing Additional Features
Running Mixed Farms
Planning Your XenApp Deployment
Farm Terminology and Concepts
Farm Hardware Considerations
Planning for Applications and Server Loads
Assessing Applications for XenApp Compatibility
Evaluating Application Delivery Methods
Placing Applications on Servers
Deciding How Many Farms to Deploy
Planning Infrastructure Servers
Planning the XenApp Data Store
Connecting to the Data Store
Database Server Hardware Performance Considerations
Replication Considerations
Planning for Configuration Logging and IMA Encryption
Planning for Data Collectors
Planning for WANs by Using Zones
Planning for the Web Interface and XML Broker
Planning for Application Streaming
Designing Terminal Services User Profiles
Planning for Accounts and Trust Relationships
Recommendations for Active Directory Environments
Planning for System Monitoring and Maintenance
Planning for UAC
Planning for Shadowing
Securing Delivery and Access
Planning for Supported Languages and Windows MUI Support
Planning for Passthrough Client Authentication
Planning a Successful User Experience
Integrating Other XenApp Features and Technologies
Choosing an Installation Method
XenApp Installation
Building a XenApp Farm
Preparing Your Environment
Creating a Farm
Choosing the Edition
Choosing an Installation Category
Selecting Components
Enabling and Configuring Passthrough Client Authentication
Installing the License Server
Selecting Components of XenApp
Specifying the Farm Name, Data Store, Zone, and Credentials
Enabling and Configuring IMA Encryption
Specifying the Citrix License Server
Enabling and Configuring Session Shadowing
Configuring the Citrix XML Service Port
Adding Users to the Remote Desktop Users Group
Joining a Server Farm
Migrating to XenApp 5.0
Choosing a Farm Migration Strategy
Creating a Migration Plan
Changes in This Release of XenApp
Migration Requirements and Restrictions
To migrate from the previous release
To uninstall XenApp and remove a server from a farm
To migrate a server farm by creating a new farm
Mixed Farms
Provisioning Servers and Configuring XenApp
Provisioning Farm Servers
Cloning XenApp Servers
To clone a server
Configuring Infrastructure Servers After Setup
Configuring XenApp after Installation
Custom XenApp Installation
Generating an Installation Log File
Preparing for Custom XenApp Installations
Installing XenApp by Modifying Windows Installer Packages
Applying Transforms to Setup
Performing an Unattended Installation with an Answer File
XenApp Windows Installer Properties Reference
XenApp Setup Properties for Create Farm and Join Farm
CTX_ADDLOCAL
CTX_CONFIGMGR_USER
CTX_CONFIGMGR_USER_PASSWORD
CTX_CPSVC_SERVICE_USER_NAME
CTX_CPSVC_SERVICE_USER_PASSWORD
CTX_IGNORE_MCM
CTX_IMA_PROTECTION_ENABLE
CTX_MALOO_SERVICE_USER
CTX_MALOO_SERVICE_USER_PASSWORD
CTX_MF_ADD_ANON_USERS
CTX_MF_ADD_LOCAL_ADMIN
CTX_MF_CREATE_FARM_DB_CHOICE
CTX_MF_CREATE_REMOTE_DESKTOP_USERS
CTX_MF_DOMAIN_NAME
CTX_MF_ENABLE_VIRTUAL_SCRIPTS
CTX_MF_FARM_SELECTION
CTX_MF_INDIRECT_JOIN_DOMAIN_NAME
CTX_MF_INDIRECT_JOIN_PASSWORD
CTX_MF_INDIRECT_JOIN_USER_NAME
CTX_MF_JOIN_FARM_DB_CHOICE
CTX_MF_JOIN_FARM_SERVER_NAME
CTX_MF_JOIN_FARM_SERVER_PORT
CTX_MF_LIC_CHOICE_FOR_CREATE
CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE
CTX_MF_LICENSE_SERVER_NAME
CTX_MF_LICENSE_SERVER_PORT
CTX_MF_LICENSE_SERVER_PORT_DEFAULT
CTX_MF_LOCAL_DATABASE
CTX_MF_MSDE_INSTANCE_NAME
CTX_MF_NEW_FARM_NAME
CTX_MF_ODBC_DRIVER
CTX_MF_ODBC_PASSWORD
CTX_MF_ODBC_USER_NAME
CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS
CTX_MF_SERVER_TYPE
CTX_MF_SHADOW_PROHIBIT_NO_LOGGING
CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION
CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA
CTX_MF_SHADOWING_CHOICE
CTX_MF_SILENT_DSNFILE
CTX_MF_USER_NAME
CTX_MF_XML_CHOICE
CTX_MF_XML_PORT_NUMBER
CTX_MF_ZONE_NAME
CTX_PROTECT_KEY_PATH
CTX_PROTECT_KEY_TYPE
CTX_PROTECT_NEW_KEY_PATH
CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD
CTX_REMOVE_WI_TURNKEY
CTX_SERV_MALOO_LOGON
CTX_SERV_PRINTER_LOGON
CTX_USE_EXISTING_JRE
INSTALLDIR
REBOOT
REINSTALLMODE
XenApp Windows Setup Properties Script Examples
Data Store Database Reference
Microsoft Access Database
Microsoft SQL Server Express Database
Microsoft SQL Server Database
Oracle Database
IBM DB2 Database
Creating a DSN File for XenApp Setup
Maintaining and Recovering a XenApp Data Store
Migrating a Farm Data Store
Migrating a Farm Data Store from MSDE to SQL Server Express
XenApp Administration
Management Consoles and Other Tools
Choosing the Console or Tool to Use
To start the console
Displaying Items in the Console
The Console User Interface
Performing Tasks with the Console
To view zones
Enabling Citrix Administrators to Manage Farms Remotely
XenApp Advanced Configuration and Presentation Server Console
Managing Citrix Administrators
Delegating Tasks to Custom Administrators
Publishing Resources
Publishing Resources for Users
To configure servers to publish for multiple users
To publish a resource using the Publish Application wizard
Publishing App-V Sequences in XenApp
To select a resource type and delivery method
To configure locations of published applications
To configure locations of published content
To disable command-line validation
Managing Streamed Applications
Publishing Streamed Applications
To select a streaming delivery method
To force a delivery method for streamed applications
To provide HTTP or HTTPS delivery method
Configuring Offline Access
Configuring Content Redirection
To enable content redirection from server to client
To configure content redirection from client to server
Managing Application Properties
To rename a published application
To configure locations of servers for published resources
To specify locations of applications for streaming
To enable an application for offline access
To configure user access to applications
Granting Access to Explicit or Anonymous Users
To configure shortcuts for user devices
To configure access controlled by the Access Gateway
To associate published applications with file types
To update file type associations
To configure alternate profiles
To pass parameters to published applications
To reduce user privileges for a streamed application
To configure application limits and importance
To configure audio and encryption options for published applications
To configure application appearance
To disable or enable a published application
To delete a published application
To move a published application to another folder
To duplicate published application settings
To export published application settings to a file
To import published application settings from a file
Making Virtual IP Addresses Available to Applications
How Virtual IP Addressing Works
Configuring Virtual Loopback
Binding Applications
To determine whether an application needs to use virtual IP addresses
To make virtual IP addresses available to applications running in sessions
To assign virtual IP address ranges to servers
To enable application processes to use virtual IP addresses or virtual loopback
To supply client IP addresses to published applications on a server
To make a virtual loopback address available to applications running in sessions
To enable or disable virtual loopback for a farm
To configure virtual IP addresses and virtual loopback on an individual server
Working with XenApp Policies
Creating XenApp Policies
Applying XenApp Policies
Configuring Policy Rules
To configure policy rules
Using Multiple Policies
Using Citrix policies with Active Directory
Prioritizing Policies and Creating Exceptions
Determining Which Policies Apply to a Connection
Resolving Search Results that Partially Match Criteria
Troubleshooting Policies with Conflicting Rules
Disabling, Reenabling, and Deleting Policies
Changing Settings Based on User Location
Configuring Policies and Filters for Web Access
Enabling Scanners and Other TWAIN Devices
To enable TWAIN redirection
Managing Session Environments and Connections
Defining User Environments in XenApp
Controlling the Appearance of User Logons
Controlling Access to Devices and Ports
Mapping Client Drives
Mapping Client COM Ports and Audio
Displaying Local Special Folders in Sessions
To enable Special Folder Redirection
To prevent local special folders from being redirected
Configuring Audio for User Sessions
To enable or disable audio for published applications
Limiting Bandwidth for Audio Throughput
To configure audio compression and output quality
Enabling Support for Microphones and Speakers
Setting Up for Digital Dictation Devices
Ensuring Session Continuity for Mobile Workers
Maintaining Session Activity
Configuring Session Reliability
Configuring Automatic Client Reconnection
Configuring ICA Keep-Alive
Managing and Monitoring XenApp Sessions
Monitoring Session Status
Viewing User Sessions
Viewing User Sessions with the Shadow Taskbar
To view user sessions with the console
Enabling Logging for Shadowing
Enabling User-to-User Shadowing with Policies
To create a user policy to define users who can shadow
To merge shadowers in multiple policies
Managing User Sessions
To terminate processes in a user’s session
To display session properties
To connect to a user’s session from Program Neighborhood
To reset a session
To log off from a session
To send a message to one or more users
Controlling Client Connections in XenApp
Preventing Specific Client Connection Types
Specifying Connection Limits
Limiting Connections to a Server Farm
Sharing Sessions and Connections
Limiting Application Instances
Logging Connection Denial Events
Controlling Connections with Terminal Services Configuration
Preventing User Connections during Farm Maintenance
Optimizing User Sessions for XenApp
Optimizing Web Page and Email Responsiveness
Effects of Restricting Animations in Internet Explorer
SpeedScreen Browser Acceleration Limitations
Configuring SpeedScreen Browser Acceleration
Optimizing Audio and Video Playback
Configuring SpeedScreen Multimedia Acceleration
Optimizing Flash Animations
Optimizing Throughput of Image Files
Optimizing Display of Image Files
Optimizing Keyboard and Mouse Responsiveness
Configuring SpeedScreen Latency Reduction
Adjusting SpeedScreen Latency Reduction for an Application
To configure latency reduction settings for input fields in an application
To create exception entries for non-standard input fields in an application
Configuring ICA Display Settings
To configure ICA browser settings for a server
Securing Server Farms
Securing Access to Your Servers
Securing the Data Store
Securing Client-Server Communications
Using SecureICA
Enabling SSL/TLS Protocols
To configure session data encryption
To set a policy for ICA encryption
Configuring SSL/TLS Between Servers and Clients
Task Summary for Implementing SSL Relay
Installing and Configuring the SSL Relay Tool with User Account Control Enabled
Obtaining and Installing Server and Root SSL Certificates
Choosing an SSL Certificate Authority
Acquiring a Signed SSL Certificate and Password
To enable the SSL Relay and select the relay credentials
Using the SSL Relay with the Microsoft Internet Information Service (IIS)
Configuring the Relay Port and Server Connection Settings
To add a server to the destination server list
To change the port for a server listed in the destination server list
To run the SSL Relay on port 443 without using HTTPS
Configuring the Ciphersuites Allowed by the SSL Relay
Using the Secure Gateway
Using the Secure Ticket Authority
Securing Network Communications
Configuring TCP Ports
Using Proxy Servers
Configuring Authentication for Workspace Control
Using Smart Cards with Citrix XenApp
Smart Card Requirements
Configuring XenApp for Smart Cards
Configuring Kerberos Logon
Logging Administrative Changes to a XenApp Farm
Setting up the Configuration Logging Database
Defining Database Permissions for Configuration Logging
To configure the connection to the Configuration Logging database using the Configuration Logging Database wizard
To configure a SQL Server database for configuration logging
To configure an Oracle database for configuration logging
To set Configuration Logging properties
Delegating the Administration of Configuration Logging
To view Configuration Logging properties
Clearing Entries from the Configuration Logging Database
Generating Configuration Logging Reports
Encrypting Sensitive Configuration Logging Data
Copying the key to a local computer
To generate a key and enable IMA encryption on the first server in a farm
To load a key on subsequent servers in the farm
To store the key on a network location
Changing Farms
Enabling IMA Encryption Features
XenApp Service Account Privileges
Maintaining Server Farms ............................................................
581
Displaying and Organizing Your Farm .........................................
582
Organizing Your Farm Display in the Console ..........................
584
To configure general farm properties ........................................
586
To search for objects in your farm............................................
587
Connecting to a Remote Server Console .....................................
589
To connect to a server’s published desktop .................................
591
To connect directly to a server's desktop ....................................
592
To limit the number of server connections per user .......................
593
To disable and re-enable server logons ......................................
594
Enabling Local Browsers with Published Applications ......................
595
Restarting Servers at Scheduled Times.......................................
596
To repair a XenApp installation................................................
598
Changing XenApp Farm Membership ..........................................
599
Removing and Reinstalling XenApp ...........................................
600
To remove XenApp .........................................................
603
To force the uninstallation of XenApp ..................................
604
To remove a server from the farm ......................................
605
To rename a XenApp server ..............................................
606
Monitoring Server Performance with Health Monitoring & Recovery
12
607
Enabling and Disabling Health Monitoring & Recovery
609
Modifying Health Monitoring & Recovery Test Settings
610
To modify the Health Monitoring & Recovery Tests settings
for farms or a server .................................................
612
Adding Health Monitoring & Recovery Tests ...........................
613
Developing Custom Health Monitoring & Recovery Tests
615
Getting Health Monitoring & Recovery Alerts..........................
616
Using Citrix Performance Monitoring Counters..............................
617
Enabling SNMP Monitoring ......................................................
618
To install the Microsoft SNMP Services..................................
619
SNMP Security Considerations ............................................
620
To display or change the SNMP security properties
Enabling the Citrix SNMP Agent and Configuring Trap Settings
622
To enable the SNMP agent and configure trap settings on all
servers in a farm ......................................................
623
To enable the SNMP agent and configure trap settings on an
individual server ......................................................
624
Monitoring Traps from SNMP Network Management Products
625
Using the Citrix Management Information Base .......................
626
Optimizing Server Performance ...............................................
627
Using Preferential Load Balancing .......................................
628
Resource Allotment...................................................
629
Multiple Published Applications in the Same Session
632
Using CPU Utilization Management ......................................
633
Fair Sharing of CPU Between Sessions .............................
634
Managing Peak Utilization on Multiprocessor Servers
635
Enabling CPU Utilization Management ..................................
636
Managing Virtual Memory Usage .........................................
638
Enabling Memory Utilization Management ........................
639
Scheduling Virtual Memory Optimization .........................
640
To create a memory optimization schedule
641
Excluding Applications from Memory Optimization
642
To exclude additional applications from memory
optimization......................................................
643
Optimizing Simultaneous Logon Performance .........................
644
Managing Farm Infrastructure .................................................
645
Maintaining the Local Host Cache .......................................
646
Tuning Local Host Cache Synchronization.........................
647
Refreshing the Local Host Cache ...................................
648
Recreating the Local Host Cache ...................................
649
Data Collectors and Elections ............................................
650
Specifying Backup Data Collectors .................................
651
Enhancing the Performance of a Remote Group of Servers
621
653
To configure zones in your farm....................................
655
Updating Citrix License Server Settings ......................................
657
To specify a default license server for a farm .........................
658
To specify a license server for individual servers .....................
659
To set the product edition .....................................................
660
Setting the Citrix XML Service Port ...........................................
661
To configure the Citrix XML Service port for a server
663
To manually change the XML Service port to use a port different
from IIS after installation .................................................
664
To manually configure Citrix XML Service to share the TCP port
with IIS .......................................................................
665
Understanding XenApp Printing .....................................................
666
Introduction to Windows Printing Concepts .................................
667
Local and Remote Print Job Spooling ...................................
669
XenApp Printing Concepts ......................................................
671
Overview of Client and Network Printing Pathways ..................
672
Provisioning Printers for Sessions ........................................
677
Auto-Creating Client Printers .......................................
679
Auto-Creating Network Printers ....................................
683
Letting Users Provision Their Own Printers .......................
684
Device or Session-Based Print Settings..................................
685
Device-Based Print Settings .........................................
686
Controlling Printing Settings and User Preferences
687
Setting Default Printers ...................................................
690
Printing and Mobile Workers..............................................
691
Optimizing Printing Performance by Routing ..........................
692
Managing Printer Drivers ..................................................
693
Types of Printer Drivers..............................................
695
Planning Your Printing Configuration .........................................
699
Default Printing Behavior .................................................
700
Printing Policy Configuration .............................................
701
Printing Security............................................................
702
Purchasing Printing Hardware ............................................
703
Configuring and Maintaining XenApp Printing.....................................
704
Configuring Printing .............................................................
705
Configuring Printer Autocreation Settings..............................
707
Configuring Citrix Universal Printing ....................................
709
Configuring Auto-Creation for DOS and Windows CE Clients
710
Configuring Network Printers for Users .................................
714
To import printers from a network print server
715
To import printers from other domains ...........................
716
To assign printers using the Session printers policy rule
717
To add a network printer while configuring the Session
printers rule ...........................................................
718
To specify a default printer for a session .........................
719
To edit the printer settings in the sessions policy
720
To configure server local printers ..................................
721
Configuring Printers for Mobile Workers ................................
722
Changing Network Print Job Routing ....................................
723
Providing Tools for User Provisioning ...................................
724
To store users’ printer properties .......................................
726
To synchronize properties from the printer............................
727
Controlling Printer Driver Automatic Installation .....................
728
Configuring Universal Printer Drivers on Farm Servers
731
Mapping Client Printer Drivers ...........................................
733
Increasing Printing Speed and Session Performance .......................
735
Updating Network Print Server Information .................................
739
Replicating Printer Drivers Across a Farm ...................................
741
Replicating Printer Drivers Manually ....................................
742
Replicating Printer Drivers Automatically ..............................
744
Displaying Printers ...............................................................
747
Displaying Printers Using the Network Printing Pathway
748
Displaying Printers Using the Client Printing Pathway
750
Displaying Drivers ................................................................
751
XenApp Commands Reference.......................................................
753
ACRCFG............................................................................
754
ALTADDR ..........................................................................
757
APP .................................................................................
759
AUDITLOG .........................................................................
762
CHANGE CLIENT ..................................................................
765
CHFARM ...........................................................................
769
To move a server to a new server farm using SQL Server Express
773
CTXKEYTOOL......................................................................
774
CTXXMLSS .........................................................................
776
DSCHECK ..........................................................................
777
DSMAINT ...........................................................................
786
ENABLELB .........................................................................
791
ICAPORT ...........................................................................
792
IMAPORT...........................................................................
794
MIGRATETOSQLEXPRESS.........................................................
796
QUERY FARM ......................................................................
797
QUERY PROCESS ..................................................................
800
QUERY SESSION...................................................................
802
QUERY TERMSERVER .............................................................
804
QUERY USER ......................................................................
806
TWCONFIG ........................................................................
808
Performance Counters Reference ..................................................
810
Citrix CPU Utilization Mgmt User Counters ..................................
811
Citrix IMA Networking Counters ...............................................
812
Citrix Licensing Counters .......................................................
813
Citrix MetaFrame Presentation Server Counters ............................
814
ICA Session Counters ............................................................
816
Secure Ticket Authority Counters .............................................
819
Policy Rules Reference ...............................................................
820
Policy Rules: Quick Reference Table .........................................
821
Bandwidth Folder ................................................................
824
Visual Effects Folder .......................................................
825
SpeedScreen Folder ........................................................
826
Session Limits and Session Limits (%) Folder ...........................
828
Client Devices Folder............................................................
831
Resources Folder ...........................................................
832
Audio Folder ...........................................................
833
Drives Folder...........................................................
835
Optimize Folder..................................................
836
Special Folder Redirection .....................................
837
Other Folder ...........................................................
838
Ports Folder............................................................
840
PDA Devices folder....................................................
841
Maintenance Folder ........................................................
842
Printing Folder ...................................................................
843
User Workspace Folder..........................................................
846
Connections Folder.........................................................
847
Content Redirection Folder ...............................................
848
Shadowing Folder...........................................................
849
Configuring User Shadowing.........................................
850
Permissions to Shadow Users........................................
851
Time Zones Folder .........................................................
852
Citrix Password Manager Folder..........................................
853
Streamed Applications Folder ............................................
855
Security and Encryption Folders ...............................................
856
Service Level Folder.............................................................
857
Application Streaming .....................................................................
858
New Features in This Release .......................................................
860
Components for Application Streaming ............................................
861
Creating Application Profiles ........................................................
863
Targets Overview ................................................................
865
Service Pack Level .........................................................
867
System Drive Letter ........................................................
868
Operating System Language ..............................................
869
Inter-Isolation Communication Overview ....................................
870
Managing Isolation Environment Rules........................................
871
Types of Isolation Environment Rules ...................................
872
Restrictions and Limitations for Rules ..................................
874
Creating Isolation Environment Rules for a Target....................
875
To create an isolation environment rule ...............................
876
To modify a rule ............................................................
877
Using Environment Variables to Construct Rules ......................
878
Preparing a Workstation for Profiling Applications .........................
880
Known Limitations for Profiling ..........................................
881
To install the profiler ......................................................
882
To start the profiler........................................................
883
To disable and enable profile signing ...................................
884
Creating a Profile and Its Initial Target ......................................
885
To create a profile and target ...........................................
886
To install multiple applications through Advanced Install
889
To set user profile security ...............................................
890
To install Internet Explorer plug-ins.....................................
891
To include files and folders in a target .................................
892
To include registry settings ...............................................
893
To choose an installation program for the application
894
To run an application in the profiler ....................................
896
To select applications for listing in the profile ........................
897
To set up inter-isolation communication ...............................
898
To sign a profile ............................................................
900
Editing Profiles ...................................................................
901
To view profile information ..............................................
902
To edit the profile name, description, or location....................
903
To view details about applications in a profile ........................
904
To view File Type Associations set in a profile ........................
905
To check for launch prerequisites .......................................
906
To check for prerequisite registry entries..............................
907
To check prerequisite applications and files...........................
909
To specify pre-launch and post-exit scripts ............................
910
To add a target to a profile...............................................
911
To resolve target conflicts ................................................
912
To delete a folder from a profile ........................................
913
To delete a target from a profile ........................................
914
To delete a profile in a linked profile...................................
915
To resolve invalid shortcuts ..............................................
916
Editing Targets ...................................................................
917
To edit the target name and description ...............................
918
To modify the application properties in the target ...................
919
To modify the operating system and language properties of a
target.........................................................................
920
To check for launch prerequisites for a target ........................
921
To specify pre-launch and post-exit scripts for a target
922
To update a target .........................................................
923
To remove an old version of an updated target .......................
924
Profile Contents on the Server.................................................
925
Manifest File ................................................................
926
Targets .......................................................................
927
Digital Signature ............................................................
928
Icons ..........................................................................
929
Scripts ........................................................................
930
Managing Streamed Applications ...................................................
931
To rename a published application ...........................................
932
To configure locations of servers for published resources ................
933
To specify locations of applications for streaming .........................
934
To enable an application for offline access .................................
935
To configure user access to applications.....................................
936
Granting Access to Explicit or Anonymous Users............................
938
To configure shortcuts for user devices ......................................
939
To configure access controlled by the Access Gateway ...................
940
To associate published applications with file types ........................
941
To update file type associations...............................................
943
To configure alternate profiles ................................................
944
To pass parameters to published applications ..............................
945
To reduce user privileges for a streamed application .....................
946
To configure application limits and importance ............................
947
To configure audio and encryption options for published applications
948
To configure application appearance.........................................
950
To disable or enable a published application ...............................
951
To delete a published application.............................................
952
To move a published application to another folder ........................
953
To duplicate published application settings .................................
954
To export published application settings to a file ..........................
955
To import published application settings from a file ......................
957
Managing the XenApp Streaming Plug-in ..........................................
958
XenApp Streaming Plug-in Overview ..........................................
959
Managing the XenApp Streaming Plug-in .....................................
960
To install the XenApp Streaming Plug-in ...............................
961
To configure the cache size of the streaming plug-in
962
To deploy the XenApp Streaming Plug-in ...............................
963
To configure an .MSI package using transforms .......................
965
To deploy the XenApp Streaming Plug-in to client devices through
Active Directory ............................................................
966
To deploy applications to client devices ...............................
967
To clear the streamed application cache on user devices
969
Finding EdgeSight Documentation .......................................................
970
Identifying Edgesight Documents ...................................................
971
Installing Your Monitoring and Reporting Tools...................................
972
Software Requirements .........................................................
973
Licensing Requirements ...................................................
974
The Installation Process ........................................................
975
Installing or Upgrading ....................................................
976
Uninstalling..................................................................
977
Displaying Monitoring and Reporting Tools and Components After
Installation ..................................................................
978
Configuring Metrics ...................................................................
979
Configuring a Set of Metrics for Specific Servers ...........................
980
Creating a Default Set of Metrics..............................................
981
Farm Performance Metrics .....................................................
982
Configuring Application Metrics ...............................................
983
Suspending Notification of a Metric’s Status ................................
984
Getting More Information About Metrics And Monitoring..................
985
Viewing Monitoring Information.....................................................
986
Current State of All Metrics ....................................................
987
Metrics That Breach Thresholds ...............................................
988
Graphs of Metric Values ........................................................
989
Creating Custom Metrics Displays .............................................
990
Configuring Logs .................................................................
991
Additional Alert Information ...................................................
992
Custom Displays ..................................................................
993
Alerting Administrators to Poor Server Performance ............................
994
Sources of Alerts .................................................................
995
Preparing Your System for Email Alerts ......................................
996
Using MAPI to Send Alerts .................................................
997
Setting up SSL for SMTP Email Alerts....................................
998
Preparing Your System for SMS Alerts ........................................
999
Preparing Your System for SNMP Alerts ...................................... 1000
Running a Script when an Alert Threshold Is Breached .................... 1001
Receiving Failed Import Alerts................................................. 1002
Receiving License Server Connection Failure Alerts........................ 1003
Recording the History of Servers and Applications............................... 1004
What Information Should I Record in the Database? ....................... 1005
Scheduling Summary Data Collection and Removal ........................ 1006
Ignoring Server Metrics During Periods of Low Server Activity
1007
Removing Unwanted Information from the Database................. 1008
Monitoring the Status of the Database ....................................... 1009
Managing the Database ......................................................... 1010
Reporting and Analyzing Monitoring Information................................. 1011
Reports ............................................................................ 1012
About Report Jobs and Specifications................................... 1013
Creating Reports About Current Activity ............................... 1014
Creating Reports About Past Activity ................................... 1015
Displaying Reports from Servers in Different Time Zones or Locales
1016
What if a Reporting Server Uses a Different Language?
1017
Estimating the Concurrent User Capacity of a Server...................... 1018
Billing Users for Resource Usage .................................................... 1019
Default Metric Set..................................................................... 1020
Database Schema...................................................................... 1021
Enterprise Management.................................................................... 1022
Management Pack for Microsoft Operations Manager 2005 ..................... 1023
Management Pack Features .................................................... 1024
The Management Pack and the Providers .................................... 1025
Citrix Views in the Management Pack ........................................ 1026
Health Monitoring Views .................................................. 1027
Discovery Views............................................................. 1028
Deployment Topology View ............................................... 1029
State View: the Citrix Server and Citrix Licensing Roles
1031
XenApp Managed and Unmanaged Computers............................... 1032
About Citrix Computer Groups................................................. 1033
To install or upgrade the Management Pack for MOM 2005 ............... 1034
Management Pack Post-Installation Tasks ................................... 1035
Security Considerations for the Management Pack ................... 1036
Troubleshooting Query Errors in MOM................................... 1037
Configuring Topology Discovery ............................................... 1038
To specify server farm and zone computer groups ......................... 1040
To configure Citrix Administrators as MOM operators...................... 1041
To change the format of net send messages ................................ 1042
Configuring and Enabling Site-specific Rules for MOM 2005............... 1043
Too Many Disconnected Sessions......................................... 1044
Idle Sessions ................................................................. 1045
Too Many Active Sessions ................................................. 1046
Sample Published Application Load ..................................... 1047
To open the Access Management Console from the MOM Operator
Console ............................................................................ 1048
To change the Access Management Console path with the MOM
Administrator Console ..................................................... 1049
Management Pack for System Center Operations Manager 2007............... 1050
System Requirements for the Management Pack ........................... 1052
To install the Management Pack .............................................. 1053
Management Pack Post-Installation Tasks ................................... 1054
Uninstalling the Management Pack ........................................... 1055
Security Considerations for the Management Pack ......................... 1056
Troubleshooting Query Errors in Operations Manager
1057
Citrix Managed Objects Included in the Management Pack ............... 1058
Citrix Views Included in the Management Pack ............................. 1059
To view state monitors and processing rules .......................... 1060
Viewing XenApp Alert and Event Information.......................... 1061
Viewing XenApp Deployment State Information ....................... 1062
Viewing Citrix Presentation Server Topology Diagrams
1063
To reconfigure security settings on zone data collectors
1067
Viewing XenApp Performance Information ............................. 1068
Viewing License Server Information ..................................... 1069
Configuring and Enabling Site-specific Monitors ............................ 1070
To open the Access Management Console or Delivery Services Console
from the Operations Manager Console ....................................... 1072
Managing Providers and WMI ........................................................ 1073
XenApp Provider Overview ..................................................... 1074
Licensing Provider Overview ................................................... 1075
Installing the XenApp Provider ................................................ 1076
Installing the Licensing Provider .............................................. 1077
Starting the Provider Services ................................................. 1078
Security Considerations ......................................................... 1079
Uninstalling the Providers ...................................................... 1080
WMI Schema ...................................................................... 1081
XenApp Provider WMI Schema (Part 1 of 3) ............................ 1082
XenApp Provider WMI Schema (Part 2 of 3) ............................ 1083
XenApp Provider WMI Schema (Part 3 of 3) ............................ 1084
Citrix Licensing Provider WMI Schema .................................. 1085
Load Manager................................................................................ 1086
Working with Load Manager Rules .................................................. 1087
List of Load Manager Rules ..................................................... 1089
Working with Load Evaluators ....................................................... 1091
Viewing and Modifying Load Evaluator Properties .......................... 1092
Creating Load Evaluators ....................................................... 1093
Assigning Load Evaluators to Servers and Applications .................... 1094
Copying Load Evaluators ........................................................ 1095
Deleting Load Evaluators ....................................................... 1096
Scheduling Server Availability ................................................. 1097
Monitoring Server Loads.............................................................. 1098
Logging Load Management Activity ........................................... 1100
Setting the Frequency of Information Updates ............................. 1102
Viewing Usage Reports .......................................................... 1103
Secure Gateway............................................................................. 1104
Citrix XenApp Components That Work with Secure Gateway .................. 1105
Secure Gateway Features ...................................................... 1106
System Requirements for Secure Gateway ........................................ 1110
System Hardware Requirements............................................... 1111
Citrix Products Compatibility with Secure Gateway ....................... 1112
Certificate Requirements....................................................... 1113
Planning a Secure Gateway Deployment .......................................... 1115
Deploying the Secure Gateway in a Single-Hop DMZ ....................... 1116
Running the Web Interface behind the Secure Gateway in the
Demilitarized Zone ......................................................... 1118
Locking Down Internet Information Services ........................... 1120
Running the Web Interface Parallel with the Secure Gateway
1121
Setting Up the Web Interface and the Secure Gateway in a
Single-Hop Demilitarized Zone ........................................... 1122
Deploying the Secure Gateway in a Double-Hop DMZ ...................... 1123
Setting Up the Secure Gateway and the Secure Gateway Proxy in
a Double-Hop DMZ.......................................................... 1126
Publishing the Web Address for the Secure Gateway in a
Double-Hop Demilitarized Zone .......................................... 1127
Setting Up and Testing a Server Farm ........................................ 1128
Installing the Secure Ticket Authority ........................................ 1129
Testing Your Deployment ....................................................... 1130
Installing and Configuring the Secure Gateway and Secure Gateway Proxy
1131
Upgrading Secure Gateway or Secure Gateway Proxy ..................... 1132
Using Firewall Software with the Secure Gateway or Secure Gateway
Proxy............................................................................... 1133
Installing the Secure Gateway or Secure Gateway Proxy.................. 1134
To install the Secure Gateway or Secure Gateway Proxy
1135
Configuring the Secure Gateway or Secure Gateway Proxy ............... 1136
To start the configuration wizard manually............................ 1137
To select a configuration level (Secure Gateway) .................... 1138
To select a configuration level (Secure Gateway Proxy)
1139
Task Summary for Secure Gateway, Advanced or Standard
Configuration ............................................................... 1140
Task Summary for Secure Gateway Proxy, Advanced or Standard
Configuration ............................................................... 1141
To select a server certificate............................................. 1142
To configure secure protocol settings................................... 1143
23
To configure inbound client connections
To configure outbound connections
To configure an access control list for outbound connections
To configure servers running the Secure Gateway Proxy
To add the Secure Ticket Authority details
To configure connection parameters
To configure logging exclusions
To add the Web Interface server details
To configure the logging parameters
To complete the configuration
To stop the Secure Gateway/Secure Gateway Proxy service
To uninstall the Secure Gateway
Managing the Secure Gateway
Viewing Session and Connection Information with the Secure Gateway Console
Viewing Secure Gateway Performance Statistics
To view the Secure Gateway performance statistics
Performance Counters Available for the Secure Gateway
Generating the Secure Gateway Diagnostics Report
Viewing the Secure Gateway Events
Viewing the Secure Gateway Access Logs
Secure Gateway Configuration Wizard
Secure Gateway Optimization and Security Guidelines
Configuring Firewalls for the Secure Gateway
Ensuring High Availability of the Secure Gateway
Load Balancing Multiple Secure Gateway Servers
Load Balancing an Array of the Secure Gateway Proxy
Certificate Requirements for Load Balancing Secure Gateway Servers
Using Load Balancers and SSL Accelerator Cards with Secure Gateway Servers
Coordinating Keep-Alive Values Between the Secure Gateway and Citrix XenApp
Setting Connection Keep-Alive Values and the Secure Gateway
Improving Security (Recommendations)
Preventing Indexing by Search Engines
Troubleshooting the Secure Gateway
To check your certificates
Client Connections Launched from IP Addresses in the Logging Exclusions List Fail
Load Balancers Do Not Report Active Client Sessions if Connections Are Idle
Performance Issues with Transferring Files Between a Client Device and a Citrix XenApp Server
Gateway Client Connections Fail When Using Windows XP Service Pack 2
Failed Client Connections to the Secure Gateway Result in Duplicate Entries in the Secure Gateway Log
Placing the Secure Gateway Behind a Reverse Web Proxy Causes an SSL Error 4
Run the Secure Gateway Parallel to the Reverse Web Proxy
Use a Network Address Translator Instead of a Reverse Web Proxy
Digital Certificates and the Secure Gateway
Understanding Cryptography
Types of Cryptography
Combining Public Key and Secret Key Cryptography
Understanding Digital Certificates and Certificate Authorities
Certificate Chains
Certificate Revocation Lists
Deciding Where to Obtain Certificates
Obtaining and Installing Server Certificates
Obtaining and Installing Root Certificates
Support for Wildcard Certificates with the Secure Gateway
Using the Secure Gateway Proxy in Relay Mode
Modes of Operation for the Secure Gateway Proxy
How Relay Mode Works
Installing the Secure Gateway Proxy in Relay Mode
To install the Secure Gateway Proxy in relay mode
To configure the Secure Gateway in relay mode
Configuring Plug-ins for Secure Gateway
To configure plug-in connections to the Secure Gateway Proxy
To configure all application sets for the plug-in to connect to the Secure Gateway Proxy
To test the Secure Gateway relay mode
To start or stop the Secure Gateway Proxy Service manually
SmartAuditor
Example Usage Scenarios
Getting Started with SmartAuditor
Planning Your Deployment
Security Recommendations
Installing Certificates
Scalability Considerations
Important Deployment Notes
Pre-Installation Checklist
To install SmartAuditor
Automating Installations
Uninstalling SmartAuditor
To configure SmartAuditor to play and record sessions
Granting Access Rights to Users
Creating and Activating Recording Policies
Using System Policies
Creating Custom Policies
To create a new policy
To modify a policy
To delete a policy
To activate a policy
Understanding Rollover Behavior
To disable or enable recording
To configure the connection to the SmartAuditor Server
Creating Notification Messages
Enabling Custom Event Recording
To enable or disable live session playback
To enable or disable playback protection
To enable and disable digital signing
To specify where recordings are stored
Specifying File Size for Recordings
Viewing Recordings
To launch the SmartAuditor Player
To open and play recordings
To search for recorded sessions
To play recorded sessions
To use events and bookmarks
To change the playback display
To display or hide window elements
To cache recorded session files
To change SmartAuditor Servers
Troubleshooting SmartAuditor
Verifying Component Connections
Testing IIS Connectivity
Troubleshooting Certificate Issues
SmartAuditor Agent Cannot Connect
SmartAuditor Server Cannot Connect to the SmartAuditor Database
Sessions are not Recording
Searching for Recordings in the Player Fails
Troubleshooting MSMQ
Unable to View Live Session Playback
To change your communication protocol
Reference: Managing Your Database Records
Glossary
XenApp 5 for Windows Server 2008
Release Notes for XenApp 5.0 Feature Pack
New Features, Capabilities, and Changes in the XenApp 5 Feature Pack
Readme for Citrix XenApp 5.0 for Windows Server 2008
New Features and Changes in XenApp 5
Readme for Citrix Offline Plug-in 5.2 and Streaming Profiler 5.2
Compare Features of XenApp Product Editions
Issues Fixed in Offline Plug-in 5.2 and Online Plug-in 11.2 for Windows
Doc Finder
Installation Checklist for Citrix XenApp 5.0 for Windows Server 2008
Profile Management
Security Standards and Deployment Scenarios
Web Interface
Licensing Your Product
Please check the archive for additional documentation not listed here.
Platinum Features
Branch optimization powered by Citrix Branch Repeater™
SmartAccess powered by Citrix Access Gateway™
EasyCall voice services
Service Monitoring (EdgeSight)
Load testing services
Single Sign-on
Provisioning Services
Release Notes for XenApp 5.0 Feature Pack
Version: 1.0
Contents
• Introduction
• Installation Procedure
Introduction
This document describes the prerequisites and installation steps for the Citrix XenApp 5.0
Feature Pack. The feature pack comprises download links for new and enhanced features,
plus links to information about complementary additions to XenApp.
Note: To obtain the features through the XenApp 5.0 Feature Pack pages on My Citrix,
you must be a current member of Citrix Subscription Advantage as of March 9, 2009.
For information about XenApp features, see Getting Started with Citrix XenApp in Citrix
eDocs or CTX116418. The XenApp 5.0 Feature Pack download pages on My Citrix contain
links to additional information.
The Application streaming feature has been added to the XenApp Advanced Edition. To use
this feature, Advanced Edition customers must follow the procedures provided in the Citrix
support article CTX120305.
Installation Procedure
This procedure applies to XenApp 5.0 for Windows Server 2008, XenApp 5.0 for Windows
Server 2003, Presentation Server 4.5, and Presentation Server 4.5 with Feature Pack 1.
Note: If you are running XenApp 5 for Windows Server 2003, Presentation Server 4.5, or
Presentation Server 4.5 with Feature Pack 1, you must install Hotfix Rollup Pack 3 before
downloading any of the XenApp 5.0 Feature Pack software. See CTX115626 (32-bit) or
CTX115627 (64-bit) for details.
Unless otherwise noted, the following instructions assume you are at your XenApp 5.0
Feature Pack download page.
1. Access your XenApp 5.0 Feature Pack download page.
a. Log on to My Citrix.
b. From the Support menu, select Downloads.
c. In the Search Downloads by Product box, select Citrix XenApp.
d. In the Product Software section, select XenApp 5 Feature Pack.
e. Select the link for your XenApp edition.
2. If you do not yet have XenApp installed, links are provided to images. For the latest
installation documentation, see Citrix eDocs.
3. Download XenApp and Access Management Console hotfixes, using the links provided.
• At the XenApp hotfix link destination, select the hotfix for your XenApp server.
• At the Access Management Console link destination, select the hotfix for your
XenApp server. For Windows Server 2008 systems, the updates are packaged in a
.zip file containing an executable file that calls .msi files for each extension. For
Windows Server 2003 systems, the updates comprise a single executable file that
calls the Presentation Server extension.
4. Install the latest license server, using the link provided. Citrix recommends upgrading
to the latest license server, which may include security updates, bug fixes, and new
features. For the latest licensing documentation, see Licensing Your Product in Citrix
eDocs.
5. For XenApp Enterprise and Platinum Edition customers using the Application streaming
feature: To enable the use of the Application streaming offline feature, or to use
application streaming with Citrix Receiver, download the latest versions of the
application streaming plug-in and profiler, using the link provided.
For XenApp Advanced Edition customers: The Application streaming feature has been
added to the XenApp Advanced Edition. To use this feature, Advanced Edition
customers must follow the procedures provided in the Citrix support article CTX120305.
6. For XenApp Platinum Edition customers using the Single sign-on feature: To enable use
of the Single sign-on offline feature, download the latest version of the Password
Manager plug-in, using the link provided.
7. To download the software for the following features, click the links provided, in any
order. If a feature is not supported in your XenApp edition, the link will guide you to
more information.
Note: If you already have these features installed, you must download the latest
version.
• Workflow Studio orchestration
• EasyCall voice services
• Profile management
• Load testing services
• Provisioning services
• Branch optimization
For information about the complementary capabilities available with Citrix XenServer,
click the link provided.
http://www.citrix.com
Copyright © 2009 Citrix Systems, Inc.
Readme for Citrix XenApp 5.0 for Windows Server 2008
Readme Version: 2.02
Notes:
• For the latest critical updates, visit the critical updates page for the 32-bit edition at
http://support.citrix.com/product/xa/v5.0_2008/hotfix/x86/?onlyCritical=true or for
the 64-bit edition at
http://support.citrix.com/product/xa/v5.0_2008/hotfix/x64/?onlyCritical=true to
download and apply any available critical updates.
• For a list of issues resolved in this release, go to
http://support.citrix.com/article/CTX118113
• To view the list of exceptions to the Microsoft Windows 2008 Logo Requirements,
including files installed in locations other than Program Files, files that remain after
XenApp is uninstalled, unregistered file extensions, binaries that install without
complete file version information, and new custom .msi actions, see "Certification
Exceptions for XenApp 5.0" at http://support.citrix.com/article/CTX117944
Contents
• Finding Documentation
• Getting Support
• Installation Issues
• Other Known Issues
Finding Documentation
To access complete and up-to-date product information, go to Citrix eDocs located at
http://support.citrix.com/proddocs/index.jsp and expand the topics for your product.
• Before you install this product, make sure you consult the XenApp Installation
Checklist.
• To review the features included in your product edition, see Getting Started with Citrix
XenApp.
• To plan, install, and deploy your farm, refer to Citrix XenApp Installation.
For known issues related to other Citrix products, components, and features in this release,
see the following documents:
• Readme for Web Interface 5.0.1
• Readme for Password Manager 4.6 with Service Pack 1
• Readme for XenApp Plug-ins for Hosted Apps 11.0 and Streamed Apps 1.2
• Readme for XenApp 5.0 for Windows Server 2003
• Readme for EasyCall Agent 1.2
• Readme for EdgeSight for XenApp 5.0
• Readme for Access Gateway 8.1 Enterprise Edition
• Readme for Access Gateway 4.5 Advanced Edition
• Readme for Access Gateway 4.5.6 Standard Edition
Licensing Documentation
To access licensing documentation in Citrix eDocs, go to Licensing Your Product at
http://support.citrix.com/proddocs/topic/licensing/lic-library-node-wrapper.html.
Password Manager Documentation
To access the Readme and locate product documentation in Citrix eDocs, go to
http://support.citrix.com/proddocs/topic/passwordmanager/pm-library-wrapper.html.
Getting Support
Citrix provides an online user forum for technical support. This forum can be accessed at
http://support.citrix.com/xenappforum. The Web site includes links to downloads, the
Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.
Citrix provides technical support primarily through Citrix Solutions Advisor. Contact your
supplier for first-line support or use Citrix Online Technical Support to find the nearest
Citrix Solutions Advisor.
Citrix offers online technical support services on the Citrix Support Web site. The Support
page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services,
and other useful support pages.
Installation Issues
Important: Before you install this product, make sure you consult the Installation Checklist
in Citrix eDocs.
XenApp 5.0 for Windows Server 2008
• Upgrading any XenApp 5.0 component or Citrix License Server from the Beta or Release
Preview is not supported. Uninstall all components from early releases before installing
XenApp 5.0. [#192993]
• Review the documents listed in the Finding Documentation section, located on the
support Web site, before starting your installation. They include the installation
requirements, fixed issues, and installation procedures for XenApp 5.0 and components.
• On all servers running Microsoft Windows Server 2008 and XenApp, Citrix recommends
installing the Microsoft Windows Server 2008 hotfix associated with Microsoft Help and
Support article 951149. For details, see http://support.microsoft.com/kb/951149.
[#179615]
• Citrix does not recommend installing XenApp 5.0 on a domain controller because of a
known issue. Installing XenApp using Autorun on a Windows Server 2008 domain
controller fails when creating Citrix CPU Management Service and the Citrix Print
Manager Service accounts, thus ending the installation. [#196787]
As a workaround, to install XenApp on a domain controller, create two unique domain
users that these services will run as and then run the installation from a command line
(a silent install) and specify the following parameters in the msiexec statement using
the domain user accounts created for these services respectively.
CTX_MALOO_SERVICE_USER="[Domain User]"
CTX_MALOO_SERVICE_USER_PASSWORD="[Password]"
CTX_CPSVC_SERVICE_USER_NAME="[Domain User]"
CTX_CPSVC_SERVICE_USER_PASSWORD="[Password]"
For more information and a workaround, see
http://support.citrix.com/article/CTX107538.
• On Windows Server 2008, if you install and then uninstall the Web Server (IIS) Role
before installing XenApp, the XenApp installation fails. This issue occurs because DLLs
required to import Citrix Drivers are removed.
As a workaround, re-install the Web Server (IIS) Role, and then, from Programs and
Features, select Citrix XenApp 5.0, click Change, and then select Repair. [#193429]
• While installing XenApp, the event log contains multiple entries showing the Microsoft
Windows Terminal Services listener stack was down. These entries do not have any
impact on functionality or the installation. You can ignore these log entries. [#177047]
• To use Autorun to install applicable XenApp components on a Windows 2000 Server,
before you begin the installation, obtain the gdiplus.dll file from the Microsoft Website
at http://www.microsoft.com/downloads/details.aspx?familyid=6A63AB9C-DF12-4D41-933C-BE590FEAA05A&displaylang=en.
Download and run gdiplus_dnld.exe on the local server and copy gdi
winnt\system32 folder. Then start Autorun. [#190821]
• To prevent the Citrix Print Service from failing, enable the Windows Print Service on
each server in the farm. To do this for farms that use Group Policy Objects (GPO), set a
Windows policy, which is currently not set automatically (this could change in a future
Microsoft hotfix). Citrix recommends setting the Local Security (GPO) policy either
before installation or, if after installation, before client devices with network printers
connect to the farm. [#194625]
To set the Windows policy:
1. Open the Microsoft Management Console.
2. Add the "Group Policy Object" snap-in, accept the default Local Computer, and
finish the wizard in the Add or Remove Snap-ins dialog box.
3. Under Console Root > Local Computer Policy, select User Configuration >
Administrative Templates > Control Panel > Printers.
4. From Printers, select "Point and Print Restrictions," and from More Actions, select
Properties.
5. In the Properties Settings, click Enabled, and under Security Prompts, make sure
"Do not show warning or elevation prompt" is selected for both driver connection
options before closing the console.
Either set this policy manually on each server or use one of the following suggestions to
set the policy automatically on all servers in the farm:
• If your farm is in a Windows Active Directory domain, to enable this policy
automatically on all servers, set a GPO policy.
• If your farm does not use Active Directory, run scripts on each server to install the
policy.
• Citrix does not support installing Secure Gateway 3.1 on the same computer as Citrix
XenApp (Advanced, Enterprise, and Platinum Editions). Install the Secure Gateway or
Secure Gateway Proxy on an independent computer in the DMZ. If you are using Citrix
Access Essentials 3.0, installing these components on the same computer is supported.
For a workaround, see "XTE service will not start after installing Secure Gateway" at
http://support.citrix.com/article/CTX118021.
• For XenApp to function on Windows Server 2008, XenApp Setup reconfigures the default
Windows Firewall port settings to allow incoming connections, such as those from ICA
traffic and the Citrix Independent Management Architecture service. For a complete list
of the ports XenApp uses, see the Citrix XenApp Administrator's Guide. [#196726]
• The Client for Mac OS X Version 10.00.600, included on the XenApp installation media,
is not the latest version. To download the latest version of the client, go to the Citrix
Web site, and then click Support > Downloads. For example, Version 10.00.601 contains
a session reliability fix for XenDesktop connections. [#197628]
Other Known Issues
The next sections include information for the following components or products:
• XenApp 5.0 for Windows Server 2008
• Application Streaming Feature
• Resource Manager
• Secure Gateway
• Smart Auditor
• Documentation Errata
Caution: Instructions may direct you to use the Registry Editor. Using Registry Editor
incorrectly can cause serious problems that can require you to reinstall the operating
system. Citrix cannot guarantee that problems resulting from incorrect use of Registry
Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the
registry before you edit it.
XenApp 5.0 for Windows Server 2008
XenApp issues
• The ICA Settings tab of TS Config utility is visible only on a server that has XenApp
installed. [#170346]
• In the Access Management Console, if you rename an application whose parent folder is
Applications, the renamed application does not appear in the Contents pane. To refresh
the Contents pane, select any node other than Applications, and then reselect
Applications. [#166150]
• If you publish an application on two servers and the paths to those published
applications are different on the two servers, changing the icon later using the Shortcut
Presentation property invokes an error saying the icon cannot be found. This error
occurs because the application paths (icon paths) differ on each server.
As a workaround, when choosing Host names in the Icon Browser dialog box, select a
server on which the application is installed in its default path. Alternatively, make sure
the path to a published application is identical on all servers that host the application.
For example, use the application path on the first server (sorted alphabetically) as the
default path and customize each of the other servers to use the correct path for that
server. [#172958]
• Entering an incorrect domain name when performing an advanced search using the
Access Management Console may cause the Access Management Console to stop instead
of returning an error message. This issue occurs when you select the Applications by
User search option and a prompt appears requiring user credentials to continue the
search. [#189058]
• On Windows Server 2008, launching the Access Management Console might take over
two minutes. This issue occurs because of a Windows security requirement that the
binaries require Authenticode signatures and the time required for signature validation.
For more information, see http://support.microsoft.com/default.aspx/kb/936707.
As a workaround, you can turn off publisher evidence for the Access Management
Console and remove the startup delay. If you use .NET 2.0 (without Service Pack 1),
manually install the hotfix in the article; however, the hotfix is included in subsequent
Microsoft hotfix releases. With the hotfix installed, create a .NET config file for the
mmc.exe executable in one of the following locations:
On 32-bit systems, create a config file named "C:\Windows\System32\mmc.exe.config"
On 64-bit systems, create a config file named "C:\Windows\SysWOW64\mmc.exe.config"
Add the following contents in the file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false" />
  </runtime>
</configuration>
Note that this configuration affects all Microsoft Management Console (MMC) snap-ins
and there is a small chance it could cause some snap-ins to cease functioning. Be sure
to test your other MMC snap-ins after making this change. [#186638]
•
Report specifications created or updated using the Access Management Console of Citrix
XenApp 5.0 cannot be used in the Access Management Console of Presentation Server
4.5. [#166167]
•
In Event Viewer for the XenApp Provider, ignore error messages similar to the following,
which might appear after installing XenApp or applying a hotfix or upgrade: "A provider,
MgmtEventProv, has been registered in the Windows Management Instrumentation
namespace Root\Citrix\Management to use the LocalSystem account. This account is
privileged and the provider may cause a security violation if it does not correctly
impersonate user requests." The error is incorrect because the XenApp Provider runs as
the LocalService rather than the LocalSystem account. [#183919]
•
In the Access Management Console, the session view of IPv6 connections shows spurious
characters in the Client Address column. This is a known issue. [#185023]
•
If you embed the .ica file in an .html file, the .ica file does not launch when you access
the .html file from a Web browser. To launch the embedded .ica file, add the .ica
Multipurpose Internet Mail Extensions (MIME) type to the Internet Information Services
(IIS) settings. [#195572]
Workaround:
1. Launch Internet Information Services (IIS) Manager and select Default Web Site.
2. Under the IIS section, select MIME Types.
3. In the Action section, select Add.
4. In the File name extension field, type .ica.
5. In the MIME type field, type text/html.
•
If you experience problems repairing, modifying, or uninstalling a XenApp component
when User Account Control (UAC) is enabled, open a command prompt (as an
Administrator) and run msiexec /I "[Network drive\] [path to msi for the component]".
In the installer for the component, you can repair, modify, or remove the installed
version. [#196404]
•
In rare situations, particularly on Windows Vista Ultimate and 64-bit versions of
Windows Server 2008, the Access Management Console does not launch when you use
the shortcut icon or the All Programs menu. [#191988]
If this occurs, as a workaround, instead of using the shortcut icon, launch the Access
Management Console using these procedures:
1. From the Start menu, select Run (or hold down the Windows key and press R).
2. Type "mmc /32".
3. From the File menu, select Add/Remove Snap-In, and add the Citrix Access
Management Console.
If you save this console to disk, you can load it again later and avoid having to add the
snap-in manually. To save the console, from the File menu, select Save.
Alternatively, use Windows Explorer to open Access Management Console - Framework:
1. To locate this file:
•
For 32-bit operating systems, go to "\Program Files\Common Files\Citrix\"
•
For 64-bit operating systems, go to "\Program Files (x86)\Common Files\Citrix\"
2. For English, open the file "cmi20.msc". For another language, open the folder of
that language, and then open the file "cmi20.msc" in that folder.
•
The CPU Utilization Management Report for servers with XenApp 5.0 for Windows Server
2008 (Platinum Edition) is no longer available from the Report Center in the Access
Management Console. Instead, this report is available only from the Citrix EdgeSight
console. Use the Browse tab to locate the report. Note that for mixed farms, the CPU
Utilization Management Report for servers with Citrix Presentation Server 4.5 is still
available from the Access Management Console. [#196982]
•
In Japanese operating systems, the "Client application folder" name entered on the
Shortcut Presentation page for published applications cannot exceed 128 Japanese
characters or the folder cannot be displayed on Program Neighborhood. [#175600]
Client device issues
•
Reconnecting to a disconnected ICA desktop session either from the server locally or
through Remote Desktop Protocol (RDP) fails with an error message that the target
session is incompatible with the current session. Local desktop and RDP connections
also fail when the ICA desktop session is active and the server is set to restrict users to
a single session. In general, you cannot convert or promote any existing ICA desktop
session to a session started from the server locally or RDP because of cross-protocol
compatibility issues.
As a workaround, either the user or administrator should log off from the previous ICA
session. To do this, users can reconnect to the ICA session and log off, or the
administrator can log off the session for them. Users can then log on to a new
session from the desktop or RDP. [#181473]
•
If you publish Windows Media Player 11 running on Windows Server 2008 64-bit Edition,
users launching the Media Player for the first time (regardless of the client device)
might see an error message stating that a DLL cannot be found and the application
should be reinstalled. Users can click OK and disregard this message. The application
runs normally (without reinstalling) and the error message does not appear again.
To prevent this error message from appearing, manually add "%systemroot%\SysWow64"
to the system PATH environment variable on the XenApp server. [#180703]
•
Publishing Windows Media Player on Windows Server 2008 64-bit Edition, even if the
audio quality is set at high, results in background static on client devices. This issue
does not occur if you publish Media Player on a 32-bit operating system. [#197420]
Recording issues
•
Users of Philips SpeechMike USB devices cannot play back their recordings when
accessing the SpeechMike applications as a published application or in a published
desktop. If using the Philips SpeechMike Serial devices with the Philips Foot Pedal for
Playback USB device, users cannot play back their recordings when accessing the
SpeechMike applications as a published application or in a published desktop. See
Microsoft article http://support.microsoft.com/kb/961918 to resolve this issue.
[#193435, #194558]
•
Users of Philips SpeechMike USB devices cannot play back their recordings when
accessing the SpeechMike Test Recorder application as a published application.
Although the audio is recorded, users must save the audio files, end their current ICA
session, and then play back the audio files in a separate ICA session. This limitation
occurs when the client computer is running Windows XP or Windows Vista and the
SpeechMike device is connected to the client computer through a USB port. Serial port
Philips SpeechMike devices do not exhibit this limitation. See Microsoft article
http://support.microsoft.com/kb/961918 to resolve this issue. [#177437]
Printing issues
•
Configuring the Citrix XPS Universal printer driver as the default for sessions can result
in long print times for certain documents, including documents with graphics and
documents created using Microsoft Publisher. If users experience this intermittent
issue, change the configuration to use the EMF Universal printer driver (the default
XenApp configuration). [#195677]
•
When using the Citrix XPS Universal Printer driver to print a Microsoft Word document
that contains both portrait and landscape pages, all pages are printed in portrait mode.
This causes content on the landscape pages to be trimmed to fit portrait orientation.
[#194634]
Workarounds include:
•
Use the EMF-based Citrix Universal Printer driver.
•
To use the Citrix XPS Universal Printer driver, separate the landscape and portrait
pages into two separate documents. A Word file containing only landscape pages
can print in landscape mode.
•
When users print from applications published on XenApp servers, the Print dialog box
might appear to be blank. If you create only one or two printers with long names, the
scroll bar might not appear; this makes selecting printers difficult. Microsoft has
released a hotfix, available at http://support.microsoft.com/kb/953348 to address this
issue. [#195768]
•
To support auto-created printers for devices running the Mac ICA Client V6.20, install
the Apple LaserWriter V23.0 driver on all XenApp servers running on Windows Server
2008. The Apple LaserWriter V23.0 driver is not included in Windows Server 2008.
[#193831]
System exceptions
•
The spoolsv.exe process might cause excessive CPU utilization on Windows Server 2008
and on Windows Vista; also, the spooler.xml file might expand to fill the entire file
system volume. The issue is related to logging to the spooler.xml file. If you are
affected by this issue, go to
http://support.microsoft.com/default.aspx?scid=kb;EN-US;960919 for more information
and for resolution. [#180064]
Third-party issues
•
The Microsoft Terminal Services Group Policy setting to "Allow reconnection from
original client only" is not supported. If enabled, users can reconnect from another
computer or client. This is a third-party issue and there is no workaround. [#176130]
•
Audio recordings in Microsoft OneNote 2007 published on XenApp servers are not
supported in this release. This is a third-party issue and there is no workaround at this
time. [#169452]
•
Client connections are not disconnected from a Windows Server 2008 terminal server as
expected. This issue occurs if you do not have a configured Terminal Services license
server and the grace period has expired. Users see an error message indicating that
their connection will be terminated, but when they click OK, their connection is not
disconnected. Microsoft has released a hotfix, available at
http://support.microsoft.com/kb/958612 to address this issue. [#183767, #197609]
•
Terminal servers running Windows Server 2003 or Windows Server 2008 might stop
accepting new connections, and existing connections become unresponsive. Microsoft
has released a hotfix, available at http://support.microsoft.com/kb/956438 to address
this issue. [#184398]
•
The Terminal Services licensing service on computers running Windows Server 2008
might experience memory leaks. To fix this issue, download and install the hotfix
available at http://support.microsoft.com/kb/967592. [#177282]
•
Legacy applications running in Windows Server 2008 terminal server sessions might
experience a random access violation at startup. Microsoft has released a hotfix,
available at http://support.microsoft.com/kb/967471 to address this issue. [#177365]
•
Under heavy stress conditions, Windows Server 2008 terminal server sessions might stop
responding and logon attempts fail to complete. Microsoft has released a hotfix,
available at http://support.microsoft.com/kb/966325 to address this issue. [#183282]
•
Computers running Windows Server 2008, Windows Vista, or Windows Vista SP1 might
experience a fatal exception, displaying a blue screen with stop code 0x000000D1.
Microsoft has released a hotfix, available at http://support.microsoft.com/kb/955734
to address this issue. [#181457]
•
While installing or uninstalling network printers on computers running Windows Vista SP1
or Windows Server 2008, handle leaks and memory leaks might occur on the Printer
Spooler service. Microsoft has released a hotfix, available at
http://support.microsoft.com/kb/955560 to address this issue. [#180064]
•
When logging on to or off from a Windows Server 2008 terminal server over RDP, a leak
in the non-paged pool memory might occur. Microsoft has released a hotfix, available at
http://support.microsoft.com/kb/950086 to address this issue. [#179306]
•
Using keyboard shortcuts to open the Properties dialog box on a computer running
Windows Server 2008 can cause the Terminal Services Configuration to exit
unexpectedly. For a workaround, see http://support.microsoft.com/kb/953460.
[#175186]
•
Customized permissions for folder or file objects that are located on the desktop of a
roaming profile are not retained at logoff. Microsoft has released a hotfix, available at
http://support.microsoft.com/kb/968333 to address this issue. [#199555]
•
Logons to computers running Windows Server 2008 might take a long time. If you are
affected by this issue, go to
http://technet.microsoft.com/en-us/library/cc749438.aspx for more information.
[#183343]
Application Streaming Feature
Installation issues
•
By default, you cannot install the XenApp Plug-in for Streamed Apps and Streaming
Profiler 1.2 for Windows on Microsoft Vista Home Edition and XP Home Edition operating
systems. For supported platforms, refer to the Installation Checklist in Citrix eDocs. For
more information and a possible (unsupported) workaround, see
http://support.citrix.com/article/CTX118086.
Profiling issues
•
To profile and stream Microsoft Office 2007 applications, see the best practices at
http://support.citrix.com/article/CTX118204.
•
To enhance the security of application streaming to desktops, see a white paper at
http://support.citrix.com/article/CTX110304.
•
To profile and stream Microsoft Office applications to Windows Server 2003 operating
systems, install the Windows Data Execution Prevention (DEP) hotfix on the server and
profiling workstation. For information, go to http://support.microsoft.com/kb/931534.
[#192147]
•
Profiling Microsoft Input Method Editor (IME), which is included with Microsoft Office, is
not supported. You can create a profile for Microsoft Office that includes the IME
without errors, but the IME is disabled and cannot be launched. To prevent users from
attempting to launch the IME, exclude it when profiling Microsoft Office. [#180338]
•
If you create a profile for Microsoft Office 2003 with Service Pack 3, restart the
profiling workstation before creating a profile for Office 2007 with Service Pack 1. If
you do not restart the workstation, the installation of Office 2007 with Service Pack 1
fails. [#194170]
•
Changing the security level of a profile containing both 32-bit and 64-bit operating
systems fails with an unhandled exception. This is a known issue with no workaround.
When creating a profile with targets of mixed operating systems, consider the security
setting that you select to be final. However, if you must change the security setting,
create the profile again. Alternatively, create separate profiles for 32-bit and 64-bit
targets. [#197560]
General streaming issues
•
When client devices stream applications profiled with enhanced security, users might
see a warning or error message. For example, this occurs when streaming Microsoft
Outlook 2007 to Vista and Windows Server 2008 platforms (32-bit or 64-bit) for the first
time, when streaming OneNote 2007 and attempting to write with the pen in the first
Notebook, or when streaming Microsoft Access 2007 to Vista platforms (32-bit or 64-bit)
for the first time and starting a pivot chart view of database tables.
In most cases, when users clear the error message, the application runs normally. You
can also check the Event Viewer log on the user computer for more information about
the profiled application. You may or may not need to reprofile the application.
[#172569, 175513, 175464]
•
When users stream Microsoft Excel 2007 and attempt to open a customized template,
an error might display saying that the file location is unavailable. This issue occurs
because Excel uses explorer.exe (running on the client desktop) to locate directories of
saved files, but the virtualized application and files do not exist on the client device.
[#192052]
To prevent this issue, use the following script to run explorer.exe within the isolation
environment on the client device. Add the script either after profiling Excel 2007 or as
a pre-launch script running inside isolation in the profile:
On Windows Server 2008 or Vista operating systems:
Reg.exe delete HKEY_CLASSES_ROOT\Folder\shell\explore\command /v DelegateExecute /f
Reg.exe add HKEY_CLASSES_ROOT\Folder\shell\explore\command /ve /t REG_EXPAND_SZ /d "%SystemRoot%\Explorer.exe /n,/separate,/e,/idlist,%I,%L" /f
On Windows XP operating systems:
Reg.exe delete HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec /f
Reg.exe add HKEY_CLASSES_ROOT\Folder\shell\explore\command /ve /t REG_EXPAND_SZ /d "%SystemRoot%\Explorer.exe /n,/e,/idlist,%I,%L" /f
•
When the following combination of conditions exist, applications configured for HTTP
protocol fail to stream through an HTTP site: Anonymous access is disabled, the
authentication method is set to Integrated Windows Authentication in IIS, and users are
not logged in as a domain user. In this situation, the XenApp Plug-in for Streamed Apps
does not prompt for credentials, and the application does not launch. As a workaround,
ensure that users are members of the Domain Users group. [#189503]
•
When users stream Microsoft Word 2007 to client desktops or servers and save
documents, the application listed in Windows Explorer displays an unexpected "Type."
For example, if users save a file as .docx, in Explorer the Type column displays "DOCX
file" instead of the expected "Microsoft Office Word Document." There is no workaround
for this issue. [#191807]
•
When using legacy profiles created from releases prior to XenApp 5.0 that contain
multiple applications all enabled for offline access, some applications in the profile
might not receive updated files immediately. As a result of this issue, users might
continue using outdated files until they launch the first application in the profile. This
issue does not occur for profiles created using this release.
To fix this issue for legacy profiles, first, run RadeDeploy.exe /enum and note the exact
names of the applications in the profile. Then, for each application in the profile, run
RadeDeploy.exe /delete:"Application name" where "Application name" is the exact
name you noted. This command removes any registry entries residing on the client
device for the applications. When users re-launch the applications, they all receive
updates as soon as you send them. [#193953]
•
When streaming any Office application to a Microsoft Vista platform, users cannot
delete a file using the Open File dialog box. Attempting to do so causes an error message
stating that the recycle bin is corrupted. If this occurs, users can disregard this
message. The recycle bin is neither corrupted nor related to the Office application.
[#172666]
•
To profile and stream applications that require the Microsoft Visual C++ 2005 or 2008
Redistributable Package, you must first install the redistributable package on the
profiling workstation and client devices. For example, to stream Citrix EasyCall 2.0
using XenApp Plug-in for Streamed Apps 1.2 (included in this release), you must first
install the Microsoft Visual C++ 2008 Redistributable Package on the profiling
workstation before you profile the application, and then install it on the client devices
that will stream the application. This redistributable is available from the Microsoft
Visual Studio Web site. [#199848, 202582]
Third-party issues
•
The Adobe Shockwave Player Version 10.2 plug-in for Internet Explorer cannot be
profiled successfully for Microsoft Windows XP 64-bit operating systems due to a
third-party issue. This issue does not occur on 32-bit platforms if the August 2007
Windows update is installed.
As a workaround, manually create the empty directory structure on the physical root of
the profiling workstation: "\windows\system32\macromed\Shockwave 10" and start the
installer again. [#170481]
Resource Manager
•
The Resource Manager interface does not appear in the Citrix XenApp Advanced
Configuration tool. For farms that include servers running earlier releases of Citrix
XenApp, selecting the Resource Manager node of the Advanced Configuration tool
displays the message "Resource Manager for Citrix XenApp is not installed. Please
reinstall Resource Manager on a server in this farm to enable this functionality." The
Resource Manager tools do not appear. [#176106]
To fix this problem, install the appropriate hotfix:
•
For computers running Presentation Server 4.5, install Hotfix PSE450R01W2K3035
(or a hotfix that replaces it)
•
For computers running Presentation Server 4.5 x64 edition, install Hotfix
PSE450R01W2K3X64019 (or a hotfix that replaces it)
Secure Gateway
•
The Citrix Secure Gateway service fails to start if the installed certificate's
Distinguished Name (DN) of the server contains a non-English (EN) or extended
character. The Windows event log might contain a message indicating that the Common
Name (CN) does not match the DN or server name of the virtual host. Ensure that you
are not using the extended character set in the server name. [#191888, 192314]
•
The Advanced options of the Secure Gateway Configuration wizard enable you to
exclude computers such as load balancers from creating event log entries (known as
logging exclusion). At this time, the IP address field in the Logging Exclusions dialog box
accepts IPv4 addresses only. [#193725]
To prevent those computers with IPv6 addresses from creating log entries:
1. Stop the Secure Gateway service (from the Services control panel or the Secure
Gateway Management Console).
2. Open the C:\Program Files\Citrix\XTE\conf\httpd.conf file with a text editor and
add the following entry for each computer to exclude:
SetEnvIf Remote_Addr ^IPV6-address$ nolog=IPV6-address
where IPV6-address is the IPv6 address of the computer to exclude.
3. After saving and exiting the file, restart the Secure Gateway service (from the
Services control panel or the Secure Gateway Management Console).
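The following is an added example, not part of the Citrix readme: it generates the httpd.conf entries from step 2 for a list of IPv6 hosts and checks that each anchored pattern excludes only the intended address, so no other host silently drops out of the event log. The addresses are constructed documentation-range values, the function names are hypothetical, and the lowercase compressed address form is an assumption to confirm against an existing log entry.

```python
import ipaddress
import re

# Constructed sample input: documentation-range (2001:db8::/32) addresses
# standing in for two load balancers, written the way an inventory might list them.
LOAD_BALANCERS = [
    "2001:0DB8:0000:0000:0000:0000:0000:0010",
    "2001:db8:0:1::a",
]


def normalize_ipv6(address):
    """Validate an IPv6 address and return its lowercase compressed text form.

    Assumption: the server reports Remote_Addr in this form. Confirm against
    an existing log entry before relying on it.
    """
    address = address.strip()
    if "%" in address:
        raise ValueError(f"{address!r} carries a zone ID, which this example does not handle")
    ip = ipaddress.ip_address(address)  # raises ValueError on malformed input
    if ip.version != 6:
        raise ValueError(f"{address!r} is IPv4; the Logging Exclusions dialog box accepts it")
    if ip.ipv4_mapped is not None:
        raise ValueError(f"{address!r} is IPv4-mapped, which this example does not handle")
    return ip.compressed


def setenvif_line(address):
    """Return one entry in the form the readme gives for step 2."""
    text = normalize_ipv6(address)
    # Compressed IPv6 text holds only hex digits and colons, so nothing in it
    # needs regex escaping. The ^ and $ anchors are what limit the match.
    return f"SetEnvIf Remote_Addr ^{text}$ nolog={text}"


def build_entries(addresses):
    """Return one entry per distinct address, preserving input order."""
    seen, entries = set(), []
    for address in addresses:
        line = setenvif_line(address)
        if line not in seen:
            seen.add(line)
            entries.append(line)
    return entries


_ENTRY = re.compile(r"^SetEnvIf\s+Remote_Addr\s+(\S+)\s+nolog=\S+$")


def is_excluded(conf_lines, remote_addr):
    """Report whether any exclusion entry's pattern matches remote_addr.

    Used to review a set of entries before they go into httpd.conf: an
    address that is not on the exclusion list must come back False.
    """
    for line in conf_lines:
        match = _ENTRY.match(line.strip())
        if match and re.search(match.group(1), remote_addr):
            return True
    return False


if __name__ == "__main__":
    for entry in build_entries(LOAD_BALANCERS):
        print(entry)
```

An entry written without the `^` and `$` anchors also matches longer addresses that contain the excluded one, which `is_excluded` reports when run over the lines before the service is restarted.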
SmartAuditor
•
When uninstalling the SmartAuditor Agent, a known Microsoft issue causes the
SmartAuditor Agent .msi file (published by Citrix) to be identified incorrectly as a
program from an unidentified publisher. A User Account Control warning appears
indicating an unidentified program wants to access your computer. In the warning
window, select "Allow" to continue uninstalling SmartAuditor Agent. [#194120]
•
SmartAuditor does not support Thin Wire 1.0 clients. If a Thin Wire 1.0 client connects
to a XenApp server on which SmartAuditor Agent is installed with session recording
enabled, a Winlogon error appears in the application Event Viewer of the computer
hosting the SmartAuditor Server. [#191515]
Documentation Errata
Getting Started with Citrix XenApp
In the Application Performance Monitoring topic of the Document Library (online help), the
guide incorrectly states that the EdgeSight 5.0 user interface is localized in English, French,
German, Spanish, and Japanese. For this release, the user interface as well as the
documentation are available in English only. [#196378]
Citrix XenApp Installation
•
In the Supported Languages topic of the Document Library (online help), the table
incorrectly states that there is a Russian edition of XenApp. However, this release of
XenApp is not translated into the Russian language. Instead, XenApp, English edition, is
supported on the Russian edition of Windows Server 2008, as stated in the same table.
[#196497]
•
In the Additional Feature Planning Before Setup topic of the Document Library (online
help), the bulleted list states that you can install the XenApp providers after Setup by
right-clicking the mps.msi. This is incorrect. To install the XenApp WMI Providers after
Setup, from the Control Panel, open Programs and Features, choose Citrix XenApp 5.0,
click Change, and then run the Repair option. [#197126]
•
The XenApp Installation Guide and help erroneously include a section "Enabling
Administrative Installations." Citrix does not currently support administrative
installations. This section has been removed from the current XenApp installation
documentation on Citrix eDocs. [#207273]
•
The XenApp Installation Guide contains incorrect version information for migrating a
farm data store from another database to an Oracle database and migrating a farm data
store from another database to an IBM DB2 database. In each of the following topics,
the correct information is:
Migrating a Farm Data Store to Oracle
Migration of a farm data store from another database to an Oracle database is
supported for the database versions listed in the following table.
Original database: Microsoft Access, SQL Server 2005 Express SP2, SQL Server 2005 SP2,
SQL Server 2008, IBM DB2 8.2, IBM DB2 9.5
Supported target database: Oracle 10.2.0.3, Oracle 11.1
Migrating a Farm Data Store to IBM DB2
Migration of a farm data store from another database to an IBM DB2 database is
supported for the database versions listed in the following table.
Original database: Microsoft Access, SQL Server 2005 Express SP2, SQL Server 2005 SP2,
SQL Server 2008, Oracle 10.2.0.3, Oracle 11.1
Supported target database: IBM DB2 8.2, IBM DB2 9.5
[#200053, #200211]
•
The Preparing Installations with Prepopulated Responses section contains the topic "To
create an administrative installation." The command line example in step 4 is missing
the TRANSFORMS parameter. The correct command line example is: msiexec /I <full
path to the new share point mps.msi> TRANSFORMS=<path to transform file> /L <full
path to log file location> /qb- [#204523]
Citrix XenApp Administration
•
Some documentation about printing states that the XPS-based Universal Printer driver is
the default Universal Printer driver. This is not correct. By default, XenApp uses the
EMF-based Citrix Universal Printer driver.
•
The topic "Managing Printer Drivers" in the Citrix XenApp Administrator's Guide makes
the following incorrect statement:
"If the driver cannot be installed using Windows drivers, XenApp attempts to download
the driver from the print server. However, if the print server is a 32-bit server and the
XenApp server is a 64-bit system, the driver might not work."
The correct statement is:
"XenApp does not download drivers, including printer drivers, from the print server."
[#198724]
•
The topic "Managing Printer Drivers" in the Citrix XenApp Administrator's Guide makes
the following misleading statement:
"However, if the print server is a 32-bit server and the XenApp server is a 64-bit system,
the driver might not work. As a workaround, you can use either two print servers - one
32-bit and one 64-bit - or use the Citrix Universal printer driver exclusively."
The correct statement is:
"For XenApp servers to print across the network printing pathway, the correct
device-specific printer driver for the XenApp server's operating system (version and bit
depth) must be installed on the XenApp server. Two print servers are not required."
When using the network printing pathway, issues can arise if the driver on the XenApp
server and the driver on the print server, including driver names, do not match exactly.
Note: Some Windows Server 2008 and Windows Vista native or "in-box" printer drivers
have slightly different names than their Windows Server 2003 and Windows XP
counterparts. In environments where the XenApp server operating system differs from
that on the print server - either by version or bit depth - carefully compare printer
driver names in both operating systems and ensure they match. For example, if the
name of the driver on a Windows Server 2003, 32-bit print server does not match that
of the Windows Server 2008 driver on the XenApp, 64-bit server, install the appropriate
Windows Server 2008, 64-bit driver on the XenApp server. [#198724]
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, Florida 33309 USA
954-267-3000
http://www.citrix.com
Copyright © 2008 Citrix Systems, Inc.
Installation Checklist
Version: 1.4
This document lists support and prerequisites for installing Citrix XenApp 5.0 for Microsoft
Windows Server 2008. It includes information such as operating systems on which the
feature is supported, disk space and memory requirements, plus other required software
and where it can be obtained.
This checklist covers the following items:
•
General Information
•
License Server
•
License Management Console
•
XenApp 5.0 for Microsoft Windows Server 2008 (32-bit)
•
XenApp 5.0 for Microsoft Windows Server 2008 (64-bit)
•
Access Management Console
•
XenApp Advanced Configuration
•
Data Store Database
•
Web Interface
•
Citrix XenApp Plugin for Hosted Apps for Windows
•
Citrix XenApp Plugin for Streamed Apps and Streaming Profiler
•
SmartAuditor
Finding Other Documentation
Welcome to Citrix XenApp (Read_Me_First.html), which is included on the installation
media, contains links to documents that will help get you started, and guide you through
the XenApp installation. It also contains links to the most up-to-date documentation for
XenApp and its components, plus related technologies. After installing documentation and
help from Autorun, you can access this document by clicking Start > All Programs > Citrix >
XenApp Server > Documentation.
The Knowledge Center, http://support.citrix.com, contains links to all documentation.
Known issues information is included in the product readme.
See Getting Started with Citrix XenApp 5.0 for Windows Server 2008 for information about
which features are supported in the XenApp editions.
Read_Me_First.html and the Knowledge Center contain links to documentation for XenApp
Platinum Edition features that are not covered in this checklist, such as Citrix Password
Manager, Citrix EdgeSight for XenApp, and Citrix Access Gateway.
General Information
•
The installation of certain XenApp features and components requires Microsoft Windows
Installer (MSI) 3.1. The Microsoft Windows Server 2008 system has MSI 3.1 installed. On
other supported systems, if MSI 3.1 is not already installed, Autorun installs it, except
as noted.
•
During XenApp installation, Autorun automatically installs other software. If you later
uninstall this software, some XenApp features may not work properly. If you need to
reinstall this software, it is in the Support folder on the XenApp installation media.
•
Certain components require the Java Runtime Environment (JRE) Version 1.6.0_5 (also
known as Version 6, Update 5). The 32-bit JRE 1.6.0_5 package is available from
http://www.java.com. Uninstall any previous versions of JRE before installing the
32-bit JRE 1.6.0_5 package.
Important:
•
Both 32-bit and 64-bit systems require the 32-bit version of the JRE - even on
64-bit systems the 32-bit version must be installed.
•
The product installation proceeds even if an incompatible version of the JRE is
installed, but a warning is not issued in all cases: When you install the product on
top of Version 1.7.x (or later) of the JRE, a warning is issued; a warning might not
be issued when you install the product on top of other incompatible versions of JRE.
•
Autorun requires administrator privileges to install Citrix products.
•
If any of the prerequisites are not met for a feature, Autorun reports a fatal error but
continues to install those features whose prerequisites are met.
•
To use Autorun to install applicable XenApp components on a Windows 2000 system,
before you begin the installation, obtain the gdiplus.dll file from the Microsoft Web site
at http://www.microsoft.com/downloads/details.aspx?familyid=6A63AB9C-DF12-4D41-933C-BE590FEAA05A&displaylang=en.
Download and run gdiplus_dnld.exe on the local server and copy gdi
winnt\system32 folder. Then start Autorun.
•
The following Citrix commands do not work correctly in XenApp 5.0 for Windows Server
2008:
•
query citrix
•
query farm
•
query server
Instead, the following error message appears when you run these commands:
Invalid parameter(s)
The issue results from a design change in Windows Server 2008 and in Windows Vista
SP1 that prevents the XenApp installer from modifying the values of some subkey
entries of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\Utilities\query as necessary. To prevent this issue, Citrix recommends that you
install Microsoft Hotfix 958652, available from http://support.microsoft.com, before
installing XenApp 5.0.
•
XenApp 5 for Windows Server 2008 supports both 32-bit and 64-bit editions of the
Windows server in the same farm.
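A pre-install check for the JRE and Hotfix 958652 prerequisites listed above, as an added PowerShell example that is not part of the Citrix documentation. It assumes the JRE registers under the standard JavaSoft registry key with 1.6.0_5 recorded as 1.6.0_05, and that WMI reports the hotfix as KB958652; run it on the Windows Server 2008 system before starting Setup.

```powershell
# Added example (not Citrix code): pre-install check for two prerequisites above.
# Assumptions: the JRE registers under the JavaSoft registry key, build 1.6.0_5
# appears there as "1.6.0_05", and WMI lists the hotfix as "KB958652".
$RequiredJre = '1.6.0_05'
$HotfixId    = 'KB958652'
$JreSubKey   = 'JavaSoft\Java Runtime Environment'

function Get-JreVersions([string]$SoftwareRoot) {
    # Returns full version names such as "1.6.0_05"; skips the family alias key ("1.6").
    $key = Join-Path $SoftwareRoot $JreSubKey
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { $_.PSChildName } |
            Where-Object { $_ -match '^\d+\.\d+\.\d+' }
    }
}

# A 32-bit process always sees the 32-bit registry view at HKLM:\SOFTWARE.
# A 64-bit process finds 32-bit software under Wow6432Node instead.
if ($env:PROCESSOR_ARCHITECTURE -eq 'x86') {
    $jre32 = @(Get-JreVersions 'HKLM:\SOFTWARE')
    $jre64 = @()   # the 64-bit view is not visible from a 32-bit shell
} else {
    $jre32 = @(Get-JreVersions 'HKLM:\SOFTWARE\Wow6432Node')
    $jre64 = @(Get-JreVersions 'HKLM:\SOFTWARE')
}

$problems = @()

# The required 32-bit build must be present on both 32-bit and 64-bit systems.
if ($jre32 -notcontains $RequiredJre) {
    $problems += "32-bit JRE $RequiredJre not found."
}

# Setup does not warn about every incompatible JRE, so list the others explicitly.
$others = @($jre32 | Where-Object { $_ -ne $RequiredJre })
if ($others.Count -gt 0) {
    $problems += "Other 32-bit JRE versions present (uninstall them first): " +
                 [string]::Join(', ', $others)
}

# A 64-bit JRE does not satisfy the requirement.
if ($jre64.Count -gt 0 -and $jre32 -notcontains $RequiredJre) {
    $problems += "A 64-bit JRE is installed (" + [string]::Join(', ', $jre64) +
                 "); it does not satisfy the 32-bit requirement."
}

# Hotfix 958652 must be in place before XenApp is installed, otherwise the
# query citrix / query farm / query server commands return "Invalid parameter(s)".
$hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
    Where-Object { $_.HotFixID -eq $HotfixId }
if (-not $hotfix) {
    $problems += "Microsoft Hotfix 958652 ($HotfixId) not found; install it before XenApp."
}

if ($problems.Count -eq 0) {
    Write-Host 'JRE and hotfix prerequisites look satisfied.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```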
License Server
The License Server is supported on all editions of the following Windows operating systems.
Citrix recommends you install the latest Microsoft Service Pack for the operating system.
•
Windows 2000 Server Family
•
Windows Server 2003 Family
•
Windows Server 2008 Family
MSI 3.x is required. If it is not already installed, you can install it manually from the
Support folder on the installation media or download it from Citrix.
License Management Console
Requirements:
•
Citrix License Server Version 11.5. You can find this version on the installation media or
download it from Citrix.
•
Minimum browser version: Internet Explorer 5.0.
•
Web servers:
•
Microsoft Internet Information Services (IIS) Version 5.0, 6.0, or 7.0. For Microsoft
Windows Server 2008, add the following roles, using the Server Manager: ASP.NET,
Windows Authentication security, and IIS 6 Management Compatibility.
•
Apache HTTP Server 2.0 (available from http://archive.apache.org/dist/httpd).
•
Servlet Engine - Tomcat 4.1.24 (included in the License Management Console
installation).
•
Sun Java Runtime Environment (JRE) 1.6.0_5, 32-bit version. See details in General
Information.
For more information, see Citrix Licensing 11.5-11.6 in eDocs.
XenApp 5.0 for Microsoft Windows Server 2008 (32-bit)
XenApp 5.0 for Microsoft Windows Server 2008 is supported on all Windows Server 2008
editions that support Terminal Services, except the Web Server Edition and the Server Core
Edition.
Requirements:
•
Add the following roles, using the Server Manager:
•
Terminal Services
•
Application Server
•
If sharing a port between the Citrix XML service and IIS, add the Web Server (IIS)
role and these role services: Security, Windows Authentication, IIS 6 Management
Compatibility and all its subcomponents, ISAPI Extensions, and ISAPI Filters.
•
Disk space: 400MB
During XenApp installation, an error message may appear, indicating mstlsapi.dll is missing.
Citrix recommends using the XenApp Plugin for Hosted Apps included with this release
(Version 11.x). If you want to use older plugins (clients) with XenApp 5.0 for Microsoft
Windows Server 2008, install a Microsoft hotfix on the server before installing XenApp. For
information, go to http://support.microsoft.com/kb/949914.
XenApp 5.0 for Microsoft Windows Server 2008 (64-bit)
The 64-bit edition of XenApp 5.0 for Microsoft Windows Server 2008 has the same
requirements as the 32-bit edition, with the following exceptions.
•
CPU (minimum): 64-bit architecture with Intel Pentium or Xeon family with Intel
Extended Memory 64 Technology, or AMD Opteron family, AMD Athlon 64 family, or
compatible processor. Windows HPC Server 2008 and Windows Server 2008 Standard
Edition support up to four processors per server. Windows Server 2008 Enterprise
Edition supports up to eight processors per server.
•
Suggested memory: 512MB RAM (minimum).
•
Disk space requirement: 4GB (minimum).
Access Management Console
By default, the Access Management Console is installed on the same computer where you
install XenApp. However, you can install and run it on a separate computer.
The Access Management Console is supported on the following Windows operating systems:
•
Windows Server 2008
•
Windows Server 2003 (Standard, Datacenter, and Enterprise editions)
•
Windows Server 2003, 32-bit edition, with Service Pack 2
•
Windows Server 2003, 64-bit edition
•
Windows Server 2003 R2, 32-bit edition
•
Windows XP Professional
•
Windows XP Professional, 32-bit edition, with Service Pack 3
•
Windows XP Professional, 64-bit edition, with Service Pack 2
•
Windows Vista (Business, Enterprise, and Ultimate editions), 32-bit and 64-bit editions,
with Service Pack 1
Requirements:
•
Microsoft .NET Framework 3.0 or 3.5
•
On Windows Server 2008 systems, add the .NET Framework role, using the Server
Manager
•
On other supported operating systems, if .NET Framework 3.0 or 3.5 is not already
installed, Autorun installs it, or you can install it manually from the
Support\dotNet30 folder on the XenApp installation media
•
Microsoft Data Access Component (MDAC) Version 2.6, if you want to run reports from
the summary database on farms using Microsoft SQL Server or Oracle Server as data
stores or summary databases
•
Microsoft Management Console (MMC) - For Windows Vista: MMC 3.0; for all other
supported Windows operating systems: MMC 2.0 or 3.0
•
Microsoft Visual C++ 2005 Redistributable Package, which is installed automatically by
Autorun
•
Disk space: 25MB.
During the installation of the Access Management Console, if you are not installing Citrix
Password Manager, you can ignore error messages related to missing prerequisites for the
Password Manager Console.
XenApp Advanced Configuration
By default, XenApp Advanced Configuration is installed on the same computer where you
install XenApp. However, you can install and run it on a separate computer.
XenApp Advanced Configuration is supported on the following Windows operating systems:
•
Windows Server 2008
•
Windows Server 2003
•
Windows Server 2003 R2
•
Windows 2000 Professional with Service Pack 4
•
Windows 2000 Server with Service Pack 4
•
Windows XP Professional, 32-bit edition, with Service Pack 3
•
Windows XP Professional, 64-bit edition, with Service Pack 2
•
Windows Vista (Business, Enterprise, and Ultimate editions) with Service Pack 1
Requirements:
•
Microsoft Visual C++ 2005 Redistributable Package, which is not installed automatically
by Autorun if you are installing only XenApp Advanced Configuration. You can install
this requirement from the folder Support\vcredist on the XenApp installation media.
•
Java Runtime Environment (JRE) Version 1.6.0_5, 32-bit version. See details in General
Information.
•
Disk space: 50MB.
Data Store Database
The following databases are supported for the farm data store. Unless otherwise noted,
versions are supported on 32-bit and 64-bit operating system editions. The required disk
space may increase with the number of published applications.
For detailed information, see http://support.citrix.com/article/CTX114501. Also, see the
database vendor documentation and the Citrix XenApp Installation Guide.
Microsoft Access
Microsoft Access Jet Database Engine for Windows Server 2008 is supported.
Requirements:
•
Disk space: approximately 50MB for every 100 servers. To accommodate automatic
backups, ensure the amount of free disk space is at least three times the size of the
Mf20.mdb database file.
•
Memory: 32MB of additional RAM if the server also hosts XenApp client connections.
Microsoft SQL Server 2005 Express Edition
Microsoft SQL Server 2005 Express Edition with Service Pack 2 for Windows Server 2008 is
supported.
Requirements:
•
Disk space: approximately 50MB for every 100 servers and 25 published applications in
the farm, plus 70MB for the database
•
Memory: 32MB of additional RAM if the server also hosts connections
Microsoft SQL Server
The following Microsoft SQL Server versions are supported (and verified for MDAC 2.8):
•
Microsoft SQL Server 2005 with Service Pack 2 for Windows Server 2003 with Service
Pack 2
•
Microsoft SQL Server 2005 with Service Pack 2 for Windows Server 2008
•
Microsoft SQL Server 2008 for Windows Server 2003 with Service Pack 2
•
Microsoft SQL Server 2008 Preview for Windows Server 2008
Requirements:
•
Disk space: approximately 100MB for every 250 servers and 50 published applications in
the farm.
•
A "temp" database on a partition with at least 1GB of free disk space and set to grow
automatically. Citrix recommends 4GB if the farm is large and includes multiple print
drivers.
•
An ODBC database client driver on each server that connects directly to the database.
Servers that connect indirectly (through another server running XenApp) do not require
an ODBC client driver.
IBM DB2
The following IBM DB2 versions are supported:
•
IBM DB2 Enterprise Version 8.2 for Windows Server 2003 with Service Pack 2. Supported
client version: 32-bit IBM DB2 9.5.
•
IBM DB2 Enterprise Version 9.5 for Windows Server 2008. Supported client version:
32-bit IBM DB2 9.5.
Requirements:
•
Disk space: approximately 100MB for every 250 servers and 50 published applications in
the farm.
•
An ODBC database client driver installed on each server that connects directly to the
database. Servers that connect indirectly (through another server running XenApp) do
not require an ODBC client driver.
Oracle
The following Oracle versions are supported:
•
Oracle Enterprise 10.2.0.3 for Windows Server 2003 with Service Pack 2. Supported
client version: 32-bit Oracle 11.1 and 10.2.0.3.
•
Oracle Enterprise 11.1 for Windows Server 2008. Supported client versions: 32-bit
Oracle 11.1 and 10.2.0.3.
Requirements:
•
Disk space: approximately 100MB for every 250 servers and 50 published applications in
the farm.
•
An ODBC database client driver installed on each server that connects directly to the
database. Servers that connect indirectly (through another server running XenApp) do
not require an ODBC client driver.
Web Interface
The Web Interface is supported on the following Windows operating systems:
•
Windows Server 2003, 32-bit and 64-bit editions, with Service Pack 2
•
Windows Server 2008, 32-bit and 64-bit editions
Requirements on Windows systems:
•
Citrix Access Management Console 4.8.
•
Add the Web Server (IIS) role, using Server Manager. On Windows Server 2008 systems,
enable the following role services under the Web Server (IIS) role: ASP.NET, IIS 6
Metabase Compatibility, Windows Authentication (for pass-through and pass-through
with smart card authentication), and Client Certificate Mapping Authentication (for
smart card authentication).
•
ASP.NET Version 2.0. This software is available from the Microsoft Windows Server 2008
installation media.
•
Microsoft Visual J#.NET Version 2.0 Second Edition (SE). The runtime installer is
included in the Support\Jsharp20 folder on the XenApp installation media.
•
Microsoft .NET Framework 3.5
•
On Windows Server 2008 systems, add the .NET Framework role, using the Server
Manager
•
On other supported operating systems, if .NET Framework 3.5 is not already
installed, Autorun installs it, or you can install it manually from the
Support\dotNet30 folder on the XenApp installation media
•
Disk space:
•
9.5MB for Access Management Console, Web Interface extension
•
6MB for the Web Interface without clients copied from the XenApp installation
media
•
120MB for the Web Interface with clients copied from the XenApp installation media
•
3.5MB for each Web Interface site you create (regardless of type)
You can also install the Web Interface on the Tomcat, Sun Java System Application Server,
and WebSphere for UNIX systems.
For more information, see the Web Interface Administrator’s Guide.
Citrix XenApp Plugin for Hosted Apps for Windows
The Citrix XenApp Plugin for Hosted Apps for Windows is supported on the following
Windows operating systems:
•
Windows Vista (Business, Enterprise, and Ultimate editions), 32-bit and 64-bit editions
•
Windows XP Professional, 32-bit and 64-bit editions
•
Windows XP Embedded
•
Windows Server 2008, 32-bit and 64-bit editions
•
Windows Server 2003, 32-bit and 64-bit editions
•
Windows 2000
The following browsers are supported (minimum versions):
•
Internet Explorer Version 5.0
•
Mozilla Firefox Version 1.0
Requirements:
•
VGA or SVGA video adapter with color monitor
•
Windows-compatible sound card for sound support (optional)
•
For network connections to the server farm, a network interface card (NIC) and the
appropriate network transport software
The following table lists the supported connection methods and network transports:
Protocol
Citrix XenApp
Citrix XenApp Web
Plugin
Program
Neighborhood
TCP/IP+HTTP
X
X
X
SSL/TLS+HTTPS
X
X
X
TCP/IP
X
X
For more information, see the XenApp Plugin for Hosted Apps Administrator’s Guide.
For information about clients for other operating systems, go to http://support.citrix.com.
Citrix XenApp Plugin for Streamed Apps and Streaming Profiler
The Citrix XenApp Plugin for Streamed Apps and the Streaming Profiler are supported on
the following Windows operating systems:
•
Windows XP Professional
•
Windows XP Professional, 32-bit edition, with Service Pack 3
•
Windows XP Professional, 64-bit edition, with Service Pack 2
•
Windows Server 2003
•
Windows Server 2003 (Standard, Enterprise, and Datacenter editions), 32-bit and
64-bit editions, with Service Pack 1 or 2
•
Windows Server 2003 R2, 32-bit and 64-bit editions
•
Windows Vista (Business, Enterprise, and Ultimate editions), 32-bit and 64-bit editions,
with Service Pack 1
•
Windows Server 2008, 32-bit and 64-bit editions
The profiler workstation and client computers must meet the following requirements:
•
Microsoft XML 2.0 installed (use Windows Update to ensure you installed all recent
Internet Explorer updates).
•
Standard PC architecture, 80386 processor or greater as required for the operating
system.
•
Administrator rights for the person installing.
•
To profile and stream Microsoft Office applications to Windows Server 2003 operating
systems, install the Windows Data Execution Prevention (DEP) hotfix on the server and
profiling workstation. For information, go to http://support.microsoft.com/kb/931534.
The profiler workstation must provide a run-time environment that is as close to your client
computer environment as possible:
•
If applications are Streamed to Client, the profiler workstation should be a similar
platform
•
The profiler workstation should also include standard programs that are part of the
company image, such as an antivirus program
The client computers must meet the following requirements:
•
A network connection to the server farm, such as a network interface card (NIC) and
the appropriate browser: Internet Explorer Version 6.0 or 7.0, Netscape Version 7.1, or
Firefox Version 1.0
•
.NET Framework 2.0, 3.0, or 3.5 installed to stream Microsoft Office 2007 programs or
to stream profiles enabled for inter-isolation communication
•
Manually uninstall any previous version of the Streaming Client and Program
Neighborhood Agent on client devices, and install the version included in this release:
•
If applications are Streamed to Client, client computers need both the Citrix
XenApp Plugin for Streamed Apps and XenApp Plugin for Hosted Apps installed
•
If applications are Accessed from a server, client computers need the XenApp Plugin
for Hosted Apps installed, but not the Citrix XenApp Plugin for Streamed Apps
SmartAuditor
Each SmartAuditor component has its own software requirements.
SmartAuditor Administration Components
The SmartAuditor Administration components (SmartAuditor Database, SmartAuditor Server,
and SmartAuditor Policy Console) can be installed on a single server or on different servers.
The SmartAuditor Administration components are not supported on Microsoft Windows
Server 2008.
SmartAuditor Database
•
The SmartAuditor Database is supported on the following Windows operating systems:
•
Microsoft Windows Server 2003 with Service Pack 2
•
Microsoft Windows 2000 with Service Pack 4
•
Requirements:
•
Microsoft SQL Server 2005 (Enterprise and Express editions) with Service Pack 2
•
.NET Framework Version 2.0 with Service Pack 1, Version 3.0 with Service Pack 1,
or Version 3.5
SmartAuditor Server
•
The SmartAuditor Server is supported on Microsoft Windows Server 2003 with Service
Pack 2.
•
Requirements:
•
.NET Framework Version 2.0 with Service Pack 1, Version 3.0 with Service Pack 1,
or Version 3.5.
•
If the SmartAuditor Server uses HTTPS as its communications protocol, SSL must be
installed. SmartAuditor uses HTTPS by default, and Citrix recommends you use
HTTPS.
•
Microsoft Message Queuing (MSMQ), with Active Directory integration disabled, and
MSMQ HTTP support enabled.
SmartAuditor Policy Console
•
The SmartAuditor Policy Console is supported on the following Windows operating
systems:
•
Microsoft Windows XP, 32-bit edition, with Service Pack 3
•
Microsoft Windows XP, 64-bit edition, with Service Pack 2
•
Microsoft Windows Server 2003 with Service Pack 2
•
Microsoft Windows Vista (Business, Enterprise, and Ultimate editions) with Service
Pack 1
•
The SmartAuditor Policy Console requires .NET Framework Version 2.0 with Service
Pack 1, Version 3.0 with Service Pack 1, or Version 3.5
SmartAuditor Agent
Install the SmartAuditor Agent on every XenApp server on which you want to record sessions
(after installing the XenApp 5.0 Platinum edition server software on the Microsoft Windows
Server 2008 system).
Requirements:
•
.NET Framework Version 3.0 with Service Pack 1, or Version 3.5
•
Microsoft Message Queuing (MSMQ), with Active Directory integration disabled, and
MSMQ HTTP support enabled
SmartAuditor Player
The SmartAuditor Player is supported on the following Windows operating systems:
•
Microsoft Windows XP, 32-bit edition, with Service Pack 3
•
Microsoft Windows XP, 64-bit edition, with Service Pack 2
•
Microsoft Windows Vista (Business, Enterprise, and Ultimate editions) with Service Pack
1
•
Windows Server 2003 with Service Pack 2 - this operating system is supported but not
recommended, due to the graphical nature and memory usage of the SmartAuditor
Player
The SmartAuditor Player requires .NET Framework Version 2.0, Version 3.0, or Version 3.5.
For optimal results, install SmartAuditor Player on a workstation with:
•
Screen resolution of 1024 x 768
•
Color depth of at least 32-bit
•
Memory: 1GB RAM (minimum) - additional RAM can improve performance on large files
http://www.citrix.com
Copyright © 2008 Citrix Systems, Inc.
Getting Started with Citrix XenApp
This section describes XenApp features and product naming.
For known issues in this release, see the Readme for Citrix XenApp 5.0 for Windows Server
2008.
For information about XenApp 5.0 for Windows Server 2003, see the Citrix XenApp 5.0 for
Microsoft Windows Server 2003 Upgrade Guide.
Before You Begin
This documentation provides information about Citrix XenApp 5 and includes information
about the XenApp 5 Feature Pack.
This documentation focuses primarily on XenApp 5 for Windows Server 2008. For more
information on XenApp 5 for Windows Server 2003, see CTX113699 and CTX116622.
New Product and Feature Names
Citrix has changed the name of its product line and several features.
Note: You might see previous product and feature names in documentation, user
interfaces, Web pages, and support materials.
This name | is the new name for
Citrix XenApp | Citrix Presentation Server
XenApp Advanced Configuration | Presentation Server Console
Citrix XenApp Plug-in for Hosted Apps, which contains the following plug-ins: Citrix XenApp (formerly Program Neighborhood Agent); Citrix XenApp Web Plug-in (formerly the Web Client); Program Neighborhood | Citrix Presentation Server Client
XenApp Plug-in for Streamed Apps | Citrix Streaming Client
Citrix XenApp Provider | WMI Provider
Citrix XenApp Management Pack | System Center Operations Manager and MOM Management Packs
Branch optimization | WAN optimization
Secure application access | SmartAccess
EasyCall voice services | EasyCall
Load testing services | EdgeSight for Load Testing
Provisioning services | Provisioning Server for Datacenters
Single sign-on | Single Sign-on powered by Password Manager
Profile management | Portable Profile Manager
Workflow Studio orchestration | Workflow Studio
Media Kit Contents
The media kit for XenApp for Microsoft Windows Server 2008 contains the following items:
•
Tab 1: Citrix XenApp 5.0 for Microsoft Windows Server 2008. This DVD includes XenApp
and all the component technologies for Advanced, Enterprise, and Platinum Editions,
32-bit and 64-bit.
•
Tab 2: Citrix XenApp 5.0 for Microsoft Windows Server 2003 on six CDs:
•
Platinum Edition
•
Platinum Edition 64-bit
•
Advanced and Enterprise Editions
•
Advanced and Enterprise Editions 64-bit
•
Components
•
Citrix Password Manager 4.6 with Service Pack 1
•
Tab 3: Citrix XenApp for Unix 4.0 with Feature Pack 1 (CD)
•
Tab 4: Resources
•
Document describing where to find information and downloads for the XenApp 5
Feature Pack
This release of Citrix XenApp 5.0 for Microsoft Windows Server 2008 includes the following
component and feature versions:
•
License Server 11.5
•
Web Interface 5.0.1
•
XenApp Plugin for Hosted Apps 11.0
•
Streaming Profiler 1.2 and XenApp Plugin for Streamed Apps 1.2
•
The Secure Gateway 3.1
•
XenApp Provider 5.0 and XenApp Management Pack 5.0
•
SmartAuditor 1.2
•
EasyCall 1.2
•
EdgeSight 5.0 (English only)
•
Access Gateway Standard Edition 4.5.8, Advanced Edition 4.5, and Enterprise Edition
8.1
•
Password Manager 4.6 with Service Pack 1
•
WAN Optimization for WANScaler 4.3
For information about getting the XenApp 5 Feature Pack, see the Release Notes for XenApp
5.0 Feature Pack.
Introducing Citrix XenApp 5
Citrix XenApp is a Windows application delivery system that manages applications in the
datacenter and delivers them as an on-demand service to users anywhere using any device.
XenApp reduces the cost of application management by up to 50 percent, increases IT
responsiveness when delivering an application to distributed users and improves application
and data security.
The XenApp documentation includes information about planning your deployment, including
farm concepts, configuration considerations, and access options.
XenApp Product Editions
XenApp 5 is released in three editions: Advanced, Enterprise, and Platinum. The following
chart identifies key features included, supported, or licensed in each edition. An asterisk (*)
indicates that an appliance must be purchased separately.
In the edition columns, numeric notations refer to expanded functionality or support in the
XenApp 5 Feature Pack.
•
1 - Feature is new to this edition
•
2 - Feature has enhanced functionality
•
3 - New feature or complementary capability
For more information about the XenApp 5 Feature Pack, see New Features, Capabilities,
and Changes in the XenApp 5 Feature Pack.
Feature | Advanced | Enterprise | Platinum
Hosted application delivery and presentation virtualization | Yes | Yes | Yes
Application streaming | Yes ¹ ² | Yes ² | Yes ²
EasyCall voice services | Yes ¹ | Yes ¹ | Yes
Workflow Studio orchestration | Yes ³ | Yes ³ | Yes ³
XenServer virtualization platform | Yes ³ | Yes ³ | Yes ³
Enterprise Management (Includes Resource Manager, Installation Manager, CPU/Memory Optimization, Health Assistant, XenApp Provider and Management Pack) | | Yes | Yes
Load testing services | | Yes ³ | Yes ³
Profile management | | Yes ³ | Yes ³
Provisioning services | | | Yes ³
SmartAuditor | | | Yes
Branch optimization * | | | Yes
Application performance monitoring | | | Yes
Secure application access * | | | Yes
Single sign-on | | | Yes ²
New Features and Changes in XenApp 5
XenApp 5 is designed to bring world-class application delivery to Windows Server 2003 and
Windows Server 2008 and optimize and enhance the Microsoft platform. To learn more
about XenApp 5 for Windows Server 2003, see CTX113699 and CTX116622.
Below are the new features and benefits added in XenApp 5.
Performance Improvements
XenApp 5 includes these significant overall performance improvements:
•
Farm scalability: Reductions in Independent Management Architecture (IMA) service
start time, discovery time, application resolution and enumeration time, and server
enumeration time.
•
Data store sizing: Reductions in installation time and XenApp Advanced Configuration
start time.
•
Single server scalability: With over 50 users launching applications simultaneously,
application launch time decreases by over 50 percent.
•
Application streaming: Significant improvements in application launch time on both
servers and laptops.
•
Single sign-on: Significant reductions of plug-in logon time for Active Directory and file
server central stores and of plug-in response time for Windows, Web, and Java
applications.
Enhanced Security
XenApp 5 provides the following security enhancements:
•
Support for Windows Server 2008 security enhancements, including Microsoft User
Account Control (UAC).
•
Citrix XenApp Plugin for Hosted Apps now supports IPv6 via the Secure Gateway feature
of XenApp. It provides the ability to connect to published applications from a pure
IPv6-only based network using the XenApp Plugin. It also improves connectivity and
mobility by supporting a higher number of client devices and their unique static IPv6
addresses.
•
Enhanced security (or “hardening”) of XenApp services. For example, new functionality
adds extended command-line parameter validation for applications launched by file
type association.
•
Support for Microsoft Data Execution Prevention (DEP) hardware and software
technology.
User Access and Experience
XenApp 5 provides the following enhancements to improve the experience of end users.
•
The XenApp Plugin for Hosted Apps and the Web Interface offer new features such as
Special Folder Redirection and ClearType font smoothing.
•
XenApp supports the Windows Vista Security Guide, including its Enterprise Client (EC)
and Specialized Security-Limited Functionality (SSLF) templates.
•
The Web Interface now supports any device that authenticates using the RADIUS
authentication protocol, including RADIUS servers.
•
The Web Interface application presentation has been redesigned to provide more
functionality and an enhanced user experience. For details, see the Web Interface
Administrator's Guide.
•
XPS Printing support. XenApp uses this printing specification in addition to the current
Enhanced Metafile Format (EMF) protocol.
•
Support for Philips SpeechMike USB devices. When setting up for digital dictation
devices, you can enable support for Philips SpeechMike USB devices.
Optimized Support for Media Software
XenApp 5 optimizes the latest releases of the following software:
•
SpeedScreen Flash Acceleration now supports Adobe Flash Player, Versions 8 to 10
•
Multimedia Acceleration now supports Windows Media Player 9, Windows Media Player
10, Real Player, and any DirectShow Based Media Players
•
SpeedScreen Browser Acceleration now supports Internet Explorer 6 and 7, Outlook
2003, and Windows Mail
Enhanced Documentation
XenApp 5 provides improved documentation:
•
A handy reference page, Welcome to Citrix XenApp, at CTX113391 (or
Read_Me_First.html on the installation media), with links to PDF guides on the Web.
This page is available from the Start menu. Alternatively, go to the Quick Links for
product documentation at CTX116089.
•
All documentation is now installed on your system by default in a searchable
centralized help system, known as the XenApp Document Library. From the Access
Management Console, use the Help menu to open the library. (Citrix eDocs may contain
more current information.)
Changes to Installation
For details about changes to Setup, see the XenApp installation documentation.
•
The XenApp Media Kit, which contains the installation media, is now on a DVD.
•
The XenApp Plugin for Hosted Apps is now an explicit option in the XenApp Setup
(mps.msi); it is no longer silently installed by XenApp Setup. If you are performing
installation using any method other than Autorun, you must install the plugin before
Setup; Setup fails without the plugin and you might not get a warning prompt if you are
performing a silent install.
•
Java Runtime Environment (JRE) is no longer installed by default or included in the
Support folder of the XenApp installation media. See the Citrix XenApp Installation
Checklist for details.
•
For unattended installations, the sequence of installation options has changed and some
Setup programs are no longer part of mps.msi.
•
The Access Management Console uninstaller now lets you uninstall all Access
Management Console components in a single removal task.
Changes for Resource Publishing and Delivery
For more detailed information, refer to the XenApp administration documentation.
•
The Microsoft Windows 2000 operating system is no longer supported for virtualizing or
streaming applications and resources.
•
Isolation environments are no longer configured in the Publish Applications wizard. The
application streaming feature is the recommended solution for delivering applications
that must be isolated. In particular, applications that are not compliant with Terminal
Services and applications that cannot socialize with others should be streamed so that
application isolation can be used. The application streaming feature allows you to
profile these applications individually and then publish them so they run in isolation
environments on user desktops or from a server. For more information about application
streaming enhancements, see the application streaming documentation.
•
Specifying CPU priorities exclusively for applications is no longer supported when
publishing applications. This option has been replaced by an application importance
level setting, which is used with the session importance policy setting to determine the
Resource Allotment for Preferential Load Balancing.
Changes to Features and General Changes
Before you install XenApp, note the following changes, which may change your farm
deployment or the operating systems of the servers on which you publish applications.
•
The English version of XenApp is now supported on Russian language operating systems.
The installation for the XenApp Plugin for Hosted Apps and the user interface for the
plugin and Web Interface include Russian language support.
•
Network Manager is no longer available to manage vendor-specific snap-ins for SNMP
network monitoring; the snap-ins for third-party products and instructions for their use
are now provided by the product vendors. You can continue to enable the SNMP agent
on supported platforms and use the Access Management Console to enable or disable
traps to be reported.
•
Installation Manager has been rewritten based on Windows Server 2008 Task Scheduler.
•
Conferencing Manager is no longer included as part of Citrix XenApp. Citrix recommends
using Citrix GoToMeeting instead.
•
Citrix has replaced its former Resource Manager monitoring and reporting tools with
Resource Manager powered by EdgeSight (Enterprise Edition) and EdgeSight for XenApp
(Platinum Edition).
•
If you are familiar with Presentation Server 4.5 monitoring and reporting
functionality, see Finding EdgeSight Documentation. This guide directs users to
documentation for their EdgeSight equivalent, where one exists.
•
For monitoring in a mixed farm environment, use Resource Manager in XenApp
Advanced Configuration as well as the Dashboard and Report Center features in the
Access Management Console to monitor computers running Presentation Server 4.5.
•
HP ProtectTools is not currently supported on XenApp 5 for Windows Server 2008.
•
Downgrading a server in your farm from XenApp 5 to Presentation Server 4.5 is not
supported.
New Features, Capabilities, and Changes in the XenApp 5 Feature Pack
The Citrix XenApp 5 Feature Pack extends the value of using XenApp 5 by enhancing current
features, adding new features and capabilities, and expanding feature support to other
XenApp editions.
The XenApp 5 Feature Pack is supported on the following XenApp versions:
•
XenApp 5 for Microsoft Windows Server 2008
•
XenApp 5 for Microsoft Windows Server 2003, with Hotfix Rollup Pack 3 installed
•
Citrix Presentation Server 4.5, with Hotfix Rollup Pack 3 installed
•
Citrix Presentation Server 4.5 with Feature Pack 1, with Hotfix Rollup Pack 3 installed
The following table lists the new and enhanced features and complementary capabilities in
the XenApp 5 Feature Pack.
Feature                            Advanced                               Enterprise                    Platinum
Application streaming              new to edition, offline support added  offline support added         offline support added
Workflow Studio orchestration      new feature                            new feature                   new feature
XenServer virtualization platform  new complementary capability           new complementary capability  new complementary capability
EasyCall voice services            new to edition                         new to edition                (previously supported)
Profile management                 -                                      new feature                   new feature
Load testing services              -                                      new feature                   new feature
Provisioning services              -                                      -                             new feature
Single sign-on                     -                                      -                             offline support added
See XenApp Feature Overview for descriptions. For installation information, see the Release
Notes for XenApp 5.0 Feature Pack.
XenApp Feature Overview
Citrix XenApp features enable users to access applications easily and increase productivity.
This section provides summary descriptions of several XenApp features.
Citrix has changed the names of several features. For details, see New Product and Feature
Names.
Important Information About Editions and Subscription Advantage
Certain features are supported in all XenApp 5 editions; others are supported in only
specific editions. See XenApp Product Editions for edition support information.
For a more comprehensive chart of the features in all editions and how XenApp 5 compares
to past editions, see the Citrix XenApp Comparative Features Matrix at
http://www.citrix.com/xenapp/comparativematrix.
Only customers with a current Citrix Subscription Advantage membership are allowed to
implement certain features. This includes many of the features in the XenApp 5 Feature
Pack.
Hosted Application Delivery and Features
Hosted application delivery is the process of delivering applications to users by first hosting
them on centralized servers in the data center, and then remotely displaying or presenting
them to user devices. Presentation virtualization occurs when the user connects to the
hosting server and the application is remotely displayed on their device in a seamless
fashion.
The following sections briefly describe the XenApp features that help facilitate hosted
application delivery. See the XenApp administration documentation for more information
about each feature, unless otherwise noted.
Load Management
Use Load Manager to set up, monitor, and balance the server and published application
loads in a server farm so that users can run the published applications they need quickly
and efficiently.
The criteria you define in Load Manager determine which servers are least busy and can
best run an application. When users launch published resources, Load Manager selects the
server that runs the application or desktop session, based on server load. Load Manager
ensures that each new session request is forwarded to a server that is not overloaded, thus
improving the user experience. For more information, see the Load Manager
documentation.
Preferential Load Balancing
Preferential Load Balancing provides preferential treatment for users and applications. This
feature enables you to prioritize a user group and applications based on pre-established
priorities. Use Preferential Load Balancing to assign higher or lower levels of XenApp service
to specific users, groups, and applications.
Users and applications with higher priorities and levels of service connect to their XenApp
sessions more quickly, experience more interactive ICA sessions, and have more computing
resources available to them.
CPU Utilization Management
CPU utilization management improves the ability of a farm or server to manage resources
and normalize CPU peaks when performance becomes limited by CPU-intensive operations
(Enterprise and Platinum Editions only). Depending on your XenApp edition, you can enable
Fair Sharing or Preferential Load Balancing.
Resource Management
For the XenApp Enterprise Edition, a new Resource Manager improves monitoring and
reporting capabilities with session-level performance counters, multivariable alert
capabilities, a vast library of pre-configured and customizable reports, and integration with
Health Assistant.
To locate the EdgeSight documentation needed to transition to this release of Resource
Manager, see Finding EdgeSight Documentation.
Health Assistant
The Health Monitoring and Recovery service monitors the health of many XenApp features
and reports failures. You can configure this utility to stop accepting new connections or
take the server offline if it detects a problem, thereby optimizing the end-user experience.
SNMP Monitoring
XenApp supports Simple Network Management Protocol (SNMP) monitoring and integration
with third-party SNMP network management products. Via this support, third-party
applications can monitor server status, terminate processes on servers, disconnect, log off,
or send messages to users, and query server activity.
The XenApp administrator enables SNMP monitoring on the XenApp servers, and indicates
the traps to be monitored.
XenApp Provider and XenApp Management Pack
Working together, the XenApp Provider for Microsoft Windows Management Instrumentation
(XenApp Provider) and the XenApp Management Pack for Microsoft Operations Manager and
System Center Operations Manager (XenApp Management Pack) enable you to monitor the
health and availability of farms. This feature enables integration with Microsoft monitoring
tools to anticipate and react quickly to any problems.
For more information, see the Management Pack and Managing Providers documentation.
Application Streaming
Application streaming centralizes the management of desktop applications and isolates and
streams them to users without application and system conflicts. When you publish
applications for streaming to user desktops, users access the application from the file share
or Web server and stream it to their user devices. Streamed applications are cached on the
local user device and run within an isolation environment, which prevents conflicts with
locally installed applications. You must prepare applications for streaming using the
Streaming Profiler. Users install the Citrix offline plug-in locally to stream applications to
their user devices.
Application streaming provides the following benefits:
•
Applications run on the local Windows user device. Streamed applications can use
system resources on the user device, not the XenApp server.
•
Update applications centrally. Deliver upgrades or patches efficiently and seamlessly
to user devices the next time they access the application.
•
Isolation environments. Run applications within protected isolation environments on
user devices, which prevents conflicts with other applications installed locally.
•
Application caching. Configure the option for caching files on the user device to allow
faster access the next time the application is launched.
•
Dual-mode streaming. Configure a fall-back method for application delivery in case
user devices do not support streaming.
•
Offline access. Allow users to continue running streamed applications after
disconnecting from the network.
•
Inter-isolation communication. Link individual profiles so that applications in separate
profiles can communicate with each other when launched on the user device.
•
Support for Citrix Receiver. Deploy and update the offline plug-in using Citrix
Receiver.
•
Sandbox reuse. Improves application launch time for applications from a single profile
by launching them in the same sandbox. Sandboxes are left alive for five minutes
(configurable in the registry) after the last application terminates.
•
Isolation environment variables are now visible from pre-launch/post-exit scripts
run outside of isolation. This feature enables you to purge the per-user isolation space
before and after application use without using the RadeRunSwitches command.
Software for the most recent Citrix plug-ins is always available for download at
http://www.citrix.com/xenapp/clients.
Local desktop (offline) use of the application streaming feature is available to all XenApp
users who access hosted applications. This allows XenApp users to stream applications to
the desktop without requiring a separate license.
Important: Your use of application streaming to user devices included with XenApp is
limited to support users of XenApp hosted applications, and not other users.
Citrix Receiver and Merchandising Server
Citrix Receiver for Windows (Receiver) and Citrix Merchandising Server are components of
the Citrix Delivery Center solution that together enable you to deliver plug-ins to your
users. While Citrix Delivery Center provides the application delivery infrastructure to the IT
administrator, the Merchandising Server and the Receiver work together to streamline the
installation and management of plug-ins on users' desktops. The Receiver and the
Merchandising Server provide two very important features. First, the Merchandising Server
allows you to configure, deliver, and upgrade plug-ins for your users. Second, the Receiver
manages plug-in operations and configurations for your users.
The system consists of the Receiver application that is installed on your users' computers,
the Merchandising Server that is installed on a virtual machine in your data center, and the
Citrix Update Service that is hosted on Citrix.com. The Merchandising Server Administrator
Console is the interface on the Merchandising Server that you use to configure plug-ins and
schedule their delivery to your users. The Merchandising Server delivers the plug-ins and
their installation instructions to your users on the scheduled date.
Citrix Receiver simplifies application access and management for end users and
administrators by providing the following features:
•
Seamless installation. Your users install Receiver for Windows on their computers. If a
download is interrupted, the Receiver silently resumes the action when the connection
is restored. When installation is complete, the Receiver immediately installs the
scheduled plug-ins without requiring the user to enter any information. The Receiver
can even be installed from outside of the company firewall. The Receiver upgrades
itself automatically.
•
Manage connections to Delivery Services. The Receiver uses the Citrix secure access
plug-in to supply secure connectivity, enabling users to access work applications from
anywhere.
•
Simplified administration. The Merchandising Server enables you to deliver plug-ins to
all your users at once. The Merchandising Server retrieves plug-in updates from the
Citrix Update Service and presents the update list to you through the Administrator
Console.
•
Simplified installation and upgrade. The Merchandising Server virtual appliance is
delivered ready to import through your Citrix XenServer. Upgrades to the Merchandising
Server are imported directly through the Administrator Console.
XenServer Virtualization Platform
The Citrix XenServer virtualization platform provides open, powerful server virtualization
that reduces datacenter costs by transforming static and complex datacenter environments
into more dynamic, easy to manage server workload delivery centers. Based on the open
source Xen hypervisor, XenServer delivers a secure and mature server virtualization
platform with near bare-metal performance.
For more information, see the XenServer documentation.
Load Testing Services
The Load testing services feature provides an efficient and cost effective method of server
sizing and application load testing for XenApp environments. By simulating hundreds of
virtual Citrix users and monitoring the responsiveness of the system under test, it allows the
administrator to determine how the current configuration and hardware infrastructure will
support anticipated demand.
This load generating software solution enables XenApp administrators to:
•
Predict how systems will cope with high levels of user load
•
Deliver tried and tested application virtualization environments by simulating thousands
of users to identify system bottlenecks or application instability before systems go live
•
Reduce costs associated with change management and application regression testing;
reusable scripts simplify before and after comparison following application patches or
operating system updates
•
Assess new hardware; understand the capacity limits of different hardware types to
make informed purchasing decisions
•
Perform branch office application performance testing; create real traffic from remote
sites, ensuring bandwidth and server resources are available to deliver the best user
experience
Provisioning Services
The Provisioning services feature reduces total cost of ownership and improves both
manageability and business agility by virtualizing the workload of a datacenter server
(operating system, applications, and configuration) and streaming server workloads on
demand to physical or virtual servers in the network.
By delivering server workloads on demand rather than deploying them on individual servers,
the Provisioning services feature:
•
Simplifies and streamlines server management, and reduces software rollout risk
•
Delivers the operating system, applications, and server configuration information in a
real time stream, maximizing performance and minimizing network load
•
Assures server consistency by provisioning servers simultaneously from a single standard
image
•
Increases IT responsiveness and agility by enabling capacity on demand; repurpose any
server to do any job
•
Reduces utility costs and space needs by lowering the number of backup servers needed
to support disaster recovery and business continuity
•
Risk-free server workload rollout - rollback to a previous working image in the time it
takes to reboot
•
Built-in support for redundant servers, networks, and databases
Important: Your use of the Provisioning services feature included with the Platinum
Edition of XenApp is limited to provisioning only XenApp Platinum Edition workloads.
Profile Management
The Profile management feature provides an easy, reliable way for managing user
personalization settings. Profile management saves these settings during logoff to the user
store for each user. If the file already exists (the most common case), the changes from the
current session are merged with the existing settings. At logon, if a locally cached profile
exists, the two sets are synchronized.
Local desktop use of the Profile management feature is available in XenApp Enterprise and
Platinum Editions for all users who access hosted applications.
Service Monitoring
Service monitoring is an end-to-end performance and resource management solution for
users and servers running XenApp. It monitors user sessions and server performance in real
time, allowing you to analyze, resolve, and proactively prevent problems quickly.
The application performance monitoring feature includes:
•
Service level monitoring, with the ability to synthesize user tasks and monitor their
execution time, providing feedback on application performance and availability as
experienced by end-users.
•
Farm-wide monitoring, including a tree view of the entire farm structure, visual
detection of errors, and visual flags for devices with alerts.
•
Server availability and session reliability monitoring.
•
Health check alert displays.
•
Suite Monitoring and Alerting (SMA) that provides log entries and alerts.
SmartAuditor
SmartAuditor uses flexible policies to trigger recordings of XenApp sessions automatically.
This enables IT to monitor and examine user interaction with applications, such as financial
operations and healthcare patient information systems, demonstrating internal control,
thus ensuring regulatory compliance and successful security audits. Similarly, SmartAuditor
also aids in technical support by speeding problem identification and time-to-resolution.
Secure Application Access
The Secure application access feature empowers users with easy “anywhere” access and
provides administrators market-leading application-level control. With a single point of
control and market-leading application-level control, it provides administrators with better
risk, security, and compliance management, while boosting user productivity by optimizing
access for each user, network, and device.
Branch Optimization
XenApp accelerates and optimizes application delivery to any remote or mobile user,
whether the task is receiving a streaming application, running remotely using XenApp, or
doing other tasks over the network. These advanced acceleration features give your remote
users in-office performance wherever they are.
This feature requires the purchase of one or more Citrix WANScaler appliances.
Single Sign-on
The Single sign-on feature is an enterprise-class solution that provides secure and managed
access to Windows, Web, and terminal emulator applications running in the Citrix
environment as well as local applications on the desktop of XenApp Platinum Edition.
Users authenticate once and the Single sign-on feature does the rest, automatically logging
on to password-protected information systems, enforcing password policies, monitoring all
password-related events, and even automating user tasks, including password changes.
Local desktop (offline) use of the Single sign-on feature is available to all XenApp Platinum
Edition users who access hosted applications. Locally installed instances of the Password
Manager plug-in in a XenApp Platinum Edition environment do not require a separate
license.
Important: Your use of the Single sign-on feature on end-user devices (or clients or
machines) included with the Platinum Edition of XenApp is limited to support users of
XenApp Platinum hosted applications, and not other users.
EasyCall Voice Services
EasyCall voice services embeds communications directly into applications that are delivered
using XenApp or deployed on the desktop. The EasyCall voice services Agent enables a
computer user to hover over any phone number in published, streamed, or installed
Windows applications and have that number automatically dialed for them. The user simply
hovers the mouse over the number and clicks a button to start the call or even initiate a
conference from any telephone (desk, mobile, and home).
Important: Your use of the EasyCall voice services feature on end-user devices (or clients
or machines) included with XenApp is limited to support users of XenApp hosted
applications, and not other users.
Workflow Studio Orchestration
Citrix Workflow Studio orchestration is an infrastructure process automation platform that
enables you to transform your data center into a dynamic delivery center. It natively
supports Citrix products including XenApp, XenDesktop, XenServer and NetScaler. Built on
top of Windows PowerShell and Windows Workflow Foundation, Workflow Studio
orchestration provides an easy-to-use, graphical interface for workflow composition that
virtually eliminates scripting. Workflow Studio orchestration acts as the glue across the IT
infrastructure, allowing administrators to easily tie technology components together via
workflows.
Customers may want to review the available activity libraries and workflows as they are
released to determine when this feature will meet their needs.
Getting Up and Running with XenApp 5
This section provides high-level guidance for installing XenApp 5 for Windows Server 2008.
This information is not comprehensive; for complete information, see the XenApp
installation documentation.
Using XenApp to Manage Applications
Preparing and Publishing Applications
With XenApp, you can deliver:
•
Streamed applications installed in application profiles and stored on a file server. Users
access the profile and virtualize the applications on their user devices.
•
Applications installed on servers running XenApp. When users access them, the
published applications appear to be running locally on user devices.
•
Data files such as Web pages, documents, media files, spreadsheets, and URLs. In
XenApp, the combined total of data types you publish is referred to as content.
•
Server desktops that publish the entire Windows desktop of a server in the farm.
To use the application streaming feature, you package applications into profiles. A profile
contains one or more targets (a collection of disk files, registry data, and other information
that represents an application isolation environment), plus the metadata needed to stream
the profiled applications. Each target specifies a combination of operating system, service
pack level, system drive letter, and language. A profile can contain one or more
applications; for example, a single profile can contain Microsoft Word or the entire
Microsoft Office suite.
When you publish an application, configuration information for the application is stored in
the data store for the server farm. Configuration information includes the types of files
associated with the application, users who can connect to the application, and the
importance level for load balancing.
See the XenApp administration section of eDocs for complete information about managing
delivery options for published resources, managing application properties, using virtual IP
addresses, and using the Publish Application wizard.
Accessing Applications
Citrix offers a variety of options for accessing applications. Additionally, you can customize
the user environments, as well as manage and optimize sessions.
•
Citrix Receiver for Windows. Citrix Receiver provides a simple way to download,
install, and update Citrix plug-ins.
•
Web Interface. The Web Interface can be used to create stand-alone Web sites for
access to published resources that you integrate into your corporate portal. The Web
Interface queries the server farms and dynamically creates an HTML page that can be
viewed with a Web browser. After logging on, users are presented with a customized
Web page containing a list of the published resources that you make available to them.
•
Citrix plug-ins. Citrix offers plug-ins for a wide range of user devices and platforms for
access to hosted applications. Application streaming also has its own plug-in. You can
use Citrix Receiver to manage several of these plug-ins; you can also manage plug-ins
individually.
You can customize the user environment through client-side session management properties
such as window size, number of colors, encryption level, and audio setting. To further
refine how users launch and access published resources, you can use content redirection
and XenApp policies.
Application Enhancements
XenApp offers a variety of features that complement and enhance application delivery. For
details, see XenApp Feature Overview.
Preparing to Create the Farm
Before you install XenApp, prepare the servers and install the preliminary components so
that the XenApp installation wizard can reference them. See the XenApp installation
documentation for details.
1. Citrix recommends installing Citrix XenApp on a fresh installation of Windows Server
2008. In particular, uninstall any XenApp components and Citrix License Server from
early releases, including the Beta and Release Preview.
2. Configure Windows Server 2008 for XenApp 5.
3. Install the system prerequisites on all XenApp servers. See the Installation Checklist
for details.
4. Install Certificate Services. Obtain the necessary certificates. Certificate Services
issues and manages SSL certificates within the domain to which the servers belong. A
certificate is required for use with the XenApp Single sign-on feature. As a best
practice, isolate evaluation systems from your production network environment. For
example, install an isolated Certificate Authority on the domain controller.
5. Install Citrix Licensing.
6. Install and configure the Web Interface. Install and configure this feature on one
server in the farm. For details, see the Web Interface documentation.
7. Install and deploy the XenApp Plug-ins for Hosted Apps and Streamed Apps. Whether
as part of Setup or separately, you must install, at a minimum, the client engine, which
is included in Clients\ica32\XenAppWeb.exe and provides the function for
pass-through client authentication. To stream applications from any server, even if you
are not streaming applications on this server, you must install the XenApp Plug-in for
Streamed Apps.
Licensing This Release
Important: The latest licensing documentation is available in the Technologies >
Licensing Your Product section of eDocs.
To run this release, update the license server to the most recent version. You can find
version 11.6.1 on the XenApp 5.0 Feature Pack 2 installation media; otherwise, you can
download the most recent version from the Citrix download site.
The most recent license server is always available for download at
http://www.citrix.com/english/ss/downloads/results.asp?productID=1679389.
Installing XenApp 5
For details about planning and installing XenApp 5, see the XenApp installation
documentation.
A typical installation comprises the following tasks:
1. On the initial Autorun page, choose the XenApp Edition.
2. Choose the installation category Application Virtualization.
3. From this category, the following pages appear:
•
The License Agreement page.
•
The Prerequisites Installation page. See the Citrix XenApp Installation Checklist for
details.
•
The Component Selection page. A sequence of separate Setup wizards guides you
through the installation of selected XenApp features. Note that Citrix Licensing is
disabled by default.
Depending on the components selected, some configuration options may not be available or
may appear in a different order:
•
Citrix Licensing (if enabled on the Component Selection page)
•
Pass-through authentication
•
Access Management Console
•
Web Interface (reference the preconfigured site or accept the default)
•
XenApp Plugins
•
XenApp farm
•
XenApp Advanced Configuration
•
Documentation
Citrix strongly recommends that you review the Setup instructions for these components in
their respective documentation before attempting their installation.
After installing XenApp and deploying your farm, continue by installing the additional
features required for your organization.
Installing Additional Features
The XenApp editions license some or all of the following additional features. Do not install
XenApp features on a domain controller.
Note: The following list includes high-level installation information; it is not
comprehensive. Use the feature documentation for installation guidance.
•
Application streaming. On a separate, clean workstation with an operating system
similar to that of your end-users, install the Citrix Streaming Profiler and use this
workstation to profile applications for streaming.
•
Single sign-on. Before installing the Password Manager plug-in from a command prompt
onto a Windows Vista or Windows Server 2008 computer, install the Microsoft Visual C++
2005 SP1 Redistributable Pack (x86) and Microsoft Visual C++ 2005 SP1 Redistributable
Pack (x64), available from the installation media in the Support/vcredist directory.
•
SmartAuditor. Install the SmartAuditor player on a Windows Vista or Windows XP device
only. The SmartAuditor Server and database cannot be installed on Windows Server
2008. As a best practice, do not install the SmartAuditor Server and database on the
same server as XenApp.
•
Application performance monitoring. Install this feature on a separate server. To
avoid errors in performance measurement, do not install the Application performance
monitoring database on any farm servers that will be hosting user sessions.
•
EasyCall voice services. Install the EasyCall plug-in and configure the EasyCall appliance
using documentation provided with the appliance (purchased separately). Install the
EasyCall plug-in on every XenApp 5 server or client device as required.
•
Secure application access. Depending on your Access Gateway edition, you can install
the plug-in from the appliance (purchased separately).
•
WANScaler. Install the WANScaler plug-in provided with this release and install and
configure the WANScaler appliance using documentation provided with the appliance
(purchased separately). The Branch optimization feature does not function with Access
Gateway Enterprise Edition.
Installing the XenApp 5 Feature Pack
For information about installing the XenApp 5 Feature Pack, see the Release Notes for
XenApp 5.0 Feature Pack.
Running Mixed Farms
A farm that runs multiple versions of XenApp is known as a mixed farm, or is said to run
in mixed mode.
For information about mixed farms, as well as upgrading or migrating to XenApp 5, see
CTX117913. The XenApp installation documentation contains additional information.
Planning Your XenApp Deployment
Review this planning information before installing the first XenApp server in your farm.
A typical process for planning a XenApp farm includes:
1. Becoming familiar with XenApp and XenApp Setup by creating a small, one-server or
two-server test farm.
2. Deciding which applications to deliver to users.
3. Determining how you want to deliver applications - this includes testing and evaluating
the applications and peripheral requirements.
4. Determining where to install the applications on XenApp servers and which applications
can be collocated.
5. Determining the number of servers you need for applications.
6. Determining the total number of servers you need for your farm and evaluating
hardware requirements.
7. Creating the network infrastructure design and defining the installation processes.
8. Creating a pre-production pilot farm based on your farm design.
9. Testing the pilot farm.
10. Releasing the farm into production.
Farm Terminology and Concepts
Terminology
The XenApp planning and installation documentation uses the following terminology.
Multi-user environment
An environment, including XenApp and Terminal Services, where applications are
published on servers for use by multiple users simultaneously.
Application servers
The farm servers that host published applications.
Infrastructure servers
The farm servers that host services such as the data store or the license server.
Typically, they do not host published applications.
Production farm
A farm that is in regular use and accessed by users.
Design validation farm
A farm that is set up in a laboratory environment, typically as the design or blueprint for
the production farm.
Pilot farm
A preproduction pilot farm used to test a farm design before deploying the farm across
the organization. A true pilot is based on access by select users, and then adding users
until all users access the farm for their everyday needs.
Enumeration
The process in which a client transmits data to locate servers on the network and
retrieves information about the server farm’s published applications. For example,
during enumeration, the XenApp Plug-in for Hosted Apps communicates with the Citrix
XML Service or the ICA browser, depending on the browsing protocol selected in the
plug-in.
XenApp Setup comprises two installation wizards:
•
Create a New Farm. The first time you install XenApp, select Create a New Farm in the
installation wizard and Setup creates the farm with that server hosting specific roles.
The server where you installed XenApp and created the farm is the first farm server or
the Create farm server.
•
Join an Existing Farm. When you run Setup on servers after installing XenApp on the
first farm server, you take a different path in Setup and XenApp references the settings
you specified on the first farm server. These servers join the existing farm and
communicate with the first server in the farm.
Farm Environment
You should already be familiar with client-server architecture, redirection, and application
publishing.
This illustration shows a basic deployment of XenApp.
Citrix Licensing
A Citrix License Server is required for all XenApp deployments. Install the license server
on either a shared or stand-alone server, depending on your farm’s size. After you install
the license server, download the appropriate license files and add these to the license
server.
Data Store
The data store is the database where servers store farm static information, such as
configuration information about published applications, users, printers, and servers. Each
server farm has a single data store.
Data Collector
A data collector is a server that hosts an in-memory database that maintains dynamic
information about the servers in the zone, such as server loads, session status, published
applications, users connected, and license usage. Data collectors receive incremental
data updates and queries from servers within the zone. Data collectors relay information
to all other data collectors in the farm. By default, the first server in the farm functions
as the data collector.
By default, the data collector is configured on the first farm server during the Create
Farm Setup and all other servers are configured with equal rights to become the data
collector if the data collector fails. When the zone’s data collector fails, a data collector
election occurs and another server takes over the data collector functionality. Farms
determine the data collector based on the election preferences set for a server.
The data collector is an infrastructure server and applications are typically not published
on it.
Zone
A zone is a grouping of XenApp servers that communicate with a common data collector.
In large farms with multiple zones, each zone has a server designated as its data
collector. Data collectors in farms with more than one zone function as communication
gateways with the other zone data collectors.
The data collector maintains all load and session information for the servers in its zone.
All farms have at least one zone, even small ones. The fewest number of zones should be
implemented, with one being optimal. Multiple zones are necessary only in large farms
that span WANs.
Streaming File or Web Server
Applications can be delivered to users by either streaming or hosting the applications on
the server. If you are streaming applications, either to client or server, you must install a
streaming file server in your environment. When streaming applications, you create
profiles of the application and then store the profile on a file or Web server. The profile
consists of the manifest file (.profile), which is an XML file that defines the profile, as
well as the target CAB files, a hash key file, the icons repository (Icondata.bin), and a
scripts folder for pre-launch and post-exit scripts.
Web Interface
The Web Interface is a required component in any environment where users access their
applications using either the XenApp plug-in or a Web browser. Install the Web Interface
on a stand-alone computer; however, where resources are limited, the Web Interface is
sometimes collocated with other functions.
XenApp Web and XenApp Services Sites
XenApp Web and XenApp Services sites (formerly known as Access Platform and Program
Neighborhood Agent Services sites, respectively) provide an interface to the server farm
from the client device. When a user authenticates to a XenApp Web or XenApp Services
site, either directly or through the XenApp plug-in or the Access Gateway, the site:
•
Forwards the user’s credentials to the Citrix XML Service
•
Receives the set of applications available to that user by means of the XML Service
•
Displays the available applications to the user either through a Web page or by
placing shortcuts directly on the user’s computer
Citrix XML Service and the Citrix XML Broker
The Citrix XML Broker functions as an intermediary between the other servers in the farm
and the Web Interface. When a user authenticates to the Web Interface, the XML Broker:
•
Receives the user’s credentials from the Web Interface and queries the server farm
for a list of published applications that the user has permission to access. The XML
Broker retrieves this application set from the Independent Management Architecture
(IMA) system and returns it to the Web Interface.
•
Upon receiving the user’s request to launch an application, the broker locates the
servers in the farm that host this application and identifies which of these is the
optimal server to service this connection based on several factors. The XML Broker
returns the address of this server to the Web Interface.
The XML Broker is a function of the Citrix XML Service. By default, the XML Service is
installed on every server during XenApp Setup. However, only the XML Service on the
server specified in the Web Interface functions as the broker. (The XML Service on other
farm servers is still running but is not used for servicing end-user connections.) In a small
farm, the XML Broker is typically designated on a server dedicated to several
infrastructure functions. In a large farm, the XML Broker might be configured on one or
more dedicated servers.
The XML Broker is sometimes referred to as a Citrix XML Server or the Citrix XML Service.
For clarity, the term XML Broker is used to refer to when the XML Service functions as
the intermediary between the Web Interface and the IMA service, regardless of whether
it is hosted on a dedicated server or collocated with other infrastructure functions.
This illustration uses a large farm to show how the Web Interface and the XML Broker
work together. (1) The user connects to the Web Interface through the XenApp plug-in
or a Web browser; (2) the Web Interface contacts the XML Broker to determine which
applications are available for this user; (3) the XML Broker queries the IMA service for
this information and returns the results to the Web Interface; (4) the Web Interface
displays the available applications to the user either through a Web page or by placing
shortcuts directly on the user’s computer.
Infrastructure Servers
XenApp farms have two types of servers: infrastructure servers and member servers that
host published applications. Infrastructure servers perform specific functions and do not
typically host published applications, except in small farms. The services include:
•
Farm infrastructure services - Data store, data collector, and the Citrix XML Broker.
•
Access infrastructure services - Web Interface, Secure Gateway (optional), and Access
Gateway (optional).
•
Additional services - Citrix License Server, Streaming File or Web Server (optional), a
computer for profiling applications, Configuration Logging database (optional),
EdgeSight database (optional), and SmartAuditor player (optional).
One or more infrastructure services can be grouped together in small farms. In large
deployments, each service runs on one or more dedicated servers.
This illustration suggests which infrastructure functions can be grouped on the same server,
depending on the size of your environment.
Factors other than size can affect how infrastructure functions are grouped. Security
concerns, virtualized servers, and user load play a part in determining which functions can
be collocated.
This illustration depicts infrastructure servers in a large farm. The Web Interface, XML
Service, data collector, and data store are deployed on separate servers.
One way to think of the division between infrastructure servers and published application
servers is to consider an infrastructure server as the controller server and the published
application servers as the worker servers. The controller server provides the infrastructure
that manages and supports the worker servers, which host the applications. Typically, in
larger farms, you segregate the controller functions onto distinct servers. For small farms,
you might have one controller server hosting infrastructure functions and multiple worker
servers hosting published applications.
Small farms that require redundancy might have one or two infrastructure servers. For
example, in a small farm with an Access data store, the data store might be configured on
the same server as the data collector and the XML Broker and perhaps also the Citrix
License Server and the Web Interface.
Medium and large farms might group infrastructure servers and services together when they
have similar functions. For example, the XML Broker might be grouped with the data
collector. In some larger deployments, each infrastructure service would likely have one or
more dedicated servers. In large farms, the Citrix License Server and the Web Interface are
typically hosted on separate servers.
Farm Hardware Considerations
The number of users a XenApp server can support depends on several factors, including:
•
The server’s hardware specifications
•
The applications deployed (CPU and memory requirements)
•
The amount of user input being processed by the applications
•
The maximum desired resource usage on the server (for example, 90% CPU usage or 80%
memory usage)
General recommendations for selecting and configuring farm hardware include:
•
RAID - In multiprocessor configurations, Citrix recommends a RAID (Redundant Array of
Independent Disks) setup. XenApp supports hardware and software RAID.
•
Reducing hard disk failure - Hard disks are the most common form of hardware failure.
You can reduce the likelihood of hardware failure with a RAID 1 (mirroring) and RAID 5
(striped set with distributed parity) configuration. If RAID is not an option, a fast Serial
Attached SCSI (SAS) or a Small Computer System Interface (SCSI) Ultra-320 drive is
recommended.
•
Disk speed - Faster hard disks are inherently more responsive and might eliminate or
curtail disk bottlenecks.
•
Number of controllers - For quad or eight-way servers, Citrix recommends installing at
least two controllers: one for the operating system and another to store applications
and temporary files. Isolate the operating system as much as possible, with no
applications installed on its controller. This principle also applies in small farms. If
possible (assuming a multicore or multiprocessor system), install the operating system
on a separate hard drive from XenApp and the applications. This prevents input/output
bottlenecks when the operating system needs to access the CPU. Distribute hard drive
access load as evenly as possible across the controllers.
Dual-processor (dual-core) deployments combine overall efficiency and a lower total
cost of ownership. However, once a system has a dual-core processor, implementing
additional processors does not necessarily provide proportionate performance
increases. Server scalability does not increase linearly with the number of processors:
scalability gains level off between eight and sixteen CPU cores.
•
Hard disk partitions - Partition and hard-disk size depend on the number of users
connecting to the XenApp server and the applications on the server. Because each
user’s Terminal Services profile is loaded on the server, consider that large numbers of
user profiles can use gigabytes of disk space on the server. You must have enough disk
space for these profiles on the server.
•
Operating system - Running Windows Server 64-bit edition on 64-bit computers can
optimize processor resources. Limitations on the amount of kernel memory available in
32-bit operating systems can reduce user scalability. You can work around 32-bit
architecture limitations by using 32-bit and 64-bit applications on a 64-bit operating
system.
Planning for Applications and Server Loads
Before you can determine how many servers you need in your farm and on which servers to
install applications, decide which applications you want to deliver and how you want to
deliver them.
Consider these factors when defining your farm’s hardware and operating system
configuration:
•
Can I run the applications on the Windows Server platform, Terminal Services, or on
XenApp 5.0? For XenApp 5 for Windows Server 2008, Citrix recommends testing
non-Vista-compliant applications on Windows Server 2008 before you publish them on
your farm.
    •
    Some non-Vista-compliant applications run on Windows Server 2008 using its
    Application Compatibility feature
    •
    Consider using XenApp 5 for Windows Server 2003 for applications that do not run
    under the Windows Server 2008 Application Compatibility feature
    •
    If users require any features that are not supported on XenApp 5 for Windows
    Server 2008, such as PDA Sync, you might need to deploy a farm that includes
    XenApp 5 for Windows Server 2003
•
How many users do I anticipate will want to connect to each application during peak
and off-peak hours? Do I need to allocate servers for load balancing?
•
Will users be accessing certain applications frequently? Do I want to publish all of these
applications on the same server to facilitate session sharing and reduce the number of
connections to a server? If you want to use session sharing, you might also want users to
run applications in seamless windows.
•
Will my organization need to provide proof of regulatory compliance for certain
applications? Will any applications undergo a security audit? If you intend to use
SmartAuditor to record sessions on these servers, install the SmartAuditor agent on
these servers. In addition, make sure the servers have sufficient system resources to
ensure adequate performance.
•
Will any of my applications be graphically intensive? If so, consider using the XenApp
SpeedScreen, Memory Utilization Management, or CPU Utilization Management features
as well as more robust hardware for sessions hosted on these servers.
If you have applications that require XenApp for Windows Server 2003, determine how you
want to manage your mixed-farm requirements. Use one of these scenarios:
•
One farm that runs both XenApp 5 for Windows Server 2003 and XenApp 5.0 for
Windows Server 2008. Use this as only part of a farm migration strategy and not as a
permanent solution.
•
One farm for XenApp 5 for Windows Server 2003 and one farm for XenApp 5 for Windows
Server 2008. Use the Web Interface to provide one consolidated access point for users.
Citrix recommends this strategy where a mixed farm is a permanent requirement.
Assessing Applications for XenApp Compatibility
Ensure applications are compatible with the server operating system and are multiuser
compatible. Application compatibility drives the application delivery method (for example,
accessed from the server, streamed to server, or streamed to client desktops).
Evaluate whether or not applications are compatible with multiuser environments and, if
so, the application server’s scalability. Before testing applications for compatibility,
investigate how the application works with Terminal Services or XenApp. Terminal
Services-compliant and Windows Logo certified applications experience few, if any, issues
compared with noncompliant applications.
Initial application compatibility testing typically involves publishing the application so that
it is installed and hosted on a server in a test farm and having multiple test users connect to
it. Applications that function correctly should be tested for conflicts with other applications
you want to install on the server and, then, scalability.
Applications that do not function correctly might not have been designed for multiuser,
multiapplication environments. Applications not designed for these environments can
conflict with other applications or have scalability or performance issues. Registry settings,
attempts to share files or DLLs, requirements for the exclusive use of files or DLLs, or other
functionality within an application can make it incompatible. You can resolve some
application issues through streaming, using features like Virtual IP, or siloing the
application.
After testing, if these solutions do not work, you might need to find and fix the root cause
of the problem. To identify root application issues, consider using tools like the Microsoft
Application Compatibility Toolkit (ACT) or Microsoft’s Windows Sysinternals. Examples of
common issues include:
•
.INI files that contain hard-coded file path names, database connection settings, and
read/write file locking configurations that need to be reconfigured to prevent file
conflicts.
•
Custom applications developed with hard-coded paths in the registry.
•
Applications that use the computer name or IP address for identification purposes.
Because a server can run multiple instances of the application, all instances could use
the same IP address or computer name, which can cause the application to fail.
When you find any of these hard-coded settings or other conflicts, document the setting in
your farm design document. After you find resolutions to these issues, design your farm and
test your design by creating a pilot test farm.
Evaluating Application Delivery Methods
The application delivery method is a factor in determining the number of servers in a farm
and their individual hardware requirements.
How you choose to deliver applications depends on your organization’s needs. For example,
some organizations use XenApp to streamline administration. In other organizations, the
existing hardware infrastructure might affect the delivery method selected, as can the
types of applications to be delivered.
Applications can be delivered to users as:
•
Hosted and Accessed from Server - Applications are installed on the server, where the
processing takes place, and accessed from the server. This is the traditional XenApp
publishing model. For many organizations, this provides the lowest cost of ownership
for IT resources because it provides the highest scalability.
•
Streamed to server - Executables for applications are put in profiles and stored on a file
server; however, application processing takes place on the server. One of the main
differences between streaming an application to the server and hosting the application
on the server is that streamed applications are stored on a central file server, and
provide application isolation by design.
•
Streamed to client - Applications are stored on a file or Web server; however,
application processing takes place on the client device and not the server. When
applications are streamed to the client device (streamed to desktop), the user
experience is similar to running applications locally. The executables for applications
are stored on the streaming file share.
Installed and hosted on the server or streamed to server
Advantages
•
There is a more consistent user experience regardless of the client device.
•
You can maintain and manage applications centrally.
•
In many cases, streaming to server lets conflicting applications run on the same server
without needing to silo them.
•
Client devices do not require extensive resources, such as hard drives. These delivery
methods support thin clients.
Disadvantages
•
Farm servers require sufficient resources to support the applications.
Streamed to client
Advantages
•
Users can have the local application experience, but you manage the applications
centrally.
•
Users might have a better experience when resource-intensive applications, such as
graphics or CPU-intensive applications, are streamed to client.
Disadvantages
•
Client devices must have sufficient resources to run the applications locally; the client
devices cannot be thin clients.
•
Client devices must run Windows XP or Vista operating systems.
The requirement for a central file server is not necessarily an impediment to deploying
streamed applications in organizations with branch offices because the streaming file share
can be deployed on a Web Server.
Combining Application Delivery Methods
You can run applications in dual mode in which XenApp tries to stream the application to
the client device first but uses another access method if streaming to client is not
supported on the client device. You can specify that some users, such as sales personnel,
run applications streamed to client when they are accessing the applications from Windows
devices and then run them as hosted applications when they are accessing them from
handheld mobile or kiosk-type devices.
If users need to access applications when they are offline (not connected to the farm),
consider streaming applications. If your users have thin clients, install and deliver
applications from farm servers.
Choosing Between Published Desktops and Published Applications
Before selecting the method for delivering applications, decide if you want to publish the
desktop or publish applications.
•
Publishing the desktop - Presents users with an entire Windows Server desktop when
they log onto XenApp. (For security, the desktop should be locked down.)
•
Publishing applications - Publishes specific applications and delivers only those
applications to users. This option provides greater administrative control and is used
most frequently.
You can use policies to prevent users from accessing local devices and ports with both
methods of application delivery.
Placing Applications on Servers
When designing your farm, consider the following:
•
The servers on which the applications are installed
•
If load balancing or preferential load balancing changes your need to dedicate servers
to mission-critical or highly used applications
•
The geographic location of the servers delivering applications (for WANs and
organizations with branch offices)
Grouping Applications on Servers
Traditionally, two strategies for grouping applications on servers are siloing applications
and not siloing applications.
When applications are siloed on farm servers, each server has a limited number of
applications. Some servers might have only one application; others might have a set of
interrelated applications. For example, you might install a medical application on Server A,
and on Server B install an enterprise resource planning (ERP) application. However, if the
ERP application is integrated with email, you might also have an email client on Server B.
Siloing is sometimes required when applications have unique hardware requirements, for
business reasons, to segregate mission-critical applications, or to separate
frequently-updated applications. However, siloing applications is not as efficient as
nonsiloed applications for hardware use and network traffic.
With a nonsiloed approach, you install all applications on each server. Applications can be
installed traditionally or in isolation (installing them in separate profiles).
Citrix recommends installing applications that interact with each other on the same server,
or including them in the same streaming profile. For example, if an application interacts
with an email client by letting users send email notifications, install the application and the
email client on the same server. Likewise, if applications share settings and preferences
(such as Microsoft Office), install them on the same server.
Siloed
Advantages
•
It is easy to track the application’s location and usage
•
Centralization makes it easy to configure and maintain the application
•
Other applications do not interfere with the installed application
•
Can be useful for mission-critical applications
Disadvantages
•
Additional servers are required to ensure sufficient redundancy
Nonsiloed
Advantages
•
Reduces the number of servers required for applications in small- to medium-sized farms
•
Might simplify user permissions and ensure consistent settings during application
installation
•
A single server is accessed by each user and session sharing is ensured
Disadvantages
•
Cannot be used when applications conflict with other applications
By using features such as Load Manager and Preferential Load Balancing, you might not
need to silo mission-critical applications or applications with high levels of peak usage.
When an application conflicts with other applications, rather than silo it on one server,
consider streaming the application. Streaming the application effectively isolates it, which
allows conflicting applications to run on a single server, reducing the need for silos.
Planning Server Loads
Consider how you want to balance server loads. You might want to load balance
resource-intensive, mission-critical, or high-availability applications. XenApp offers two
methods of load balancing:
•
Load Manager - Lets you balance new connections to the server. When a user launches
the first published application, that user session is established on the least loaded
server in the farm, based on criteria you configured. When the user launches a second
application that is published on the same server, the existing session is shared, and no
load management occurs. However, if that application is not published on the same
server, Load Manager is invoked and another load-balancing decision is made.
Load-balancing is enabled by default. When you publish an application on multiple
servers, load balancing automatically ensures that the user is sent to the least-loaded
server.
•
Preferential Load Balancing - Lets you allocate a specific portion of CPU resources to a
specific session or application. You can use Preferential Load Balancing to assign
importance levels (Low, Normal, or High) to specific users and applications. For
example, doctors in a hospital could be specified as important users and MRI scans or
X-rays could be specified as important applications. These important users and
applications with higher levels of service have more computing resources available to
them. By default, a Normal level of service is assigned to all users and applications.
Different application workloads can co-exist on a server; simply assign important
applications a higher importance level.
The key difference between the Load Manager and Preferential Load Balancing features is
that Preferential Load Balancing can be used to treat each session differently, whereas
Load Manager treats each session the same.
Although you can use applications as the basis for Load Manager decisions, Citrix does not
recommend it. Citrix recommends invoking Load Manager based on the server only.
Citrix does not recommend load balancing across zones on a WAN.
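The following added example (not Citrix code and not part of the original manual) models the Load Manager rule described above, where a launch either shares the user's existing session or triggers a new least-loaded placement, and compares a siloed and a nonsiloed application layout under the same workload. The server names, the workload, the use of session count as the load value, and the tie-break by server name are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    published: frozenset                          # applications published on this server
    sessions: dict = field(default_factory=dict)  # user -> set of apps in that session

    @property
    def load(self):
        # Assumption: load equals the number of sessions on the server.
        # A real farm evaluates load using the criteria you configured.
        return len(self.sessions)


def launch(servers, user, app):
    """Place one application launch and return (server_name, decision)."""
    hosts = [s for s in servers if app in s.published]
    if not hosts:
        raise LookupError(f"{app} is not published on any server")
    # Session sharing: the user already has a session on a server that also
    # publishes this application, so no load-balancing decision is made.
    for s in hosts:
        if user in s.sessions:
            s.sessions[user].add(app)
            return (s.name, "shared")
    # Otherwise a load-balancing decision is made among the hosting servers.
    # Ties are broken by server name (assumption, for repeatable output).
    target = min(hosts, key=lambda s: (s.load, s.name))
    target.sessions[user] = {app}
    return (target.name, "balanced")


def simulate(placement, workload):
    """Run a workload against a placement; return (decisions, total_sessions)."""
    servers = [Server(n, frozenset(apps)) for n, apps in sorted(placement.items())]
    decisions = [launch(servers, user, app) for user, app in workload]
    return decisions, sum(s.load for s in servers)


# Constructed sample data: two users, three applications.
WORKLOAD = [
    ("alice", "Word"), ("alice", "Excel"), ("alice", "ERP"),
    ("bob", "ERP"), ("bob", "Word"),
]
SILOED = {"S1": {"Word"}, "S2": {"Excel"}, "S3": {"ERP"}}
ALL_APPS = {"Word", "Excel", "ERP"}
NONSILOED = {"N1": ALL_APPS, "N2": ALL_APPS, "N3": ALL_APPS}

if __name__ == "__main__":
    for label, placement in (("siloed", SILOED), ("nonsiloed", NONSILOED)):
        decisions, total = simulate(placement, WORKLOAD)
        print(f"{label}: {total} sessions")
        for (user, app), (server, kind) in zip(WORKLOAD, decisions):
            print(f"  {user:5} {app:5} -> {server} ({kind})")
```

In this model the siloed layout opens one session per launch, while the nonsiloed layout keeps each user on a single server, which is the session-sharing effect to account for when sizing servers and setting load thresholds.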
Centralizing or Distributing Application Servers
For organizations with geographically dispersed sites, application servers might be located
centrally with the infrastructure servers (for example, in a data center) or decentrally,
near the users who access the applications or in the same geographic region as the users.
Citrix recommends placing application servers logically near any data sources. For example,
for an enterprise resource planning application, collocate those XenApp servers within the
same data center. Another example is a multinational corporation that uses Microsoft
Exchange 2007 as the data source for email. Although the company could centralize all the
Exchange servers at the primary data center, they would be more likely to enable the
Exchange servers within each region and then locate the XenApp servers hosting Outlook
there as well.
Servers centralized at one site
Advantages
•
Centralized server administration and support.
•
Centralized application management.
•
Potentially better physical security than in branch offices.
Disadvantages
•
Single point of failure; if the site loses connectivity, users have no alternative access.
Servers distributed across multiple sites
Advantages
•
Enhanced business continuity and redundancy; if one site loses connection, it does not
affect all application access.
•
When data is maintained at different sites, placing servers at those sites provides users
with local access to the data.
•
Sites can administer their own servers.
•
Zone Preference and Failover can be invoked if there are multiple zones.
Disadvantages
•
Server-to-server communication crosses the WAN.
•
If users need access to multiple sites, you might need to coordinate and replicate
domains, trusts, user profiles, and data.
•
Sites might need added local administration and support.
Determining How to Install Applications
In large farms, installing applications on servers can be time consuming. Also, applications
on load-balanced servers require identical configuration options and settings. To solve
these issues, you can install these applications by using Installation Manager, installation
scripts, Microsoft System Center Configuration Manager (formerly known as Systems
Management Server (SMS)), or streaming the applications.
Deciding How Many Farms to Deploy
Most organizations deploy a single farm. However, there are some circumstances in which
deploying multiple farms makes sense. The decision to implement a single farm or multiple
farms is influenced by:
•
Location and needs of the users or your organization - If your organization is a service
provider, you might want to dedicate a farm to each organization for which you provide
service. Multiple farms might make it easier to demonstrate compliance with specific
service level agreements.
•
Geographic layout of your organization - If your IT infrastructure is organized by region
and managed in a decentralized manner, multiple farms could improve farm
performance. Multiple farms could also save time when coordinating farm
administration and simplify troubleshooting farm-wide issues.
•
Network infrastructure limitations - In WANs with high latency or error rates, multiple
farms may perform better than a single farm with multiple zones.
•
Organizational security policies concerning server communications - Consider multiple
farms if your organization needs to segregate data based on security level. Likewise,
you might need multiple farms for regulatory compliance.
There is no exact formula for determining the ideal number of farms, but general guidelines
can help:
•
In general, a single farm meets the needs of most deployments. A significant benefit to
deploying a single farm is needing only one data store database.
•
Consider using multiple farms when you have geographically dispersed data centers that
can support their own data store database, or when you do not want communication
between servers within the farm to cross a firewall or WAN. For very large deployments
with thousands of servers, breaking the environment into multiple farms can increase
performance.
Citrix regularly tests farm scalability based on 1000-server farms.
Data Store
Single Farm: The farm has one data store.
Multiple Farms: Each farm must have a data store.
Data Store Replication
Single Farm: Citrix recommends that you replicate the data store to remote sites when
using one farm in a WAN environment.
Multiple Farms: If each remote site is a farm with its own data store, there is no need
for data store replication.
Load Balancing
Single Farm: You can load balance an application across the farm.
Multiple Farms: You cannot load balance an application across servers in different farms.
Firewall Traversal
Single Farm: If the farm spans multiple sites, firewall ports must be open for
server-to-server communication.
Multiple Farms: Site-based farms eliminate the need to open firewall ports for
server-to-server communication.
Server-to-server Communication
Single Farm: Data store information is synchronized with member servers through
notifications and queries. When a farm has multiple zones, data collectors communicate
dynamic information such as logons and application use across the farm.
Multiple Farms: Multiple farms might improve performance over a single farm when
server-to-server traffic crosses a WAN link or when the farm is very large.
Management Tools
Single Farm: You can monitor and configure the farm from a single Management Console
and need to log on to only one farm to do so.
Multiple Farms: You can monitor and configure multiple farms from the Access
Management Console. Communicating with multiple farms from the console requires
logging on to each farm.
Sharing Components Between Farms
Some Citrix components can be shared between multiple farms; consequently, it is not
necessary to consolidate all servers in one farm to prevent deploying these components
multiple times:
• Web Interface - Sharing Web Interface between farms provides central access to
applications published on different farms.
• SmartAuditor - With the exception of the SmartAuditor Agent, all components are
independent of the server farm. For example, you can configure multiple farms to use a
single SmartAuditor Server.
• Citrix Licensing - You can manage multiple farms using one Citrix License Server;
however, performance might be affected if you use only one license server for all
servers in a WAN.
• EdgeSight - You can use EdgeSight and Resource Manager powered by EdgeSight to
monitor multiple farms. Note that servers running Presentation Servers 4.5 agents
appear as endpoints.
Planning Infrastructure Servers
Regardless of your farm size, Citrix recommends having at least one server dedicated to
infrastructure functions. Publishing applications on the infrastructure server slows down
application enumeration. If you decide to install infrastructure functions on a server hosting
published applications, choose a server that hosts an infrequently used and not
resource-intensive application (or lower the load threshold for that server so that it accepts
fewer connections).
While farm size (small, medium, large), as determined by the number of servers, can
indicate the general category of your farm, another factor to consider is the number of
user connections. Because applications can scale differently from server to server (some
servers might support 100 user connections, others might support only ten), looking solely
at the number of servers might be misleading. Determine how you want to group
infrastructure functions by designing an initial configuration, then fine tune the design after
testing the pilot farm.
As you add user connections in your test configuration, watch the Windows Performance
Monitor counters:
• When the peak number of users is connecting simultaneously to the farm; this usually
occurs in the morning.
• When the peak number of users is connected to the farm; this usually occurs during the
day.
If the counters exceed the values listed in the table, move the infrastructure functions on
to separate servers until the counter metric no longer exceeds the value.
| Performance Monitor Counter Name | Criteria |
| --- | --- |
| CPU | > 85% - 90% |
| Memory | > 80% |
| ResolutionWorkItemQueueReadyCount | > 0 for extended periods of time |
| WorkItemQueueReadyCount | > 0 for extended periods of time |
| LastRecordedLicenseCheck-OutResponseTime | > 5000 ms |
Typically, you need to evaluate the LastRecordedLicenseCheck-OutResponseTime counter
only in large farms.
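The following added example (not Citrix code) applies the criteria table to counter samples collected during the two peak windows, separating brief queue spikes from the sustained non-zero values the table flags. The sample values, and the choice of four consecutive samples as an "extended period", are assumptions.

```python
"""Check pilot-farm Performance Monitor samples against the criteria table.

Added example, not Citrix code. The sample values and the meaning given to
"extended periods" (SUSTAINED_SAMPLES consecutive samples) are assumptions.
"""
from dataclasses import dataclass

SUSTAINED_SAMPLES = 4  # assumption: this many consecutive samples = "extended"


@dataclass(frozen=True)
class Criterion:
    limit: float     # the counter must exceed this value to breach
    sustained: bool  # True: only a run of consecutive samples counts


# Criteria from the table. CPU uses 85, the lower bound of the 85% - 90% band.
CRITERIA = {
    "CPU": Criterion(85.0, False),
    "Memory": Criterion(80.0, False),
    "ResolutionWorkItemQueueReadyCount": Criterion(0.0, True),
    "WorkItemQueueReadyCount": Criterion(0.0, True),
    "LastRecordedLicenseCheck-OutResponseTime": Criterion(5000.0, False),
}


def longest_run_above(values, limit):
    """Length of the longest run of consecutive samples above limit."""
    best = run = 0
    for value in values:
        run = run + 1 if value > limit else 0
        best = max(best, run)
    return best


def evaluate(samples):
    """Return {counter name: reason} for each counter that breaches its criterion."""
    findings = {}
    for name, values in samples.items():
        criterion = CRITERIA.get(name)
        if criterion is None or not values:
            continue  # unknown counter or no data: nothing to judge
        if criterion.sustained:
            run = longest_run_above(values, criterion.limit)
            if run >= SUSTAINED_SAMPLES:
                findings[name] = (
                    f"above {criterion.limit:g} for {run} consecutive samples"
                )
        else:
            peak = max(values)
            if peak > criterion.limit:
                findings[name] = f"peak {peak:g} exceeds {criterion.limit:g}"
    return findings


# Constructed samples for the two observation windows named in the text.
MORNING_LOGON_PEAK = {
    "CPU": [62, 78, 91, 88, 70],
    "Memory": [55, 61, 66, 70, 71],
    "ResolutionWorkItemQueueReadyCount": [0, 3, 5, 4, 2, 0],  # four in a row
    "WorkItemQueueReadyCount": [0, 2, 0, 1, 0, 0],            # brief spikes
}
DAYTIME_PEAK = {
    "CPU": [40, 45, 52, 48],
    "Memory": [72, 76, 79, 78],
    "WorkItemQueueReadyCount": [0, 0, 1, 0],
    "LastRecordedLicenseCheck-OutResponseTime": [120, 180, 150, 140],
}

if __name__ == "__main__":
    for window, samples in (("morning logon peak", MORNING_LOGON_PEAK),
                            ("daytime peak", DAYTIME_PEAK)):
        print(window, "->", evaluate(samples) or "within criteria")
```

A window that returns findings is the signal to move infrastructure functions to separate servers and sample again.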
Planning the XenApp Data Store
When you deploy your server farm, it must have an associated data store. When servers in a
farm come online, they query the data store for configuration information. The data store
provides a repository of persistent information, including:
• Farm configuration information
• Published application configurations
• Server configurations
• Citrix administrator accounts
• Printer configurations
For information about supported database versions, see
http://support.citrix.com/article/CTX114501.
Choosing a Database
For this XenApp version, you can use the following database software for the farm data
store:
• Microsoft SQL Server, Oracle, and IBM DB2 — These are true client/server databases
that offer robust and scalable support for multiple-server data access.
  Note: Do not install XenApp on the Microsoft SQL Server, Oracle, or IBM DB2 database
  server.
• Microsoft SQL Server 2005 Express Edition — This type of database is most appropriate
for small to medium-sized farms and can be administered using standard Microsoft SQL
Server tools.
• Microsoft Access — Microsoft Access is the default database type. If you leave this at
the default, Setup creates the data store on the first server in the farm using Microsoft
Access.
Consider these factors before deciding which database product to use:
• The number of servers you currently plan to have in the farm, and whether or not you
plan to expand that number
• Whether or not you have a database administrator with the expertise to configure and
manage a data store running on SQL Server, Oracle, or DB2
• Whether or not you foresee the enterprise expanding, which would result in expanding
the size and maintenance of the database
• Whether a server has the appropriate hardware configuration to also run an Access or
SQL Server Express database or whether you require that the database be located on a
server that is not also running XenApp
• Any database maintenance requirements, such as backup, redundancy, and replication
General recommendations are listed below, based on the following size table.
|  | Small | Medium | Large | Enterprise |
| --- | --- | --- | --- | --- |
| Servers | 1-50 | 25-100 | 50-100 | 100 or more |
| Named Users | < 150 | < 3000 | < 5000 | > 3000 |
| Applications | < 100 | < 100 | < 500 | < 2000 |
• Microsoft SQL, Oracle, and IBM DB2 are suitable for any size environment and are
recommended for all large and enterprise environments. When deploying large farms
across a WAN, you can obtain a performance advantage by replicating the data store
and distributing the load over multiple database servers. SQL Server, Oracle, and IBM
DB2 are suitable for large farms and support replication.
• Microsoft Access and SQL Server Express are suitable for all small and many medium
environments located in one physical location (that is, do not have branch offices across
a WAN).
See the database product documentation for hardware requirements for the database
server.
Important: Ensure that the data store is backed up regularly. If the data store database is
lost, you must recreate the farm. You cannot recreate the data store from an existing
farm.
Connecting to the Data Store
A factor in planning your data store is deciding how you want servers in the farm to access
the server on which the data store database is running: directly or indirectly. (You specify
the access method when you run Setup to install XenApp on servers to join an existing
farm.)
• Direct access - If you are in a large farm environment, have a mission-critical farm, or
are using Oracle, SQL Server, or DB2 as the database for your data store, Citrix
recommends accessing the data store directly. For direct access, a server must have
appropriate ODBC drivers installed and configured.
• Indirect access - With indirect access, servers in the farm connect to an intermediary
server running XenApp, which connects to the data store directly. If you are in a small
to medium environment and are using SQL Server Express or Microsoft Access for your
data store, each server in the farm (other than the Create Farm server) must access
the data store indirectly.
Citrix does not recommend indirect access for mission-critical farms because the
intermediary server is a single point of failure.
By default, indirect access uses TCP port 2512 for communication between servers in
the farm and the intermediary server that connects to the data store. If the servers are
in different subnets divided by a firewall, be sure this port is open on the firewall.
Protecting the data store is part of securing your server farm; this includes protecting the
data and restricting who can access it. In a direct connection, all farm servers share a
single user account and password for accessing the data store. Keep the credentials secure
and provide them to administrators only for installing XenApp. See the XenApp security
documentation for more information.
Database Server Hardware Performance Considerations
Increasing the CPU power and speed of the database server can improve the response time
of queries made to the data store when:
• Starting the Citrix IMA Service on multiple servers simultaneously
• Adding a server to the farm
• Removing a server from the farm
The response time of other events (such as starting the IMA Service on a single server,
recreating the local host cache, or replicating printer drivers to all servers in the farm) is
affected more by the farm size than by the data store response time.
Adding processors to the server hosting the data store can improve response time when
executing multiple simultaneous queries. In environments with large numbers of servers
coming online simultaneously and at frequent intervals, additional processors can service
requests faster.
The capabilities of the processor on the database server affect Access Management Console
and Advanced Configuration tool performance, how long it takes to add (install) and remove
a server from the farm, and how long it takes to start multiple servers simultaneously.
In the following chart, five sample farm configurations (A through E) are listed, with
measurements of various metrics in the farm.
| Configuration | A | B | C | D | E |
| --- | --- | --- | --- | --- | --- |
| Number of servers in farm | 50 | 100 | 250 | 500 | 1000 |
| Number of applications published to all servers | 50 | 50 | 50 | 50 | 50 |
| Number of user policies | 25 | 25 | 25 | 25 | 25 |
| Printers per server | 5 | 5 | 5 | 5 | 5 |
| Printer drivers installed per server | 25 | 25 | 25 | 25 | 25 |
| Network print servers with printers | 5 | 5 | 5 | 5 | 5 |
| Number of Load Manager load evaluators | 10 | 10 | 10 | 10 | 10 |
| Number of application folders in Access Management Console | 10 | 10 | 10 | 10 | 10 |
| Number of server folders in Access Management Console | 8 | 16 | 25 | 50 | 50 |
| Number of Application Isolation Environments | 10 | 10 | 10 | 10 | 10 |
| Number of Citrix administrators | 10 | 10 | 10 | 10 | 10 |
| Size of data store database in megabytes | 32 | 51 | 76 | 125 | 211 |
The following table lists suggested hardware for the server hosting the data store, for each
configuration in the previous table.
| Configuration | A | B | C | D | E |
| --- | --- | --- | --- | --- | --- |
| Dual Pentium 4/1.6GHz with 2GB RAM | X | X | X |  |  |
| Dual Pentium 4/3.0GHz with 4GB RAM | X | X | X | X |  |
| Quad Pentium 4/3.0GHz with 4GB RAM | X | X | X | X | X |
The actual performance of a farm’s data store varies depending on the database engine and
the level of performance tuning achieved.
Replication Considerations
A significant amount of network traffic for XenApp farms consists of reads from the data
store; writes are infrequent. The amount of bandwidth required increases as farm size
increases. Actions such as data store reads and restarting multiple servers simultaneously
use disproportionately more bandwidth on larger farms.
Citrix recommends using a single data store for most deployments, but in some situations,
placing a replicated data store at remote sites can improve farm performance. Citrix
recommends replicating the data store across all high-latency or low-bandwidth WAN links.
A replicated data store ensures all data store reads occur on the network local to the
XenApp server.
In a WAN environment, place replicas of the data store at sites with a large number of
servers; this minimizes reads across the WAN link. Database replication consumes
bandwidth. Limit the use of replicated databases to configurations where the remote site
has enough servers to justify the bandwidth cost of placing a replicated copy of the
database at the site. For SQL Server, you must use immediate updating transactional
replication.
Crossing high latency links without using replicated databases can create situations where
the data store is locked for extended periods of time when performing farm maintenance
from remote sites. Data store reads do not adversely affect local connections but remote
sites can experience slower performance. This means that the Citrix IMA Service may start
after extended periods of time and some normal operations may fail when initiated from
the remote site.
Note: You might experience poor performance if you use a local XenApp management
console to perform farm maintenance on a remote site that has high latency. You can
resolve this issue by publishing the management consoles as applications on a server at
the remote site and using a Citrix XenApp plug-in to access the published management
tools.
Planning for Configuration Logging and IMA Encryption
The IMA encryption feature provides a robust AES encryption algorithm to protect sensitive
data in the IMA data store. Enabling IMA encryption provides an additional layer of security
for the data preserved by the Configuration Logging feature.
If you do not enable IMA encryption, XenApp uses the standard encryption used in previous
versions of XenApp. The XenApp administration documentation contains more information
about IMA encryption, Configuration Logging, and when to enable these features.
You can enable IMA encryption during or after XenApp Setup; however, it is easier to enable
it during Setup. To enable IMA encryption during Setup, you specify a key which is used for
all the servers in your farm. You can generate the key before or during Setup.
For custom installations or provisioning servers in large environments, consider:
• Deploying XenApp by using images, and including the key file as part of the server
image
• Generating a key, putting the key in a folder on your network, using a UNC path to
specify the location, and performing an unattended installation
  Important: If you add a key file to a network location, ensure that you have explicit
  rights to the key file so that you are not prompted for your credentials during Setup.
  Mapped drives are not supported for specifying the path for the key during
  installation.
To generate the key before Setup, use CTXKEYTOOL, which is available on the installation
media.
If you have multiple farms in your environment, Citrix recommends you generate separate
keys for each farm.
Enabling IMA Encryption as a Local Administrator
Citrix recommends that if you plan to enable IMA encryption during Setup and want to
connect to the data store indirectly (as is the case with Microsoft SQL Server Express and
Microsoft Access databases, by default), install XenApp using a domain account that has
local administrative privileges on the server.
You cannot enable IMA encryption when you join a farm (either during Setup or when
changing farms) if you are logged in as a local administrator and you try to connect to the
data store indirectly. If you use a local administrator account that is not part of the Citrix
Administrator group, configure all local administrators as Citrix Administrators after running
Setup on the first server in the farm.
1. In the Access Management Console or Delivery Services Console, expand the XenApp
node.
2. In the left pane, under the Farm node, select the Administrators node and select Action
> New > Add administrator.
3. On the Add Citrix Administrator page, select the Add local administrators check box.
This adds all previously created local administrators to the Citrix Administrators group
and automatically adds any local administrators created in the future to the Citrix
Administrators group.
Planning for Data Collectors
When planning for data collectors, consider:
• If you need a dedicated data collector
• If you do not need a dedicated data collector, which infrastructure services can share
the same server
• If you need a zone in each geographic region, which means that you need data
collectors for those regions as well
To maintain consistent information between zones, data collectors relay information to all
other data collectors in a farm, creating network traffic.
In general, data collector memory consumption increases as farm size increases. However,
it is not significant. For example, the Independent Management Architecture service
running on the data collector typically uses 300 MB on a 1000 server farm.
Likewise, CPU usage is not significant. A data collector hosted on a dual-processor server
can support over 1000 servers in its zone. In general, CPU usage increases as the number of
servers in a zone increases, the number of zones increases, and the number of users
launching applications increases.
On most networks, Citrix recommends reducing the number of data collectors and zones.
For example, if you have a farm with 100 servers in one location, Citrix recommends having
one zone with a dedicated data collector (although you can have backup data collectors).
Citrix recommends installing XenApp on the server you want to host the data collector
functionality and, after installing other member servers, configuring a server as the backup
data collector.
Planning for WANs by Using Zones
In general, Citrix recommends using the fewest number of zones possible, with one being
optimal. If all farm servers are in one location, configuring only one zone for the farm does
not reduce performance or make the farm harder to manage. However, in large networks,
such as organizations with data centers on different continents, grouping
geographically-related servers in zones can improve farm performance.
Keep in mind that data collectors must replicate changes to all other data collectors in the
farm. Also, bandwidth consumption and network traffic increase with the number of zones.
Separate zones are not required for remote sites, even ones on separate continents; latency
is the biggest factor in determining if servers should be put in their own zone. For large
farms with servers in different geographic regions, create zones based on the location of
significant numbers of servers.
Also decide if you want to configure failover zones or preferred zones. If a zone fails, you
can configure for user connections to be redirected to another zone (failover) or control to
which zones specific users connect (preference). Failover requirements might determine
the number of zones required.
For example, an organization with 20 farm servers in London, 50 servers in New York, and
three servers in Sydney could create two or three zones. If the Sydney location has good
connectivity to either New York or London, Citrix recommends grouping Sydney with the
larger location. Conversely, if the WAN connection between Sydney and the other locations
is poor or zone preference and failover is required, Citrix recommends configuring three
zones.
Consider these zone design guidelines:
• If a site has a small number of servers, group that site in a larger site’s zone.
• If your organization has branch offices with low bandwidth or unreliable connectivity,
do not place those branch offices in their own zone. Instead, group them with other
sites with which they have the best connectivity. When combined with other zones, this
might form a hub-and-spoke zone configuration.
• If you have more than five sites, group the smaller sites with the larger zones. Citrix
does not recommend exceeding five zones.
Planning for the Web Interface and XML Broker
The Web Interface and the XML Broker are complementary services. The Web Interface
provides users with access to applications. The XML Broker determines which applications
appear in the Web Interface, based on the user’s permissions.
When determining whether or not to dedicate servers to the Web Interface and the XML
Broker, consider scalability and security.
In small to medium farms, you can:
• Run XenApp and the Web Interface on the same server, depending on your security
considerations.
• Group the XML Broker with other infrastructure services, such as the data collector or
the data store, in very small farms (one to five servers). Citrix recommends grouping
the XML Broker with the data collector.
In larger farms, Citrix recommends:
• Configuring the XML Broker on data collectors or dedicated servers. In deployments
with dedicated servers for infrastructure functions, dedicate a server to the XML Broker
to accommodate authentication traffic.
• Running the Web Interface on dedicated Web servers.
Do not publish applications on the server functioning as the XML Broker.
Important: If you change the port used by the Citrix XML Service on the XML Broker, set
the correct port in the plug-in.
Security Considerations
When users access the Web Interface from the Internet, Citrix recommends locating the
Web Interface server on the internal network and the Citrix XML Broker with the XenApp
farm. Shielding the XML Broker from the external Internet protects the XML Broker and the
farm from Internet security threats.
If you must place the Web Interface in the DMZ and want to secure the connection between
the XML Broker and the Web Interface, put the Web Interface server in the DMZ with Secure
Gateway or Access Gateway. This configuration requires putting the Web Interface on a
separate Web server. Install a certificate on the Web Interface server and configure SSL
Relay on the servers hosting the Citrix XML Broker.
In very small farms, configuring the Web Interface and the XML Broker on the same server
eliminates having to secure the link from the Web Interface to the farm. This deployment is
used primarily in environments that do not have users connecting remotely. However, this
might not be possible if your organization does not want Web servers such as Internet
Information Services (IIS) in the farm.
Planning for Application Streaming
Streaming applications requires a workstation for creating the application profiles and a
streaming file share to store the profiles.
For the Streaming Profiler, use a separate, clean workstation with an operating system
similar to that of your end-users.
For the streaming file share server, Citrix suggests the following hardware:
• Network-attached storage (NAS) or storage area network (SAN) solution, if feasible.
• A RAID storage configuration, depending on the fault-tolerant solution desired.
• A single 1 Gbps network card or multiple 100 Mbps cards. If your network infrastructure
and configuration do not support this speed, use dual network cards; this
configuration doubles the connection speed of a traditional single network-card
configuration.
Streaming file shares can be hosted on a file server or a Web server. There are two
configurations for a streaming file share in branch office environments:
• A streaming file share in each branch office hosted on network file servers - For
performance (and in some countries, legal) reasons, branch offices cannot connect to a
network file server in a main office. To store streaming profiles on a network file
server, configure a streaming file share in each branch office.
• A streaming file share in the main office hosted on a Web Server - Using a Web server
sends all the traffic between the client devices and the file share over HTTP or HTTPS,
which is faster than a file transmission protocol.
Using a Web server for the file share reduces the need to have a file share in each branch
office for performance reasons. Instead of putting a file share at each branch office, you
can put all the profiles on the Web server file share at the main office.
Designing Terminal Services User Profiles
Terminal Services user profiles define the user-specific Windows Server environment and
preference settings, including desktop appearance and color options. Citrix recommends
setting Terminal Services profiles for all users to avoid inconsistencies. Terminal Services
user profiles are distinct from Windows user profiles.
Effectively designing Terminal Services user profiles can improve the performance and
manageability of a XenApp environment, reducing the occurrence of slow logons, loss of
user settings, profile corruption, and excessive administration effort.
When a user logs on, the user’s profile is loaded onto the XenApp server. If a Terminal
Services profile is not designated, the user’s Windows profile is used. If there is no Windows
profile, the user’s local profile on the server is used or created.
In a XenApp environment, Terminal Server profiles behave as follows:
Local Profiles
Local profiles are stored on each farm server and are initially
created based on the default user profile. A user accessing
applications in a load-managed XenApp farm creates an
independent profile on each server. Users can save changes to their
local profile on each individual server, but changes are only
available to future sessions on that server. Local profiles require no
configuration; if a user logging onto a XenApp server does not have
a profile path specified, a local profile is used.
Although local profiles are the default, Citrix does not recommend
using them because profiles are created for each user on every
server to which they have connected, which leads to an
inconsistent user experience.
Roaming Profiles
Roaming profiles are stored in a central location for each user. The
information in roaming profiles, such as a printer or a registry
setting, is available to all XenApp servers in the environment. To
configure a user for a roaming profile, you specify the user’s
Terminal Server Profile Path to a particular location on a file
server. The first time the user logs on to a XenApp server, the
default user profile is used to create the user’s roaming profile.
During logoff, the profile is copied to the specified location on a
file server.
Mandatory Profiles
Mandatory profiles are stored in a central location for each user.
However, the user’s changes are not retained on logoff. To
configure a user for a mandatory profile, you create a mandatory
profile file (NTUSER.MAN) from an existing roaming or local profile,
and assign the users’ Terminal Services profile path to the location
where the file can be accessed.
Citrix recommends, where feasible, using mandatory profiles if they
address the defined requirements.
Multiple Profiles
Multiple profiles combine two or more of the profile types (local,
roaming, or mandatory) for the same user. Multiple profiles are
useful in environments with load-managed groups or application
silos. For example, in a XenApp farm with two load-managed groups
serving SAP and Microsoft Office, you can configure users with a
mandatory profile for the SAP servers and a roaming profile for the
Microsoft Office servers. Multiple profiles are also useful for farms
that span WAN connections, so that profiles can be accessed from
local file servers.
Multiple profiles are more complex to administer and maintain and
are not widely used.
When defining user profiles for your XenApp environment, consider:
• If users run applications such as Microsoft Office where settings must be retained,
consider a roaming profile. If users do not need to save settings, using a mandatory
profile solution can ease administration.
• If the application you are publishing references the HKEY_CURRENT_USER (HKCU) hive
in the registry, use a roaming or multiple profile design.
• If you provision printers by auto-creating client printing devices and use client device
printing settings, you can use mandatory profiles. To save printer settings, use the
XenApp printer properties retention policy rule.
• If applications are siloed in load-managed groups, roaming profile designs make profile
setting loss or corruption possible. For example, users accessing SAP and Microsoft
Office at the same time can overwrite roaming profile settings made in the Office
session if the user logs off from the Office session before the SAP session. Consider
multiple profile designs for farms employing load-managed groups.
This table compares the profile options:
| Profile Type | Advantages | Disadvantages |
| --- | --- | --- |
| Local Profile | No requirement for file server for profile storage; Not susceptible to corruption | Settings are not consistent across servers and sessions; Consumes local disk space |
| Roaming Profile | Settings are saved across sessions; Consistency | Slower logon times |
| Mandatory Profile | Fast Logon; Not susceptible to corruption | Settings are not saved across sessions |
| Multiple Profiles | Benefits of both mandatory and roaming profiles | Potential for additional file server space requirements; Additional administration and maintenance |
When configuring profiles, designate profiles within Active Directory policies, if possible,
not user properties.
Citrix recommends storing roaming profiles and permanent user data on a centralized file
server, storage area network (SAN), or Network Attached Storage (NAS) unit that supports
the environment. Locate this storage medium logically near XenApp to reduce the number
of router hops required and optimize logon times.
In addition to profile type, folder redirection is generally recommended. This ensures that
user data stored in the designated folders does not need to be written to the profile. Folder
redirection is typically useful for mandatory and roaming profiles. Although you can
configure folder redirection in Windows Server, Citrix provides a Special Folder Redirection
feature. For more information, see the Special Folder Redirection documentation.
Planning for Accounts and Trust Relationships
Consider how users will access resources. When multiple servers host the same published
application, users could be connected to any of these servers when they access the
resource. Therefore, if a user does not have permissions for all servers, the user might not
be able to access the resource. To avoid these issues, you might need to establish domain
trust relationships between users or servers.
Caution: If you change the servers hosting applications and this changes the trust
intersection, applications can become unavailable to users who are not in that trust
intersection.
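The Caution above, worked through as an added example (not Citrix code): it computes the trust intersection for the servers hosting one published application and lists the accounts that lose access when a server from another domain is added. The trust model, and every domain, server and account name, are assumptions constructed for illustration.

```python
"""Trust intersection for a published application (added example).

Assumed model: a hosting server can authenticate an account only if the
server's domain is the account's domain or trusts it. All domain, server and
account names below are constructed.
"""

# domain -> set of domains it trusts (one-way: the key trusts each member)
TRUSTS = {
    "CORP": {"EMEA", "APAC"},
    "EMEA": {"CORP"},
    "APAC": {"CORP"},
}

# farm server -> domain the server is a member of
SERVER_DOMAIN = {"XA01": "CORP", "XA02": "CORP", "XA03": "EMEA"}

ACCOUNTS = ["CORP\\alice", "EMEA\\bruno", "APAC\\chen"]


def accepted_domains(server):
    """Account domains this server can authenticate: its own plus trusted ones."""
    domain = SERVER_DOMAIN[server]
    return {domain} | TRUSTS.get(domain, set())


def trust_intersection(servers):
    """Account domains accepted by every server hosting the application."""
    accepted = [accepted_domains(server) for server in servers]
    return set.intersection(*accepted) if accepted else set()


def account_domain(account):
    """Domain part of a DOMAIN\\user account name."""
    return account.split("\\", 1)[0]


def blocking_servers(account, servers):
    """Hosting servers that cannot authenticate the account."""
    domain = account_domain(account)
    return sorted(s for s in servers if domain not in accepted_domains(s))


def stranded_by_change(accounts, servers_before, servers_after):
    """Accounts inside the trust intersection before a hosting change but not after."""
    before = trust_intersection(servers_before)
    after = trust_intersection(servers_after)
    return sorted(
        account for account in accounts
        if account_domain(account) in before
        and account_domain(account) not in after
    )


if __name__ == "__main__":
    hosting_before = ["XA01", "XA02"]          # both servers in CORP
    hosting_after = ["XA01", "XA02", "XA03"]   # XA03 (EMEA) added to the app
    print("before:", sorted(trust_intersection(hosting_before)))
    print("after: ", sorted(trust_intersection(hosting_after)))
    for account in stranded_by_change(ACCOUNTS, hosting_before, hosting_after):
        print(account, "blocked by", blocking_servers(account, hosting_after))
```

Running the same comparison before any change to an application's server list shows which user populations need a new trust relationship first.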
System Account Considerations
Consider the following when deciding how to configure your Citrix administrator accounts:
• One full authority administrator account must always exist for the server farm. Citrix
XenApp prevents you from deleting the last full authority administrator account.
However, if no administrator accounts exist in the farm data store database, a local
administrator account can log on to the Access Management Console to set up Citrix
administrator accounts.
• To create effective Citrix administrator accounts, ensure that all users you are going to
add as Citrix administrators are Domain Users for the domain in which your farm
resides. Users who are Citrix administrators who take server snapshots must also be
authorized Windows Management Instrumentation (WMI) users on each server for which
they are taking snapshots.
• If you want to enable the Independent Management Architecture (IMA) encryption
feature during Setup, Citrix recommends that you install XenApp using the same
network credentials.
Including Servers from Other Domains
XenApp supports trust-based routing; servers in domains that do not trust each other can be
members of the same farm.
When a server needs to perform one of the following operations on an untrusted domain,
the server determines from the data store which servers can perform the operation and
routes the request to the most accessible server:
• Authenticating a Citrix administrator
• Refreshing the display or launching an application in Program Neighborhood and Web
Interface
• Enumerating users and groups
• Resolving users or groups when adding users to published application, printer
auto-creation lists, or defining new Citrix administrators
Requests to enumerate applications are routed to a server that has the required domain
trust relationship if the originating server does not.
Substituting Domain Accounts for User Accounts
By default, XenApp Setup creates local accounts to run the following XenApp services:
| XenApp Service | Default Local User Account |
| --- | --- |
| Citrix Print Manager Service | ctx_cpsvcuser |
| CPU Utilization Mgmt/CPU Rebalancer | ctx_cpuuser |
| Configuration Manager for the Web Interface Service | Ctx_ConfigMgr |
Citrix strongly recommends that if you want to change local accounts to domain accounts,
you do so before installing XenApp. Changing service accounts after Setup is not supported.
Run Setup as a domain administrator to ensure the accounts are created correctly. If you
are changing the accounts for services and your farm has servers in multiple domains, the
domains must have trust relationships with each other.
To substitute your newly-created domain account for the local account during XenApp
installation, use an installation method that employs Windows Installer Commands. Specify
the property for the service, and provide the new domain account name as a parameter.
Recommendations for Active Directory Environments
Citrix recommends the following configuration for server farms with Active Directory:
•
XenApp servers are in their own Organizational Units (OUs).
•
All servers reside in the same domain.
•
The server farm domain has no trust relationships with non-Active Directory domains, as
this can affect operations requiring trusted domains.
•
The server farm is in a single Active Directory forest. If your farm has servers in more
than one forest, users cannot log on by entering user principal names (UPNs).
UPN logons use the format username@UPN identifier. With Active Directory, UPN logons
do not require a domain to be specified, because Active Directory can locate full UPN
logons in the directory. However, if the server farm has multiple forests, problems
occur if the same UPN identifier exists in two domains in separate forests.
Important: Citrix XenApp does not support UPN logons if a server farm spans multiple
Active Directory forests.
Active Directory User Permission
Active Directory security groups can affect authenticating to published applications, the
Advanced Configuration or Presentation Server Console, and Program Neighborhood
filtering. The tables that follow contain best practice guidance.
Also, if a user is a member of a domain local group, the group is in the user’s security token
only when the user logs onto a computer in the same domain as the domain local group.
Trust-based routing does not guarantee that a user’s logon request is sent to a server in the
same domain as the domain local group.
Network configurations do not affect authentication to the Access Management Console or
Delivery Services Console because that console allows only pass-through authentication.
Domain Global Groups
Authenticating to published applications
No adverse effects
Authenticating to Advanced Configuration or Presentation Server Console
No adverse effects
Program Neighborhood filtering
No adverse effects
Domain Local Groups
Authenticating to published applications
Recommendation: All servers that load balance an application
must be in the same domain if a domain local group is
authorized to use the application.
Rationale: Domain local groups assigned to an application must
be from the common primary domain of all the load balancing
servers. When you publish applications, domain local groups
appear in the accounts list if the condition above is met and
accounts from the common primary domain are displayed. If a
published application has users from any domain local groups
and you add a server from a different domain, domain local
groups are removed from the configured users list, because all
servers must be able to validate any user with permission to
run the application.
Authenticating to Advanced Configuration or Presentation Server Console
Recommendation: If a user is a Citrix administrator only by
membership in a domain local group, the user must connect the
console to a server in the same domain as the domain local
group.
Rationale: If the user connects the console to a server in a
different domain than the domain local group, the user is
denied access to the console because the domain local group is
not in the user’s security token.
Program Neighborhood filtering
Recommendation: All servers in the farm must be in the same
domain for Program Neighborhood filtering to work properly.
Rationale: If a user is a member of a domain local group, the
group is present in the user’s security token only when logging
on to a computer in the same domain as the domain local
group. Trust-based routing does not guarantee that a logon
request is sent to a server in the same domain as the domain
local group. It guarantees only that the request is handled by a
server in a domain that trusts the user’s domain.
Universal Groups
Authenticating to published applications
Recommendation: If universal groups are assigned permission to
the application, all servers that manage the application must
be in an Active Directory domain.
Rationale: A server in a non-Active Directory domain could
authenticate the user to run the application. In this case,
universal groups are not in the user’s security token, so the
user is denied access to the application. It is possible for a
server in a non-Active Directory domain to load balance an
application with servers in an Active Directory domain if the
domains have an explicit trust relationship.
Authenticating to Advanced Configuration or Presentation Server Console
Recommendation: If a user is authenticating to the console and
is a Citrix administrator only by membership in a universal
group, the console must connect to a server that belongs to an
Active Directory domain in the universal group’s forest.
Rationale: Non-Active Directory domain controllers and
domains outside a universal group’s forest have no information
about the universal group.
Program Neighborhood filtering
Recommendation: No Active Directory domains in the forest to
which the servers belong have explicit trust relationships with
non-Active Directory domains.
Rationale: Non-Active Directory domains have no knowledge of
universal groups and the domain controllers exclude a universal
group from a user’s security token. As a result, applications
might not appear in Program Neighborhood.
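The group-scope rules in the tables above can be applied to a planned farm before an application is published. The following Python sketch is an added example, not part of the Citrix documentation; the domain, server and group names are constructed, and the model covers only the rules stated in the tables.

```python
from dataclasses import dataclass
from typing import List, Optional

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"


@dataclass(frozen=True)
class Domain:
    name: str
    forest: Optional[str]  # None models a non-Active Directory domain


@dataclass(frozen=True)
class Group:
    name: str
    scope: str
    domain: Domain  # domain in which the group is defined


@dataclass(frozen=True)
class Server:
    name: str
    domain: Domain


def group_in_token(group: Group, logon_domain: Domain) -> bool:
    """Is `group` in the security token built for a logon handled in `logon_domain`?

    Encodes only the rules from the tables above (an assumption of this example);
    real token construction depends on more inputs.
    """
    if group.scope == GLOBAL:
        return True  # tables: "No adverse effects"
    if group.scope == DOMAIN_LOCAL:
        # Present only when logging on to a computer in the group's own domain.
        return logon_domain.name == group.domain.name
    if group.scope == UNIVERSAL:
        # Non-AD domains and domains outside the group's forest know nothing of it.
        return (logon_domain.forest is not None
                and logon_domain.forest == group.domain.forest)
    raise ValueError(f"unknown group scope: {group.scope!r}")


def audit_published_app(groups: List[Group], servers: List[Server]) -> List[str]:
    """Report each group/server pair where the server cannot see the group.

    Trust-based routing may send a logon to any of the servers, so every
    server that hosts the application has to be able to validate every group.
    """
    findings = []
    for group in groups:
        for server in servers:
            if not group_in_token(group, server.domain):
                findings.append(
                    f"{group.name} ({group.scope}) is not visible on "
                    f"{server.name} in domain {server.domain.name}"
                )
    return findings


# Constructed sample farm: two AD domains in one forest plus one non-AD domain.
CORP = Domain("CORP", forest="corp.example")
BRANCH = Domain("BRANCH", forest="corp.example")
LEGACY = Domain("LEGACY", forest=None)

SERVERS = [Server("XA01", CORP), Server("XA02", BRANCH), Server("XA03", LEGACY)]
GROUPS = [
    Group("Staff-G", GLOBAL, CORP),
    Group("Sales-DL", DOMAIN_LOCAL, CORP),
    Group("Finance-U", UNIVERSAL, CORP),
]

if __name__ == "__main__":
    for line in audit_published_app(GROUPS, SERVERS):
        print(line)
```
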
Active Directory Federated Services
XenApp supports Active Directory Federated Services (AD FS) when used with the Citrix Web
Interface. If you need to provide a business partner with access to published applications,
AD FS might be a better alternative than creating multiple new user accounts on the
enterprise domain. If you plan to use AD FS with XenApp, Citrix recommends:
•
During Setup for each XenApp server in your farm, select the port sharing with IIS
option and ensure that IIS is configured to support HTTPS.
•
Set up a trust relationship between the server running the Web Interface and any other
servers in the farm communicating with the Web Interface through the Citrix XML
Broker. The Web Interface must be able to access the certificate revocation list (CRL)
for the Certificate Authority used by the federation servers.
•
If you are provisioning the farm by imaging, configure trust requests on the server
before you take the image. These trust requests must be enabled on each server in the
farm and cannot be set at a farm level.
•
To prevent external users from having unauthorized access to services on farm servers,
configure all XenApp servers for constrained delegation. To provide users with access to
resources on those servers, add the relevant services to the Services list using the MMC
Active Directory Users and Computers snap-in.
For more information about configuring support for AD FS, see the Web Interface
documentation.
Planning for System Monitoring and Maintenance
When designing your XenApp farm, include a monitoring and management strategy to
ensure the sustainability of your environment. Consider incorporating one or more
monitoring tools into your environment and customizing them to provide alerts based on
metrics associated with hardware, software, and usage requirements.
Designing for monitoring and management should include hardware, software,
performance, and network areas. For hardware monitoring, Citrix recommends the
hardware management tools provided by most server vendors.
Citrix EdgeSight is an excellent technology for monitoring XenApp farms. Citrix suggests
customizing the default Resource Manager and EdgeSight metrics to meet your specific
monitoring needs.
Planning for UAC
Consider the following suggestions if you will be running Setup on a system with User
Account Control (UAC) enabled.
•
If you are performing a wizard-based installation, start Setup by right-clicking Autorun
(autorun.exe) and selecting Run as Administrator. This runs Setup at its highest
manifest and elevates your privilege levels accordingly. (You cannot start Setup by
double-clicking mps.msi or MF_Autorun.msi.)
•
To perform Setup as any user other than the built-in administrator, start Setup by
right-clicking on the Autorun.exe file and selecting Run as Administrator. (If you
double-click the executable, you cannot install XenApp under User mode.)
•
Instruct Windows Server 2008 to elevate the UAC level automatically, without
prompting, by configuring a Local Security Policy setting. In the Local Security Policy,
specify Elevate without prompting for the User Account Control: Behavior of the
elevation prompt for administrators.
•
Instruct Windows to elevate the UAC level without prompting, through an Active
Directory Default Domain Policy. On your Domain Controller, edit the Default Domain
Policy to set the Security Policy Setting in User Account Control: Behavior of the
elevation prompt for administrators in Admin Approval Mode to Elevate without
prompting.
This avoids having to enable this setting on each server before installation, provided
you join the domain before installing XenApp. When a computer joins the domain, the
domain policy is applied automatically.
•
Enable the Print Services role so you can manage printer drivers and print queues on
clients.
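To confirm which elevation-prompt behavior a policy actually specifies, before Setup and again afterwards, you can inspect an exported security template. The following Python check is an added example, not part of the Citrix documentation; it assumes the template text comes from `secedit /export` or from the GPO's GptTmpl.inf, that the setting is stored as the `ConsentPromptBehaviorAdmin` registry value, and it uses constructed sample templates.

```python
from typing import Dict, Optional, Tuple

# Registry value behind "User Account Control: Behavior of the elevation
# prompt for administrators in Admin Approval Mode" (compared lower-cased).
UAC_KEY = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Policies\System\ConsentPromptBehaviorAdmin").lower()

# Meanings on Windows Server 2008; later Windows versions define more values.
PROMPT_BEHAVIOR = {
    0: "Elevate without prompting",
    1: "Prompt for credentials",
    2: "Prompt for consent",
}

REG_DWORD = 4


def parse_registry_values(inf_text: str) -> Dict[str, Tuple[int, str]]:
    """Return {lower-cased key path: (registry type, data)} from [Registry Values]."""
    values: Dict[str, Tuple[int, str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        key, _, rhs = line.partition("=")
        reg_type, _, data = rhs.partition(",")
        try:
            values[key.strip().lower()] = (int(reg_type), data.strip())
        except ValueError:
            continue  # malformed entry: skip rather than guess
    return values


def admin_elevation_prompt(inf_text: str) -> Optional[Tuple[int, str]]:
    """Return (value, description), or None if the template leaves it undefined."""
    entry = parse_registry_values(inf_text).get(UAC_KEY)
    if entry is None:
        return None
    reg_type, data = entry
    if reg_type != REG_DWORD:
        raise ValueError(f"unexpected registry type {reg_type} for UAC setting")
    value = int(data)
    return value, PROMPT_BEHAVIOR.get(value, f"unrecognized value {value}")


def elevates_silently(inf_text: str) -> bool:
    """True when the template sets 'Elevate without prompting'."""
    result = admin_elevation_prompt(inf_text)
    return result is not None and result[0] == 0


# Constructed sample templates. Real files are typically UTF-16 encoded,
# so read them with open(path, encoding="utf-16").
SAMPLE_SETUP_WINDOW = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
"""

SAMPLE_PROMPTING = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,2
"""

SAMPLE_UNDEFINED = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
"""

if __name__ == "__main__":
    for name, text in [("setup window", SAMPLE_SETUP_WINDOW),
                       ("prompting", SAMPLE_PROMPTING),
                       ("undefined", SAMPLE_UNDEFINED)]:
        print(name, "->", admin_elevation_prompt(text))
```
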
If you want to perform a custom installation of XenApp on a system with UAC enabled and
you are not a built-in administrator, you can:
•
Run the UnattendedInstall.exe by specifying it on the command line in an elevated
command prompt window (for example, run UnattendedInstall.exe MPS.msi
c:\Unattended.txt).
To elevate the command prompt, right-click on the command prompt menu command
and select Run as Administrator. This elevated mode is also known as Admin Approval
Mode.
•
Run the installation, including scripts, from an elevated command prompt.
•
Run the installation, using batch files, from an elevated command prompt. Specify the
batch file on the command line in an elevated command-prompt window (as described
above).
Accounts Required for Citrix Management Features
The following XenApp management features and tools require that users be domain
administrators, delegated administrators, or members of the Administrators group on the
local computer:
•
Access Management Console
•
Advanced Configuration tool
•
XenApp Commands
•
SSL Relay tool
•
Speedscreen Latency Reduction Manager
These permissions are in addition to any requirements for the feature, such as having a
Citrix administrator account.
Multiuser Access to Applications
To allow multiuser access to an application, install the application as a built-in
administrator or enable the Create Users setting when prompted by UAC.
Planning for Shadowing
Session shadowing monitors and interacts with user sessions. When you shadow a user
session, you can view everything that appears on the user’s session display. You can also
use your keyboard and mouse to remotely interact with the user session. Shadowing can be
a useful tool for user collaboration, training, troubleshooting, and monitoring by
supervisors, help desk personnel, and teachers.
Shadowing is protocol-specific. This means you can shadow ICA sessions over ICA and
Remote Desktop Protocol (RDP) sessions over RDP only.
Important: Shadowing restrictions are permanent. If you disable shadowing, or enable
shadowing but disable certain shadowing features during Setup, you cannot change the
restrictions later. You must reinstall XenApp on the server to change shadowing
restrictions.
Any user policies you create to enable user-to-user shadowing are subject to the
restrictions you place on shadowing during Setup.
Shadowing is a server-level setting, so you can enable shadowing on one server and disable
it on another.
Citrix does not recommend disabling shadowing as a substitute for user and group
connection policies.
Securing Delivery and Access
XenApp allows secure access to resources by users. It also enables administrators to control
and monitor access to each resource and component. The XenApp administration
documentation includes detailed information about securing server farms.
Complementary XenApp technologies help provide end-to-end security, including Citrix
Single Sign-on, Citrix Access Gateway, and Secure Gateway. If you use one of these
technologies to control remote access to the farm, set your firewall ports to communicate
with the technology and the server farm.
If users will connect to your farm over the Internet, consider:
•
Increasing security through two-factor authentication (adding a second authentication
method such as RSA tokens).
•
Limiting automatic printer driver installation on servers (enabled by default) if users
are connecting from devices with locally attached printers.
•
Employing a SmartAccess strategy (for example, using the Access Gateway and
configuring policies that limit access according to conditions on the user’s client device
or location).
•
Determining how you will deploy plug-ins to users, especially if they connect from
airport kiosks or other public locations.
•
Securing connections to published applications with SSL/TLS. If plug-ins communicate
with your farm across the Internet, Citrix recommends enabling SSL/TLS encryption
when you publish a resource. If you want to use SSL/TLS encryption, use either the SSL
Relay feature (for farms with fewer than five servers) or the Secure Gateway to relay
ICA traffic to the XenApp server. You can also use SSL Relay to secure Citrix XML Broker
traffic.
Important: On Windows Server 2008 systems, XenApp Setup reconfigures the default
Windows Firewall port settings to allow incoming connections, such as those from ICA
traffic and the Citrix Independent Management Architecture service.
Planning for Supported Languages and Windows MUI Support
XenApp Language Edition     Operating System Language Edition
XenApp, English edition     Windows Server 2008, English edition
                            Windows Server 2008, Russian edition
                            Windows 2008 Simplified Chinese
                            Windows 2008 Traditional Chinese
                            Windows 2008 Korean
XenApp, French edition      Windows Server 2008, French edition
XenApp, German edition      Windows Server 2008, German edition
XenApp, Japanese edition    Windows Server 2008, Japanese edition
XenApp, Spanish edition     Windows Server 2008, Spanish edition
Windows Multilingual User Interface Pack (MUI) is supported only on the English edition of
Windows.
XenApp supports Windows MUI for Windows Server. Users connecting from non-English
language clients see their environment and applications in the language that corresponds to
their language setting, provided the server operating system and applications support it,
and the corresponding language packs are installed on the server. While XenApp supports
Windows MUI, some XenApp components and features do not display in the non-English
language.
1. Before you install XenApp, make sure the Windows Server language option is set to
English. The language setting is located in Regional and Language Options. For more
information, see the Microsoft documentation.
2. Install the English version of XenApp.
3. Install the Windows MUI language packs you want to deliver to users, and install any
applications required, MUI or native.
Caution: Changing the Windows Server language option to another language after you
install XenApp might lead to display issues.
Planning for Passthrough Client Authentication
Citrix recommends enabling passthrough client authentication. When the user connects to
applications published on different servers, passthrough client authentication enables
XenApp to automatically pass user credentials from the initial server to the server hosting
the next application. This prevents the user from having to re-authenticate when opening
applications on different servers.
In this illustration, XenApp passes the user credentials from the server hosting Microsoft
Outlook to the server hosting Microsoft Excel when the user opens the Microsoft Excel
attachment from an email message hosted on a different server.
(The passthrough authentication functionality described in this topic is not the same
functionality provided by Citrix Single Sign-on or password management applications in
general.)
Enabling passthrough authentication requires configuring components on all XenApp
application servers and enabling passthrough authentication in the plug-ins installed on
end-user client devices. If the passthrough authentication feature is not enabled before
deploying the plug-ins to end users, users must reinstall the plug-ins with this feature
enabled before passthrough authentication will work.
To configure passthrough authentication functionality on the server, install a XenApp
hosted plug-in on each XenApp server. If you are deploying the XenApp plug-in as the client
for users, install the XenApp plug-in on your server as the passthrough client.
Planning a Successful User Experience
Two key factors impact your users' satisfaction with working in a multi-user environment:
how quickly sessions start, and how easily users can print.
Session Start-up Times
Certain factors can cause sessions to start more slowly than necessary.
•
Printer autocreation policy settings - Consider limiting the number of printers that are
autocreated if session start time is a factor.
•
Network activities occurring independently of sessions - Operations such as logging on
to Active Directory, querying Lightweight Directory Access Protocol (LDAP) directory
servers, loading user profiles, executing logon scripts, mapping network drives, and
writing environment variables to the registry, can affect session start times. Also,
connection speed and programs in the Startup items within the session, such as virus
scanners, can affect start times.
•
Roaming profile size and location - When a user logs onto a session where Terminal
Services roaming profiles and home folders are enabled, the roaming profile contents
and access to that folder are mapped during logon, which uses additional resources. In
some cases, this can consume significant CPU resources. Consider using
Terminal Services home folders with redirected personal folders to mitigate this
problem.
•
Whether the data collector has sufficient resources to make load balancing decisions
efficiently - In environments with collocated infrastructure servers, Citrix suggests
hosting the Citrix XML Broker on the data collector to avoid delays.
•
License server location - For WANs with multiple zones, consider where the license
server is located in relation to the zone.
Printing Configuration
Your printing configuration directly affects how long sessions take to start and the traffic on
your network. Planning your printing configuration includes determining the printing
pathway to use, how to provision printers in sessions, and how to maintain printer drivers.
Consider these recommendations:
•
Use Citrix Universal printer drivers and the Universal Printer whenever possible. This
results in fewer drivers and less troubleshooting.
•
Disable the automatic installation of printer drivers, which is enabled by default.
•
Adjust printer bandwidth using XenApp policy rules, if appropriate.
•
If printing across a WAN, use the XenApp Print job routing policy rule to route print jobs
through the client device.
•
Test new printers with the Stress Printers utility, which is described in the Citrix
Knowledge Center.
Choose printers that are tested with multiuser environments. Printers must be PCL or PS
compatible and not host-based. The printer manufacturer, not Citrix, determines whether
printers work in a XenApp environment.
The XenApp administration documentation contains details about printing configurations.
Integrating Other XenApp Features and Technologies
Each XenApp edition comprises a different set of features and technologies.
Usually, you install the XenApp farm and its required features first. Then, after installing
XenApp and the supporting infrastructure servers, you can optionally install other features
and technologies supported in your XenApp edition. In some cases, this includes installing
plug-ins or clients on farm servers or user workstations.
For complete information about design considerations, installing, and using the features
and technologies, see their documentation. The following notes may also help with your
XenApp farm planning.
•
EdgeSight or Resource Manager Powered by EdgeSight - The EdgeSight Server includes a
database server and a Web server, which can be located on the same computer or on
different computers. Alternatively, if your XenApp data store is hosted on an SQL
Server, you can collocate the EdgeSight database with the data store. However, Citrix
recommends monitoring the database server to ensure it is not overloaded. To avoid
errors in performance measurement, do not install the EdgeSight database on any farm
servers hosting user sessions.
•
Password Manager - The Password Manager service is typically installed on its own
server. The server hosting the Password Manager Service and central store contains
highly sensitive user-related information. Citrix recommends using a dedicated server
and placing that server in a physically secure location.
•
SmartAuditor - The player requires a separate desktop workstation. The administration
components are typically installed on a server dedicated to administration.
•
Access Gateway - The Access Gateway can control access to published applications on a
XenApp server. The Access Gateway is typically installed in the DMZ. There are specific
design considerations when you are deploying the Access Gateway with the Web
Interface.
Installation Sequence
You can launch the Setup programs for several XenApp features and technologies from the
XenApp wizard-based installation. Some of these and other XenApp features and
technologies have different installation prerequisites and considerations than the core
XenApp software. This documentation does not provide complete Setup instructions nor
does it provide prerequisites for those features and technologies. With the exception of the
XenApp management consoles, instructions for installing these features and technologies
are provided in their respective documentation.
The wizard-based method installs the features and technologies you select in the correct
order. For a custom installation, follow the order listed below. Although the sequence is
not mandatory, it reduces the need to manually configure options after Setup because
information was not available, such as server or site names.
1. Citrix Licensing, including the Citrix License Server and the License Management
Console.
2. Web Interface. Installing the Web Interface and creating a Web Services site before
installing XenApp lets you provide a response for the site name when prompted by
XenApp Setup. If you are deploying a Citrix XenApp plug-in, install the Web Interface
and create a XenApp Services site. (You can also install the Web Interface after
installing XenApp. In some situations, this might be easier and preferable.)
3. XenApp.
4. XenApp management consoles. (You can install these consoles on a remote computer as
well as on XenApp servers. However, for the Web Interface, you must install the Access
Management Console (also known as the Delivery Services Console, depending on your
XenApp version) on the same server.)
To install the management consoles for XenApp, Password Manager, and the Access
Gateway on the same server, install the extensions in the following order:
a. Access Gateway
b. Password Manager
c. XenApp
5. EdgeSight or Resource Manager powered by EdgeSight.
6. Secure Gateway. (Installing the Secure Gateway after installing XenApp lets you
complete the Secure Gateway configuration wizard. If you install the Secure Gateway
before you create your farm, you must re-run the Secure Gateway configuration wizard
by re-running Setup. Secure Gateway is not typically installed on a XenApp server.)
7. Password Manager.
8. SmartAuditor.
9. Other features and technologies supported on your XenApp edition.
Installing Agents for XenApp Features and Technologies
If you plan to deploy the following features and technologies (if available in your XenApp
edition), consider these notes:
Note: You can also install some of these features during XenApp Setup.
•
EdgeSight - Install the EdgeSight agent on the XenApp servers and client devices you
want to monitor.
•
Citrix Password Manager - Install and publish the Citrix Password Manager plug-in on
each server that publishes applications requiring authentication. The plug-in provides
credentials for published applications only. You can also install the Citrix Password
Manager plug-in locally on client devices.
•
SmartAuditor - Install the SmartAuditor agent on the servers hosting the applications
you want to monitor. Install the agent after you install the XenApp server software.
•
EasyCall - Install the EasyCall client on the client devices or make it available to users
by publishing it on your farm.
Choosing an Installation Method
There are two general XenApp installation methods: wizard-based and custom.
The installation method you choose is related to the way you want to provision the servers
in your farm. Select an installation method that lets you install servers quickly in the event
of server failure or network growth. Having a repeatable way to build XenApp servers
quickly saves time and resources, and ensures consistent configurations.
Setup is the process of installing XenApp and its components and features. You invoke or
run Setup with an installation method.
Wizard-Based XenApp Installations
Wizard-based installations are initiated from the Autorun program, autorun.exe. Use
wizard-based installations if you need to install an individual component, install XenApp on
small farms, or when creating images for server provisioning. During a wizard-based
installation, Setup automatically installs many non-Windows system requirements; custom
installations might not perform those tasks automatically.
A wizard-based installation manually installs XenApp and requires selecting options for
every page of the wizard. Deploying XenApp across a farm can involve repeating the same
installation on many servers. Often, performing a wizard-based installation on each server
in the farm is too time consuming to be feasible.
Custom XenApp Installations
Custom installations provide more control over installation options than wizard-based
installations (for example, the ability to change local accounts for Citrix services to domain
accounts, prevent non-administrative users from connecting to the desktop of the server,
and control the reboots after Setup). Custom installations often provide a scalable approach
for server provisioning.
XenApp supports the following types of custom installations:
•
Transforms - In large environments, if you deploy XenApp to multiple servers
simultaneously through Active Directory or Configuration Manager, you can use
transforms with XenApp Setup (mps.msi). Use the sample transforms included with
XenApp to customize the XenApp Setup properties. To perform this type of installation,
Citrix recommends that you have Windows Installer and installation database
knowledge. You also need a third-party MSI editing tool.
•
Windows Installer commands (msiexec) - As with transform-based installations, Windows
Installer command installations require a solid understanding of the XenApp Setup
properties. Windows Installer commands can be used separately, or you can combine
them with transforms for Active Directory deployments. You can create scripts
containing Windows Installer commands that install system prerequisites and XenApp in
one action.
•
Unattended installation with an answer file - Using the Unattended Installation
Template, you can create an answer file that provides responses to installation options
during XenApp Setup. A sample answer file that uses XenApp Setup properties is
included in the XenApp installation media. Answer files provide an installation that is
ready to use with minimal customization on your part. Consequently, unattended
installations are one of the easiest ways to perform custom installations and generate
Windows Installer command lines. Since answer files are text files with a small file size,
they are easy to store and compare to other answer files using a file comparison utility.
However, unattended installations are not as powerful as Windows Installer Commands
or transforms, and you cannot use unattended installations to provision servers using
Active Directory.
When performing custom installations, consider enabling Windows Installer logging, which
provides a detailed summary of installation actions.
XenApp Installation
Use this documentation to help prepare your XenApp environment and then install the
XenApp server software.
XenApp comprises many features and technologies, many of which have their own
preparation, installation, and configuration instructions. This documentation does not cover
those topics; see the documentation for the feature or technology (for example, Web
Interface, Access Gateway, Secure Gateway, and Citrix plug-ins). Additionally, features and
technologies offered in the XenApp editions (such as Single sign-on, Provisioning services,
Load testing services) have their own installation documentation.
Building a XenApp Farm
The first time you install XenApp, you create a farm. When you install XenApp on other
computers, you join the farm you created on the first computer.
Before you build a XenApp farm, read about XenApp deployment planning, and complete
the preparation tasks.
A typical high-level installation sequence is:
1. Install Citrix Licensing. (You can do this before, during, or after Setup; see the Citrix
licensing documentation for instructions.)
Note: If you plan to install multiple components on the same 64-bit server, install the
Web Interface before the License Management Console or XenApp.
2. Install the Web Interface, if you will be using it. (See the Web Interface documentation
for installation instructions; it is not covered in this section.)
3. Install one or more Citrix plug-ins on the server on which you are creating the farm.
(You can do this before or during XenApp Setup.)
4. Install the management consoles. (These tools can be installed on a XenApp server
either before or during Setup; they can also be installed on other systems.)
5. Create a farm by installing XenApp on the server you want to function as the data
collector for the first (or only) zone.
6. Install XenApp on other infrastructure servers and then on servers that will host
published applications.
7. XenApp prompts you to restart at the end of installation. You must restart XenApp for it
to integrate properly with Terminal Services.
After installing XenApp, perform the required post-installation configuration tasks.
The information that follows is based on using the wizard-based installation. Generally, the
sequence and explanations also apply to custom installations.
Preparing Your Environment
Before installing XenApp, complete the following preparation tasks, in any order. Some
tasks are required only if you want to use a particular feature or technology. Most tasks
apply when you are creating the XenApp farm; for preparation tasks when joining a farm,
see Joining a Server Farm.
Use the left column to mark completed tasks.
Review the Installation Checklist and install any prerequisites that will not be
installed by Setup.
Know which XenApp edition you will be installing (Platinum, Enterprise, or
Advanced).
Choose a name for your farm. Farm names can include spaces, and up to 32
characters. If you plan to use the Configuration Logging feature with an Oracle
database, do not use hyphens in the farm name.
Choose an installation method.
Obtain the domain credentials for the user who will be the first administrator on
the XenApp farm. That administrator has full permissions to the farm and can
create additional administrator accounts.
Ensure the operating system clock on each server has the correct time.
Complete the requirements for the database you will be using for the XenApp data
store. (This can include installing the database software, installing the database
client, and (for direct access) installing appropriate ODBC drivers.) For database
planning information, see Planning the XenApp Data Store. If you plan to use the
IMA encryption features, see Planning for Configuration Logging and IMA
Encryption.
The Data Store Database Reference topics contain database installation guidance,
plus additional information that might affect installation.
If you are using a Microsoft SQL Server, Oracle, or IBM DB2 database for the data
store, and are not using the wizard-based Setup, see Creating a DSN File for XenApp
Setup.
If you will be running Setup on a system with User Access Control (UAC) enabled,
see Planning for UAC.
Install Citrix licensing, unless you choose to install it during or after Setup (Setup
prompts you for licensing information).
Install the Web Interface (if you plan to use it), unless you choose to install it
during Setup. If you want the XML Service to share a port with IIS, you must install
the Web Interface before running Setup. Configure a XenApp Web or XenApp
Services site. For more information, see Planning for the Web Interface and XML
Broker and the Web Interface documentation.
If you want to change the accounts under which certain XenApp services run, see
Substituting Domain Accounts for User Accounts.
Install XenApp plug-ins on each server in the farm, unless you want Setup to install
them. Setup requires installing at least one XenApp plug-in for functionality such as
pass-through client authentication and shadowing to work correctly. If you invoke
Setup from Autorun, the XenApp hosted plug-in and the XenApp streaming plug-in
are installed automatically by default.
If you plan to use Philips SpeechMike devices with XenApp, install the drivers on all
servers hosting sessions that record audio.
If you plan to enable Windows Multilingual User Interface (MUI) support, see
Planning for Supported Languages and Windows MUI Support.
If you plan to use session shadowing, see Planning for Shadowing.
If you plan to use passthrough client authentication, see Planning for Passthrough
Client Authentication.
If you plan to use the XenApp Management Pack for Microsoft Operations Manager
2005 or Microsoft Systems Center Operations Manager 2007 to monitor either your
XenApp farm or Citrix Licensing, install the XenApp Provider and the Licensing
Provider, which are the XenApp Windows Management Instrumentation (WMI)
providers.
Creating a Farm
Start the wizard-based installation by double-clicking autorun.exe. (You cannot start Setup
by double-clicking mps.msi.)
The following list summarizes the task sequence to create a XenApp farm. Links are
provided to separate topics if a task is extensive or requires further description.
•
Choosing the Edition
•
Choosing an Installation Category
After selecting Application Virtualization as the installation category, the License
Agreement page appears. Read the License Agreement and indicate your agreement.
The Prerequisites Installation page lists the items to install before installing XenApp. If
you are using the wizard-based installation, some of these prerequisites are installed
automatically. This information is also available in the XenApp Installation Checklist.
•
Selecting Components
•
Enabling and Configuring Passthrough Client Authentication
•
Installing the License Server
•
Installing the Access Management Console
The Access Management Console is a framework into which you install snap-ins or
extensions. Each extension provides additional administrative functionality for your
Citrix environment. For example, when installing XenApp Platinum Edition, extensions
for features such as Password Manager are installed.
Important: Do not install different versions of Access Management Console on the
same server.
•
Selecting Components of XenApp
•
Specifying the Farm Name, Data Store, Zone, and Credentials
•
Enabling and Configuring IMA Encryption
•
Specifying the Citrix License Server
•
Enabling and Configuring Session Shadowing
•
Configuring the Citrix XML Service Port
•
Adding Users to the Remote Desktop Users Group
•
Installing XenApp Advanced Configuration
Important: Do not install different versions of XenApp Advanced Configuration on the
same server.
•
Installing the XenApp Document Library
Important: The XenApp Documentation Library contains information available when
this version of XenApp was released. The most current documentation is in Citrix eDocs.
Choosing the Edition
Start the installation by double-clicking autorun.exe. (You cannot start Setup by
double-clicking mps.msi.)
The initial Autorun page has the following options:
Option: Installation Checklist
Description: Displays XenApp installation prerequisites and system requirements. Reading this
can help avoid delays during Setup.
Option: Platinum Edition, Enterprise Edition, Advanced Edition
Description: XenApp is available in three editions. The components and features available
for installation vary with each edition.
Option: Citrix on the Web
Description: Provides links to the Citrix Web site and the Citrix Support Web site.
To continue installation, select your XenApp edition.
Choosing an Installation Category
Select an installation category. The components and features displayed vary according to
the XenApp edition you selected previously; the following display is for the Platinum
Edition.
Option: Application Virtualization
Description: Installs Citrix Licensing, XenApp, Web Interface, Access Management Console,
Advanced Configuration tool, and documentation.
Option: Application Session Recording
Description: Installs SmartAuditor administration features, the SmartAuditor Player, and the
SmartAuditor Agent.
Option: Application Performance Monitor
Description: Installs EdgeSight Server and the EdgeSight Agent.
Option: Single Sign On
Description: Installs the Citrix Password Manager service, the plug-in, and the Central Store.
Option: Common Components
Description: Installs components such as the Citrix XenApp plug-ins, Streaming Profiler,
Access Management Console, XenApp Configuration tool, Web Interface, Secure Gateway, Citrix
Licensing, and documentation.
To install the XenApp server, select Application Virtualization.
Selecting Components
On the Component Selection page, select the major components you want to install. By
default, all components except the license server and the EdgeSight agent are enabled for
installation. When you click Next, a sequence of separate wizards guides you through the
installation of the selected components.
Depending on the components selected, some configuration options might not be available
or might appear in a different order.
Option: Citrix Licensing (disabled by default)
Description: Installs or upgrades the licensing components for your Citrix product. Every
server farm must have access to a Citrix License Server. Do not install Citrix Licensing
every time you run XenApp Setup. Instead, point your XenApp servers to a common license
server.
Option: Access Management Console
Description: Installs the console framework for managing Citrix components; this console
snaps in to the Microsoft Management Console (MMC).
Option: Web Interface
Description: Installs the Web Interface.
Option: Citrix XenApp
Description: Installs XenApp and its components. There are two suboptions:
  •
  Pass-through client. Installs Program Neighborhood and the XenApp hosted plug-in. You can
  select either or both.
  •
  Citrix XenApp Plugin for Streamed Apps. Installs the XenApp streaming plug-in. Even if you
  are not streaming applications on this server, install this client to stream applications
  on other servers in the farm.
Option: XenApp Advanced Configuration or Presentation Server Console
Description: Installs the tool that manages printing, policies, load manager, and zones.
Option: XenApp Document Library
Description: Installs the XenApp Document Library, which is a help system for all major
XenApp components and plug-ins. If you disable this component, no help will appear in any
server-side XenApp components.
Note: See Citrix eDocs for the most current documentation.
Option: EdgeSight Presentation Server Agent (disabled by default)
Description: Installs the agent for Resource Manager powered by EdgeSight.
If you select Citrix Licensing, see the Citrix Licensing documentation. For Web Interface and
EdgeSight installation information, see their respective documentation.
Enabling and Configuring Passthrough
Client Authentication
To enable passthrough client authentication, select Yes on the Passthrough Authentication
for the Passthrough Client page.
After you enable passthrough client authentication, the Server Address for the Passthrough
Client page appears.
•
If you installed the XenApp hosted plug-in as the passthrough client, specify the URL for
your XenApp Services site (for example, http://yourservername/Citrix/PNAgent).
•
If you installed the Web Interface on this server, specify either localhost or the full URL
for the XenApp Services site. If you installed the Web Interface on a different server,
specify the full URL for the XenApp Services site.
If you are provisioning your servers using a third-party cloning program or using them in
a virtual environment, specify the name of the Web Interface server, not localhost.
•
If you have not installed the Web Interface, click Next and enter the address after
installation.
For more information, see Planning for Passthrough Client Authentication.
Installing the License Server
If you deselected the Citrix Licensing component in the Component Selection page, a
Warning! page appears, containing two options:
Option: Install a license server now
Description: Launches the license server Setup, which installs the Citrix License Server and
the License Management Console.
Option: I already have a license server, or will use the installation media to install one
later.
Description: Defers the requirement to specify a license server name until later in Setup.
You can also defer installing the licensing components until after Setup.
Selecting Components of XenApp
This page might not appear for all XenApp editions, and the components listed may vary.
This page contains the following options:
•
Application Streaming (enabled by default)
•
Load Manager (enabled by default)
•
WMI Providers (enabled by default)
Click Disk Cost to display the amount of disk space required by the selected components.
Specifying the Farm Name, Data Store,
Zone, and Credentials
Three pages appear during the process of creating a server farm.
Create or Join a Server Farm Page
Select Create a new farm. The Create a Server Farm page appears.
Create a Server Farm Page
1. Enter a name for the new server farm. Farm names can contain up to 32 characters and
include spaces. If you will be using Oracle as your Configuration Logging database, do
not use hyphens in the farm name.
2. Select the data store database.
  •
  If you are using a Microsoft SQL Server, Oracle, or IBM DB2 database for the data
  store, select Use the following database on a separate database server, and select
  the database from the list. If your driver does not appear on the list, cancel Setup,
  install the driver, and then restart Setup. (After you complete this page, Setup
  creates a Data Source Name (DSN) file and names it MF20.dsn.)
  •
  If you are using a Microsoft Access or SQL Server Express database for the data
  store, select Use a local database on this server, and select the database from the
  list.
3. If you want to change the default server farm zone name (Default Zone), clear the Use
default zone name check box and enter the new name.
For more information about the data store, see Planning the XenApp Data Store and Data
Store Database Reference. For information about zones, see Planning for WANs by Using
Zones.
Assign Farm Administrator Credentials Page
Enter the domain credentials for the user who will be the first farm administrator. This
administrator has full permissions to the farm after XenApp is installed, and can create
additional administrator accounts in the Access Management Console.
Enabling and Configuring IMA Encryption
If you enable IMA encryption when you create a farm, you must enable it on all servers that
join that farm, using a key specified during Create Farm Setup. After enabling IMA
encryption, you cannot disable it without reinstalling all existing farm servers.
To enable IMA encryption during Setup, keys must be specified and loaded (activated in the
data store). Specifying a key does not necessarily load it.
If you have multiple farms in your environment, Citrix recommends that you generate
separate keys for each farm.
Citrix recommends installing XenApp using network credentials when enabling IMA
encryption during Setup.
1. On the Enable IMA Encryption page, select the Enable IMA Encryption check box and
click Next.
2. On the IMA Encryption Key Type page, select one of the following options:
Option: Install Key From File
Description: Select this option if you already generated a key file for this farm. This
option specifies the key file and loads it. If you already loaded the key, use the Use
Previously Loaded Key option.
Option: Generate and Install New Key
Description: Select this option if you have not yet generated a key for this farm. This
option generates a key and installs it on the local computer.
Option: Use Previously Loaded Key
Description: Select this option if you already generated a key using the CTXKEYTOOL and
loaded the file on this server before you started Setup. (This option is not available if
the key file is not on this server.)
•
If you select Install Key From File, browse to the location of the key file (USB flash
drive, diskette, or other location you can access). If the key file is on a network
location, use a UNC path to specify the location.
After you select the key file, the Citrix License Settings page appears; this indicates
you successfully loaded the key.
•
If you select Generate and Install New Key, save the key to any folder on your local
computer.
Important: Citrix recommends choosing a meaningful key name, such as one that
matches the farm (for example, C:\Alpha Farm Key\alphafarmkey.ctx). You can
specify any extension that is not in use. Citrix also recommends backing up the
key file.
After you click Save, the Citrix Licensing Settings page appears. This indicates you
successfully configured and enabled IMA encryption.
•
If you select Use Previously Loaded Key and you loaded a valid key, the Citrix
Licensing Settings page appears. This indicates you successfully configured and
enabled IMA encryption.
For more information, see Planning for Configuration Logging and IMA Encryption.
Specifying the Citrix License Server
Before users can connect to XenApp, you must configure the first server in the farm to use a
Citrix License Server. Select one of the following options:
Option: Enter the host name for the machine hosting your Citrix License Server
Description: Type the host name. If the license server is not using the default port number
(27000), enter the port number. By default, servers joining the farm use the information you
enter here. You cannot leave the license server name blank.
Option: Enter the correct host name later
Description: If you do not know the license server name and port number, you can enter this
information later using the Access Management Console.
Enabling and Configuring Session
Shadowing
Session shadowing lets you monitor and interact with user sessions. When you shadow a user
session, you can remotely view the user session display and interact with the session using
your own keyboard and mouse.
Caution: Shadowing restrictions are permanent. If you disable shadowing or shadowing
features during Setup, you cannot reconfigure them after Setup, and they apply to any
policies for user-to-user shadowing.
Choose among the following options:
Option: Prohibit shadowing of user sessions on this server
Description: Disables user session shadowing on this server.
Option: Allow shadowing of user sessions on this server
Description: Enables user-session shadowing by the server. You can apply the following
restrictions:
  •
  Prohibit remote control. By default, authorized users can view a session they are
  shadowing and use their keyboard and mouse to interact with it. This option lets
  authorized users know their session is being shadowed.
  •
  Force a shadow acceptance popup. By default, an acceptance prompt notifies users when an
  authorized user attempts to shadow their sessions. This option prevents authorized users
  from shadowing sessions without sending an acceptance prompt.
  •
  Log all shadow connections. Enables logging of shadowing attempts, successes, and
  failures in the Windows event log.
For more information, see Planning for Shadowing.
Configuring the Citrix XML Service Port
XenApp uses the Citrix XML Service to supply the Web Interface server and its connecting
clients with the names of applications available in a farm. By default, Internet Information
Services (IIS) uses port 80 for HTTP traffic and port 443 for HTTPS traffic, if configured.
Important: All servers in the farm must use the same TCP port for the Citrix XML Service.
This page has the following options:
Option: Share default TCP/IP port with Internet Information Services (default)
Description: The XML Service and IIS use the same port for communications. This option
requires the Web Interface be installed before running XenApp Setup.
Option: Use a separate port
Description: Opens a different port number on the XenApp server for XML Service
communications with the Web Interface and the clients. Make sure other applications do not
use the port number. For a list of ports in use, type netstat -a at a command prompt.
Configure Web Interface servers (and any clients connecting to it) to use the new port
number.
Select the port sharing option if:
•
You plan to send data to the Web Interface over a secure HTTP connection using SSL.
You can run the Citrix XML service over port 443 using SSL in two ways:
  •
  Configure IIS for HTTPS traffic on port 443.
  •
  Configure SSL relay on port 443. It does not matter whether you choose port sharing
  or not.
•
The Web Interface and XenApp are installed on the same server.
•
The Web Interface and the Citrix XML Service are installed on the same server.
Select the separate port option if:
•
You want to install the Citrix XML Service on a dedicated XML server
•
You do not want the Citrix XML Service to share the TCP port with IIS
If you want to change the Citrix XML Service port after installation, you must do it
manually; there is no option on the Server Properties > XML Service page.
For more information, see Planning for the Web Interface and XML Broker.
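The port check described above for the separate port option, as an added PowerShell example (not part of the Citrix documentation): it parses netstat -ano output and reports any process already listening on a candidate XML Service port. The function names, the sample netstat text and candidate port 8080 are constructed for illustration.

```powershell
# Added example, not Citrix code. Written for PowerShell 2.0 (Windows Server 2008).

function Get-TcpListener {
    # Returns one object per TCP LISTENING row that matches $Port.
    param(
        [string[]]$NetstatLines,
        [int]$Port
    )
    foreach ($line in $NetstatLines) {
        # Expected columns: Proto  LocalAddress  ForeignAddress  State  PID
        $cols = @($line.Trim() -split '\s+')
        if ($cols.Count -ne 5 -or $cols[0] -ne 'TCP' -or $cols[3] -ne 'LISTENING') { continue }

        # Split on the last colon so IPv6 forms such as [::]:80 are handled.
        $local = $cols[1]
        $idx = $local.LastIndexOf(':')
        if ($idx -lt 0) { continue }
        $localPort = 0
        if (-not [int]::TryParse($local.Substring($idx + 1), [ref]$localPort)) { continue }
        if ($localPort -ne $Port) { continue }

        New-Object PSObject -Property @{
            LocalAddress = $local.Substring(0, $idx)
            Port         = $localPort
            OwningPid    = [int]($cols[4])
        }
    }
}

function Test-XmlPortCandidate {
    # Reports whether a candidate XML Service port already has a listener.
    param(
        [string[]]$NetstatLines,
        [int]$Port
    )
    $hits = @(Get-TcpListener -NetstatLines $NetstatLines -Port $Port)
    if ($hits.Count -eq 0) {
        "Port ${Port}: no TCP listener found."
    } else {
        foreach ($h in $hits) {
            "Port ${Port}: already bound on $($h.LocalAddress) by PID $($h.OwningPid)."
        }
    }
}

# Constructed sample of `netstat -ano` output (not captured from a real server).
$sample = @'

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1844
  TCP    10.0.0.5:49231         10.0.0.9:1433          ESTABLISHED     2210
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    620
'@ -split "`r?`n"

Test-XmlPortCandidate -NetstatLines $sample -Port 80
Test-XmlPortCandidate -NetstatLines $sample -Port 8080

# On a live server, feed real output instead of the sample:
#   Test-XmlPortCandidate -NetstatLines (netstat -ano) -Port 8080
```

Run the same check on every server in the farm before choosing the port, because all servers must use the same TCP port for the Citrix XML Service. Get-Process -Id with the reported PID names the owning process.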
Adding Users to the Remote Desktop
Users Group
Only users who are members of the Remote Desktop Users group can connect to published
applications. By default, there are no users in the Remote Desktop Users group. Until you
add users to this group, only administrators can connect remotely to the server.
This page has the following options:
Option: Add the Authenticated Users now
Description: Adds domain accounts in the Windows Users group to the Remote Desktop Users
group. Users added to the Windows Users group in the future will also be added to the Remote
Desktop Users group.
Option: Add the list of users from the Users group now
Description: Copies all current users from the Users group to the Remote Desktop Users
group. After Setup, if you add user accounts, you must add the accounts to the Remote
Desktop Users group manually.
Option: Skip this step, and add users later
Description: Does not add any users to the Remote Desktop Users group.
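A review of the resulting group membership, as an added PowerShell example (not part of the Citrix documentation): it parses the output of net localgroup "Remote Desktop Users" and marks members that admit whole classes of accounts rather than named users or role groups. The function names, the sample output and the list of broad principals are assumptions, and the parsing assumes English-language command output.

```powershell
# Added example, not Citrix code. Written for PowerShell 2.0 (Windows Server 2008).

function ConvertFrom-NetLocalGroup {
    # Extracts member names from `net localgroup <group>` text (English-language output).
    param([string[]]$NetLocalGroupLines)
    $inMembers = $false
    foreach ($line in $NetLocalGroupLines) {
        $text = $line.Trim()
        # A row of dashes separates the header from the member list.
        if ($text -match '^-{5,}$') { $inMembers = $true; continue }
        if (-not $inMembers -or $text -eq '') { continue }
        if ($text -like 'The command completed*') { break }
        $text
    }
}

function Get-RemoteDesktopUsersReview {
    # Emits one object per member, with Broad = $true for principals that cover
    # large sets of accounts.
    param([string[]]$NetLocalGroupLines)

    # Assumed list of broad principals; extend it to match local naming.
    $broad = 'Authenticated Users', 'Everyone', 'Users', 'Domain Users', 'INTERACTIVE'

    foreach ($member in @(ConvertFrom-NetLocalGroup -NetLocalGroupLines $NetLocalGroupLines)) {
        # Compare on the account name without its domain or authority prefix.
        $leaf = ($member -split '\\')[-1]
        New-Object PSObject -Property @{
            Member = $member
            Broad  = ($broad -contains $leaf)
        }
    }
}

# Constructed sample of `net localgroup "Remote Desktop Users"` output
# (EXAMPLE is a placeholder domain, not taken from a real server).
$sample = @'
Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
EXAMPLE\ctx-finance-users
EXAMPLE\jdoe
NT AUTHORITY\Authenticated Users
The command completed successfully.

'@ -split "`r?`n"

Get-RemoteDesktopUsersReview -NetLocalGroupLines $sample |
    Format-Table Member, Broad -AutoSize

# On a live server, feed real output instead of the sample:
#   Get-RemoteDesktopUsersReview -NetLocalGroupLines (net localgroup "Remote Desktop Users")
```

A member marked Broad is the case the first option describes: accounts created later gain remote logon rights to the server without anyone adding them to the group explicitly.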
Joining a Server Farm
After installing XenApp on the first server in the farm (creating the farm), you can install
XenApp on other servers. When you install XenApp on other servers, you join the farm, and
see a subset of the options in the Create Farm Setup.
This topic provides information about the tasks in Join Farm Setup that differ from Create
Farm Setup.
Preparation for Join Farm Setup
Before you join servers to an existing server farm, have the following information available:
•
The farm name.
•
If you are using a Microsoft SQL Server, Oracle, or IBM DB2 database on a dedicated
server for the data store, you need the logon credentials of a user authorized to access
the database.
•
If you are using a Microsoft Access or SQL Server Express database on the first server in
the farm for the data store, you need the name of that server and the logon credentials
of a user authorized to access the database.
•
If you enabled IMA encryption when you created the farm, either:
  •
  Copy the key you used for the first server in the farm to a network share that you
  specify with a UNC path, or
  •
  Access the key you generated when you created the farm from a portable storage
  device (such as a USB flash drive).
You cannot generate a new key when joining a farm.
Citrix recommends that you delete the key from the server after you complete the
installation of the farm.
Initial Setup When Joining a Farm
Until you reach the Create or Join a Server Farm page, Setup is identical to creating a farm.
Install the components and features you want on that server. Servers joining farms might
not need as many components as the first server in the farm.
On the Create or Join a Server Farm page, select Join an existing farm. The Join a Server
Farm page appears.
Configuring Zones and the Server Connection to the
Farm
On the Join a Server Farm page:
1. If you have more than one zone in your farm, clear the Use default zone name check
box, and enter the name of the zone where you want to add the server. For environments with
only one zone, leave the Use default zone name check box selected.
2. To connect to the data store directly (typically when using a Microsoft SQL Server,
Oracle, or IBM DB2 database on a dedicated server for the data store):
a. Select Connect directly to the database using ODBC
b. Select your database from the list and click Next.
c. Configure the ODBC driver associated with the database, using the instructions in
the database vendor documentation.
To connect to the data store indirectly (typically when using a Microsoft Access or
Microsoft SQL Server Express database):
a. Select Connect to a database on this server, specify the name of the server hosting
the database, and click Next. The default communication port is 2512.
b. On the Access the Database on a Citrix XenApp computer page, specify credentials
for the server to which you are connecting, and click Next.
After completing the Join a Server Farm page, either the Citrix Licensing Settings page or
the IMA Encryption Key Type page appears, depending on whether or not IMA encryption is
enabled on the farm you are joining.
Specifying the IMA Encryption Key File Location
Setup automatically detects if IMA encryption is enabled on the farm you are joining, and
prompts you to specify the location of the same key used on the first server in the farm.
To configure IMA encryption during Join Farm Setup, complete one of the following:
•
Add the key file to each computer before installation
•
Put the key file in a shared network location that is accessible by specifying a UNC path
•
Put the key file on a portable storage device, such as a CD or USB drive, that you use for
every installation
Select one of the following methods of specifying the key file location:
Option: Install Key From File
Description: Select this option if you did not load a key file on this server. Browse to the
location of the key file. If the key file is on a network location, use a UNC path to specify
the location.
Option: Use Previously Loaded Key
Description: This option is available only if you already loaded the key for this farm onto
this server. If you loaded a valid key, the Citrix Licensing Settings page appears.
To verify that IMA encryption is enabled and configured properly on the servers, use the
CTXKEYTOOL command with the query option, which is located in the Support folder on the
installation media.
Using Farm Licensing Settings
When joining a farm, you can use the same settings as the farm or point to a different
license server. On the Citrix Licensing Settings page, select one of the following options:
Option: Enter the host name for the machine hosting your Citrix License Server
Description: Points to a different license server than the other servers in the farm.
Option: Use the global farm settings for the license server
Description: Points to the same license server as the other servers in the farm.
Option: Enter the correct host name later
Description: If you do not know the license server name and port number, you can enter this
information later using the Access Management Console.
Migrating to XenApp 5.0
The term migrating means the process of moving data and settings from an older release to
this release. There are three ways in which you can move servers in your farm to the next
release.
Server Migration - A new installation of XenApp on a clean system in an existing farm.
Because you do this by performing a full installation (not the Upgrade wizard), no settings
are carried over on the server. However, the server gets its farm settings from the existing
farm.
Farm Upgrade - The existing farm and data store are maintained, but at least one server in
the farm is migrated to the new XenApp release.
Farm Migration - A new farm and data store are created, based on the installation of at
least one new server (that is, the first server in the farm).
A mixed farm comprises servers running different versions of XenApp and Presentation
Server.
Important:
•
Citrix does not support upgrading any components from Windows Server 2003 to
Windows Server 2008 unless noted.
•
Migrating from Release Preview versions of XenApp to the official released version is not
supported.
•
To have a mixed farm, you must add the XenApp 5.0 for Windows Server 2008 servers to
the XenApp 5.0 for Windows Server 2003 or Presentation Server 4.5 with Feature Pack 1
farm. You cannot add computers running Presentation Server 4.5 with Feature Pack 1 to
a XenApp 5.0 for Windows Server 2008 farm.
•
Interoperability of XenApp 5.0 for Windows Server 2008 with servers and farms prior to
Presentation Server 4.5 with Feature Pack 1 is not supported.
•
Downgrading a server from XenApp 5.0 for Windows Server 2008 to Presentation Server
4.5 or XenApp 5.0 for Windows Server 2003 is not supported.
Choosing a Farm Migration Strategy
There are two migration methods.
•
Migrating servers individually, which gradually converts the farm to the current release
and maintains the existing farm name and data store; this is a phased migration
•
Creating a new farm and, as you reimage or create servers with the next release,
adding them to the new farm and manually copying farm settings and policies
When determining whether to migrate all or part of a farm, consider the features users
require. For example, if users sync PDAs, consider keeping one server with either XenApp
5.0 for Windows Server 2003 or Presentation Server 4.5 with Feature Pack 1 in your farm.
Phased Migration
If your farm is running Presentation Server 4.5 with Feature Pack 1, you can perform a
phased migration by joining newly imaged XenApp 5.0 for Windows Server 2008 servers to
the existing farm, as you remove Presentation Server 4.5 with Feature Pack 1 servers.
This type of migration maintains existing policies and their rules. When a XenApp 5.0 for
Windows Server 2008 server joins a Presentation Server 4.5 with Feature Pack 1 farm, any
policy rules introduced with the new release are set to Not Configured. On the XenApp 5.0
for Windows Server 2008 server, you can enable new rules in existing farm policies.
However, servers running earlier releases disregard the new rules.
The migration of any server in a farm, regardless of zone designation, upgrades the entire
farm and places the farm into a mixed-farm mode. If a pilot zone is used for pre-production
testing and XenApp 5.0 for Windows Server 2008 is installed on a server in this zone, the
farm is now running in mixed mode. Unexpected issues might develop. Citrix strongly
recommends that all testing be done in a segregated farm to avoid impacting production
users.
Running a mixed-farm environment for the period that you are migrating individual servers
can make administration more complex. Although you can keep your farm in production, it
is not as clean a method as creating a new farm. Citrix recommends running in mixed-mode
for the shortest period of time possible.
Creating a New Farm
Consider creating a new farm when a significant number of changes will be implemented.
This reduces the possibility of data corruption. If your existing farm is based on any version
except Presentation Server 4.5 with Feature Pack 1 or XenApp 5.0 for Windows Server 2003,
you must create a new farm.
This method does not retain settings, so you must manually key in all policies and
configurations. While migrating your farm, consider using the Web Interface as the primary
point of entry. Users can access both the old farm and the new farm during the migration
period, because the Web Interface can merge applications available from different farms
and display them on the same Web page.
Creating a Migration Plan
An effective migration plan defines four key steps: requirements, the design, testing, and
implementation.
•
Identify and confirm requirements - Business (such as cost of ownership or personnel),
technical (such as existing infrastructure, complexity), and user requirements (such as
passthrough authentication and ease of access).
•
Document the design - The design document is a blueprint for the new environment; it
incorporates new features and major changes that will impact the server farm. Citrix
recommends creating detailed design documents for migration similar to those you
created for the initial installation.
•
Test - Check the effect of new functionality, such as how using a Windows Server 2008
system affects your farm configuration.
•
Implementation plan - Create a timeline. An implementation plan is often based on the
design document and includes a project plan with schedules, resources, and
dependencies. The implementation plan can also include the method of imaging
servers, configuration of settings, application installation method, help desk training,
user training, the stages of the rollout (if applicable), and the plan for decommissioning
the old farm (if applicable).
Infrastructure Server Design Considerations
As farms expand in size or the number of user connections increases, you might need to
increase the number of servers dedicated to hosting infrastructure in your environment. For
example, if you have added application servers to your farm, you might need to migrate
from an infrastructure server hosting the Citrix License Server, the data collector and the
XML Broker to a server hosting just the data collector and the XML Broker or a dedicated
server for each function.
Load Manager Design Considerations
Because 64-bit servers support a higher number of users, check the Load Manager design in
your farm to ensure its efficiency, particularly if you are using the Default or Advanced
Load Evaluator. If your load evaluators use percentages primarily (such as CPU or memory),
you might not need to reconfigure your load-balancing implementation. If you migrated
your servers to 64-bit hardware, you might be able to reduce the number of load balanced
servers, because 64-bit servers can support more resources.
Consider Replacing Secure Gateway with Access Gateway
Evaluate your security configuration and determine if you want to replace the Secure
Gateway with the Access Gateway for remote access. Access Gateway:
•
Supports additional applications and protocols.
•
Consolidates all remote access solutions in one appliance, and secures remote farm
connections and access to non-published resources (such as email, internal Web
applications, and network file shares).
•
Replaces a server in the DMZ with a hardened appliance.
•
Allows you to add VPN functionality while retaining the ability to access published
applications.
•
Allows a broad range of client devices to connect to published applications in the
secure network using XenApp plug-ins.
Migrating to the Access Gateway can change your farm topology. When you remove Secure
Gateway from the DMZ and replace it with the Access Gateway, you can move the Web
Interface to your internal secure network. The Access Gateway authenticates and
authorizes users and then connects to the Web Interface. This provides greater security
because there are fewer Windows servers in the DMZ.
Migrating from the Secure Gateway to the Access Gateway includes:
•
Opening the appropriate firewall ports
•
Either migrating the security certificates from Secure Gateway or creating new ones for
the Access Gateway
•
Installing the Access Gateway appliance
For more information, see the Access Gateway documentation.
Changes in This Release of XenApp
XenApp 5.0 for Windows Server 2008 introduces changes that might affect your farm design
and installation methods, plus feature offerings and operations.
Changes Affecting Farm Design
These changes might affect the location of components in your Citrix environment:
•
Unless your farm is dispersed across a WAN, Citrix recommends having only one zone in
your environment. See the documentation about planning your XenApp deployment for
more information.
•
Due to operating system requirements, Citrix does not recommend installing the
SmartAuditor server on the same server as XenApp.
Changes to Setup
These changes affect the sequence or packaging of installation components:
•
The XenApp Media Kit, which contains the installation media, is now on a DVD.
•
The server URL in the Server Address for the Passthrough Client page no longer defaults
to localhost because this can create issues for server provisioning.
•
The XenApp Hosted Plug-in now has its own .msi file, XenAppHosted.msi.
•
The XenApp Advanced Configuration tool now has its own installation package,
CMC.msi. This package is on the installation media in Administration\XenApp Advanced
Configuration. Although still installed by default, the XenApp Advanced Configuration
tool is no longer included as part of the core XenApp Setup (mps.msi).
•
XenApp_Documentation.msi replaces the previous documentation installation package,
docs.msi.
•
The Create a Server Farm page in XenApp Setup no longer uses your server subnet as
the default zone name.
•
The Access Management Console now supports uninstalling all Access Management
Console extensions simultaneously.
Changes Affecting Custom Installations
•
There is no longer a default installation type. When using Windows Installer commands
(msiexec), set the CTX_MF_SERVER_TYPE property regardless of the type of installation;
otherwise, Setup fails.
•
XenApp plug-ins must be installed before you begin XenApp Setup (plug-ins are installed
by default only in the wizard-based installation).
•
The XenApp Hosted Plug-in in XenApp Setup now references XenAppHosted.msi. This
affects XenApp server installation scripts.
•
Because plug-ins must be installed before XenApp Setup begins, add commands to
install them before the commands for installing XenApp.
•
Configure passthrough authentication as part of the XenApp Hosted Plug-in
installation.
•
Plug-in Setup properties have changed: CLIENT_INSTALLDIR is now INSTALLDIR, and
ADDLOCAL was added.
XenApp Setup fails without the plug-ins, and you might not get a warning message
during a silent installation.
Update your scripts to accommodate new .msi files and their associated properties, and
ensure they are in the correct sequence:
•
Separate .msi files for the XenApp Advanced Configuration tool
(Administration\XenApp Advanced Configuration\cmc.msi)
•
XenApp_Documentation.msi replaces docs.msi
Component and Feature Changes
These changes might affect your farm design or how you install components:
•
To run this release, you must have the license server that is available from Autorun or
from the Citrix download site.
•
This version of XenApp does not support Active Sync or Windows Mobile. If you must
support PDAs or other mobile devices, use a computer running Presentation Server 4.5
with Feature Pack 1 (that is, run two farms in parallel or have a mixed-farm
environment).
•
Remapping server drive letters is no longer supported.
•
Conferencing Manager is no longer included with XenApp. Citrix recommends using
Citrix GoToMeeting.
•
The Access Management Console now supports uninstalling all Access Management
Console extensions simultaneously.
•
Citrix has replaced Resource Manager with Resource Manager powered by EdgeSight.
•
If you use Resource Manager, see Finding EdgeSight Documentation.
•
Resource Manager powered by EdgeSight cannot monitor computers running
Presentation Server 4.5 with Feature Pack 1.
For monitoring in a mixed-farm environment, use Resource Manager for the
computers running Presentation Server 4.5 with Feature Pack 1 and Resource
Manager powered by EdgeSight for the XenApp servers. Alternatively, you can use
EdgeSight for XenApp to monitor both versions.
Using XenApp on Windows Server 2008
It is important to understand the differences in settings and behavior between Windows
Server 2003 and Windows Server 2008. Some applications published successfully in a
Windows Server 2003 environment might not behave as expected if they are not Windows
Vista or User Account Control (UAC) compliant.
There are restrictions on running non-Vista compliant applications on Windows Server 2008.
In Windows Server 2008, the Restrict each user to a single session option in the Terminal
Services Configuration tool is now enabled by default. To ensure users can connect to
multiple sessions simultaneously, Citrix recommends setting this option to No.
Citrix recommends using the server and farm-wide settings in XenApp to control the number
of concurrent sessions a user can launch.
Migration Requirements and Restrictions
Migrating to XenApp 5.0 has the following requirements and restrictions:
•
If you are running the license server that came with Presentation Server 4.5 with
Feature Pack 1, you must upgrade to the license server included with this release (or
the current version). Your existing license files are compatible with the new license
server.
•
If you migrate printer drivers, the drivers must be compatible with Windows Server
2008. For example, Windows NT 4.0 Kernel mode drivers are not supported in Windows
Server 2008. Ideally, drivers installed on XenApp servers should be Vista certified.
•
When you upgrade the Access Management Console from versions supplied with previous
releases of XenApp, note that there are restrictions on how the later version of the
console recognizes any My Views created with, or items discovered by, the earlier
version. If, after upgrading, you are prompted whether or not you want to upgrade your
.msc configuration file, choose one of the following:
•
Upgrade - The file is upgraded; you cannot use the earlier version of the console to
open the file or see any My Views created with it. However, you can use the later
version.
•
Don’t Upgrade - The file is not upgraded; you can use both versions of the console
to see the My Views. However, you can edit and save My Views only in the earlier
version.
•
If you are using Secure Gateway, you must install and configure version 3.1 or later.
Important:
•
Citrix does not support upgrading any components from Windows Server 2003 to
Windows Server 2008 unless noted.
•
Migrating from Release Preview versions of XenApp to the official released version
is not supported.
•
To have a mixed farm, you must add the XenApp 5.0 for Windows Server 2008
servers to the XenApp 5.0 for Windows Server 2003 or Presentation Server 4.5 with
Feature Pack 1 farm. You cannot add computers running Presentation Server 4.5
with Feature Pack 1 to a XenApp 5.0 for Windows Server 2008 farm.
•
Downgrading a server from XenApp 5.0 for Windows Server 2008 to Presentation
Server 4.5 or XenApp 5.0 for Windows Server 2003 is not supported.
To migrate from the previous release
Before beginning this procedure, review To uninstall XenApp and remove a server from a
farm.
1. Upgrade the Citrix License Server and download current licenses.
2. Migrate your data store to a version supported by XenApp 5.0, if necessary.
3. Upgrade or perform a new installation of the XenApp Advanced Configuration tool,
Access Management Console, and Web Interface.
(To upgrade these components automatically and preserve custom configuration
settings, use the default settings in their Setup programs when invoked from Autorun.)
Note: You can use the Upgrade wizard in Setup to upgrade the Access Management
Console and XenApp Advanced Configuration only if you are upgrading these
components on the same operating system platform (for example, Windows Vista to
Windows Vista).
4. Remove any servers from the farm that you want to reimage; see To uninstall XenApp
and remove a server from a farm.
5. Install XenApp 5.0 for Windows Server 2008 on the reimaged or new servers using Join
Farm Setup. Migrate the servers in this order:
a. Zone data collectors
b. Infrastructure servers
c. Servers hosting published applications
6. If you are using Secure Gateway, install and configure version 3.1 or later.
Rebuilding and Renaming XenApp Servers
When replacing a server due to hardware failure, or renaming a farm server using the
operating system, follow specific steps in the XenApp farm maintenance documentation to
prevent corruption of the data store records and ensure the server is properly integrated in
the farm.
To uninstall XenApp and remove a server from a farm
Before uninstalling XenApp and removing a server from a farm:
•
In farms with direct and indirect connections to the data store, Citrix recommends
uninstalling indirectly connected servers before uninstalling the server they connect
through (that is, the server connecting directly). If XenApp is uninstalled from a server
with a direct connection to the data store, indirectly connected servers cannot access
the data store. Information such as applications or Citrix Administrators is lost, and
indirectly connected servers cannot be uninstalled from the data store.
•
Citrix does not recommend uninstalling XenApp from within a Remote Desktop
Connection (RDC) session because the uninstall program logs off all remote users as it
uninstalls XenApp. If you need to uninstall XenApp remotely, use tools such as Microsoft
Configuration Manager.
•
Although you can remove a server from a farm using only the Access Management
Console, Citrix recommends using the method described below because it is safer.
1. With the server on the network and online in the farm, uninstall XenApp. From the Start
menu, select Control Panel > Programs and Features > Citrix XenApp 5.0 > Uninstall.
2. On a different server, open the Access Management Console, run Discovery and verify
that the server was removed from the farm successfully. If the server from which you
uninstalled XenApp still appears in the Access Management Console:
a. In the left pane of the Access Management Console, select the server.
b. From the Action menu, select All Tasks > Remove from farm.
3. After verifying the server no longer appears in the farm in the Access Management
Console, disconnect the server from the network.
Caution: Do not reconnect the server to the network until you reimage it or remove
its XenApp software. If it reconnects to the network, it can corrupt your farm.
4. Run the dscheck command on the data store to repair any consistency errors.
5. If you want to reuse the hardware for that server, perform a new installation of the
operating system (that is, a clean installation and not an upgrade) and XenApp 5.0.
To migrate a server farm by creating a new farm
1. Use the Citrix Client Packager to provide the latest plug-ins to users, repackage the
XenApp plug-in, and include the URL of your XenApp Services site.
Some XenApp 5.0 features require new plug-ins. Citrix recommends upgrading user
plug-ins before migrating so you can address any issues that arise before migrating the
farm. Upgrading plug-ins before migrating the farm makes it easier to determine if
issues are related to the plug-ins or the farm servers.
Instead of using the Citrix Client Packager, you can deploy the new package to client
desktops using an Active Directory Group policy, Microsoft System Center Configuration
Manager, or another third-party deployment product. This deployment method requires
no user input.
For more information, see the plug-in documentation.
2. If the data store is not hosted on a Microsoft Access database, create a new data store.
Install XenApp 5.0 for Windows Server 2008 on a server that is independent of your
existing farm and give it a name that is different from the existing farm. This is the first
server in the new farm.
3. Use the Access Management Console and the XenApp Advanced Configuration tool to
configure your newly installed XenApp server to match the settings of your existing
farm. Ensure that you also match the settings for published applications. Alternatively,
you can create a script to export and import published application information. See the
Citrix Developer Network for additional information.
4. Deploy the Web Interface as the primary entry point for your newly installed farm. Use
DNS CNAME (alias) records for the Web Interface servers. Use a simple mnemonic for
the DNS alias, such as myapps. (For example, Citrix could have an internal Web
Interface deployment with multiple servers that share the DNS alias
myapps.citrix.com.) See the Web Interface documentation for more information.
5. Open the new deployment for testing by pilot users.
6. After refining the pilot deployment, switch users to it. Instruct users to access your
Web Interface server URL. (Using the example above, http://myapps.citrix.com.)
7. Decommission the farm running the legacy release of XenApp.
Mixed Farms
Citrix recommends that, where possible, you upgrade all of the servers in a farm
simultaneously so that you do not have different versions of XenApp and Presentation
Server running in the same farm. However, XenApp 5.0 for Windows Server 2008 servers can
coexist with XenApp 5.0 for Windows Server 2003 or Presentation Server 4.5 with Feature
Pack 1 servers. In addition, XenApp 5 for Windows Server 2008 supports both 32-bit and
64-bit editions of Windows operating systems in the same farm.
To discover a mixed farm, run discovery using the latest Access Management Console for a
XenApp 5.0 for Windows Server 2008 server. New features might not be available if you do
not use the latest Access Management Console.
After discovery completes, the functionality and display vary depending on the version of
the server you select. For example, if you select a server running Presentation Server 4.5
with Feature Pack 1, you see Resource Manager information (if installed); if you select a
server running XenApp 5.0 for Windows Server 2008, you will not see this.
You can also manage multiple farms; for example, one farm comprising XenApp 5.0 for
Windows Server 2008 servers and another farm comprising either Presentation Server 4.5
with Feature Pack 1 servers or XenApp 5.0 for Windows Server 2003 servers. Again, you
must use the latest Access Management Console to discover the farms.
When installing XenApp 5.0 for Windows Server 2008 in a mixed-farm environment, if you
are creating domain accounts for services, make sure that the accounts do not have the
same name as the accounts on the servers running the earlier release. If the privileges
associated with one of the accounts are higher for one version of XenApp than another, the
accounts might conflict.
Citrix does not recommend running in mixed-mode indefinitely. If it is necessary to retain
Presentation Server 4.5 with Feature Pack 1 or XenApp 5.0 for Windows Server 2003 for
specific features, Citrix suggests having two farms and using the Web Interface to integrate
them.
Important:
•
To have a mixed farm, you must add the XenApp 5.0 for Windows Server 2008 servers to
the XenApp 5.0 for Windows Server 2003 or Presentation Server 4.5 with Feature Pack 1
farm. You cannot add computers running Presentation Server 4.5 with Feature Pack 1 to
a XenApp 5.0 for Windows Server 2008 farm.
•
Interoperability of XenApp 5.0 for Windows Server 2008 with servers and farms prior to
Presentation Server 4.5 with Feature Pack 1 is not supported; only Presentation Server
4.5 with Feature Pack 1 and XenApp 5.0 for Windows Server 2003 are supported for a
mixed farm.
•
The Access Management Console included with XenApp 5.0 for Windows Server 2008 can
manage servers running Presentation Server 4.5 with Feature Pack 1 only when at least
one XenApp 5.0 for Windows Server 2008 server is installed in the farm.
•
Downgrading a server in your farm from XenApp 5.0 for Windows Server 2008 to
Presentation Server 4.5 or XenApp 5.0 for Windows Server 2003 is not supported.
Increasing Graphics Memory Limit in a Mixed Farm
In XenApp 5.0 for Windows Server 2008, the default graphics memory limit is 32MB and the
maximum graphics memory limit is 64MB. In a mixed farm, the default graphics memory
limit is 5MB; the maximum graphics memory limit is 8MB. These limits derive from the
Presentation Server 4.5 with Feature Pack 1 defaults.
In a farm comprising only XenApp 5.0 for Windows Server 2008 servers, you can use the
Access Management Console to increase the graphics memory limit for all servers in the
farm or for individual servers. In a mixed farm, only the XenApp 5.0 for Windows Server
2008 servers respect the limits set using the Access Management Console. The Citrix
Knowledge Center has information about how to allow more memory for session graphics on
Windows Server 2003.
Administering Resource Manager in a Mixed Farm
In XenApp 5.0 for Windows Server 2008, Resource Manager has been replaced by Resource
Manager powered by EdgeSight. As a result, Dashboard and My Knowledge are no longer
available. However, in a mixed-farm environment, you can administer the Resource
Manager that is installed on a server running Presentation Server 4.5 with Feature Pack 1.
For farms containing XenApp 5.0 for Windows Server 2003 servers and XenApp 5.0 for
Windows Server 2008 servers, you can use either the original Resource Manager or the new
Resource Manager.
On a server running Presentation Server 4.5 with Feature Pack 1, the original Resource
Manager documentation is available in the Documentation Center; it is also available in the
Citrix Knowledge Center.
Administering Installation Manager in a Mixed Farm
In XenApp 5.0 for Windows Server 2008, Installation Manager has been replaced by a new
tool, also called Installation Manager, which is based on Microsoft Windows Task Scheduler
2.0 and Windows PowerShell 1.0. However, in a mixed-farm environment, the previous
version of Installation Manager on a Presentation Server 4.5 with Feature Pack 1 or XenApp
5.0 for Windows Server 2003 server is available through those servers' versions of the Access
Management Console and the Presentation Server Console.
Administering Isolation Environments in a Mixed Farm
In XenApp 5.0 for Windows Server 2008, application streaming replaces isolation
environments. In a mixed-farm environment, you can administer isolation environments on
Presentation Server 4.5 with Feature Pack 1 or XenApp 5.0 for Windows Server 2003 servers
using those servers' versions of the Presentation Server Console.
SNMP Considerations in a Mixed Farm
In XenApp 5.0 for Windows Server 2008, Simple Network Management Protocol (SNMP) traps
can be enabled/disabled through the Access Management Console. In a mixed-farm
environment, you can enable/disable SNMP alerts on Presentation Server 4.5 with Feature
Pack 1 or XenApp 5.0 for Windows Server 2003 using the Resource Manager on those servers.
Provisioning Servers and Configuring XenApp
Provisioning refers to the process of distributing XenApp software across a group of servers.
After XenApp Setup completes, you can refine the configuration of infrastructure servers
and zones, and configure application servers.
You can run scripts to perform configuration tasks such as publishing applications, setting
data collector election preferences, and applying load evaluators. You can make changes on
a per-server basis, as needed. For information about scripting, see the Citrix Developer
Network.
Provisioning Farm Servers
After you install XenApp on the second server in your farm, you can provision other servers
in the farm.
When provisioning farm servers, consider these methods:
•
Using Citrix Provisioning services - Certain XenApp editions support Citrix Provisioning
services, which streams operating systems and applications, including XenApp, to farm
servers. The streamed data is not persistent, so images must include everything you
want to stream (that is, the operating system, XenApp, published applications). For
more information, see the Citrix Knowledge Center; an implementation guide is
available in CTX120513, and an integration utility in CTX116063.
•
Deploying Windows Installer Packages using Active Directory - You can use Active
Directory to push out Windows Installer packages to multiple servers and workstations
simultaneously. You can use XenApp transforms to select the installation options and
enter data. Using Active Directory for imaging can reduce the number of times you need
to directly interact with a server during the imaging process. You can install
prerequisites (depending on the vendor for the prerequisite support), run XenApp
installation, and then install applications. You do not need to connect to the target
server to invoke the installation programs manually.
•
Cloning servers with preconfigured images - You can use third-party imaging programs,
such as Symantec Altiris, to create a copy of the installation and configuration of a
server that joined the farm. Then, use this image to create additional servers in the
farm. This process is referred to as cloning. You can also clone virtual machines with
products such as XenServer.
•
Using the XenApp unattended installation - With unattended installations, you create an
answer file that specifies your configuration. You then run Setup on a system, using
that answer file. This method does not let you include prerequisites in the installation
and requires more manual interaction; however, a template is provided.
See the Custom XenApp Installation topics for more information about using Windows
Installer packages and unattended installations.
Simultaneous Installation Considerations
When you install multiple servers simultaneously, servers write configurations to the same
data store indexes. Consequently, the more servers you install simultaneously, the more
likely you are to create deadlocks on the database server.
During XenApp Setup, deadlocks can occur when one server times out while waiting to write
to a piece of data that is locked by another server. Deadlocks can cause installation to fail
on some servers or cause them to install much slower than necessary.
When installing servers simultaneously, Citrix recommends:
Server Hosting Data Store     Maximum Number of Servers to Install Simultaneously
Dual processor or greater     30
Older server                  10
Do not install multiple servers and create a zone at the same time. Create the zone first
and then perform the simultaneous installations. Having the zone in place before running
simultaneous installations prevents the new servers from being configured as the data
collector.
Cloning XenApp Servers
Cloning a XenApp server involves the following:
1. Creating a template image from a configured farm server, which means removing the
image identity so that the image becomes a template you can reuse (servers have
properties that contribute to their unique identity, such as the server name, domain
membership, and Security ID (SID)).
2. Distributing the image to the farm servers.
3. Recreating the unique identity of each of these servers.
Cloning techniques are used when creating a XenApp farm with provisioning technologies
such as Citrix Provisioning services or Symantec Altiris. These techniques are also used with
virtualization technologies that host XenApp, such as Citrix XenServer, the Windows Server
2008 Hyper-V feature, and VMware environments.
Typical candidates for cloning are servers you must repeatedly install. In small or medium
farms, you might only need to make cloned images of servers that will host published
applications. In large farms, you might also create cloned images for the Create Farm
server and infrastructure servers.
When preparing a server for cloning with Citrix Provisioning services, you can include any
applications and other settings you want to appear in that image.
Although XenApp is compatible with server cloning, issues resulting from cloning software
can cause the operating system or its add-ons to function incorrectly. When cloning XenApp
servers, clone one server and check its operation in a test environment before deploying
the image to the rest of the farm.
Preparing your Servers for Cloning
Before changing the SID on the server used to access the XenApp Advanced Configuration
tool, add one of the following as a Citrix Administrator with read-write privileges:
•
A domain administrator
•
The Local Administrators group
•
A local administrator from a server where the SID will remain static
Important: Do not create an image of a server with an SSL certificate installed; SSL
certificates are unique to the hardware.
Configuring Servers after Cloning
Zone settings are not retained when cloning a server. When the Citrix Independent
Management Architecture service on the cloned server starts for the first time, the cloned
server joins the Setup default zone. When deploying images to servers in multiple zones,
assign zone information for each server after the cloning process.
After imaging your servers, join these servers to your farm by using the CHFARM command.
To clone a server
This task requires a system preparation utility, such as Microsoft Sysprep, third-party
imaging software, and a text editor.
This task assumes you want to clone a server for the purpose of hosting published
applications and that a relational database (Oracle, SQL Server, or DB2) is hosting the data
store. C is the drive on which XenApp is installed.
If you are using Citrix Provisioning services, using the PVS PS Integration Utility can
accelerate the integration process by automating some steps.
Important: Citrix strongly recommends that you create initial images on a test farm, not
in a production environment. These instructions are for guidance only, and will vary
depending on the environment and imaging software.
Caution: The following procedure requires editing the registry. Using Registry Editor can
cause serious problems that can require you to reinstall the operating system. Citrix
cannot guarantee that problems resulting from incorrect use of Registry Editor can be
solved. Use Registry Editor at your own risk.
1. After creating your farm, install XenApp on another server using Join Farm Setup, and
join the farm you created.
2. Configure the server with settings you want on all servers. (For example, you might
want to configure policies, set the data collector election preference to Not Preferred
if this image will be used for servers hosting published applications, or add printer
drivers.)
3. Configure XenApp services.
•
Stop the Citrix MFCOM Service, and set its Startup type to Manual.
•
Stop the Citrix Independent Management Architecture service, and set its Startup type to
Manual.
•
Stop the Citrix WMI Service.
4. Configure the registry.
a. In the registry on the server, set
HKLM\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME\PSRequired to 1. This key is in
HKLM\SOFTWARE\Citrix\IMA\Runtime\PSRequired on XenApp, 32-bit edition. This
forces the server to communicate with the data store so that the local host cache is
updated with the new information.
b. Delete the value for HKLM\SOFTWARE\Wow6432Node\Citrix\IMA\ServerHost. This
key is in HKLM\SOFTWARE\Citrix\IMA\ServerHost on XenApp, 32-bit edition.
5. Delete the contents of database local persistent cache files.
a. Delete the contents of the Local Host Cache in C:\Program Files
(x86)\Citrix\Independent Management Architecture\imalhc.mdb by running dsmaint
recreatelhc.
b. Delete the contents of the Application Streaming Offline database cache in
C:\Program Files (x86)\Citrix\Independent Management
Architecture\RadeOffline.mdb by running dsmaint recreaterade.
c. In mixed farm environments, if you are cloning a Presentation Server 4.5 with
Feature Pack 1 server, delete the Resource Manager database cache in C:\Program
Files (x86)\Citrix\Citrix Resource Manager\LocalDB\RMLocalDatabase.mdb.
6. Remove the workstation Identification (WSID) from DSN files. Using a text editor, open
the files MF20.dsn and RadeOffline.dsn in C:\Program Files (x86)\Citrix\Independent
Management Architecture, and delete the line that specifies the WSID.
7. If you are cloning a system which might have had an older XenApp plug-in installed on it
at one time, delete the C:\WFCName.ini file. This file was created by previous versions
of the XenApp hosted plug-in.
8. Create an image of this installation using Citrix Provisioning services, Citrix XenServer,
or third-party imaging software.
9. Deploy this image to other servers using the tools provided by the imaging software.
10. To begin initializing the cloned image, restart the server where the image was
deployed.
11. Using a system preparation utility or the imaging software, assign the cloned image a
new computer name.
12. Set HKLM\SOFTWARE\Wow6432Node\Citrix\IMA\Logging\HostName to the new computer
name. This key is in HKLM\SOFTWARE\Citrix\IMA\Logging\HostName on XenApp, 32-bit
edition.
13. Edit the CtxSta.config file to create a unique STA ID. (If you do not change this to a
unique STA ID, the Secure Gateway and other components cannot uniquely identify the
new server.)
a. Using a text editor, open the CtxSta.config file in C:\Program Files
(x86)\Citrix\System32.
b. Use the MAC address of the new server to which you applied the clone to create the
STA ID. Remove any colons or spaces from the MAC address and preface it with
“STA.” (For example, the MAC address 02-00-68-55-4D-01 becomes
STA020068554D01.)
c. Enter the STA ID in the UID field in the CtxSta.config file. (For example,
UID=STA020068554D01.)
14. In the Windows Services panel:
a. Set the Startup type for Citrix Independent Management Architecture and the Citrix
MFCOM service to Automatic.
b. Start the Citrix Independent Management Architecture service.
c. Start the Citrix MFCOM service.
d. Start the Citrix WMI service.
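Steps 12 to 14 above as an added PowerShell example (not Citrix's own script): it refuses to start IMA while the clone still carries template identity from steps 4, 6 or 11, then sets HostName, derives the STA ID from the MAC address, and starts the services. `XA-TEMPLATE` is a hypothetical template name and the KEY=VALUE line layout of the DSN and CtxSta.config files is an assumption; registry keys, paths and service display names are the ones given on this page.

```powershell
# Added example, not Citrix code. Run elevated on the renamed clone, before IMA starts.
# Paths and keys are the 64-bit ones from this page; on the 32-bit edition drop
# "Wow6432Node" and " (x86)".
$ErrorActionPreference = 'Stop'
$ImaKey       = 'HKLM:\SOFTWARE\Wow6432Node\Citrix\IMA'
$ImaDir       = 'C:\Program Files (x86)\Citrix\Independent Management Architecture'
$StaFile      = 'C:\Program Files (x86)\Citrix\System32\CtxSta.config'
$TemplateName = 'XA-TEMPLATE'   # hypothetical: computer name of the imaged template

function ConvertTo-StaId([string]$Mac) {
    # Step 13b: strip separators, prefix with "STA" (02-00-68-55-4D-01 -> STA020068554D01).
    $hex = ($Mac -replace '[-:\s]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Not a 48-bit MAC address: '$Mac'" }
    "STA$hex"
}

function Get-TemplateResidue {
    # Returns one message per template identity item that survived imaging.
    $found = @()
    $ima = Get-ItemProperty -Path $ImaKey -ErrorAction SilentlyContinue
    if ($ima -and $ima.ServerHost) {
        $found += "ServerHost still set to '$($ima.ServerHost)' (step 4b)"
    }
    $rt = Get-ItemProperty -Path "$ImaKey\RUNTIME" -ErrorAction SilentlyContinue
    if (-not $rt -or $rt.PSRequired -ne 1) { $found += 'PSRequired is not 1 (step 4a)' }
    foreach ($dsn in 'MF20.dsn', 'RadeOffline.dsn') {
        # Assumed layout: one KEY=VALUE pair per line.
        if (Select-String -Path (Join-Path $ImaDir $dsn) -Pattern '^\s*WSID\s*=') {
            $found += "$dsn still contains a WSID line (step 6)"
        }
    }
    $found
}

function Set-StaUid([string]$Path, [string]$StaId) {
    # Step 13c: rewrite the single UID= line, keeping a backup of the original file.
    $lines = @(Get-Content -Path $Path)
    $hits  = @($lines | Where-Object { $_ -match '^\s*UID\s*=' })
    if ($hits.Count -ne 1) { throw "Expected one UID= line in $Path, found $($hits.Count)" }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $lines | ForEach-Object { if ($_ -match '^\s*UID\s*=') { "UID=$StaId" } else { $_ } } |
        Set-Content -Path $Path
}

# Guard: do not let IMA contact the data store with the template's identity.
if ($env:COMPUTERNAME -eq $TemplateName) { throw 'Rename the server first (step 11).' }
$residue = @(Get-TemplateResidue)
if ($residue.Count -gt 0) {
    throw ("Template residue found:`n  " + [string]::Join("`n  ", $residue))
}

# Step 12: record the new computer name for IMA logging.
Set-ItemProperty -Path "$ImaKey\Logging" -Name HostName -Value $env:COMPUTERNAME

# Step 13: derive the STA ID from the MAC of the single IP-enabled adapter.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
if ($nics.Count -ne 1) {
    throw "Found $($nics.Count) IP-enabled adapters; choose one MAC and call ConvertTo-StaId with it."
}
$staId = ConvertTo-StaId ($nics[0].MACAddress)
Set-StaUid -Path $StaFile -StaId $staId

# Step 14: restore startup types, then start the services in the order listed.
$imaSvc = Get-Service -DisplayName 'Citrix Independent Management Architecture'
$mfcom  = Get-Service -DisplayName 'Citrix MFCOM Service'
$wmi    = Get-Service -DisplayName 'Citrix WMI Service'
foreach ($s in $imaSvc, $mfcom) { Set-Service -Name $s.Name -StartupType Automatic }
foreach ($s in $imaSvc, $mfcom, $wmi) { Start-Service -Name $s.Name }
"STA ID set to $staId; HostName set to $env:COMPUTERNAME"
```

Because the STA ID is what lets the Secure Gateway tell servers apart, compare the resulting UID values across all clones of one image before putting them behind the gateway.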
Configuring Infrastructure Servers After Setup
Although you can configure infrastructure servers when you install your initial farm
components, you can refine the configurations for certain infrastructure elements after
XenApp Setup.
Configuring Data Collectors After Setup
By default, Setup configures the Create Farm server as the data collector by setting its
server election preference to Most Preferred. All servers that join the farm are set to
Default Preference.
To dedicate a server as the data collector, use the XenApp Advanced Configuration tool to
set it to Most Preferred and do not use it for any other functions, including hosting
published applications. After configuring the data collector, set the election preferences of
servers hosting published applications to Not Preferred, the lowest election preference, so
that those servers are unlikely to act as a data collector.
Configuring Zones After Setup
When configuring zones for a WAN, Citrix recommends the following:
• Do not enable load balancing across zones. Use the Zone Management feature in the
Advanced Configuration tool to specify the Do not share load information option.
• Direct user requests for applications to the nearest geographic location by setting up a
preferred zone connection order in the User Workspace > Connections > Zone
preference and failover policy rule. Routing users to connect to servers in their own
zone can reduce traffic across high latency connections. This feature only affects the
XenApp plug-in and the Web Interface.
Configuring XenApp after Installation
After you install XenApp and configure infrastructure servers, complete the following tasks.
For details, see the XenApp administrator documentation.
1. Change essential settings, including the following:
• To allow users to reconnect to sessions consistently, set the Restrict each user to a
single session option to No in the Terminal Services Configuration tool. (In Windows
Server 2008, this setting is enabled by default.)
Citrix recommends using the server and farm-wide settings in XenApp to control the
number of sessions users can launch.
2. After installing the Web Interface, use the Access Management Console or Delivery
Services Console to create one or more sites, so that users can connect through the
Web Interface or the XenApp plug-in.
3. Use the console to discover the servers in your farm.
4. Create administrative accounts.
5. Publish applications.
6. Perform other customization, such as setting policies, configuring printing, changing
server election settings, and configuring load balancing.
7. Create plug-in packages and deploy them to users. See the plug-in documentation for
details.
Custom XenApp Installation
XenApp offers alternatives to the wizard-based installation. Custom installations are useful
when installing XenApp on large numbers of servers. See Custom XenApp Installations for
custom installation method descriptions.
See XenApp Windows Installer Properties Reference for information about the properties
specified in custom installations.
Custom Installations of the XenApp Management Consoles
The XenApp management consoles have their own .msi files. The .msi file referenced by
Autorun cannot be used for custom installations.
• Delivery Services Console or Access Management Console - The .msi file is in
Administration\console_name\setup on the XenApp installation media. Citrix
recommends running CtxInstall.exe, which installs all of the extensions. If you install
this console using another method, the extensions must be installed in a specific
sequence or installation fails. To install this console silently, run CtxInstall.exe /silent.
• Advanced Configuration or Presentation Server Console - The .msi file is in
Administration\console_name\setup on the XenApp installation media. Citrix
recommends running cmc.msi.
Generating an Installation Log File
Installation and uninstallation log files are not created automatically for Windows Installer
packages. You can create log files with the following methods:
• Use the logging command to create log files for only the Windows Installer operations
• Turn on automatic logging for all Windows Installer operations by creating a new
registry string value.
Caution: Using Registry Editor incorrectly can cause serious problems that can
require you to reinstall the operating system. Citrix cannot guarantee that problems
resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at
your own risk. Make sure you back up the registry before making changes to it.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
Type: REG_SZ
Name: Logging
Value data: voicewarmup
A log file is created in the %Tmp% directory for each operation.
• Use the Active Directory Group Policy Editor to configure logging properties for an
Active Directory group. To edit the Logging policy, open the Group Policy Editor and
select Computer Configuration > Administrative Templates > Windows Components >
Windows Installer.
Preparing for Custom XenApp Installations
Generally, preparing for a custom installation is the same as preparing for a wizard-based
installation; see Preparing Your Environment. There are several exceptions and
considerations.
Prerequisites that are automatically installed during a wizard-based Setup are not installed
during a custom installation. Therefore, install all prerequisites.
A wizard-based Setup includes automatic installation of a XenApp plug-in by default. For a
custom installation, install the plug-in before you install XenApp; otherwise, functionality
such as pass-through authentication and shadowing might not work correctly.
• The Citrix online plug-in installation packages, CitrixOnlinePluginFull.exe and
CitrixOnlinePluginWeb.exe, are in the Online Plug-in folder in the installation media.
You can install the online plug-in, the online plug-in web, or a combination. Install the
online plug-in web package if you are configuring the Web Interface on the server.
• Citrix recommends also installing the Citrix offline plug-in, CitrixOfflinePlugin.exe,
which is in the Offline Plug-in folder in the installation media.
Important: If you are upgrading plug-ins/clients on the server, uninstall all previous
versions, including offline plug-ins, and then install the new plug-ins.
Installing XenApp by Modifying Windows Installer Packages
XenApp and several of its components and features are compiled into a Windows Installer
package (.msi) file. Windows Installer technology comprises the Windows Installer Service
for the Windows operating systems and the package .msi file format used to hold
information about the application setup. The XenApp Windows Installer package, mps.msi,
is located in the XenApp Server folder in the XenApp installation media.
If you encounter problems when running a Windows Installer package, check the Windows
Event Viewer. Also check the Application Log for entries in the Source column of type
“MSIInstaller.”
Using the Windows Installer msiexec Command
Use the msiexec command to install, modify, and perform operations on Windows Installer
(.msi) packages from the command line. Set properties by adding Property="value" after
other switches and parameters.
The following sample command line installs the XenApp Windows Installer package and
creates a log file to capture information about this operation. This example does not
include required properties.
msiexec /i mps.msi /L*v c:\output.log
The following table lists several common options for the msiexec command.
Option
    Syntax
Install or configure a product
    msiexec /i {package|ProductCode}
Uninstall a product
    msiexec /x {package|ProductCode}
Set a logging level (use with Install or Uninstall option)
    msiexec /L [i][w][e][a][r][u][c][m][p][v][+][!] LogFile
    To include the v option in a log file using the wildcard flag, type /L*v.
Install a transform (use with Install or Uninstall option)
    msiexec /i package TRANSFORMS=TransformList
Set the user interface level (use with Install or Uninstall option)
    msiexec /q {n|b|r|f}
See the Microsoft documentation for more command information. See XenApp Windows
Installer Properties Reference for property descriptions and XenApp Windows Setup
Properties Script Examples for sample scripts.
Applying Transforms to Setup
XenApp provides four sample Windows Installer transform (.mst) files in the Support\Install
directory for XenApp Create Farm, Join Farm, and Citrix Licensing installations. Applying
transforms is one method of installing XenApp through Active Directory.
Transforms you create to customize a XenApp installation package remain cached on your
system. They are re-applied to the base installation package (mps.msi) when you install
hotfixes (whenever the Installer needs to modify mps.msi). However, you can apply
transforms only when you initially install XenApp; you cannot apply transforms to XenApp
after it is installed.
To set a property in the .msi file to “Null,” delete the property in the transform file.
Creating a Customized Transform Using the Sample Transform
You need a third-party tool to edit Windows Installer packages.
1. Using the Windows Installer package editing tool, open the XenApp installation package
(mps.msi) in the XenApp Server\w2k8x64 and the XenApp Server\w2k8 folders of the
XenApp installation media.
2. Apply the transform that includes the properties and values you want to modify. At a
command prompt, type the following, where package is the name of the XenApp
installation package and TransformList is the list of the transforms you want to apply
(separate multiple transforms with a semicolon):
msiexec /i package TRANSFORMS=TransformList
3. Enter new values for the properties you want to change.
4. Generate the transform file and save it with a new name.
Sample Transforms
Sample transforms are provided in the Support\Install folder of the XenApp installation
media.
thirdpartydb_create_direct.mst
    Creates a new XenApp farm that uses an enterprise database (Microsoft SQL Server,
    Oracle, or IBM DB2) for the data store on a separate dedicated server. The
    database is configured for direct access.
thirdpartydb_join_direct.mst
    Joins an existing XenApp farm that uses an enterprise database for the data store
    on a separate dedicated server. The new server joining the farm accesses the
    data store directly.
Localdb_access_create.mst
    Creates a new XenApp farm that uses a Microsoft Access or Microsoft SQL Server
    Express database for the data store. The database is stored locally on the first
    server in the farm on which XenApp is installed.
Join_Indirect.mst
    Joins an existing XenApp farm that uses Microsoft Access or Microsoft SQL Server
    Express for the data store. The database is stored on one of the XenApp servers.
    This transform does not enable IMA encryption. If you want to enable IMA
    encryption, enable it manually after installation using CTXKEYTOOL.
To install the Citrix License Server through Active Directory, you can use the transform
ActiveDirectoryLicensingInstallSupport.mst, which is associated with ctx_licensing.msi. For
information, see the Citrix Licensing documentation.
The following table lists the property values in the sample transforms. The columns are:
• A - thirdpartydb_create_direct.mst
• B - thirdpartydb_join_direct.mst
• C - Localdb_access_create.mst
• D - Join_Indirect.mst
An empty cell indicates that property is not included in the sample transform.
Property: values in column order A to D (empty cells are not shown)
CTX_MF_CREATE_FARM_DB_CHOICE: ThirdParty, Local
CTX_MF_DOMAIN_NAME: Domain1, Domain1
CTX_MF_ENABLE_VIRTUAL_SCRIPTS: Yes, Yes
CTX_MF_FARM_SELECTION: Create, Join, Create, Join
CTX_MF_INDIRECT_JOIN_DOMAIN_NAME: Domain1
CTX_MF_INDIRECT_JOIN_PASSWORD: (see note 2)
CTX_MF_INDIRECT_JOIN_USER_NAME: Administrator
CTX_MF_JOIN_FARM_DB_CHOICE: Direct, Indirect
CTX_MF_JOIN_FARM_SERVER_NAME: Server1
CTX_MF_JOIN_FARM_SERVER_PORT: 2512
CTX_MF_LICENSE_SERVER_NAME: License_Server, License_Server, License_Server, License_Server
CTX_MF_LOCAL_DATABASE: SQLEXPRESS
CTX_MF_MSDE_INSTANCE_NAME: CITRIX_METAFRAME
CTX_MF_NEW_FARM_NAME: Farm-ThirdParty, FarmAccess
CTX_MF_ODBC_PASSWORD: citrix, citrix
CTX_MF_ODBC_RE_ENTERED_PASSWORD: citrix, citrix
CTX_MF_ODBC_USER_NAME: sa, sa
CTX_MF_SERVER_TYPE: e, e, a, a
CTX_MF_SHADOW_PROHIBIT_NO_LOGGING: No, No, No, Yes
CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION: Yes, Yes, No, No
CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA: No, No, No, No
CTX_MF_SHADOWING_CHOICE: Yes, Yes, Yes
CTX_MF_SILENT_DSNFILE: (see note 1), (see note 1)
CTX_MF_USER_NAME: Administrator, Administrator
CTX_MF_XML_CHOICE: Separate, Separate, Share, Share
CTX_MF_XML_PORT_NUMBER: 180, 180, 80, 80
Note 1. Add this row to the transform because it is not available in the default Windows
Installer package used for mps.msi:
CTX_MF_SILENT_DSNFILE=\\fileserver\image\TestSQL.DSN
Note 2. Properties for the database password are not included. If the database has a
password, add this row to the transform (if the database has a blank password, do not
add the password property): CTX_INDIRECT_JOIN_PASSWORD=Password
Performing an Unattended Installation with an Answer File
You can perform an unattended installation of XenApp by creating an answer file to respond
to XenApp Setup prompts. A sample answer file is provided, with instructions for setup
options.
You can also use the answer file to generate a Windows Installer command line with the
silent option. This command line results from running the XenApp unattended installation.
To perform an unattended installation with an answer file:
1. Copy the sample answer file (UnattendedTemplate.txt in the Support\Install directory
on the installation media) to another location.
2. The file includes definitions and possible values for each entry. Using a text editor,
enter values for entries you want to set, then save the file.
3. At a command prompt, type the following, where path-to-mps.msi is the full path to
your XenApp installation, and answer_file.txt is the name of the text file you created
and edited in the previous steps.
UnattendedInstall.exe <path-to-mps.msi> <answer_file.txt> [MSIPROPERTY1="VALUE1"] ... [MSIPROPERTYN="VALUEN"]
Note: Passwords are not stored in the answer file; they must be provided on the
command line when you invoke UnattendedInstall.exe. The sample file contains password
command-line options.
The following example command includes the ODBC password.
c:\XenApp\UnattendedInstall.exe "c:\Setup\MPS.msi" c:\cps\x32ORCL10-1.txt CTX_ODBC_PASSWORD="password" CTX_MF_ADD_LOCAL_ADMIN=Yes
The following example command includes the indirect join password.
c:\XenApp\UnattendedInstall.exe "c:\Setup\MPS.msi" c:\cps\x32Access-2All.txt CTX_INDIRECT_JOIN_PASSWORD="password" CTX_MF_ADD_LOCAL_ADMIN=Yes
For property descriptions, see XenApp Windows Installer Properties Reference.
XenApp Windows Installer Properties Reference
For custom XenApp installations, XenApp Setup properties are used with Windows Installer
(msiexec) commands and transforms.
• Some values, such as passwords, may be case-sensitive.
• When performing an unattended install (UnattendedInstall.exe), use Setup properties in
the command line to specify user credentials; these are not included in the XenApp
answer file. You can also use the command line to specify other Setup properties, such
as installation directories.
• When using Setup properties in a command line as part of an unattended installation,
enclose values that include spaces in quotation marks (""). If you use quotation marks
when running Setup properties in the command line, set them explicitly by prefacing
them with the escape character (\). For example, use INSTALLDIR=\"C:\Program
Files\Citrix\" instead of INSTALLDIR="C:\Program Files\Citrix".
• Setup properties for XenApp features, technologies, and plug-ins are described, when
available, in their documentation.
• See the licensing documentation for Windows Installer commands for Citrix Licensing.
• The management consoles have their own .msi files; they are not specified using
Windows Setup properties as part of XenApp installation. For more information, see
Custom Installations of the XenApp Management Consoles.
XenApp Setup Properties for Create Farm and Join Farm
The following table indicates the properties used for the Create Farm and Join Farm
installations.
For an Unattended Installation, values are provided with a different syntax from Windows
Installer commands; equivalent parameters are provided in the table.
Unless otherwise noted, the property is supported on XenApp 5 for Windows Server 2003
and XenApp 5 for Windows Server 2008 installations. The property descriptions indicate
valid and default values.
Property | Create Farm, Join Farm (marks in column order) | Unattended Installation Equivalent
CTX_ADDLOCAL | X X |
CTX_CONFIGMGR_USER | X X |
CTX_CONFIGMGR_USER_PASSWORD | X X |
CTX_CPSVC_SERVICE_USER_NAME | X X |
CTX_CPSVC_SERVICE_USER_PASSWORD | X X |
CTX_IGNORE_MCM * | X X |
CTX_IMA_PROTECTION_ENABLE | X X ** | EncryptionEnable
CTX_MALOO_SERVICE_USER | X X |
CTX_MALOO_SERVICE_USER_PASSWORD | X X |
CTX_MF_ADD_ANON_USERS | X X |
CTX_MF_ADD_LOCAL_ADMIN | X |
CTX_MF_CREATE_FARM_DB_CHOICE | X X | DirectConnect
CTX_MF_CREATE_REMOTE_DESKTOP_USERS | X X |
CTX_MF_DOMAIN_NAME | X | FarmAdministratorDomain
CTX_MF_ENABLE_VIRTUAL_SCRIPTS | X X | EnableVirtualScripts
CTX_MF_FARM_SELECTION | X X | CreateFarm
CTX_MF_INDIRECT_JOIN_DOMAIN_NAME | X | DomainName
CTX_MF_INDIRECT_JOIN_PASSWORD | X |
CTX_MF_INDIRECT_JOIN_USER_NAME | X | UserName
CTX_MF_JOIN_FARM_DB_CHOICE | X | DirectConnect
CTX_MF_JOIN_FARM_SERVER_NAME | X | IndirectServerName
CTX_MF_JOIN_FARM_SERVER_PORT | X | IndirectServerPort
CTX_MF_LIC_CHOICE_FOR_CREATE | X | LicenseServerChoice
CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE | X | LicenseServerChoice
CTX_MF_LICENSE_SERVER_NAME | X X | LicenseServerName
CTX_MF_LICENSE_SERVER_PORT | X X | LicenseServerPort
CTX_MF_LICENSE_SERVER_PORT_DEFAULT | X X | LicenseServerPortDefault
CTX_MF_LOCAL_DATABASE | X X | LocalDBType
CTX_MF_MSDE_INSTANCE_NAME | X X | InstanceName
CTX_MF_NEW_FARM_NAME | X | FarmName
CTX_MF_ODBC_DRIVER | X X |
CTX_MF_ODBC_PASSWORD | X X |
CTX_MF_ODBC_USER_NAME | X X | UserName
CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS | X X |
CTX_MF_SERVER_TYPE | X | ServerType
CTX_MF_SHADOW_PROHIBIT_NO_LOGGING | X | ProhibitLoggingOff
CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION | X | ProhibitNotificationOff
CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA | X | ProhibitRemoteControl
CTX_MF_SHADOWING_CHOICE | X | AllowShadowing
CTX_MF_SILENT_DSNFILE | X | DSNFilePath
CTX_MF_USER_NAME | X | FarmAdministratorUsername
CTX_MF_XML_CHOICE | X | ExtendIIS
CTX_MF_XML_PORT_NUMBER | X | DedicatedPortNumber
CTX_MF_ZONE_NAME | X X | ZoneName
CTX_PROTECT_KEY_PATH | X | KeyPath
CTX_PROTECT_KEY_TYPE | X X | KeyType
CTX_PROTECT_NEW_KEY_PATH | X | NewKeyPath
CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD | X | DisableRDPPromptForPassword
CTX_REMOVE_WI_TURNKEY * | X X |
CTX_SERV_MALOO_LOGON * | X X |
CTX_SERV_PRINTER_LOGON * | X X |
CTX_USE_EXISTING_JRE * | X X |
INSTALLDIR | X X |
REBOOT | X X |
REINSTALLMODE | X X |
* This property is valid only on XenApp for Windows Server 2003 installations.
** This property is valid when creating a farm with a XenApp 5 for Windows Server 2003
installation. It is valid when creating or joining a farm with a XenApp 5 for Windows
Server 2008 installation.
CTX_ADDLOCAL
Specifies one or more XenApp features to install. The features must be installed locally.
Separate multiple values with commas. (This property is similar to the Windows Installer
ADDLOCAL property.)
For XenApp 5 for Windows Server 2008 installations, this property does not provide values
for installing the Access Management Console or XenApp Advanced Configuration. For
XenApp 5 for Windows Server 2003 installations, this property does not provide a value for
installing XenApp Advanced Configuration.
Valid values: See tables below for valid values in XenApp 5 for Windows Server
2008 and XenApp 5 for Windows Server 2003 installations.
Default value: Blank
Installation type: Create Farm, Join Farm
The following table lists valid values for XenApp for Windows Server 2008 installations.
Value
    Description
Blank
    (default)
All
    Installs all XenApp features and components
CTX_MF_MetaFrame_Core
    Installs only the XenApp core server software
CTX_MF_LM
    Installs the Load Manager
WMI
    Installs the XenApp Provider
CTX_MF_IMA_Core
    Installs the Citrix Independent Management Architecture service
CTX_MF_CTXCPU
    Installs the Citrix CPU Utilization Management feature
CTX_MF_CTXSFO
    Installs the Memory Optimization Management feature
CSS_SS
    Installs support for application streaming
    Caution: Do not specify CSS_SS value if you have an Advanced Edition license.
    Specifying this property can cause issues after Setup when applying hotfixes.
The following table lists valid values for XenApp for Windows Server 2003 installations.
Important:
• For readability, the table contains spaces between multiple values. When entering
multiple values, do not use spaces.
• @Core is a placeholder and should not actually be used in the command.
Value(s)
    Description
Blank
    (default)
All
    Installs all XenApp features and components
MetaFrame_XP, CTX_MF_MetaFrame_Core, CTX_MF_IMA_Core, CTX_MF_ICA_Shell_Editor, CTX_SMA, CTX_MF_CTXCPU, CTX_MF_CTXSFO
    Installs only the core server software, required for any configuration
    (referred to below as @Core)
PN, PN_ENGINE
    Installs the full Program Neighborhood client as the passthrough client
    (referred to below as PN)
PN_AGENT, PN_ENGINE
    Installs the Program Neighborhood Agent as the passthrough client
CTX_MF_CMC, CTX_MF_IM_Plugin, CTX_MF_RM_Plugin
    Installs the Advanced Configuration (referred to below as @CMC)
CTX_MF_IM_Service
    Installs the Installation Manager installer service
CTX_MF_IM_Packager
    Installs the Installation Manager packager
CTX_MF_IM, CTX_MF_IM_Service, CTX_MF_IM_Packager
    Installs all Installation Manager components (referred to below as @IM)
CTX_MF_RM
    Installs the Resource Manager
@Core, CTX_MF_LM, WMI, @CMC, PN, @IM, CTX_MF_RM, CTX_MF_ASCII
    Installs default Enterprise or Platinum Edition components
@Core, CTX_MF_LM, @CMC, PN
    Installs default Advanced Edition components
CTX_CONFIGMGR_USER
Defines the account for Configuration Manager for the Web Interface Service. If this
property is not specified, the service is installed with the default local user account
(Ctx_ConfigMgr). You can change this to run under a different account by using this
property with CTX_CONFIGMGR_USER_PASSWORD.
To specify a domain account for a service, log on to the server on which you are running
Setup as a domain administrator of the domain on which you want to run the server.
To specify another account to use for Setup, specify the following privileges when you
create the account: Log on as a service (SeServiceLogonRight) and Log on as a batch job
(LogonAsBatch). Without these privileges, the Configuration Manager for the Web Interface
Service service will not start.
Format: Domain\Username
Valid values: User defined
Default value: Ctx_ConfigMgr
Installation type: Create Farm, Join Farm
CTX_CONFIGMGR_USER_PASSWORD
Specifies the password for the Configuration Manager for the Web Interface Service. Use
with CTX_CONFIGMGR_USER.
Valid values: User defined
Installation type: Create Farm, Join Farm
CTX_CPSVC_SERVICE_USER_NAME
Specifies a different user account for the Citrix Print Manager Service. If this property is not
specified, the service is installed under the account ctx_cpsvcuser. To change the account,
specify this property with a value representing the account you already created, and
specify the password with CTX_CPSVC_SERVICE_USER_PASSWORD.
To specify a domain account for a service, log on to the server on which you are running
Setup as a domain administrator of the domain on which you want to run the server.
To specify another account to use for Setup, specify the following privileges when you
create the account: Log on as a service (SeServiceLogonRight) and Log on as a batch job
(LogonAsBatch). Without these privileges, the Citrix Print Manager Service will not start.
Note: The Citrix Print Manager Service now uses the ctx_cpsvcuser account instead of the
Ctx_SmaUser account, which the service used in Presentation Server 4.0.
Format: Domain\Username
Valid values: User defined
Default value: ctx_cpsvcuser
Installation type: Create Farm, Join Farm
CTX_CPSVC_SERVICE_USER_PASSWORD
Specifies the password for the Citrix Print Manager Service.
• Specifying this property without specifying CTX_CPSVC_SERVICE_USER_NAME installs the
service under the default account (ctx_cpsvcuser) and changes the password.
• Specifying this property with CTX_CPSVC_SERVICE_USER_NAME changes the user name
and password for this account.
Valid values: User defined
Installation type: Create Farm, Join Farm
CTX_IGNORE_MCM
Note: This property is valid only on XenApp 5 for Windows Server 2003 installations.
This XenApp release is not compatible with Conferencing Manager 2.0. If you upgrade to
this XenApp version before upgrading Conferencing Manager, Conferencing Manager fails on
this server. Therefore, upgrade Conferencing Manager before upgrading to this version of
XenApp. The latest version of Conferencing Manager is available on the installation media.
If the installer detects Conferencing Manager 2.0 on the server, an error message appears.
When you set this property value to Yes, the installer ignores the error message and
continues the installation.
Valid values:
• Yes
• No
Default value: No
Installation type: Create Farm, Join Farm
CTX_IMA_PROTECTION_ENABLE
Enables or disables IMA encryption.
Valid values:
• 1 - enables IMA encryption; use with CTX_PROTECT_KEY_TYPE
• 0 - disables IMA encryption
Default value: 0
Installation type:
• XenApp 5 for Windows Server 2003: Create Farm
• XenApp 5 for Windows Server 2003: Create Farm, Join Farm
CTX_MALOO_SERVICE_USER
Specifies a different user account for the CPU Utilization Mgmt/CPU Rebalancer service. If
this property is not specified, the service is installed under the ctx_cpuuser account. To
change the account, specify this property with a value representing the account you
already created, and specify the password with CTX_MALOO_SERVICE_USER_PASSWORD.
This service is only installed on servers with multiple processors.
To specify a domain account for a service, log on to the server on which you are running
Setup as a domain administrator of the domain on which you want to run the server.
To specify another account to use for Setup, specify the following privileges when you
create the account: Log on as a service (SeServiceLogonRight), Log on as a batch job
(LogonAsBatch), Debug programs (SeDebugPrivilege), and Increase scheduling priority
(SeIncrementBasePriorityPrivilege). Without these privileges, the CPU Utilization Mgmt/CPU
Rebalancer service will not start.
Format: Domain\Username
Valid values: User defined
Default value: ctx_cpuuser
Installation type: Create Farm, Join Farm
CTX_MALOO_SERVICE_USER_PASSWORD
Specifies the password for the Citrix CPU Utilization Mgmt/CPU Rebalancer service.
• Specifying this property without specifying CTX_MALOO_SERVICE_USER installs the
service using the default value for the CTX_MALOO_SERVICE_USER property
(ctx_cpuuser) as the user name, and changes the password.
• Specifying this property with CTX_MALOO_SERVICE_USER changes the user name and
password for this account.
Valid values: User defined
Installation type: Create Farm, Join Farm
CTX_MF_ADD_ANON_USERS
Specifies whether or not anonymous users can connect remotely.
Valid values:
• Yes
  • If CTX_MF_CREATE_REMOTE_DESKTOP_USERS is set to
  “CopyUsers” or “DoNothing,” anonymous users are added
  to the Remote Desktop Users group in Windows Server
  • If CTX_MF_CREATE_REMOTE_DESKTOP_USERS is set to
  “AddEveryone,” this property is ignored because the
  Remote Desktop Users group is configured so that every
  user in the Users group is also a remote desktop user
• No - prohibits anonymous connections to XenApp
Default value: Yes
Installation type: Create Farm, Join Farm
CTX_MF_ADD_LOCAL_ADMIN
Enables or disables the creation of Citrix administrator accounts for all user accounts in the
local Administrators group.
Valid values:
• Yes
• No
Default value: No
Installation type: Create Farm
CTX_MF_CREATE_FARM_DB_CHOICE
Specifies whether the database is a local database stored on the first server in the farm or
an enterprise (third-party) database stored on a separate server.
Valid values:
• Local — Microsoft Access or Microsoft SQL Server Express. (Use
with CTX_MF_LOCAL_DATABASE and, if using Microsoft SQL
Server Express, CTX_MF_MSDE_INSTANCE_NAME.)
• Third Party — Microsoft SQL Server, Oracle, or IBM DB2. (Use
with CTX_MF_ODBC_USER_NAME and
CTX_MF_ODBC_PASSWORD.)
Default value: Local
Installation type: Create Farm, Join Farm
CTX_MF_CREATE_REMOTE_DESKTOP_USERS
Determines whether or not to add users to the Windows Remote Desktop Users group if the
accounts are already created on the system. Users must be members of the Remote Desktop
Users group to log on remotely to a Windows Server system.
Setting this property has no effect if the Remote Desktop Users group already has members.
Note: This property takes precedence over CTX_MF_ADD_ANON_USERS. If this property is
set to “AddEveryone” and CTX_MF_ADD_ANON_USERS is set to “No,” anonymous
connections to XenApp are enabled on this server.
Valid values:
• AddEveryone — Adds the Authenticated Users group to the
Remote Desktop Users group. All current members of the Users
group are allowed to log on remotely to the server, and
whenever you add a user to the Users group, XenApp
automatically adds the user to Remote Desktop Users group.
• CopyUsers — Copies all current users from the Users group to
the Remote Desktop Users group. After Setup, any user
accounts you add must be added manually to the Remote
Desktop Users group.
• DoNothing — Does not add any users to the Remote Desktop
Users group. No users will be allowed to log on remotely to the
server until you add users to the Remote Desktop Users group
in Windows Server.
Default value: CopyUsers
Installation type: Create Farm, Join Farm
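An added example (not Citrix code) for reviewing a Setup command line before it is run. It parses properties using the quoting forms described in this reference, masks the password properties that UnattendedInstall.exe requires on the command line so the command can be recorded safely, and applies the precedence note above to report whether anonymous connections end up enabled. The sample command line is constructed, and comparing Yes/No style values case-insensitively is an assumption.

```python
import re

# Defaults as listed in this reference for the properties evaluated below.
DEFAULTS = {
    "CTX_MF_ADD_ANON_USERS": "Yes",
    "CTX_MF_CREATE_REMOTE_DESKTOP_USERS": "CopyUsers",
    "CTX_IMA_PROTECTION_ENABLE": "0",
}

# NAME=value, where value is \"...\", "...", or a run of non-space characters.
PROPERTY = re.compile(r'(?<!\S)([A-Z][A-Z0-9_]*)=(\\"[^"]*\\"|"[^"]*"|\S*)')


def parse_properties(command_line):
    """Return {NAME: value} for each Setup property on the command line."""
    props = {}
    for name, raw in PROPERTY.findall(command_line):
        if raw.startswith('\\"') and raw.endswith('\\"') and len(raw) >= 4:
            raw = raw[2:-2]          # escaped quotation marks
        elif raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            raw = raw[1:-1]          # plain quotation marks
        props[name] = raw
    return props


def redact(command_line):
    """Mask the value of every property whose name contains PASSWORD."""
    def mask(match):
        name = match.group(1)
        return name + "=<redacted>" if "PASSWORD" in name else match.group(0)
    return PROPERTY.sub(mask, command_line)


def effective(props, name):
    """Value Setup would use: the supplied one, else the documented default."""
    return props.get(name, DEFAULTS[name]).lower()


def anonymous_connections_enabled(props):
    """Apply the documented precedence between the two properties.

    Not modelled: the property has no effect if the Remote Desktop Users
    group already has members.
    """
    if effective(props, "CTX_MF_CREATE_REMOTE_DESKTOP_USERS") == "addeveryone":
        return True                  # CTX_MF_ADD_ANON_USERS is ignored
    return effective(props, "CTX_MF_ADD_ANON_USERS") == "yes"


def audit(command_line):
    """Return review findings for one Setup command line, in a fixed order."""
    props = parse_properties(command_line)
    findings = []
    secrets = sorted(n for n in props if "PASSWORD" in n)
    if secrets:
        findings.append("secrets on command line: " + ", ".join(secrets))
    if anonymous_connections_enabled(props):
        note = "anonymous connections enabled"
        if props.get("CTX_MF_ADD_ANON_USERS", "").lower() == "no":
            note += " (CTX_MF_ADD_ANON_USERS=No overridden by AddEveryone)"
        findings.append(note)
    if effective(props, "CTX_IMA_PROTECTION_ENABLE") != "1":
        findings.append("IMA encryption not enabled")
    elif "CTX_PROTECT_KEY_TYPE" not in props:
        findings.append("CTX_IMA_PROTECTION_ENABLE=1 without CTX_PROTECT_KEY_TYPE")
    return findings


# Constructed sample command line (paths and password value are made up).
SAMPLE = (r'UnattendedInstall.exe "c:\Setup\MPS.msi" c:\cps\answers.txt '
          r'CTX_MF_ODBC_PASSWORD="s3cret-example" CTX_MF_ADD_ANON_USERS=No '
          r'CTX_MF_CREATE_REMOTE_DESKTOP_USERS=AddEveryone')

if __name__ == "__main__":
    print(redact(SAMPLE))
    for finding in audit(SAMPLE):
        print("-", finding)
```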
CTX_MF_DOMAIN_NAME
Specifies the domain name for the first Citrix administrator account you create in the farm.
Valid values: User defined
Default value: DomainName
Installation type: Create Farm
CTX_MF_ENABLE_VIRTUAL_SCRIPTS
Enables or disables port sharing with IIS during Setup. This property directs XenApp Setup to
create the virtual scripts directory, which is required for IIS.
If you are running a silent installation and this property is not set to “Yes” or “1” and the
XML port on the server is shared with IIS (for example, if you are installing the Web
Interface on the same server as XenApp), Setup fails and the following error message is
added to the installation log file:
“ERROR: SetIISScriptsDir - Could not get the scripts path because the Virtual Scripts
directory in not enabled in IIS or the property CTX_MF_ENABLE_VIRTUAL_SCRIPTS is not set
to Yes.”
If the property is defined, the silent installation continues with no error.
Valid values:
• Yes or 1 — Creates the virtual scripts directory if it does not
already exist. Setup does not prompt you to create the virtual
scripts directory, even if you are running Setup in wizard-based
mode.
• Not defined, 0, or No — Does not create the virtual scripts
directory if it does not already exist. You are prompted during
Setup to create the virtual scripts directory.
Default value: Not defined
Installation type: Create Farm, Join Farm
CTX_MF_FARM_SELECTION
Specifies whether you are creating a new server farm or joining an existing farm. If this
server is joining an existing farm, you must also set CTX_MF_JOIN_FARM_DB_CHOICE.
Valid values:
• Create
• Join
Default value: Create
Installation type: Create Farm, Join Farm
CTX_MF_INDIRECT_JOIN_DOMAIN_NAME
Specifies the domain name of a user account that has full administrative rights in XenApp.
Use this property if you are joining a farm that uses a Microsoft Access or Microsoft SQL
Server Express database stored locally on the first server in the farm (indirect connection).
Valid values
Any domain in which the user account has full administrative rights
on the XenApp farm
Default value
DomainName
Installation type
Join Farm
CTX_MF_INDIRECT_JOIN_PASSWORD
Specifies the password for a user account that has full administrative rights in XenApp. Use
this property if you are joining a farm that uses a Microsoft Access or Microsoft SQL Server
Express database stored locally on the first server in the farm (indirect access).
Valid values
Password for the user name specified in
CTX_MF_INDIRECT_JOIN_USER_NAME
Default value
“” (null)
Installation type
Join Farm
CTX_MF_INDIRECT_JOIN_USER_NAME
Specifies the user name for an account that has full administrative rights in XenApp. Use
this property if you are joining a farm that uses a Microsoft Access or Microsoft SQL Server
Express database stored locally on the first server in the farm (indirect connection).
Valid values
Any user account that has full administrative rights on the XenApp
farm (ideally, the same account used to create the farm)
Default value
Administrator
Installation type
Join Farm
CTX_MF_JOIN_FARM_DB_CHOICE
Specifies whether the existing farm connects directly or indirectly to the data store.
Valid values
• Direct — Set this value if you are using a Microsoft SQL, Oracle, or IBM DB2 database stored on a separate, dedicated database server.
• Indirect — Set this value if you are using a Microsoft Access or Microsoft SQL Server Express database stored locally on the first server in the farm on which you installed XenApp.
Default value
Direct
Installation type
Join Farm
CTX_MF_JOIN_FARM_SERVER_NAME
Specifies the name of the first server in the farm that you want to join.
Valid values
The name of a server hosting the Microsoft Access or Microsoft SQL
Server Express database as the data store
Default value
ServerName
Installation type
Join Farm
CTX_MF_JOIN_FARM_SERVER_PORT
Specifies the IMA communication port number used to communicate with the farm data
store. This property applies if you are using a Microsoft Access or Microsoft SQL Server
Express database stored locally on the first server in the farm on which you installed
XenApp.
Valid values
User defined
Default value
2512
Installation type
Join Farm
CTX_MF_LIC_CHOICE_FOR_CREATE
Configures the server to point to an existing Citrix License Server when creating a farm. If
set to “Point,” ensure that CTX_MF_LICENSE_SERVER_NAME points to a valid license server.
If you plan to install the license server after installing XenApp, set
CTX_MF_LIC_CHOICE_FOR_CREATE to “DontKnow.”
Note: You can also configure the server to point to the license server after running Setup.
Valid values
• Point
• DontKnow
Default value
Point
Installation type
Create Farm
CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE
Configures XenApp to point to an existing Citrix License Server.
• If set to “Point,” ensure that CTX_MF_LICENSE_SERVER_NAME points to a valid license server.
• If set to “UseFarmSettings,” ensure that the existing server farm is configured to use a license server.
• Set this property to “DontKnow” if you plan to install the license server after installing XenApp.
Note: You can also configure XenApp to point to the license server after running Setup.
Valid values
• Point
• UseFarmSettings
• DontKnow
Default value
UseFarmSettings
Installation type
Join Farm
CTX_MF_LICENSE_SERVER_NAME
Specifies the license server the XenApp server uses. This applies only:
• When performing a new installation when joining an existing server farm and CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE is set to “Point”
• When performing a new installation while creating a new server farm and CTX_MF_LIC_CHOICE_FOR_CREATE is set to “Point”
Valid values
User defined
Default value
localhost
Installation type
Create Farm, Join Farm
CTX_MF_LICENSE_SERVER_PORT
Specifies a different port number (other than the default 27000) to use when
communicating with the Citrix License Server. The value must match the port number
configured on the license server. Use with CTX_MF_LICENSE_SERVER_PORT_DEFAULT set to
“” (null).
Valid values
An integer representing the port number through which the license
server listens for requests
Default value
27000
Installation type
Create Farm, Join Farm
CTX_MF_LICENSE_SERVER_PORT_DEFAULT
Controls whether XenApp communicates with the license server through the license server
default port (27000).
Valid values
• 1 — XenApp uses the default port number, 27000
• “” (null) — XenApp uses the value of CTX_MF_LICENSE_SERVER_PORT as the port number when communicating with the Citrix License Server
Default value
1
Installation type
Create Farm, Join Farm
CTX_MF_LOCAL_DATABASE
Specifies the type of local database for the farm data store.
Valid values
• Access
• SQL (for Microsoft SQL Server Express)
Default value
Access
Installation type
Create Farm, Join Farm
CTX_MF_MSDE_INSTANCE_NAME
If you install the Microsoft SQL Server Express database using the batch file
SetupSqlExpressForCPS.cmd, the default instance name is CITRIX_METAFRAME. However, if
you defined a different instance name, use this property to specify that name. That is, use
this property if you modified the instance name in the batch file or did not install Microsoft
SQL Server Express using the batch file.
Valid values
User defined
Default value
CITRIX_METAFRAME
Installation type
Create Farm, Join Farm
CTX_MF_NEW_FARM_NAME
Specifies the name of the new farm. (If you are joining a farm, use
CTX_MF_JOIN_FARM_SERVER_NAME.)
Valid values
User defined
Default value
NewFarmName
Installation type
Create Farm
CTX_MF_ODBC_DRIVER
Specifies the ODBC driver name for the database hosting the farm data store. Use when
joining a farm directly.
Valid values
The ODBC driver name such as “SQL Server”, “Oracle in
OraClient11g_home1”, or “IBM DB2 ODBC DRIVER - DB2COPY1”
Default value
“” (null)
Installation type
Create Farm, Join Farm
CTX_MF_ODBC_PASSWORD
Specifies the password for a directly connected database that stores the farm data store.
Use with CTX_MF_ODBC_USER_NAME.
Valid values
User defined
Default value
Password
Installation type
Create Farm, Join Farm
CTX_MF_ODBC_USER_NAME
Specifies the user name for a directly connected database that stores the farm data store.
Use with CTX_MF_ODBC_PASSWORD.
Valid values
User defined
Default value
UserName
Installation type
Create Farm, Join Farm
CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS
By default, XenApp prohibits non-administrative users from connecting to the published
desktops and the desktop of the servers hosting XenApp. When this property is set to either
“Yes” or “” (null), users can only connect to published applications. This setting is a server
setting and not farm wide. To allow users to connect to some server desktops but not all,
change this property value for those servers.
Valid values
• Yes — users cannot connect to published desktops or server desktops with clients
• No — users can connect to published desktops or server desktops with clients
• “” (null) — users cannot connect to published desktops or server desktops with clients
Note: If set to a value other than Yes or No:
• For XenApp 5 for Windows Server 2008 installations, this security enhancement is enabled
• For XenApp 5 for Windows Server 2003 installations, this security enhancement is enabled for clean installs, but disabled for upgrades
Default value
“” (null)
Installation type
Create Farm, Join Farm
CTX_MF_SERVER_TYPE
Specifies the edition of XenApp to be installed.
Valid values
• P — Platinum Edition
• E — Enterprise Edition
• A — Advanced Edition
Default value
• XenApp 5 Feature Pack 2 for Windows Server 2003 and XenApp 5 for Windows Server 2008: none
Important: Because there is no edition type set as the default, Setup fails if you do not set this property or leave it as “” (null)
• XenApp 5 for Windows Server 2003: P
Installation type
Create Farm
CTX_MF_SHADOW_PROHIBIT_NO_LOGGING
Prohibits or allows shadow connections without logging.
Valid values
• Yes — prohibit
• No — allow
Default value
No
Installation type
Create Farm
CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION
Prohibits or allows shadowing connections without user notification.
Valid values
• Yes — prohibit
• No — allow
Default value
No
Installation type
Create Farm
CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA
Prohibits or allows remote control of mouse and keyboard in shadowed sessions.
Valid values
• Yes — prohibit
• No — allow
Default value
No
Installation type
Create Farm
CTX_MF_SHADOWING_CHOICE
Enables or disables session shadowing.
Important: If you turn session shadowing off when you install XenApp, you cannot enable
it later through user policies or connection configuration.
Valid values
• Yes — turn it on
• No — turn it off
Default value
Yes
Installation type
Create Farm
CTX_MF_SILENT_DSNFILE
Specifies the path to the Data Source Name (DSN) file used to connect to the data store
when the database is Oracle, SQL, or DB2. During a wizard-based installation, Setup creates
the DSN file for you. For a custom installation, you must create the DSN file and use this
property to specify its location.
Valid values
Complete path to the DSN file
Default value
“” (null)
Installation type
Join Farm
CTX_MF_USER_NAME
Specifies the user name for the first Citrix administrator account you create in the farm.
Valid values
User defined
Default value
“UserName”
Installation type
Create Farm
CTX_MF_XML_CHOICE
Specifies whether Microsoft Internet Information Services (IIS) and the Citrix XML Service
share the same port on this server or use separate ports. If you do not want IIS and the
Citrix XML Service to share the same port, set the Citrix XML Service port number using
CTX_MF_XML_PORT_NUMBER.
Valid values
• Share — share with IIS
• Separate — use separate port, set in CTX_MF_XML_PORT_NUMBER
Default value
Share
Installation type
Create Farm
CTX_MF_XML_PORT_NUMBER
Port number the Citrix XML Service will use (when you do not want the Citrix XML Service
and IIS to share ports).
Valid values
User defined
Default value
80
Installation type
Create Farm
CTX_MF_ZONE_NAME
Specifies the name of the zone to which the server belongs. For a Create Farm Setup, this
property specifies the name of the first zone in the farm. For a Join Farm Setup, this
property specifies the name of the zone where you want to add the server.
Valid values
Not applicable
Default value
• XenApp 5 for Windows Server 2008: Default Zone
• XenApp for Windows Server 2003: None; the default value is generated programmatically, based on the server subnet address
Installation type
Create Farm, Join Farm
CTX_PROTECT_KEY_PATH
Specifies where a valid encryption key file is stored. Use this property with
CTX_PROTECT_KEY_TYPE with a value of “file.” Failure to set both key properties correctly
causes XenApp Setup to not activate the encryption settings for the current server.
Valid values
The full path where an encryption key file is stored
Default value
“” (null)
Installation type
Join Farm
CTX_PROTECT_KEY_TYPE
Specifies how the IMA encryption key is provided.
Valid values
• file — Provides a path to the location where the key file resides. Use with CTX_PROTECT_KEY_PATH.
• generate — Provides a writable location where the key file is stored after Setup generates a new encryption key. Use with CTX_PROTECT_NEW_KEY_PATH.
• existing — Indicates a key is already loaded on the computer; Setup will not attempt to replace the existing key with a new key from the file.
Default value
file
Installation type
Create Farm, Join Farm
CTX_PROTECT_NEW_KEY_PATH
Specifies the location of the writable folder where you want the IMA encryption key file
created. If the folder is not writable, Setup fails. Use this property with
CTX_PROTECT_KEY_TYPE containing a value of “generate.” Failure to set both properties
correctly causes XenApp Setup not to activate the encryption settings for the current
server.
Valid values
The full path where an encryption key file will be created
Default value
“” (null)
Installation type
Create Farm
CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD
Setting this property to “Yes” changes the security setting on the server so that passwords
from users of Microsoft Remote Desktop Web Connection software are not required. Users
must still enter credentials when logging on to the Web Interface, but can launch
applications without further prompts for credentials by the server.
Valid values
• Yes
• No
Default value
No
Installation type
Create Farm
CTX_REMOVE_WI_TURNKEY
Note: This property is valid only on XenApp 5 for Windows Server 2003 installations.
When upgrading from earlier versions of Presentation Server that include the Web
Interface, you must upgrade the Web Interface before upgrading Presentation Server;
otherwise, the Web Interface may be removed from the server. Set this property to Yes if
you do not object to the removal of the Web Interface from the server.
Valid values
• Yes
• No
Default value
No
Installation type
Create Farm, Join Farm
CTX_SERV_MALOO_LOGON
Note: This property is valid only on XenApp 5 for Windows Server 2003 installations.
Defines the Citrix CPU Utilization Mgmt/CPU Rebalancer Service as the CPU user rather than
using the built-in accounts created by XenApp.
Format
USERID:PASSWORD:DOMAIN/MACHINENAME
Default value
ctx_cpuuser
Installation type
Create Farm, Join Farm
CTX_SERV_PRINTER_LOGON
Note: This property is valid only on XenApp 5 for Windows Server 2003 installations.
Defines the Citrix Print Manager Service as the printer user rather than the built-in accounts
created by XenApp.
Format
USERID:PASSWORD:DOMAIN/MACHINENAME
Default value
ctx_cpsvcuser
Installation type
Create Farm, Join Farm
CTX_USE_EXISTING_JRE
Note: This property is valid only on XenApp 5 for Windows Server 2003 installations.
Instructs the installer to accept the JRE version currently installed on the computer.
Valid values
• Yes
• No
Default value
No
Installation type
Create Farm, Join Farm
INSTALLDIR
Target location for the installation.
Valid values
User defined
Default value
%Program Files%\Citrix
Installation type
Create Farm, Join Farm
REBOOT
Specifies whether you restart a server manually or are prompted for the server to be
restarted.
Note: XenApp requires that you reboot the server after running Setup.
Valid values
• Force — forces restart to occur; no further prompts are displayed
• Suppress — forces restart to not occur by default; a prompt appears if action is necessary
• ReallySuppress — forces restart to not occur; no prompts appear
Default value
Force
Installation type
Create Farm, Join Farm
REINSTALLMODE
Specifies the type of reinstall to perform. Options are case-insensitive and
order-independent.
Important: Citrix recommends that you do not modify this property.
Valid values
• p — install missing files
• o — replace older versioned or missing files
• c — replace corrupt files (checksum validation)
• e — replace same versioned or missing files
• d — replace files of differing versions
• a — replace all files regardless of version
• u — replace user registry settings
• m — replace registry settings on the server
• s — replace shortcuts
• v — replace the cached .msi package with the package currently being installed
Default value
oums
Installation type
Create Farm, Join Farm
In XenApp for Windows Server 2008 installations, this property performs the same function
as the Repair function in Control Panel > Programs and Features.
XenApp Windows Setup Properties Script Examples
Create Farm Sample Windows Installer Command Script
This sample script creates a farm using a local database (Microsoft Access) with port
sharing, IMA encryption, and shadowing enabled.
msiexec.exe /i MPS.msi /qb- /l*v C:\mps.log CTX_MF_SERVER_TYPE="P"
INSTALLDIR="C:\XenApp\" CTX_MF_FARM_SELECTION="Create"
CTX_MF_CREATE_FARM_DB_CHOICE="Local" CTX_LOCAL_DATABASE="Access"
CTX_MF_NEW_FARM_NAME="NewFarmName" CTX_MF_XML_CHOICE="Share"
CTX_MF_USER_NAME="Administrator" CTX_MF_DOMAIN_NAME="DomainName"
CTX_MF_LIC_CHOICE_FOR_CREATE="Point"
CTX_MF_LICENSE_SERVER_NAME="LicenseServerName"
CTX_MF_LICENSE_SERVER_PORT_DEFAULT="1"
CTX_MF_LICENSE_SERVER_PORT="27000" CTX_IMA_PROTECTION_ENABLE="1"
CTX_PROTECT_KEY_TYPE="generate"
CTX_PROTECT_NEW_KEY_PATH="C:\KeyFile.key"
CTX_MF_SHADOWING_CHOICE="Yes"
CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION="No"
CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA="No"
CTX_MF_CREATE_REMOTE_DESKTOP_USERS="AddEveryone"
CTX_MF_ADD_ANON_USERS="Yes" CTX_MF_ENABLE_VIRTUAL_SCRIPTS="Yes"
CTX_MF_ADD_LOCAL_ADMIN="Yes" CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS="No"
Join Farm Sample Windows Installer Command Script
This sample script joins a farm whose data store is hosted on a third-party, or enterprise,
database (SQL Server). The farm has IMA encryption and shadowing enabled.
msiexec /i MPS.msi /qb- /l*v C:\mps.log CTX_MF_SERVER_TYPE="E"
INSTALLDIR="C:\XenApp\" CTX_MF_FARM_SELECTION="Join"
CTX_MF_CREATE_FARM_DB_CHOICE="Thirdparty"
CTX_MF_JOIN_FARM_DB_CHOICE="Direct"
CTX_MF_ODBC_USER_NAME="DomainName\UserName"
CTX_ODBC_PASSWORD="****" CTX_MF_ODBC_RE_ENTERED_PASSWORD="****"
CTX_MF_SILENT_DSNFILE="C:\SQLWin.dsn"
CTX_MF_SELECTED_DRIVER_NAME="SQL Server"
CTX_MF_XML_CHOICE="Separate" CTX_MF_XML_PORT_NUMBER="8080"
CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE="UseFarmSettings"
CTX_IMA_PROTECTION_ENABLE="1" CTX_PROTECT_KEY_TYPE="file"
CTX_PROTECT_KEY_PATH="C:\KeyFile.key" CTX_MF_SHADOWING_CHOICE="Yes"
CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION="No"
CTX_MF_SHADOW_PROHIBIT_NO_LOGGING="No"
CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA="No"
CTX_MF_CREATE_REMOTE_DESKTOP_USERS="CopyUsers"
Citrix Licensing Sample Windows Installer Command Script
This sample script installs Citrix Licensing.
msiexec.exe /i ctx_licensing.msi
CTX_LICENSING_INSTALLDIR="C:\program files\citrix\"
CTX_LIC_FILE_PATH="C:\program files\citrix\licensing\my files\"
CTX_WEB_SERVER="IIS" CTX_LICENSE_SERVER_PORT="23456"
CTX_VENDOR_DAEMON_PORT="65432" /l*v "C:\Lic.log" /qb-
Web Interface Sample Windows Installer Command Script
This sample script installs the Web Interface.
WebInterface.exe -q -v %systemdrive%\WI.log
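The following pre-flight check is an added example, not part of the Citrix documentation: it parses a Setup command line like the samples above and reports property combinations that this reference says make Setup fail or leave IMA encryption inactive, together with settings that have security impact (shadowing without logging or notification, desktop access, credentials passed as properties). The function names, finding codes and the sample command are constructed for illustration, and comparing values case-insensitively is an assumption.

```python
import re

# One PROPERTY="value" or PROPERTY=value token on a Setup command line.
PROP_RE = re.compile(r'(?<!\S)([A-Z][A-Z0-9_]*)=(?:"([^"]*)"|(\S*))')

# Properties documented with the format USERID:PASSWORD:DOMAIN/MACHINENAME.
LOGON_PROPS = {"CTX_SERV_MALOO_LOGON", "CTX_SERV_PRINTER_LOGON"}
# Has PASSWORD in its name but holds Yes/No, not a credential.
NOT_SECRET = {"CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD"}


def is_secret(name):
    return name in LOGON_PROPS or ("PASSWORD" in name and name not in NOT_SECRET)


def parse_properties(cmd):
    """Return {property: value}; quoted and bare values are both accepted."""
    return {name: quoted or bare for name, quoted, bare in PROP_RE.findall(cmd)}


def redact(cmd):
    """Mask credential values so the command can be kept in tickets or logs."""
    def mask(m):
        return f'{m.group(1)}="****"' if is_secret(m.group(1)) else m.group(0)
    return PROP_RE.sub(mask, cmd)


def lint(props, silent=True):
    """Return (code, detail) findings based on the property reference above."""
    get = lambda key, default="": props.get(key, default).strip()
    creating = get("CTX_MF_FARM_SELECTION", "Create").lower() == "create"
    found = []

    # No default edition on Windows Server 2008: Setup fails if unset.
    if get("CTX_MF_SERVER_TYPE") not in ("P", "E", "A"):
        found.append(("SERVER_TYPE", "CTX_MF_SERVER_TYPE must be P, E or A"))
    if not creating and "CTX_MF_JOIN_FARM_DB_CHOICE" not in props:
        found.append(("JOIN_DB_CHOICE", "joining requires CTX_MF_JOIN_FARM_DB_CHOICE"))

    # Key type and its path property must agree or encryption is not activated.
    if any(k.startswith("CTX_PROTECT_") for k in props):
        partner = {"file": "CTX_PROTECT_KEY_PATH",
                   "generate": "CTX_PROTECT_NEW_KEY_PATH",
                   "existing": None}
        key_type = get("CTX_PROTECT_KEY_TYPE", "file").lower()
        if key_type not in partner or (partner[key_type] and not get(partner[key_type])):
            found.append(("IMA_KEY", f"key type '{key_type}' lacks its path property"))

    # Silent install with the XML port shared with IIS needs the scripts directory.
    if (silent and get("CTX_MF_XML_CHOICE", "Share").lower() == "share"
            and get("CTX_MF_ENABLE_VIRTUAL_SCRIPTS").lower() not in ("yes", "1")):
        found.append(("VIRTUAL_SCRIPTS", "set CTX_MF_ENABLE_VIRTUAL_SCRIPTS to Yes or 1"))

    # A custom license port only applies when ..._PORT_DEFAULT is "" (null).
    if (get("CTX_MF_LICENSE_SERVER_PORT", "27000") != "27000"
            and get("CTX_MF_LICENSE_SERVER_PORT_DEFAULT", "1") != ""):
        found.append(("LICENSE_PORT", "custom port ignored while PORT_DEFAULT is 1"))

    # Shadowing properties are documented for Create Farm; both default to No (allow).
    if creating and get("CTX_MF_SHADOWING_CHOICE", "Yes").lower() == "yes":
        for suffix in ("NO_LOGGING", "NO_NOTIFICATION"):
            if get("CTX_MF_SHADOW_PROHIBIT_" + suffix, "No").lower() != "yes":
                found.append(("SHADOW_" + suffix, "shadowing allowed without it"))

    if get("CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD").lower() == "yes":
        found.append(("RDP_NO_PASSWORD_PROMPT", "server no longer prompts for password"))
    if get("CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS").lower() == "no":
        found.append(("DESKTOP_ACCESS", "users can connect to server desktops"))
    for name in sorted(props):
        if is_secret(name):
            found.append(("CLEARTEXT_SECRET", f"{name} carries a credential"))
    return found


# Constructed sample command (not from the Citrix documentation).
SAMPLE = (
    'msiexec.exe /i MPS.msi /qb- /l*v C:\\mps.log '
    'CTX_MF_FARM_SELECTION="Create" CTX_MF_XML_CHOICE="Share" '
    'CTX_MF_LICENSE_SERVER_PORT="27010" CTX_PROTECT_KEY_TYPE="generate" '
    'CTX_MF_SHADOWING_CHOICE="Yes" CTX_MF_SHADOW_PROHIBIT_NO_LOGGING="No" '
    'CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS="No" '
    'CTX_MF_ODBC_PASSWORD="Example-Pw1"'
)

if __name__ == "__main__":
    print(redact(SAMPLE))
    for code, detail in lint(parse_properties(SAMPLE)):
        print(f"{code}: {detail}")
```

Run it against a deployment script before the script is committed or scheduled; an empty result means none of the documented failure conditions or flagged settings were found.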
Data Store Database Reference
This section contains data store reference information, including installation requirements.
• For data store planning considerations, see the XenApp planning documentation
• Supported database versions are detailed in http://support.citrix.com/article/CTX114501
See the database vendor documentation before installing, configuring, and using the
database software.
Important:
• Citrix does not support case-sensitive databases.
• To avoid corruption, do not directly edit data in the data store database with utilities or tools other than those provided by Citrix.
Microsoft Access Database
The Microsoft Access database engine and ODBC drivers are default components of Windows
servers. The ODBC connection to Access uses the Microsoft Jet Engine. To use this database
engine, you do not have to install any drivers or perform any database configuration before
installing XenApp.
The database has the following minimum requirements:
• Approximately 50MB of disk space for every 100 servers. More disk space is needed for greater numbers of published applications.
• 32MB of additional RAM if the server also hosts connections.
Changing the Password to a Microsoft Access Database File
When you create a local Microsoft Access database for the data store, Setup creates a
database file named Mf20.mdb. The default user name and password for this database file
are both “citrix.”
The Mf20.mdb file and all automatic backup files are located by default in the
%ProgramFiles(x86)%\Citrix\Independent Management Architecture folder.
To change the password for the database file, use the dsmaint config /pwd:newpassword
command. The Citrix IMA Service can be running when you use the command.
Important: Back up the Access database using the dsmaint backup command before
changing the password used to access the database.
Backing Up and Restoring a Microsoft Access Database
Use the dsmaint command to back up or recover a Microsoft Access data store. Back up the
data store regularly with a batch file script and before activities such as changing the
configuration.
Automatic backups occur each time the Citrix IMA Service is stopped or a server is
restarted. During an automatic backup, the existing Mf20.mdb file is backed up,
compacted, and copied as Mf20.bak. Each time the IMA Service starts, it deletes Mf20.bak if
it exists and renames the Mf20.unk file to Mf20.bak. This process ensures that the Mf20.bak
file is a valid farm database.
If the server runs out of disk space on the drive where the Mf20.mdb file is stored,
automatic backups stop. Ensure that the amount of free disk space is at least three times
the size of the Mf20.mdb file.
Caution: The dsmaint recover command removes the existing Mf20.mdb file from the
server. Therefore, do not try to recover the data store with this command without first
verifying that the Mf20.bak file exists. If the Mf20.bak file does not exist, run dsmaint
backup prior to recovering the data store.
For more information, see Maintaining and Recovering a XenApp Data Store.
Microsoft SQL Server Express Database
Windows authentication is supported for the SQL Server Express database. For security
reasons, Microsoft SQL Server authentication is not supported.
Installing Microsoft SQL Server Express
Install SQL Server Express on the server before running XenApp Setup.
The server hosting the database should meet the following requirements:
• Approximately 50MB of disk space for every 100 servers and 25 applications in the farm
• 32MB of additional RAM if the server also hosts connections
• 70MB of disk space for the database
Important: Do not use double-byte characters in the name of the server on which the
database is installed. You must reboot the system after installing the database software,
before installing Citrix XenApp.
There are two methods for installing Microsoft SQL Server Express:
• If you do not have an instance of SQL Server Express already installed on the database server and you want to use the default instance name (CITRIX_METAFRAME) and system administrator password (CITRIX):
Run the SetupSqlExpressForCPS.cmd batch file, which is on the XenApp installation
media in the \Support\SqlExpress_2005_SPx directory.
The required files and directories are created in the %ProgramFiles(x86)%\Microsoft SQL
Server directory and the named instance directory MSSQL$CITRIX_METAFRAME.
• If you cannot or do not want to use the default instance name and administrator password:
1. At a command prompt, change to the \Support\SqlExpress_2005_SPx directory on
the XenApp installation media. (For example, if your media drive is E, type: E:cd
\Support\SqlExpress_2005_SPx, where x is the Service Pack number.)
2. Change to installation mode by typing change user /INSTALL.
3. Launch the SQL Server 2005 Express Edition Service Pack installer, specifying the
instance name and system administrator password: setup.exe INSTANCENAME=name
SAPWD=password
Important: If you install SQL Server Express with a nondefault instance name, you
must install XenApp using a manual installation method so that you can specify the
new instance name with the XenApp Setup property CTX_MF_MSDE_INSTANCE_NAME.
Backing Up and Restoring a Microsoft SQL Server Express Database
Use dsmaint backup to back up a data store hosted on SQL Server Express. Specify a local
path for the location of the database backup files. Use dsmaint recover to restore a backup
copy of a SQL Server Express data store.
Note: If you are moving a SQL Server Express data store to a different server in the farm,
perform dsmaint failover on all indirect servers to point them to the new database
server.
Microsoft SQL Server Database
The server hosting the SQL Server database should meet the following minimum
requirements:
• Approximately 100MB of disk space for every 250 servers and 50 published applications in the farm. More disk space is needed for greater numbers of published applications.
• Set the "temp" database to automatically grow on a partition with at least 1GB of free disk space. Citrix recommends 4GB if the farm is large and includes multiple print drivers.
Microsoft SQL Server supports Windows and Microsoft SQL Server authentication. For
high-security environments, Citrix recommends using Windows authentication only.
The user account for installing, upgrading, or applying hotfixes to the data store must have
database owner (db_owner) rights to the database. When you finish installing the database
with database owner rights, set the user permissions to read/write only. This increases the
security of the database.
If you change the rights from database owner to read/write, change the rights back to
database owner before installing service packs or feature releases. Those installations can
fail if the user account you use to authenticate to the data store during Setup does not
have database owner rights.
When using Microsoft SQL Server in a replicated environment, use the same user account
for the data store on each Microsoft SQL Server.
Each farm requires a dedicated database. However, multiple databases can be running on a
single server running Microsoft SQL Server. Do not configure the farm to use a database that
is shared with any other client/server applications.
During database installation, the default settings and database sizes usually suffice for
XenApp data store needs.
Back up the database regularly and follow Microsoft recommendations for configuring
database and transaction logs for recovery (for example, setting the Truncate log on
Checkpoint option to control log space).
Using Sockets to Connect to a Microsoft SQL Server Database
Two common protocols used to connect to a database are TCP/IP sockets and named pipes.
Named pipes is an authenticated communication protocol, so any time you attempt to open
a connection to the SQL Server database using this protocol, the Windows authentication
process occurs. TCP/IP sockets do not rely on Windows authentication to establish a
connection, but do provide user/password authentication to the database after the
connection is established. Windows authentication reduces the possibility of an error
occurring when the server running SQL Server and the server running XenApp do not have
the correct domain or Active Directory trust relationship. Therefore, Citrix recommends
that you use TCP/IP sockets to connect servers running XenApp to a server hosting Microsoft
SQL Server.
If you are running Microsoft SQL Server and configure named pipes to establish a connection
to the database, manually enable the named pipes option on the database server. To
enable named pipes, use the Surface Area Configuration tool packaged with SQL Server. For
additional information, see the SQL Server documentation.
Creating a Microsoft SQL Server Data Source Connection
1. On the Create a New Data Source to SQL Server screen, enter the data source
description and select the SQL Server to which to connect.
2. Select Windows NT Authentication or SQL Server Authentication.
3. Click Client Configuration.
4. Select TCP/IP from the available network libraries.
5. After installing XenApp, modify the Data Source Name (DSN) you created during
installation and change its client configuration to use TCP/IP.
To modify a DSN, use the Windows ODBC Data Source Administrator utility to open the
File DSN, which is located by default in the %ProgramFiles(x86)%\Citrix\Independent
Management Architecture folder, and select TCP/IP as the connection protocol for the
client configuration.
Using Failover with Microsoft SQL Server
For fault tolerance with Microsoft SQL Server, use Microsoft clustering, which provides
failover and failback for clustered systems. Failover of the SQL Server database in a
clustered environment is transparent to XenApp.
A Microsoft Cluster Services cluster group is a collection of resources such as disk drives,
that are owned by one of the failover cluster nodes. You can transfer the ownership of the
group from one node to another, but each group can be owned by only one node at a time.
The database files for an instance of Microsoft SQL Server are placed in a single cluster
group owned by the node on which the instance is installed. If a node running an instance of
Microsoft SQL Server fails, the cluster group containing the data files for that instance is
switched to another node. Because the new node already has the executable files and
registry information for that instance of Microsoft SQL Server on its local disk drive, it can
start up an instance of Microsoft SQL Server and start accepting connection requests for
that instance.
Note: Microsoft Cluster Services clustering does not support load balancing among
clustered servers because it functions in active/passive mode only.
Using Distributed Databases with Microsoft SQL Server
XenApp supports distributed (replicated) databases. Replicated databases are useful when
too many read requests to the data store create a processing bottleneck. Microsoft SQL
Server uses replication to create the distributed database environment.
XenApp requires data coherency across multiple databases. Therefore, a two-phase commit
algorithm is required for storing data in the database.
When configuring Microsoft SQL Server for a two-phase commit, use the Immediate
Updating Subscriber model. See the Microsoft SQL Server documentation for more
information.
Caution: To avoid corruption, do not use merged replication.
To set up a distributed environment for an existing farm:
1. Configure a Publisher (the Microsoft SQL Server currently hosting the data store) and
Subscribers (remote sites) using Microsoft SQL Server Enterprise Manager.
2. Run the dsmaint publishsqlds command on a server in the farm. This executes the
necessary SQL statements to create the published articles on the current Microsoft SQL
Server (Publisher).
3. Configure the remote sites (Subscribers) to subscribe to the published articles created
in the previous step.
Oracle Database
The server hosting the Oracle database should meet the following minimum requirements:
• Approximately 100MB of disk space for every 250 servers and 50 published applications in the farm. More disk space is needed for greater numbers of published applications.
• 20 MB minimum tablespace size.
Oracle supports Windows and Oracle authentication. See the Oracle documentation for
information about configuring Windows authentication.
Oracle for Solaris supports Oracle authentication only; it does not support Windows
authentication.
In the Oracle sqlnet.ora file, set SQLNET.AUTHENTICATION_SERVICES= (NONE). The default
setting (NTS) will cause connection failures.
Install the Oracle client on the server and then reboot the server before you install XenApp.
The Oracle user account must be the same for every server in the farm because all servers
running XenApp share a common schema.
If you are using one database to hold information for multiple farms, each farm represented
in the database must have a different user account because the data store information is
stored in the Oracle user account.
The account used to connect to the data store database has the following Oracle
permissions:
• Connect
• Resource
• Unlimited Tablespace (optional)
Important:
• Citrix does not support case-sensitive databases.
• Do not install Citrix XenApp on the server hosting an Oracle database.
• To avoid corruption, do not directly edit data in the data store database with utilities or tools other than those provided by Citrix.
Consider the following guidelines when configuring an Oracle server to host the farm data
store.
• Use Shared/Multi-Threaded Server mode to reduce the number of processes in farms
with more than 100 servers. However, performance may be affected during periods of
high data store load.
• If you are using Multi-Threaded Server mode, verify that values in the Init.ora file are
greater than or equal to the values shown here. If you are running multiple farms on
the same Oracle database, include all servers running XenApp in the calculations.
Round up fractional values.
shared_servers = Number of servers / 10
max_shared_servers = Number of servers / 5
Where Number of servers is the total number of servers running XenApp.
• When using an Oracle server in dedicated mode, add one additional process for each
server connected directly to the Oracle database. For example, if the Oracle server
uses 100 processes before installing XenApp, and the farm has 50 servers, set the
processes value to at least 150 in the Init.ora file on the Oracle server.
• Create online backups using Archivelog mode, which reduces the recovery time of an
unresponsive database.
• If you are using the same Oracle database for multiple server farms, create a unique
tablespace with its own user name and password for added security for each farm. Do
not use the default system account within Oracle.
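The Init.ora sizing rules and the sqlnet.ora setting described above can be checked before running XenApp Setup. The following Python code is an added example, not Citrix or Oracle code; the function names, the baseline_processes input, and the sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed sample files (not from the manual): two farms of 120 and 35
# XenApp servers share one Oracle database running in shared server mode.
SAMPLE_INIT_ORA = """\
# Init.ora (constructed sample)
processes = 300
shared_servers = 12
max_shared_servers = 40
"""
SAMPLE_SQLNET_ORA = """\
# sqlnet.ora (constructed sample)
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""


def parse_ora(text):
    """Return {lower-cased name: value} for 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip()
    return params


def ceil_div(n, d):
    """Integer division that rounds fractional results up, as the manual requires."""
    return -(-n // d)


def required_minimums(farm_sizes, mode, baseline_processes=0):
    """Minimum Init.ora values for every XenApp server that uses this database.

    farm_sizes: server count of each farm stored in the database.
    mode: "shared" (Multi-Threaded Server) or "dedicated".
    baseline_processes: processes the Oracle server used before XenApp (assumed input).
    """
    servers = sum(farm_sizes)
    if mode == "shared":
        return {"shared_servers": ceil_div(servers, 10),
                "max_shared_servers": ceil_div(servers, 5)}
    if mode == "dedicated":
        return {"processes": baseline_processes + servers}
    raise ValueError("mode must be 'shared' or 'dedicated'")


def check_data_store_config(init_ora, sqlnet_ora, farm_sizes, mode, baseline_processes=0):
    """Return a list of findings; an empty list means the files meet the guidelines."""
    findings = []
    auth = parse_ora(sqlnet_ora).get("sqlnet.authentication_services")
    if auth is None:
        findings.append("sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES is not set; "
                        "the default (NTS) causes connection failures")
    elif re.sub(r"[\s()]", "", auth).upper() != "NONE":
        findings.append(f"sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES = {auth}, expected (NONE)")

    init = parse_ora(init_ora)
    for name, minimum in required_minimums(farm_sizes, mode, baseline_processes).items():
        value = init.get(name, "")
        if not value.isdigit():
            findings.append(f"Init.ora: {name} is missing or not a number, need >= {minimum}")
        elif int(value) < minimum:
            findings.append(f"Init.ora: {name} = {value}, need >= {minimum}")
    return findings


if __name__ == "__main__":
    for finding in check_data_store_config(SAMPLE_INIT_ORA, SAMPLE_SQLNET_ORA,
                                           [120, 35], "shared"):
        print(finding)
```

For dedicated mode, pass mode="dedicated" with the process count the Oracle server used before XenApp as baseline_processes.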
Using Failover with Oracle
Maintain a standby database for quick disaster recovery. A standby database maintains a
copy of the production database in a permanent state of recovery. See the Oracle
documentation for setup instructions.
Using Distributed Databases with Oracle
Oracle uses replication to create the distributed database environment. To reduce the load
on a single database server, install read/write replicas and distribute the farm servers
evenly across the master and replicas.
XenApp requires data coherency across multiple databases. Therefore, a two-phase commit
algorithm is required for writes to the database.
Using Oracle as a distributed database solution has the following requirements:
• All participating databases must be running Oracle.
• All participating databases must be running in Multi-Threaded Server/Shared mode
(rather than Dedicated mode).
• All Oracle clients (servers running XenApp that connect directly to the Oracle database)
must be SQL*Net Version 2 or Net8.
• Install the farm data store database first on the master site, then configure replication
at the sites used for database replication snapshots.
• Replicate all objects contained in the data store user schema (tables, indexes, and
stored procedures).
If the performance at the replicated database site is significantly slower, verify that all the
indexes for the user’s schema are successfully replicated.
When configuring Oracle for a two-phase commit:
• Use synchronous snapshots that can be updated with a single master site. XenApp
requires write access to the snapshot.
• Use the Oracle Fast Refresh feature where possible (this requires snapshot logs).
• When setting up the replication environment, do not configure conflict resolution.
• Set the replication link interval to be as frequent as the network environment allows.
With Oracle replication, if no changes are made, data is not sent over the link.
• When Oracle is configured in Multi-Threaded Server mode and remote data transfers are
initiated from the remote site, they can block local data transfers (because all
connections share a set of worker threads). To remedy this, increase the value of the
Max_Mts_Servers parameter in the Init.ora file.
IBM DB2 Database
When you install the database, Citrix recommends the following settings:
• Prefetch Size = 32
• Overhead = 8.3
• Transfer = 0.18
• Use the 'grant all' option for the selected tablespace
• User privileges should be 'grant all' to the public group
If you have multiple farms, create a separate database/tablespace for each farm data
store.
Approximately 100MB of disk space is required for every 250 servers and 50 published
applications in the farm. More disk space is required for larger numbers of published
applications.
Install the IBM DB2 Run-Time Client on each server accessing the database server. Restart
the server after you install the IBM DB2 Run-Time client and before you install XenApp.
If you create a data source name (DSN) for use with an unattended installation of IBM DB2,
create the DSN using the Microsoft ODBC Data Source Administration page. Doing so ensures
that the DSN is populated according to server requirements for proper connectivity to the
DB2 database or tablespace.
Give the following permissions to the IBM DB2 user account for the farm:
• Connect database
• Create tables
• Register functions to execute to database manager’s process
• Create schemas implicitly
System administrator (DB2Admin) account permissions are not needed for data store access.
Important:
• Citrix does not support case-sensitive databases.
• Do not install Citrix XenApp on the server hosting an IBM DB2 database.
• To avoid corruption, do not directly edit data in the data store database with utilities
or tools other than those provided by Citrix.
When migrating a farm data store to an IBM DB2 database, the migration is completed as a
single transaction for roll-back purposes. Before migrating the database, verify that the
target IBM DB2 server has sufficient log space to support the migration. If the DB2 server
runs out of log space, the migration fails and rolls back.
Using Distributed Databases with IBM DB2
IBM DB2 uses replication to create the distributed database environment.
XenApp uses the data type of binary large object (BLOB) to store information in an IBM DB2
database. IBM DB2 does not support the use of BLOB data types in a replication scenario
that can be updated. Therefore, if your farm requires replicas that can be updated, use
Microsoft SQL Server or Oracle for the farm data store instead of IBM DB2.
Creating a DSN File for XenApp Setup
If you do not use the wizard-based Setup to install XenApp and your data store is on an
Oracle, Microsoft SQL Server, Microsoft SQL Server Express, or IBM DB2 database,
create a Data Source Name (DSN) file before running Setup to configure the XenApp
connection to the data store.
The DSN file must be on each server in the farm. You can create the file once and copy it to
other servers, or put it on a network share, provided you remove the value for any
workstation-specific information (such as the Oracle WSID).
Use the CTX_MF_SILENT_DSNFILE Setup property to specify the file location during Setup.
You can use DSN files during a wizard-based Setup if you specify them when you configure
the ODBC driver. That occurs after completing the Create a Server Farm or Join a Server
Farm pages in Setup.
Maintaining and Recovering a XenApp Data Store
Most database maintenance requires running the dsmaint and dscheck commands. (The
XenApp Commands Reference documentation contains syntax and use details. You can also
display information from a command prompt on a XenApp server by typing the command
name and /?.)
For example, use dsmaint to:
• Upgrade the XenApp data store
• Move the data in the data store to a different database server
• Migrate the data store from a Microsoft Access database to a Microsoft SQL Server
database
• Change the name of the DSN file
With the exception of Microsoft Access, dsmaint is run on XenApp farm servers and not the
database server. Many dsmaint parameters affect how XenApp connects to the data store,
although some affect the data store.
Citrix strongly recommends creating a backup copy of the data store (dsmaint backup).
Without a backup, you must manually recreate all of the farm policies, settings, accounts,
and other persistent data in the data store.
If the data store fails, each farm server can run off the data in its Local Host Cache
indefinitely (provided it can contact the license server). However, you cannot make any
modifications to the farm or use the Access Management Console or the XenApp Advanced
Configuration tool.
To restore a backup database or migrate to a new server, use the dsmaint migrate
command. Without a backup, prepare a new data store the way you did before running
XenApp Setup and run chfarm from any farm server. Using chfarm is equivalent to running
XenApp Setup to configure the data store. After running chfarm, manually reenter the lost
settings. If you use the same name as the previous data store, you do not need to
reconfigure the farm servers.
Migrating a Farm Data Store
Migrating a XenApp 5 farm data store is supported for certain versions, as listed below. For
comprehensive version information, see CTX114501. Data store migration uses the DSMAINT
command; see DSMAINT.
Migrating a Farm Data Store from Microsoft Access to Microsoft SQL Server Express
Run the MigrateToSqlExpress utility, which is located in the Support\SqlExpress_2005_SPx
directory of the installation media (where x is the Service Pack number supported by the
XenApp release). For more information, see MIGRATETOSQLEXPRESS.
Migrating a Farm Data Store from MSDE to Microsoft SQL Server Express
Microsoft SQL Server Desktop Engine (MSDE) is not supported for use as a data store on
XenApp 5. For migration information, see Migrating a Farm Data Store from MSDE to SQL
Server Express.
Migrating a Farm Data Store to Microsoft SQL Server
For XenApp 5 for Windows Server 2003, migrating a farm data store to a Microsoft SQL
Server database is supported for the versions listed in the following table.
Original database: Microsoft Access; Oracle 9.2.0.1; Oracle 10.2.0.1.0; IBM DB2 8.2
Supported target database: Microsoft SQL Server 2000 SP 3a

Original database: Microsoft Access; SQL Server 2005 Express Edition; Oracle 9.2.0.1;
Oracle 10.2.0.1.0; IBM DB2 8.2; Microsoft SQL Server 2000 SP 3a
Supported target database: Microsoft SQL Server 2005
For XenApp 5 for Windows Server 2008, migrating a farm data store to a Microsoft SQL
Server database is supported for the versions listed in the following table.
Original database: Microsoft Access; Oracle 10.2.0.3; Oracle 11.1; IBM DB2 8.2; IBM DB2 9.5
Supported target database: Microsoft SQL Server 2005 SP2; Microsoft SQL Server 2008
Migrating a Farm Data Store to Oracle
For XenApp 5 for Windows Server 2003, migrating a farm data store to an Oracle database is
supported for the versions listed in the following table.
Original database: Microsoft Access *; Microsoft SQL Server 2005 Express Edition;
Microsoft SQL Server 2000 SP 3a; Microsoft SQL Server 2005; IBM DB2 8.2
Supported target database: Oracle 9.2.0.1; Oracle 10.2.0.1.0
For XenApp 5 for Windows Server 2008, migrating a farm data store to an Oracle database is
supported for the versions listed in the following table.
Original database: Microsoft Access; Microsoft SQL Server 2005 Express SP2;
Microsoft SQL Server 2005 SP2; Microsoft SQL Server 2008; IBM DB2 8.2; IBM DB2 9.5
Supported target database: Oracle 10.2.0.3; Oracle 11.1
Migrating a Farm Data Store to IBM DB2
For XenApp 5 for Windows Server 2003, migrating a farm data store to an IBM DB2 database
is supported for the versions listed in the following table.
Original database: Microsoft Access; Microsoft SQL Server 2005 Express Edition;
Microsoft SQL Server 2000 SP 3a; Microsoft SQL Server 2005; Oracle 9.2.0.1; Oracle 10.2.0.1.0
Target database: IBM DB2 8.2
For XenApp 5 for Windows Server 2008, migrating a farm data store to an IBM DB2 database
is supported for the versions listed in the following table.
Original database: Microsoft Access; Microsoft SQL Server 2005 Express SP2;
Microsoft SQL Server 2005 SP2; Microsoft SQL Server 2008; Oracle 10.2.0.3; Oracle 11.1
Target database: IBM DB2 8.2; IBM DB2 9.5
Migrating a Farm Data Store from MSDE to SQL Server Express
The Microsoft SQL Server Desktop Engine (MSDE) is no longer supported for a XenApp farm
data store. If you are migrating from a previous release of Presentation Server, you must
migrate the data store from an MSDE database to another database, such as SQL Server
Express Edition.
The procedure comprises the following tasks:
1. Give the Network Service account access to the MSDE CITRIX_METAFRAME instance,
using one of the two following methods:
Using SQL Server Management Studio Express:
a. Download and install the following, which are available from Microsoft:
• Microsoft Core XML Services (MSXML) 6.0, which includes the Microsoft XML
Parser to update your XML services.
• SQL Server Management Studio Express, which provides tools not included in the
standard SQL Server Express installation. (The procedure below assumes you are
using the version for SQL Server Express 2005; the instructions may vary if you
use another version.)
b. Start SQL Server Management Studio Express and connect to the CITRIX_METAFRAME
instance.
c. In SQL Server Management Studio Express, open the Security folder.
d. Right-click the Logins folder, then click New Login.
e. With the Windows authentication option selected, type:
Login name: NT AUTHORITY\NETWORK SERVICE
f. Open the Databases folder, the MF20 folder, and then the Security folder.
g. Right-click the Users folder, then click New User.
h. With the Login name option selected, type:
User name: NETWORK SERVICE
Login name: NT AUTHORITY\NETWORK SERVICE
i. In the Database role membership section, select the db_owner checkbox.
Using a script:
a. Set the environment variable for your system path to the bin directory for your
MSDE instance.
b. Create a folder and name it Netservice.
c. In that folder, save the following script in a text file; name the file
netservice_perm.txt.
USE MF20
go
sp_grantlogin 'NT AUTHORITY\NETWORK SERVICE'
go
sp_grantdbaccess 'NT AUTHORITY\NETWORK SERVICE'
go
sp_addrolemember 'db_owner','nt authority\network service'
go
d. From a command prompt within the Netservice folder, type:
osql -E -S localhost\CITRIX_METAFRAME -i netservice_perm.txt
2. Migrate your Presentation Server farm to XenApp 5. After restarting the XenApp server,
you may receive event log messages because XenApp is temporarily using MSDE for the
data store.
3. On the XenApp server, stop the Citrix Independent Management Architecture service,
using one of the following methods:
• Stop the service in the Windows Services panel.
• At a command prompt, type net stop "Citrix Independent Management Architecture"
and enter y when prompted.
4. Run the MigrateToSqlExpress utility, which is located in the
Support\SqlExpress_2005_SPx folder on the installation media. See
MIGRATETOSQLEXPRESS for details.
5. Restart the XenApp server on which you performed the migration.
XenApp Administration
The administration of your Citrix XenApp server farm consists of tasks in the management
console to manage administrators, publish resources, manage user sessions, secure your
deployment, and maintain your printing resources and server farms.
Before you install Citrix XenApp, review the Readme for Citrix XenApp document and the
Installation Checklist.
For planning and installation information, see the XenApp Installation.
Management Consoles and Other Tools
Citrix provides a comprehensive set of tools for managing servers, farms, published
resources, and connections.
You can launch all tools by accessing the Citrix program group on the Start menu.
Access Management Console and Delivery Services Console
The Access Management Console and Delivery Services Console are two names for a tool
that snaps into the Microsoft Management Console (MMC) and enables you to perform a
number of management functions. The name of this tool depends on the version of XenApp
you have installed.
You can manage items administered through other Citrix products, such as Citrix Secure
Access and Citrix Password Manager. For Citrix XenApp, you can set up and monitor servers,
server farms, published resources, and sessions. Create a variety of reports and configure
application access (both through the Web Interface and the Citrix XenApp plugin).
In addition, you can troubleshoot alerts, diagnose problems in your farms, view hotfix
information for your Citrix products, set up health checks on servers and farms, and track
administrative changes.
XenApp Advanced Configuration and Presentation Server Console
XenApp Advanced Configuration and Presentation Server Console are two names for a tool
that allows you to:
• Connect to any server farm in your deployment
• Set up policies and printers
• Configure and manage your deployment with Load Manager
The name of this tool depends on the version of XenApp you have installed.
License Management Console
Use this console to manage and track Citrix software licenses. For more information about
licensing, see the License Management console Help and the Getting Started with Citrix
Licensing Guide in Licensing Your Product.
Citrix SSL Relay Configuration Tool
Use this tool to secure communication between a server running the Web Interface and your
farm.
Shadow Taskbar
Shadowing allows users to view and control other users’ sessions remotely. Use the Shadow
Taskbar to shadow sessions and to switch among multiple shadowed sessions. You can also
shadow ICA sessions with the Access Management Console or Delivery Services Console.
SpeedScreen Latency Reduction Manager
Use this tool to configure local text echo and other features that improve the user
experience on slow networks.
Choosing the Console or Tool to Use
Managing your XenApp deployment involves working with the Access Management Console
or the Delivery Services Console and the tool known as XenApp Advanced Configuration or
Presentation Server Console, depending on the version of XenApp you have installed.
To manage your deployment more flexibly, install the Access Management Console (or
Delivery Services Console) and XenApp Advanced Configuration (or Presentation Server
Console) on a computer that is not running XenApp. However, for the best console
performance, Citrix recommends running the Access Management Console or Delivery
Services Console on a XenApp server.
For more information about the installation requirements of each of the management tools,
see the Installation Checklist for XenApp.
Use the Access Management Console or Delivery Services Console to perform these tasks:
• Assign load evaluators to applications.
• Create Citrix administrators and modify their privileges.
• Create reports with Report Center.
• Configure access to published resources through the Web Interface and Citrix
XenApp plugin.
• Configure and manage applications (including Streamed Applications), servers,
and farms.
• Configure health tests for servers and farms using Health Monitoring & Recovery.
• Create trace logs to assist Citrix Technical Support with problem analysis.
• Manage plugin sessions and server processes.
• Monitor server performance and view zones in multiple farms.
• Track administrative changes made through the console by setting up
Configuration Logging.
• View hotfix information.
Use XenApp Advanced Configuration or Presentation Server Console to perform these tasks:
• Create and manage zones in a farm.
• Create policies for users’ connections.
• Configure and manage printers.
• Configure, adjust, and monitor server and application loads with Load Manager.
To start the console
Do not run the Access Management Console or Delivery Services Console in two sessions
simultaneously on one computer using the same account. Changes made on the console in
one session can overwrite changes made in the other.
1. Click Start > All Programs > Citrix > Management Consoles > Access Management Console
or Delivery Services Console.
Important: Interoperability of XenApp 5.0 for Windows Server 2008 with versions
prior to Presentation Server 4.5 for Windows Server 2003 is not supported.
Displaying Items in the Console
Discovery is an important operation that checks for items (such as devices or applications)
that were added to or removed from your XenApp environment. Appropriate changes then
appear in the console tree.
The first time you open the Access Management Console or Delivery Services Console you
are automatically prompted to start the discovery process: you select the components you
want, configure the discovery process, and find the items to manage.
After this, run the discovery process only if you want to configure discovery for a
component, or if items were added to or removed from your deployment.
When using discovery to connect to your XenApp deployment, you must specify the name or
IP address of at least one server in each farm that you want to manage. When discovery is
complete, the console tree displays the items that you specified.
You can configure discovery only for some components. The configuration process can vary
among components. The Configure and run discovery task appears in the task pane only for
configurable components; otherwise, only the Run discovery task is available.
To use the discovery process to specify more than one server farm for console management
1. In the console tree, select Citrix Resources.
2. Click Configure and run discovery.
3. Specify the name or IP address of at least one server running XenApp in each farm that
you want to manage.
To run the discovery process for more than one product or component
1. In the console tree, select Citrix Resources.
2. Click Configure and run discovery.
To run the discovery process for a single product or component
1. In the console tree, select the product or component.
2. To configure discovery, click Configure and run discovery. To run discovery without any
configuration, click Run discovery.
The Console User Interface
The main user interface of the Access Management Console and Delivery Services Console
consists of three panes:
• The left pane contains the console tree.
• The task pane in the middle displays administrative tasks and tools. This pane is
typically not present in other MMC snap-ins.
• The details pane on the right displays items and information associated with the
selected node in the console tree.
Typically, you use the console as follows:
• Select a node in the left pane, which updates the items and information displayed in
the details pane
• The Change display menu in the task pane allows you to view different items and
information associated with the node
• To modify or otherwise administer an item, select it and click a task in the task pane or
details pane
Be aware that there is a limit of 1000 unique application icons. When that limit is
exceeded, the console displays a generic icon for all new applications in the left pane.
Note: When you are browsing a list of objects in the console (for example, the list of
administrators) and the list table in the right pane is too small to list all the objects, a
dialog box might appear stating there was an unhandled exception. The exception might
prevent the table from populating properly. To avoid this, enlarge the table by dragging
the horizontal line separating the table of items in the upper-right pane from the list of
tasks in the lower-right pane.
This screen capture shows the layout of the console after running discovery. The left pane
contains the console tree. The task pane is in the middle. The details pane is on the right.
These nodes are available under the top-level node in the console tree:
• Alerts. Lists the alerts created by all the items in your deployment. Double-click an
alert to drill down to the affected item.
• Search Results. Displays the results of any search that you perform. Click Search in the
task pane to perform a standard or advanced search.
• My Views. Allows you to customize the information that you display in the details pane.
See Customizing Your Displays Using My Views for instructions about creating My Views.
In addition, nodes are also created by some snap-ins when they are installed. Some snap-ins
are not visible as nodes in the console tree but they add features, such as extra tasks, to
other snap-ins. The Access Management Console Framework (or Delivery Services Console
Framework) is another component that performs functions common to all snap-ins. All
installed snap-ins require the Framework to be present; the console as a whole cannot
function without it.
Depending on your console installation, some or all of these snap-ins are available:
• Report Center. Allows you to create and schedule reports describing many aspects of
your deployment.
• Licensing. Launches the License Management Console on your Citrix License Server(s),
allowing you to manage your Citrix product licenses. For information about this console,
see the Getting Started with Citrix Licensing Guide in Licensing Your Product.
• Diagnostic Facility. Creates and packages trace logs and other system information to
assist Citrix Technical Support in diagnosing problems.
• XenApp. Allows the console to establish contact with your deployment and lets you
manage applications and servers, and view zones in your farms. You also use this
snap-in to create Citrix administrators, audit the changes they make with the console,
and configure and run health checks on servers. XenApp is contained in the Citrix
Resources node.
• Web Interface. Allows you to manage how users access applications through the Web
Interface and Citrix XenApp plugin sites. Web Interface is located in the Configuration
Tools node under Citrix Resources.
• Hotfix Management. Manages hotfixes for your Citrix products. Hotfix Management is
located in the Configuration Tools node under Citrix Resources.
Performing Tasks with the Console
When you install the first server in a new server farm, you provide credentials for a full
authority Citrix administrator. This account has the authority to manage and administer all
areas of farm management. If you are logging on to the Access Management Console or the
Delivery Services Console for the first time, use this account to log on and to add other
individuals to the Citrix administrators group.
Citrix recommends that you use a domain account to run the console. You can use your
local administrator account, but the user name and password should be the same for all
local administrator accounts for all servers in your farms. This is necessary to ensure that
access to every server is available when you use Report Center.
Assigning Farm Administrator Credentials
When you install the first server in a new server farm, you provide credentials for a full
authority Citrix administrator. This account has the authority to manage and administer all
areas of farm management. If you are logging on to the Access Management Console or the
Delivery Services Console for the first time, use this account to log on and to add other
individuals to the Citrix administrators group.
Customizing Your Displays Using My Views
My Views are configurable displays that give you quick access to items you must examine
regularly or items in different parts of the console tree that you want to group together.
For example, create a My View display to monitor your preferred performance data for two
sets of servers in different server farms. The performance-related information in a My View
display is refreshed at regular intervals.
Managing Applications and Servers in Multiple Farms
View and change details about any farm or its applications and servers in your enterprise.
Farms and their servers are controlled by the XenApp snap-in. For example, you can publish
applications, add or remove servers, and configure server and farm properties.
Viewing Zones
Zones enhance the performance of a server farm by grouping geographically related servers
together, whether or not they are connected to the same network subnet. By default, all
servers in a farm that are on the same network subnet belong to the same zone. Each zone
in a server farm contains one server that is designated as the data collector for the zone.
Zones are view-only.
Managing User Sessions and Server Processes
Manage all user sessions in multiple farms in your enterprise. Alternatively, list sessions
accessing a specific published application, sessions connecting to a specific server, or view
a specific user’s sessions and applications.
View details of server processes, including the names of the executable files that generated
the processes.
Creating Reports
Use Report Center to easily generate reports from a variety of real-time and historical data
sources. Wizards help you select the type of report, the data to be displayed, and the
schedule for running the report. View the status of your scheduled reports and adjust the
report parameters. Report Center contains these reports:
• Application
• Configuration Logging
• Policy
• Virtual Memory Optimization
Configuring Application Access
Use the console with a Citrix Web Interface site to configure how users access published
applications and content through a standard Web browser or through the Citrix XenApp
plugin.
For more information about configuring application access, see Web Interface.
Creating Trace Logs
Use the Diagnostic Facility to gather system data for servers in multiple farms to assist
Citrix Technical Support with problem analysis. In the left pane of the console, select the
required servers and in the task pane, click Diagnose problems > Start trace log and follow
the on-screen instructions. At the request of Citrix Technical Support, you then select the
Diagnostic Facility node and click Set packaging details to send the packaged trace log by
File Transfer Protocol (FTP).
Viewing Citrix Hotfix Information
With Hotfix Management, check which hotfixes are applicable to your Citrix products,
search for particular updates on your system, and identify servers where up-to-date
hotfixes must be applied. In the left pane of the console, select Citrix Resources >
Configuration Tools > Hotfix Management.
To view zones
Zones can be viewed but not configured in the console. For information on configuring
zones, see To configure zones in your farm.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, under the Zone node, select a zone.
3. In the Details pane, choose Servers in the drop-down menu to display the servers in the
chosen zone.
Enabling Citrix Administrators to Manage Farms Remotely
If you use the Access Management Console or Delivery Services Console to connect to,
discover, or manage remote servers, you may receive an error message when you attempt
to discover a server in your farm. Check the details of the discovery failure error to narrow
down the potential causes of the failure.
One of the reasons this might occur is that you are using an account that does not have
Distributed Component Object Model (DCOM) Remote Launch permissions on the remote
server. To prevent this error from occurring, grant DCOM Remote Launch permissions to any
Citrix administrators whom you allow to access the farm. You can grant DCOM Remote
Launch permissions to administrators on remote servers running Windows Server 2008.
To grant DCOM Remote Launch permissions to administrators
1. On each server in the farm, install Remote COM+ support.
a. From the Server Manager, choose Roles, Add Roles, and then click Server Roles in
the left pane.
b. Select Application Server.
c. Select COM+ Network Access, click Next, and then click Install.
2. On each server in the farm, add all users permitted to manage the farm remotely to the
Distributed COM Users group and give them farm administrator privileges. Alternatively,
you can create a domain group for this task to centralize management by following
these steps:
a. Create a group named Citrix Administrators. To simplify and centralize group
administration, Citrix recommends that this be a domain group.
b. Add the Citrix Administrators group to the built-in Distributed COM Users group on
the remote server. Perform this step on all servers that are used to discover farms
or that are managed by the console remotely.
c. Add the Citrix administrator accounts to the Citrix Administrators group.
3. On the remote server, set the DCOM Default Impersonation Level to Impersonate.
a. Run the MMC and add the Component Service snap-in.
b. Select Computers, right-click My Computer, and select Properties.
c. Select the Default Properties tab.
d. From the Default Impersonation Level drop-down list, select Impersonate.
4. Depending on the version of XenApp you have installed, allow access to the Access
Management Console or Delivery Services Console and the tool known as XenApp
Advanced Configuration or Presentation Server Console through any software or
hardware firewalls between the remote servers and the farm or disable these firewalls.
XenApp Advanced Configuration and Presentation Server Console
XenApp Advanced Configuration and Presentation Server Console are two names for the
same tool. The name of the tool depends on the version of XenApp you have installed.
To use this tool, you must be a Citrix administrator. Citrix administrators can have varying
levels of access to areas of server farm management. If you try to access an area of the tool
that you are not authorized to use, the details pane on the right does not display the
associated information.
XenApp Setup installs the tool on each server in the farm by default. Use the XenApp
installation media to install the tool on other workstations you want to use to manage
server farms.
Important: Earlier versions of this tool do not recognize settings you configure using your
most current version. If you run this tool from devices that do not have XenApp installed,
such as workstations or laptops, upgrade those devices to your most current version.
Conserving Bandwidth for Remote Monitoring
When using this tool to monitor a farm at a remote site, conserve bandwidth across the
WAN by publishing the Advanced Configuration tool application on a remote server and
connecting to it using the Citrix XenApp plugin locally.
To configure the tool for screen reader accessibility
Screen reader software might not readily interpret some of the text that appears in XenApp
Advanced Configuration or Presentation Server Console. By default, screen readers do not
interpret static text areas separate from input elements such as text boxes or check boxes.
You can configure the tool so that you can use the Tab key to move to static text areas you
want screen readers to interpret.
1. On a computer where XenApp Advanced Configuration or Presentation Server Console is
installed, locate and open the Isctx.log file using a text editor. If you installed the tool
in the default location, Isctx.log is located in the \Program Files\Citrix\Administration
folder.
2. On the second line of Isctx.log, type this text, including the hyphen:
-labelsGetFocus:true
3. Save and close the file, then restart the tool.
Managing Citrix Administrators
Citrix administrators are individuals tasked with managing server farms.
To create a Citrix administrator
You can make any member of a Windows or Novell Directory Services account authority a
Citrix administrator.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a farm. Then select Action > New > Add Administrator.
3. Look up or select the name of the configured user or user group account you want to
designate as a Citrix administrator and click Add.
4. On the Privileges page, select the authority level you want to grant the administrator
account.
5. If you are creating a custom administrator account, in the Tasks pane, select the tasks
you want to delegate to the custom administrator.
To modify a Citrix administrator
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. From the left pane, select the Administrators node.
3. In the details pane, select the administrator whose properties you want to change.
4. From the Tasks menu, click Modify administrator properties.
5. Choose from the following options:
• To change an administrator's privilege level, open the Privileges page
• To assign or update custom permissions, open the Permissions page
To disable a Citrix administrator
Disable a Citrix administrator if you want to temporarily remove access for an administrator
but retain the account and settings.
1. Select the administrator whose privileges you want to disable.
2. Under Tasks, click Disable.
When an administrator is disabled, the administrator icon appears in grey and an Enable
task becomes available.
To re-enable a Citrix administrator
1. Select the administrator whose privileges you want to enable and then, under Tasks,
select Enable.
To remove a Citrix administrator
Remove a Citrix administrator if you want to delete the account and settings. Only
administrators with full access can disable or remove other Citrix administrator accounts.
Important: If only one Citrix administrator account with full access remains on the list,
you cannot remove it.
1. Select the administrator or administrators whose account you want to remove.
2. Under Tasks, click Delete administrator.
Delegating Tasks to Custom Administrators
Depending on the version of XenApp you have installed, you can delegate tasks through the
Access Management Console or the Delivery Services Console by associating custom Citrix
administrator accounts with permissions to perform select tasks.
Citrix recommends you create Windows, Active Directory, or NDS groups to assign these
permissions. When you create custom Citrix administrators, simply select the group instead
of individual users. This allows you to add and remove users to these groups without
reconfiguring all of the permissions.
Permissions you set on nodes apply farm wide. Permissions you set on folders (applications,
servers, and any folders within) apply only to the applications and servers contained within
the selected folder.
You cannot grant permissions to applications and servers directly. To grant permissions to
applications and servers, you must first place the applications or servers in folders and then
grant permissions at the folder level. Therefore, before you delegate tasks for applications
and servers, make sure you group the applications and servers in folders that allow you to
delegate the tasks in a meaningful way.
Note: To apply the same permissions to a new folder as to its parent folder, select the
Copy permissions from the parent folder option when you create the new folder.
To delegate tasks to existing custom administrators
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the Administrators node and then in the detail pane, select an
administrator.
3. Under Tasks, click Modify Administrator Properties.
4. Click Permissions to view the task permissions assigned to the administrator.
5. Click on a folder in the Folders list to view additional tasks.
6. To select the tasks to which the administrator has access, select or clear the check
boxes, as appropriate.
7. If you set permissions on a node or a folder that contains a subfolder, the Copy to
Subfolders button becomes active. Click this button if you want to copy the permissions
from the parent node or folder to the constituent folder.
Note: If you change an administrator’s OBDA permissions, he or she will need to manually
rerun discovery.
To assign folder permissions
To allow custom administrators to perform specific tasks in the farm, you assign object
permissions at the farm level. You can view and change permission on objects, such as
printers, that are managed primarily in the tool named XenApp Advanced Configuration or
Presentation Server Console (depending on the version of XenApp you have installed). You
must be a Citrix administrator with full access to view and change object permissions.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. From the left pane, select the folder under the farm to which you want to grant access.
3. From the task pane, under Other Tasks, click Permissions. The resulting dialog box lists
the administrators who currently have access to the selected folder.
4. To give access to an administrator that is not on the Administrators list, click Add and
then click the check box to allow access to the folder.
If the administrator to whom you want to give access does not appear in the Add Access
to folder dialog box, click Add to create the administrator.
To assign or change object permissions
To allow custom administrators to perform specific tasks in the farm, you assign object
permissions at the farm level. You can view and change permission on objects, such as
printers, that are managed primarily in the tools known as XenApp Advanced Configuration
or Presentation Server Console (depending on the version of XenApp you have installed).
You must be a Citrix administrator with full access to view and change object permissions.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. From the left pane, select a farm and then, in the task pane under Other Tasks, click
Set permission on objects.
3. Select the object whose permissions you want to change and click Permissions.
Under Administrators, you can see the administrators who have access to tasks related
to the object.
4. From the Administrators list select the administrator to whom you want to assign
additional or change existing folder permissions. If the administrator you want is not on
the list, click Add and select the administrator.
If the administrator you want is not a custom administrator, click Edit and change the
administrator's privilege level to Custom. This allows you to change the administrator's
permissions.
5. With the administrator selected, use the check boxes to change specific permissions in
the Tasks pane.
If the folder contains subfolders, the following options become available:
• Choose Copy the permissions of this administrator for this folder to its subfolders to
copy newly configured permissions to all folders nested in the selected folder for the
custom administrator.
• Choose Copy the permissions of all administrators for this folder to its subfolders to
copy the newly configured permissions of each custom administrator who has access to
the selected folder to the folders nested within it.
Note: If you change the permissions later in the top level folder, the changes are not
automatically copied to the nested folders. When you make changes to top level
folders, use either the Copy the permissions of this administrator for this folder to its
subfolders or the Copy the permissions of all administrators for this folder to its
subfolders function to copy the permissions again.
Publishing Resources
With XenApp, you provide users with access to information by publishing the following types
of resources that can be virtualized on servers or desktops:
• Applications installed on servers running XenApp. When users access them, the
published applications appear to be running locally on client devices.
• Streamed applications installed in application profiles and stored on a file server in
your App Hub. Users access the profile and virtualize the applications on their client
desktops. For information about preparing and publishing applications for streaming,
see the topics for Application Streaming.
• Data files such as Web pages, documents, media files, spreadsheets, and URLs. In
XenApp, the combined total of data types you publish is referred to as content.
• The server desktops, so users can access all of the resources available on the server.
Note: Citrix recommends that server desktops be locked down to prevent user access
to sensitive areas of the operating system.
Publish all of these resource types using the Publish Application wizard in the XenApp
console. To further refine how your users launch and access published resources, refer to
information about configuring content redirection and XenApp policies.
Important: Before you begin, refer to Getting Started with Citrix XenApp to review the
new and discontinued features for publishing applications.
Additionally, refer to the System Requirements for supported platforms and system
prerequisites.
Publishing Resources for Users
When you publish an application, configuration information for the application is stored in
the data store for the server farm. The configuration information includes which types of
files are associated with the application; users who can connect to the application;
importance level for Preferential Load Balancing; and client-side session properties that
include window size, number of colors, level of encryption, and audio setting.
When delivered to users, published applications appear very similar to applications running
locally on the client device.
Users start applications depending on the delivery options you select in the publishing
wizard and the plug-in they are running on their client devices. Consult the appropriate
plug-in sections in eDocs or other documentation for more information about the plug-in
with which your users start published applications.
Publishing in Domains with Thousands of Objects
For directory services or domain environments, such as Novell Directory Service or Microsoft
Active Directory Service, containing over 10,000 objects, Citrix recommends the following:
• Use groups to categorize and assign permissions to large numbers of users. An
application published to one group of 1,000 users requires XenApp to validate only one
object for all 1,000 users. The same application published to 1,000 individual user
accounts requires IMA to validate 1,000 objects.
• When adding users through the Citrix User Selector, if the Users container holds
thousands of objects, add a list of names.
To configure servers to publish for multiple users
For information about configuring Terminal Services and User Account Control (UAC), and
how they affect publishing applications to multiple users, see Planning Your XenApp
Deployment in Citrix eDocs. Also, see the Installation Checklist for more information about
recommended changes in Terminal Services configuration for Windows Server 2008, such as
clearing the default setting that restricts users to a single session.
To ensure applications are enabled for multiple users, install the applications using one of
the following methods:
• Install applications as the Built-in Administrator
• Select an “install for multiple users” option in the installation wizard for the
application, if the Setup for the application provides this option
• Install the application for all users from a command line
To install an application for all users, after enabling Terminal Services, use these steps
before installing the application:
1. Open a command prompt so that you are running it with Administrator privileges; for
example, right-click the command prompt and select Run as Administrator.
2. Run the following command at a command prompt: change user /install
3. From the command prompt, run the Setup executable for the application.
To publish a resource using the Publish Application wizard
Run the console included with your version of XenApp (Access Management Console or
Delivery Services Console) from any computer that can connect to the farm.
Steps and options in the wizard vary depending on the application type you select. This
procedure describes the basic options.
1. Under the XenApp node, expand the farm or server to which you want to publish an
application.
Tip: To add a server to the list of servers for a published desktop or application (after
publishing the application), drag and drop the server onto the published desktop or
application in the left pane of the console. You can also drag and drop the published
desktop or application onto the server.
2. Select the Applications node and from the Common Tasks pane choose New > Folder.
Create a folder for the application you are publishing.
3. Select the folder you created and from the Common Tasks pane choose New > Publish
application.
4. In the Publish Application wizard, on the Name page, provide a display name (maximum
256 characters) and application description. The name appears on user devices when
users access the application and on the console for the farm applications. XenApp
supports application names that use Latin-1 and Unicode character sets, including
characters used in Japanese, Chinese, and Korean.
5. On the Type page, specify the type of resource you want to publish and the delivery
method. Three types of resources can be published (server desktop, content, and
application). The next few steps in the wizard differ based on which type you select.
6. On the Location page, add the command-line and working directory (optional) to locate
the application.
7. On the Servers page, add the individual servers on which the published application runs
when accessed by an ICA connection.
8. On the Users page, create the Configured users list for users or groups who have access
to the application. Use the options to allow access to configured user accounts only or
to anonymous users.
9. On the Shortcut presentation page, select the icon for the application and choose how
the application is enumerated on the user device. The console has a limit of 1,000
unique application icons. When that limit is exceeded, the console displays a generic
icon for all new applications.
10. On the Publish immediately page, choose whether or not to make the published
application immediately available to users.
• By default, the published application is available when you click Finish.
• To prevent users from accessing the application until you manually enable it
through application properties, select Disable application initially.
11. To view and select advanced options, check Configure advanced application settings
now. Alternatively, modify the advanced settings using the application properties.
When you finish, published resources (unless disabled) are available for users.
Publishing App-V Sequences in XenApp
You can deliver the Microsoft Application Virtualization (App-V) sequences to users by
publishing the sequences in XenApp and delivering the Microsoft Application Virtualization
Desktop client through Citrix Merchandising Server and Citrix Receiver Updater.
To deliver App-V sequences using the Citrix application streaming feature, Citrix provides a
conduit utility that supports a dual mode execution. With dual-mode, users launch
applications as they normally do, and the conduit checks for presence of the App-V client.
If the App-V client is installed, the App-V sequence streams to the user device; if not, the
application launches from a XenApp server and streams to the user device.
System requirements:
• Citrix supports App-V sequences on all operating systems supported by Microsoft App-V.
• Citrix Receiver Updater for Windows supports App-V clients 4.5 and 4.6.
• User devices must have the Citrix Offline Plug-in 6.x installed locally.
Citrix recommends the following process:
• Deliver the App-V client to users through Citrix Merchandising Server and Citrix Receiver
Updater
• Publish App-V sequences for virtualizing on user devices if possible, otherwise
virtualizing on XenApp servers
Users can then launch the App-V sequences on their desktops by clicking on the icons
delivered through XenApp.
Before you start, locate the following files and have them available:
• Microsoft Application Virtualization Desktop Client installer (setup.exe) from your
Microsoft Desktop Optimization Pack (MDOP) installation media, to upload to the
Merchandising Server.
• App-V Integration Kit from Citrix
(https://www.citrix.com/English/ss/downloads/details.asp?downloadId=1863811).
Save the unzipped contents locally:
  • Save the App Streaming To AppV Conduit folder on your App Hub (the server where
  you store your profiles). The folder contains a pre-created
  AppStreamingToAppVConduit.profile file, as well as the required support files for
  the profile. This single profile can be used to publish an unlimited number of App-V
  sequences.
  • Upload the App-V MetaData files and the App-V client's setup.exe file to the
  Merchandising Server to create an App-V client. Citrix provides these files to add
  the functionality to the client needed for Citrix Receiver Updater. These files
  include:
    • AppV_MetaData.xml
    • AppVReg.msi
    • AppVReg_MetaData.xml
  • Save the Streaming Conduit - source code folder locally. These files are not needed
  to publish your applications, but you can use them to modify the conduit, if
  needed. This folder contains the source code for the conduit.
To deliver the App-V client with the Citrix Merchandising Server and Citrix Receiver Updater
1. In the Merchandising Server Administrator Console, navigate to the Plug-in > Upload
page.
2. To upload the App-V_Reg plug-in components:
a. For the Metadata File, click Browse to navigate to the unzipped location of
AppVReg_MetaData.xml.
b. For the Plug-in File, click Browse to navigate to the unzipped location of
AppVReg.msi.
c. Click Upload.
3. To upload the App-V client components:
a. For the Metadata File, click Browse to where you downloaded App-V_MetaData.xml.
b. For the Plug-in File, click Browse to navigate to the location of the Microsoft
Application Virtualization Desktop Client installer, setup.exe.
c. Click Upload.
4. Configure a delivery to communicate with your App-V server. (For additional
information on creating and scheduling deliveries, see the Merchandising Server
documentation.)
An overview of the entire Plug-in upload and delivery process when using Merchandising
Server 1.0 can be viewed at http://www.citrix.com/tv/#videos/773.
If users have the Self-service Plug-in, they can add published App-V sequences as they
normally add applications.
To publish App-V sequences for streaming to desktops
The conduit utility AppStreamingToAppVConduit (which is the pre-created Citrix .profile)
provides pre-launch and post-exit scripts that enable a dual-mode delivery method. This
delivery method uses the App-V client to stream the application to the user device. If the
user device does not support streaming or lacks the App-V client, the conduit triggers the
secondary method and delivers the application to a XenApp server, which then delivers the
application through session virtualization using a remote display protocol. The application
can be locally installed on the XenApp server, or streamed through Citrix application
streaming using the App-V client installed on the server.
1. In the Citrix AppCenter, open the application publishing wizard and follow the
on-screen instructions.
2. Name the application with a name familiar to users, such as "Microsoft PowerPoint
2007."
3. On the Type page, configure the dual-mode delivery method:
• Select Application.
• For application type, select the dual-mode option: Streamed if possible, otherwise
accessed from a server.
• For the server application type, select the secondary delivery method, such as
Installed application.
4. On the Location page:
• Browse to your App-V server where both the conduit utility and App-V sequence are
located.
• The application to launch is AppStreamingToAppVConduit.
• Add the command-line parameters to locate the specific App-V sequence on your
App-V server.
For Command Line:
Enter the full path to your Microsoft Application Virtualization Client executable,
followed by the location of your App-V sequence, such as:
"C:\\Program Files\Microsoft Application Virtualization Client\sfttray.exe" "\\appv\content\Off2k7\Microsoft Office PowerPoint 2007 12.0.6425.0000.osd"
5. On the Shortcut presentation page, manually select the icon from your icons directory
(no icon by default), such as the icon for Microsoft PowerPoint.
6. Finish the publishing wizard as you normally do.
For more information about the AppStreamingToAppVConduit utility, see
http://support.citrix.com/article/CTX124860 in the Citrix Knowledge Center.
To launch the App-V sequences
When users log on:
• Citrix Receiver Updater informs them of Plug-in updates, and if they accept the App-V
client, it installs silently in the background.
• If they use the Citrix Self-service Plug-in for the Receiver, they can subscribe to App-V
sequences through that Plug-in.
Users launch applications as they normally do, and the conduit checks for presence of the
App-V client:
• If the App-V client is installed, the App-V sequence streams to the user device, where it
runs in the App-V isolation environment.
• If the client is not installed (or the device does not support streaming for other
reasons), the conduit triggers the Offline Plug-in to initiate a XenApp server session
where the application executes and is presented to the user over a remote display
protocol.
To select a resource type and delivery method
In the Publish Application wizard, select the resource type that you want to deliver and the
delivery method. To change the resource type, from the Action menu, select All Tasks >
Change application type and follow the instructions in the wizard.
1. Select one of the following resource types:
• Server desktop. Publishes the entire Windows desktop of a server in the farm. When
the plug-in connects to the server, the user sees a desktop interface from which
any application installed on that server can be started. After selecting this
application type, you must specify the server that you want to publish.
To publish a desktop, you must be running XenApp. If you are running the console
on a computer that is not running XenApp, you cannot publish the local desktop.
• Content. Publishes nonexecutable information, such as media, Web pages, or
documents. After selecting this application type, you must specify the URL (Uniform
Resource Locator) or UNC (Uniform Naming Convention) path to the file you want to
publish. Click Browse to view available content resources on your network.
• Application (selected by default). Publishes an application installed on one or more
servers in the farm. Note that if you are running the console on a computer that is
not a member of the farm, you cannot publish local applications.
You need to indicate one of the following application types:
  • Accessed from a server. Grants users access to applications that run on a
  XenApp server and use shared server resources. If you choose this option, you
  must then enter the location of the executable file for the application and the
  XenApp server on which it will run. Choose this option as the application type
  unless you intend to stream your applications.
  • Streamed if possible, otherwise accessed from a server (also called dual mode
  streaming). Grants users access to a profiled application that streams from the
  file share to their client devices and launches locally from within an isolation
  environment. Alternatively, for client devices that do not support streamed
  applications (for example, if the XenApp Streaming Plug-in is not installed), use
  an ICA connection to access the application installed on or streamed from a
  XenApp server.
  • Streamed to client. Grants users access to a profiled application that streams
  from the file share to their client desktops and launches locally from within an
  isolation environment. With this option, the application uses client resources
  instead of server resources. Users must have the XenApp Streaming Plug-in
  installed and access the application using XenApp Hosted Plug-in or a Web
  Interface site. If selected, client devices that do not support client-side
  application virtualization (for example, they use a non-Windows client) or do not
  have the XenApp Streaming Plug-in installed locally cannot launch the
  application.
2. If you selected Accessed from a server or Streamed if possible, otherwise accessed from
a server, you also need to select the Server application type. These are:
• Installed application. Enables users to launch an application installed on a XenApp
server.
• Streamed to server. Grants users access to stream a profiled application from the
file share to a XenApp server and launch it from XenApp through an ICA connection.
Note: For more information about client-side application virtualization through
streaming, see the information for application streaming.
To configure locations of published applications
To access this option in the Access Management Console, from the Publish Application
wizard, continue to the Location page. Alternatively, to modify a location, select a
published application and under Common Tasks, select Modify application properties >
Modify all properties > Basic > Location.
When you publish an application, specify the command-line and working directory
(optional) for the application:
• Command-line. The full path of the application's executable file. Append the symbols
"%*" (percent and star symbols enclosed in double quotation marks) to the end of the
command-line to act as a placeholder for client-supplied application parameters. When
a plug-in makes a connection request, the server replaces the symbol "%*" in the
command-line with application parameters provided by the plug-in.
If the path to the application's executable includes directory names with spaces,
enclose the command line for the application in double quotation marks. Include a
space between the closing quotation mark and the double quotation marks around the
percent and star symbols. An example of the format to use with a path with spaces and
a placeholder is:
"C:\Program Files\Windows Media Player\mplayer1.exe" "%*"
Important: Changing the command-line text removes all file type associations from
the application. If you change the command-line text, use the Content Redirection
property page to select the file types you want to associate with the application for
client to server content redirection.
• Working directory. By default, this path is the same as the path in the Command line
field. To run the application from a different directory, add an absolute path to this
field.
To configure locations of published content
When you publish content, specify the location using address formats such as the following
types (examples shown in parentheses):
• HTML Web site address (http://www.citrix.com)
• Document file on a Web server (https://www.citrix.com/press/pressrelease.doc)
• Directory on an FTP server (ftp://ftp.citrix.com/code)
• Document file on an FTP server (ftp://ftp.citrix.com/code/Readme.txt)
• UNC file path (file://myServer/myShare/myFile.asf) or
(\\myServer\myShare\myFile.asf)
• UNC directory path (file://myServer/myShare) or (\\myServer\myShare)
To disable command-line validation
XenApp provides command-line validation for content that is redirected from the client to
the server only. By default, XenApp validates published application command-line
parameters passed from the client to the server. When you use the symbols "%*", XenApp
ensures the parameters are valid before the application launches. If the parameters are
invalid, the application launches without passing the parameters. XenApp records all failed
validation attempts in the server's system log and in the security event log.
If your environment includes published applications that use customized client-supplied
parameters for purposes other than content redirection from client to server, these
applications might not function correctly when command-line validation is enabled. To
ensure client-supplied parameters are passed from client to server, disable command-line
validation for these published applications.
When using command-line validation, add all servers that store content, such as Word
documents or PDF files, to the Trusted Sites list on the XenApp server. When adding servers
to the Trusted Sites list, ensure you are logged on to the XenApp server as Administrator. If
the content servers reside in separate domains, ensure trust relationships are established
between these servers and the XenApp server.
You can disable command-line validation for selected published applications or all
published applications on a server.
Caution: Using Registry Editor incorrectly can cause serious problems that may require
you to reinstall your operating system. Citrix cannot guarantee that problems resulting
from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own
risk.
•
If your environment includes published applications that use customized client-supplied
parameters for purposes other than content redirection from client to server, these
applications might not function correctly when command-line validation is enabled. To
ensure client-supplied parameters are passed from client to server, disable
command-line validation for these published applications. To disable command-line
validation for selected published applications, from the Location page of the
application properties, append the symbols “%**” (percent and two star symbols
enclosed in double quotation marks) to the command-line parameter.
•
If your XenApp environment consists of a mixed farm and includes published
applications that use customized client-supplied parameters, use the following steps to
disable command-line validation for all applications:
1. On the server where the applications reside, run regedit.
2. Modify the following entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
Name: PublishedAppCommandLineFlag
Type: DWORD
Data: 1 (enable validation, default) or 0 (disable validation)
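A read-only audit of the two ways this section describes for turning validation off, added here as an example (not Citrix code): it reads PublishedAppCommandLineFlag and classifies command lines by their "%*" or "%**" placeholder. The function names and sample command lines are constructed, and treating an absent registry value as the documented default of 1 is an assumption.

```powershell
# Added example, not part of the XenApp documentation.
# Registry path, value name and the "%*" / "%**" placeholders come from this page;
# function names and the sample command lines are constructed for illustration.

function Get-CommandLineValidationFlag {
    # Server-wide switch: 1 = validation enabled (default), 0 = validation disabled.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI'
    $name = 'PublishedAppCommandLineFlag'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

    if ($item -eq $null) {
        # Assumption: a missing key or value means the documented default (1) applies.
        $data   = 1
        $source = 'default (value not present)'
    } else {
        $data   = [int]$item.$name
        $source = 'registry'
    }

    New-Object PSObject -Property @{
        Data              = $data
        Source            = $source
        ValidationEnabled = ($data -ne 0)
    } | Select-Object Data, Source, ValidationEnabled
}

function Get-PlaceholderMode {
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    # Test "%**" first, because "%*" is a prefix of it.
    if ($CommandLine -match '%\*\*') { return 'ClientParametersUnvalidated' }
    if ($CommandLine -match '%\*')   { return 'ClientParametersValidated' }
    return 'NoClientParameters'
}

function Get-PublishedAppValidationReport {
    param([string[]]$CommandLine)

    $flag = Get-CommandLineValidationFlag

    foreach ($line in $CommandLine) {
        $mode = Get-PlaceholderMode -CommandLine $line

        if ($mode -eq 'NoClientParameters') {
            $effective = 'No client-supplied parameters accepted'
        } elseif ($mode -eq 'ClientParametersUnvalidated' -or -not $flag.ValidationEnabled) {
            # Either the per-application "%**" or the server-wide flag turns validation off.
            $effective = 'Client parameters passed WITHOUT validation'
        } else {
            $effective = 'Client parameters validated before launch'
        }

        New-Object PSObject -Property @{
            CommandLine = $line
            Placeholder = $mode
            Effective   = $effective
        } | Select-Object CommandLine, Placeholder, Effective
    }
}

# Constructed sample command lines; replace with the values from the Location
# page of each published application's properties.
$sample = @(
    '"C:\Program Files\Windows Media Player\mplayer1.exe" "%*"',
    '"C:\Apps\LineOfBusiness\lob.exe" "%**"',
    'C:\Windows\System32\notepad.exe'
)

Get-CommandLineValidationFlag | Format-List
Get-PublishedAppValidationReport -CommandLine $sample | Format-Table -AutoSize
```

Run it on each server that hosts published applications; any row reporting parameters passed without validation is an application whose client-supplied arguments reach the executable unchecked.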
Managing Streamed Applications
After you create profiles for streaming applications using the Streaming Profiler, you make
them available to users by publishing the applications.
The Publish Application wizard in the console installed with your version of XenApp
(Delivery Services Console or Access Management Console) guides you through the process
of selecting the streaming options. Configure the application streaming delivery method as
you publish the application. Choose delivery options based on the users who will access the
applications and their environments.
The profiled applications must be stored on a file share or Web server that is accessible
from your XenApp server so you can publish the application, and it must be accessible by
your users so they can launch the application.
Publishing Streamed Applications
Before publishing a streamed application, you must use the Citrix Streaming Profiler, a
stand-alone utility, to create a streaming application profile and save the profile on a
network file share in your App Hub.
An integral function of XenApp is to make profiled applications available to users. When you
publish an application, you also make choices about the application properties. Use the
Publish Application wizard in the Access Management Console to publish streamed
applications in your farm.
As you publish the application, choose how to deliver streamed applications. Use the
application streaming options to stream profiled applications to the server or the client
desktop.
Important: To launch streamed applications, client devices must have sufficient RAM
locally.
To select a streaming delivery method
You select the resource type in the Citrix AppCenter while running the Publish Application
wizard.
Important: For users to stream applications through a Web site using an Internet Explorer
or Firefox browser, add the site to the Trusted sites list in Internet Explorer on the user
devices.
1. To open the Publish Application wizard, from the AppCenter, under the XenApp node,
expand the farm or server to which you want to publish an application. Select the
Applications node, and from the Actions pane, choose Publish application and follow
the instructions in the wizard.
Optionally, to change the delivery method after publishing an application, from the
Action menu, select Other Tasks > Change application type and follow the instructions
in the wizard.
2. In the Publish Application wizard, on the Type page, select Application.
3. Select a delivery method from the Application type list:
•
Accessed from a server. Users launch the application that runs on a XenApp server
and uses shared server resources, or launch it from a Web browser using a Web
Interface site you create. If you choose this option, you must then enter the
location of the executable file for the application and the XenApp server on which
it will run. This is the typical application type unless you intend to stream your
applications to the client desktop. With this method, users access the applications
using the Citrix Receiver. This method does not support desktop integration or
offline access to applications.
From the Server application type list, select the delivery method:
•
Installed application. Users launch the application installed on a XenApp server.
•
Streamed to server. The application in the profile is streamed from the App Hub
to the XenApp server, where the Offline Plug-in is installed by default. The
application displays on the user devices using the Citrix Receiver; the Offline
Plug-in is not required on the user device. With this method, users access the
applications using the Citrix Receiver. This method does not support desktop
integration or offline access to applications.
•
Streamed if possible, otherwise accessed from a server (called dual mode
streaming). Grants users access to a profiled application that streams from the file
share to their user devices and launches locally from within an isolation
environment. Alternatively, user devices that do not support streamed applications
(such as when they do not have the Offline Plug-in installed) instead use an ICA
connection to access the application installed on or streamed from a XenApp
server.
From the Server application type list, select the alternative delivery method for
user devices that do not support streaming to user device:
•
Installed application. Users launch the application installed on a XenApp server.
•
Streamed to server. The application in the profile is streamed from the App Hub
to the XenApp server, where the Offline Plug-in is installed by default. The
application displays on the user devices using the Citrix Receiver; the Offline
Plug-in is not required on the user device. With this method, users access the
applications using the Citrix Receiver. This method does not support desktop
integration or offline access to applications.
•
Streamed to client. With this method, you make available the full set of application
streaming features. When you stream applications directly to client desktops, some
of the application files are cached locally and the application runs locally from
within an isolation environment using the resources of the user device.
•
Users must have both the Offline Plug-in and Citrix Receiver installed locally.
•
With this delivery method, you can configure the application and users for
offline access. When this configuration is completed, the entire application is
fully cached on the user device. Users can disconnect from the network and
continue using the application for the time specified in the offline license.
•
User devices that do not support client-side application virtualization (for example,
because they use a non-Windows client) or do not have the Offline Plug-in installed
locally cannot launch the application.
Note: You can also force a delivery method for applications published as
"Streamed to client" based on filters. To do this, configure the Load Balancing
policy setting (located in the AppCenter) for Streamed App Delivery. The policy
setting overrides the selection in the publishing wizard.
To force a delivery method for streamed applications
Use the Load Balancing Policies to apply settings to sessions that are filtered for Web
access, specific users, client devices, IP addresses, or server. Use the delivery method
policy to override the delivery method of applications published as Streamed to client.
If you disable the policy setting or do not configure it, the delivery method specified in the
Publish Application wizard is used.
1. From the Citrix AppCenter, select the farm.
2. Under the server, select Load Balancing Policies.
3. From the Actions pane, configure the policy settings for Streamed App Delivery.
4. Select one of the following options:
•
Allow applications to stream to the client or run on a Terminal Server (default
setting).
•
Force applications to stream to the client. User devices always stream the
application from the App Hub to the user devices. Users must have the Offline
Plug-in installed and access the application using the Citrix Receiver or a Web
Interface site. For example, you might use this setting to prevent the use of server
resources. User devices without the Offline Plug-in and Citrix Receiver cannot
launch the application.
•
Do not allow applications to stream to the client. Users always launch streamed
applications from the server. For example, you might use this option to prevent
applications from streaming to specific clients. In addition:
•
If you publish a streaming application with Streamed if possible, otherwise
accessed from a server (dual mode streaming), users always launch the
application from the server using the alternative method you selected.
•
If you publish an application as Streamed to client (without dual mode), the
connection fails.
This table describes the default delivery of each application type and the results of setting
the policy. The policy setting overrides the delivery protocol for applications that are
published as “streamed to client.”
| Application type | No policy (default delivery) | With policy: Do not allow stream to client | With policy: Force stream to client |
|---|---|---|---|
| Streamed to client | Offline Plug-in streams application to desktop. | Connection fails. | Connection works. |
| Accessed from a server: | | | |
| —Installed application | Citrix Receiver virtualizes the application installed on XenApp (not streamed). | Policy does not apply. | Policy does not apply. |
| —Streamed to server | Offline Plug-in streams application from file share to XenApp and Citrix Receiver virtualizes the application from XenApp. | Policy does not apply. | Policy does not apply. |
| Streamed if possible; otherwise accessed from a server (dual mode): | | | |
| —Installed application | Dual mode: Offline Plug-in streams application to desktop. Otherwise, Citrix Receiver connects to the application installed on server (not streamed). | Citrix Receiver always connects to application installed on server. | Offline Plug-in always streams application to desktop. |
| —Streamed to server | Dual mode: Offline Plug-in streams application to desktop. Otherwise, Offline Plug-in streams application to the server. | Offline Plug-in always streams application to the server. | Offline Plug-in always streams application to desktop. |
To provide HTTP or HTTPS delivery method
To stream a profile using the HTTP or HTTPS protocol delivery method, use the following
example to configure a virtual directory on the Web server.
These steps assume that you already profiled the application and saved it to a file share
using a UNC path.
To stream from an HTTPS address, see the additional steps at the end of this procedure.
Note that HTTPS requires additional certificate setup. For assistance, contact your network
administrator.
The Basic authentication scheme for HTTP is not allowed by default. To allow Basic
authentication, create the following registry key:
•
For 32-bit systems:
HKEY_LOCAL_MACHINE\Software\Citrix\Rade\AllowUnsecuredHttpAuth
•
For 64-bit systems:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\Rade\AllowUnsecuredHttpAuth
•
Type: REG_DWORD
•
Value: 1
In the following example, the XenApp server, Web server, and file server are located on the
same physical server. This is not a requirement.
To configure the Web server:
1. Create a file share, if one does not already exist. For example:
Web server name: WebServer
Physical location on Web server: c:\webProfiles
The share name: webProfiles
An administrator must share this folder with the “everyone” group
assigned READ access and the “administrators” group assigned WRITE access at both the
share level and NTFS level.
UNC path: \\WebServer\webProfiles
2. On the Web site hosting the profile, add the following MIME type information:
•
Extension: *
•
MIME type: application/octet-stream
•
Set "Execute Permissions" to NONE
You can set this information for the Web site hosting the profiles or for a specific folder
in the virtual directory that holds the profiles.
3. In addition, if the profile includes pre-launch or post-exit scripts, also add the following
MIME type information for the file extension of each script, such as .bat or .com.
Extension: <file extension>, and MIME type: application/octet-stream
4. In the directory hosting the profiles:
a. Open Properties and select the Directory tab.
b. In the Configuration area, keep one application file extension (it doesn't matter
which one you keep) and remove all the rest of the file extensions.
c. Create a placeholder extension for application mapping; for example, ".testcitrix,"
which should not occur in the profile.
d. Copy the settings from the file extension that remains (Step 4b) to the placeholder
extension.
e. Delete the file extension that remained in Step 4b, leaving only the placeholder
extension from Step 4c.
5. Create a virtual Web site that points to the file share using the UNC path. For best
results, do not use spaces in the URL. For example: HTTP (or HTTPS) path of virtual
directory: http://WebServer.domain.com/webProfiles
6. Turn on Directory Browsing on the virtual Web site. Now you can test the configuration;
continuing the example, browse to
http://WebServer.domain.com/webProfiles/myApplication/myApplication.profile.
If the Web server is configured correctly, the .profile fi
file (not an error message). For HTTP, you have now completed the configuration of the
Web server.
7. For HTTPS, additional binding configuration of the Web server is required. See the
additional steps following this procedure, based on your operating system.
8. In the Citrix AppCenter, publish the application as Streamed to client, Streamed to
server, or Streamed if possible, otherwise accessed from a server and continue in the
wizard.
9. On the Location page, enter the full URL path (starting with HTTP or HTTPS) to the
profile (browsing to an HTTP location is not supported at this time). Use a fully
qualified domain name, not a relative domain name.
10. Click in the field titled Application to launch from the Citrix streaming application
profile to select the application.
11. Finish the remaining pages of the wizard. The application is ready to stream to the
client device using the HTTP delivery method.
To stream from an HTTPS address from Windows Server 2008, additional configuration is
required on the Web server. An appropriate Web Server Certificate must already be
installed:
1. From IIS, edit the Bindings for the Web Site.
2. In the Site Bindings dialog, click Add.
3. Under Type, choose https.
4. For SSL certificate, choose the installed Web Server Certificate.
5. Using the previous example, browse to https://WebServer/webProfiles on the Web
server, which must be a member of the domain and have the root certificate installed.
To stream from an HTTPS address from Windows Server 2003, install a Web Server
Certificate from a domain certificate authority:
1. From IIS, open Properties for the virtual Web site.
2. Click the Directory Security tab.
3. Under Server Communications, click Server Certificate.
4. Complete the Web Server Certificate wizard, and using the previous example, browse
to https://WebServer/webProfiles on the Web server, which must be a member
of the domain and have the root certificate installed.
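A check to run from a domain-joined machine after completing the procedure, added here as an example (not Citrix code): it confirms that the profile URL answers with the application/octet-stream MIME type configured in step 2 and reports whether the Basic-over-HTTP override described above is set. The function name is hypothetical, the URL is this page's example, and reading AllowUnsecuredHttpAuth as a DWORD value under the Rade key is an assumption.

```powershell
# Added example, not part of the XenApp documentation.
# URL rules, MIME type and registry locations come from this page;
# the function name is hypothetical.

function Test-StreamingProfileDelivery {
    param([Parameter(Mandatory = $true)][string]$ProfileUrl)

    $findings = @()
    $uri = New-Object System.Uri($ProfileUrl)

    # URL rules from the procedure: fully qualified domain name, no spaces.
    if ($uri.Scheme -ne 'https') {
        $findings += "Scheme is '$($uri.Scheme)': the profile crosses the network unencrypted."
    }
    if ($uri.Host -notmatch '\.') {
        $findings += "Host '$($uri.Host)' is not a fully qualified domain name."
    }
    if ($ProfileUrl -match '\s|%20') {
        $findings += 'URL contains spaces.'
    }

    # Fetch the .profile file with the logged-on user's Windows credentials.
    # A certificate that does not chain to an installed root surfaces here as a failure.
    $status = $null
    $contentType = $null
    try {
        $request = [System.Net.WebRequest]::Create($uri)
        $request.UseDefaultCredentials = $true
        $request.Timeout = 15000
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $contentType = $response.ContentType
        $response.Close()
    } catch {
        $findings += "Request failed: $($_.Exception.Message)"
    }

    # Step 2 maps every extension to application/octet-stream.
    if ($status -eq 200 -and $contentType -notlike 'application/octet-stream*') {
        $findings += "Content-Type is '$contentType', expected application/octet-stream."
    }

    # Basic authentication over HTTP is off unless this override is set to 1.
    $radeKeys = @(
        'HKLM:\Software\Citrix\Rade',
        'HKLM:\Software\Wow6432Node\Citrix\Rade'
    )
    foreach ($key in $radeKeys) {
        $item = Get-ItemProperty -Path $key -Name 'AllowUnsecuredHttpAuth' -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.AllowUnsecuredHttpAuth -eq 1) {
            $findings += "$key\AllowUnsecuredHttpAuth = 1: Basic credentials may be sent over HTTP, base64-encoded and not encrypted."
        }
    }

    New-Object PSObject -Property @{
        Url         = $ProfileUrl
        Status      = $status
        ContentType = $contentType
        Findings    = $findings
    } | Select-Object Url, Status, ContentType, Findings
}

# The page's example URL; substitute your own Web server and profile path.
$result = Test-StreamingProfileDelivery -ProfileUrl 'http://WebServer.domain.com/webProfiles/myApplication/myApplication.profile'
$result | Format-List Url, Status, ContentType
$result.Findings
```

An empty Findings list for an https URL means the profile is reachable, correctly typed, and the Basic-over-HTTP override is not set on the machine where the check ran.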
Configuring Offline Access
Administrators can configure applications that are published to stream to desktops for
offline access. This feature allows users to disconnect from the company network and
continue to run their applications in offline mode for a specified length of time. No
additional configuration is needed while profiling the application to create application
profiles or targets that can be accessed offline.
After you configure the offline application policy settings and configure a streamed
application for offline access, the next time the user device connects to XenApp, the
Offline Plug-in downloads the application and caches it on the user device.
Important: Before you configure offline access, refer to System Requirements for
Application Streaming for the supported platforms and system prerequisites for user
devices.
•
Step 1: Configure policy settings for offline access
•
Step 2: Install the Citrix Receiver and Offline Plug-in on user devices
•
Step 3: Publish the application for offline access
You can complete these steps in any order, but users cannot run applications in offline
mode until all steps are completed.
Step 1: Configure Policy Settings for Offline Applications
Configure these Citrix policy settings for Offline Applications:
•
Offline app users (required). Create a list of users or groups who have offline access
permission and add that list both when creating the policy for Offline app users and
when publishing the application.
Users or groups listed in the offline app users policy setting and who are also configured
for the application have permission to run offline-enabled applications in online and
offline mode. Users who are configured for the application, but who are not added to
the policy list can access the application online, but not offline.
Users or groups on this list use an offline license to launch applications regardless of
whether they are connected to the network or disconnected.
•
Offline app license period (required). Specify the number of days applications can work
offline before users have to renew the license (21 days by default, but can range from 2
to 365 days).
For versions 1.0 through 5.1 of the plug-in, the license for each application in the
profile is activated when the user launches the application the first time, for online or
offline use. Beginning with version 5.2 of the plug-in, when the user launches an
application in the profile for the first time, for online or offline use, the offline license
is activated for all other applications in the profile, as well. This occurs at the farm
level. Thus, the offline license for all applications in the profile expires based on the
date on which the first application was first launched, regardless of when the other
applications are launched.
To configure licenses, administrators can use the License Management Console or
command-line tools. They must also ensure they have a sufficient number of licenses to
support the total number of users with offline access permission. Users who run XenApp
hosted applications can also stream applications to user devices without requiring a
separate license. For general information, in the topics for Licensing Your Product, see
Getting Started with Citrix Licensing.
When users with offline access log on using the Receiver, they automatically either
check out an offline license or renew a license already checked out. If users stay logged
on, licenses are renewed automatically each day. If the license is near its expiration
date while a user is running the application in offline mode, a notice appears reminding
the user to log on (that is, change to online mode). When the user logs on, the offline
license is renewed automatically if a license is available.
If the license expires and no license is available, the user cannot launch the application
offline.
•
Offline app client trust (optional). Use this setting to enable offline application user
devices that have disconnected to recreate sessions when reconnecting, without
authenticating again.
•
Offline app event logging (optional). Use this setting to enable logging of offline
application events to the event log on the server.
Step 2: Install the Receiver and Offline Plug-in on User Devices
To use the offline access feature, install both the Offline Plug-in and the Receiver on the user
device. The Offline Plug-in caches each streamed application on the hard drive of the user
device. After the application is cached, the user can disconnect from the network or server
and continue to run the application in offline mode for the period of time specified in the
license.
Step 3: Publish the Application for Offline Access
The offline access feature is available only for applications that you publish as Streamed to
client or Streamed if possible, otherwise accessed from a server.
In addition, when publishing an application for offline access, check the application's
documentation and Web site to determine whether any special configuration is required on
the user device to enable offline access of that application. For example, to stream
Microsoft Outlook to the user device for offline access, users must enable the Microsoft
Exchange Setting to "Use Cached Exchange Mode."
Configure the application for offline access while publishing the application or later using
the application properties:
•
Enable the application for offline access and select the caching preference.
•
Create a list of users or groups who have offline access permission and add that list
both when creating the policy for Offline app users and when publishing the
application.
Configuring Content Redirection
The capability to redirect application and content launching from server to client or client
to server is referred to as content redirection.
Content redirection allows you to decide whether users access information with
applications published on servers or with applications running locally on client devices.
Note: For your users to access content published with a specified universal naming
convention (UNC) path and through the Web Interface, you must publish and configure an
application for content redirection so it is associated with the file type of the published
content.
Redirecting Content from Client to Server
Configure content redirection from client to server by associating published applications
with file types and then assigning them to the users you want to be affected. When you
configure client to server content redirection, users running the XenApp Plug-in for Hosted
Apps open all files of the associated type with applications published on the server.
Content redirection from client to server is available only for users connecting with Citrix
XenApp. You must use the Web Interface server to allow users to connect to published
applications. Citrix XenApp gets updated properties for published applications from the
server running the Web Interface. When you publish an application and associate it with file
types, the file type association is changed to reference the published application in the
Windows registry on the client device.
If you have users who run applications such as email programs locally, use the content
redirection capability with Citrix XenApp to redirect application launching from the client
device to the server. When users double-click attachments encountered in an email
application running locally, the attachment opens in an application that is published on the
server, associated with the corresponding file type, and assigned to the user.
Important: You must enable client drive mapping to use this feature.
Redirecting Content from Server to Client
When you enable server to client content redirection, embedded URLs are intercepted on
the XenApp server and sent to the client device. The browser locally installed on the client
device is used to play the URL. Users cannot disable this feature.
For example, users may frequently access Web and multimedia URLs they encounter when
running an email program published on a server. If you do not enable content redirection
from server to client, users open these URLs with Web browsers or multimedia players
present on servers running XenApp. To free servers from processing these types of requests,
redirect application launching for supported URLs from the server to the local client device.
Note: If the client device fails to connect to a URL, the URL is redirected back to the
server.
The following URL types are opened locally through client devices for Windows and Linux
when this type of content redirection is enabled:
•
HTTP (Hypertext Transfer Protocol)
•
HTTPS (Secure Hypertext Transfer Protocol)
•
RTSP (Real Player and QuickTime)
•
RTSPU (Real Player and QuickTime)
•
PNM (Legacy Real Player)
•
MMS (Microsoft Media Format)
Important: If content redirection from server to client is not working for some of the
HTTPS links, verify that the client device has an appropriate certificate installed. If the
appropriate certificate is not installed, the HTTP ping from the client device to the URL
fails and the URL is redirected back to the server. Content redirection from server to
client requires Internet Explorer Version 5.5 with Service Pack 2 on systems running
Windows 98 or higher.
To enable content redirection from server to client
Complete the following tasks in the Access Management Console to enable content
redirection from server to client and to publish content to be accessed with local
applications.
When you configure XenApp to enable users to open published content with applications
running locally on client devices, the client passes the name of the published content file to
the local viewer application. The server does not download the file to the client device.
Instead, the local viewer application accesses the file the same as it would if a user
double-clicked the file in Windows Explorer (and a file type association specified the
application to use).
Accessing published content with local client devices does not use XenApp resources or
licenses because local viewer applications do not use ICA sessions to display the published
content.
•
To enable content redirection for the farm, select the farm in the left pane:
1. Select Action > Modify farm properties > Modify all properties.
2. From the Properties list, select Server default > XenApp.
3. Select Content Redirection to enable users to open URLs found in remote published
applications in a local Web browser.
4. Select Content redirection from server to client.
•
To enable content redirection for a specific server, select the server in the left pane:
1. Select Action > Modify server properties > Modify all properties.
2. Select Content Redirection to enable users to open URLs found in remote published
applications in a local Web browser.
3. Select Use farm settings (available on server level only) or Content redirection from
server to client.
•
To enable content redirection for specific connections:
1. Use XenApp Advanced Configuration or the Presentation Server Console, depending
on the version of XenApp you have installed. In a policy, enable the rule User
Workspace > Content Redirection > Server to client.
2. Assign the policy to only those connections for which you want to open supported
URL file types on client devices.
•
To publish content to be accessed with local applications:
1. Publish the content file you want users to access.
2. If you publish the application that corresponds to the content file type, do not
associate it with any file types if you want users to open the published content with
locally installed applications.
To configure content redirection from client to server
1. Determine which of your users or groups connect to published applications using Citrix
XenApp.
2. Verify that client drive mapping is enabled, either for the entire farm, for specific
servers, or for specific users or groups with user policies.
3. Publish the application to be shared or the application that corresponds to the file type
for the published content. For example, if you publish a Microsoft Word document
named “Quarterly_Sales.doc,” make sure to also publish Microsoft Word on a XenApp
server so that the .doc file can open in Word.
4. Associate the appropriate file type with the application.
Note: When you associate a file type with a published application, several file
extensions can be affected. For example, when you associate the Word document file
type, file extensions in addition to the .doc extension are associated with the
published application.
5. Assign the published application to the users you want to access it.
When you configure content redirection from client to server, context menu commands
available from within Windows Explorer function differently than on client devices that do
not use this feature. For example, if you right-click a file in Windows Explorer on a client
device with content redirection from client to server enabled for the file type, the Open
command opens the file with the remote application on XenApp. For a streamed
application, the file could be opened either on the client device or on the XenApp server,
depending on the delivery configuration.
Most commands on the Windows Explorer context menu are unaffected because they are
not configured under keys modified by XenApp. Context menu items are generally defined
by each application when installed.
Managing Application Properties
After publishing applications through the Publish Application wizard, manage the published
applications and their properties:
•
Rename, move, disable, and delete published applications
•
Change, duplicate, import, and export published application settings
Only a Citrix administrator with full access to the Published Applications task can change
published applications. Use the application properties to change settings for a published
application, including the location of the published application, the servers on which the
published application is available, and the user accounts allowed to access the published
application.
From the Action menu, select Modify application properties > Modify all properties.
Important: The resource type you publish (application, content, or server desktop)
determines your path through the Publish Application wizard; consequently, the
properties associated with the resource may vary.
To rename a published application
Use the Name property to change the application name and description that appears in Web
Interface. Changes take effect after the user reconnects or refreshes the user device. This
feature can distinguish among multiple versions of the same application.
1. In the left pane of the console, select the published application.
2. From the Action menu, select Modify application properties > Modify all properties >
Name.
3. The Display name is the name users will see on their user device, and it must be unique
within the folder.
4. The Application name appears in the console and should be unique within a farm
(maximum 38 characters). When the application is published, this name is the same as
the display name by default.
5. The Application description appears in Web Interface.
Important: If a duplicate application name is found in the farm, a four-digit hexadecimal
number is appended to the original string. If the character limit is reached and
duplicated, the console replaces the end characters with four-digit hexadecimal
numbers, starting from the right. The application name appears in the left pane of the
Properties dialog box for an application.
To configure locations of servers for published resources
Choose the server on which the published application or desktop is available through the
Servers page of the Publish Application wizard, or from the Action menu, select Modify
application properties > Modify servers.
Important: For installed applications, select the server where the published application is
installed. For streamed-to-server applications, select the server to which the profiled
application will stream and execute.
• The Servers list displays the servers that belong to the farm. Initially, all servers in the
farm appear. Use a filter to display only servers running a particular operating system
or Citrix version.
Note: If you apply a filter (in the Select Servers dialog box), the filter settings remain
in effect each time the Publish Application wizard is run until the filter is removed or
changed.
• Use the Import from file option to import an application server list file (*.asl). You
export the server list of a previously published application and then import this settings
file when creating a new published application.
If you modify your servers for a published application, some users may not be in a trusted
domain for that server. If you receive an error message when trying to modify configured
servers for a published application, duplicate the application and then modify the servers
and users lists of the new application.
To specify locations of applications for streaming
Before you publish applications for streaming, you must create an application profile using
the Citrix Streaming Profiler, a stand-alone utility, and save the profile to a network file
share in your App Hub that is accessible to the Publish Application wizard.
As you publish the application in the Publish Applications wizard, specify the location of the
profile:
1. Citrix streaming application profile address. Provide the location of the manifest file
(.profile). For example, enter the Full Universal Naming Convention (UNC) path (such as
\\citrixserver\profiles\Adobe Reader\Adobe Reader.profile).
2. Application to launch from the Citrix streaming application profile. After this field
populates with files, choose the application from the drop-down menu.
3. Extra command-line parameters. (Optional) These parameters are used when the
profiled application includes asterisks (**) as a placeholder for additional parameters. If
no asterisks are in the command-line string, the extra parameters are added at the end
of the command-line.
To enable an application for offline access
Before you publish applications for streaming, you must create an application profile using
the Citrix Streaming Profiler, a stand-alone utility, and save the profile to a network file
share in your App Hub that is accessible to the Publish Application wizard.
Configure streamed applications for offline access as you publish them or later in the
Application Properties:
• As you publish applications in the Publish Applications wizard, click the Enable offline
access check box on the Offline Access page.
• In Application Properties, select Basic > Streaming settings > Offline Access. Click the
Enable offline access check box to enable the feature.
Tip: If, later, some operation in the application fails offline due to a missing component,
it will fail while connected as well. The solution is to ensure that you package all the
necessary components by thoroughly testing the profile.
The server fully caches applications enabled for offline access on user devices; the entire
application is sent to user devices while the user is online so that the user can launch the
application offline and have full functionality of the application. By default, applications
are cached when a user logs on.
Select when to cache the streamed application:
• Pre-cache application at login. Caches the application when the user logs on (selected
by default). However, concurrent logons may slow network traffic.
• Cache application at launch time. Caches the application when users launch it. Use this
option if the number of users logging on at the same time (and pre-caching their
applications) could overload the network.
Pre-caching is also possible using third-party tools, such as Microsoft System Management
Server (SMS) or Altiris. If you use a third-party caching method, ignore this setting because
it is not used; that is, applications are not cached twice.
To configure user access to applications
Choose the user accounts that can access applications through the Users page of the Publish
Application wizard. To change the user accounts, from the Actions menu in the console,
select Modify application properties > Modify users.
Before you publish resources, consider how the configuration of user accounts can affect
their access, including anonymous access and explicit (configured) user account access.
Note: As a best practice, use groups for unique roles to categorize and assign permissions
to large numbers of users. An application published to one group of 1,000 users requires
the validation of only one object for all 1,000 users. That same application published to
1,000 individual user accounts requires the validation of 1,000 objects.
1. Select how to configure user accounts:
• Select Allow anonymous users to let all users log on anonymously and start the
streamed application without specifying a user name, domain name, and password
(selected by default). This selection disables the remaining options on the page.
• Select Allow only configured users to allow only configured users to start the
application. For example, select this option for all streamed applications.
Selecting this option enables the Select directory type drop-down list, which allows
you to configure the users for this application. You can configure the list later in
the application properties.
Note: Streamed applications do not support anonymous users. Additionally, if you
enable the streamed application for offline access, these options are not shown.
2. Use the Select directory type drop-down box to select either Citrix User Selector or
Operating System User Selector.
3. Click Add.
If you selected Citrix User Selector, complete the following tasks in the Select Users or
Groups dialog box:
• Select your account authority from the Look in drop-down list. The drop-down list
contains all trusted account authorities configured on the servers in the farm.
These include Novell Directory Services (NDS) trees, Windows NT domains, Active
Directory domains, and local servers. (NDS trees appear only if previously
configured.) When you select an account authority, the user accounts that are part
of the selected authority appear in the window below the drop-down list. By
default, only user groups appear.
• Select Show users to display all user names in the selected domain. This option
displays every user in the selected domain. For NDS, alias objects also appear. The
user accounts you select are listed in Configured users.
Tip: Instead of selecting names from the list, type them in a text box. To do this,
click Add List of Names and use semicolons (;) to separate names.
If you selected Operating System User Selector, use the standard Windows dialog box to
select your user or group.
Note: This option has several limitations. You can browse only account authorities
and select users and groups that are accessible from the computer running the
console. In addition, you might initially select users and groups outside the trust
intersection of the farm, which causes errors later. Other limitations include the
inability to add NDS users and groups.
The list of user accounts is added to the Configured Accounts list. Changes take effect the
next time the user launches the application.
Granting Access to Explicit or Anonymous Users
Before you publish resources, decide how to configure user accounts so that as you publish
applications in the wizard, you can select appropriate user access.
Granting Access to Explicit Users
An explicit user is any user who is not a member of the Anonymous group. Explicit users
have user accounts that you create, configure, and maintain with standard user account
management tools.
There are limitations on explicit users who log on to a server farm to run applications:
administrators can specify the type of profile, settings, and other configurations for these
users.
Important: Do not assign any explicit users to the Anonymous group.
Granting Access to Anonymous Users
During XenApp installation, Setup creates a special user group named Anonymous. By
default, anonymous users have guest permissions. Publishing applications for this special
Anonymous user group lets you completely eliminate the need for user authentication for
those applications. When a user starts an application that is configured for anonymous
users, the server does not require an explicit user name and password to log the user on to
the server and run the application.
Anonymous users are granted minimal session permissions that include the following
restrictions:
• Ten-minute idle (no user activity) time-out
• Logoff from broken or timed out connections
• The user cannot change the password (none is required)
When an anonymous user session ends, no user information is retained. The server does not
maintain desktop settings, user-specific files, or other resources created or configured for
the user device.
Note: The anonymous user accounts that XenApp creates during installation do not
require additional configuration. If you want to modify their properties, do so with the
standard Windows user account management tools.
To configure shortcuts for user devices
Configure or modify the application shortcut presented to user devices on the Shortcut
presentation page of the Application Publishing wizard or by selecting Modify application
properties > Modify all properties > Basic > Shortcut presentation.
1. To select a new icon for the application, click Change icon and use the options on the
window.
2. To organize applications within folders on the user device, under Client application
folder, enter a folder name for this application. When users view their Citrix XenApp
applications, this application is listed in the folder you entered.
3. To specify the placement of the application shortcut, in the Application shortcut
placement section, select one or more of these options:
• Add to the client’s Start menu. Creates a shortcut to this application in the user’s
local Start menu. A folder appears in the first pane of the Start menu in the
location you select:
  • Place under Programs folder. This option creates a shortcut under the Programs
  folder of the local Start menu. If a folder structure is specified in the Start
  Menu Folder text box, the folder structure is created within the local Programs
  folder.
  • Start menu folder. The location of the shortcut within the Start menu (or
  Programs folder, if selected). For example, to have the application appear
  under a folder called “Reports,” enter Reports. For more than one level of
  folders, separate each folder name with a backslash; for example,
  “Reports\HR\survey.” If no folder structure is specified, the application is
  available from the top level of the Start menu.
• Add shortcut to the client’s desktop. Creates a shortcut to this application on the
user’s local desktop.
Changes take effect after the user reconnects or refreshes the user device.
To configure access controlled by the Access Gateway
Use the Access control page of the Publish Application wizard or the application properties
to specify the types of connections through which users can start sessions to access
published applications on the farm.
If Access Gateway (Version 4.0 or later) is installed, use the Access Control page of the
Publish Application wizard or select Access Control from the Advanced Application
Properties page to specify the type of connections that allow the application to appear in
the list of published applications on the user device.
For example, if Access Gateway is installed and the application has software requirements,
define a filter in Access Gateway and apply the filter to the published application using
XenApp.
Important: To use this feature, set your servers that receive XML requests to trust those
requests.
Use this page to view or modify connection types:
• Allow connections made through Citrix Access Gateway Advanced Edition (Version 4.0 or
later). This is the default. Select the type of connections that allow the application to
appear in the list of applications:
  • Any connection. Allows connections made through Access Gateway (Version 4.0 or
  later), regardless of filters. This is the default.
  • Any connection that meets any of the following filters. Allows connections made
  through Access Gateway (Version 4.0 or later) that meet one or more of the
  connection filters specified in the list.
  To Add or Edit a filter, click the respective button and enter the predefined Access
  Gateway farm name and filter.
• Allow all other connections. Allows all connections except those made through Access
Gateway (Version 4.0 or later). This is the default.
Users who do not have the required software running on the user device cannot access the
published application.
To associate published applications with file types
As you publish applications, you associate the published item with certain file types present
in the Windows registry on the server. You associate published applications with file types
initially in the Publish Application wizard or later from a Properties page for the published
application. By associating published applications with file types and then assigning the
applications to users, you implement the following automatically:
• Content redirection from user device to server. Users running the Citrix online or offline
plug-in open all files of an associated type with a specific published application and
delivery method. For example, when users double-click an email attachment, the
attachment opens in an application based on the file type and delivery method set for
those users.
Note: If you do not want specific users to launch published applications automatically
when opening published content, do not assign published applications associated with
file types to those users.
• Content publishing. Users connecting through the Web Interface or using Citrix XenApp
open content published on servers with applications published on servers. For example,
you publish a Microsoft Word document. When you also publish the Microsoft Word
application, associate it with a list of file types (files with the .doc extension, for
example), and assign it to a group of users, the published content is opened in the
Microsoft Word application published on the server.
File type association is a two-step process. For example, if you want to associate Microsoft
Word with the .doc file extension:
• Publish a document of the Microsoft Word for Windows file type.
• Publish the Microsoft Word application and associate it with the Microsoft Word for
Windows file type. When users double-click the document from the user device, it
opens in the Microsoft Word application published on the server. Users connecting
through the Web Interface or using a Citrix plug-in can open published content with
published applications.
Associate published applications with file types initially from the Content redirection
page of the Publish Application wizard, or later by selecting Modify application
properties > Modify content redirection properties from the Action menu:
1. Select one or more of the buttons to select the file types that you want the application
to open when a user opens a file. Published applications can be associated with one or
more file types.
2. To list all file types associated with the application, click Show all available file types
for this application. Clear the check box to display only the selected file types.
When changing the available file types for an application, select this check box to
display the superset of file types available, not just those selected when initially
publishing the application.
Note: When you associate a file type with a published application, several file
extensions can be affected. For example, when you associate the Word document file
type, file extensions in addition to the .doc extension are associated with the
published application.
To update file type associations
File types are associated with applications in a server’s Windows registry. If you install and
then publish applications after installing XenApp, you must update the file type associations
in the Windows registry on the server. Use Update file types to associate these file types
with the application in the server farm’s data store. To verify which file types are
associated with a published application, use the Content redirection tab of the Properties
page for the application.
Important: Updating the file type association data for a farm can take a long time. It
depends on the number and availability of servers, the number of streamed applications,
and the availability of the streamed application file shares. If you do not have permission
to access these file shares, an alert appears.
Update the file type associations in the data store if:
• You installed an application but have not yet published it.
• You plan to enable content redirection from user device to server or have users open
published content using the application.
• The data store does not already contain the file type associations. If you updated the
file types from the registries of other servers hosting the application, the data store
already contains the associations.
Choose which file types are opened with a published application. When you publish an
application, a list of available file types appears on the Content redirection page. This list
is current only if the data store was updated with the file type associations for the
application. Update the data store from the registries of several servers containing an
application to associate a complete set of file types with the application.
If needed, update file types for the farm or for an individual server:
1. In the console, select a farm in the left pane and from the Action menu, select All Tasks
> Update file types.
2. Select a server in the left pane and from the Action menu, select All Tasks > Update file
types from registry.
If you publish applications to be hosted on more than one server, be sure to update the file
types on each server.
To configure alternate profiles
For streamed applications only, use this feature to add an alternate profile for connections
that come from specific IP addresses. For example, use an alternate profile to allow one
published application for users on either side of a WAN with file servers on their side. When
you create an alternate profile, you create a duplicate of the primary profile that is located
on a different file share, which is more accessible to the user device.
Note that if the alternate profile is different from the primary package, the user device
may exhibit strange behavior.
To access this dialog box, from the Publish Application wizard, continue to the Alternate
profiles page. Alternatively, select a published application in the left pane and from the
Action menu, select Modify application properties > Modify all properties > Advanced >
Alternate profiles.
When you click Add, enter the starting and ending IP range for which the alternate profile
applies.
Specify the full path of the alternate profile or browse to locate the profile, such as a UNC:
\\citrixserver\profiles\Adobe Reader\Adobe reader.profile. After you configure the range,
user devices from IP addresses within the specified range access the applications from the
alternate profile instead of from the default profile.
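The range-based selection described above, modelled as an added example (not Citrix code) that checks a set of alternate-profile ranges for mistakes before deciding which share a device is directed to. The class and function names, the \\branchserver share and the sample addresses are hypothetical; how the console treats overlapping ranges is not stated here, so the sketch refuses to resolve until overlaps are removed.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class AlternateProfile:
    start: str          # first address of the range entered in the console
    end: str            # last address of the range
    profile_path: str   # UNC path of the duplicate profile


def check_ranges(alternates):
    """Return a list of problems: unparsable, inverted or overlapping ranges."""
    problems, parsed = [], []
    for alt in alternates:
        try:
            low = ipaddress.IPv4Address(alt.start)
            high = ipaddress.IPv4Address(alt.end)
        except ipaddress.AddressValueError:
            problems.append(f"invalid address: {alt.start}-{alt.end}")
            continue
        if low > high:
            problems.append(f"inverted range: {alt.start}-{alt.end}")
            continue
        parsed.append((low, high, alt))
    # Two ranges overlap when each one starts before the other ends.
    for (low1, high1, a), (low2, high2, b) in combinations(parsed, 2):
        if low1 <= high2 and low2 <= high1:
            problems.append(f"overlap: {a.start}-{a.end} and {b.start}-{b.end}")
    return problems


def resolve_profile(client_ip, primary_path, alternates):
    """Return the profile path a device at client_ip is directed to."""
    problems = check_ranges(alternates)
    if problems:
        raise ValueError("; ".join(problems))
    address = ipaddress.IPv4Address(client_ip)
    for alt in alternates:
        if ipaddress.IPv4Address(alt.start) <= address <= ipaddress.IPv4Address(alt.end):
            return alt.profile_path
    return primary_path


# Constructed sample data: the primary path is the example from the text,
# the branch share and the address range are made up for illustration.
PRIMARY = r"\\citrixserver\profiles\Adobe Reader\Adobe Reader.profile"
BRANCH = r"\\branchserver\profiles\Adobe Reader\Adobe Reader.profile"
ALTERNATES = [AlternateProfile("10.20.0.1", "10.20.0.254", BRANCH)]

if __name__ == "__main__":
    for ip in ("10.20.0.57", "192.0.2.10"):
        print(ip, "->", resolve_profile(ip, PRIMARY, ALTERNATES))
```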
To pass parameters to published applications
Use the Location page of the application properties in the console to pass parameters to
published applications. When you associate a published application with file types, the
symbols "%*" (percent and star symbols enclosed in double quotation marks) are appended
to the end of the command line for the application. These symbols act as a placeholder for
parameters passed to user devices.
If a published application does not launch when expected, verify that its command line
contains the correct symbols. By default, XenApp validates parameters supplied by user
devices when the symbols "%*" are appended. For published applications that use
customized parameters supplied by the user device, the symbols "%**" are appended to the
command line to bypass command-line validation. If you do not see these symbols in a
command line for the application, add them manually.
If the path to the executable file includes directory names with spaces (such as
"C:\Program Files"), you must enclose the command line for the application in double
quotation marks to indicate that the space belongs in the command line. To do this, follow
the instructions below for adding quotation marks around the %* symbols and then add a
double quotation mark at the beginning and the end of the command line. Be sure to
include a space between the closing quotation mark for the command line and the opening
quotation mark for the %* symbols.
For example, change the command line for the published application Windows Media Player
to the following:
"C:\Program Files\Windows Media Player\mplayer1.exe" "%*"
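The quoting and placeholder rules above can be checked mechanically. The following is an added example, not Citrix code: it reviews command-line strings copied from the Location page and reports unquoted paths with spaces, a missing or unquoted placeholder, a missing space before the placeholder, and any use of "%**", which turns off command-line validation and deserves a deliberate decision. The finding codes, function names and the sample inventory (including the Example\viewer.exe paths) are hypothetical.

```python
import re

EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd")
# A token is either a double-quoted string or a run of non-space characters.
TOKEN = re.compile(r'"([^"]*)"|([^\s"]+)')
# Typographic quotes pasted from documentation are not command-line quotes.
CURLY_TO_STRAIGHT = {0x201C: '"', 0x201D: '"'}


def tokenize(command_line):
    """Return (text, quoted, start, end) for every token in the command line."""
    tokens = []
    for match in TOKEN.finditer(command_line):
        quoted = match.group(1) is not None
        text = match.group(1) if quoted else match.group(2)
        tokens.append((text, quoted, match.start(), match.end()))
    return tokens


def audit_command_line(command_line):
    """Return a list of finding codes for one published-application command line."""
    findings = []
    normalised = command_line.translate(CURLY_TO_STRAIGHT)
    if normalised != command_line:
        findings.append("TYPOGRAPHIC_QUOTES")
    if normalised.count('"') % 2:
        findings.append("UNBALANCED_QUOTES")

    tokens = tokenize(normalised)
    # Heuristic: the executable is the first token with an executable suffix.
    # If it is unquoted and not the first token, the path was split on spaces.
    exe_index = next(
        (i for i, tok in enumerate(tokens) if tok[0].lower().endswith(EXECUTABLE_SUFFIXES)),
        None,
    )
    if exe_index is None:
        findings.append("NO_EXECUTABLE")
    elif exe_index > 0 and not tokens[exe_index][1]:
        findings.append("UNQUOTED_PATH_WITH_SPACES")

    placeholders = [(i, tok) for i, tok in enumerate(tokens) if "%*" in tok[0]]
    if not placeholders:
        findings.append("NO_PLACEHOLDER")
    for i, (text, quoted, start, _end) in placeholders:
        if "%**" in text:
            findings.append("VALIDATION_BYPASS")      # validation is skipped
        if not quoted:
            findings.append("UNQUOTED_PLACEHOLDER")
        if i > 0 and tokens[i - 1][3] == start:
            findings.append("NO_SPACE_BEFORE_PLACEHOLDER")
    return findings


def audit_inventory(command_lines):
    """Audit a mapping of application name -> command line."""
    return {name: audit_command_line(cmd) for name, cmd in command_lines.items()}


# Constructed sample inventory; only the first entry comes from the text above.
SAMPLE_COMMAND_LINES = {
    "Media Player (as documented)": r'"C:\Program Files\Windows Media Player\mplayer1.exe" "%*"',
    "Media Player (path not quoted)": r'C:\Program Files\Windows Media Player\mplayer1.exe "%*"',
    "Viewer (validation bypassed)": r'"C:\Program Files\Example\viewer.exe" "%**"',
    "Viewer (no space before placeholder)": r'"C:\Program Files\Example\viewer.exe""%*"',
    "Viewer (pasted curly quotes)": "\u201cC:\\Program Files\\Example\\viewer.exe\u201d \u201c%*\u201d",
}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_COMMAND_LINES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```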
To reduce user privileges for a streamed application
For applications configured to stream to client devices only, use this setting to reduce the
user privileges for the application, thus reducing security risks. From the User privileges
page of the Publish Application wizard or from the Action menu, select Modify application
properties > Modify all properties > User privileges.
Important: Before you select this option, test the application with a limited access
configuration. Some applications expect users to have elevated privileges and might fail
to operate correctly when launched by users with a least-privileged user account.
Select Run application as a least-privileged user account (not selected by default). This
setting configures all users, even those with an administrator account, to run the
application with normal user privileges.
For more information about least-privileged user accounts, search the Microsoft TechNet
Web site.
To configure application limits and importance
When a user starts a published application, the plug-in establishes a connection to a server
in the farm and initiates a session. If the user then starts another published application
without logging off from the first application, the user has two concurrent connections to
the server farm. Use this page to limit the number of concurrent connections that users can
make.
You can configure application limits and importance from the Publish Application wizard
Limits page, or from the Action menu > Modify application properties > Modify all properties
> Advanced > Limits.
Under Concurrent instances, select from the following options:
• Limit instances allowed to run in server farm and then enter the numerical limit in
Maximum instances
• Allow only one instance of application for each user
If Preferential Load Balancing is available in your XenApp edition, this setting (along with
the session importance policy setting) determines the Resource Allotment associated with
the session. The higher the Resource Allotment of the session, the higher the percentage of
CPU cycles allotted to it.
In the Application Importance list box, set the priority that is used with the Session
Importance setting to determine the level of service for the session in the XenApp farm:
High, Normal, and Low.
To configure audio and encryption options for published applications
For applications published for an online connection, use the Client Options page of the
application Properties to configure the Citrix plug-in audio and encryption options for when
users connect to a published application.
To locate the page, open the console, select the application, and from the Action menu,
select Modify application properties > Modify all properties > Advanced > Client options.
The settings that Citrix plug-ins use to communicate with a published application vary
according to the type of plug-in. The Citrix online plug-in and Web Interface automatically
use the settings you specify here to communicate with this published application.
You can set the encryption level for communications in multiple places in XenApp and your
Windows operating system. If a higher priority encryption level is set elsewhere, the
settings that you specify can be overridden. The most secure setting out of the following
settings is used:
• The setting in Terminal Services Configuration (TSCC) and/or the setting in Citrix
Connection Configuration Tool (Mfcfg.exe)
• The policy setting that applies to the connection
• The application setting (that is, the level you are setting in this dialog box)
• The Microsoft Group Policy
The encryption settings specified here when publishing an application should be at the
same level as the encryption settings you specified elsewhere. That is, any encryption
setting you specify in the TSCC or connection policies cannot be higher than the application
publishing setting.
If the encryption level for an application is lower than any settings you specified for TSCC
and connection policies, those settings override the application settings. If the minimum
requirements check box is selected and the plug-in connection does not meet the most
restrictive level of encryption, the server rejects the connection when the plug-in tries to
connect to the application. If the minimum requirements check box is selected, the plug-in
setting is always used. However, the plug-in setting must be as secure as the server setting
or the connection is denied.
If you select Minimum requirement under the Encryption list box, plug-ins can connect to
the published application only if they are communicating using the specified level of
encryption or higher. After you set this encryption level on the server, any plug-ins
connecting with that server must connect at that encryption level or higher.
If a plug-in is running on a 64-bit computer, only basic encryption is supported. In this
situation, setting a level of encryption higher than Basic and selecting the minimum
requirements check box prevents plug-ins from connecting.
• Select Client audio options:
  • Enable legacy audio. Select this option to allow audio support for applications to
  which SpeedScreen Multimedia Acceleration does not apply.
  Note: By default, audio is disabled on the user device. To allow users to listen to
  audio in sessions, turn on audio or give the users permission to turn on audio
  themselves in the plug-in interface they are using, such as Citrix XenApp.
  • Minimum requirement. Select this option to allow plug-ins to connect to the
  published application only if they have audio support. The Minimum requirement
  check box under the Client audio list box applies only to the legacy audio setting. It
  does not apply to SpeedScreen Multimedia Acceleration.
• In the Connection encryption section, select one or more of the following options:
  • Select Enable SSL and TLS protocols to request the use of the Secure Sockets Layer
  (SSL) and Transport Layer Security (TLS) protocols for plug-ins connecting to the
  published application.
  • Select Encryption to apply the RC5 encryption level for the connection.
• In the Printing section, select or clear Start this application without waiting for client
printers to be created. Selecting this option can allow the plug-in to connect faster.
However, if you select this option, the printers may take a few seconds to be created;
do not select this option for applications that print to the printer immediately after
being launched.
To configure application appearance
Define how the application appears to the user through the Appearance page of the Publish
Application wizard, or from the Action menu, select Modify application properties > Modify
all properties > Advanced > Appearance.
• To set the default window size, select the Session window size. Specify window size as
a standard resolution, custom resolution, percentage of the screen, or full screen.
• To set the color depth for the application, select the Colors. The available options are
16 Colors, 256 Colors, High Color (16-bit), or True Color (24-bit).
• To hide the application title bar and maximize the application at startup, change the
setting in the Application Startup Settings.
To disable or enable a published application
Take published applications offline temporarily or indefinitely when you are maintaining a
published application, such as applying an upgrade or a service pack to it. While an
application is offline, it is not accessible to users. You can disable multiple applications
simultaneously.
You might initially disable an application as you publish it in the publishing wizard or enable
or disable it anytime from the console.
• From the Publish Application wizard, continue to the Publish immediately page and
select the Disable application initially check box. When checked, the application is
published but users cannot access it until you enable it.
• In the console, select the application in the navigation pane, and from the Action
menu, select Enable application or Disable application.
• In the console, select the application in the navigation pane, and from the Action
menu, select Modify application properties > Modify all properties. From the Name
property, select Disable application.
Note: If the Disable application initially option is selected and cannot be cleared, either
the application requires configured users but none are specified, or the application is of a
type that runs on a server (such as an installed application or streamed-to-server
application) but no servers are specified.
To delete a published application
As you publish updated applications on your servers, delete the older or less-frequently
used applications. Deleting a published application does not uninstall the application. It
simply removes access to the application through plug-in connections. You can delete
multiple applications simultaneously.
1. In the left pane of the console, select the application.
2. On the Action menu, select Delete application.
To move a published application to another folder
Use this option to move a published application to another folder in the console tree or to
move servers to another server folder. Published applications can be moved only to
Applications or folders under Applications. Similarly, servers can be moved only to Servers
or folders under Servers. You can move multiple applications simultaneously.
1. In the left pane of the console, select the application.
2. On the Action menu, select Move to folder.
3. Use the Select destination folder dialog box to change the location of the application.
Alternatively, drag applications into a new folder.
To duplicate published application settings
Use the settings of a published application as a template to publish other applications. For
example, if you published an application with a specified user list, you might want to apply
the same user list to a new application hosted on the same set of servers. If so, copy the
first published application, change the name and location to those of the second
application, and thereby publish a different application with the same user and server
properties. You can duplicate multiple applications simultaneously.
1. In the left pane of the console, select the application.
2. From the Action menu, select Duplicate application. A copy of the application
appears under the Applications node.
3. Select the duplicated application and change the required properties.
To export published application settings to a file
Exporting published application settings to a file allows you to import these settings files
and create new applications at a later time. First you export the desired settings to a
settings file, and then you import this file to create new applications easily. In particular,
import these settings files to overwrite the settings on a previously published application.
This export option offers choices to export a single application, the user list only, or server
list only.
A Citrix administrator requires the View permission for the application folder in which the
application resides to export published application settings.
1. In the left pane of the console, select the application whose settings you want to
export. To export multiple published application settings to a file simultaneously, in the
right pane of the console, press CTRL and select the names of the applications you want
to export.
2. From the Action menu, select All Tasks > Export application settings to a file. Select
what to export:
• Entire Application. Exports the application and all the settings associated with the
published application to an .app file. If you choose this option, you can export
settings from multiple applications; select them from the left pane of the console
before selecting the export task.
Important: If application settings are exported as a batch, they must be imported
as a batch.
• User List Only. Exports only the list of configured users for the application to an
AUL file. This option can export the user list associated with one published
application only. Then select a published application and import the user list,
replacing the existing user list.
• Server List Only. Exports only the list of configured servers for the application to an
ASL file, including any per-server command-line overrides, if applicable. Then
select an application and import the server list, replacing the existing server list.
Alternatively, import this list of servers when publishing an application by clicking
Import from file on the Servers page of the Publish Application wizard.
Note: This task is available only for applications that have servers associated with
them. For this reason, this task is unavailable for published content or
streamed-to-client applications. You can export the server list associated with
one published application only.
3. Settings files are saved in XML format. The settings associated with your published
application are saved to a settings file with one of the following extensions: APP, AUL,
or ASL. The file name is the same as the application by default. For example, if you
choose to export all the application settings of a published application called
Notepad123, the default file name for the exported application settings file is
Notepad123.app.
To import published application settings from a file
After you export published application settings to a file, use them to create a new
application or alter the user or server settings of a previously published application.
Citrix administrators require Published Application permissions for the application folder in
which the application resides to import application settings.
1. In the left pane of the console, select either the folder into which you would like to
place a new published application or the published application whose user or server
settings you want to change.
2. From the Action menu, select All Tasks > Import application settings from a file.
3. Use the Open dialog box to locate the settings file you want to import.
• If you selected a folder in Step 1 of this procedure and an APP file in Step 2, the
new application appears under the folder you selected.
• If you selected a previously published application in Step 1 and either an ASL or AUL
file in Step 2, click Yes to confirm that you want to overwrite existing settings. The
imported ASL or AUL file updates the server settings or user settings of the
application, respectively.
Note: If any of the servers or users that were exported for a published application cannot
be imported, a warning message appears identifying the list of users or servers that could
not be imported. You either proceed or cancel the import at that point. Cancelling the
import cancels the entire import operation. This situation might occur if a server was
removed from the farm after a published application was exported, if a user was removed
from the domain, or if the administrator does not have proper permissions to publish the
application on one or more of the servers that were exported.
Making Virtual IP Addresses Available to Applications
Some applications, such as CRM and CTI, use an IP address for addressing, licensing,
identification, or other purposes and thus require a unique IP address or a loopback address
in sessions. Other applications may bind to a static port, which, because the port is already
in use, causes the failure of multiple attempts to launch an application in a multiuser
environment. For such applications to function correctly in a XenApp environment, a unique
IP address is required for each device.
Use the virtual IP address feature to assign a static range of IP addresses to a server and
have these addresses individually allocated to each session so that configured applications
running within that session appear to have a unique address.
Processes require virtual IP if either:
• They use a hard-coded TCP port number, or
• They do both of the following:
  • Use Windows sockets, and
  • Require a unique IP address or require a specified TCP port number
Also, this feature lets you configure applications that depend on communication with
localhost (127.0.0.1 by default) to use a unique virtual loopback address in the localhost
range (127.*).
Processes require virtual loopback if either:
• They use the Windows socket loopback (localhost) address (127.0.0.1), or
• They use a hard-coded TCP port number
If the application requires an IP address for identification purposes only, configure your
server to use the client IP address.
How Virtual IP Addressing Works
The virtual IP address feature works as follows:
• During IMA startup, the virtual IP address assigner binds the assigned IP addresses to the
NIC that matches the same subnet as the virtual addresses.
• When the virtual IP feature is enabled on a specific server, the virtual IP address
allocator allocates all new sessions connecting to the server an address from the pool of
available addresses that were assigned by the virtual IP address assigner.
• Each new session is allocated an address that is removed from the pool of available
addresses. When the session logs off, the allocated address is returned to the available
address pool.
• After an address is allocated to a session, it uses the allocated virtual address rather
than the primary IP address for the system whenever the following calls are made:
bind, closesocket, connect, WSAConnect, WSAAccept, getpeername,
getsockname, sendto, WSASendTo, WSASocketW, gethostbyname,
gethostbyaddr, getnameinfo, getaddrinfo
Note: All processes that require this feature must be added to the Virtual IP Process list.
Child processes do not inherit this functionality automatically. Processes can be
configured with full paths or just the executable name. For security reasons, Citrix
recommends that you use full paths.
Configuring Virtual Loopback
When enabled, the Virtual Loopback function does not require any additional configuration
other than specifying which processes use the feature. When an application uses the
localhost address (127.0.0.1) in a Winsock call, the Virtual Loopback feature simply
replaces 127.0.0.1 with 127.X.X.X where X.X.X is a representation of the session ID + 1. For
example, a session ID of 7 is 127.0.0.8. In the unlikely event that the session ID exceeds the
fourth octet (more than 255), the address rolls over to the next octet (127.0.1.0) to the
maximum of 127.255.255.255.
Virtual Loopback enables multiple published applications that depend on the localhost
interface for interprocess communication to function correctly within the session.
Binding Applications
Applications are bound to specific IP addresses by inserting a “filter” component between
the application and Winsock function calls. The application then sees only the IP address it
is supposed to use. Any attempt by the application to listen for TCP or UDP communications
is bound to its allocated virtual IP address (or loopback address) automatically, and any
originating connections opened by the application are originated from the IP address bound
to the application.
In functions that return an address such as gethostbyname() and GetAddrInfo(), if the local
host IP address is requested, virtual IP looks at the returned IP address and changes it to
the virtual IP address of the session. Applications that try to get the IP address of the local
server through such name functions see only the unique virtual IP address assigned to that
session. This IP address is often used in subsequent socket calls (such as bind or connect).
Often an application requests to bind to a port for listening on the address 0.0.0.0. When
an application does this and uses a static port, you cannot launch more than one instance of
the application. The virtual IP address feature also looks for 0.0.0.0 in these types of calls
and changes the call to listen on the specific virtual IP address. This enables more than one
application to listen on the same port on the same computer because they are all listening
on different addresses. Note this is changed only if it is in an ICA session and the virtual IP
address feature is turned on. For example, if two instances of an application running in
different sessions both try to bind to all interfaces (0.0.0.0) and a specific port, such as
9000, they are bound to VIPAddress1:9000 and VIPAddress2:9000 and there is no conflict.
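The address substitution described under Configuring Virtual Loopback and Binding Applications can be modeled in a few lines of Python. This is an added example, not Citrix code: the Server class, the function names, the process names and the addresses are assumptions made for illustration, and processes are matched by executable name only.

```python
import ipaddress

ANY = ipaddress.IPv4Address("0.0.0.0")
LOCALHOST = ipaddress.IPv4Address("127.0.0.1")
LOOPBACK_BASE = int(ipaddress.IPv4Address("127.0.0.0"))
LOOPBACK_MAX = int(ipaddress.IPv4Address("127.255.255.255"))


def virtual_loopback(session_id):
    """127.X.X.X where X.X.X represents session ID + 1 (7 -> 127.0.0.8)."""
    if session_id < 0:
        raise ValueError("session ID must not be negative")
    value = LOOPBACK_BASE + session_id + 1  # carries into the next octet past 255
    if value > LOOPBACK_MAX:
        raise ValueError("no loopback address left for this session ID")
    return ipaddress.IPv4Address(value)


class Server:
    """Model of one server: a virtual IP pool plus the two process lists."""

    def __init__(self, primary_ip, pool, vip_processes=(), loopback_processes=()):
        self.primary_ip = ipaddress.IPv4Address(primary_ip)
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.allocated = {}  # session ID -> virtual IP address
        self.vip_processes = {p.lower() for p in vip_processes}
        self.loopback_processes = {p.lower() for p in loopback_processes}

    def logon(self, session_id):
        """Every new session takes an address. None models the
        'No virtual IP address is available for this session' case."""
        if not self.free:
            return None
        self.allocated[session_id] = self.free.pop(0)
        return self.allocated[session_id]

    def logoff(self, session_id):
        """Return the session's address to the available pool."""
        address = self.allocated.pop(session_id, None)
        if address is not None:
            self.free.append(address)

    def effective_bind(self, session_id, process, address, port):
        """Address and port a process in this session ends up bound to."""
        name = process.lower()
        requested = ipaddress.IPv4Address(address)
        if name in self.loopback_processes and requested == LOCALHOST:
            return virtual_loopback(session_id), port
        vip = self.allocated.get(session_id)
        if name in self.vip_processes and vip is not None and requested in (ANY, self.primary_ip):
            return vip, port
        # Unlisted processes, child processes included, are left unchanged.
        return requested, port


def port_conflicts(binds):
    """Pairs that cannot coexist: same port and same address, or one side is 0.0.0.0
    (a simplified view of listener conflicts)."""
    clashes = []
    for i, (addr_a, port_a) in enumerate(binds):
        for addr_b, port_b in binds[i + 1:]:
            if port_a == port_b and (addr_a == addr_b or ANY in (addr_a, addr_b)):
                clashes.append(((addr_a, port_a), (addr_b, port_b)))
    return clashes


def demo():
    # Constructed sample values: addresses, process names and session IDs are illustrative.
    server = Server("10.1.20.11", ["10.1.20.211", "10.1.20.212"],
                    vip_processes=["ctiagent.exe"], loopback_processes=["ipcbroker.exe"])
    server.logon(3)
    server.logon(7)
    listed = [server.effective_bind(s, "CTIAgent.exe", "0.0.0.0", 9000) for s in (3, 7)]
    child = [server.effective_bind(s, "helper.exe", "0.0.0.0", 9000) for s in (3, 7)]
    loop = [server.effective_bind(s, "ipcbroker.exe", "127.0.0.1", 5000) for s in (3, 7)]
    return listed, child, loop


if __name__ == "__main__":
    for label, binds in zip(("listed", "unlisted child", "loopback"), demo()):
        print(label, [f"{a}:{p}" for a, p in binds], "conflicts:", len(port_conflicts(binds)))
```

The unlisted helper.exe still collides on port 9000 in the second session, which is why every executable that opens the port has to be added to the process list.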
To determine whether an application needs to use virtual IP addresses
Some applications cannot run in multiple sessions on XenApp. For example, if the
application binds to a fixed TCP port on a specific IP address such as 0.0.0.0 or 127.0.0.1,
this prevents multiple instances of the application from running in multiple sessions
because the port is already in use. The virtual IP feature of XenApp can help solve this
problem.
To determine whether or not the application needs to use virtual IP addresses:
1. Obtain the TCPView tool from Microsoft. This tool lists all applications that bind
specific IP addresses and ports.
2. Disable the Resolve IP Addresses feature so that you see the addresses instead of host
names.
3. Launch the application and, using TCPView, note which IP addresses and ports are
opened by the application and which process names are opening these ports.
To use the virtual IP address feature, configure any processes that open the IP address of
the server, 0.0.0.0, or 127.0.0.1.
To ensure that an application does not open the same IP address on a different port, launch
an additional instance of the application.
To make virtual IP addresses available to applications running in sessions
Use virtual IP addresses to provide published applications with unique IP addresses for use
in sessions. This is especially important for Computer Telephony Integration (CTI)
applications that are widely used in call centers.
Users of these applications can access them on a XenApp server in the same fashion that
they access any other published application.
To assign virtual IP address ranges, you must have a reserved range of static IP addresses to
assign to the server. Work with your network administrator to obtain a list of free addresses
that are not part of your DHCP pool. Ensure that you do not include broadcast addresses.
Before assigning virtual IP address ranges, determine the maximum number of users you
may have connecting concurrently to the server. Because every session connecting to the
server is assigned an IP address (not just sessions launching the application that require
virtual IP addresses), assign at least as many static IP addresses to the server as the
maximum number of users who may be connecting concurrently to that server.
Note: In the event more sessions are launched on a server than IP addresses are
available, the server displays the error message: “No virtual IP address is available for
this session, please contact your administrator.” The inability of the server to assign a
virtual IP address to a session does not prevent the user from launching an application
that requires a virtual IP address within the session; however, the application may not
function correctly.
• At the farm level, configure virtual IP address ranges and assign them to servers.
• Enable applications to use virtual IP addresses.
In addition to configuring virtual IP address ranges and enabling applications for use with
virtual IP addresses, this feature can control and monitor virtual IP addresses available from
each server.
To assign virtual IP address ranges to servers
Before enabling the virtual IP address feature, configure ranges of IP addresses that are
excluded from any DHCP servers and are not otherwise duplicated on the network. These
ranges must share the same subnets as the assigned IP addresses of the XenApp servers that
are configured for virtual IP, because there is no routing mechanism in place to traverse
subnets.
The pool of IP addresses assigned to the server farm must be large enough to include all
concurrent user sessions on every server that is configured, not just the sessions running the
applications requiring virtual IP address functionality. Add the servers that require virtual IP
address functionality that share the same subnet as the address range to the range. The
addresses in the range are distributed equally (by default) among the selected servers and
assigned. You can then change the number of addresses assigned to each server. Citrix
recommends that you configure a Load Management Server User Load rule that is equal to
or fewer than the total number of addresses assigned to the server.
Use the Access Management Console to assign a specific address range to each XenApp
computer or group of computers. This may be a viable option within environments where
the servers span subnets or where insufficient IP addresses exist within the current subnet.
You can also modify existing ranges to increase or decrease the number of addresses in the
range. When programs running in multiple, concurrent user sessions have problems with
TCP port conflicts, the system uses these virtual addresses to assign each user session a
unique IP address. Servers with virtual IP disabled appear in the left pane with a red circle
and “x” in their icon. When virtual IP is enabled, server icons do not have the red circle or
“x.”
1. In the left pane of the Access Management Console, select a farm. Then select Action >
Modify farm properties > Modify Virtual IP properties.
2. From the Virtual IP page, select Address Configuration. The Virtual IP address ranges list
appears. This displays the ranges defined for the farm, the servers assigned to the
range, and the number of assigned addresses for each server.
3. Use the Address Configuration dialog box to configure the virtual IP address ranges and
assign them to servers. Use the buttons provided to configure the ranges:
• Add IP Range. Allows you to define a new range of IP addresses. Make sure all
addresses in the range are valid and on the same subnet as the XenApp server.
Specifically, do not include:
  • IP addresses in use by other devices on the network
  • Broadcast addresses
• Configure Servers. Opens a dialog box to add or remove servers in the selected
range and modify the number of addresses assigned to each server.
4. Select the Enable logging of IP address assignment and release check box to log IP
address assignments and releases in the system’s application log (not selected by
default). This information includes virtual IP addresses, user names, and session IDs.
Clear the check box to remove information from the log.
Important: When you finish, restart all affected servers to apply the changes.
By default, servers use the settings selected for the farm. To customize the setting for
individual servers, use the Server Properties page to override the farm settings.
After configuring virtual IP address ranges, continue by specifying the application processes
that are enabled to use virtual IP addresses.
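The range requirements above (same subnet as the servers, no DHCP or in-use addresses, no broadcast address, enough addresses for every concurrent session) can be checked before a range is entered in the console. The following Python sketch is an added example, not a Citrix tool: the function names, server names, addresses and session counts are constructed, and giving any remainder of the equal split to the first servers in name order is an assumption.

```python
import ipaddress


def address_range(first, last):
    """Inclusive list of IPv4 addresses from first to last."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]


def check_virtual_ip_range(first, last, servers, dhcp_pools=(), in_use=(), peak_sessions=None):
    """Validate a proposed virtual IP range.

    servers:       {server name: "address/prefix" of its NIC}
    dhcp_pools:    [(first, last), ...] DHCP scopes on that subnet
    in_use:        addresses already used by other devices
    peak_sessions: {server name: maximum concurrent sessions, all applications}
    Returns (problems, assignment); assignment maps each server to its addresses.
    """
    if not servers:
        raise ValueError("at least one server is required")
    problems = []
    candidates = address_range(first, last)
    interfaces = {name: ipaddress.IPv4Interface(v) for name, v in servers.items()}

    # There is no routing between subnets, so all servers in a range share one subnet.
    subnets = {iface.network for iface in interfaces.values()}
    if len(subnets) != 1:
        nets = ", ".join(sorted(str(n) for n in subnets))
        return [f"servers in one range must share a subnet, found: {nets}"], {}
    subnet = next(iter(subnets))

    taken = {ipaddress.IPv4Address(a) for a in in_use}
    taken |= {iface.ip for iface in interfaces.values()}
    dhcp = [(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
            for a, b in dhcp_pools]

    for addr in candidates:
        if addr not in subnet:
            problems.append(f"{addr} is outside {subnet}")
        elif addr == subnet.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {subnet}")
        elif addr == subnet.network_address:
            problems.append(f"{addr} is the network address of {subnet}")
        elif any(lo <= int(addr) <= hi for lo, hi in dhcp):
            problems.append(f"{addr} is inside a DHCP pool")
        elif addr in taken:
            problems.append(f"{addr} is already in use")

    # Default behaviour described above: addresses are split equally among servers.
    names = sorted(interfaces)
    share, extra = divmod(len(candidates), len(names))
    assignment, start = {}, 0
    for index, name in enumerate(names):
        count = share + (1 if index < extra else 0)
        assignment[name] = candidates[start:start + count]
        start += count

    # Every session takes an address, not only sessions that run listed processes.
    for name in names:
        need = (peak_sessions or {}).get(name, 0)
        if len(assignment[name]) < need:
            problems.append(f"{name} gets {len(assignment[name])} addresses "
                            f"but may host {need} concurrent sessions")
    return problems, assignment


# Constructed sample input.
SERVERS = {"XA01": "10.1.20.11/24", "XA02": "10.1.20.12/24"}
DHCP_POOLS = [("10.1.20.50", "10.1.20.210")]

if __name__ == "__main__":
    issues, plan = check_virtual_ip_range("10.1.20.200", "10.1.20.255", SERVERS,
                                          DHCP_POOLS, peak_sessions={"XA01": 30, "XA02": 30})
    print("\n".join(issues))
    print({name: len(addresses) for name, addresses in plan.items()})
```

The per-server address count it reports is also the ceiling for the Load Management Server User Load rule recommended above.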
To enable application processes to use virtual IP addresses or virtual loopback
After you configure virtual IP addresses or virtual loopback for a farm, continue by
specifying the application processes (that is, the executables that run the applications) that
can use the virtual IP addresses or virtual loopback.
You configure the virtual IP feature for application processes through the Process
Configuration page of the Access Management Console. This page displays two lists of
processes that are enabled for virtual IP and virtual loopback, respectively.
1. In the left pane of the management console, select the farm.
2. Select Action > Modify farm properties > Modify Virtual IP properties.
3. From the Virtual IP page, select Process Configuration.
4. In the Processes Configuration dialog box, use the buttons to control lists of processes
to which the server provides virtual IP and loopback addresses.
The Add Process option allows you to type the executable name to add the process to
the list. You can add executables to one or both lists. (Do not specify the path; specify
only the executable name.)
When adding files to the lists, select the executable files associated with the
applications you want to enable to use virtual IP and virtual loopback.
Depending on the list to which you add a process, the next time the process starts in a
session, it uses a virtual IP address or virtual loopback.
To supply client IP addresses to published applications on a server
Use the Client IP Address feature if an application fails because it requires a unique address
strictly for identification or licensing purposes, and the application does not require a
virtual address for communication. This feature hooks only calls that return a host IP
address, such as gethostbyname(). Only use this feature with applications that send the
value in this type of call to the server application for identification or licensing.
If you deploy this feature, consider the IP addresses used by each client device. For
example, if two remote users use the same IP address, a conflict will arise due to the
duplicate address.
When these values are configured, configure either the Virtual IP Processes or Virtual
Loopback Processes with the same process names. This function creates and manages the
following registry entry, which is still required for the Client IP feature to work:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\VIPHook\Processname
On XenApp, 32-bit Edition, this entry is:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\VIPHook\Processname
Note: The virtual IP address feature functions only with applications that load the
user32.dll system dynamic link library.
For identification purposes, some applications require the IP address be unique for a
session. Such IP addresses are not needed for binding or addressing purposes. In such a
case, configure the session to use the IP address of the client device.
1. On the server on which the applications reside, start regedit.
Caution: Using Registry Editor incorrectly can cause serious problems that can
require you to reinstall the operating system. Citrix cannot guarantee that problems
resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at
your own risk. Make sure you back up the registry before you edit it.
2. Using regedit, create the following two registry entries:
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\VIP\
Name: UseClientIP
Type: REG_DWORD
Data: 1 (enable) or 0 (disable, which is the default)
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\VIP\
Name: HookProcessesClientIP
Type: REG_MULTI_SZ
Data: multiple executable names representing application processes that use client
IP addresses
Note: On XenApp, 32-bit Edition, these entries are found in
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VIP\.
3. Close regedit and restart your server.
4. After making the prescribed registry modifications, add the application process. For
instructions, see To enable application processes to use virtual IP addresses or virtual
loopback.
Do not configure the use of client IP addresses if:
• Plugins connect using network protocols other than TCP/IP
• Plugins reconnect to disconnected sessions from different client devices
• Sessions use a pass-through plugin
To make a virtual loopback address available to applications running in sessions
Use virtual loopback to provide published applications with loopback addresses to use in
sessions hosted on a server. An administrator can publish applications that require separate
loopback addresses per session. Users of these applications can access them on XenApp
servers in the same way that they access any other published application. Use virtual IP
addresses or virtual loopback for applications that fail or do not behave properly when
running in multiple, concurrent user sessions. These problems occur mainly with in-house or
customized applications that have trouble running on Windows Terminal Services.
The behavior of the applications determines whether they use virtual IP or virtual loopback.
1. At the farm level, enable virtual loopback on servers.
2. Enable application processes to use virtual loopback.
After you configure virtual loopback on your servers, control and monitor this feature at the
server level.
To enable or disable virtual loopback for a farm
You configure virtual loopback for the servers in a farm through the Loopback Configuration
page of the Access Management Console. You have the option to configure this feature for
specified servers or all servers associated with a farm.
1. In the left pane of the Access Management Console, select a farm. Then select Action >
Modify farm properties > Modify Virtual IP properties.
2. On the Virtual IP page, select Loopback Configuration.
3. Select the servers in the list for which you want to enable virtual loopback and click
Add, or click Add All to enable virtual loopback on all servers in the farm.
4. Select Include subfolders if you want to configure servers contained in subfolders.
5. To disable virtual loopback, select a server in the Selected items list and click Remove,
or click Remove All to disable virtual loopback on all the servers in the farm.
After configuring virtual IP loopback on your servers, continue by specifying the application
processes on each server for which you want virtual loopback available.
After enabling the option for the farm, continue by configuring virtual IP addresses and
virtual loopback on an individual server.
To configure virtual IP addresses and virtual loopback on an individual server
After you configure virtual IP address ranges or virtual loopback at the farm level, use
virtual IP configuration settings at the server level to:
• Enable and disable the use of virtual IP and virtual loopback on a server
• View the IP address ranges available on a server
• Control logging of the assignment and release of virtual IP addresses
By default, servers in a farm use the settings defined for the farm. To override the farm
setting, configure an individual setting for a particular server. For example, use this feature
to temporarily disable the use of virtual IP addresses for a server.
Configure the options on each server:
1. In the left pane of the management console, select a server. Then select Action >
Modify server properties > Modify all properties.
2. From the Server Properties list, select Virtual IP.
3. On the Virtual IP page, if you want to enable virtual IP, select Enable virtual IP for this
server. This option allows sessions to use virtual IP addresses on the server. Virtual IP
addresses are enabled by default when you assign an address range to a server.
Note: This option is available only after you enable virtual IP on the Farm Properties
page and then add this server to one or more address ranges. The list in the dialog
box shows the address ranges already defined for the server.
Clear the check box to disable the use of virtual IP addresses for this server. Disabling a
server’s virtual IP addresses does not affect the assignment of addresses to the server.
The assigned addresses remain reserved for the server.
4. If you want to enable logging, select the Use farm settings for IP address logging check
box.
By default, servers use the farm setting for logging events to the system’s Application
log. This option applies the farm setting to the selected server.
Clear the check box to customize the logging option for the server.
5. If desired, select the Enable logging of IP address assignment and release on this server
check box. This option logs IP address assignments and releases in the system’s
Application log. This information includes virtual IP addresses, user names, and session
IDs.
6. If you want to enable virtual loopback, select the Enable virtual loopback for this server
check box. This option allows sessions to use virtual loopback on the server (selected by
default if you assigned addresses for this server on the Properties page for the farm).
Working with XenApp Policies
To control user access or session environments, configure a XenApp policy. XenApp policies
are the most efficient method of controlling connection, security, and bandwidth settings.
You can create policies for specific groups of users, devices, or connection types. Each
policy can contain multiple rules. For example, you can configure rules to:
• Control sound quality for client devices
• Allow users to access the Documents folder on their local client device
• Prevent remote users from being able to save to their hard drives from a session
• Prevent users from accessing the Windows clipboard
• Route print jobs from specific workstations directly from the server to the printer,
rather than through the client device
• Set a required encryption level for specific Citrix XenApp Plugins
• Direct users to connect to servers in a specific remote zone in the event of failure
• Set the session importance level, which, along with the application importance level,
determines Resource Allotment for Preferential Load Balancing
If you create more than one policy in your environment, make sure that you prioritize the
policies so that it is clear, if there is conflict, which policy should take precedence.
In Citrix products, Citrix policies always supersede all other policies and settings in your
environment, including Active Directory policies and Windows settings.
The process for configuring policies is:
1. Create and name the policy.
2. Configure policy rules.
3. Apply the policy to connections by filtering according to access control, client IP
address, client name, servers, and users.
4. Prioritize the policy.
In general, policies override similar settings configured for the entire server farm, for
specific servers, or on the client. However, the highest encryption setting and the most
restrictive shadowing setting always override other settings.
Policies are applied when users connect to the server farm and remain in effect for the
length of the session. Changes you make to policies do not affect users who are already
connected. The changes take effect the next time the users connect.
Creating XenApp Policies
Before you create a policy, decide which group of users or devices you want it to affect.
You may want to create a policy based on user job function, connection type, client device,
or geographic location. Alternatively, you can use the same criteria that you use for
Windows Active Directory group policies.
If you already created a policy that applies to a group, consider editing the policy and
configuring the appropriate rules instead of creating another policy. Avoid creating a new
policy solely to enable a specific rule or to exclude the policy from applying to certain
users.
Note: In addition to the procedures described here, you can use the XenApp Management SDK
(MPSSDK) to create and edit policies. For information about the XenApp Management SDK,
see the Citrix Developer Network.
To create a policy
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select Policies in the left pane and select Actions > New > Policy.
3. In the New Policy dialog box, enter the policy name and, optionally, a description.
Consider naming the policy according to who or what it affects; for example,
Accounting Department or Remote Users.
4. If you want to use a preconfigured set of rules for the policy, select Optimize initial
policy settings for a connection type and select the connection type from the
drop-down list. The rules are optimized for:
• WAN. Configures policy rules suitable for most networks.
• Satellite. Configures policy rules suitable for high latency conditions.
• Dial-up. Configures policy rules suitable for low-bandwidth, high latency conditions.
To edit a policy
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select Policies in the left pane.
3. Right-click the name of the policy you want to edit and select one of the following:
• Edit Description
• Rename Policy
• Properties
Applying XenApp Policies
For a policy to become active, you must create a filter for it so the server can apply it to
matching connections.
You can create filters based on a combination of the following criteria:
• IP address of the client device used to connect to the session
• Name of the client device from which the session is connected
• User or group membership of the user connecting to the session
• Server hosting a session
• Access control through which a client is connecting to a session
You can add as many filters as you want to the policy. The policy is applied only to
connections that meet all filtering conditions.
When a user logs on, all policies that match the filters for the connection are identified.
XenApp sorts the identified policies into priority order, compares multiple instances of any
rule, and applies the rule according to the priority ranking of the policy.
Any rule that is disabled takes precedence over a lower-ranked rule that is enabled. Policy
rules that are not configured are ignored.
To apply a policy
You must add at least one filter to a policy for that policy to be applied.
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. In the left pane, select Policies.
3. From the Contents tab, select the policy you want to apply.
4. From the Actions menu, select Policy > Apply this policy to.
5. In the Policy Filters dialog box, configure filters:
a. From the policy filters list, select a filter for the policy. You can filter based on:
• Access Control. See To apply a policy filter based on existing Access Gateway
policies for details.
• Client IP Address. See To filter based on client IP address for details. If you are
concerned about network access and identity and want to use filters to enforce
your security goals, Citrix does not recommend filtering by client IP address,
because a malicious user can change the IP address reported by the client.
• Client Name. See To filter based on client name for details. If users can change
the name of their client devices, you may not want to filter policies by client
device name. If you are concerned about network access and identity and want
to use filters to enforce your security goals, Citrix does not recommend filtering
by client device name, because a malicious user can change the IP address
reported by the client.
• Servers. See To filter based on servers for details.
• Users. See To filter based on users for details.
b. To enable the filter for the policy, select Filter based on type of filter.
c. Repeat these steps for each filter you want to apply.
The policy is applied the next time the relevant users establish a connection.
To filter based on client IP address
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. In the left pane, select Policies.
3. From the Contents tab, select the policy you want to apply.
4. From the Actions menu, select Policy > Apply this policy to.
5. In the Policy Filters dialog box, select Client IP Address.
6. Select Filter based on client IP address.
7. Select one of the following:
• Apply to all client IP addresses to apply this policy to all connections. To add most
but not all addresses, select Apply to all client IP addresses and then create
exceptions. To create exceptions, add the addresses to which you do not want the
policy to apply, then select Deny for each address.
• Add to add specific client addresses. Make sure Allow is selected for each address
or range chosen.
To filter based on servers
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. In the left pane, select Policies.
3. From the Contents tab, select the policy you want to apply.
4. From the Actions menu, select Policy > Apply this policy to.
5. In the Policy Filters dialog box, select Servers.
6. Select Filter based on servers.
7. To specify servers to which you do not want to apply this policy, from the check mark
drop-down list beside the server name, select Do not apply to this server.
Important: If you filter a policy based on a server, the Configure delivery protocol policy
rule, which is used to configure the Citrix application streaming feature, does not apply.
For more information about application streaming, see Application Streaming.
To filter based on users
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. In the left pane, select Policies.
3. From the Contents tab, select the policy you want to apply.
4. From the Actions menu, select Policy > Apply this policy to.
5. In the Policy Filters dialog box, select Users.
6. Select Filter based on users.
7. Use the controls to apply the policy to all users, all explicit users, all anonymous users,
or a list of users.
Tip: You can add users or groups by clicking Add List of Names or using the Look in
list box. The Look in list box locates all trusted account authorities configured on the
farm servers, including Novell Directory Services (NDS) trees, Active Directory
domains, and local servers.
To add a list of names in the Add List of Names dialog box, do one of the following:
• Enter the user names you want to add. Separate user names with a semicolon.
• Enter Windows NT Domain account names in the “domain\account” format and
Active Directory account names in the “account@domain” format.
Important: To use Active Directory Domain Local Groups and Universal Groups,
your server farm must meet specific network configuration conditions. For more
information, see the XenApp Installation.
• If NDS is enabled, enter NDS account names in the “ndstree\account” format,
where account is the distinguished name of the account.
Note: When adding NDS users, you must have rights to edit farm settings. Use the
Look In list to assign NDS users to objects in any area of management; for
example, applications to which you want them to have access.
To filter based on client name
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. In the left pane, select Policies.
3. From the Contents tab, select the policy you want to apply.
4. From the Actions menu, select Policy > Apply this policy to.
5. In the Policy Filters dialog box, select Client Name.
6. Select Filter based on client name.
7. Select one of the following:
• Apply to all client names to apply this policy to all connections. To add most but
not all client names, select Apply to all client names and then create exceptions.
To create exceptions, add the client names to which you do not want the policy to
apply, then select Deny for each name.
• Add to add specific client names. Make sure Allow is selected for each name
chosen.
In the Add Client Name to Policy Filter dialog box, you can include wildcard
characters.
Important: Web Interface client names are assigned randomly with a prefix of
WI_; therefore, specific client names cannot be anticipated. To filter Web
Interface connections by client name, use the wildcard expression WI_*. Consider
using client name filtering in conjunction with IP address filtering for users who
access XenApp servers from the Web Interface.
Configuring Policy Rules
Citrix recommends the following when configuring policy rules:
• Assign user policies to groups rather than individual users. If you assign user policies to
groups, assignments are updated automatically when you add or remove users from the
group.
• Do not enable conflicting or overlapping settings in the Terminal Services Configuration
tool or in the farm settings of the Access Management Console. In some cases, the Terminal
Services Configuration tool and the farm-wide settings in the Access Management
Console provide similar functionality to XenApp policy rules. When possible, keep all
settings consistent (enabled or disabled) for ease of troubleshooting.
• Disable unused policies. Policies with all the rules set to Not Configured create
unnecessary processing.
• Set unused policy rules to Not Configured. Disabling unused policy rules disables the
rule in all lower-ranked policies.
To configure policy rules
Policies contain rules that define and configure connection settings to be applied when the
policy is enforced. Policy rules can be enabled, disabled, or not configured. By default,
most rules are not configured. Rules are applied only when they are enabled.
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the policy, then select Actions > Properties.
3. Expand the folders to view the rules you can apply.
4. Decide how to use rules in the policy and change their state accordingly. Policy rules
can be in one of three states:
• Not Configured. By default, most rules are not configured, meaning they are
ignored when users log on to the server. If you want to disable a rule in this policy
but you want to be able to enable this rule in a lower-ranked policy, select Not
Configured.
• Enabled. Adds the rule to the policy and allows you to set the rule options in the
details pane.
• Disabled. Explicitly disallows the rule. If you disable a rule, it is not enabled in any
lower-ranked policies. Disabling a feature’s rule does not enable the inverse of the
rule. That is, you cannot turn a feature on in the product by disabling its rule.
The policy rule changes come into effect the next time the relevant users establish a
connection, provided you already applied the policy by enabling a filter.
Using Multiple Policies
You can use multiple policies to tailor XenApp to meet users’ needs based on their job
functions, geographic locations, or connection types. For example, for security reasons you
may need to place restrictions on user groups who regularly work with highly sensitive data.
You can create a policy that requires a high level of encryption for sessions and prevents
users from saving sensitive files on their local client drives. However, if some of the people
in the user group do need access to their local drives, you can create another policy for
only those users. You then rank or prioritize the two policies to control which one takes
precedence.
When using multiple policies, you need to determine how to prioritize them, how to create
exceptions, and how to view the effective policy when policies conflict.
In general, policies override similar settings configured for the entire server farm, for
specific servers, or on the client. The exception to this principle is security. The highest
encryption setting in your environment, including the operating system and the most
restrictive shadowing setting, always overrides other settings and policies.
XenApp policies interact with policies you set in your operating system. Some Windows
policies take precedence over XenApp policies. For some policy rules, such as Secure ICA,
the settings in policies must match the settings in the operating system. If a higher priority
encryption level is set elsewhere, the settings that you specify in the Secure ICA policy or
when you are publishing an application can be overridden.
For example, the encryption settings that you specify when you are publishing an
application should be at the same level as the encryption settings you specified throughout
your environment.
Using Citrix policies with Active Directory
Active Directory and Windows policies do not take precedence over XenApp policies. In a
XenApp environment and with XenApp features, Citrix policies always take precedence over
Windows policies and settings. Citrix designed XenApp policies so that they do not conflict
with Active Directory policies.
In a Citrix environment, XenApp policy rules override the same settings configured in an
Active Directory policy or using the Terminal Services Configuration tool. They also override
Microsoft policies, including those that are related to typical Remote Desktop Protocol
(RDP) client connection settings such as the policies for Desktop wallpaper, Menu
animations, and Windows contents while dragging.
However, XenApp policy rules do not always override policies for encryption and shadowing.
These policies behave according to the most restrictive settings configured by the Terminal
Services Configuration tool, Active Directory group policies, application configuration, and
Citrix policies.
If you are familiar with Active Directory, note these important distinctions:
• For Active Directory policies, the disabled setting affects how the feature functions.
That is, it disables or enables the feature.
• For XenApp policies, the disabled setting only prevents a lower-priority policy from
being able to enable the policy rule. Disabling a XenApp policy rule does not disable its
corresponding feature in the product.
Prioritizing Policies and Creating Exceptions
Prioritizing policies allows you to define the precedence of policies when they contain
conflicting rules. The process XenApp uses to evaluate policies is as follows:
1. When a user logs on, all policies that match the filters for the connection are
identified.
2. XenApp sorts the identified policies into priority order and compares multiple instances
of any rule, applying the rule according to the priority ranking of the policy.
You prioritize policies by giving them different priority numbers. By default, new policies
are given the lowest priority. If policy settings conflict, a policy with a higher priority (a
priority number of 1 is the highest) overrides a policy with a lower priority. Rules are
merged according to priority and the rule’s condition; for example, whether the rule is
disabled, enabled, or not configured. Any disabled rule overrides a lower-ranked rule that is
enabled. Policy rules that are not configured are ignored and do not override the settings of
lower-ranked rules.
When you create policies for groups of users, client devices, or servers, you may find that
some members of the group require exceptions to some policy rules. To more effectively
manage exceptions, you can create new policies for only those group members needing the
exceptions, and then rank that policy higher than the policy for the entire group.
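The evaluation order described above (match every filter, sort by priority, let the first configured state of each rule win) can be modeled in a few lines. This is an added example, not Citrix code: the rule names, policy names, sample connections and the Allow/Deny matching semantics are assumptions made for illustration, and the special handling of encryption and shadowing is not modeled.

```python
"""Model of the policy filtering and rule merging described in this section.
Illustrative only: rule names, policy names and sample data are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

ENABLED, DISABLED, NOT_CONFIGURED = "enabled", "disabled", "not configured"


@dataclass
class Connection:
    user_groups: set      # user name plus group memberships
    client_ip: str        # reported by the client, so not proof of identity
    client_name: str      # reported by the client as well
    server: str


@dataclass
class Policy:
    name: str
    priority: int         # 1 is the highest priority
    filters: dict         # filter type -> [(pattern, allow)]; allow=False is a Deny exception
    rules: dict           # rule name -> (state, value)
    active: bool = True   # False models a disabled policy


def entry_matches(kind, pattern, conn):
    if kind == "client_ip":
        return ip_address(conn.client_ip) in ip_network(pattern)
    if kind == "client_name":            # wildcard expressions such as WI_* are allowed
        return fnmatchcase(conn.client_name, pattern)
    if kind == "users":
        return pattern in conn.user_groups
    if kind == "servers":
        return pattern == conn.server
    raise ValueError(f"unknown filter type: {kind}")


def filter_matches(kind, entries, conn):
    """Assumed semantics: at least one Allow entry matches and no Deny entry matches."""
    hits = [allow for pattern, allow in entries if entry_matches(kind, pattern, conn)]
    return bool(hits) and all(hits)


def policy_applies(policy, conn):
    # A policy without a filter is never applied; every configured filter must match.
    if not policy.active or not policy.filters:
        return False
    return all(filter_matches(k, e, conn) for k, e in policy.filters.items())


def resultant_policy(policies, conn):
    """Return {rule: (state, value, deciding policy)} for one connection."""
    matched = sorted((p for p in policies if policy_applies(p, conn)),
                     key=lambda p: p.priority)
    result = {}
    for policy in matched:
        for rule, (state, value) in policy.rules.items():
            # Not Configured is ignored; a higher-ranked Enabled or Disabled wins.
            if state == NOT_CONFIGURED or rule in result:
                continue
            result[rule] = (state, value if state == ENABLED else None, policy.name)
    return result


# Constructed sample farm: a group policy, a higher-ranked exception, a Web
# Interface policy with a Deny exception, and a policy that has no filter.
POLICIES = [
    Policy("Finance drive exception", 1, {"users": [("FinanceLeads", True)]},
           {"block_client_drives": (DISABLED, None)}),
    Policy("Finance", 2, {"users": [("Finance", True)]},
           {"block_client_drives": (ENABLED, True),
            "secure_ica_encryption": (ENABLED, "128-bit"),
            "twain_redirection": (NOT_CONFIGURED, None)}),
    Policy("Web Interface on LAN", 3,
           {"client_name": [("WI_*", True)],
            "client_ip": [("10.0.0.0/8", True), ("10.0.5.0/24", False)]},
           {"twain_redirection": (ENABLED, "allow")}),
    Policy("No filter yet", 4, {}, {"twain_redirection": (DISABLED, None)}),
]
LEAD_ON_LAN = Connection({"Finance", "FinanceLeads"}, "10.0.1.7", "WI_a1b2c3", "XA01")
STAFF_ON_DENIED_SUBNET = Connection({"Finance"}, "10.0.5.20", "WI_zz99", "XA01")

if __name__ == "__main__":
    for label, conn in (("lead", LEAD_ON_LAN), ("staff", STAFF_ON_DENIED_SUBNET)):
        print(label, resultant_policy(POLICIES, conn))
```

A Disabled result here only records that no lower-ranked policy can enable the rule; as this guide notes, it does not switch the underlying feature off.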
To display the priorities of all policies
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. In the left pane, select Policies.
3. From the View menu, select Details.
To give a policy a higher priority
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the policy.
3. From the Actions menu, select Policy > Priority.
4. Select Increase Priority until the policy has the preferred rank.
Determining Which Policies Apply to a Connection
Sometimes a connection does not respond as expected because multiple policies apply. If a
higher priority policy also applies to a connection, it can override the rules you set in the
original policy. Use the Policy Search feature to:
• Find all policies that can apply to a specific connection
• Determine how final policy rules are merged for the connection (that is, determine the
resultant policy)
To find out which policies apply to connections, you can search by specifying the same
filters that are used to apply policies, adding more search filters if necessary.
If the expected policies are not listed in the Search results, check the filters assigned to the
policies and your search criteria. For example, verify that you have the Allow option set for
a configured account within a user filter assigned to a policy.
To discover which policies apply to a connection
1. From the Actions menu, select Search.
2. In the Search Criteria list, select a filter name. You can narrow the selection by
defining multiple search criteria.
3. Click Edit.
4. Depending on the search criteria you selected:
• Enter Access Control Search Criteria. Select an Access Control connection to find all
policies that match or partially match this connection type.
• Enter Client IP Search Criteria. Select a client IP address to find all policies with
filters that match or partially match this address.
• Enter Client Name Search Criteria. Select a client name to find all policies with
filters that match or partially match this name.
• Enter Server Search Criteria. Select a server to find all policies with filters that
match or partially match this server.
• Enter User Search Criteria. Select a user or group to find all policies with filters
that match or partially match this name.
If you search to see which policies apply to a domain user, the search results do not
list any policies that are applied to any local groups of which the user is a member.
5. Click Search. Accept any prompts that appear. The results appear in the Search Results
display at the bottom of the dialog box.
To resolve partial matches, see Resolving Search Results that Partially Match Criteria.
To display the resultant policy, see Troubleshooting Policies with Conflicting Rules.
Resolving Search Results that Partially Match Criteria
When you use the Search feature to discover which policies apply to a connection, the
results list all policies that match or partially match the search criteria that you selected. A
policy is a partial match if it matches some but not all of the search criteria.
You can eliminate partial matches when you locate all valid matches for the connection
about which you want information.
To resolve search results that partially match search criteria
This procedure assumes that you performed a search and the search results included a
policy that partially matches the search criteria.
1. Right-click the policy in the Search Results pane and select Why is this policy a partial
match?
2. Return to the Search dialog box and supply any additional search criteria to the
connection about which you want information.
3. Eliminate partial matches when you locate all valid matches for the connection about
which you want information. If a message appears saying that no rules are configured
for a policy, see When No Policy Rules are Configured for further details.
Note: Partial matches might make some of the resultant policy settings appear in an
indeterminate state. However, settings that are not affected by the partially matched
policies still appear normally.
Troubleshooting Policies with Conflicting Rules
Because rules set in some policies can conflict with rules set in others and policies can have
multiple filters, a policy may not behave in the way you expect or it may not run at all.
Users, IP addresses, and other filtered objects can have more than one policy that applies
to them simultaneously. When this happens, XenApp merges these policies’ rules to form, in
effect, a new policy resulting from the existing ones. This combination of rules is known as
the resultant policy. When there are multiple policies that can apply to a session, it is the
resultant policy that XenApp enforces.
If you have multiple policies in your environment and you are having trouble figuring out
why a policy won’t run, Citrix recommends that you determine the resultant policy.
To determine a resultant policy
1. Search to determine which policies apply to a connection. See Determining Which
Policies Apply to a Connection.
2. In the Search results dialog box, make sure partial matches are not selected in the
Include column, then select View Resultant Policy.
When No Policy Rules are Configured
When a resultant policy does not contain any configured rules, users connecting to their
applications under conditions that match the search criteria are not affected by any policy
rules.
When you perform a search, you can end up with a resultant policy that has no configured
rules when:
• No policies have a filter set that matches the search criteria
• Policies that match the filter do not have any rules configured
• Policies that match the filter have their rules disabled
If you want to apply policy rules to the connections that meet the specified criteria:
• Make sure the rules that you want to apply to those connections are enabled
• Rank the policy that you want to apply higher than other policies
Disabling, Reenabling, and Deleting Policies
Disable unused policies to prevent unnecessary processing. Disabled policies can be
reenabled.
If you delete a policy rather than disabling it, you cannot undelete the policy.
To disable a policy
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select Policies in the left pane.
3. In the Contents tab, select the policy you want to disable.
4. From the Actions menu, select Policy > Disable Policy. The policy appears in the right
pane with an orange bar through it.
To reenable a policy
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select Policies in the left pane.
3. In the Contents tab, select the policy you want to reenable.
4. From the Actions menu, select Policy > Enable Policy.
To delete a policy
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select Policies in the left pane.
3. In the Contents tab, select the policy you want to delete.
4. From the Actions menu, select Policy > Delete Policy.
Changing Settings Based on User Location
You can use multiple policies to selectively apply XenApp settings to users tailored to how
they connect.
For example, you may have staff members who download high resolution graphics. You can
create two policies, one that enables compression when users employ dial-up connections,
and one that disables compression when they use high-speed connections.
To create policies to customize the user experience based on how users connect
1. Determine how you want policy rules to apply to specific connections. For example, you
may want to enable compression for everyone except those connecting from a specific
IP address range.
2. Create policies for the connections to which you want to apply specific rules.
3. Use filters to set conditions that a connection must meet for a policy to be applied. For
example, when you assign an IP address range filter to a policy, that policy applies only
to connections in that IP address range. A user’s connection must meet all filtering
conditions in a policy for that policy to be applied to the user’s session.
4. Prioritize policies so that rules are applied in the correct order. For example, rank a
policy that disables compression for specific IP addresses higher than the policy that
enables compression for everyone in general.
5. Use Search to confirm how final policy rules are merged for a specific connection.
Search calculates the final rule settings for any combination of a user, group, and IP
address after the rules’ priorities are taken into account.
Configuring Policies and Filters for Web Access
You can create a policy that is applied to Access Gateway connections or to Access Gateway
connections with certain properties.
You can create XenApp policies to accommodate different access scenarios based on factors
such as authentication strength, logon point, and client device information such as endpoint
analysis. You can selectively enable client-side drive mapping, cut and paste functionality,
and local printing based on the logon point used to access the published application.
Prerequisites for Filtering on Access Gateway Connections
For Citrix XenApp to filter on Access Gateway connections, you must complete all of the
following:
• Create one or more filters within Access Gateway Advanced Edition. See the
Administrator's Guide for Access Gateway Enterprise in the Citrix Knowledge Center for
more information about creating filters.
Note: You must be using Access Gateway with the Access Gateway Advanced Edition
(Version 4.0 or later) to create filters that work with XenApp.
• Select Allow connections made through Access Gateway Advanced Edition for published
applications.
• On each server, select Trust requests sent to the XML Service.
• Ensure that your farm is configured to allow Access Gateway connections, which it is by
default.
• Create policies within XenApp that reference Access Gateway Advanced Edition filters.
To apply a policy filter based on Access Gateway connections
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select Policies in the left pane.
3. Select an existing policy or create a new policy for the access control filter.
4. From the Actions menu, select Policies > Apply this policy to.
5. In the left pane, select Access Control.
6. Select Filter based on Access Control.
7. Select Apply to connections made through Access Gateway.
8. Select Any connection to apply this policy to connections made through Citrix Access
Gateway servers (Version 4.0 or later) without considering Access Gateway policies.
To apply a policy filter based on existing Access Gateway policies
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select Policies in the left pane.
3. Select an existing policy or create a new policy for the access control filter.
4. From the Actions menu, select Policies > Apply this policy to.
5. In the left pane, select Access Control.
6. Select Filter based on Access Control.
7. Select Any connection that meets any of the following filters.
8. Click Add. The Add Access Gateway Filter dialog box appears.
9. In the Access Gateway farm list box, enter the name of the Access Gateway farm.
10. In the Access Gateway filter list box, select the Access Gateway policy for XenApp to
use.
Important: XenApp does not validate Access Gateway farm and filter names, so
always verify the names with the Access Gateway administrator.
To apply a policy to every connection except those based on Access Gateway
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select Policies in the left pane.
3. Select an existing policy or create a new policy for the access control filter.
4. From the Actions menu, select Policies > Apply this policy to.
5. In the left pane, select Access Control.
6. Select Filter based on Access Control.
7. Select Apply to all other connections. Doing so applies this policy to all connections
except those made through Access Gateway (Version 4.0 or later).
Enabling Scanners and Other TWAIN Devices
XenApp lets users control client-attached TWAIN imaging devices, such as scanners and
cameras, from published applications. This feature is known as TWAIN redirection because
XenApp provides TWAIN support by redirecting commands sent from a published application
on the server to the client device.
Users can connect regardless of connection type. However, XenApp requires the following
for TWAIN support:
• The imaging device must be connected locally to the client and have the associated
vendor-supplied TWAIN driver installed locally.
• Citrix Presentation Server Client Version 9.x or later, the Citrix XenApp Plugin for
Hosted Apps, or the Citrix XenApp Plugin for Streamed Apps.
• XenApp 32-bit and 64-bit servers support TWAIN redirection for 32-bit TWAIN
applications only. XenApp does not support 16-bit TWAIN drivers.
• The Configure TWAIN redirection policy rule must be enabled.
The following table lists the TWAIN hardware and software tested with XenApp. While other
TWAIN devices may work, only those listed are supported.
Scanners and Scanning Devices
• Canon CanoScan 3200F
• Canon CanoScan 8000F
• Canon CanoScan LiDE600F
• Epson Perfection 3170 Photo
• Fujitsu fi-6140
• HP Office Jet 7130 All-In-One
• HP ScanJet 8250
• HP ScanJet 8290
• Microtek ScanMaker 5950
• Visioneer OneTouch 9320
• Xerox DocuMate 510
Web/Digital Cameras
• D-Link VisualStream DSB-C310 PC Camera
• Logitech QuickCam Messenger
Software
• Adobe Acrobat Capture
• Adobe Pagemaker 7.0
• Corel Paint Shop Pro
• Microsoft Digital Image Suite 9
• Microsoft Digital Image Suite 10
• Microsoft Office Document Scanning
• Microsoft Office Publisher 2003
• Microsoft Office Publisher 2007
• Microsoft Picture It!
• OmniPage SE Version 2.0
To enable TWAIN redirection
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Open the Properties dialog box of the policy in which you want to control TWAIN
redirection.
3. Enable the rule Client Devices > Resources > Other > Configure TWAIN redirection.
4. Use the options to allow and disallow TWAIN redirection, as well as control the level of
data compression.
Consider the following after enabling TWAIN redirection:
• The image acquisition software must be installed on the XenApp server.
• Image acquisition software that provides the USB device drivers must be installed on
the client platform.
• Some applications are not Terminal Server aware and look for Twain32.dll in the
\Windows directory of the user profile (by default, C:\Documents and
Settings\UserName\Windows). Copying Twain32.dll into the \Windows directory of each
user profile resolves this issue. You can also correct this by adding the application to
the Terminal Server application compatibility list with the following two flags specified:
  • Windows application: 0x00000008
  • Do not substitute user Windows directory: 0x00000400
• This feature supports the following modes of TWAIN information transfer:
  • Native
  • Buffered Memory (most scanning software works by default in Buffered Memory
  mode)
Note: The disk file transfer mode is not supported.
Managing Session Environments and Connections
Provide user access to your farm’s resources by:
• Customizing user environments
• Controlling connections
• Monitoring, managing, and optimizing sessions
When a user initially connects to your farm and opens a published application, the server
opens the application in a session. In XenApp, the term session refers to a particular
instance of a user’s activity on the server; sessions are the virtualization of the user’s
environment.
Users access published applications in sessions after the client device establishes a
connection with the server.
When a user logs on to the farm, the client device links to the server through a connection
and establishes a session. This connection is known as the client connection. Users access
published resources through client connections, inside of sessions.
As an administrator, you can customize users’ environments, including whether or not users
can access mapped drives, such as the local client device’s hard disk; if they can access
local special folders, the printers that are available, and the amount of bandwidth used for
audio support. You can change these settings based on the location from where the users
are connecting.
XenApp provides settings to ensure sessions remain reliable. You can also monitor users’
sessions, and their sessions’ status, by shadowing.
Defining User Environments in XenApp
XenApp provides different ways to control what users experience in their session
environments. You can customize user environments in the following ways:
• By suppressing the number of progress bars users see when they first open an
  application, so that XenApp appears to be an integrated part of their everyday
  environment.
• By either allowing or preventing users from accessing their local devices or ports during
  a session. You can also prevent users from accessing devices and ports during remote
  sessions.
• By defining whether or not users can hear audio or use microphones during sessions. If
  you enable audio support, you can specify the level of audio compression and limit
  bandwidth, if necessary. You can control audio either at the group level through
  policies or at the published application level.
• By ensuring that mobile workers, such as travelling salespeople or workers inside a
  hospital, always have the most appropriate printers and devices available to them
  inside of a session.
For Citrix XenApp Plug-in for Hosted Apps, you can also customize the user’s experience by
choosing whether you want published applications and desktops to appear in a window
within a Remote Desktop window or “seamlessly.” In seamless window mode, published
applications and desktops appear in separate resizable windows, which make the
application appear to be installed locally. Certain features are available only in seamless
mode.
Some features that relate to session environments or connections, such as dual-monitor
mode support and information about logons, are plug-in specific. Details about these
features are located in the Citrix XenApp Plugin for Hosted Apps and the Web Interface
topics in the Citrix eDocs documentation library.
Controlling the Appearance of User Logons
When users connect to a server, they see all connection and logon status information in a
sequence of screens, from the time they double-click a published application icon on the
client device, through the authentication process, to the moment the published application
launches in the session.
XenApp achieves this logon look and feel by suppressing the status screens generated by a
server’s Windows operating system when a user connects. To do this, XenApp Setup enables
the following Windows local group policies on the server on which you install the product:
• Administrative Templates > System > Remove Boot / Shutdown / Logon / Logoff status
  messages
• Administrative Templates > System > Verbose versus normal status messages
However, Active Directory group policies take precedence over equivalent local group
policies on servers. Therefore, when you install XenApp on servers that belong to an Active
Directory domain, those Active Directory policies may prevent XenApp from suppressing the
status screens generated by the Windows operating systems of the individual servers. In
that case, users see the status screens generated by the Windows operating system when
connecting to that server. For optimal performance, do not configure these group policies
in Active Directory.
Controlling Access to Devices and Ports
Citrix XenApp Plugin for Hosted Apps supports mapping devices on client computers so users
can access the devices within sessions. Client device mapping provides:
• Access to local drives and ports
• Cut-and-paste data transfer between a session and the local clipboard
• Audio (system sounds and .wav files) playback from the session
During logon, the plugin informs the server of the available client drives and COM ports. By
default, client drives are mapped to server drive letters so the drives appear to be directly
connected to the server. These mappings are available only for the current user during the
current session. The mappings are deleted when the user logs off and recreated the next
time the user logs on.
Mapping Client Drives
By default, the drives on the client system are mapped automatically to drive letters on the
server when users log on. The client’s disk drives appear as shared folders with mapped
drive letters. These drives are used by Windows Explorer and other applications like any
other network drive.
In general, XenApp tries to match the client drives to the client drive letters; for example,
the client device’s first floppy disk drive to A, the second floppy disk drive to B, the first
hard disk partition to C, and so forth. This allows the user to access client drive letters in
the same way locally and within sessions.
However, the same drive letters are often in use by the drives on the server. In this case,
client drives are mapped to different drive letters. The server starts at V and searches in
ascending order for unassigned drive letters.
You can turn off client drive mapping through policies you configure in XenApp. Similarly,
you can turn off mapping to client floppy disk drives, hard drive, CD-ROM drives, or remote
drives.
If access to the floppy disk drives is not needed, consider disabling access to speed up the
logon process.
As a security precaution, when a user logs on to XenApp, by default, the server maps client
drives without user execute permission. For users to be able to execute files residing on
mapped client drives, override this default by editing the value of
ExecuteFromMappedDrive in the registry on a XenApp server.
Caution: Using Registry Editor incorrectly can cause serious problems that can require
you to reinstall the operating system. Citrix cannot guarantee that problems resulting
from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Make sure you back up the registry before you edit it.
To enable users to execute files on mapped drives
1. After installing XenApp, run regedit.
2. Find the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdm\Parameters\ExecuteFromMappedDrive
3. To grant users execute permission on mapped drives, set ExecuteFromMappedDrive to
1. This is the default setting. To deny users execute permission on mapped drives, set
ExecuteFromMappedDrive to 0.
4. Restart the server.
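To audit the ExecuteFromMappedDrive setting described above across servers, the following PowerShell function is an added example and is not part of the Citrix documentation. It assumes ExecuteFromMappedDrive is a DWORD value under the Cdm\Parameters key; the function name Get-CdmExecuteSetting and the state labels are hypothetical.

```powershell
# Added example: read-only audit of the client drive execute setting.
# Assumption: ExecuteFromMappedDrive is a DWORD value under Cdm\Parameters.
function Get-CdmExecuteSetting {
    [CmdletBinding()]
    param(
        # Servers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $subKey    = 'SYSTEM\CurrentControlSet\Services\Cdm\Parameters'
    $valueName = 'ExecuteFromMappedDrive'

    foreach ($computer in $ComputerName) {
        $state = 'Unknown'
        $raw   = $null
        $base  = $null
        $key   = $null
        try {
            # Remote reads need the Remote Registry service and
            # administrative rights on the target server.
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key  = $base.OpenSubKey($subKey)    # opened read-only

            if ($null -eq $key) {
                $state = 'KeyMissing'            # Cdm\Parameters not present
            }
            else {
                $raw = $key.GetValue($valueName) # $null when the value is absent
                if     ($null -eq $raw)     { $state = 'NotSet' }
                elseif ($raw -isnot [int])  { $state = 'UnexpectedType' }
                elseif ($raw -eq 0)         { $state = 'ExecuteDenied' }
                elseif ($raw -eq 1)         { $state = 'ExecuteAllowed' }
                else                        { $state = 'UnexpectedValue' }
            }
        }
        catch {
            # Unreachable host, access denied, and similar failures.
            $state = "Error: $($_.Exception.Message)"
        }
        finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }

        # One result object per server, with a stable column order.
        New-Object PSObject -Property @{
            ComputerName = $computer
            Value        = $raw
            State        = $state
        } | Select-Object ComputerName, Value, State
    }
}

# Local check; pass -ComputerName with a list of XenApp servers to audit a farm.
Get-CdmExecuteSetting | Format-Table -AutoSize
```

Servers reported as ExecuteAllowed let users run files that reside on mapped client drives; review those against your policy for client drive mapping.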
Mapping Client COM Ports and Audio
Client COM port mapping allows a remote application running on the server to access
devices attached to COM ports on the client device. Client COM ports are not mapped
automatically to server ports at logon, but can be mapped manually using the net use or
CHGCDM commands.
Client audio mapping allows applications running on the server to play sounds through a
sound device on the client device. The server can control the amount of bandwidth used by
client audio mapping. Audio mapping is configured with Citrix policies.
For more information about client COM port and audio mapping, see the administrator’s
guides for the plugins you plan to deploy.
Displaying Local Special Folders in Sessions
To make it easier for your users to save files to their special folders locally, you can enable
Special Folders Redirection. Special folders is a Microsoft term that refers to Windows
folders such as Documents, Computer, and the Desktop.
Without Special Folder Redirection enabled, the Documents and Desktop icons that appear
in a session point to the user’s Documents and Desktop folders on the server. Special Folder
Redirection redirects actions, such as opening or saving a file, so that when users save or
open files from special folders, they are accessing the special folder on their local
computers. In addition, for the Citrix XenApp plugin, the Documents folder in the Start
menu maps to the Documents folder on the client device.
Requirements
To use Special Folder Redirection, users must access the farm with the Citrix XenApp Plugin
11.x or the Web Interface.
Restrictions
Do not enable Special Folders Redirection in situations when a user connects to the same
session from multiple client devices simultaneously. For Special Folder Redirection to work,
the user must log off from the session on the first client device and start a new session on
the second client device. If users must run multiple sessions simultaneously, use roaming
profiles or set a home folder for that user in the User Properties in Active Directory.
Because Special Folder Redirection must interact with the client device, some settings
prevent Special Folder Redirection from working. You cannot have policy rules that prevent
users from accessing or saving to their local hard drives.
Currently, for seamless and published desktops, Special Folder Redirection works only for
the Documents folder. For seamless applications, Special Folder Redirection only works for
the Desktop and Documents folders. Citrix does not recommend using Special Folder
Redirection with published Windows Explorer.
Special Folder Redirection requires access to the Documents and Desktop folders on the
user’s local computer. When a user launches an application through the Web Interface and
uses File Security to select No Access in the File Security dialog box in Connection Center,
access is denied to the user’s local workstation drives, including the user’s local Documents
and Desktop folders. As a result, some applications might be unstable when trying to
perform read/write operations to the denied folders. To avoid this, always grant full local
access when Special Folder Redirection is enabled.
Caution: Special Folder Redirection does not redirect public folders on Windows Vista and
Windows Server 2008. If users are connecting to servers that are not in their domain,
instruct users not to save to public folders. If users save documents to public folders,
they are saving them to a local folder on the server hosting the published application. In
large environments where many servers host the same application, it could be difficult to
determine which server contains the public folder where the user saved the document.
Considerations for Enabling Redirection
Special Folder Redirection support is enabled by default, but you must provide this feature
to users through the Citrix XenApp plugin and Web Interface. You can either enable Special
Folder Redirection for all users or configure that users must enable the feature themselves
in their client settings.
You can prevent specific users from having redirected special folders by enabling the
Special folders redirection policy rule.
The process for enabling Special Folder Redirection is:
1. Enable support for Special Folder Redirection for the clients in your environment
through the Access Management Console or Delivery Services Console (depending on the
version of XenApp you have installed).
2. Decide if you want to let users turn this feature on and off in their sessions.
Instructions for users are provided in their plugin help.
3. Exclude users that you do not want accessing local Special Folders by enabling the
Special folder redirection policy rule in the policies that apply to the users.
4. Ensure you do not have any policy rules enabled that are not supported with Special
Folder Redirection:
• If the Mappings policy rule (Resources > Drives > Mappings) is enabled, clear the
  Turn off Hard Drives check box
• If the Connection policy rule (Resources > Drives > Connection) is enabled, clear the
  Do Not Connect Client Drives at Logon check box
If you enable Special Folder Redirection without success, use Search to determine if any
rules are enabled that conflict with this feature.
Tip: Let your users know that other Special Folders, such as Music or Recent Documents,
still point to the server. If users save documents to these folders, they are saved to the
server.
To enable Special Folder Redirection
This procedure requires that you already created a XenApp Services site or a XenApp Web
site.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. To enable Special Folder Redirection for the Web Interface:
a. In the left pane, select Citrix Resources > Configuration Tools > Web Interface >
XenApp Web Site Name.
b. From the Action menu, choose Manage session preferences.
c. In the Managing Session Preferences page, select Remote Connection > Local
Resources.
d. Go to Step 4.
3. To enable Special Folder Redirection for the Citrix XenApp plugin:
a. In the left pane, select Citrix Resources > Configuration Tools > Web Interface >
XenApp Services Site Name> config.xml.
b. From the Action menu, choose Change session options.
c. In Change Session Options, click Local Resources.
d. Go to Step 4.
4. Select the correct check box.
To ... | select the options...
--- | ---
Enable Special Folder Redirection by default and let users turn it off in their session options | • Provide Special Folder Redirection to all users • Allow users to customize Special Folder Redirection
Disable Special Folder Redirection by default, but let users turn it on in their session options | • Allow users to customize Special Folder Redirection
Enable Special Folder Redirection by default and prevent users from turning it on or off | • Provide Special Folder Redirection to all users
To prevent local special folders from being redirected
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
  XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the policy that contains the users or devices you want to prevent from seeing
local special folders.
3. Choose Actions > Properties.
4. Select Client Devices > Resources > Drives > Special folder redirection.
5. Select Enabled. This prevents special folders from being redirected to the local client
device in the sessions to which this policy applies.
Tip: You can prevent this rule from affecting specific users or devices (for example)
in a group by specifying them in the Configured Accounts section of the Policy Filter
dialog box and selecting Deny. Selecting Deny for these individuals means that their
special folders will be redirected.
The policy rule changes take effect the next time the affected users establish a connection.
Configuring Audio for User Sessions
XenApp provides tools to manage and control the availability of sound in sessions, both in
terms of quality and cost in resources, including:
• Audio properties you configure for individual published applications
• Audio related policies and settings you configure for specific connection types
• Audio settings the user configures on the client device
For example, you can use audio-related connection policies to control bandwidth usage and
server CPU utilization. You can configure a policy rule to enable audio for connections
where audio is essential, and configure another rule to disable audio for connections where
it is not essential.
You control the availability of speakers and microphones in sessions with policy rules. On
the client device, a single setting controls both. To enable audio on the client device, the
user selects an audio quality level from the Settings dialog box (for Program Neighborhood)
or from the Options dialog box (for the Citrix XenApp plugin). The connection policies you
configure on the server determine what audio quality levels are available to the user.
Connection policies permitting, enabling audio on the client device turns on speakers,
microphones, or both.
Important: This topic covers aspects of enabling audio support on servers. To use audio in
sessions, users must also enable audio on the client device. For more information about
enabling audio for plugins, see the administrator’s guides for the specific plugins.
When audio is enabled, you can also use policy rules to fine tune compression levels and
bandwidth allocation.
Note: The availability and quality of audio in sessions is determined by Terminal Services
(TS Config) settings and policies you configure. By default, Terminal Services settings are
configured, whereas XenApp policies are not. This means that Terminal Services settings
apply by default, making medium quality audio available in sessions until you configure
XenApp policies that override the Terminal Services settings. When configured, XenApp
policies override Terminal Services settings.
To enable or disable audio for published applications
You can enable or disable audio for published applications. If you disable audio for a
published application, audio is not available within the application under any condition. If
you enable audio for an application, you can use policy rules and filters to further define
under what conditions audio is available within the application.
1. In the Access Management Console, select the published application for which you want
to enable or disable audio, and select Action > Modify application properties > Modify
all properties.
2. Under Advanced > Client options, select or clear the Enable legacy audio check box.
Limiting Bandwidth for Audio Throughput
Use policy rules to configure the amount of bandwidth you want to allocate to audio
transfers between servers and client devices. For example, you might want to create
separate policy rules for groups of dial-up users and for those who connect over a LAN,
accommodating the different amounts of bandwidth each group will have available.
To configure bandwidth limits for audio
In this procedure, you are editing an existing policy that applies to a specific group of
filtered objects, such as servers or users.
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
  XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the policy for which you want to configure the rule.
3. From the Actions menu, select Properties.
4. Expand Bandwidth.
5. Select one of these folders:
• Select Session Limits to specify the bandwidth available for audio in kilobits per
  second (for example, 70Kbps).
• Select Session Limits (%) to limit the bandwidth available for audio to a percentage
  of the overall bandwidth available.
  Note: If you want to specify bandwidth as a percentage using the Session Limits
  (%) rule, you must enable the Overall Session rule in the Session Limits folder as
  well.
6. Select Audio to configure the rule and enter the bandwidth limit.
To configure audio compression and output quality
Generally, higher sound quality requires more bandwidth and higher server CPU utilization.
You can use sound compression to balance sound quality and overall session performance.
Use policy rules to configure the compression levels you want to apply to sound files.
Consider creating separate policies for groups of dial-up users and for those who connect
over a LAN. Over dial-up connections, where bandwidth typically is limited, users likely
care more about download speed than sound quality. For such users, create a policy for
dial-up connections that applies high compression levels to sound and another for LAN
connections that applies lower compression levels.
In this procedure, you are editing an existing policy that applies to a specific group of
filtered objects (such as, servers and users).
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
  XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the policy for which you want to configure the rule.
3. From the Actions menu, select Properties.
4. Select Client Devices > Resources > Audio > Sound quality and configure the rule.
5. Choose from these levels of sound quality:
• Low sound quality; best performance. This setting is recommended for
  low-bandwidth connections. This setting causes any sounds sent to the client device
  to be compressed to a maximum of 16Kbps. This compression results in a significant
  decrease in the quality of the sound. The CPU requirements and benefits of this
  setting are similar to those of the Medium setting; however, the lower data rate
  allows reasonable performance for a low-bandwidth connection.
• Medium sound quality; good performance. (Default.) This setting is recommended
  for most LAN-based connections. This setting causes any sounds sent to the client
  device to be compressed to a maximum of 64Kbps. This compression results in a
  moderate decrease in the quality of the sound played on the client device.
• High sound quality; lowest performance. This setting is recommended for
  connections only where bandwidth is plentiful and sound quality is important. This
  setting allows client devices to play a sound file at its native data rate. Sounds at
  the highest quality level require about 1.3Mbps of bandwidth to play clearly.
  Transmitting this amount of data can result in increased CPU utilization and
  network congestion.
  Note: High sound quality increases bandwidth requirements by sending more
  audio data to client devices and increases server CPU utilization.
Enabling Support for Microphones and Speakers
For users to use speakers and microphones in sessions, both audio input (for microphones)
and output (for speakers) must be enabled. Audio input and output are controlled by two
separate policy rules; you must configure both to ensure that audio input and output are
enabled.
This allows you to implement separate connection policies; for example, for users of mobile
devices and for users who connect over a LAN. For the mobile user group, you may want to
enable audio input but disable audio output. This lets mobile users record notes from the
field, but prevents the server from sending audio to the mobile devices, ensuring better
session performance. Enabling audio input and output also enables support for digital
dictation.
On the client device, users control audio input and output in a single step—by selecting an
audio quality level from the Settings dialog box (for Program Neighborhood) or from the
Options > Session Options dialog box (for the Citrix XenApp plugin).
By default, when you configure this rule, audio input is enabled on client devices. Web
Interface users can override the policy and disable their microphones by selecting No in the
Audio Security dialog box, which they access from the Citrix Connection Center.
To enable audio input for sessions
In this procedure, you are editing an existing policy that applies to a specific group of
filtered objects, such as servers or users.
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
  XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the policy for which you want to enable audio input.
3. From the Actions menu, select Properties.
4. Select Client Devices > Resources > Audio > Microphones.
5. Select Enabled and Use client microphones for audio input.
Note: Microphone input is supported on Citrix XenApp Plugin for Hosted Apps for
Windows, Windows CE, and Linux.
To enable audio output for sessions
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
  XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the policy for which you want to enable audio output.
3. From the Actions menu, select Properties.
4. Select Client Devices > Resources > Audio > Turn off speakers. By default, the client
device’s speakers are turned off because this property is enabled.
5. Select Disabled.
Setting Up for Digital Dictation Devices
If you have enabled microphone and speaker support, XenApp requires no additional
configuration to allow users to record audio using a standard microphone. However, to
allow users to use digital dictation devices such as Philips SpeechMike devices and dictation
software such as WinScribe Internet Author and Internet Typist, you must install and
configure the associated software and set session sound quality to accommodate them.
Note: The plugins for Linux and Windows CE do not support Philips SpeechMike products,
nor does XenApp on 64-bit operating systems.
To make Philips SpeechMike devices or similar products available in user sessions, install
the device drivers associated with the products on the XenApp server and on client devices.
Citrix recommends you install Philips SpeechMike device drivers before installing XenApp.
To make dictation software such as WinScribe Internet Author and Internet Typist available,
install this software on the XenApp server. After installation, you might be required to
enable the controls for the dictation device within the dictation software. Refer to the
product documentation for instructions on installation and enabling controls.
Within the Web Interface, set sound quality for the XenApp service site to at least medium
quality. To enable the use of Philips SpeechMagic Speech Recognition server in conjunction
with WinScribe software, set sound quality to high to enable accurate speech-to-text
translation.
After installing XenApp, you can enable the use of Philips SpeechMike USB devices by
implementing certain changes to Microsoft Windows 2008 that include editing the Microsoft
Windows registry. Philips SpeechMike serial port devices do not require these changes.
Caution: Editing the Registry incorrectly can cause serious problems that may require you
to reinstall your operating system. Citrix cannot guarantee that problems resulting from
the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Be sure to back up the registry before you edit it.
For information on enabling support for Philips SpeechMike USB devices, see Microsoft
article http://support.microsoft.com/kb/961918.
To set sound quality for digital dictation devices
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select Citrix Resource > Configuration Tools > Web Interface > XenApp
Services Site Name > config.xml.
3. From the Action menu, select Change session options.
4. In Change Session Options, select Color and Sound.
5. In the Sound area, select Medium quality or High quality.
Ensuring Session Continuity for Mobile Workers
The Workspace Control feature provides users with the ability to disconnect quickly from all
running applications, to reconnect to applications, or to log off from all running
applications. Workspace Control enables users to move among client devices and gain
access to all of their open applications when they log on.
For example, you can use Workspace Control to assist health-care workers in a hospital who
need to move quickly between workstations and access the same set of applications each
time they log on to XenApp. If you configure Workspace Control options to allow it, these
workers can disconnect from multiple applications at one client device and then reconnect
to open the same applications at a different client device.
For users accessing applications through the Web Interface or the Citrix XenApp plugin, you
can configure—and allow users to configure—these activities:
• Logging on. By default, Workspace Control enables users to reconnect automatically to
  all running applications when logging on, bypassing the need to reopen individual
  applications. Through Workspace Control, users can open disconnected applications plus
  applications active on another client device. Disconnecting from an application leaves
  the application running on the server. If you have roaming users who need to keep some
  applications running on one client device while they reconnect to a subset of their
  applications on another client device, you can configure the logon reconnection
  behavior to open only the applications that the user disconnected from previously.
• Reconnecting. After logging on to the server farm, users can reconnect to all their
  applications at any time by clicking Reconnect. By default, Reconnect opens
  applications that are disconnected plus any applications currently running on another
  client device. You can configure Reconnect to open only those applications that the
  user disconnected from previously.
• Logging off. For users opening applications through the Web Interface, you can
  configure the Log Off command to log the user off from the Web Interface and all
  active sessions together, or log off from the Web Interface only.
• Disconnecting. Users can disconnect from all running applications at once without
  needing to disconnect from each application individually.
Workspace Control is enabled in the server farm by default and is available only for users
accessing applications through the Web Interface or the Citrix XenApp plugin.
User policies, client drive mappings, and printer configurations change appropriately when
a user moves to a new client device. Policies and mappings are applied according to the
client device where the user is currently logged on to the session. For example, if a health
care worker logs off from a client device in the emergency room of a hospital and then logs
on to a workstation in the hospital’s X-ray laboratory, the policies, printer mappings, and
client drive mappings appropriate for the session in the X-ray laboratory go into effect at
the session startup.
You can customize what printers appear to users when they change locations as well as
control whether they can print to local printers, how much bandwidth is consumed when
users connect remotely, and other aspects of their printing experiences.
For more information about enabling and configuring Workspace Control for users, see Web
Interface topics.
Maintaining Session Activity
Users can lose network connectivity for various reasons, including unreliable networks,
highly variable network latency, and range limitations of wireless devices. Losing
connectivity often leads to user frustration and a loss of productivity. You can leverage
these three features of XenApp to optimize the reliability of sessions and to reduce the
amount of inconvenience, downtime, and loss of productivity users incur due to lost
network connectivity.
• Session Reliability
• Auto Client Reconnect
• ICA Keep-Alive
Configuring Session Reliability
Session Reliability keeps sessions active and on the user’s screen when network connectivity
is interrupted. Users continue to see the application they are using until network
connectivity resumes.
This feature is especially useful for mobile users with wireless connections. Take, for
example, a user with a wireless connection who enters a railroad tunnel and momentarily
loses connectivity. Ordinarily, the session is disconnected and disappears from the user’s
screen, and the user has to reconnect to the disconnected session.
With Session Reliability, the session remains active on the server. To indicate that
connectivity is lost, the user’s display freezes and the cursor changes to a spinning
hourglass until connectivity resumes on the other side of the tunnel. The user continues to
access the display during the interruption and can resume interacting with the application
when the network connection is restored. Session Reliability reconnects users without
reauthentication prompts.
Users of Program Neighborhood can override the Session Reliability setting by selecting or
clearing the Enable session reliability option in their application or connection settings.
Users of the Citrix XenApp plugin and the Citrix XenApp Web Plugin cannot override the
server setting.
By default, Session Reliability is enabled at the server farm level through the Access
Management Console or the Delivery Services Console, depending on the version of XenApp
you have installed. You can customize the settings for this feature by opening the server
farm’s Properties page and modifying the Session Reliability settings as appropriate. You can
edit the port on which XenApp listens for session reliability traffic and edit the amount of
time Session Reliability keeps an interrupted session connected.
The Seconds to keep sessions active option has a default of 180 seconds, or three minutes.
Though you can extend the amount of time Session Reliability keeps a session open, this
feature is designed to be convenient to the user and it does not, therefore, prompt the user
for reauthentication. If you extend the amount of time a session is kept open
indiscriminately, chances increase that a user may get distracted and walk away from the
client device, potentially leaving the session accessible to unauthorized users.
Note: You can use Session Reliability in conjunction with Secure Sockets Layer (SSL).
If you do not want users to be able to reconnect to interrupted sessions without having to
reauthenticate, use the Auto Client Reconnect feature. You can configure Auto Client
Reconnect to prompt users to reauthenticate when reconnecting to interrupted sessions.
If you use both Session Reliability and Auto Client Reconnect, the two features work in
sequence. Session Reliability closes, or disconnects, the user session after the amount of
time you specify in Seconds to keep sessions active. After that, the settings you configure
for Auto Client Reconnect take effect, attempting to reconnect the user to the
disconnected session.
Important: If the Session Reliability feature is enabled, the default port used for session
communication changes from 1494 to 2598.
Configuring Automatic Client Reconnection
The Auto Client Reconnect feature allows plugins for Windows, Java, and Windows CE to
detect broken connections and automatically reconnect users to disconnected sessions.
When a plug-in detects an involuntary disconnection of a session, it attempts to reconnect
the user to the session until there is a successful reconnection or the user cancels the
reconnection attempts.
When a connection breaks, it may leave the server session in an active state. Users can
reconnect only to sessions that are in a disconnected, or inactive, state. Cookies containing
keys to user credentials and session IDs are created on the client device when sessions are
started. Because users can be reconnected only to disconnected sessions, Auto Client
Reconnect uses the cookie on the client device to disconnect an active session before
attempting to reconnect.
By default, Auto Client Reconnect is enabled at the server farm level through the Access
Management Console or the Delivery Services Console, depending on the version of XenApp
you have installed. User reauthentication is not required. You can customize the settings
for this feature at the farm level and for individual servers. To do this, select ICA on the
corresponding farm or server Properties page and modify the Auto Client Reconnect settings
as appropriate.
Security in Auto Client Reconnect. Auto Client Reconnect incorporates an authentication
mechanism based on encrypted user credentials. When a user initially logs on to a server
farm, XenApp encrypts and stores the user credentials in memory, and creates and sends a
cookie containing the encryption key to the plugin. The plug-in submits the key to the
server for reconnection. The server decrypts the credentials and submits them to Windows
logon for authentication.
When cookies expire, users must reauthenticate to reconnect to sessions. Cookies are not
used if you select Require user authentication. Selecting this option displays a dialog box to
users requesting credentials when the plug-in attempts to reconnect automatically.
Note: For maximum protection of users’ credentials and sessions, use SSL encryption for
all communication between clients and the server farm.
Configuring Auto Client Reconnect Settings. You can configure these Auto Client Reconnect
settings:
• Require user authentication upon auto reconnection. You can set this requirement at
the server farm level or for individual servers.
• Enable or disable logging of reconnection events for the server farm or individual
servers.
• Enable or disable auto reconnect functionality on the client device using an ICA file or
using Group Policy to configure Session reliability and automatic reconnection on client
devices.
To require user authentication for automatic reconnection and to enable reconnection event
logging, you can use the acrcfg command or the Access Management Console (or Delivery
Services Console, depending on the version of XenApp you have installed). Reconnection event
logging is disabled by default. For more information about the acrcfg command, see XenApp
Commands Reference.
Disable Auto Client Reconnect on the plugin for Windows by using the icaclient.adm file.
For more information about plug-in configuration, see XenApp Plug-in for Hosted Apps.
Settings for connections also affect Auto Client Reconnect.
Configuring Connections for Automatic Client Reconnection. By default, Auto Client
Reconnect is enabled at the server farm level; user reauthentication is not required.
However, if a server’s ICA TCP connection is configured to reset sessions with a broken
communication link, automatic reconnection does not occur. Auto Client Reconnect works
only if the server disconnects sessions when there is a broken or timed out connection.
In this context, the ICA TCP connection refers to a XenApp server’s virtual port (rather than
an actual network connection) that is used for sessions on TCP/IP networks.
By default, the ICA TCP connection on a XenApp server is set to disconnect sessions with
broken or timed out connections. Disconnected sessions remain intact in system memory
and are available for reconnection by the plugin.
The connection can be configured to reset, or log off, sessions with broken or timed out
connections. When a session is reset, attempting to reconnect initiates a new session;
rather than restoring a user to the same place in the application in use, the application is
restarted.
If XenApp is configured to reset sessions, Auto Client Reconnect creates a new session. This
process requires users to enter their credentials to log on to the server.
Logging Automatic Client Reconnection Events. To enable or disable log entries for
automatic reconnection events, open the ICA page in the Properties pages for the server
farm or individual servers.
Logging is disabled by default. When logging is enabled, the server’s System log captures
information about successful and failed automatic reconnection events to help with
diagnosis of network problems.
Automatic reconnection can fail if the plugin submits incorrect authentication information,
which might occur during an attack, or if the server determines that too much time has
elapsed since it detected the broken connection.
Each server stores information about reconnection events in its own System log. The server
farm does not provide a combined log of reconnection events for all servers.
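Because each server keeps its own System log, failures spread across several servers only stand out after the logs are merged. The following is an added example, not Citrix code: the record fields, server names and sample events are constructed, since this manual does not give the event format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: one export per server with hypothetical fields
# (timestamp, client name, user, result of the automatic reconnection).
SERVER_LOGS = {
    "XA-01": [
        ("2015-03-04 09:00:05", "WS-114", "jdoe", "success"),
        ("2015-03-04 09:10:12", "KIOSK-7", "asmith", "failure"),
    ],
    "XA-02": [
        ("2015-03-04 09:10:40", "KIOSK-7", "asmith", "failure"),
        ("2015-03-04 09:30:00", "WS-201", "bchan", "failure"),
    ],
    "XA-03": [
        ("2015-03-04 09:11:15", "KIOSK-7", "asmith", "failure"),
        ("2015-03-04 09:12:02", "KIOSK-7", "asmith", "success"),
    ],
}


def merge_logs(server_logs):
    """Build the farm-wide, time-ordered view that the farm itself does not provide."""
    events = [
        {"time": datetime.strptime(ts, FMT), "server": server,
         "client": client, "user": user, "result": result}
        for server, rows in server_logs.items()
        for ts, client, user, result in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag clients with `threshold` failed reconnections inside `window`, farm-wide."""
    recent = defaultdict(list)   # client -> failures still inside the window
    alerts = []
    for ev in events:
        if ev["result"] != "failure":
            continue
        burst = recent[ev["client"]]
        burst.append(ev)
        while ev["time"] - burst[0]["time"] > window:
            burst.pop(0)         # drop failures that aged out of the window
        if len(burst) >= threshold:
            alerts.append({
                "client": ev["client"],
                "users": sorted({b["user"] for b in burst}),
                "servers": sorted({b["server"] for b in burst}),
                "first": burst[0]["time"],
                "last": ev["time"],
                # A success right after a burst deserves a closer look.
                "then_succeeded": any(
                    e["result"] == "success" and e["client"] == ev["client"]
                    and timedelta(0) <= e["time"] - ev["time"] <= window
                    for e in events),
            })
            burst.clear()        # start counting a new burst
    return alerts


def worst_single_server_count(server_logs, client):
    """Highest failure count any one server recorded for this client."""
    counts = Counter(
        server
        for server, rows in server_logs.items()
        for _, c, _, result in rows
        if c == client and result == "failure"
    )
    return max(counts.values(), default=0)


if __name__ == "__main__":
    for alert in failure_bursts(merge_logs(SERVER_LOGS)):
        print(alert["client"], alert["servers"], "then succeeded:", alert["then_succeeded"])
    print("worst single-server count:", worst_single_server_count(SERVER_LOGS, "KIOSK-7"))
```

In the sample, no single server records more than one failure for the client, so a per-server review would not reach the threshold that the merged view does.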
To configure a default Auto Client Reconnect setting for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > ICA > Auto Client Reconnect.
5. Choose one of these options:
• Require user authentication. Select this option if you want users to be prompted for
credentials during automatic reconnection to an ICA session. Do not select this
option if you want users to be reauthenticated automatically during reconnection.
Settings for automatic client reconnection override similar settings configured in
Microsoft Windows Group Policy.
• Reconnect automatically (default setting). Select this option if you do not want
users to be prompted for credentials. Selecting this option also allows reconnection
attempts to be logged.
6. If you selected Reconnect automatically in the previous step, you can select the Log
automatic reconnection attempts check box to record information about successful and
failed automatic reconnection events to each server’s system log.
To configure an Auto Client Reconnect setting for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select ICA > Auto Client Reconnect.
5. If you want the server to use the default farm settings, select the Use farm settings
check box; otherwise, follow Steps 4 and 5 in the To configure an Auto Client
Reconnect setting for a farm procedure.
Configuring ICA Keep-Alive
Enabling the ICA Keep-Alive feature prevents broken connections from being disconnected.
When enabled, if XenApp detects no activity (for example, no clock change, no mouse
movement, no screen updates), this feature prevents Terminal Services from disconnecting
that session. XenApp sends Keep-Alive packets every few seconds to detect if the session is
active. If the session is no longer active, XenApp marks the session as disconnected.
However, the ICA Keep-Alive feature does not work if you are using Session Reliability.
Session Reliability has its own mechanisms to handle this issue. Only configure ICA
Keep-Alive for connections that are not using Session Reliability.
You can configure Keep-Alive as a farm-wide server default setting or as an individual
setting for a particular server.
To configure ICA Keep-Alive settings for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > ICA > Keep-Alive.
5. Select the ICA Keep-Alive time-out value (1-3600 seconds) check box to allow users to
reconnect to disconnected sessions and resume working where they were interrupted in
their published applications.
Do not select this option if you want your network monitoring software to close inactive
connections in environments where broken connections are so infrequent that allowing
users to reconnect to sessions is not a concern.
ICA Keep-Alive settings override Keep-Alive settings that are configured in Microsoft
Windows Group Policy.
6. Specify an interval between 1 and 3600 seconds.
The 60 second default interval causes ICA Keep-Alive packets to be sent to client
devices every 60 seconds. If a client device does not respond in 60 seconds, the status
of the ICA sessions changes to disconnected.
To configure ICA Keep-Alive settings for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select ICA > Keep-Alive.
5. If you want the server to use the default farm settings, select the Use farm settings
check box; otherwise, follow Steps 4 and 5 in the To configure ICA Keep-Alive settings
for a farm procedure.
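How the Session Reliability, Auto Client Reconnect and ICA Keep-Alive settings described above combine when a link drops, as an added Python model (not Citrix code; the field names are hypothetical labels for the console options). It shows that Require user authentication governs only Auto Client Reconnect and leaves the Session Reliability window without a prompt.

```python
from dataclasses import dataclass

SR_DEFAULT_SECONDS = 180          # default for "Seconds to keep sessions active"
ICA_PORT, SR_PORT = 1494, 2598    # session port without / with Session Reliability


@dataclass
class SessionSettings:
    """Hypothetical field names standing in for the console options."""
    session_reliability: bool = True          # enabled by default
    sr_keep_active_seconds: int = SR_DEFAULT_SECONDS
    acr_require_auth: bool = False            # default is "Reconnect automatically"
    acr_log_events: bool = False              # logging is disabled by default
    broken_link_action: str = "disconnect"    # ICA TCP connection: "disconnect" or "reset"
    ica_keep_alive: bool = False


def session_port(s):
    """Port that firewalls must allow for session traffic."""
    return SR_PORT if s.session_reliability else ICA_PORT


def reconnect_outcome(s, seconds_since_break, cookie_valid=True):
    """What the person at the client device gets when the link returns."""
    # Session Reliability acts first and never prompts for credentials.
    if s.session_reliability and seconds_since_break <= s.sr_keep_active_seconds:
        return "resumed-no-prompt"
    # After that window (or with the feature off) the connection's
    # broken-link action and the Auto Client Reconnect settings apply.
    if s.broken_link_action == "reset":
        return "new-session-credentials-required"
    if s.acr_require_auth or not cookie_valid:
        return "reconnected-after-prompt"
    return "reconnected-no-prompt"


def audit(s):
    """Findings drawn from the cautions in this section."""
    findings = []
    if s.session_reliability and s.sr_keep_active_seconds > SR_DEFAULT_SECONDS:
        findings.append(
            f"Session Reliability keeps sessions open {s.sr_keep_active_seconds}s "
            f"(default {SR_DEFAULT_SECONDS}s) with no reauthentication prompt")
    if not s.acr_require_auth and s.broken_link_action == "disconnect":
        findings.append("Auto Client Reconnect restores sessions without a credential prompt")
    if not s.acr_require_auth and not s.acr_log_events:
        findings.append("automatic reconnection events are not logged")
    if s.session_reliability and s.ica_keep_alive:
        findings.append("ICA Keep-Alive is configured but does not work with Session Reliability")
    return findings


if __name__ == "__main__":
    default = SessionSettings()
    stricter = SessionSettings(acr_require_auth=True, acr_log_events=True)
    for label, cfg in (("default", default), ("stricter", stricter)):
        print(label, "listens on port", session_port(cfg))
        for t in (60, 600):
            print(f"  link back after {t}s ->", reconnect_outcome(cfg, t))
        for finding in audit(cfg):
            print("  finding:", finding)
```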
Managing and Monitoring XenApp Sessions
XenApp lets you monitor sessions either by displaying their status or monitoring the session
directly through shadowing. You can also interact with sessions directly by saving
disconnected sessions, terminating sessions and processes, and sending messages to users.
In general, if a session in which a user is running multiple applications disconnects, the
applications continue to run on the server until the user closes the applications. However,
some applications that rely on virtual channels, such as media players, may behave
differently. For example, if you disconnect from a session running Media Player while
playing audio, the audio stops playing because the audio virtual channel is no longer
available.
To end the application’s session, exit the application and log off from the farm. If users
disconnect without exiting the application or logging off from the farm, their session
remains active. In this case, when they reconnect from another client device, XenApp
reconnects them to the same session.
Monitoring Session Status
You can display the incoming and outgoing traffic for a session. When you display the
session status, you can see the number of bytes, frames, bytes per frame, and frame errors;
the percentage of frame errors; time-out errors; and compression ratios.
The session information that appears in the console is in table format and includes details
that help you identify the various types of sessions and the users associated with the
sessions.
To display information about a session
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the server on which you want to monitor sessions.
3. From the Action menu, select Change display > Sessions. The right pane of the console
displays all sessions running on the server.
4. Click Choose columns to specify the columns that you want to display and the order in
which you want to see them.
5. Select a session and these tasks become available: Reset, Log off, Disconnect, Send
Message, and Shadow.
6. Click Show more tasks for the selected items to obtain a list of available displays
including Client Cache, Session Information, Client Modules, and Processes.
To display information about active sessions
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select a server.
3. From the Action menu, select Change display > Sessions. Information about active
sessions appears in the details pane. Each row in the table lists details for one session.
The following column labels appear on tabs that display session information.
• User. The name of the user account that initiates a session. In the case of
anonymous connections, the user name is a string with the letters “Anon” followed
by a session number.
• Session ID. A unique number that begins with 0 for the first connection to the
console. Listener sessions are numbered from 65,537 and numbered backward in
sequence.
• Type. The type of session – ICA or RDP.
• Application. The name of the published application running within this session.
• State. A session’s state is listed as Active, Listen, Idle, Disconnected, or Down.
• Client name. The name of the client device that is running the session.
• Logon Time. The time at which the user logged on.
• Server. The server on which the selected application is running.
To display session status
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the server hosting the session.
3. From the Action menu, select Change display > Sessions.
4. Select the session for which you want to display the status.
5. From the Action menu, select All Tasks > Status.
A Session Status dialog box appears.
To display session properties
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the server hosting the session.
3. From the Action menu, select Change display > Sessions. The right pane of the console
displays all sessions running on the server.
4. Select a session, click Show more tasks for the selected items, and select one of these
menu commands:
• Client Cache. Displays the session cache, including the client and bitmap caches.
• Session Information. Displays the details of the session, including the client name,
build number, directory, and address.
• Client Modules. Lists the client modules associated with the session.
• Processes. Lists the processes associated with the session.
To refresh user data automatically
Refreshing user data automatically is disabled by default. You can control the frequency of
automatic updates to server, server folder, and published application information on the
Access Management Console (or Delivery Services Console, depending on the version of
XenApp you have installed) you are running. The auto-refresh settings apply only to the
Access Management Console or Delivery Services Console you are running and not other
instances of the console on your network.
Note: Do not enable this feature if you have many sessions, because it can impact
performance.
1. In the left pane, select one of these nodes (depending on what type of user data you
want to refresh automatically):
• The farm for which you want to refresh the user data automatically
• The server for which you want to refresh the user data automatically
• The application for which you want to refresh the user data automatically
2. In the center pane, from the Other Tasks section or the Common Tasks section
(depending on the node that you selected), click Refresh user data and choose one of
these options:
• Automatically refresh user data for servers. Selecting this option enables automatic
refreshing of each server’s configuration and connection information. After
selection, the associated Refresh rate field becomes available.
• Automatically refresh user data for server folders. Selecting this option enables
automatic refreshing of each server’s folder organization. After selection, the
associated Refresh rate field becomes available.
• Automatically refresh user data for applications. Selecting this option enables
automatic refreshing of each published application’s configuration and connection
information. After selection, the associated Refresh rate field becomes available.
3. In the Refresh rate (seconds) box, select the number of seconds between each update
(10, 30, 60, or 90).
Viewing User Sessions
You can view another user’s session on another device by using shadowing. When
shadowing, you can monitor the session activity as if you are watching the screen of the
client device that initiated the session. If configured, you can also use your keyboard and
mouse to control the user’s keyboard and mouse remotely in the shadowed session.
Shadowing a session provides a powerful tool for you to assist and monitor users. Shadowing
is a useful option for your Help desk staff who can use it to aid users. Help desk personnel
can view a user’s screen or actions to troubleshoot problems and can demonstrate correct
procedures. You can also use shadowing for remote diagnosis and as a teaching tool. You
can shadow using either the Access Management Console (or Delivery Services Console,
depending on the version of XenApp you have installed) or the Shadow Taskbar.
You enable shadowing on a server when you install XenApp and select the default option,
which allows shadowing on all connections on the server. If you do not leave the shadowing
option enabled during Setup, you must reinstall XenApp to get shadowing functionality.
By default, the user is notified of the pending shadowing and asked to allow or deny
shadowing.
Important: Your client device and shadowing ICA session must be capable of supporting
the video resolution of the user’s ICA session (the shadowed session). If not, the
operation fails. You cannot shadow a system console from another session.
For shadowing options by connection type, such as keyboard, mouse, and user notification
options, use the Terminal Services Configuration tool.
Viewing User Sessions with the Shadow Taskbar
Use the Shadow Taskbar to shadow multiple ICA sessions from a single location, including
the server console. Use the Shadow button to start shadowing one or more users. The
Shadow Taskbar uses the client to launch an ICA session to monitor a user. A separate ICA
session is started for each shadowed user.
You are required to enter your user name and password to start an ICA session on the server
running the Shadow Taskbar.
Note the following:
• The client uses a license to log on to the server and start shadowing a user.
• The Shadow Taskbar shows sessions on the server or domain you logged on to. You can
view servers in a different domain by logging on to an account in that domain and
restarting the Shadow Taskbar.
• Each shadow session consumes memory on the server, so limit the number of
simultaneous shadow sessions.
Each shadowed session is represented by a task button on the Shadow Taskbar. Use this
button to switch quickly between the shadowing sessions you have open.
To start the Shadow Taskbar
1. From the Start menu, choose All Programs > Citrix > Administration Tools > Shadow
Taskbar.
To configure options, click an empty area of the Shadow Taskbar and press SHIFT + F10. To
switch to a shadow session, click its button in the Shadow Taskbar.
To close the Shadow Taskbar
1. Click an empty area of the Shadow Taskbar and press ALT + F4.
To select users for shadowing
Use the Shadow Session dialog box to select users to shadow. The Available Users list shows
user sessions that can be selected for shadowing in the current domain. User sessions are
organized by servers, published applications, and users. You can shadow only client user
sessions. The Shadowed Users list shows user sessions selected for shadowing and existing
shadow sessions.
The Shadowed Users list also displays the user name of currently shadowed users next to
the shadow icon. If a shadowed user is removed from the Shadowed Users list, the shadow
session ends when you click OK.
1. On the Shadow Taskbar, click the Shadow button.
2. In the Available Users list, select the user to shadow and click Add.
Tip: You can add multiple users to the Shadowed Users list. Shadowing is initiated for
all users in the Shadowed Users list when you click OK.
To end a shadowing session
1. On the Shadow Taskbar, click the Shadow button.
2. In the Shadowed Users list, select the users to stop shadowing and click Remove.
Tip: You can end a shadow session by right-clicking the session’s task button on the
Shadow Taskbar and clicking Stop Shadow. You can end all shadow sessions by
right-clicking the Shadow Taskbar and clicking Stop All Shadowed Sessions.
To view user sessions with the console
Depending on the version of XenApp you have installed, when you use the Access
Management Console or Delivery Services Console for shadowing, you must start each
shadowing session individually; if you select multiple sessions to shadow, the Shadow
command and button are not available. To start shadowing multiple sessions at once, use
the Shadow Taskbar.
To use the console for shadowing, you must have Program Neighborhood installed on the
computer hosting the console.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server to which the user is connected.
3. From the Action menu, select Change display > Sessions. The right pane of the console
displays all sessions running on the server.
4. Select the required session, and from the Action menu, select Shadow. If the user’s
permission is required, the session does not appear until the user grants permission.
5. On the Shadow dialog box, select the key sequence that will end shadowing.
Enabling Logging for Shadowing
After installation, you can enable shadow logging and configure it so that it outputs to one
of two locations on the server:
• In a central file. Configuring this option records a limited number of logging events,
such as when and who started a shadowing session and who is being shadowed. If you
configure shadow logging through the Shadow Taskbar, the logged events are not
recorded in the Windows Event log. Instead, they go to a file that you specify.
• In the Windows Event log. Configuring this option logs several different event types to
the Windows Event log. These include user shadowing requests, such as when users stop
shadowing, failure to launch shadowing, and access to shadowing denied. However,
these events are logged as they occur and it can be cumbersome to see a shadowing
history because the events are strewn throughout the Event log.
For ease of management, consider logging events in a central file. Because only shadowing
events go into this file, they are more centralized and easier to review.
To configure shadow logging to log in a central file
When you enable this option on a XenApp server, the shadowing events are logged in a
central file on that server.
1. Click on an empty area of the Shadow Taskbar and press SHIFT + F10.
2. Click Logging Options.
3. Select the Enable Logging check box and specify a log file path.
Click Clear Log to empty the current log file.
To enable shadow logging in the Windows Event Log
When you enable this option on a XenApp server, the shadowing events are logged in the
Application log of the Windows Event log.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the server in the left pane.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select XenApp > Shadow Logging.
5. Select the Log shadowing sessions check box if you want all shadow sessions initiated
from the server to be written to the Application log.
Enabling User-to-User Shadowing with Policies
You can use the Advanced Configuration tool to create a user policy to enable user-to-user
shadowing, which allows users to shadow other users without requiring them to be members
of the Citrix administrator group. With user-to-user shadowing, multiple users from
different locations can view presentations and training sessions, allowing one-to-many,
many-to-one, and many-to-many online collaboration. Also, you can enable Help Desk
personnel to shadow users’ sessions or allow your Sales Department to hold an online
meeting to review sales leads.
Important: You are prompted to configure shadowing settings during XenApp Setup. If
you choose to prohibit shadowing during Setup, you cannot enable shadowing with user
policies.
You enable user-to-user shadowing by creating policies that define users who can shadow.
You then assign the policies to the users to be shadowed.
To create a user policy to define users who can shadow
1. Create a user policy that identifies the users who can shadow other users’ sessions.
2. Assign the policy to the users to be shadowed.
3. Publish the Citrix Shadow Taskbar and assign it to the users who will shadow. Be sure to
instruct these users how to initiate shadowing from their client devices.
Note: Instruct users not to launch the Shadow Taskbar in seamless mode. The Shadow
Taskbar cannot function in seamless mode.
Example: To create a user policy for user-to-user shadowing
This example demonstrates how to enable user-to-user shadowing by creating a policy for
your “Sales” user group that allows them to shadow the department manager for online
collaboration on sales leads. This procedure shows the creation of a shadowing policy.
1. Create a new policy named “Sales Group Shadowing.”
2. Open the Sales Group Shadowing policy’s properties by selecting the policy and
choosing Actions > Properties.
3. Open the Shadowing folder under User Workspace in the left pane. Select the rule
named Configuration.
a. Set the rule’s state to enabled by selecting Enabled.
b. Select Allow shadowing to enable shadowing. Because the Sales Manager may work
with sensitive data, select the option Prohibit being shadowed without notification.
If the Sales Manager does not want other users to be able to take control of his
mouse and keyboard, select the option Prohibit remote input when being
shadowed.
4. In the left pane of the property sheet, select the rule named Permissions.
5. Set the rule’s state to enabled by clicking Enabled.
6. Click Configure to select the users who will shadow the Sales Manager. To allow the
members of the Sales Department to shadow the Sales Manager, select the Sales user
group and then click Add. The user group is listed in the Configured Accounts list. Click
OK when you are done adding users. The users and user groups you added to the
Configured Accounts list appear in the right pane of the policy’s property sheet. By
default, the shadowing permission for each user or user group is set to Allow. You can
deny shadowing permissions by clicking Deny.
After you create the policy and configure the rules, you must assign the policy to the users
who you want to be shadowed.
Note: You can create and apply a policy that allows Novell Directory Services (NDS) users
to be shadowed. However, you cannot configure NDS users to have shadowing
permissions.
Example: To assign the shadowing policy to users
This procedure shows the assignment to the users in the Sales group of the policy you
created.
1. Select the Sales Group Shadowing policy and choose Actions > Policy > Apply this policy
to.
2. Select Users in the left pane and select Filter based on users. Select the users you want
to be shadowed. To allow the Sales Manager to be shadowed, select the domain of
which the manager is a member. Click Show Users to display the individual user
accounts in the selected domain.
3. Select the Sales Manager’s user name and then click Add to display the user account in
the Configured Accounts list.
Important: The list of users permitted to shadow is exclusive for each user for whom a
policy is assigned. For example, if you create a policy that permits User A to shadow User
B, this policy allows only User A to shadow User B, unless you add more users to the list
of users who can shadow in the same policy’s Property sheet. To publish the Shadow
taskbar utility to the users you want to be able to shadow, see .
To merge shadowers in multiple policies
If you create multiple shadowing policies, you must also select the option to merge
shadowers. If you do not enable this option, the resultant policy uses the shadowing policy
with the highest priority and ignores the rest of the shadowing policies, even if they do not
conflict.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the farm in the left pane.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Farm-wide > XenApp > Shadow Policies.
5. Under Shadow policies, select the Merge shadowers in multiple policies check box.
Managing User Sessions
Depending on the version of XenApp you have installed, you can use the Access Management
Console or the Delivery Services Console to manage user sessions.
You can view information about active sessions and also perform session management
activities, including logging off, disconnecting, and sending messages to users. You can
select client sessions and choose commands to manage the sessions through the Action
menu or the Tasks list that appears at the bottom of the details pane.
If a connection breaks, a session using the connection can remain active until its state is
changed by Auto Client Reconnect or ICA Keep-Alive settings, or by a Citrix administrator.
You can perform these tasks to better manage your disconnected sessions:
• Disconnecting sessions
• Ending sessions
Disconnecting Sessions and Terminating Processes
You can use the console to disconnect a user session from a server or terminate a process in
a session. A disconnected session is still active and its applications continue to run, but the
client device is no longer communicating with the server.
A user can reconnect to a disconnected session from a different client device without loss
of data. For example, you might disconnect users’ sessions if they experience problems on
their client device and do not want to lose data from their applications.
When you disconnect a session, you close the connection between the client device and the
server. However, this does not log off the user, and programs that were running in the
session are still running on the server. If the client user then connects to the server (by
selecting a published application or custom connection to the server), the disconnected
session is reconnected. When a session is disconnected, the word Disconnected appears in
the State column on the tabs where session information appears.
You can log off users from their sessions. You can also reset a user’s client session or a
disconnected session.
You can also connect to a user’s disconnected session when you are using the console from
within a client session on a XenApp server. To connect, you must know the password of the
user who started the session. Your session must be capable of supporting the same video
resolution as the disconnected session.
Resetting a session with the Reset command terminates all processes that are running in
that session. You can use the Reset command to remove remaining processes in the case of
a session error. However, resetting a session can cause applications to close without saving
data.
If you reset a disconnected session, the word Down appears in the State column for the
session. When you refresh the console display or when the next automatic refresh occurs,
the session no longer appears in the list of sessions.
Special sessions that listen for requests to connect to the server are identified by the word
Listen in the State column. If you reset a listener session, the server resets all sessions that
use the protocol associated with the listener. For example, if you reset the ICA listener
session, you reset the ICA sessions of all users who are connected to the server.
To terminate processes in a user’s session
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, right click the server to which the user is connected and select Change
display > Users. The right pane of the console displays all users connected to the server.
3. Select the user’s session for which you want to terminate the process.
4. In the Tasks list at the bottom of the right pane, click Show more tasks for the selected
items.
5. In Available Displays, click Processes.
6. Select the process you want to terminate.
7. From the Action menu, select Terminate.
Note: Terminating a process may abruptly end a critical process and leave the server in
an unusable state.
To display session properties
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server hosting the session.
3. From the Action menu, select Change display > Sessions. The right pane displays all
sessions running on the server.
4. Select a session, click Show more tasks for the selected items, and select one of these
menu commands:
• Client Cache. Displays the session cache, including the client and bitmap caches.
• Session Information. Displays the details of the session, including the client name,
build number, directory, and address.
• Client Modules. Lists the client modules associated with the session.
• Processes. Lists the processes associated with the session.
To connect to a user’s session from Program Neighborhood
To connect to a disconnected or live session remotely through Program Neighborhood, your
session must support the video resolution of the disconnected session. Also, you can
connect only to disconnected sessions that were disconnected from the Access Management
Console (or Delivery Services Console, depending on the version of XenApp you have
installed).
1. Using Program Neighborhood, create a direct custom connection to the server hosting
the session.
a. In Program Neighborhood, create a Custom ICA Connection directly to the server.
b. Use your new custom ICA connection to connect to the desktop of the server
hosting the session.
2. After you authenticate to the host server, open the Access Management Console or
Delivery Services Console.
3. In the left pane, select the server to which the user was connected (that is, the server
to which you just connected).
4. From the Action menu, select Change display > Sessions. The right pane of the console
displays all sessions running on the server.
5. Select the session you want to log off and from the Action menu, select Connect.
To reset a session
Caution: Resetting effectively deletes the session and results in loss of data for the user.
Only reset a session when it is not responding or malfunctions.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server to which the user is connected.
3. From the Action menu, select Change display > Sessions. The right pane of the console
displays all sessions running on the server.
4. Select the session you want to reset, and from the Action menu, select Reset. You can
select and reset multiple sessions at the same time.
To log off from a session
Important: Ending users’ sessions with the Logoff command can result in loss of data if
users do not close their applications first. Send a message to warn users to exit all
applications if you need to log off their sessions.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server to which the user is connected.
3. From the Action menu, select Change display > Sessions. The right pane of the console
displays all sessions running on the server.
4. Select the session you want to log off and from the Action menu, select Log off. You
can select and log off multiple sessions at the same time.
5. Confirm the logoff when prompted.
To send a message to one or more users
You can send a message that appears in user sessions. For example, you can broadcast
information about new applications and upgrades, request a shadowing session, or warn of
system shutdowns.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server to which the users are connected.
Tip: To send a message to all user sessions in the farm, you can select the Farm node
instead of a server.
3. From the Action menu, select Change display > Users.
4. In the right pane, select the sessions to which the user is connected.
5. Select one or more sessions and from the Action menu, select Send Message.
6. In the Send Message dialog box, edit the title of the message, if required, and enter the
content of the message in the Message text box.
The message is sent to users immediately.
Controlling Client Connections in XenApp
You can control XenApp client connections in different places:
• XenApp policies
• Application Publishing
• Terminal Services Configuration
• Active Directory
XenApp policies
Policies let you define how you want clients to connect, including SSL or encryption
requirements, and the properties for the user’s environments after the connection is
established.
Citrix recommends using XenApp policies whenever possible to control connections.
Connection settings defined through XenApp policies also supersede all other connection
settings in your environment, including those at the operating system level, in TS Config,
and specified when you publish an application.
Application Publishing
You can define connection settings on a per-application basis when you are publishing a
resource. Settings you can define include the maximum number of connections to an
application, importance level of the application, maximum number of instances an
application can run in the farm, types of connections that can access an application, audio
properties, and encryption requirements.
Terminal Services Configuration
Terminal Services Configuration (TS Config), which is part of Windows Server 2008, lets you
define XenApp connection settings similar to the ones found in XenApp policies. However,
these TS Config settings must be defined on a per-server basis. Because defining settings
using TS Config requires setting them on each server in your farm, Citrix recommends using
TS Config to define connection settings only for test farms or very small server farms.
Active Directory
Citrix provides a Group Policy Object (GPO) template, the icaclient.adm, that contains
Citrix-specific rules for securing client connections. This GPO lets you configure rules for
network routing, proxy servers, trusted server configuration, user routing, remote client
devices, and the user experience. The icaclient.adm template is in the XenApp installation
media. For more information about the icaclient.adm template, see the XenApp Plug-In for
Hosted Apps for Windows.
Preventing Specific Client Connection Types
You can specify the types of client connections from which users can start sessions.
For example, to increase security, you can specify that users must connect through Access
Gateway Advanced Edition (Version 4.0 or later). This allows you to benefit from filters
created in Access Gateway.
To configure connection access controls
This procedure specifies the types of client connections from which users can start sessions.
Use this procedure if you want to affect all servers on your farm. If you want more granular
control, perform this task by configuring a policy.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Farm-wide > Connection Access Controls.
5. Select one of these options:
• Any connections (selected by default) allows access to published applications
through any connection.
• Citrix Access Gateway, Citrix XenApp plugin, and Web Interface connections only
allows access to published applications through the listed connections, including
any version of Access Gateway. Denies access through any other connection.
• Citrix Access Gateway connections only allows access to published applications only
through Access Gateway Advanced Edition servers (Version 4.0 or later).
Specifying Connection Limits
To help maintain the availability of resources in a server farm, you can limit the number of
connections to servers and published applications. Setting connection limits helps prevent:
• Performance degradation and errors resulting from individual users who run more than
one instance of a published application at the same time
• Denial-of-service attacks by malicious users who run multiple application instances that
consume server resources and connection license counts
• Over-consumption of resources by non-critical activities such as Web browsing
Connection limits, including the option to log denials resulting from connection limits, are
configured in the Access Management Console or Delivery Services Console. (You cannot
configure connection limits in the plugins.) The name of the console depends on the version
of XenApp you have installed.
The console provides two types of connection limits:
Limit type                    Description
Concurrent connections to     Restricts the number of simultaneous connections that
the server farm               each user in the server farm can establish. See Limiting
                              Connections to a Server Farm.
Published application         Restricts the total number of instances of a published
instances                     application that can run in the server farm at one time,
                              and prevents users from launching more than one instance
                              of a published application. See Limiting Application
                              Instances.
By default, XenApp does not limit connections in any way. If you want to limit connections,
enable these settings.
Limiting Connections to a Server Farm
To conserve resources, you can limit the number of concurrent connections that users are
permitted to establish. Limiting connections can help you prevent over-consumption of
server resources by a few users.
A limit on connections applies to each user who connects to the server farm. A user’s active
sessions and disconnected sessions are counted for the user’s total number of concurrent
connections. For example, you can set a limit of three concurrent connections for users. If
a user has three concurrent connections and tries to establish a fourth, the limit you set
prevents the additional connection. A message tells the user that a new connection is not
allowed.
Connection control affects users only if a connection attempt is prevented. If a user’s
number of connections exceeds a connection limit, the plugin displays a message that
describes why the connection is not available.
You can also limit the number of connections on a farm by ensuring that session sharing is
enabled.
To limit concurrent connections to a server farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm and select Action > Modify farm properties > Modify all
properties.
3. From the Properties list, select Farm-wide > Connection Limits.
4. Select Maximum connections per user to limit each user’s concurrent connections.
Enter the number of concurrent connections to allow for each user. For example, you
can limit users to a maximum of five connections. If a user tries to launch a sixth
connection, the server denies the connection request and records the user’s name and
the time in the System log.
5. If you want the connection limitation to apply to everyone, including local
administrators, select Enforce limit on administrators.
Important: Limiting connections for Citrix administrators can adversely affect their
ability to shadow other users. By default, local administrators are exempt from the
limit so they can establish as many connections as necessary.
Sharing Sessions and Connections
Depending on the plugin, when a user opens an application, it can either appear in a
seamless or non-seamless window. These window modes are available for most plugins,
including the Web Interface, Citrix XenApp plugin, and Program Neighborhood.
In seamless window mode, published applications and desktops are not contained within an
ICA session window. Each published application and desktop appears in its own resizable
window, as if it is physically installed on the client device. Users can switch between
published applications and the local desktop.
In non-seamless window mode, published applications and desktops are contained within an
ICA session window. This creates the effect of the application appearing in two windows.
The mode that you choose typically depends on the type of client device that your users
will be using and whether you are publishing a desktop or individual applications. Desktops
are typically published in non-seamless window mode. This table provides examples of
when you might want to publish desktops and applications.
If your users will be using...   then you...
Local computers                  Might want to publish desktops or individual
                                 applications.
Local computers with locally     Might want to publish individual applications.
installed applications
Thin clients                     Must publish desktops.
Kiosks                           Might want to publish desktops, which allows the user
                                 to have a more holistic experience and provide more
                                 control from a security perspective.
When a user launches a published application, the plugin establishes a connection to a
XenApp server and initiates a session. If session sharing is not configured, a new session is
opened on the server each time a user opens an application. Likewise, every time a user
opens a new application, a new client connection is created between the client device and
the server.
Session sharing is a mode in which more than one published application runs on a single
connection. Session sharing occurs when a user has an open session and launches another
application that is published on the same server; the result is that the two applications run
in the same session. For session sharing to occur, both applications must be hosted on the
same server. Session sharing is configured by default when you specify that applications
appear in seamless window mode. If a user runs multiple applications with session sharing,
the session counts as one connection.
If you want to share sessions, ensure all applications are published with the same settings.
Inconsistent results may occur when applications are configured for different requirements,
such as encryption.
Note: Session sharing is not supported on PocketPC clients.
Session sharing always takes precedence over load balancing. That is, if users launch an
application that is published on the same server as an application they are already using but
the server is at capacity, XenApp still opens the second application on the server. Load
Manager does not transfer the user’s request to another server where the second
application is published.
Limiting Application Instances
By default, XenApp does not limit the number of instances of a published application that
can run at one time in a farm. By default, a user can launch more than one instance of a
published application at the same time.
You can specify the maximum number of instances that a published application can run at
one time or concurrently in the server farm. For example, you can publish an application
and set a limit of 30 concurrent instances in the farm. Once 30 users are running the
application at the same time, no more users can launch the application because the limit of
30 concurrent instances was reached.
Another connection control option lets you prevent any user from running multiple
instances of a particular published application. With some applications, running more than
one instance in a single user context can cause errors.
You can apply application limits independently to each published application. For example,
you can apply the limitations on total concurrent instances and multiple instances by a
single user to one published application. You can limit only the total concurrent instances
of another application. You can configure a third application to limit launching of multiple
instances by individual users.
Note: Connection control options apply to published applications and published desktops
only and do not affect published content such as documents and media files that execute
on the client device.
To specify a limit for a published application or desktop
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select Citrix Resources > XenApp > yourfarmname > Applications and
select the published application or desktop you want to modify.
3. From the Actions menu, select Modify application properties > Modify all properties.
4. In the Properties tree, select Limits.
5. On the Limits page, select one or both of these options:
• Limit instances allowed to run in server farm. Select this option and enter the
maximum number of instances that can run at one time in the server farm without
regard to who launches the application.
For example, if you type 10 in Maximum instances and a user tries to launch the
application when 10 instances are running, the server denies the connection
request and records the time and the name of the published application in the
System log.
• Allow only one instance of application for each user. Select this option to prevent
any user from running more than one instance of this application at the same time.
Logging Connection Denial Events
Event logging records an entry in the System log each time a server denies a user
connection because of a connection control limit. Each server records the data in its own
System log. By default, this type of event logging is disabled.
You can configure XenApp to log when limits are reached (and connections denied) for the
following:
• Maximum connections per user, as set in the server farm properties
• Application instance limits, as set for a published application
• Application instances per user, as set for a published application
To enable logging of connection denial events
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select a farm and select Action > Modify farm properties > Modify all properties.
3. Open the Connection Limits page in the farm’s Properties list.
4. Select Log over-the-limit denials.
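The connection-control rules from the preceding sections (per-user connection limits, session sharing, application instance limits and denial logging) can be read together as one admission decision. The following is an added example, not Citrix code: the class names, the order of the checks and the shape of the log record are assumptions made for illustration, and all users, servers and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class FarmLimits:
    max_connections_per_user: Optional[int] = None  # None: no limit (the default)
    enforce_on_administrators: bool = False         # admins are exempt by default
    log_denials: bool = False                       # "Log over-the-limit denials"


@dataclass
class AppLimits:
    max_instances: Optional[int] = None             # farm-wide instance cap
    one_instance_per_user: bool = False


@dataclass
class Session:
    user: str
    server: str
    state: str = "Active"                           # "Active" or "Disconnected"
    apps: list = field(default_factory=list)


class Farm:
    """Hypothetical model of the admission rules; not a XenApp API."""

    def __init__(self, limits, app_limits=None, session_sharing=True):
        self.limits = limits
        self.app_limits = app_limits or {}
        self.session_sharing = session_sharing
        self.sessions = []
        self.system_log = []                        # stands in for each server's System log

    def _deny(self, when, server, reason, detail):
        # Denials always happen; they are only recorded when logging is enabled.
        if self.limits.log_denials:
            self.system_log.append((when, server, reason, detail))
        return (False, reason)

    def disconnect(self, user, server):
        for s in self.sessions:
            if s.user == user and s.server == server:
                s.state = "Disconnected"            # session and its programs keep running

    def launch(self, user, app, server, is_admin=False, when=None):
        when = when or datetime.now()
        mine = [s for s in self.sessions if s.user == user]
        lim = self.app_limits.get(app, AppLimits())
        running = sum(s.apps.count(app) for s in self.sessions)
        if lim.max_instances is not None and running >= lim.max_instances:
            return self._deny(when, server, "application instance limit", app)
        if lim.one_instance_per_user and any(app in s.apps for s in mine):
            return self._deny(when, server, "application instances per user", app)
        for s in mine:
            if s.server != server:
                continue
            if s.state == "Disconnected":           # connecting again reconnects it
                s.state = "Active"
                s.apps.append(app)
                return (True, "reconnected disconnected session")
            if self.session_sharing:                # same server: no new connection
                s.apps.append(app)
                return (True, "shared existing session")
        cap = self.limits.max_connections_per_user
        exempt = is_admin and not self.limits.enforce_on_administrators
        # Active and disconnected sessions both count toward the user's total.
        if cap is not None and not exempt and len(mine) >= cap:
            return self._deny(when, server, "maximum connections per user", user)
        self.sessions.append(Session(user, server, "Active", [app]))
        return (True, "new connection")


def demo():
    """Constructed scenario: 3 connections per user, 'crm' capped at 2 instances."""
    farm = Farm(FarmLimits(max_connections_per_user=3, log_denials=True),
                {"crm": AppLimits(max_instances=2, one_instance_per_user=True)})
    t = datetime(2015, 3, 4, 9, 0)                  # constructed timestamp
    out = [farm.launch("alice", "notepad", "srv1", when=t),
           farm.launch("alice", "calc", "srv1", when=t),
           farm.launch("alice", "notepad", "srv2", when=t)]
    farm.disconnect("alice", "srv2")                # still counts toward the limit
    out += [farm.launch("alice", "notepad", "srv3", when=t),
            farm.launch("alice", "notepad", "srv4", when=t),
            farm.launch("bob", "crm", "srv1", when=t),
            farm.launch("bob", "crm", "srv1", when=t),
            farm.launch("carol", "crm", "srv1", when=t),
            farm.launch("dave", "crm", "srv2", when=t)]
    return out, farm


if __name__ == "__main__":
    results, farm = demo()
    for r in results:
        print(r)
    for entry in farm.system_log:
        print("LOG", entry)
```

With logging left at its default (disabled), the same denials occur but leave no record, which is why enabling Log over-the-limit denials matters when the limits are meant to surface abuse.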
Controlling Connections with Terminal Services Configuration
Important: Citrix recommends controlling connections by using Citrix policies. While you
can use the Terminal Services Configuration (TS Config) tool, Citrix policies are better
suited for farm-level changes. Using the TS Config tool is more time-consuming and
requires that you specify settings on each XenApp server.
You can control connection settings for individual servers using TS Config, which is a snap-in
you can add to the Microsoft Management Console (MMC). You can specify these settings in
either TS Config or XenApp policies:
• Redirection, including disabling drive mapping
• Printing
• Ports
• The clipboard
• Other settings, including color depth on plugins
You might need to use the TS Config in these situations:
• If you want to configure a test farm or create a very small farm and you do not want to
configure policies, specifying settings in TS Config might be easier than configuring
policies.
• When you want to configure certain TS Config policies that do not have a corresponding
Citrix policy, such as policies that correspond with these tasks:
    • Idle Session Limit. In the ICA-tcp properties in TS Config, select the Sessions tab,
    enable Override user settings and then specify the Idle Session Limit.
    • Restrict users to one session. This setting is in Terminal Services Configuration in
    the Server Manager. Citrix strongly recommends that you turn this setting off
    because it might affect your user sessions negatively.
For more information about TS Config, see your Microsoft documentation.
To control connections on a server with TS Config
To use TS Config to control connections on a remote computer that has XenApp installed,
XenApp must be installed on the local computer; otherwise, the ICA Settings tab on the
properties dialog box does not appear.
This procedure assumes that you already added the TS Config tool snap-in to the MMC. If
not, do so before proceeding. See your Microsoft documentation for details as needed.
1. From the Start menu, select Administrative Tools > Terminal Services > Terminal
Services Configuration.
2. With Connections selected in the left pane of the console that opens, right-click ICA-tcp
in the right pane and select Properties.
3. Using the tabs that appear in this properties dialog box, you can select options for
configuring your connections.
Note: The Citrix Connection Configuration tool is no longer available. It has been
replaced by the ICA-tcp entry in TS Config.
Preventing User Connections during Farm Maintenance
You might want to prevent logons to a server when you install software or perform other
maintenance or configuration tasks. This is helpful when you are installing applications that
require there be no active sessions on the server. It also lets you restart the server without
having to wait for users to disconnect.
By default, logons are enabled when you install XenApp and users can launch an unlimited
number of sessions and instances of published applications. You can prevent users from
connecting to a server in the farm by disabling logons.
To disable logons on a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the server and select Action > All Tasks > Disable logon.
Note: To reenable disabled logons, use the Enable logon option.
Optimizing User Sessions for XenApp
XenApp includes various features that allow you to enhance user experience by maintaining
session activity and improving session responsiveness.
Network latency and bandwidth availability can impact the performance of connections to
published applications and content. These SpeedScreen and ICA technologies allow you to
improve connection speed and responsiveness during user sessions. Instructions for
configuring these features are provided in the corresponding topics:
• SpeedScreen Browser Acceleration. Optimizes the responsiveness of graphics-rich
HTML pages in published versions of Microsoft Outlook Express, Outlook 2003, Windows
Mail, and Internet Explorer.
• SpeedScreen Multimedia Acceleration. Allows you to control and optimize the way
XenApp servers deliver streaming audio and video to users.
• SpeedScreen Flash Acceleration. Allows you to control and optimize the way XenApp
servers deliver Adobe Flash animations to users.
• SpeedScreen Image Acceleration. Enables you to create a balance between the quality
of photographic image files as they appear on client devices and the amount of
bandwidth the files consume on their way from the server to the client.
• SpeedScreen Progressive Display. Allows you to improve interactivity when displaying
high-detail images by temporarily increasing the level of compression (decreasing the
quality) of the image when it is first transmitted over a limited bandwidth connection,
providing a fast (but low quality) initial display. If the image is not immediately
changed or overwritten by the application, it is then improved in the background to
produce the normal quality image, as defined by the normal lossy compression level.
• Heavyweight Compression. Allows you to increase the compression of SpeedScreen
Image Acceleration and SpeedScreen Progressive Display, thereby reducing bandwidth
further without impacting image quality. Heavyweight compression uses a more
CPU-intensive algorithm and impacts server performance and scalability. Because
heavyweight compression is CPU intensive and affects server scalability, this type of
compression is recommended for use only with low bandwidth connections.
If enabled in the SpeedScreen policy rule, heavyweight compression applies to all lossy
compression settings. It is supported on XenApp Plugins, but has no effect on other
clients.
• SpeedScreen Latency Reduction. On high-latency network connections, users may
experience delays between the time they click a link and the time the link opens. As a
result, users may click links more than once, possibly opening multiple copies of a file
or application. Similarly, characters that a user types may not appear instantly, possibly
causing the user to type characters repeatedly before seeing them onscreen.
SpeedScreen Latency Reduction helps reduce a user’s perception of latency when
typing and clicking. It provides visual feedback for mouse clicks and Local Text Echo, a
feature that accelerates the display of input text, effectively shielding the user from
experiencing latency on the network.
• ICA display. ICA display gives you control over settings that let you reserve bandwidth
by limiting session-memory usage and discarding obsolete queued images on the client.
• ICA browser. ICA browser gives you control over whether or not the servers in your
network will respond to broadcast messages sent from Program Neighborhood. You may
reduce bandwidth consumption if you disable these options.
Optimizing Web Page and Email Responsiveness
As both Web pages and HTML-based email get richer in graphics content, more bandwidth is
used. You can use SpeedScreen Browser Acceleration to optimize the responsiveness of
image-rich Web pages and email in published versions of Microsoft Internet Explorer,
Outlook 2003, and Windows Mail. With SpeedScreen Browser Acceleration, the user can
scroll the pages and use the Back and Stop buttons immediately while image files download
in the background.
To further accelerate the accessibility of Web pages and email, enable JPEG compression
with SpeedScreen Browser Acceleration. JPEG compression lets you find a balance between
the quality of JPEG files as they appear on client devices and the amount of bandwidth the
files consume on their way from server to client. JPEG compression results in slightly lower
image resolution and slightly higher resource consumption on both server and client. It does
not affect JPEG files rendered by applications other than those mentioned above.
Users with limited bandwidth connections benefit the most from SpeedScreen Browser
Acceleration. Users connecting on the LAN may see improvement only when networks are
congested. Enabling this feature uses more resources on both servers and clients.
Enabling SpeedScreen Browser Acceleration results in:
•
Background image delivery. Users can click Back and Stop while images are being
downloaded in the background.
•
Progressive drawing. Users can interact with elements of a page while the page
continues to download.
•
Responsive scrolling. Scrolling speed and responsiveness are similar to scrolling in a local
browser.
•
JPEG image recompression. You can select a compression level for JPEG images.
Higher compression results in less bandwidth used but lowers image quality.
•
Adaptive JPEG image recompression. The available bandwidth is used to determine
how much images are compressed. If enough bandwidth is available, images are not
compressed. You can limit the compression level.
SpeedScreen Browser Acceleration requires Version 7.0 or later of the Presentation
Server Clients for Windows or Citrix XenApp Plugin for Hosted Apps 11.x for Windows,
Internet Explorer 5.5 through 7.0, and High Color (16-bit) or greater connection color
depth.
SpeedScreen Browser Acceleration is not supported with Microsoft Outlook 2007; Citrix
supports SpeedScreen Browser Acceleration for Microsoft Outlook 2003 only.
By default, SpeedScreen Browser Acceleration is enabled at the server farm level.
The SpeedScreen Browser Acceleration feature possesses the following limitations:
•
Supports JPEG and nontransparent GIF images.
•
Not compatible with Adobe Flash.
•
Does not support images that are resized using dimensions specified in the HTML of a
Web page which might be different than the actual width and height of the image. In
this case, Internet Explorer grows or shrinks the image as required to fit it into the size
specified in the HTML. Images that are resized in HTML are drawn in legacy mode.
Note: Image resizing in HTML described here is not the same as the Internet Explorer
Automatic Image Resizing feature.
Effects of Restricting Animations in
Internet Explorer
At installation XenApp disables the Internet Explorer setting Play animations in web pages
for all users on the server. For optimal performance with SpeedScreen Browser
Acceleration, Citrix recommends that you keep this setting disabled.
When Play animations in web pages is enabled, animated GIF images are rendered as
animations and SpeedScreen Browser support for GIF images is disabled. When this feature
is disabled, SpeedScreen Browser Acceleration support for GIF images is enabled. The
secondary benefit is a bandwidth reduction due to the absence of animations that consume
significant bandwidth.
If a user subsequently enables Play animations in web pages, only an administrator can
modify it again by making changes to specific values in the registry.
Users can access Play animations in web pages by opening Internet Explorer and selecting
Tools > Internet Options > Advanced or by navigating to Internet Options under Control
Panel.
Configuring SpeedScreen Browser
Acceleration
When ICA connections have limited bandwidth, downloading images can be slow.
SpeedScreen Browser Acceleration can improve responsiveness for users when they are
using Internet Explorer 5.5 or later as published applications. Specifically, this feature helps
ensure that images display cleanly and scrolling is smooth in Web browsers.
You can configure SpeedScreen Browser Acceleration as a farm-wide server default setting
or as an individual setting for a particular server.
Do not enable Flash content in your Web browser display if you want SpeedScreen Browser
Acceleration to be used. Regardless of whether you configured the optimization settings for
SpeedScreen Flash Acceleration, SpeedScreen Browser Acceleration does not work when
Flash content is on a page.
Caution: Using Registry Editor incorrectly can cause serious problems that can require
you to reinstall the operating system. Citrix cannot guarantee that problems resulting
from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Make sure you back up the registry before you edit it.
SpeedScreen Browser Acceleration is disabled if Internet Explorer is running in Protected
Mode. However, you can turn on SpeedScreen Browser Acceleration even when Internet
Explorer is running in Protected Mode by adding EnableProtectedModeSpeedBrowse and
setting it to 1 in the HKEY_LOCAL_MACHINE\SOFTWARE\CITRIX\SpeedBrowse registry key.
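The Protected Mode setting described above, applied from PowerShell together with the registry backup the Caution calls for. This is an added example, not Citrix code; it assumes the value is a REG_DWORD (the page gives only its name, the data 1, and the key), and the function names and backup file path are hypothetical.

```powershell
# Added example, not Citrix code.
# Assumption: EnableProtectedModeSpeedBrowse is a REG_DWORD; the page states only
# the value name, the data (1) and the key that holds it.
$RegKey    = 'HKLM:\SOFTWARE\CITRIX\SpeedBrowse'
$ValueName = 'EnableProtectedModeSpeedBrowse'

function Get-ProtectedModeSpeedBrowse {
    # Returns the current data, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $RegKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Export-SpeedBrowseKey {
    param([Parameter(Mandatory = $true)][string]$BackupFile)
    # reg.exe export writes a .reg file that can be imported again to roll back.
    if (-not (Test-Path -Path $RegKey)) { return $false }   # key absent: nothing to export
    & reg.exe export 'HKLM\SOFTWARE\CITRIX\SpeedBrowse' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit code $LASTEXITCODE)" }
    return $true
}

function Enable-ProtectedModeSpeedBrowse {
    param([Parameter(Mandatory = $true)][string]$BackupFile)
    # Idempotent: leave the registry alone when the value is already 1.
    if ((Get-ProtectedModeSpeedBrowse) -eq 1) { return 'already enabled' }
    [void](Export-SpeedBrowseKey -BackupFile $BackupFile)
    if (-not (Test-Path -Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
    New-ItemProperty -Path $RegKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back so a failed or redirected write is noticed immediately.
    if ((Get-ProtectedModeSpeedBrowse) -ne 1) { throw "$ValueName was not written" }
    return 'enabled'
}

function Remove-ProtectedModeSpeedBrowse {
    # Deleting the value returns the server to the documented default:
    # no acceleration while Internet Explorer runs in Protected Mode.
    if ($null -eq (Get-ProtectedModeSpeedBrowse)) { return 'not set' }
    Remove-ItemProperty -Path $RegKey -Name $ValueName
    return 'removed'
}

# Report the current state. Changing it requires an elevated session on the server.
$current = Get-ProtectedModeSpeedBrowse
if ($null -eq $current) {
    "${ValueName}: not set (default)"
} else {
    "${ValueName}: $current"
}
# Enable-ProtectedModeSpeedBrowse -BackupFile 'C:\Temp\SpeedBrowse-backup.reg'   # placeholder path
```

Running the report on each server before and after a change gives a record of which servers deviate from the default.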
To configure SpeedScreen Browser Acceleration for a
farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > SpeedScreen > Browser Acceleration.
5. Select the SpeedScreen Browser Acceleration check box to improve responsiveness
when users run HTML-capable published applications.
6. Select the Compress JPEG images to improve bandwidth check box to improve
bandwidth.
7. Select one of these options if the ICA connections have very low bandwidth:
•
Image compression levels. Select High, Medium, or Low compression for JPEG
images. The higher the compression, the less bandwidth used and the lower the
image quality. Select High when bandwidth usage is most important, such as when
running a published application over a WAN connection. Select Low if image quality
is more important than bandwidth usage.
•
Adjust compression level based on available bandwidth. Select this option if the
available bandwidth can vary for ICA connections. The available bandwidth and
image size are used to determine how much images are compressed. If enough
bandwidth is available, images are not compressed.
Note: Compressing JPEG images reduces image quality.
To configure SpeedScreen Browser Acceleration for a
server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select SpeedScreen > Browser Acceleration.
5. If you want the server to use the default farm settings, select the Use farm settings
(available server level only) check box.
Optimizing Audio and Video Playback
SpeedScreen Multimedia Acceleration improves the user’s experience of accessing published
audio-visual applications and content. Enabling this feature increases the quality of audio
and video in ICA sessions to a level that compares with audio and video played locally on a
client device. In addition, it reduces use of network bandwidth and server processing and
memory because compressed multimedia files are intercepted and forwarded to the client
to be uncompressed. This feature optimizes multimedia playback through published
instances of Internet Explorer, Windows Media Player, and RealOne Player. It offers
significant performance gains in these areas:
•
User Experience. Multimedia playback in sessions is much smoother.
•
Server CPU Utilization. The client device decompresses and renders multimedia
content, freeing server CPU utilization.
•
Network Bandwidth. Multimedia content is passed over the network in compressed
form, reducing bandwidth consumption.
Note: With SpeedScreen Multimedia Acceleration enabled, RealOne Player’s built-in
volume and balance controls do not work within client sessions. Instead, users can adjust
volume and balance from the volume controls available from the client notification area.
Without SpeedScreen Multimedia Acceleration, the cumulative cost of several users playing
multimedia content in sessions simultaneously is high, both in terms of server CPU
utilization and network bandwidth consumption. When you play multimedia content in a
session, the server decompresses and renders the multimedia file, which increases the
server’s CPU utilization. The server sends the file over the network in uncompressed form,
which consumes more bandwidth than the same file requires in compressed form.
With SpeedScreen Multimedia Acceleration, the server streams multimedia to the client in
the original, compressed form. This reduces bandwidth consumption and leaves the media
for the client device to decompress and render, thereby reducing server CPU utilization.
SpeedScreen Multimedia Acceleration optimizes multimedia files that are encoded with
codecs (compression algorithms) that adhere to Microsoft’s DirectShow, DirectX Media
Objects (DMO), and Media Foundation standards. DirectShow and Media Foundation are
application programming interfaces (APIs) that allow, among other things, multimedia
playback. To play back a given multimedia file, a codec compatible with the encoding
format of the multimedia file must be present on the client device.
Generally, if you can play back a given multimedia file locally on a given client device, you
can play back the same file on the same client device within a session. Users can download
a wide range of codecs, such as those supported by Windows Media Player or RealOne
Player, from vendor Web sites.
Users accessing audio-visual applications on servers on which SpeedScreen Multimedia
Acceleration is enabled use a little more memory but far less bandwidth than when this
feature is disabled. Users use only a little more memory or bandwidth when accessing
audio-visual applications compared to regular enterprise applications.
By default, audio is disabled on any custom connections created with Program
Neighborhood. To allow users to run multimedia applications in ICA sessions, turn on audio
or give the users permission to turn on audio themselves in Program Neighborhood. By
default, all other clients and methods are configured with audio enabled and medium sound
quality.
Other requirements for using SpeedScreen Multimedia Acceleration are:
•
Users must be running a XenApp Plugin.
•
The client device must have the same memory and processing speed as is needed for
playing multimedia locally.
•
The correct codec, or compression algorithm, to decompress the media file type used
(MPEG for example) must reside on the client device. Windows clients have the most
common codecs already installed. If you need additional codecs, you can download
them from the Web sites of the manufacturers of media players.
Note: To make Windows Media Player 11 and Media Foundation components available on
your XenApp server, install and configure the Microsoft Windows Server 2008 Desktop
Experience in the Server Manager.
Applications and media formats supported by SpeedScreen Multimedia Acceleration are:
•
Applications based on Microsoft’s DirectShow, DirectX Media Objects (DMO), and Media
Foundation filter technologies such as Windows Media Player, RealPlayer
•
Applications like Internet Explorer and Microsoft Encarta are also supported, as they
leverage Windows Media Player
•
Both file-based and streaming (URL-based) media formats: WAV, all variations of MPEG,
and unprotected Windows Media Video (WMV) and Windows Media Audio (WMA)
Note: SpeedScreen Multimedia Acceleration does not support media files protected with
Digital Rights Management (DRM).
When the quality of media playing on a client device deteriorates, possible solutions are:
•
If video appears in slowly changing slides while audio is intact or audio becomes
choppy, this is caused by low bandwidth. Arrange for users to play media on the
network where more bandwidth is available.
•
If audio and video are not synchronized, generally only the video or audio is played
using SpeedScreen Multimedia Acceleration. This can happen if a client device lacks a
codec for either video or audio. Install the needed codec on the client or use media
content on the server for which clients have both codecs.
Note: Volume and balance selections do not work with RealOne in an ICA session. Users
can still control volume and balance outside the RealOne application with controls on the
client.
By default, SpeedScreen Multimedia Acceleration is enabled at the server farm level.
Configuring SpeedScreen Multimedia
Acceleration
You can configure SpeedScreen Multimedia Acceleration as a farm-wide server default
setting or as an individual setting for a particular server.
Note: By default, audio is disabled on the client. To allow users to run multimedia
applications in ICA sessions, turn on audio or give the users permission to turn on audio
themselves in their client interface.
To configure SpeedScreen Multimedia Acceleration
for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > SpeedScreen > Multimedia
Acceleration.
5. Select the SpeedScreen Multimedia Acceleration check box. By default, SpeedScreen
Multimedia Acceleration is enabled. Turn off this setting only if playing media using
SpeedScreen Multimedia Acceleration appears worse than when rendered using basic
ICA compression and regular audio. This is rare but can happen under low bandwidth
conditions; for example, with media in which there is a very low frequency of key
frames.
6. Choose one of these options:
•
Accept the recommended default buffering of five seconds.
•
Select Custom buffer time in seconds (1-10) and enter another figure.
You can see how much server memory the selected buffer can use by changing the
buffer time.
To configure SpeedScreen Multimedia Acceleration
for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select SpeedScreen > Multimedia Acceleration.
5. If you want the server to use the default farm settings, select the Use farm settings
(available server level only) check box.
Optimizing Flash Animations
SpeedScreen Flash Acceleration allows you to optimize the way XenApp renders and delivers
Adobe Flash animations to users. To display Flash animations in sessions, you must have the
Flash plug-in and the corresponding ActiveX control installed in the Web browser before you
publish it.
Users playing Flash animations in published applications might observe poor rendering
quality of the animation, slow session responsiveness, or a combination of both. This occurs
when Adobe Flash Player, which renders the animation on the server, starts in high-quality
mode by default. While this guarantees the highest possible rendering mode for each
frame, it also means that each frame consumes considerable bandwidth on its way to the
user.
SpeedScreen Flash Acceleration improves the user’s session responsiveness by forcing Flash
Player to use simpler graphics (for example, no smoothing or anti-aliasing). This feature
also reduces the amount of processing power that is required to render Flash animations.
By default, SpeedScreen Flash Acceleration is enabled at the server farm level. However,
the Web browser, and not this feature, controls whether or not Flash content appears.
SpeedScreen Flash Acceleration lets you specify the optimization settings when Flash is
present on a Web page.
You can configure the optimization settings for SpeedScreen Flash Acceleration as a
farm-wide server default setting or as an individual setting for a particular server.
Note: SpeedScreen Flash Acceleration now supports Adobe Flash 9.
To configure SpeedScreen Flash Acceleration for a
farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > SpeedScreen > Flash Acceleration.
5. Select the Enable Adobe Flash Player check box to configure Flash optimization
settings.
6. Under Optimize Adobe Flash animation options, you can select one of these options to
reduce the amount of Flash data sent from the server to client devices:
•
Do not optimize. Select this option if bandwidth is not limited.
•
Restricted bandwidth connections. Select this option to improve responsiveness
when Flash content is sent to users on restricted bandwidth connections (under
150Kbps). On restricted bandwidth connections, such as over a WAN, less data is
downloaded and the quality of Flash content is lower. When bandwidth is not
limited, for example on a LAN, users get higher quality Flash animation.
•
All connections. Select this option to always reduce the amount of Flash data sent
to users. The result is that CPU usage is minimized on the servers on which users
are using Flash within Internet Explorer.
7. From the Properties list, select Server Default > ICA > Display and select the Discard
queued image that is replaced by another image check box to reduce bandwidth
consumption and improve video playback and server scalability.
To configure SpeedScreen Flash Acceleration for a
server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select SpeedScreen > Flash Acceleration. If you want the
server to use the farm settings, select the Use farm settings (available on server level
only) check box. If not, follow Steps 4 to 5 in To configure SpeedScreen Flash
Acceleration for a farm.
5. From the Properties list, select ICA > Display. If you want the server to use the farm
settings, select the Use farm settings (available on server level only) check box.
Optimizing Throughput of Image Files
The size of image files affects the amount of time the files take to travel from server to
client. Often, image files contain redundant or extraneous data that is of little benefit to
the user and slows down the user’s session while downloading and rendering. Using lossy
image compression, SpeedScreen Image Acceleration lets you find a balance between the
quality of photographic image files as they appear on client devices and the amount of
bandwidth the files consume on their way from server to client.
SpeedScreen Image Acceleration applies a lossy compression scheme to reduce the size of
image files that the server sends to the client for faster throughput. The compression
scheme removes redundant or extraneous data from the files while attempting to minimize
the loss of information. Under most circumstances, the data loss is minimal and its effect
nominal. However, Citrix recommends that you use discretion in applying this feature
where preservation of image data may be vital, as in the case, for example, of X-ray
images.
Unlike the other SpeedScreen features, SpeedScreen Image Acceleration is not configured
through the Access Management Console. This feature is enabled by default. You can use
policy rules in the Advanced Configuration tool to override the default settings and
accommodate different user needs by applying different levels of image compression to
different connections. To do this:
1. In the Advanced Configuration tool, select the policy for which you want to configure
the rule.
2. From the Actions menu, select Properties.
3. Select Bandwidth > SpeedScreen > Image acceleration using lossy compression and
configure the rule.
Choose no or low compression for users who need to view images at original or near original
quality levels. You can accelerate image throughput by choosing one of four compression
levels per policy rule:
Lossy compression level    Image quality       Bandwidth requirements
High compression           Low                 Lowest
Medium compression         Good                Lower
Low compression            High                Higher
No compression             Same as original    Highest
If this policy rule is not configured, by default, SpeedScreen Image Acceleration is enabled
as Medium compression; medium image quality for all connections.
Note: This default may not be the optimum setting for all environments, so you are
encouraged to experiment with other settings.
To configure SpeedScreen Image Acceleration without enabling SpeedScreen Progressive
Display, after enabling the policy rule and choosing Compression level, for SpeedScreen
Progressive Display compression level, choose Disabled; no progressive display.
You can reduce bandwidth further by using heavyweight compression in conjunction with
this feature.
Optimizing Display of Image Files
As part of the SpeedScreen policy rule (Bandwidth > SpeedScreen > Image acceleration
using lossy compression), you can also enable SpeedScreen Progressive Display to increase
the performance of displaying images or parts of images that are changing.
SpeedScreen Progressive Display speeds the initial display of an image file by choosing an
increased compression level while an image is dynamic. This initial display is then
sharpened up to normal quality in the background if the image is not immediately changed
or overwritten in the application. The quality of the final image is controlled by
SpeedScreen Image Acceleration.
SpeedScreen Progressive Display can improve the performance not only of applications that
render and display images, but also those parts of an image that are dynamic, such as when
scrolling through a PDF or similar document.
When the SpeedScreen policy rule is not configured, SpeedScreen Progressive Display is
enabled with a compression level of Very high compression; very low quality, but only for
connections with less than 1 Mbps of bandwidth per user. Note that this may not be the
optimum setting for all environments, so experiment with other settings.
To configure SpeedScreen Progressive Display without enabling SpeedScreen Image
Acceleration, after enabling the policy rule and choosing SpeedScreen Progressive Display
compression level, for Compression level, choose Do not use lossy compression.
You can reduce bandwidth further by using heavyweight compression in conjunction with
this feature.
Optimizing Keyboard and Mouse
Responsiveness
SpeedScreen Latency Reduction is a collective term used to describe features such as Local
Text Echo and Mouse Click Feedback that help enhance user experience on a slow network.
Mouse Click Feedback
On high latency connections, users often click the mouse multiple times because there is no
visual feedback that a mouse click resulted in an action. Mouse Click Feedback, which is
enabled by default, changes the appearance of the pointer from idle to busy after the user
clicks a link, indicating that the system is processing the user’s request. When the user
clicks the mouse, the ICA software immediately changes the mouse pointer to an hourglass
to show that the user’s input is being processed. You can enable and disable Mouse Click
Feedback at the server level.
Local Text Echo
On high latency connections, users often experience significant delays between when they
enter text at the keyboard and when it is echoed or displayed on the screen. When a user
types text, the keystrokes are sent to the server, which renders the fonts and returns the
updated screen to the client. You can bridge the delay between keystroke and screen
redraw by enabling Local Text Echo. Local Text Echo temporarily uses client fonts to
immediately display text a user types while the screen redraw from the server is in transit.
By default, Local Text Echo is disabled. You can enable and disable this feature both at the
server and application level. You can also configure Local Text Echo settings for individual
input fields within an application.
Note: Applications that use non-standard Windows APIs for displaying text may not
support Local Text Echo.
Configuring SpeedScreen Latency
Reduction
SpeedScreen Latency Reduction Manager, a tool provided with XenApp, allows you to
configure SpeedScreen Latency Reduction settings for a XenApp server, for single or
multiple instances of an application, as well as for individual input fields within an
application. You can also use it as a troubleshooting tool to fine-tune SpeedScreen Latency
Reduction behavior for applications, or input fields within an application, that exhibit
incompatibility with this SpeedScreen feature.
SpeedScreen Latency Reduction Manager must be installed on a XenApp server, and can be
used to customize SpeedScreen Latency Reduction settings only on that server.
To launch SpeedScreen Latency Reduction Manager, select SpeedScreen Latency Reduction
Manager from the Citrix > Administration Tools program group in the Start menu.
Note: To run the SpeedScreen Latency Reduction Manager with User Account Control
(UAC) enabled, you must be a domain administrator, delegated administrator, or part of
the Administrators group on the local computer, or you will be prompted for
administrator credentials.
Through SpeedScreen Latency Reduction Manager, you can configure common SpeedScreen
Latency Reduction settings for all applications on a server or select custom settings for
individual applications. Before you can configure any settings, you must add the
application.
Adjusting SpeedScreen Latency
Reduction for an Application
If a published application exhibits abnormal behavior after it is configured to use
SpeedScreen Latency Reduction, you can use the Add New Application wizard included with
SpeedScreen Latency Reduction Manager to adjust latency reduction functionality for the
selected application, or all instances of the selected application on the server. To optimize
usability of the application, use this wizard to adjust, turn on, or turn off SpeedScreen
Latency Reduction for the application.
Note: The application must be running before you can use this wizard to modify existing
settings.
To adjust SpeedScreen Latency Reduction for an
application
Before you can adjust SpeedScreen Latency Reduction for an application, you must add the
application to the SpeedScreen Latency Reduction Manager.
1. From the Start menu, select All Programs > Citrix > Administration Tools > SpeedScreen
Latency Reduction Manager.
2. From the Applications menu of SpeedScreen Latency Reduction Manager, select New to
start the wizard and follow the prompts.
3. Use the Define the Application screen to select an application instance on the server.
To specify the application, use one of these methods:
•
Click the icon at the bottom of the page and drag the pointer onto the window of
an application. The application must be running when you select it.
•
Click the Browse button and navigate to the application.
4. Specify whether Local Text Echo is enabled or disabled on the application by selecting
or clearing the Enable local text echo for this application check box. For a definition of
Local Text Echo, see Optimizing Keyboard and Mouse Responsiveness.
5. Specify whether the setting you selected in the previous step should be applied to all
instances of the application on the server or just the instance selected.
Test all aspects of an application with Local Text Echo in a non-production environment
before enabling it to ensure that the display is acceptable to users.
When you configure SpeedScreen Latency Reduction Manager on a particular server, the
settings are saved in the ss3config folder in the Citrix installation directory of that server.
You can propagate the settings to other servers by copying this folder and its contents to
the same location on the other servers.
Note: If you plan to propagate SpeedScreen Latency Reduction Manager settings to other
servers, select Apply settings to all installations of the selected application when
configuring Local Text Echo through the wizard. Paths to published applications might
differ from one server to another; therefore, applying the settings to all instances of the
selected application ensures that the settings apply regardless of where the application is
located on the destination server.
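One way to propagate the ss3config folder as described above and confirm that each destination received an identical copy. This is an added example, not Citrix code; the function names are hypothetical, and the source folder and destination directories are parameters because the page does not give the installation path.

```powershell
# Added example, not Citrix code. Copies the ss3config folder to the same location
# on other servers and verifies every copied file against a SHA-256 manifest.

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '')
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Get-FolderManifest {
    # Maps each file's path relative to $Root to its SHA-256 digest.
    param([string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $manifest = @{}
    Get-ChildItem -LiteralPath $rootFull -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $relative = $_.FullName.Substring($rootFull.Length + 1)
            $manifest[$relative] = Get-Sha256Hex -Path $_.FullName
        }
    return $manifest
}

function Compare-Manifest {
    # Lists files that are missing, altered, or present only on the destination.
    param([hashtable]$Expected, [hashtable]$Actual)
    $problems = @()
    foreach ($name in $Expected.Keys) {
        if (-not $Actual.ContainsKey($name)) { $problems += "missing: $name" }
        elseif ($Actual[$name] -ne $Expected[$name]) { $problems += "hash mismatch: $name" }
    }
    foreach ($name in $Actual.Keys) {
        if (-not $Expected.ContainsKey($name)) { $problems += "unexpected: $name" }
    }
    return ,$problems
}

function Copy-Ss3Config {
    param(
        # The ss3config folder on the server where the settings were configured.
        [Parameter(Mandatory = $true)][string]$SourceFolder,
        # The Citrix installation directory on each destination (for example a UNC path).
        [Parameter(Mandatory = $true)][string[]]$DestinationParent
    )
    $expected = Get-FolderManifest -Root $SourceFolder
    $leaf     = Split-Path -Path $SourceFolder -Leaf
    foreach ($parent in $DestinationParent) {
        Copy-Item -LiteralPath $SourceFolder -Destination $parent -Recurse -Force
        $target   = Join-Path -Path $parent -ChildPath $leaf
        $problems = Compare-Manifest -Expected $expected -Actual (Get-FolderManifest -Root $target)
        New-Object PSObject -Property @{
            Target   = $target
            Files    = $expected.Count
            Verified = ($problems.Count -eq 0)
            Problems = $problems
        }
    }
}

# Constructed demo: temporary folders stand in for two servers, and sample.ini
# is a made-up file name, not a real SpeedScreen settings file.
$demo   = Join-Path $env:TEMP ('ss3demo-' + [guid]::NewGuid().ToString('N'))
$source = Join-Path $demo 'serverA\ss3config'
$destB  = Join-Path $demo 'serverB'
New-Item -ItemType Directory -Path $source, $destB -Force | Out-Null
Set-Content -Path (Join-Path $source 'sample.ini') -Value 'constructed sample content'
Copy-Ss3Config -SourceFolder $source -DestinationParent $destB |
    Format-List Target, Files, Verified, Problems
Remove-Item -LiteralPath $demo -Recurse -Force
```

An "unexpected" entry means the destination already held a file the source does not have; the copy does not delete such leftovers, so review them before relying on the propagated settings.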
To configure latency reduction settings for all
applications on a server
1. From the Start menu, select All Programs > Citrix > Administration Tools > SpeedScreen
Latency Reduction Manager.
2. From the Application menu, select Server Properties. The Server Properties dialog box
containing existing settings for the selected server appears.
3. Configure the SpeedScreen Latency Reduction settings that you want to be applied to
all of the applications on the server. All users connecting to the server benefit from the
SpeedScreen options you set here. Changes made to SpeedScreen Latency Reduction
settings at an application level override any server-wide settings.
•
Enable local text echo as default for all applications on this server. Select this
check box to enable Local Text Echo for all applications on the server.
•
Enable mouse click feedback as default for all applications on this server. Select
this check box to enable Mouse Click Feedback for all applications on the server.
•
Latency threshold times for SpeedScreen (in milliseconds). Latency threshold times
are used when the client device setting for SpeedScreen is set to Auto.
•
High latency threshold. Specify a threshold value above which SpeedScreen
options should be enabled.
•
Low latency threshold. Specify a threshold value below which SpeedScreen
options should be disabled.
For a definition of Local Text Echo and Mouse Click Feedback, see Optimizing Keyboard
and Mouse Responsiveness.
To configure custom latency reduction settings for an
individual application
1. From the Start menu, select All Programs > Citrix > Administration Tools > SpeedScreen
Latency Reduction Manager.
2. In the SpeedScreen Latency Reduction Manager, select the application.
3. From the Application menu, select Properties. The Application Properties tab
containing existing SpeedScreen Latency Reduction settings for the selected application
appears. It contains this information:
•
Application Name. The application executable name appears here; for example,
Excel.exe.
•
Path to Application. The path to the application executable appears here; for
example, C:\Microsoft Office\Excel.exe.
4. If desired, configure application settings:
•
Disable local text echo for this application. The current setting for Local Text Echo
is displayed. Select the check box to disable Local Text Echo for this application.
Clear the check box to enable it.
•
Limit local text echo for this application. The current Local Text Echo setting for
the application appears. Select the check box to limit Local Text Echo functionality
for this application, and select the type of text display you need from the
drop-down list.
•
Forces Speedscreen to treat all input fields in the selected application in native
mode. Select the check box if you configure a setting that forces SpeedScreen to
treat all input fields in the selected application in native mode.
To configure latency reduction settings for input fields in an application
Input fields in an application are fields where text can be added. You can use SpeedScreen
Latency Reduction Manager to set latency reduction behavior for selected input fields in a
configured application to reduce delays between when users enter text at the keyboard and
when it is echoed or displayed on the screen.
1. From the Start menu, select All Programs > Citrix > Administration Tools > SpeedScreen
Latency Reduction Manager.
2. Select an application.
3. From the Applications menu, select Properties. The Application Settings window
appears.
4. Select the Input Field Configuration tab, then configure these settings as needed.
•
The Configured Input Field List displays the list of configured input fields.
SpeedScreen Latency Reduction uses a window hierarchy to identify the input fields
that need special settings. The entries shown in the tree view are the window class
names of the configured fields. For example, _WwG is the window class name of
the main document window in Microsoft Word.
•
Click New to run the Advanced Input Field Compatibility wizard to add a new
input field. This wizard guides you through the process of configuring
SpeedScreen Latency Reduction settings for an input field.
•
Click Delete to delete the selected input field from the Configured Input Field
List.
•
Enable local text echo for this input field enables Local Text Echo. If this check box
is selected, you can apply more Local Text Echo settings to the selected field.
•
Limit local text echo forces behavior in input fields in nonstandard applications that
may not behave correctly. Select one of the two available settings:
•
Display text in place ensures text is echoed in place.
•
Display text in a floating bubble ensures text is echoed within a floating bubble.
•
Reduce font size forces input fields in non-standard applications to display text at a
reduced font size. Use this setting when input fields in non-standard applications
display misaligned text, oversized fonts, or other undesirable font behavior. Choose
the percentage by which to reduce the font size. Percentage values available are
10%, 20%, and 30%.
•
Use system default colors forces non-standard input fields to use system default
colors. SpeedScreen Latency Reduction tries to auto-detect the text and
background colors used in input fields; however, non-standard input fields
sometimes report incorrect or inadequate information. As a result, text echo in
input fields on nonstandard applications can appear corrupted. This setting turns
off auto-detection and controls how system default colors are applied to input
fields.
•
Choose Both the text and background to apply system default colors to both
text and background.
•
Choose The background only to apply system default colors only to the
background.
•
Input field is a password controls how hidden characters are displayed in
non-standard input fields. Typically, hidden characters are located in password
entry fields. Text echo in non-standard input fields might make these hidden
characters appear as normal text, compromising security. This setting forces hidden
characters to display as asterisks or spaces.
•
Choose Hidden characters denoted by “*” if you want Local Text Echo for such
input fields to be replaced by asterisks.
•
Choose Hidden characters denoted by spaces if you want Local Text Echo for
password input fields to be replaced by spaces.
To create exception entries for non-standard input fields in an application
Some input fields do not conform to standard Windows behavior and thus do not work
correctly with SpeedScreen Latency Reduction. You can create exception entries for such
fields, while still providing minimal latency reduction functionality for the rest of the
application. The Input Field Compatibility wizard included with SpeedScreen Latency
Reduction Manager guides you through the process of selecting non-standard input fields
and creating exception entries for them.
Note: The application must be running before you can configure an input field within it.
1. Start the application.
2. Select Start > All Programs > Citrix > Administration Tools > SpeedScreen Latency
Reduction Manager.
3. From the Applications menu in SpeedScreen Latency Reduction Manager, select
Properties. The Application Settings window appears.
4. Select the Input Field Configuration tab. Click New to start the wizard and follow the
prompts.
5. With the application running, select the input field you want to configure and complete
these steps:
a. Drag the pointer onto the input field window for which SpeedScreen behavior needs
to be customized.
b. If the SpeedScreen Latency Reduction Manager window is obscuring the target input
field, check the Hide SpeedScreen Latency Reduction Manager check box. This
causes the SpeedScreen Latency Reduction Manager window to be hidden from
view.
6. To define the level of compatibility for the input field, select the level of SpeedScreen
Latency Reduction compatibility to apply to the selected input field. Use the slider bar
to select the desired compatibility level. The default compatibility level is Auto, which
provides full SpeedScreen Latency Reduction functionality. However, because the field
being configured is not displaying the desired behavior, downgrade the latency
reduction functionality level to Medium, Low, or Off.
•
Medium Compatibility. Use this level of compatibility for input fields that are
incompatible with the default Auto setting. Text echo appears in place with limited
acceleration.
•
Low Compatibility. If an input field is incompatible with both the Auto and Medium
compatibility settings, select Low. Text echo appears in a floating text bubble
rather than within the input field.
•
Off, or Zero Compatibility. If an input field is incompatible with Auto, Medium, and
Low compatibility settings, disable Local Text Echo for that field by selecting Off.
Configuring ICA Display Settings
To configure ICA display settings for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > ICA > Display.
5. Select the Discard queue image that is replaced by another image check box to improve
response when graphics are sent to the client. Queued images that are replaced by
another image are discarded. This is useful when bandwidth is limited. A drawback to
selecting this option is that it can cause animations to become choppy because
intermediate frames get dropped.
6. Select the Cache image to make scrolling smoother check box if you want to make
scrolling smoother because sections of an image can be retrieved from the cache.
7. Enter the maximum memory to be used on the server for each client connection in the
Maximum memory to use for each session’s graphics (KB) box.
You can specify an amount in kilobytes from 300 to 65536. Using more color depth and
higher resolution for connections requires more memory. You can calculate the
maximum memory required by using this equation:
(color depth in bits per pixel / 8) * vertical resolution in pixels * horizontal resolution in
pixels = memory required in bytes
For example, if the color depth is 24, the vertical resolution is 600, and the horizontal
resolution is 800, the maximum memory required is:
(24bpp / 8) * 600 pixels * 800 pixels = 1440000 bytes of memory required
You can specify 1440KB in maximum memory to handle ICA connections with these
settings.
8. Under Degradation bias, select one of these options to prioritize when the session
memory limit is reached.
•
Degrade color depth first. Select this option if you want color depth to be reduced
before resolution is lowered when the session memory limit is reached.
•
Degrade resolution first. Select this option if you want resolution to be lowered
before color depth when the session memory limit is reached.
9. Select the Notify user of session degradation check box to display a brief explanation to
the user when a session is degraded. Possible reasons for degradation include exceeding
the memory limit and connecting with a client that cannot support the requested
parameters.
To configure ICA display settings for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select ICA > Display.
5. If you want the server to use the default farm settings, select the Use farm settings
check box; otherwise, follow Steps 4 and 8 in To configure ICA display settings for a
farm.
To configure ICA browser settings for a server
ICA browser settings control whether or not a server responds to client broadcast messages.
If these options are enabled, all servers in your network respond to broadcast messages. If
you are running Program Neighborhood with HTTP Browsing, do not enable these options.
This procedure applies only to environments with Program Neighborhood.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select ICA > Browser.
5. Select either of these check boxes:
•
Select Create browser listener on UDP network to enable the ICA browser on the
selected server to respond to any ICA browser network packets on UDP networks. This
setting is enabled by default. Each server that has this setting enabled has a
listener on the network. Clearing this setting disables the listener for a server. In
large environments, you may want to clear this check box on specific servers
because having a listener enabled for every server on your network consumes
network resources. Clearing this check box on some servers in large environments
allows you to optimize your network.
•
Select Server responds to client broadcast messages to allow the server it is
enabled on to broadcast messages on the network and respond to messages clients
broadcast. This setting is disabled by default. Enabling it makes configuring
Program Neighborhood easier; users do not have to enter an address in Program
Neighborhood for the server to which they want to connect.
Securing Server Farms
Consult with your organization’s security experts for a comprehensive security strategy that
best fits your needs.
The Citrix Receiver is compatible with and functions in environments where the Microsoft
Specialized Security - Limited Functionality (SSLF) desktop security template is used. These
templates are supported in the Microsoft Windows XP and Vista platforms. Refer to the
Windows XP and Windows Vista security guides available at http://technet.microsoft.com
for more information about the template and related settings.
Securing Access to Your Servers
An important first step in securing your server farm is securing access to the servers.
Securing XenApp Advanced Configuration
The XenApp Advanced Configuration tool can be used to connect to any server in your farm.
Run the tool only in environments where packet sniffing cannot occur. Also, ensure that
only administrators have access to the tool. You can set NTFS permissions so that
non-administrators do not have Execute permission for the tool executable (Ctxload.exe).
Using NTFS partitions
To ensure that appropriate access control can be enforced on all files installed by XenApp,
install XenApp only on NTFS-formatted disk partitions.
Installing and configuring the Simple Network Management Protocol (SNMP) service
The SNMP service is not installed by default on computers running Windows Server 2003 and
2008. If you install this service, you must configure the SNMP community string. You may
also want to create a white list that limits the remote IP addresses that have access to the
SNMP service.
The Windows SNMP service has many read/write privileges by default; however, you must
give read/create permissions to the SNMP service for administrative tasks, such as logoff
and disconnect through Network Manager. If you use Network Manager or other SNMP
management software for monitoring the server only (and not remote management), Citrix
recommends that the privileges be read only. If no SNMP consoles are used, do not install
SNMP components on the server.
You can configure the SNMP community and designated management consoles to prevent
unauthorized access. Configure SNMP agents to accept traps from known SNMP consoles
only.
Note: You can block incoming SNMP traffic from the Internet by using a firewall that
prevents passage of traffic on UDP ports 161 and 162.
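The SNMP points above (a configured community string, read-only rights when SNMP is used for monitoring only, and a list of permitted management hosts) can be checked on a server with a short audit script. This is an added example, not Citrix code; it assumes the standard Windows SNMP service registry layout under HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters, and the sample settings it falls back to are constructed.

```powershell
# Added example (not Citrix code): audit the Windows SNMP service settings
# discussed above. Assumes the standard SNMP service registry layout.
$SnmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Access rights the SNMP service stores per community name (REG_DWORD).
$RightsNames = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

function Get-RegistryValues([string]$Path) {
    # Returns a hashtable of value name -> data, or $null when the key is absent.
    if (-not (Test-Path -Path $Path)) { return $null }
    $key = Get-Item -Path $Path
    $values = @{}
    foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    return $values
}

function Test-SnmpConfig([hashtable]$Communities, [hashtable]$Managers, [bool]$MonitoringOnly = $true) {
    $findings = @()

    if ($Communities.Count -eq 0) {
        $findings += 'No community string is configured.'
    }

    foreach ($name in $Communities.Keys) {
        $rights = [int]$Communities[$name]
        $label = $RightsNames[$rights]
        if (-not $label) { $label = "unknown ($rights)" }

        # Well-known default names are the first ones anyone would guess.
        if (@('public', 'private') -contains $name.ToLower()) {
            $findings += "Community '$name' is a well-known default name; replace it."
        }
        # Monitoring-only deployments should not grant more than READ ONLY.
        if ($MonitoringOnly -and $rights -gt 4) {
            $findings += "Community '$name' has $label rights; monitoring-only use needs READ ONLY."
        }
    }

    # PermittedManagers holds numbered values whose data is a host name or IP address.
    # An empty list means the service accepts SNMP packets from any host.
    $hosts = @($Managers.Values | Where-Object { $_ })
    if ($hosts.Count -eq 0) {
        $findings += 'No permitted managers are listed, so SNMP requests are accepted from any host.'
    }

    $findings
}

$communities = Get-RegistryValues "$SnmpParams\ValidCommunities"
$managers    = Get-RegistryValues "$SnmpParams\PermittedManagers"

if ($null -eq $communities) {
    # SNMP service is not installed here: audit constructed sample settings instead.
    Write-Output 'SNMP keys not found; auditing constructed sample settings.'
    $communities = @{ 'public' = 8; 'xa-monitor-7Qf2' = 4 }
    $managers    = @{}
}
if ($null -eq $managers) { $managers = @{} }

Test-SnmpConfig $communities $managers | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it from an elevated PowerShell prompt on the server. Pass $false as the third argument to Test-SnmpConfig on servers where Network Manager performs logoff and disconnect, which the text above says requires read/create rights.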
For more information about installing the SNMP service and using it with XenApp, see the
following:
•
For XenApp 5 for Windows Server 2003, see Network Manager Administrator's Guide and
Monitoring Server Performance with Citrix Presentation Server available from the
Citrix Knowledge Center.
•
For XenApp 5 for Windows Server 2008, see Enabling SNMP Monitoring.
Trusted Server Configuration
This feature identifies and enforces trust relations involved in client connections. This can
be used to increase the confidence of client administrators and users in the integrity of
data on client devices and to prevent the malicious use of client connections. When this
feature is enabled, clients can specify the requirements for trust and determine whether or
not they trust a connection to the server.
Securing the Data Store
One of the most important aspects of securing your server farm is protecting the data store.
This involves not only protecting the data in the data store database but also restricting
who can access it. In general:
•
Users who access your farm’s servers do not require and should not be granted any
access to the data store.
•
When the data store connection is a direct one (that is, no intermediary server is used),
all farm servers share a single user account and password for accessing the data store.
Select a password that is not easy to deduce. Keep the user name and password secure
and give it to administrators only to install XenApp.
Caution: If the user account for direct mode access to the database is changed at a later
time, the Citrix IMA Service fails to start on all servers configured with that account. To
reconfigure the Citrix IMA Service password, use the dsmaint config command on
each affected server. For information about the dsmaint config command, see
DSMAINT.
More specific Citrix recommendations for securing the data store vary depending on the
database you use for the data store. The following topics discuss security measures to
consider for each of the database products XenApp supports.
Important: Be sure to create a backup of your data store before using dsmaint config
to change the password on your data store.
Microsoft Access
For an Access data store, the default user name is “citrix” and the password is “citrix.” If
users have network access to the data store server, change the password using dsmaint
config and keep the information in a safe place.
Microsoft SQL Server
The user account that is used to access the data store on Microsoft SQL Server has public
and db_owner roles on the server and database. System administrator account credentials
are not needed for data store access; do not use a system administrator account because
this poses an additional security risk.
If the Microsoft SQL Server is configured for mixed mode security, meaning that you can use
either Microsoft SQL Server authentication or Windows authentication, you may want to
create a Microsoft SQL Server user account for the sole purpose of accessing the data store.
Because this Microsoft SQL Server user account would access only the data store, there is no
risk of compromising a Windows domain if the user’s password is compromised.
Note: For high-security environments, Citrix recommends using only Windows
authentication.
Important: For improved security, you can change the user account’s permission to
db_reader and db_writer after the initial installation of the database with db_owner
permission. Changing the user account’s permission from db_owner may cause problems
installing future service packs or feature releases for XenApp. Be sure to change the
account permission back to db_owner before installing a service pack or feature release
for XenApp.
Microsoft SQL Server 2005 Express Edition
Windows authentication is supported for the Microsoft SQL Server 2005 Express Edition
database. For security reasons, Microsoft SQL Server authentication is not supported. For
further information, consult Microsoft documentation. The user name and password
typically are those for the local system Administrator account. If users have access to the
data store server, change the password with the dsmaint config command and keep the
information in a safe place.
Oracle
If the data store is hosted on Oracle, give the Oracle user account employed for the server
farm “connect” and “resource” permissions only. System administrator (system or sys)
account permissions are not needed for data store access.
IBM DB2
If the data store is hosted on IBM DB2, give the DB2 user account employed for the server
farm the following permissions:
•
Connect database
•
Create tables
•
Register functions to execute to database manager’s process
•
Create schemas implicitly
System administrator (DB2Admin) account permissions are not needed for data store access.
Securing Client-Server Communications
There are two methods for encrypting the session data transmitted between clients and
servers: SecureICA and SSL/TLS encryption.
By default, all ICA communications are set to Basic ICA protocol encryption. The Basic
setting obfuscates data but does not provide industry standard encryption. You can increase
the level of SecureICA encryption up to 128-bit and/or add SSL/TLS encryption.
The difference between the two types of client-server encryption is as follows:
•
SecureICA. The SecureICA feature encrypts the session data sent between a server
running XenApp and a client. In general, increase the level of ICA protocol encryption
when you want to encrypt internal communication within a LAN or a WAN, or you want
to encrypt internal access to an intranet. Increasing the level of ICA protocol encryption
prevents session data from being sent in clear text, but it does not perform any
authentication.
•
SSL/TLS protocols. SSL/TLS protocols can protect you from internal and external
threats, depending on your network configuration. Citrix recommends that you enable
SSL/TLS protocols. Enabling SSL/TLS ensures the confidentiality, authentication, and
integrity of session data.
If you enable protection against both internal and external threats, you must enable SSL
encryption. Using SecureICA with SSL or TLS provides end-to-end encryption.
Both protocols are enabled in two places:
•
On the server side, when you publish an application or resource.
•
On the client side (for Program Neighborhood only). The Web Interface and XenApp
plugin for Hosted Apps automatically detect and use the settings specified on the server
(that is, when you publish a resource).
The settings you specify for client-server encryption can interact with any other encryption
settings in XenApp and your Windows operating system. If a higher priority encryption level
is set on either a server or client device, settings you specify for published resources can be
overridden. The most secure setting out of any of the settings below is used:
•
The setting in Terminal Services Configuration (TSCC)
•
The XenApp policy setting that applies to the connection
•
The client-server setting (that is, the level you set when you publish a resource)
•
The Microsoft Group Policy
When you set an encryption level, make sure that it is consistent with the encryption
settings you specified elsewhere. For example, any encryption setting you specify in the
TSCC or connection policies cannot be higher than the application publishing setting.
If the encryption level for an application is lower than what you specified through the TSCC
and connection policies, the TSCC settings and the policies override the application
settings.
Using SecureICA
By default, client-server communications are obfuscated at a basic level through the
SecureICA feature, which can be used to encrypt the ICA protocol.
Plugins use the ICA protocol to encode user input (keystrokes and mouse clicks) and address
it to a server farm for processing. Server farms use the ICA protocol to format application
output (display and audio) and return it to the client device.
You can increase the level of encryption for the ICA protocol when you publish a resource or
after you publish a resource.
In addition to situations when you want to protect against internal security threats, such as
eavesdropping, you may want to use ICA encryption in the following situations:
•
You need to secure communications from devices that use Microsoft DOS or run on
Win16 systems
•
You have older devices running plugin software that cannot be upgraded to use SSL
•
As an alternative to SSL/TLS encryption, when there is no risk of a “man-in-the-middle”
attack
When traversing public networks, Citrix does not recommend SecureICA as your only
method of encryption. Citrix recommends using SSL/TLS encryption for traversing public
networks. Unlike SSL/TLS encryption, SecureICA, used on its own, does not provide
authentication of the server. Therefore information could be intercepted as it crosses a
public network and then be rerouted to a counterfeit server. Also, SecureICA does not
check data integrity.
Enabling SSL/TLS Protocols
If client devices in your environment communicate with your farm across the Internet,
Citrix recommends enabling SSL/TLS encryption when you publish a resource. If you want to
use SSL/TLS encryption, you must use either the SSL Relay feature or the Secure Gateway
to relay ICA traffic to the computer running XenApp.
The nature of your environment may determine the way in which you enable SSL:
•
For client devices communicating with your farm remotely, Citrix recommends that you
use the Secure Gateway to pass client communications to the computer running
XenApp. The Secure Gateway can be used with SSL Relay on the computer running
XenApp to secure the Secure Gateway to XenApp traffic, depending on your
requirements.
•
For client devices communicating with your farm internally, you can do one of the
following to pass client communications to the computer running XenApp:
•
Use the Secure Gateway with an internal firewall and place your farm behind the
firewall
•
Use the SSL Relay feature to secure the traffic between servers in your farm
In larger environments, it may not be convenient to use SSL Relay because doing so requires
storing certificates on every server in your farm. In large environments, you may want to
use the Secure Gateway with an internal firewall if you are concerned with internal threats.
Regardless of whether you use the Secure Gateway or SSL Relay, if you want to use SSL, you
must select the Enable SSL and TLS protocols setting when you publish an application.
If you are using Web Interface with the Secure Gateway, see the information about SSL in
the Secure Gateway and Web Interface administrator documentation at Citrix eDocs.
To configure session data encryption
The following procedure explains how to increase the level of encryption by enabling
SecureICA (ICA protocol encryption) or SSL/TLS encryption after you publish an application.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select a published application in the left pane by selecting XenApp > your farm name >
Applications > application name.
3. From the Action menu, select Modify application properties > Modify all properties.
4. In the Application Properties dialog box, select Advanced > Client options.
5. In the Connection encryption section, do one or more of the following:
•
Select the Enable SSL and TLS protocols check box. This option requests the use of
the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for
clients connecting to the published application.
•
In the Encryption section, select a higher level of encryption from the drop-down
list box.
•
(For Program Neighborhood only. Optional.) Select the Minimum requirement check
box, which is available only if you increase the level of ICA protocol encryption. The
Minimum requirement check box sets a requirement that Program Neighborhood
plugins connecting to a published application use the specified level of encryption
or higher. This means the following:
•
If you do not select the Minimum requirement check box, Program
Neighborhood’s connections to the server are encrypted at the level that you
set in Program Neighborhood. If the encryption level on the server and in
Program Neighborhood do not match, you can still connect. The encryption
settings you specify in Program Neighborhood override the encryption level set
for the application.
•
If you select the Minimum requirement check box, Program Neighborhood’s
connections to the server must be encrypted at the same level that you set on
the server, or the server refuses the client’s transmission and the session is
dropped.
6. Click OK.
If you are using Program Neighborhood as one of the plugins in your environment, you must
also enable encryption on the client side.
If you are using SecureICA and you want to ensure that ICA traffic is always encrypted at a
certain level, you can set a policy for encryption. Creating a SecureICA policy prevents you
from accidentally publishing a resource at a lower level of encryption. If this policy is
enabled and you publish a resource at a lower level of encryption than the policy requires,
the server rejects client connections. For plugins that take their encryption settings from
the server, such as the Web Interface and the Citrix XenApp plugin, this can be
problematic.
Therefore, Citrix recommends as a best practice that, if you enable an encryption policy,
you publish applications (or resources) by replicating an existing published application and
editing it so as to replace the application with the new application you want to publish.
To set a policy for ICA encryption
1. Depending on the version of XenApp you have installed:
•
From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
•
From the ICA toolbar, open the Presentation Server Console.
2. Select Policies.
3. From the Actions menu, click New > Policy.
4. Select the policy name; on the Actions menu, click Properties.
5. From the list of folders in the left pane, select Security > Encryption > SecureICA
encryption.
6. Select Enabled; from the Encryption Level list box, select the encryption level you want
for this policy.
7. Enable the policy by applying a filter.
For additional details about creating policies in general, see Working with XenApp Policies.
Configuring SSL/TLS Between Servers and Clients
For XenApp to accept connections encrypted with SSL or TLS, you must use SSL Relay to
configure support on each XenApp server.
Citrix SSL Relay can secure communications between clients, servers running the Web
Interface, and XenApp servers that are using SSL or TLS. Data sent between the two
computers is decrypted by the SSL Relay and then redirected using SOCKSv5 to the Citrix
XML Service.
SSL Relay operates as an intermediary in the communications between the plugin and the
Citrix XML Service running on each server. Each plugin authenticates the SSL Relay by
checking the relay’s server certificate against a list of trusted certificate authorities. After
this authentication, the plugin and SSL Relay negotiate requests in encrypted form. SSL
Relay decrypts the requests and passes them to the server.
When returning the information to the plugin, the server sends all information through SSL
Relay, which encrypts the data and forwards it to the client to be decrypted. Message
integrity checks verify that each communication is not tampered with.
In general, use SSL Relay for SSL/TLS support when you:
•
Want to secure communications with servers that host the Citrix XML Service.
•
Have a small number of servers to support (five or fewer). To use SSL/TLS to protect
against internal threats in larger farms, consider configuring SSL/TLS support with
Secure Gateway.
•
Do not need to secure access at a DMZ.
•
Do not need to hide server IP addresses or you are using Network Address Translation
(NAT).
•
Need end-to-end encryption of data between clients and servers.
Configure SSL Relay and the appropriate server certificate on each XenApp server in the
server farm. By default, SSL Relay is installed with XenApp in C:\Program Files
(x86)\Citrix\SSLRelay, where C is the drive where you installed XenApp.
The Citrix XML Service provides an HTTP interface for enumerating applications available on
the server. It uses TCP packets instead of UDP, which allows connections to work across
most firewalls. The Citrix XML Service is included in the server. The default port for the
Citrix XML Service is 80.
Task Summary for Implementing SSL Relay
To implement the SSL Relay, perform the following steps:
Task: Obtain and install server and root SSL certificates.
See this topic: Obtaining and Installing Server and Root SSL Certificates

Task: Enable the SSL relay and select the server certificate in the Relay Credentials tab of the SSL Relay Configuration Tool.
See this topic: To enable the SSL Relay and select the relay credentials

Task: Use the features available from the Connection tab to change the target server or port, or add servers for redundancy.
See these topics: Using the SSL Relay with the Microsoft Internet Information Service (IIS); Configuring the Relay Port and Server Connection Settings

Task: Use the features available from the Ciphersuites tab of the SSL Relay Configuration Tool to select which ciphersuites to allow.
See this topic: Configuring the Ciphersuites Allowed by the SSL Relay
Installing and Configuring the SSL Relay Tool with User Account Control Enabled
If you configure the SSL Relay tool with the User Account Control (UAC) feature of Microsoft
Windows enabled, you might be prompted for administrator credentials. To run the SSL
Relay tool, you must have privileges and associated permissions as follows:
• Domain administrator
• Delegated administrator
• Administrator group of the local computer where you are installing the tool
Obtaining and Installing Server and Root SSL Certificates
A separate server certificate is required for each XenApp server on which you want to
configure SSL or TLS. The server certificate identifies a specific computer, so you must
know the fully qualified domain name (FQDN) of each server. Certificates must be signed by
a trusted entity called a Certificate Authority (CA). In addition to installing a server
certificate on each server, you must install the root certificate from the same CA on each
client device that will communicate with SSL Relay.
Root certificates are available from the same CAs that issue the server certificates. You can
install server and client certificates from a CA that is bundled with your operating system,
an enterprise CA (a CA that your organization makes accessible to you), or a CA not bundled
with your operating system. Consult your organization’s security team to find out which of
the following methods they require for obtaining certificates.
Install the server certificate on each server. SSL Relay uses the same registry-based
certificate store as IIS, so you can install certificates using IIS or the Microsoft Management
Console (MMC) Certificate Snap-in. When you receive a certificate from the CA, you can
restart the Web Server Certificate wizard in IIS and the wizard will install the certificate.
Alternatively, you can view and import certificates on the computer using the MMC and
adding the certificate as a stand-alone snap-in.
Choosing an SSL Certificate Authority
You can obtain and install certificates for your servers and client devices in the following
ways:
• Certificates from a CA bundled with the operating system. Some of the newer Windows
  operating systems include native support for many CAs. If you choose to install the
  certificate from a bundled CA, double-click the certificate file and the Windows
  Certificate Store wizard installs the server certificate on your server. For information
  about which operating systems include native support, see your Microsoft
  documentation.
• Certificates from an enterprise CA. If your organization makes a CA accessible to you
  for use, that CA appears in your list of CAs. Double-click the certificate file and the
  Windows Certificate Store wizard installs the server certificate on your server. For more
  information about whether or not your company uses an enterprise CA, consult your
  security team.
• Certificates from a CA not bundled with the operating system. Certificates from CAs
  that are not bundled with your operating system or made accessible to you by your
  organization must be installed manually on both the server running Citrix SSL Relay and
  on each client device. For instructions about installing certificates from an external CA,
  see the documentation for the servers and clients in your configuration. Alternatively,
  you can install certificates using Active Directory or the IIS snap-in:
    • If your computers belong to an Active Directory server, you can install the
      certificates using Active Directory. For instructions about how to use Active
      Directory to install your certificates, see your Microsoft documentation.
    • You can use the Microsoft Web Server Certificate wizard in the IIS snap-in to
      request and import a certificate. For more information about using this wizard, see
      your Microsoft documentation.
Acquiring a Signed SSL Certificate and Password
After you choose a Certificate Authority (CA), generate a certificate signing request (CSR)
and send it to the CA using the Web server software that is compatible with the CA. For
example, if you are using the IIS snap-in to obtain your certificates, you can use Microsoft
Enterprise Certificate Services to generate the CSR. The CA processes the request and
returns the signed SSL certificate and password to you. For information about what
software you can use to generate the CSR, consult the documentation for your chosen CA.
Important: The common name for the certificate must be the exact fully qualified
domain name of the server.
After acquiring the signed certificate and password from your CA, install the certificates on
each server and client in your configuration using the appropriate method.
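The check below is an added example, not part of the Citrix documentation: it lists each certificate in the local computer's Personal store and reports whether its subject common name is exactly this server's FQDN, as the Important note above requires. The function names are hypothetical, and the store path Cert:\LocalMachine\My is an assumption about where the server certificate was installed; the private key and validity period columns are extra sanity checks beyond what the note states.

```powershell
# Added example. Written for PowerShell 2.0 or later; run on the XenApp server.
# Assumption: the server certificate is in the computer's Personal store.

function Get-LocalFqdn {
    # Build the FQDN from the host name and the primary DNS suffix.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ip.DomainName) { return ('{0}.{1}' -f $ip.HostName, $ip.DomainName) }
    return $ip.HostName
}

function Get-SubjectCommonName {
    param([string]$Subject)
    # Subjects look like "CN=host.example.com, OU=IT, O=Example, C=US".
    # A CN value that contains a comma is quoted, so accept both forms.
    if ($Subject -match '(?:^|,\s*)CN=(?:"([^"]+)"|([^,]+))') {
        if ($matches[1]) { return $matches[1].Trim() }
        return $matches[2].Trim()
    }
    return $null   # the subject has no CN component
}

function Test-RelayCertificateName {
    param(
        [string]$Fqdn = (Get-LocalFqdn),
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cn = Get-SubjectCommonName -Subject $_.Subject
        New-Object PSObject -Property @{
            CommonName    = $cn
            ExpectedFqdn  = $Fqdn
            # DNS names are case-insensitive; a wildcard or short host name
            # does not count as the exact FQDN.
            CnMatchesFqdn = ($cn -ne $null -and $cn -ieq $Fqdn)
            HasPrivateKey = $_.HasPrivateKey
            InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
            Thumbprint    = $_.Thumbprint
        }
    } | Select-Object CommonName, ExpectedFqdn, CnMatchesFqdn, HasPrivateKey, InValidity, Thumbprint
}

Test-RelayCertificateName | Format-Table -AutoSize
```

A certificate suitable for the relay should show True in the CnMatchesFqdn, HasPrivateKey and InValidity columns.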
To enable the SSL Relay and select the relay credentials
1. On the server where you installed Citrix SSL Relay, click All Programs > Citrix >
Administration Tools > Citrix SSL Relay Configuration Tool.
2. Click the Relay Credentials tab.
3. Select the Enable SSL relay check box to enable the relay features.
4. Select the Display Friendly Name check box to display the certificate’s friendly name, if
available. This check box determines which information from the certificate appears in
the Server Certificate list. Some certificates contain an additional friendly name field.
If you check this box and no friendly name exists, the certificate’s subject common
name is used (which is typically the server name). If Display Friendly Name is not
checked, the entire subject name is used.
5. Select the server certificate from the Server Certificate drop-down box (used to
identify the SSL Relay identity).
Using the SSL Relay with the Microsoft Internet Information Service (IIS)
To use the SSL Relay and Microsoft Internet Information Services (IIS) on the same server
(for example, if you install the Web Interface and XenApp on the same server), you must
change the port number that IIS or the SSL Relay uses. SSL Relay uses TCP port 443, the
standard port for SSL connections. Most firewalls open this port by default. Optionally, you
can configure the SSL Relay to use another port. Be sure that the port you choose is open on
any firewalls between the client devices and the server running the SSL Relay.
Microsoft IIS is installed by default on Windows Server 2003 and allocates port 443 for SSL
connections. It is not installed by default on Windows Server 2008. To run SSL Relay on a
server running Windows Server 2003 or 2008 (with Web Server IIS installed and enabled),
you must:
• Install a server certificate on IIS before you change the port number. You can use the
  same server certificate with IIS and the SSL Relay.
• Configure IIS to use a different port or configure the SSL Relay to use a different port.
To change the SSL port for Internet Information Services, see the relevant Microsoft
documentation.
Configuring the Relay Port and Server Connection Settings
The SSL Relay relays packets only to the target computers listed on the Connection tab. By
default, the SSL Relay is configured to relay packets only to the target computer on which
the SSL Relay is installed. You can add other computers in the same server farm for
redundancy through the Connection tab.
Use the Connection tab to configure the listener port and allowed destinations for the SSL
Relay. The SSL Relay relays packets only to the target computers listed on the Connection
tab. The target server and port specified on your server running the Web Interface or
XenApp plug-in must be listed on this tab. By default, no servers are listed.
See the topic Configuring TCP Ports for a list of ports used in a server farm.
Once a certificate is added, the default ICA and Citrix XML Service ports are added for the
local computer.
• Relay Listening Port. The TCP port where SSL clients connect to the SSL Relay. The
  default port number is 443. If your server has multiple IP addresses, this port is used on
  all of them. If you change this value, you must make the same change on the client
  device. You may also need to open the port on any firewalls between the client device
  and the SSL Relay.
• Encryption Standard. SSL Relay can be configured to use either SSL or TLS. The protocol
  that is required is configured using the SSL Relay configuration tool.
• Server Name. The fully qualified domain name (FQDN) of the server to which to relay
  the decrypted packets. If certificates are not configured, no servers are listed. If
  certificates are configured, the FQDN of the server on which the SSL Relay is running
  appears here.
• Ports. The TCP ports where ICA and the Citrix XML Service are listening.
Important: If you change the default Citrix SSL Relay port, you must set SSLProxyHost to
the new port number in the XenApp Plug-in for Hosted Apps icaclient.adm file. For more
information about plug-in settings, see the XenApp Plug-in for Hosted Apps administrator
documentation in Citrix eDocs.
To add a server to the destination server list
1. On the server where you installed Citrix SSL Relay, click All Programs > Citrix >
Administration Tools > Citrix SSL Relay Configuration Tool.
2. Click the Connection tab and click New.
3. Type the FQDN of the computer in the Server Name box.
4. Type the port number of the Citrix XML Service in the Destination ports box and click
Add. Type the port number where ICA is listening in the Destination Ports box and click
Add.
These additional servers must also be specified in the configuration of servers running the
Web Interface.
To change the port for a server listed in the destination server list
1. If you did not already do so, select the Connection tab.
2. Click the entry that you want to edit to select it.
3. Click Edit to display the Target Server Properties dialog box.
4. Select a destination port to remove and click Delete.
5. In the field below Destination ports, type the number of the new destination port and
click Add.
To run the SSL Relay on port 443 without using HTTPS
1. Stop the Microsoft Internet Information Service.
2. Configure and start the SSL Relay service.
3. Restart the Microsoft Internet Information Service.
The SSL Relay uses port 443 before IIS, including when the server is restarted.
Note: When you install XenApp, members of the User group are allowed to edit registry
entries in the registry hive
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Secure\Citrix\Citrix SSL Relay, or
HKEY_LOCAL_MACHINE\SOFTWARE\Secure\Citrix\Citrix SSL Relay on XenApp, 32-bit
Edition. You can use the Microsoft Security Configuration and Analysis tool to prevent
members of the User group from editing these registry entries.
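One way to check the permission described in the note above, as an added PowerShell example that is not part of the Citrix documentation: it reads the ACL of both registry paths named in the note and lists the Allow entries that give the Users group write-type rights. The function and variable names are hypothetical, and also reporting Authenticated Users and Everyone goes beyond the note (an assumption that those broad groups matter for the same reason).

```powershell
# Added example. Written for PowerShell 2.0 or later; run on the XenApp server.
$RelayKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Secure\Citrix\Citrix SSL Relay',  # first path in the note
    'HKLM:\SOFTWARE\Secure\Citrix\Citrix SSL Relay'               # XenApp, 32-bit Edition
)

# Well-known SIDs, so the check does not depend on localized group names.
$BroadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'   # assumption: also worth reporting
    'S-1-1-0'      = 'Everyone'              # assumption: also worth reporting
}

# Rights that let a principal change values, subkeys or the ACL itself.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Inherit-only entries can carry generic rights instead of registry-specific ones.
$GenericMask = 0x40000000 -bor 0x10000000    # GENERIC_WRITE, GENERIC_ALL

function Get-RelayKeyWriteAccess {
    param([string[]]$KeyPath = $RelayKeys)

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -Path $path)) {
            Write-Verbose "Key not present: $path"
            continue
        }
        $acl = Get-Acl -Path $path
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }

            $granted = [int]$rule.RegistryRights
            if (($granted -band ($WriteMask -bor $GenericMask)) -eq 0) { continue }

            try {
                $sid = $rule.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # identity does not resolve to a SID, so it is none of the groups above
            }
            if (-not $BroadSids.ContainsKey($sid)) { continue }

            New-Object PSObject -Property @{
                Key       = $path
                Group     = $BroadSids[$sid]
                Rights    = $rule.RegistryRights.ToString()
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-RelayKeyWriteAccess | Select-Object Key, Group, Rights, Inherited | Format-List
```

No output means that neither key grants write-type rights to the listed groups (or that neither key exists on this server); run it again after applying the restriction to confirm the entries are gone.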
Configuring the Ciphersuites Allowed by the SSL Relay
Use the Ciphersuites tab to configure which combinations of ciphersuites the SSL Relay will
accept from the client (a server running the Web Interface or XenApp plugin). The
Ciphersuites dialog box lists the available and allowed ciphersuites. The SSL Relay accepts
connections only from clients that support at least one of the allowed ciphersuites.
Installing additional ciphersuites is not supported.
Available ciphersuites are grouped into GOV (Government) or COM (Commercial). Note that
GOV ciphersuites are normally used when TLS is specified. However, any combination of
ciphersuite and security protocol can be used. Contact your organization’s security expert
for guidance about which ciphersuites to use.
Descriptions of ciphersuites are found in Appendix C of the Internet Society RFC 2246,
available online at http://www.rfc-editor.org.
By default, connections using any of the supported ciphersuites are allowed.
To add or remove ciphersuites
1. On the server where you installed Citrix SSL Relay, click All Programs > Citrix >
Administration Tools > Citrix SSL Relay Configuration Tool.
2. Select a ciphersuite from the left column and click Add to allow it, or select one from
the right column and click Remove to disallow it.
Using the Secure Gateway
Use the Secure Gateway to provide SSL/TLS encryption between a secure Internet gateway
server and an SSL-enabled client, combined with encryption of the HTTP communication
between the Web browser and the Web server. Using the Secure Gateway makes firewall
traversal easier and improves security by providing a single point of entry and secure access
to your server farms.
In general, you use the Secure Gateway when:
• You want to hide internal IP addresses
• You want to secure public access to your farm’s servers
• You need two-factor authentication (in conjunction with the Web Interface)
Using the Secure Gateway provides the following benefits:
• Secure Internet access
• Removes the need to publish the addresses of every server running XenApp
• Simplifies server certificate management
• Allows a single point of encryption and access to the servers
Use the Secure Gateway to create a gateway that is separate from the computers running
XenApp. Establishing the gateway simplifies firewall traversal because ICA traffic is routed
through a widely accepted port for passage in and out of firewalls. The Secure Gateway
provides increased scalability.
However, because ICA communication is encrypted only between the client and the
gateway, you may want to use SSL Relay to secure the traffic between the gateway and the
servers running XenApp, including the servers hosting the Citrix XML Service.
For more information about implementing and configuring the Secure Gateway, see the
Secure Gateway for Windows administrator documentation at Citrix eDocs.
Using the Secure Ticket Authority
The Secure Ticket Authority (STA) is responsible for issuing session tickets in response to
connection requests for published resources on XenApp. These session tickets form the basis
of authentication and authorization for access to published resources.
When you install XenApp, you also install the STA. The STA is embedded within the Citrix
XML Service.
Important: If you are securing communications between the Secure Gateway and the
STA, ensure that you install a server certificate on the server running the STA and
implement SSL Relay. In most cases, internally generated certificates are used for this
purpose.
To display STA performance statistics
In addition to monitoring the performance of the server running the Secure Gateway, Citrix
recommends monitoring the performance of the server running the Secure Ticket Authority
(STA) as part of your administrative routine.
1. Access the Performance Monitor.
2. Right-click in the right pane and click Add Counters.
3. For the location of the performance counters, select Use local computer counters.
4. From the Performance Object drop-down list, select Secure Ticket Authority.
5. Select the performance counters you want to monitor and click Add.
6. Click Close.
7. Use the Windows Performance Console controls that appear at the top of the right pane
to switch views and add counters.
Identifying Entries in the STA Log
The STA logs fatal errors to its application log, which is located in the \inetpub\scripts
directory. When creating a log, the STA uses the following format for naming log files:
stayyyymmdd-xxx.log
where yyyy is the year, mm is the month, and dd is the day of the log file creation.
The first time the STA is loaded, it creates a log file.
To view entries in the STA log, use a plain-text editor to open the log file.
If the STA does not create a log file, it may be due to lack of write privileges to the
\inetpub\scripts directory.
Securing Network Communications
Network communication between servers and client devices can be a security risk in any
enterprise environment.
In addition to physically securing servers, most organizations install network security
measures including firewalls to isolate servers running XenApp and Web browsers from the
Internet and publicly accessible networks. To deploy XenApp on internal networks, secure
communications between the client and server by means of SSL/TLS or other security
measures.
Depending on your security needs, you can incorporate the following network
communication security components when designing XenApp deployments:
• At the client-server level inside your network:
    • By encrypting the Independent Computing Architecture (ICA) protocol using
      SecureICA
    • Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption
• At the network level, when clients are communicating with your farm remotely across
  the Internet:
    • The Secure Gateway
    • Secure Ticket Authority
    • Network firewalls
    • Proxy servers
Part of securing your server farm is making sure that only properly authenticated users can
access your servers and resources, which can include smart cards.
Configuring TCP Ports
This table lists the TCP/IP ports that the servers, XenApp Hosted Plug-in, IMA Service, and
other Citrix services use in a server farm. This information can help you configure firewalls
and troubleshoot port conflicts with other software.
Communication | Default port | Configuration
--- | --- | ---
Access Management Console | 135 | Not configurable
Citrix SSL Relay | 443 | See Using the SSL Relay with the Microsoft Internet Information Service (IIS) for configuration instructions
Citrix XML Service | 80 | See the information about configuring the XML Service port in the XenApp Installation documentation at Citrix eDocs for configuration instructions
Client-to-server (directed UDP) | 1604 | Not configurable
ICA sessions (clients to servers) | 1494 | See the XenApp Command Reference at Citrix eDocs for instructions about the ICAPORT command to change the port number
License Management Console | 8082 | See Getting Started with Citrix Licensing at Citrix eDocs for more information
XenApp Advanced Configuration or Presentation Server Console to server | 2513 | See the XenApp Command Reference at Citrix eDocs for information about the IMAPORT command
Server to license server | 27000 | In the console, open the farm or server properties page, and select License Server
Server to Microsoft SQL or Oracle server | 139, 1433, or 443 for MS-SQL | See the documentation for the database software
Server to server | 2512 | See the XenApp Command Reference at Citrix eDocs for information about the IMAPORT command
Session reliability | 2598 | See Configuring Session Reliability.
Using Proxy Servers
A proxy server accepts connection requests from client devices and redirects those requests
to the appropriate XenApp servers. Using a proxy server, much like using a firewall, gives
you more control over access to the XenApp servers and provides a heightened level of
security for your network. A proxy server, as opposed to a firewall, uses a different port
from that used by the XenApp servers.
For information about using proxy servers with the XenApp plug-ins, see the information
about XenApp Plug-in for Hosted Apps.
Supported proxy servers are:
• Microsoft Internet Security and Acceleration (ISA) Server 2004 and 2006
• iPlanet Web Proxy Server 3.6
• Squid 2.6 STABLE 4
• Microsoft Proxy Server 2.0
Configuring Authentication for Workspace Control
If users log on using smart cards or pass-through authentication, you must set up a trust
relationship between the server running the Web Interface and any server in the farm that
the Web Interface accesses for published applications. Without the trust relationship, the
Disconnect, Reconnect, and Log Off (“Workspace Control”) commands fail for those users
logging on with smart card or pass-through authentication. For more information about
Workspace Control, see Ensuring Session Continuity for Mobile Workers.
You do not need to set up a trust relationship if your users authenticate to the Web
Interface or XenApp Plugin for Hosted Apps by typing in their credentials.
To set up the trust relationship, open the server’s Properties page in the Access
Management Console, choose XML Service in the left pane, and select Trust requests sent to
the XML Service. The Citrix XML Service communicates information about published
applications among servers running the Web Interface and servers running XenApp.
If you configure a server to trust requests sent to the Citrix XML Service, consider these
factors:
• The trust relationship is not necessary unless you want to implement Workspace Control
  and your users log on using smart cards or pass-through authentication.
• Enable the trust relationship only on servers directly contacted by the Web Interface.
  These servers are listed in the Web Interface Console.
• When you set up the trust relationship, you depend on the Web Interface server to
  authenticate the user. To avoid security risks, use SSL Relay, IPSec, firewalls, or any
  technology that ensures that only trusted services communicate with the Citrix XML
  Service. If you set up the trust relationship without using IPSec, firewalls, or other
  security technology, it is possible for any network device to disconnect or terminate
  client sessions.
• Configure SSL Relay, IPSec, firewalls, or other technology that you use to secure the
  environment so that they restrict access to the Citrix XML Service to only the Web
  Interface servers. For example, if the Citrix XML Service is sharing a port with IIS, you
  can use the IP address restriction capability in IIS to restrict access to the Citrix XML
  Service.
Using Smart Cards with Citrix XenApp
You can use smart cards in your XenApp environment. Smart cards are small plastic cards
with embedded computer chips.
In a XenApp environment, smart cards can be used to:
• Authenticate users to networks and computers
• Secure channel communications over a network
• Use digital signatures for signing content
If you are using smart cards for secure network authentication, your users can authenticate
to applications and content published on servers. In addition, smart card functionality
within these published applications is also supported.
For example, a published Microsoft Outlook application can be configured to require that
users insert a smart card into a smart card reader attached to the client device to log on to
the server. After users are authenticated to the application, they can digitally sign email
using certificates stored on their smart cards.
Citrix has tested smart cards that meet Standard 7816 of the International Organization for
Standardization (ISO) for cards with electrical contacts (known as a contact card) that
interface with a computer system through a device called a smart card reader. The reader
can be connected to the host computer by the serial, USB, or PCMCIA port.
Citrix supports the use of PC/SC-based cryptographic smart cards. These cards include
support for cryptographic operations such as digital signatures and encryption.
Cryptographic cards are designed to allow secure storage of private keys such as those used
in Public Key Infrastructure (PKI) security systems. These cards perform the actual
cryptographic functions on the smart card itself, meaning the private key and digital
certificates never leave the card.
In addition, Citrix supports two-factor authentication for increased security. Instead of
merely presenting the smart card (one factor) to conduct a transaction, a user-defined PIN
(a second factor), known only to the user, is employed to prove that the cardholder is the
rightful owner of the smart card.
Note: XenApp does not support RSA Security Inc.’s PKCS (Public-Key Cryptography
Standard) #11 functional specification for personal cryptographic tokens.
You can also use smart cards with the Web Interface for XenApp. For details about
configuring the Web Interface for smart card support, see the Web Interface administrator
documentation at Citrix eDocs.
Smart Card Requirements
Before using smart cards with XenApp, consult your smart card vendor or integrator to
determine detailed configuration requirements for your specific smart card
implementation.
The following components are required on the server:
• PC/SC software
• Cryptographic Service Provider (CSP) software
These components are required on the device running the supported XenApp plug-in:
• PC/SC software
• Smart card reader software drivers
• Smart card reader
Your Windows server and client operating systems may come with PC/SC, CSP, or smart
card reader drivers already present. See your smart card vendor for information about
whether these software components are supported or must be replaced with
vendor-specific software.
You do not need to attach the smart card reader to your server during CSP software
installation if you can install the smart card reader driver portion separately from the CSP
portion.
If you are using pass-through authentication to pass credentials from your client device to
the smart card server session, CSP software must be present on the client device.
Configuring XenApp for Smart Cards
A complete and secure smart card solution can be relatively complicated and Citrix
recommends that you consult your smart card vendor or integrator for details.
Configuration of smart card implementations and configuration of third-party security
systems, such as certificate authorities, are beyond the scope of this documentation.
Smart cards are supported for authenticating users to published applications or for use
within published applications that offer smart card functionality. Only the former is
enabled by default upon installation of XenApp.
The following XenApp clients and plug-ins support smart cards:
• XenApp Plug-in for Hosted Apps
• Client for Linux
• Client for Windows-based terminals
• Client for Macintosh
To configure smart card support for users of these plug-ins and clients, see the section in
eDocs for the plug-ins and clients in your environment.
Configuring Kerberos Logon
Citrix XenApp Plug-in for Hosted Apps features enhanced security for pass-through
authentication. Rather than sending user passwords over the network, pass-through
authentication leverages Kerberos authentication. Kerberos is an industry-standard network
authentication protocol built into the Windows operating systems. Kerberos logon offers
security-minded users the convenience of pass-through authentication combined with
secret-key cryptography and data integrity provided by industry-standard network security
solutions.
System requirements
Kerberos logon works only between clients and servers that belong to the same or to
trusted Windows domains. Servers must also be trusted for delegation, an option you
configure through the Active Directory Users and Computers management tool.
Kerberos logon is not available:
• If you use the following options in Terminal Services Configuration:
    • Use standard Windows authentication
    • Always use the following logon information or Always prompt for password
• If you route connections through Secure Gateway
• If the server running XenApp requires smart card logon
Kerberos requires Citrix XML Service DNS address resolution to be enabled for the server
farm or reverse DNS resolution to be enabled for the Active Directory domain.
Windows Server 2008 User Access Control and Administrator Sessions
The User Access Control feature of the Windows Server 2008 operating system prompts
users to enter their credentials when all of the following requirements are met:
• Kerberos logon is enabled on a computer hosting the Windows 2008 Server operating
  system and running XenApp
• Users logging on to the computer running XenApp are members of the Administrator
  group on that computer
• After logon, Administrator group users attempt to access network resources such as
  shared folders and printers.
Limitations of Kerberos Pass-through Authentication to XenApp
Windows supports two authentication protocols, Kerberos and NTLM, so Windows
applications such as Windows Explorer, Internet Explorer, Mozilla Firefox, Apple Safari,
Google Chrome, Microsoft Office, and others, can use Windows pass-through authentication
to access network resources without explicit user authentication prompts.
When Kerberos pass-through authentication is used to start a XenApp session, there are
technical limitations that may affect application behavior.
• Applications running on XenApp that depend on the NTLM protocol for authentication
  generate explicit user authentication prompts or fail.

  Most applications and network services that support Windows pass-through
  authentication accept both Kerberos and NTLM protocols, but some do not. In addition,
  Kerberos does not operate across certain types of domain trust links, in which case
  applications automatically use the NTLM protocol. However, the NTLM protocol does not
  operate in a XenApp session that is started using the Kerberos pass-through
  authentication, preventing applications that cannot use Kerberos from authenticating
  silently.
• Kerberos pass-through authentication for applications expires if the XenApp session is
  left running for a very long time (typically one week) without being disconnected and
  reconnected.

  Kerberos is based on security tickets issued by domain controllers, which impose a
  maximum refresh period (typically one week). When the maximum refresh period has
  ended, Windows obtains a new Kerberos ticket automatically by using the cached
  network credentials that are required for the NTLM protocol. However, these network
  credentials are not available when the XenApp session was started using Kerberos
  pass-through authentication.
To enable Citrix XML Service DNS address resolution
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the Farm node and select Action > Modify farm properties > Modify all
properties.
3. From the farm’s Properties list, open the XenApp page and select the General option.
4. In the details pane, select the option XML Service DNS address resolution.
To disable Kerberos logon to a server
Caution: Using Registry Editor can cause serious problems that can require you to
reinstall the operating system. Citrix cannot guarantee that problems resulting from
incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
To prevent Kerberos authentication for users on a specific server, create the following
registry key as a DWORD Value on the server.
On XenApp, 64-bit Edition: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Logon\DisableSSPI = 1
On XenApp, 32-bit Edition: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Logon\DisableSSPI = 1
You can configure the Citrix online plug-ins to use Kerberos with or without pass-through
authentication.
Logging Administrative Changes to a XenApp Farm
The Configuration Logging feature allows you to keep track of administrative changes made
to your server farm environment. By generating the reports that this feature makes
available, you can determine what changes were made to your server farm, when they
were made, and which administrators made them. This is especially useful when multiple
administrators are modifying the configuration of your server farm. It also facilitates the
identification and, if necessary, reversion of administrative changes that may be causing
problems for the server farm.
When this feature is enabled for a licensed server farm, administrative changes initiated
from the following components lead to the creation of log entries in a central Configuration
Logging database:
• Access Management Console or Delivery Services Console
• Advanced Configuration tool or Presentation Server Console
• some command-line utilities
• tools custom built with the MPSSDK and CPSSDK
Before you enable the Configuration Logging feature:
• Determine the level of security and control you need over the configuration logs. This
  determines if you need to set up additional database user accounts and if you want to
  make XenApp administrators enter credentials before clearing logs.
• Determine how strictly you want to log tasks; for example, if you want to log
  administrative tasks and if you want to allow administrators to make changes to a farm
  if the task cannot be logged (for example, if the database is disconnected).
• Determine if you want to allow administrators to be able to clear configuration logs and
  if you want them to have to supply credentials for this purpose. This requires the
  permission to Edit Configuration Logging settings.
To enable the Configuration Logging feature:
• Set up the Configuration Logging database
• Define the Configuration Logging database access permissions
• Configure the Configuration Logging database connection
• Set the Configuration Logging properties
• Delegate administrative permissions, as needed
Note: To securely store the credentials used for accessing the Configuration Logging
database, you can enable the IMA encryption feature when you deploy your server
farm. After this is enabled, however, you cannot disable it without losing the data it
encrypted. Citrix recommends that you configure IMA encryption before the
Configuration Logging feature is configured and used.
The Configuration Logging feature, after it is properly enabled, runs in the background as
administrative changes trigger entries in the Configuration Logging database. The only
activities that are initiated by the user are generating reports, clearing the Configuration
Logging database, and displaying the Configuration Logging properties.
Setting up the Configuration Logging Database
The Configuration Logging feature supports Microsoft SQL Server 2005 and 2008 and Oracle
Version 10.2 and 11.1 databases.
The Configuration Logging database must be set up before Configuration Logging can be
enabled. Only one Configuration Logging database is supported per server farm, regardless
of how many domains are in the farm. When the Configuration Logging database is set up,
you also must ensure that the appropriate database permissions are provided for XenApp so
that it can create the database tables and stored procedures (preceded by
“CtxLog_AdminTask_”) needed for Configuration Logging. Do this by creating a database
user who has “ddl_admin” or “db_owner” permissions for SQL Server, or a user who has the
“connect” and “resource” roles and “unlimited tablespace” system privilege for Oracle.
This is used to provide XenApp full access to the Configuration Logging data.
General Requirements
• The Configuration Logging feature does not allow you to use a blank password to
connect to the Configuration Logging database
• Each server in the server farm must have access to the Configuration Logging database
Note: For additional instructions about how to manage and use schemas in SQL Server,
see your SQL Server documentation.
Considerations for SQL Server
• For SQL Server 2005, only one server farm is supported per Configuration Logging
database. To store Configuration Logging information for a second farm, create a
second Configuration Logging database.
• For SQL Server 2005, when using Windows Integrated Authentication, only fully
qualified domain logons are valid. Local user account credentials will fail to
authenticate on the database server that hosts the Configuration Logging database.
• For SQL Server 2005, ensure that all Citrix administrators accessing the same farm are
configured to use the same default schema. The database user who will create the
Configuration Logging tables and stored procedures must be the owner of the default
schema. If you are using dbo as the default schema, the database user must have
db_owner permissions. If you are using ddl_admin as the default schema, the database
user must have ddl_admin permissions.
Considerations for Oracle
• For Oracle, only one farm is supported per schema. To store Configuration Logging
information for a second farm in the same database instance, use a different schema.
Tables and stored procedures are created in the schema associated with the user who
initially configured the Configuration Logging feature. For instructions about how to
manage and use a different schema, see your Oracle documentation.
• Before running the Access Management Console or Delivery Services Console, you must
update the Oracle tnsnames.ora client file to include the connectivity information
needed to access the available databases.
• If you are using Oracle Version 10.2, Citrix recommends that you apply the Oracle patch
10.2.0.1.4P (patch 4; patchset 4923768) and any subsequent patches. These patches
ensure that the Oracle client software can operate correctly if installation directories
contain a parenthesis character; for example, a directory folder named Program
Files/(x86).
Defining Database Permissions for Configuration Logging
The first time the Configuration Logging feature is enabled, it connects to the Configuration
Logging database and discovers that the database schema does not exist. XenApp then
creates the database schema, tables, and stored procedures. To create a database schema,
XenApp needs full access to the database as described in Setting up the Configuration
Logging Database. After the database schema is created, full access is no longer necessary
and you have the option of creating additional users with fewer permissions.
The following table lists the minimum permissions required to perform the Configuration
Logging tasks.
Configuration Logging task | Database permissions needed
To create log entries in the database tables | INSERT for the database tables, EXECUTE for the stored procedures, and SELECT for sysobjects and sysusers (SQL Server) or sys.all_objects (Oracle). (Oracle also requires SELECT for sequence objects and the create session system privilege)
To clear the log | DELETE/INSERT for the database tables, EXECUTE for the GetFarmData stored procedure, and SELECT for sysobjects and sysusers (SQL Server) or sys.all_objects (Oracle). (Oracle also requires SELECT for sequence objects and the create session system privilege)
To create a report | EXECUTE for the Citrix Configuration Logging stored procedures. SELECT for sysobjects and sysusers (SQL Server) or sys.all_objects (Oracle). (Oracle also requires the create session system privilege)
Note: The Configuration Logging components must have access to the GetFarmData
stored procedure to find out if a Configuration Logging database is associated with a
farm. If you do not have permission to execute an existing GetFarmData stored
procedure, this farm is invisible to the Configuration Logging components.
Considerations for SQL Server
• Before you configure the Configuration Logging database connection, grant EXECUTE
permission to the system stored procedure sp_databases to list the databases on the
database server
• The authentication mode must be the same for the database user who creates log
entries in the database tables and the database user who clears the log
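The minimum-permissions table above, written out as SQL Server role grants so that the account that writes log entries cannot also clear them. This is an added example, not Citrix-supplied code: the database name CtxConfigLog, the three role names and the two user names are placeholders, and finding the GetFarmData procedure by its name suffix is an assumption; the CtxLog_AdminTask_ prefix comes from this guide.

```sql
-- Added example, not Citrix-supplied. Run as a database owner in the Configuration
-- Logging database AFTER XenApp has created its schema with the full-access account.
-- Placeholders/assumptions: database CtxConfigLog, the three role names, the two
-- user names, and matching GetFarmData by name suffix.
USE [CtxConfigLog];
GO

CREATE ROLE CtxLogWriter;    -- farm servers: create log entries
CREATE ROLE CtxLogCleaner;   -- account entered when clearing the log
CREATE ROLE CtxLogReporter;  -- Report Center: create a report
GO

DECLARE @obj nvarchar(600), @type char(2), @name sysname, @sql nvarchar(max);

-- Every table (U) and stored procedure (P) XenApp created carries the
-- CtxLog_AdminTask_ prefix; [_] makes LIKE treat the underscore literally.
DECLARE ctxlog_objects CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(SCHEMA_NAME(schema_id)) + N'.' + QUOTENAME(name), type, name
    FROM sys.objects
    WHERE type IN ('U', 'P')
      AND name LIKE N'CtxLog[_]AdminTask[_]%';

OPEN ctxlog_objects;
FETCH NEXT FROM ctxlog_objects INTO @obj, @type, @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @type = 'U'
    BEGIN
        -- Tables: INSERT to write entries, DELETE/INSERT to clear the log.
        SET @sql = N'GRANT INSERT ON ' + @obj + N' TO CtxLogWriter; '
                 + N'GRANT DELETE, INSERT ON ' + @obj + N' TO CtxLogCleaner;';
    END
    ELSE
    BEGIN
        -- Stored procedures: EXECUTE to write entries and to create reports.
        SET @sql = N'GRANT EXECUTE ON ' + @obj + N' TO CtxLogWriter; '
                 + N'GRANT EXECUTE ON ' + @obj + N' TO CtxLogReporter;';
        -- Clearing the log needs EXECUTE on GetFarmData only.
        IF @name LIKE N'%GetFarmData'
            SET @sql = @sql + N' GRANT EXECUTE ON ' + @obj + N' TO CtxLogCleaner;';
    END
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM ctxlog_objects INTO @obj, @type, @name;
END
CLOSE ctxlog_objects;
DEALLOCATE ctxlog_objects;
GO

-- All three tasks need SELECT on sysobjects and sysusers.
GRANT SELECT ON sys.sysobjects TO CtxLogWriter;
GRANT SELECT ON sys.sysusers   TO CtxLogWriter;
GRANT SELECT ON sys.sysobjects TO CtxLogCleaner;
GRANT SELECT ON sys.sysusers   TO CtxLogCleaner;
GRANT SELECT ON sys.sysobjects TO CtxLogReporter;
GRANT SELECT ON sys.sysusers   TO CtxLogReporter;
GO

-- Placeholder users that must already exist in this database. The writer and the
-- cleaner must use the same authentication mode (both SQL or both Windows).
EXEC sp_addrolemember N'CtxLogWriter',  N'ctxlog_writer';
EXEC sp_addrolemember N'CtxLogCleaner', N'ctxlog_cleaner';
GO

-- Review what each role can actually do on objects in this database.
SELECT pr.name              AS role_name,
       pe.state_desc,
       pe.permission_name,
       OBJECT_NAME(pe.major_id) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'CtxLogWriter', N'CtxLogCleaner', N'CtxLogReporter')
  AND pe.class = 1   -- object-level permissions
ORDER BY pr.name, securable, pe.permission_name;
```

With the Require administrators to enter database credentials before clearing the log check box selected, the account stored by the wizard needs only CtxLogWriter membership, and the final query should show no DELETE permission for that role.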
To configure the connection to the Configuration Logging database using the Configuration Logging Database wizard
After the Configuration Logging database is set up by your database administrator and the
appropriate database credentials are provided to XenApp, the connection to the
Configuration Logging database must be configured through the Configuration Logging
Database wizard.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select a farm.
3. In the task pane, under Common Tasks, click Modify farm properties > Modify
configuration log properties.
4. In the Configuration Logging dialog box, click the Configure Database button to open
the wizard.
If you are using a SQL Server database, you need to provide or select:
• The name of the database server
• An authentication mode
• The name of the database
• The logon credentials for the database user that were created when you set up the
Configuration Logging database
When you use SQL Server, the Use encryption connection option in the wizard is enabled by
default. If your database does not support encryption, you must disable this option.
If you are using an Oracle database, you must provide a net services name as well as the
logon credentials. The net services names listed in the Data Source drop-down list are in
the Oracle tnsnames.ora client file. You are then asked to specify various connection and
pooling options. For information about how to configure these options, see your SQL Server
or Oracle documentation.
Note: Credentials are always required for both Oracle and SQL Server, even if you are
using Windows Integrated Authentication. The credentials are stored using the IMA
encryption feature. Each server that creates log entries uses the credentials to connect
to the Configuration Logging database.
Note: After you configure the connection to the Configuration Logging database, you
cannot set the database back to None. To stop logging, clear the Log administrative tasks
to Configuration Logging database check box in the Configuration Logging dialog box.
To configure a SQL Server database for configuration logging
1. Under Database configuration on the Configuration Logging page of your Farm
Properties dialog box, click Configure Database.
2. On the Select Connection Details page, select SQL Server as a connection type.
3. Use the drop-down list to select a SQL Server. You can also enter a server name
manually if the server is available but does not appear in the drop-down list.
4. Select Use Windows integrated security (recommended) or Use SQL Server
authentication.
5. Enter a valid user name and password for your SQL Server database.
6. Click Next. The Select Database page opens. Use the Specify the database drop-down
list to enter the name of your database. You can also enter a database name manually
here.
7. Click Next. The Select Advanced Options page opens. Configure the following
connection and connection pooling options:
• Connection options comprise Connection time-out (seconds), Packet size (bytes),
and Use encryption.
• Under Connection pooling on the database server, if desired, clear Connection
pooling enabled. This disables the Connection Pooling feature.
Note: It is not necessary to modify the default values of these settings for the
configuration to work. A possible exception is the Use encryption setting. For security
reasons the default value of this setting is Yes. However if the SQL Server database
server you are connecting to does not support encryption, the connection will fail.
Click the Test Database Connection button on the Check New Connection Summary
page to check whether or not the database supports encryption. If it does not, an
error message to that effect is returned.
8. Click Next. The Check New Connection Summary page opens with a summary of the
settings you configured. Click Back to return and alter any settings if required.
9. Click Test Database Connection. A dialog box appears telling you whether or not the
connection was successfully established.
To configure an Oracle database for configuration logging
1. Under Database configuration on the Configuration Logging page of your Farm
Properties dialog box, click Configure Database.
2. On the Select Connection Details page, select Oracle as an information type. This
selection dynamically changes some of the information for which you will be asked.
3. Use the drop-down list to select a net service name. You can also enter a net service
name manually.
4. Enter a valid user name and password for your Oracle database.
5. Click Next. The Select Advanced Options page opens. Configure the following
connection and connection pooling options.
• Connection options comprise Connection time-out (seconds), Packet size (bytes),
and Use encryption.
• Under Connection pooling on the database server, if desired, clear Connection
pooling enabled. This disables the Connection Pooling feature.
Note: It is not necessary to modify the default values of these settings for the
configuration to work.
6. Click Next. The Check New Connection Summary page opens with a summary of the
settings you configured. Click Back to return and alter any settings if required.
7. Click Test Database Connection. A dialog box appears telling you whether or not the
connection was successfully established.
To set Configuration Logging properties
Before you set Configuration Logging properties, ensure a SQL Server or Oracle database is
configured. Otherwise, the Log Tasks and Clearing log areas of the Configuration Logging
page are not active.
After establishing a connection to the database, you enable the Configuration Logging
feature:
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select a farm.
3. In the task pane, under Common Tasks, click Modify farm properties > Modify
configuration log properties.
4. Under Log tasks, select Log administrative tasks to logging database to enable
configuration logging. If you want administrators to be able to make changes to the
farm when the database is disconnected, select Allow changes to the farm when
database is disconnected, which becomes available when configuration logging is
enabled.
5. To prompt administrators to enter their credentials before clearing the log, under
Clearing log, select the Require administrators to enter database credentials before
clearing the log check box.
Note: A Citrix administrator requires the Edit Configuration Logging Settings permission
to change any Configuration Logging settings or clear the log.
Delegating the Administration of Configuration Logging
Full Citrix administrators can edit the Configuration Logging settings and select the task to
clear the log in the Access Management Console or Delivery Services Console, or they can
authorize other administrators to perform these tasks by assigning them the delegated
administration permission Edit Configuration Logging Settings. Without this permission,
ordinary administrators cannot perform these functions.
To view Configuration Logging properties
The Configuration Logging feature, after it is properly enabled, runs in the background as
administrative changes trigger entries in the Configuration Logging database. The only
activities that are initiated by the user are generating reports, clearing the Configuration
Logging database, and displaying the Configuration Logging properties.
You can view Configuration Logging properties at the farm level.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a farm.
3. In the task pane, under Common Tasks, click Modify farm properties > Modify
configuration log properties.
Clearing Entries from the Configuration Logging Database
It may become necessary to clear the entries in the Configuration Logging database
occasionally if the population of the tables becomes too large. To clear the log, you must:
• Be a full or delegated Citrix administrator with the permissions to edit the
Configuration Logging settings. These permissions allow you to select the Clearing the
Log task.
• Have the correct database user account permissions. These permissions allow you to
clear the log in the database. By default, the database credentials defined in the
database wizard are used to clear the log.
To manage which database users can clear the configuration log, Citrix recommends that
you enable the Require administrators to enter database credentials before clearing the log
check box in Configuration Logging properties. This ensures only database users with
permissions to clear logs can clear them. Therefore, anyone attempting to clear the log is
prompted for database credentials.
If you configured a SQL Server database and you want to clear a log, you can only enter
credentials that correspond with the same type of authentication mode that you selected
when you connected to the database initially. Specifically:
• For SQL authentication, credentials with permissions for the Configuration Logging
database on the SQL server are required
• For Windows Integrated authentication, XenApp impersonates the database user when
it connects to the SQL database, so you must enter the credentials for the Windows
user account
To clear log entries from the Configuration Logging database
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. From the left pane, select a farm.
3. From the task pane, under Other Tasks, click Clear configuration log.
Generating Configuration Logging Reports
Reports that draw the information from the tables created in the Configuration Logging
database can be configured and generated in the Report Center.
Important: When the Configuration Logging feature is enabled, only administrative
changes made to servers running XenApp are logged and appear in the reports that are
generated.
The supported versions of Microsoft SQL Server are verified for MDAC 2.8.
Reports can be generated based on the following filter criteria (wildcards are not
supported):
• Time period. When the actions occurred that you want to review. The actions covered
in the report appear with the local time where the report is generated.
• Type of item. Select the type of object for which you want to report changes.
• Name of item. After you select an item type, you can provide the name of a specific
object on which to report. The name of the item search does not support wildcards;
therefore, enter the exact name of the object to get the desired result.
• User name. The Citrix administrators whose actions are covered in the report.
When no filter criteria are selected (the default), all log entries are included in the report.
After you select the filtering criteria for the report, it can be published from the Report
Center.
Note: To generate a report from an Oracle logging database, you must first install the
Oracle Provider for OLE DB. This can be done by performing a custom installation of the
Oracle client.
To generate a Configuration Logging report
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the Report Center node.
3. In the task pane under Common Tasks, click Generate report.
4. From the Report type drop-down list, select Configuration Logging Report.
5. Click Next to start the Configuration Logging Report wizard. Follow the steps in the
wizard to generate a report.
Note: If you are using SQL Server or Oracle database authentication, the Allow saving
password check box must be selected.
Encrypting Sensitive Configuration Logging Data
Independent Management Architecture (IMA) is the underlying architecture used in XenApp
for configuring, monitoring, and operating all XenApp functions. The IMA data store stores
all XenApp configurations.
The IMA encryption feature protects administrative data used by the configuration logging
feature. This information is stored in the IMA data store. For IT environments with
heightened security requirements, enabling IMA encryption provides a higher degree of
security for the configuration logging feature. One example would include environments
that require strict separation of duties or where the Citrix Administrator should not have
direct access to the configuration logging database.
IMA encryption is a farm-wide setting that applies to all servers in the farm after encryption
is enabled. Consequently, if you want to enable IMA encryption, you must enable it on all
servers in the farm. IMA encryption has the following components:
• CTXKEYTOOL. Also known as the IMA encryption utility, CTXKEYTOOL is a command-line
utility that you can use to manage IMA encryption and generate key files. CTXKEYTOOL
is in the Support folder of the XenApp media.
• Key file. The key file contains the encryption key used to encrypt sensitive IMA data.
You create the key file by using the CTXKEYTOOL, during Setup, or while changing
farms (chfarm). To preserve the integrity of the encryption, Citrix recommends that
you keep the key file in a secure location and that you do not freely distribute it.
• Key. The same valid IMA encryption key must be loaded on all servers in the farm if IMA
encryption is enabled. After copying the farm’s key file to a server, you load the key by
using the CTXKEYTOOL, during Setup, or using the functionality in chfarm.
It is easier to enable IMA encryption as part of the installation process than after
installation. Enabling IMA encryption after installation requires performing a manual process
on each server. For information about installation methods when you are enabling IMA
encryption during Setup in large-farm environments, see the information about planning for
IMA encryption in the XenApp installation documentation at Citrix eDocs.
Regardless of when you enable IMA encryption, the process has the same basic elements. At
a high level, you perform the following tasks in the order given:
• Generate a key file
• Make the key file accessible to each server in the farm or put it on a shared network
location
• Load the key on to the server from the key file
• Enable IMA encryption
These topics provide information about IMA encryption:
• How to use the IMA encryption utility (CTXKEYTOOL)
• How to enable IMA encryption after installation
• How to change farms
• How to back up farm keys
• What to do if you installed XenApp as a local administrator when you enabled IMA
encryption
Citrix recommends that, if you are enabling IMA encryption in environments that have
multiple farms, you give the keys for each farm a different name.
Important: Citrix strongly recommends backing up the farm key to a safe, secondary
location. For information, see Enabling IMA Encryption Features.
Copying the key to a local computer
Citrix provides a utility for performing various administrative functions after you install
XenApp. This utility is known as the IMA encryption utility and you run it from the
CTXKEYTOOL command. You can use the IMA encryption utility to enable and disable the
IMA encryption feature and generate, load, replace, enable, disable, and retrieve lost key
files. You can also use the IMA encryption utility to check to see if a key is loaded on the
local computer, if IMA encryption is enabled for the farm, and if your key matches the farm
key.
To run the utility locally
1. Copy the CTXKEYTOOL.exe file from the Support folder of the XenApp media to your
local computer.
2. Create a folder named Resource at the same level in your directory structure as the
CTXKEYTOOL file.
3. Copy the entire Support\Resource\en folder to the new Resource folder.
You can store the CTXKEYTOOL.exe file and its accompanying Resource\en folder anywhere
on your computer, provided you maintain the same relative directory structure in which
they were stored on the media.
To generate a key and enable IMA encryption on the first server in a farm
You can enable IMA encryption after you install or upgrade to XenApp. Use this procedure to
generate a key and load the key to the first server to enable IMA encryption, and then
continue by loading the key on the subsequent servers in the farm.
You must have a key on every server in the farm for IMA encryption to work correctly.
1. On the server on which you want to enable IMA encryption, run the generate option
of the CTXKEYTOOL command. The following is an example of the command line to use
to accomplish this:
ctxkeytool generate <full UNC or absolute path, including the file name of the key you want to generate, to the location where you want to store the key file>
Citrix suggests naming the key after the farm on which it will be used; for example,
farmakey.ctx. Citrix also suggests saving the key to a folder that uses the name of your
farm; for example, Farm A Key.
2. Press Enter. The following message appears indicating that you successfully generated a
key file for that server, “Key successfully generated.”
3. To obtain the key from the file and put it in the correct location on the server, run the
load option of the CTXKEYTOOL command on the server on which you want to add the
key. The following is an example:
ctxkeytool load <full UNC or absolute path, including the key file name, to the location where you stored the key file>
4. Press Enter. The following message appears indicating that you successfully loaded the
key on to that server: “Key successfully loaded.” You are now ready to enable the IMA
encryption feature in the data store.
5. Run the newkey option of the CTXKEYTOOL command to use the currently loaded key
and enable the key:
ctxkeytool newkey
6. Press Enter. The following message appears indicating that you successfully enabled the
IMA encryption feature in the data store: “The key for this farm has been replaced. IMA
Encryption is enabled for this farm.”
7. Continue to the procedure for loading the key to other servers in the farm.
To load a key on subsequent servers in the farm
1. If you do not have the key file on a shared network location, on the next server on
which you want to begin enabling IMA encryption, load the key file to the server from
portable storage media.
2. To obtain the key from the file and put it in the correct location on the server, run the
load option of the CTXKEYTOOL command on the server on which you want to add the
key. The following is an example:
ctxkeytool load <full UNC or absolute path, including the key file name, to the location where you stored the key file>
3. Press ENTER. The following message appears indicating that you successfully loaded the
key on to that server, “Key successfully loaded.” You do not need to enable IMA
encryption again (using the newkey option) because you have already enabled it on one
server in the farm.
4. Repeat this process on every server in the farm.
To store the key on a network location
If you choose to store the key on a shared network location, Citrix recommends the
following:
• Make sure that the folder has a meaningful name that specifies the name of the farm
for which the key was created. This is especially important in situations when you
follow the Citrix best practice recommendation of creating a unique key for the farm.
• Make sure that the account you use to generate the key is the same as the account that
will be used to install all the servers in the farm. You must use the same account for
both tasks.
• Grant Read/Execute access to the key file to each computer that will be joining the
farm and to the administrator performing the installation.
In addition, if you want to specify this key when you are enabling IMA encryption during
Setup, you must specify it using a Universal Naming Convention (UNC) path.
The following procedure explains how to store a key on a shared network location. The
procedure assumes that you are performing an Autorun-based installation and generating a
key from Setup while you are installing the first server on the farm. The guidelines provided
in these steps apply to other situations in which you specify the key, such as chfarm and
unattended installations.
1. When you generate the key file, save it to a local directory (as you normally would).
2. After enabling IMA encryption on the server where you originally generated the key,
copy the key file to the shared network location that you want to use for the
subsequent server installations.
3. Grant Read/Execute access to the key file to each computer that will be joining the
farm and to the administrator performing the installation.
Changing Farms
If you need to move a server to a farm that has IMA encryption enabled, you must use the
chfarm command. When you run chfarm, a wizard similar to the Citrix XenApp Setup
wizard launches. This Setup wizard prompts you to specify a key the same way as product
Setup does when you choose to enable IMA encryption. If, before running chfarm, you
choose to load the new farm’s key to the server, note that adding a key to a server with the
same name as an existing key overwrites the existing key.
You cannot enable IMA encryption when you join a farm, either during Setup or when
changing farms, if you are logged on as a local administrator and you attempt to connect to
the data store indirectly. For more information, see the XenApp installation documentation
at Citrix eDocs.
If you are moving a server to a farm that does not have IMA encryption enabled, Setup does
not prompt you to provide a key file and IMA encryption is disabled automatically on the
server you are moving.
Enabling IMA Encryption Features
IMA encryption includes other features that you can use as needed:
• Backing up keys. Citrix strongly recommends backing up the farm key to a safe,
secondary location, such as a CD, immediately after you generate a key. You can create
a copy of the key file when you create it, or you can back up the farm key by using the
backup option in the CTXKEYTOOL command.
• Retrieving lost, deleted, or accidentally overwritten keys. It is possible to recreate a
key file that you accidentally deleted, if, for example, you need it to join a new server
to the farm. Because all servers in the same farm use the same key, you can obtain a
key from another server on the farm. XenApp does not allow you to access keys.
Consequently, to obtain the lost key, you must recreate the entire key file by running
the backup option in the CTXKEYTOOL command on any server in the farm with IMA
encryption that has the key and is functioning properly.
• Disabling and reenabling IMA encryption. You can disable IMA encryption by running the
ctxkeytool disable command on any server in the farm. Because IMA encryption is
a farm-wide feature, you do not need to run this command on every server in the farm.
Running it on one server disables the feature for all servers.
If you disable IMA encryption, to access the Configuration Logging database, you must
reenter the password for the Configuration Logging database. In addition, no
configuration information is logged until you reenter your database credentials in the
Access Management Console or Delivery Services Console.
If you want to reenable IMA encryption after you disabled it, use the enable option of
the CTXKEYTOOL command. After running the enable option, Citrix recommends that
you always run the query option to verify that IMA encryption is enabled.
For information about the CTXKEYTOOL, see the XenApp Command Reference at Citrix
eDocs.
XenApp Service Account Privileges
These tables provide information about the services installed by default with XenApp, their
accounts, associated permissions, and privileges.
XenApp Services Overview
This table lists the display name for the service, which is the name that appears in the
Services panel. When the display name and the service name differ, the table provides
the service name in parentheses. The Dependencies column in the table lists the system
components, such as Windows services, Citrix services, or drivers, on which the service
depends. The Dependencies column also includes subdependencies that might not appear
on the Dependencies tab for the service.
Licensing services, which are not listed here, might also appear if the license server is
installed on the same server as XenApp.
Display Name (Service Name) | Executable | Logon Account / Startup Type | Description | Dependencies
Citrix 64-bit Virtual Memory Optimization | ctxsfosvc64.exe | Local System / Manual | Dynamically optimizes 64-bit applications running on a XenApp server. | None
Citrix Client Network (CdmService) | cdmsvc.exe | Local System / Automatic | Maps client drives and peripherals for access in sessions. | Client Drive Mapping (CDM); Windows Management Instrumentation Driver Extensions; Workstation
Citrix CPU Utilization Mgmt/CPU Rebalancer (CTXCPUBal) | ctxcpubal.exe | .\ctx_cpuuser / Manual | One of the services for the CPU Utilization Management feature. This service enhances resource management across multiple CPUs. This service is installed only on servers that have multiple CPUs. | None
Citrix CPU Utilization Mgmt/Resource Mgmt (ctxcpuSched) | ctxcpusched.exe | Local System / Manual | One of the services for the CPU Utilization Management feature. Manages resource consumption to enforce entitlement policies. | Remote Procedure Call (RPC)
Citrix Diagnostic Facility COM Server (CdfSvc) | CdfSvc.exe | NT AUTHORITY\Network Service / Automatic | Manages and controls diagnostic trace sessions, which are used to diagnose problems on a XenApp server. | Remote Procedure Call (RPC)
Citrix Encryption Service | encsvc.exe | NT AUTHORITY\Local Service / Automatic | Enables secure communication with RC5 128-bit encryption between XenApp Plug-ins and XenApp. | Windows Management Instrumentation Driver Extensions
Citrix End User Experience Monitoring (Citrix EUEM) | SemsService.exe | Local Service / Manual | Collects and collates end-user experience measurements. | Citrix SMC Support Driver
Citrix Health Monitoring and Recovery (CitrixHealthMon) | HCAService.exe | NT AUTHORITY\Local Service / Automatic | Provides health monitoring and recovery services in the event problems occur. | Citrix Independent Management Architecture service; Terminal Services
Citrix
Independent
Management
Architecture
ImaSrv.exe
NT AUTHORITY\
NetworkService
Automatic
Provides
management
services in the
XenApp farm.
(IMAService)
Citrix
Services
Manager
service
IPsec Policy
Agent
Remote
Procedure
Call (RPC)
TCP/IP
Protocol
Driver
Server
Windows M
anagement
Instrumenta
tion Driver
Extensions
Workstation
Citrix MFCOM
Service
(MFCom)
mfcom.exe
NT AUTHORITY\
NetworkService
Automatic
Provides COM
services that
allow remote
connections
from the
management
tools.
Remote
Procedure
Call (RPC)
Citrix Indep
endent Man
agement Ar
chitecture
service
Citrix
Services
Manager
service
576
XenApp Service Account Privileges
Citrix Print
Manager
Service
CpSvc.exe
.\ctx_cpsvcuser
Automatic
(cpsvc)
Manages the
creation of
printers and
driver usage
within XenApp
sessions.
Print
Spooler
Remote
Procedure
Call (RPC)
This service
supports the
Citrix Universal
Printing
features.
Citrix Secure
Gateway Proxy
CtxSGSvc.exe
(CtxSecGwy)
Citrix Services
Manager
NT AUTHORITY\
Network Service
Automatic
IMAAdvanceSrv.
exe
Local System
Automatic
(IMAAdvanceSrv
)
Citrix
Streaming
Service
RadeSvc.exe
.\Ctx_StreamingSv
c
Automatic
(RadeSvc)
Citrix Virtual
Memory
Optimization
577
CTXSFOSvc.exe
Local System
Manual
Proxy to the
Citrix Secure
Gateway
server.
None
Provides
XenApp with an
interface to
the operating
system. Other
services use
this services to
perform
elevated
operations.
None
Manages the
XenApp Plug-in
for Streamed
Apps when
streaming
applications.
Remote
Procedure
Call (RPC)
Dynamically
optimizes
applications
running on a
XenApp server
to free up
server memory.
None
XenApp Service Account Privileges
Citrix WMI
Service
ctxwmisvc.exe
(CitrixWMIservi
ce)
NT AUTHORITY\
Local Service
Manual
Provides the
Citrix WMI
classes for
information
and
management
purposes.
Citrix Indep
endent Man
agement Ar
chitecture
service
Citrix
Services
Manager
service
IPsec Policy
Agent
Remote
Procedure
Call (RPC)
TCP/IP
Protocol
Driver
Server
Windows M
anagement
Instrumenta
tion Driver
Extensions
Workstation
Citrix XML
Service
ctxxmlss.exe
Network Service
Automatic
(CtxHttp)
Citrix XTE
Server
(CitrixXTEServe
r)
XTE.exe
NT AUTHORITY\
NetworkService
Manual
Services XML
data requests
sent by XenApp
components
None
Services
network
requests for
session
reliability and
SSL from
XenApp
components.
None
Caution: Citrix does not recommend altering account permissions and privileges. If you
delete the accounts or alter their permissions incorrectly, XenApp might not function
correctly.
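One way to check a server for drift from the accounts documented in the XenApp Services Overview table, as an added example that is not Citrix code: the script compares each service's logon account and startup type with a subset of the table and ranks a limited service found running as Local System highest. The function names, the severity labels and the sample data (including the CORP\svc-ctxprint account) are constructed for illustration.

```powershell
# Added example, not Citrix code. Baseline transcribed from a subset of the
# XenApp Services Overview table: service name -> logon account and startup type.
$Baseline = @{
    'CTXCPUBal'        = @{ Account = '.\ctx_cpuuser';                Start = 'Manual'    }
    'ctxcpuSched'      = @{ Account = 'Local System';                 Start = 'Manual'    }
    'CdfSvc'           = @{ Account = 'NT AUTHORITY\Network Service'; Start = 'Automatic' }
    'CitrixHealthMon'  = @{ Account = 'NT AUTHORITY\Local Service';   Start = 'Automatic' }
    'IMAService'       = @{ Account = 'NT AUTHORITY\NetworkService';  Start = 'Automatic' }
    'MFCom'            = @{ Account = 'NT AUTHORITY\NetworkService';  Start = 'Automatic' }
    'cpsvc'            = @{ Account = '.\ctx_cpsvcuser';              Start = 'Automatic' }
    'CtxSecGwy'        = @{ Account = 'NT AUTHORITY\Network Service'; Start = 'Automatic' }
    'IMAAdvanceSrv'    = @{ Account = 'Local System';                 Start = 'Automatic' }
    'RadeSvc'          = @{ Account = '.\Ctx_StreamingSvc';           Start = 'Automatic' }
    'CitrixWMIservice' = @{ Account = 'NT AUTHORITY\Local Service';   Start = 'Manual'    }
    'CtxHttp'          = @{ Account = 'Network Service';              Start = 'Automatic' }
    'CitrixXTEServer'  = @{ Account = 'NT AUTHORITY\NetworkService';  Start = 'Manual'    }
}

function ConvertTo-AccountKey {
    param([string]$Name)
    # Win32_Service reports "LocalSystem" and "NT AUTHORITY\NetworkService"; the
    # manual also writes "Local System" and "Network Service". Fold them together.
    # Domain prefixes are kept, so a replaced account shows up as a difference.
    $n = $Name.Trim() -replace '^(NT AUTHORITY|\.)\\', ''
    return ($n -replace '\s', '').ToLower()
}

function New-Finding {
    param($Service, $Severity, $Detail)
    New-Object PSObject -Property @{ Service = $Service; Severity = $Severity; Detail = $Detail }
}

function Compare-XenAppServiceBaseline {
    param([object[]]$Services)
    foreach ($svc in $Services) {
        if (-not $svc.Name -or -not $Baseline.ContainsKey($svc.Name)) { continue }
        $want     = $Baseline[$svc.Name]
        $wantKey  = ConvertTo-AccountKey $want.Account
        $haveKey  = ConvertTo-AccountKey $svc.StartName
        $haveMode = $svc.StartMode -replace '^Auto$', 'Automatic'   # WMI reports "Auto"

        if ($haveKey -ne $wantKey) {
            # Local System is listed with Administrator permissions, so a limited
            # service found running under it is the most serious kind of drift.
            $sev = 'Review'
            if ($haveKey -eq 'localsystem') { $sev = 'High' }
            New-Finding $svc.Name $sev "runs as '$($svc.StartName)', documented '$($want.Account)'"
        }
        if ($haveMode -ne $want.Start) {
            New-Finding $svc.Name 'Info' "startup type '$haveMode', documented '$($want.Start)'"
        }
    }
}

# Constructed sample shaped like Get-WmiObject Win32_Service output (not real data).
$Sample = @(
    (New-Object PSObject -Property @{ Name = 'IMAService';      StartName = 'NT AUTHORITY\NetworkService'; StartMode = 'Auto' }),
    (New-Object PSObject -Property @{ Name = 'CtxHttp';         StartName = 'LocalSystem';                 StartMode = 'Auto' }),
    (New-Object PSObject -Property @{ Name = 'cpsvc';           StartName = 'CORP\svc-ctxprint';           StartMode = 'Auto' }),
    (New-Object PSObject -Property @{ Name = 'CitrixXTEServer'; StartName = 'NT AUTHORITY\NetworkService'; StartMode = 'Auto' })
)

Compare-XenAppServiceBaseline -Services $Sample |
    Select-Object Severity, Service, Detail | Format-Table -AutoSize -Wrap

# On a XenApp server, audit the live services instead:
# Compare-XenAppServiceBaseline -Services (Get-WmiObject Win32_Service)
```

A Review finding for a domain account is expected where the account was deliberately replaced during Setup; confirm that the replacement holds the same privileges as the default account.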
Permissions for Service User Accounts
This table lists the permissions associated with accounts XenApp services use.
| Account Name | Permissions | Notes |
|---|---|---|
| Local Service | Limited | NT AUTHORITY\LocalService |
| Network Service | Limited, network resources | NT AUTHORITY\NetworkService |
| Local System | Administrator | NT AUTHORITY\System |
| Ctx_StreamingSvc | Domain or local user | Acts as a User |
| ctx_cpsvcuser | Domain or local user | Acts as a Power User |
| Ctx_ConfigMgr | Domain or local user | Acts as a Power User |
| Ctx_CpuUser | Domain or local user | Acts as a User |
Privileges for Service User Accounts
If your organization requires that service accounts run as domain accounts and not as local
accounts, you can create domain accounts to replace the ctx_cpsvcuser, Ctx_ConfigMgr,
and Ctx_CpuUser accounts before installing XenApp and specify the new accounts during
Setup. Citrix does not support changing the account for the Citrix Streaming Service
(Ctx_StreamingSvc). Follow the guidelines in the XenApp installation documentation at
Citrix eDocs and ensure the new account has the same privileges as the default account.
Privileges | Local Service | Network Service | Ctx_StreamingSvc | ctx_cpsvcuser | Ctx_ConfigMgr | Ctx_CpuUser
Change the system time: x x
Generate security audits: x x
Increase quotas: x x
Load and unload device drivers: x
Log on as a batch job: x x x x x x
Log on as a service: x x x x x x
Replace a process level token: x x x
Restore files and directories: x
Debug programs: x
Increase scheduling priority: x
Maintaining Server Farms
A server farm is a group of servers running Citrix XenApp and managed as a single entity.
The servers in the server farm share a single IMA-based data store.
Citrix recommends performing farm maintenance tasks from the data collector, assuming
no applications are published on the data collector, because this updates farm data faster.
Performing farm maintenance tasks from a server hosting published applications can slow
down users trying to connect to published applications and take longer to update in the
data store.
This topic describes how to perform the following tasks:
• Displaying and Organizing Your Farm
• To configure general farm properties
• To search for objects in your farm
• Connecting to a Server
• Restarting Servers at Scheduled Times
• To repair a XenApp installation
• Changing XenApp Farm Membership
• Removing and Reinstalling XenApp
• Monitoring Server Performance with Health Monitoring & Recovery
• Using Citrix Performance Monitoring Counters
• Enabling SNMP Monitoring
• Optimizing Server Performance
• Managing Farm Infrastructure
• Updating Citrix License Server Settings
• Setting the Product Edition
• Setting the Citrix XML Service Port
Displaying and Organizing Your Farm
Server and farm properties are configuration settings specific to individual servers or entire
farms. Using the Farm Properties page, you can configure a number of properties at the
farm level. By default, all servers are configured to use the farm settings for a given
property.
Using a Server Properties page, you can override farm settings and customize the
configuration of individual servers. For example, if you specify a license server on a Farm
Properties page, all servers in the farm, including servers you add later, point to that
license server. To point particular servers to a different license server, use those Server
Properties pages to specify a different license server.
Important: Interoperability of XenApp 5.0 for Windows Server 2008 with versions prior to
Presentation Server 4.5 for Windows Server 2003 is no longer supported.
To view farm information
You can view summary information about the server farm, published resources, servers, and
sessions. Depending on the configuration of your farm, some areas may not appear.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a farm.
3. From the Action menu, click Change display > Information. The right, or details, pane of
the console displays summary information about the farm, servers, published resources,
and sessions.
4. From Available Displays, you can click Alerts, Users, Offline Sessions, Hotfixes,
Configured file types, Read-only Properties, or Offline users for more detailed
information about these areas.
Note: The displays that appear depend on the features you enabled in XenApp.
To view server information
You can view a wide variety of summary information about each server in the farm.
Depending on the configuration of your server, some areas may not appear.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select Change display > Information. The details pane of the
console displays summary information about the product edition and version, installed
service packs, server operating system, and TCP address. Click Expand list to view more
server summary information.
4. From Available Displays, you can select Alerts, Users, Sessions, Processes, Hotfixes,
Published applications, Read-only Properties, View server health, and Trace Sessions for
more detailed information about these areas.
Note: The displays that appear depend on the features you enabled in XenApp.
Organizing Your Farm Display in the Console
You can group applications or servers in folders to make navigating through their console
listings easier. Folders are also useful for Object Based Delegated Administration. Grouping
servers into folders can facilitate the process of delegating administrative tasks to Citrix
administrators.
You can move items between folders by dragging and dropping.
Important: The folder structure within Applications is not related to, or reflected in, the
folder structure for clients using Program Neighborhood.
To create a folder
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select Applications or Servers. To create a subfolder, select the folder
in which you want the new folder created.
3. From the Action menu, select New > Create folder.
4. In the New Folder dialog box, type the name of the new folder, and select Copy
permissions from the parent folder if you want the new folder to be accessed by the
same administrators who have access to the parent folder.
Note: This is a one-time only inheritance; no updating occurs if you make permission
changes to the parent folder later. If you clear the check box to disable the option,
only administrators with view only or full administration privileges can access the
folder. Administrators with Custom privileges cannot access the folder until they are
given permission.
To rename a folder
1. Select the folder in question and from the Action menu, select Rename.
2. Type the new name of the folder directly in the left pane.
To delete a folder
1. If the folder contains applications or servers, move them to other locations.
Note: You can delete empty folders only.
2. Select the empty folder you want to delete.
3. From the Action menu, select Delete folder.
To move the contents of a folder
1. Select the published application, server, or folder you want to move.
2. From the Action menu, select Move to folder.
3. Select the required destination folder and click OK.
To move servers to a folder
1. In the left pane, select the destination folder (under the Servers folder only) into which
you want to move a server.
2. From the Action menu, select All Tasks > Move servers to folder.
3. Select the required server or subfolder and click Add.
Note: Published applications can be moved only to Applications or folders under
Applications. Similarly, servers can be moved only to Servers or folders under Servers.
To configure general farm properties
General farm properties include settings such as broadcast response, client time zones,
Citrix XML Service, and Novell Directory Services.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Farm-wide > XenApp > General.
5. Under Respond to client broadcast messages, select either of the following check boxes
to respond to broadcasts from clients:
• Data collectors
• RAS servers
6. Under Client time zones, select Use Client’s local time.
This means that all time stamps for all applications are based on the client’s time
instead of the server’s time.
You can then select Estimate local time for clients. This time is based on the client’s
time zone settings.
Note: Client time zone settings override similar settings that are configured in
Microsoft Windows Group Policy.
Important: Version 6.x of the Presentation Server Clients introduced the capability to
send time zone information to the server. For earlier versions of clients, the client
sends the local time, which could be incorrect or modified by the user, so the
server’s estimate of the client time zone might not be accurate.
7. Under Citrix XML Service, select XML Service DNS address resolution to allow a server to
return the fully qualified domain name (FQDN) to clients using the Citrix XML Service.
Important: DNS address resolution works only in server farms that contain servers
running MetaFrame XP Feature Release 1 or later, and clients must be using
Presentation Server Client Version 6.20.985 or later or Citrix XenApp Plugin for
Hosted Apps version 11.x.
8. Under Novell Directory Services, in the NDS preferred tree field, enter the name of the
NDS tree used to access NDS user account information and authentication.
9. Under Published application icons, select Enhanced icon support to enable additional
icon color depths (32-bit) when you publish applications. To apply this setting to
previously published applications, delete them and publish the applications again.
To search for objects in your farm
XenApp provides an advanced search feature so that you can search for the objects in your
farm such as discovered items, sessions or applications by user, and servers that do not
have a specific hotfix applied to them.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. From the Tasks pane, select Search > Advanced search.
3. In the Advanced Search dialog box, in the Find box, select one of the following:
• Discovered items. Searches discovered items.
• Sessions By User. Lists the sessions to which a specific user is connected. Type a
user name in the Name box.
• Applications By User. Lists the applications that the specified user is using. Type a
user name in the Name box.
• Servers without hotfix. Lets you search for all of the servers missing a specific
hotfix. This feature is useful if you want to check that you applied a hotfix to all
servers in your farm. Type a hotfix number in the Name box.
4. If desired, select one of the following locations to search in:
• A farm. Displays all applications in that farm matching the search.
• An application folder. Displays all applications in that folder matching the search.
• An application. Displays only that application, if it matches the search.
• A server folder. Displays all applications published to servers in the folder that
match the search.
• A server. Displays all applications published to the server that match the search.
• A zone. Displays all applications published to servers in the zone that match the
search (may be useful for zone preference and failover scenarios).
• Any other node. Displays all applications in all farms that match the search.
Note: If there are multiple farms in the search scope, the Select directory type box
contains multiple Citrix User Selector, for farm <n> entries. After you enter or select a
complete user name, the user’s account authority is checked. If you enter a user name
and password that is incorrect or is not recognized by any of the farms in the search
scope, the Enter Credentials dialog box reappears. If the user is an Active Directory
Service (ADS) user, you are prompted whether or not you want to do a full ADS tree
search.
After resolving the credentials, a progress dialog may appear and then your search results
appear.
Connecting to a Remote Server Console
Before connecting to a remote server console:
• Enable connections to it. You can enable connections to a server console for all servers
in a farm or for individual servers.
• Ensure you are a local administrator on each server to which you want to connect
remotely.
To enable remote console connections for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > XenApp.
5. Select Remote Console Connections to allow administrators to connect remotely to
console sessions on servers running Microsoft Windows 2003.
6. On the Remote Console Connections page, select Remote connections to the console.
To enable remote console connections for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select XenApp.
5. Select Remote Console Connections.
6. Select Use farm settings (available on server level only) or Remote connections to the
console.
To connect to a remote server console
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select All Tasks > Connect to server > Connect to server's
console.
4. Click OK to accept the default values. If desired, you can specify values for the Width,
Height, Colors, and Encryption level for the remote console display. After you click OK,
the connection progress dialog box appears. You are prompted to enter your credentials
and then the console appears.
To connect to a server’s published desktop
You can access a server’s desktop only if the desktop of the selected server is published,
and the selected server is running XenApp 5.0 or later.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select All Tasks > Connect to server > Connect to server’s
published desktop.
4. In the Launch ICA Desktop Session dialog box, choose from the following selections. The
selections you make here become the new default settings.
• Published Desktop. Select the published desktop from the list to which you want to
connect.
• Accept the Width and Height values or specify a different resolution.
• Colors. Select the color depth for the application. The available options are 16
Colors, 256 Colors, High Color (16-bit), or True Color (24-bit).
• Encryption. Select one of the following options from the list.
  • Basic encrypts the connection using a non-RC5 algorithm. Basic encryption
  protects the data stream from being read directly but can be decrypted.
  • 128-Bit Login Only (RC5) encrypts the logon data with RC5 128-bit encryption
  and the ICA connection with basic encryption.
  • 40-Bit (RC5) encrypts the connection with RC5 40-bit encryption.
  • 56-Bit (RC5) encrypts the connection with RC5 56-bit encryption.
  • 128-Bit (RC5) encrypts the connection with RC5 128-bit encryption.
To connect directly to a server's desktop
Configure connection settings to your server farm through the Microsoft Management
Console (MMC) using Terminal Services Configuration.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select All Tasks > Connect to server > Connect directly to
server's desktop.
4. In the Launch ICA Desktop Session dialog box, choose from the following selections. The
selections you make here become the new default settings.
• Accept the Width and Height values or specify a different resolution.
• Colors. Select the color depth for the application. The available options are 16
Colors, 256 Colors, High Color (16-bit), or True Color (24-bit).
• Encryption. Select one of the following options from the list.
  • Basic encrypts the connection using a non-RC5 algorithm. Basic encryption
  protects the data stream from being read directly but can be decrypted.
  • 128-Bit Login Only (RC5) encrypts the logon data with RC5 128-bit encryption
  and the ICA connection with basic encryption.
  • 40-Bit (RC5) encrypts the connection with RC5 40-bit encryption.
  • 56-Bit (RC5) encrypts the connection with RC5 56-bit encryption.
  • 128-Bit (RC5) encrypts the connection with RC5 128-bit encryption.
To limit the number of server connections per user
When a user starts a published application, the client establishes a connection to a server in
the farm and initiates a client session. If the user then starts another published application
without logging off from the first application, the user has two concurrent connections to
the server farm. To conserve resources, you can limit the number of concurrent
connections that users can make.
1. Select the farm in the left pane.
2. From the Action menu, select Modify farm properties > Modify all properties.
3. From the Properties list, select Farm-wide > Connection Limits.
4. Select Maximum connections per user and type the numerical limit.
5. Select Enforce limit on administrators to extend the connection limit to Citrix
administrators.
Important: Limiting connections for Citrix administrators can adversely affect their
ability to shadow other users.
6. Select Log over-the-limit denials to record information about denied connection events
in the server’s system log.
7. Click Apply to implement your changes and then OK to close the Farm Properties dialog
box.
To disable and re-enable server logons
By default, logons are enabled for each server in a farm. You can disable logons on a
per-server basis, such as during maintenance, then re-enable after maintenance is
complete.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server.
3. From the Action menu, select one of the following:
• All Tasks > Disable logon
• All Tasks > Enable logon
4. Click Yes to confirm.
Enabling Local Browsers with Published Applications
To enable your users to use local browsers to open URLs found in remote published
applications, enable content redirection.
You can configure content redirection as a farm-wide server default setting or as an
individual setting for a particular server.
To enable content redirection for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > XenApp.
5. Select Content Redirection to allow users to open URLs found in remote published
applications in a local Web browser.
6. On the Content Redirection page, select Content redirection from server to client.
To enable content redirection on a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select XenApp.
5. Select Content Redirection to allow users to open URLs found in remote published
applications in a local Web browser.
6. On the Content Redirection page, select Use farm settings (available on server level
only) or Content redirection from server to client.
Restarting Servers at Scheduled Times
To optimize performance, you can restart a server automatically at specified intervals by
creating a restart schedule.
Restart schedules are based on the local time for each server to which they apply. This
means that if you apply a schedule to servers that are located in more than one time zone,
the restarts do not happen simultaneously; each server is restarted at the selected time in
its own time zone.
When the Citrix Independent Management Architecture (IMA) service starts after a restart,
it establishes a connection to the data store and updates the local host cache. This update
can vary from a few hundred kilobytes of data to several megabytes of data, depending on
the size and configuration of the server farm.
To reduce the load on the data store and to reduce the IMA service start time, Citrix
recommends maintaining restart groups of no more than 100 servers. In large server farms
with hundreds of servers, or when the database hardware is not sufficient, restart servers
in groups of approximately 50, with at least 10 minute intervals between groups.
To define when multiple servers restart
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the Servers folder.
3. In the Contents display in the right pane, press the SHIFT key and select the servers to
restart.
4. From the Action menu, select All Tasks > Set restart options > Set restart schedule. This
starts the Set Restart Schedule wizard.
5. Use the wizard to configure your restart options.
To define when a single server restarts
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select All Tasks > Modify server properties > Modify all
properties.
4. In the Server Properties dialog box, select Restart Schedule and configure your restart
options.
To stop restarts for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the servers you do not want to restart.
3. In the center pane, select Other Tasks > Set restart options > Disable restarts.
To repair a XenApp installation
When you run the repair utility, if a public hotfix or hotfix rollup pack is installed, the same
file versions of the hotfix or hotfix rollup pack are reinstalled, not the original versions.
Therefore, you can perform a repair on a system without having to re-apply previously
installed public hotfixes or hotfix rollup packs.
However, this excludes installed private hotfixes or other customizations; they are applied
manually and the system does not track them. In these cases, running the repair utility
replaces the private hotfixes or other customizations with the original files and settings.
1. Log off from all sessions and exit any applications running on the server.
2. Choose Start > Control Panel > Programs and Features.
3. Select Citrix XenApp <version>, click Change, and then select Repair when asked to
select the maintenance action you want to perform.
4. Restart the server when prompted.
Changing XenApp Farm Membership
To change the farm to which a XenApp server belongs, use the chfarm command utility. For
more information about chfarm including syntax, parameters, and limitations, see CHFARM.
Removing and Reinstalling XenApp
At times, you might have to remove servers from your farm or uninstall XenApp software
from a server. Some tasks you might need to perform include:
• Moving a server to another farm
• Renaming a server
• Removing a server from your farm
• Uninstalling XenApp from a computer in your farm, or forcing its uninstallation
• Removing a server from your farm if the hardware hosting XenApp fails
To accomplish these tasks, you might need to uninstall XenApp from its host computer,
remove it from the farm or from the list of farm servers in the Access Management Console
or Delivery Services Console, or both depending on your situation.
Moving a Server to a Different Farm
If you want to move a XenApp server to another farm, use the Change Farm (CHFARM)
command. This removes the server from the farm data store and from the lists of servers
displayed in the consoles.
Renaming a Server
Follow the instructions in To rename a XenApp server to rename a server. They contain
critical steps to ensure records are not corrupted in the data store.
Uninstalling XenApp
Citrix recommends that you uninstall XenApp by using Control Panel > Programs and
Features while the server is still connected to the farm and the network. This method
removes the host information from the farm data store and removes the server from the
farm properties displayed in the management tools.
When uninstalling servers that connect to the data store indirectly through another farm
server, uninstall the indirectly connected servers before uninstalling the directly connected
server. Uninstalling the direct server first prevents the other servers from being uninstalled
properly from the data store.
Citrix does not recommend uninstalling XenApp from within a Remote Desktop Connection
(RDC) session because the uninstall program needs to log off all remote users as it uninstalls
XenApp. If you need to uninstall XenApp remotely, you can do so using tools such as
Microsoft Configuration Manager 2007 (formerly Systems Management Server (SMS)).
Removing a Server from a Farm
If you want to remove a server from a farm, Citrix recommends that you uninstall XenApp.
Then, check that the server was successfully removed from the farm and reimage it, if desired.
While you can remove the server from the farm using only the console, Citrix strongly
recommends using the method explained in To remove a server from the farm since it is
safer.
Forcing the Uninstall of XenApp
If you cannot uninstall XenApp through the Control Panel, you can force the removal of the
software by using the Windows Msiexec command.
Removing a Server from a Farm Due to Hardware Failure
If the hardware for a server fails or it cannot be brought up to run the uninstall program,
remove the server. Citrix recommends that you only use the console to remove a server
from the farm in cases where the server cannot be brought up to run the uninstall program.
Caution: If you remove all servers belonging to a single domain and have Citrix
administrators in the domain, their user accounts cannot be enumerated by the console
and appear as a question mark (?) in the list of Citrix administrators.
Reinstalling XenApp Due to Hardware Failure
If the hardware for a server fails, before you connect its replacement server to your
network, change its name to the same name as the failed server. Assigning the replacement
server the failed server’s name lets the replacement have the same properties and
functionality as the failed XenApp server. The records in the data store for the old server
apply to its replacement of the same name.
When you assign a replacement server the failed server’s name, make sure the settings on
the replacement server are identical to the failed server. This includes settings for the
operating system, settings for applications made during installation or when the application
was published, and any user accounts on the failed server.
Backing Up and Restoring the XenApp Data Store
Many data store maintenance tasks, such as backing up and restoring the data store, are
performed using the DSMAINT and DSCHECK commands. Some data store maintenance tasks
have different instructions according to the type of database (for example, Microsoft
Access). The data store maintenance instructions are in the Citrix XenApp Installation
Guide.
Note: If the server that failed was hosting an indirect data store, create a new data
store. If the new server hosting the data store has a different name than the failed
server, run the CHFARM command on each server in the farm so they reference the new
data store.
To remove XenApp
For illustration purposes, this procedure assumes that you installed XenApp with all options
enabled.
Caution: If you are removing XenApp remotely, do not do so from within a Remote
Desktop Connection (RDC) session. Using RDC to remove XenApp remotely can result in
you being unexpectedly disconnected from the computer with no way to reconnect or
complete the removal.
1. Log off from all sessions and exit any applications running on the server.
2. If the Citrix License Server is running on the XenApp server you are uninstalling,
manually stop the License Management Console service. This action prevents Java
errors during the uninstallation that could result from other Citrix components that
detect the service.
3. Choose Start > Control Panel > Programs > Programs and Features.
4. Select Citrix XenApp <version>, click Uninstall, click Yes when asked if you want to
uninstall XenApp, and follow the instructions that appear.
5. Remove XenApp. If you want to remove only specific components of XenApp, do so in
the following order:
• Citrix Access Management Console or Delivery Services Console
• XenApp Advanced Configuration or Presentation Server Console
• Citrix XenApp
• Citrix Web Interface
• Citrix Licensing
Note: To complete the removal, you must restart the computer after you remove
XenApp.
To force the uninstallation of XenApp
1. If you need to force the uninstallation of XenApp from a computer, you can use msiexec
on a command line to add the property CTX_MF_FORCE_SUBSYSTEM_UNINSTALL and set
its value to Yes.
2. The following sample command line enables logging of the uninstallation operation and
forces the removal of XenApp:
msiexec /x cps.msi /L*v c:\output.log CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=Yes
where cps.msi is the name and location of the msi package.
To remove a server from the farm
1. With the server still on the network and online in the farm, uninstall XenApp from the
server from Control Panel > Programs and Features by selecting Citrix XenApp 5.0 and
selecting Uninstall.
2. Open the Access Management Console or Delivery Services Console on a different
server, run or rerun Discovery and check the server was removed from the farm
successfully. If the server from which you uninstalled XenApp still appears in the
console:
a. In the left pane, select the server.
b. From the Action menu, select All Tasks > Remove from farm.
3. After you ensure the server no longer appears in the farm, disconnect the server from
the network.
Caution: Do not reconnect the server to the network until you reimage it or remove
its XenApp software. If it reconnects to the network, it can corrupt your farm.
4. Run the dscheck command on the data store to repair any consistency errors.
5. Perform a new installation of the operating system (that is, a “clean” installation and not
an upgrade) and XenApp 5.0 (if you want to reuse the hardware for that server).
To rename a XenApp server
Caution: Using Registry Editor incorrectly can cause serious problems that can require
you to reinstall the operating system. Citrix cannot guarantee that problems resulting
from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Make sure you back up the registry before you edit it.
1. Create a Citrix local administrator account on the server you want to rename.
2. On the server you want to rename, run chglogon /disable to prevent users from logging
into the server.
3. Open the Access Management Console or Delivery Services Console on a different
server, remove the server to be renamed from published applications assigned to that
server.
4. On the server you want to rename, stop the Citrix Independent Management
Architecture service.
5. In the Registry, set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME\PSRequired
registry value to 1. This value is HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\RUNTIME\PSRequired
on XenApp, 32-bit Edition.
Caution: Not changing the PSRequired registry value to 1 can result in incomplete
records in the data store. Changing this value to 1 forces the Citrix Independent
Management Architecture service to communicate with the data store and create a
record for the newly named server.
The value for PSRequired reverts to 0 the next time the Citrix Independent Management
Architecture service restarts.
6. Change the name of the server in the server operating system and restart the server.
7. Log on to the console using the local administrator account you created.
8. Update all references to the old server to the new server name. This might require
logging on to the XenApp Advanced Configuration tool or Presentation Server Console as
well.
Important: Before removing the old server name, change all objects that reference
the old name to the new server name, including data collector ranking, published
application references, load evaluators, and zone settings.
9. Expand the Servers folder and remove the old server name from the list of servers.
10. Add the new server name to the list of configured servers for published applications.
Monitoring Server Performance with Health Monitoring & Recovery
You can use Health Monitoring & Recovery to run tests on the servers in a server farm to
monitor their state and discover any health risks. Citrix provides a standard set of 10 tests;
you have the option of importing additional tests, including custom tests that you develop.
The 10 tests included with XenApp allow you to monitor several services and activities
including Terminal Services, XML Service, Citrix IMA Service, and logon/logoff cycles. These
tests are:
Note: You can update the default names of these tests. Therefore, within your
organization, the tests might have different names from those specified in this topic.
Terminal Services test
This test enumerates the list of sessions running on the server and the session user
information, such as user name.
XML Service test
This test requests a ticket from the XML service running on the server and prints the
ticket.
Citrix IMA Service test
This test queries the service to ensure that it is running by enumerating the applications
available on the server.
Logon monitor test
This test monitors session logon/logoff cycles to determine whether or not there is a
problem with session initialization or possibly an application failure. If there are
numerous logon/logoff cycles within a short time period, the threshold for the session is
exceeded and a failure occurs. The session time, interval, and threshold can be
configured by modifying the parameters in the Test file field. These parameters are
listed and described in the following table.
Logon monitor test parameter | Description
SessionTime | Defines the maximum session time for a short logon/logoff cycle. Default is five seconds.
SessionInterval | The time period designated to monitor logon/logoff cycles. Default is 600 seconds.
SessionThreshold | The number of logon/logoff cycles that must occur within the session interval for the test to fail. Default is 50 cycles.
Check DNS test
This test performs a forward DNS lookup using the local host name to query the local DNS
server in the computer’s environment for the computer’s IP address. A failure occurs if
the returned IP address does not match the IP address that is registered locally. To
perform reverse DNS lookups in addition to forward DNS lookups, use the flag /rl when
running this test.
Check Local Host Cache test
This test ensures the data stored in the XenApp server’s local host cache is not corrupted
and that there are no duplicate entries. Because this test can be CPU-intensive, use a
24-hour test interval (86,400 seconds) and keep the default test threshold and time-out
values.
Before running this test, ensure the permissions of the files and registry keys that the
test accesses are set properly. To do this, run the LHCTestACLsUtil.exe file located in
C:\Program Files (x86)\Citrix\System32 of the XenApp server. To run this utility, you must
have local administrator privileges.
Check XML Threads test
This test inspects the threshold of the current number of worker threads running in the
Citrix XML Service. When running this test, use a single integer parameter to set the
maximum allowable threshold value. The test compares the current value on the XenApp
server with the input value. A failure occurs if the current value is greater than the input
value.
Citrix Print Manager Service test
This test enumerates session printers to determine the health of the Citrix Print Manager
service. A failure occurs if the test cannot enumerate session printers.
Microsoft Print Spooler Service test
This test enumerates printer drivers, printer processors, and printers to determine
whether or not the Print Spooler Service in Windows Server 2008 is healthy and ready for
use.
ICA Listener test
This test determines whether or not the XenApp server is able to accept ICA connections.
The test detects the default ICA port of the server, connects to the port, and sends test
data in anticipation of a response. The test is successful when the server responds to the
test with the correct data.
Note: Through the Health Monitoring & Recovery page of the Farm Properties and Server
Properties dialog boxes, you can configure the feature to allow additional tests to run on
your servers.
Use the load balancing feature of XenApp with Health Monitoring & Recovery to ensure that
if a server in the farm experiences a problem (for example the Citrix IMA Service is down),
the state of that server does not interfere with the user’s ability to access the application
because the user’s connection to that application is redirected through another server. For
more information about load balancing and using Load Manager, see the Load Manager
documentation at Citrix eDocs.
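The logon monitor test's SessionTime, SessionInterval and SessionThreshold parameters describe a count of short logon/logoff cycles inside a time window. The following added example (not Citrix code and not part of the original manual) models that documented behaviour over constructed session timestamps; the sliding window, the inclusive comparisons and all function names are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonMonitorConfig:
    # Defaults are the values listed in the manual's parameter table.
    session_time: float = 5.0        # SessionTime: longest lifetime still counted as "short"
    session_interval: float = 600.0  # SessionInterval: monitoring window in seconds
    session_threshold: int = 50      # SessionThreshold: short cycles needed for a failure


def short_cycle_logoffs(sessions, cfg):
    """Logoff times of sessions that lasted no longer than SessionTime, oldest first."""
    return sorted(off for on, off in sessions if 0 <= off - on <= cfg.session_time)


def evaluate(sessions, cfg=LogonMonitorConfig()):
    """Return (failed, time_of_first_failure, peak_short_cycles_in_window).

    Assumption: the window slides, so a cycle stops counting once it is
    SessionInterval seconds older than the newest short cycle.
    """
    window = deque()
    peak = 0
    failed_at = None
    for t in short_cycle_logoffs(sessions, cfg):
        window.append(t)
        while t - window[0] >= cfg.session_interval:
            window.popleft()
        peak = max(peak, len(window))
        if failed_at is None and len(window) >= cfg.session_threshold:
            failed_at = t
    return failed_at is not None, failed_at, peak


def constructed_sessions(count, start, spacing, lifetime):
    """Constructed sample data: `count` sessions, one every `spacing` seconds."""
    return [(start + i * spacing, start + i * spacing + lifetime) for i in range(count)]


if __name__ == "__main__":
    cases = {
        # A published application that exits 2 s after logon, retried every 8 s.
        "crash loop": constructed_sessions(60, 1000, 8, 2),
        # The same fault retried every 15 s never reaches 50 cycles in 600 s.
        "slow flapping": constructed_sessions(100, 0, 15, 2),
        # Ordinary 30-minute sessions are not short cycles at all.
        "normal use": constructed_sessions(200, 0, 3, 1800),
    }
    for name, sessions in cases.items():
        print(name, evaluate(sessions))
```

The slow-flapping case shows why the threshold and interval need tuning together: a failure that recurs every 15 seconds peaks at 40 short cycles per window and never trips the default threshold of 50.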
Enabling and Disabling Health Monitoring & Recovery
By default, Health Monitoring & Recovery is enabled on all of the servers in your farm, and
the four tests that are included run on all servers, including the data collector. Typically,
you do not need to run these tests on the data collector because, particularly in a large
farm, the data collector is not used for serving applications. If you do not want Health
Monitoring & Recovery to run on the data collector, you must disable it manually.
To disable Health Monitoring & Recovery on all servers in a farm
1. In the left pane of the Access Management Console, select a farm.
2. From the Action menu, select Modify farm properties > Modify all properties.
3. In the Farm Properties dialog box, from the Properties list, select the Server Default >
Health Monitoring & Recovery.
4. Clear the Run health check tests on all servers in the farm check box.
To disable Health Monitoring & Recovery on a particular server
1. In the left pane of the Access Management Console, select a server.
2. From the Action menu, select Modify server properties > Modify all properties.
3. In the Server Properties dialog box, from the Properties list, select Health Monitoring &
Recovery.
4. Clear the Use farm settings and Run Health Monitoring tests on this Server check boxes.
Modifying Health Monitoring & Recovery Test Settings
The Health Monitoring & Recovery tests included with XenApp are configured with default
settings. You can modify the settings for each test by server or across all servers in a farm
through the Health Monitoring & Recovery page of the Server Properties or Farm Properties
dialog box.
Selecting Recovery Actions
Alert Only
Sends an error message to the Event log but takes no other action. The test continues to
run, and if it subsequently successfully passes, an event is sent to the system log. This
recovery action is the default for all tests except the Citrix XML Service test.
Remove Server from load balancing
Excludes the server from load balancing. Clients do not attempt to make new
connections to this server through Load Manager. However, existing connections are
maintained, and attempts are made to reconnect disconnected sessions. You can make
new direct connections to the server; this enables you to try to correct any problems. To
prevent possible farm-wide outages, this is the default recovery action for the Citrix XML
Service test.
Note: To restore one or more servers to load balancing, use the enablelb
command-line utility.
Shut Down IMA
Shuts down the Citrix IMA Service. After this happens, tests continue to run but failures
will not trigger events to be sent to the Event log until the Citrix IMA Service is up and
running again.
Restart IMA
Shuts down and then restarts the Citrix IMA Service. After this happens, tests will run but
failures will not trigger events to be sent to the Event log until the Citrix IMA Service is
up and running again.
Reboot Server
Restarts the server. An alert is triggered before the server is restarted. After the system
is restarted, the tests resume.
Note: If the Recovery Action list contains the entry Action ID followed by a number, this
means that Citrix supplied a new action through a hotfix. Although you applied the hotfix
to the selected server, you did not apply it to the computer on which the Access
Management Console or Delivery Services Console is running. When the hotfix is fully
applied, a meaningful name for the new action is added to the list.
To modify the Health Monitoring & Recovery Tests settings for farms or a server
To modify the settings of Health Monitoring & Recovery tests for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > Health Monitoring & Recovery.
5. Select a test and click Modify.
6. Make the necessary modifications and click OK.
To modify the settings of Health Monitoring & Recovery tests for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select Health Monitoring & Recovery.
5. Clear the Use farm settings check box and ensure Run Health Monitoring tests on this
server is selected.
6. To copy existing tests from the farm to the server, click Copy From Farm.
7. Select a test and click Modify.
8. Make the necessary modifications and click OK.
Adding Health Monitoring & Recovery Tests
You can add two types of Health Monitoring & Recovery tests to your servers: tests supplied
by Citrix through the Citrix Knowledge Center and custom tests developed by your
organization or third parties.
Citrix recommends that you store all tests in the following location:
%Program Files%\Citrix\HealthMon\Tests\
where %Program Files% is the location in which you installed XenApp. Store Citrix-supplied
tests in the Citrix folder and custom tests in the Custom folder.
Note: For information about custom tests, see Developing Custom Health Monitoring &
Recovery Tests.
To add tests to a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a farm.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. From the Properties list, select Server Default > Health Monitoring & Recovery.
5. Click New.
6. In the New Health Monitoring & Recovery Test dialog box, select the Allow running
custom Health Monitoring tests check box. This setting is disabled by default. By
selecting this check box, you can import a test by typing or navigating to the
appropriate file path in the Test file field.
To add tests to a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select a server.
3. From the Action menu, select Modify server properties > Modify all properties.
4. From the Properties list, select Health Monitoring & Recovery.
5. Clear the Use farm settings check box and ensure Run Health Monitoring tests on this
server is selected.
6. Click New.
7. In the New Health Monitoring & Recovery Test dialog box, select the Allow running
custom Health Monitoring tests check box. This setting is disabled by default. By
selecting this check box, you can import a test by typing or navigating to the
appropriate file path in the Test file field.
Developing Custom Health Monitoring & Recovery Tests
If you want to perform particular tests that are not included in Health Monitoring &
Recovery, you can develop custom tests using the Health Monitoring & Recovery SDK. This
SDK includes a Readme file and white papers that contain information required to use the
SDK, including security requirements and return values. In addition, the SDK contains
various sample test scripts that you can use as examples to develop custom tests that can
be run on a server farm or on individual servers in a farm. The Health Monitoring &
Recovery SDK is available for download from the Citrix Knowledge Center.
Getting Health Monitoring & Recovery Alerts
In the event of a test failure, an HCAService Test Failed alert is raised for the relevant
server. This alert, displayed in the Access Management Console or Delivery Services
Console, indicates the name of the test that failed. For information about the alert that
appears, view the Citrix Knowledge Center article associated with the alert.
The default recovery action for all tests (except the Citrix XML Service test) is that an error
message is sent to the Event log. For the Citrix XML Service test, the default action is to
exclude the server from load balancing to prevent possible farm-wide outages.
Note: In the Advanced Edition of XenApp, XML ticketing failures also result in the server
being excluded from load balancing. This action is performed by the Citrix XML Service
and not by Health Monitoring & Recovery, so no alerts are sent. For any servers excluded
in this way, the IMA service needs to be restarted for the server to rejoin the load
balancing tables.
If the test is run again and it is successful, an event is sent to the Event log.
Using Citrix Performance Monitoring Counters
Performance monitoring counters for ICA data are installed with XenApp and can be
accessed from Performance Monitor, which is part of the Windows operating system.
Performance monitoring provides valuable information about utilization of network
bandwidth and helps determine if a bottleneck exists.
By using Performance Monitor, you can monitor the following counters:
• Bandwidth and compression counters for ICA sessions and computers running XenApp
• Bandwidth counters for individual virtual channels within an ICA session
• Latency counters for ICA sessions
1. Select Start > Administrative Tools > Server Manager.
2. In the Tree view, select Diagnostics > Reliability and Performance > Monitoring Tools >
Performance Monitor.
3. Click Add.
4. In the Add Counters dialog box, from the Select counters from computer drop-down list,
ensure Local computer is selected.
5. In the Available counters list, select ICA Session.
6. To add all ICA counters, in the Available counters list, select ICA Session. To add one or
more ICA counters, click the plus sign next to ICA Session and select the individual
counters to be added.
7. Select All instances to enable all instances of the selected ICA counters, No instance, or
Select instances from list and highlight only the instances you need. In Performance
Monitor, the instance list contains all active ICA sessions, which includes any session
(shadower) that is shadowing an active ICA session (shadowee). An active session is one
that is logged on to successfully and is in use; a shadowing session is one that initiated
shadowing of another ICA session.
Note: In a shadowing session, although you can select ICA counters to monitor, you
see no performance data for that session until shadowing is terminated.
8. Click Add and then click Close.
You can now use Performance Monitor to view and analyze performance data for the
ICA counters you added. For more information about using Performance Monitor, see
your Windows documentation.
Enabling SNMP Monitoring
XenApp supports Simple Network Management Protocol (SNMP) monitoring and integration
with third-party SNMP network management products. Using third-party applications, you
can perform the following tasks remotely on XenApp servers:
• Monitor server status
• Terminate processes on servers
• Disconnect, log off, or send a message to an active session on a server
• Query operating system, process, and session information
This topic describes how to enable and configure SNMP monitoring on XenApp servers. For
information about support and use of integrated third-party SNMP network management
products, contact the product vendor.
Enabling SNMP monitoring comprises the following steps:
• Installing and configuring the Microsoft SNMP Service on the XenApp servers.
• Enabling the Citrix SNMP agent on the XenApp servers and enabling/disabling traps to
be reported. You can enable the SNMP agent for all servers in the farm or for individual
servers.
To install the Microsoft SNMP Services
The Microsoft SNMP Service is included with Windows but is not installed by default. To
determine if the Microsoft SNMP Service is installed, click Start > Administrative Tools >
Server Manager, then click Features. If SNMP is not listed, you must install the service.
1. Click Start > Administrative Tools > Server Manager.
2. Click Features.
3. Click Add Features.
4. In the Add Features Wizard, on the Select Features page, select SNMP Services (SNMP
Services includes the SNMP Service and SNMP WMI Provider).
5. Follow the on-screen instructions to complete the installation.
6. Restart the computer and reinstall any service packs.
SNMP Security Considerations
Generally, the third-party SNMP network management product administrator provides the
community names to the Citrix administrator. The XenApp servers must have at least one
community name in common with the computer running the SNMP network management
product.
If an SNMP community on the XenApp server is configured with Read/Write permissions and
the SNMP agent is enabled, users can perform potentially dangerous actions remotely (such
as logging off or disconnecting a user, terminating a process, or sending a message).
To prevent unauthorized users from performing these actions, you can configure the SNMP
Service to accept SNMP packets only from computers running the SNMP network
management product by adding the DNS name or IP address of that computer to the list of
hosts from which to accept packets.
If you have a firewall, you can prevent spoofing by configuring the firewall to block packets
coming from outside the firewall that contain source IP addresses known to be inside the
firewall.
Alternatively, you can disable these features completely by removing Read/Write
permissions from all SNMP communities on all computers.
The Access Management Console and Delivery Services Console use Windows domain-based
user authentication and are a secure method of allowing access to these actions.
See the Windows documentation for details about SNMP community security properties.
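The two mitigations above (no Read/Write communities, and packets accepted only from the management station) can be checked from the SNMP Service's registry settings. The following added example is not part of the original manual: it parses the text printed by reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters /s and reports deviations. It assumes the standard Windows SNMP Service layout (ValidCommunities and PermittedManagers subkeys, with an empty PermittedManagers meaning any host is accepted); the sample output, community names and host names are constructed.

```python
import re

# Access rights the Windows SNMP Service stores per community (REG_DWORD).
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
WRITE_RIGHTS = {8, 16}

# A value line in `reg query` output: four spaces, name, type, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {subkey_leaf_name: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().rsplit("\\", 1)[-1], {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                data = m["data"].strip()
                current[m["name"]] = int(data, 16) if m["type"] == "REG_DWORD" else data
    return keys


def audit_snmp(text, expected_managers):
    """Return a list of (finding_code, detail) tuples; an empty list means compliant."""
    keys = parse_reg_query(text)
    findings = []
    for name, rights in sorted(keys.get("ValidCommunities", {}).items()):
        if rights in WRITE_RIGHTS:
            findings.append(("WRITABLE_COMMUNITY", f"{name}: {RIGHTS[rights]}"))
    managers = {host.lower() for host in keys.get("PermittedManagers", {}).values()}
    if not managers:
        # Assumption: no entries means "Accept SNMP packets from any host".
        findings.append(("ANY_HOST_ACCEPTED", "PermittedManagers is empty"))
    allowed = {host.lower() for host in expected_managers}
    for host in sorted(managers - allowed):
        findings.append(("UNEXPECTED_MANAGER", host))
    return findings


# Constructed sample: Read/Write community present and no manager restriction.
WEAK = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
    farm-ro    REG_DWORD    0x4
    farm-rw    REG_DWORD    0x8
"""

# Constructed sample: read-only community, one named management station.
HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
    1    REG_SZ    nms01.example.test

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
    farm-ro    REG_DWORD    0x4
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_snmp(sample, {"nms01.example.test"}))
```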
To display or change the SNMP security properties
1. Click Start > Administrative Tools > Server Manager.
2. Click Configuration > Services.
3. Double-click SNMP Service. The SNMP Service Properties dialog box appears.
4. In the SNMP Service Properties dialog box, revise the properties as needed.
5. Click OK.
6. If you changed any SNMP security settings, stop and restart the SNMP Service.
Enabling the Citrix SNMP Agent and Configuring Trap Settings
By default, the Citrix SNMP agent is not enabled on XenApp servers. You can enable the
SNMP agent and configure trap settings for all servers in the farm or for individual servers.
Check box on configuration page | Name | OID.trap number | Server action that triggers trap
- | trapMfAgentUp | 1.3.6.1.4.1.3845.3.1.1.8 | SNMP agent starts
Logon | trapSessionLogon | 1.3.6.1.4.1.3845.3.1.1.2 | User logs on
Logoff | trapSessionLogoff | 1.3.6.1.4.1.3845.3.1.1.1 | User logs off
Disconnect | trapSessionDisconnect | 1.3.6.1.4.1.3845.3.1.1.2 | User disconnects
Session limit per server | trapSessionLimitThreshold | 1.3.6.1.4.1.3845.3.1.1.4 | Number of concurrent sessions on the server exceeds the configured session limit
Session limit per server | trapSessionThresholdNormal | 1.3.6.1.4.1.3845.3.1.1.9 | Number of concurrent sessions falls below the configured session limit
To enable the SNMP agent and configure trap settings on all servers in a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the farm node in the console tree.
3. From the Action menu, choose Modify farm properties > Modify all properties.
4. From the Properties tree, click SNMP.
5. Select the Send session traps to selected SNMP agent on all farm servers check box.
6. Enable these traps as desired:
• Logon
• Logoff
• Disconnect
• Session limit per server
If you enable Session limit per server, choose a value.
By default, the Use farm settings check box is selected in each server’s properties.
To enable the SNMP agent and configure trap settings on an individual server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. Select the server in the console tree.
3. From the Action menu, choose Modify server properties > Modify all properties.
4. From the Properties tree, click SNMP.
5. Clear the Use farm settings check box.
6. Select the Send session traps to selected SNMP agent on this server check box.
7. Enable these traps as desired:
• Logon
• Logoff
• Disconnect
• Session limit per server
If you enable Session limit per server, choose a value.
8. Click OK.
Monitoring Traps from SNMP Network Management Products
You may be able to use one or more of the following methods to monitor traps from the
third-party SNMP network management product:
Monitoring the event browser
An event browser may log all traps received by the SNMP network management product; a
filter may be available to display traps specific to XenApp servers.
Using the Citrix TrapDialog monitor
The Citrix TrapDialog monitor displays a pop-up message when a status-change trap is
received.
Configuring notifications
You may be able to configure monitoring and notification procedures such as sending an
email or paging individuals when traps are received. You may also be able to customize
descriptions saved to the event log.
See the documentation for the SNMP network management product for details.
Troubleshooting SNMP Monitoring
If a XenApp server does not appear as an icon in the IP Internet tree of the third-party SNMP
network management product display, verify that the SNMP agent is enabled on the XenApp
server, and that it is configured to send traps to the computer running the SNMP network
management product.
Using the Citrix Management Information Base
Although support for XenApp is integrated into a number of popular third-party SNMP
network management products, the Citrix Management Information Base (MIB) can be used
with other SNMP network management products.
If the SNMP network management product has a MIB browser utility, you must load the MIB
file before you can use the utility to query or set SNMP trap values. The MetaFrame.mib file
is located in the \NetworkManager\mibs directory of the XenApp media. See the
documentation for the SNMP network management product for instructions about loading
these files.
The SNMP agent returns strings in Unicode format for all MIB variables except serverFarmA
and serverZoneA. Depending on your query, these variables can return strings in either
Unicode or multibyte format. Your SNMP network management product may not be able to
handle strings in Unicode format.
Optimizing Server Performance
XenApp provides you with a number of ways to optimize the performance of the servers in
your farm:
• Assigning load evaluators to servers and published applications
• Using Preferential Load Balancing
• Managing CPU usage
• Managing virtual memory usage
• Enhancing the performance of remote servers
• Working with the cache
• Updating license server settings
Using Preferential Load Balancing
Preferential Load Balancing assigns importance levels (Low, Normal, or High) to specific
users and applications. For example, doctors and nurses in a hospital are specified as
important users and MRI scans and X-rays are specified as important applications. These
important users and applications with higher levels of service connect to their sessions
more quickly and have more computing resources available to them. By default, a Normal
level of service is assigned to all users and applications.
Preferential Load Balancing calculates importance levels based on the Resource Allotment
for each session. The Resource Allotment is determined by the importance levels of both
the session and the published application that the session is running.
To enable Preferential Load Balancing, in the Access Management Console or Delivery
Services Console, choose CPU sharing based on Resource Allotments on the CPU Utilization
Management page. This setting bases CPU sharing on resource shares (recommended).
Set the application importance level when publishing the application and use XenApp
Advanced Configuration to set the session importance policy level.
Note: To enable load balancing using resource shares only (without CPU management),
you must create a load evaluator that uses the Server User rule and assign it to all your
XenApp servers.
Resource Allotment
Resource Allotment is calculated based on the published application importance level and
the result of the XenApp policy engine for that session. The policy engine bases the session
result on the session importance policy setting.
A session’s Resource Allotment determines the level of service it experiences in comparison
with other sessions on the same XenApp server, as well as sessions on other XenApp servers.
The higher a session’s Resource Allotment, the higher the level of service it receives
compared with those other sessions.
The figure illustrates a XenApp farm running sessions with different Resource Allotments. It
illustrates how a session’s Resource Allotment affects its competition with other sessions on
the same server and on different servers. Session 1 on Server 2 has a relatively high
Resource Allotment compared with all other sessions in the farm. As a result Session 1 gets
the highest percentage of CPU cycles (90%) of any session running in the farm, and at the
same time has to compete with fewer sessions on that server (there are only two sessions
on Server 2, as opposed to three). Any new session would be assigned to Server 1 because it
has the lowest Resource Allotment of the three servers.
The session with the highest Resource Allotment gets the highest percentage of CPU cycles
of any sessions running in the farm.
The three application importance settings have Resource Allotment values associated with
them, as do the three session importance policy settings. To determine the effective
Resource Allotment associated with a session running the published application, multiply
the application importance value by the session importance policy value. The most
powerful session is one with a high importance policy setting (3) running a high importance
application (3), with a total Resource Allotment of 9 (3x3). Conversely, the least powerful
session is one with a low importance policy setting (1) running a low importance application
(1), with a total Resource Allotment of 1 (1x1).
Use this table to help determine how to set your importance levels for applications and
sessions.
Resource Allotments based on importance levels

Application Importance    Session Importance (from policy)    Session Resource Allotment
Low (1)                   Low (1)                             1
Low (1)                   Normal (2)                          2
Low (1)                   High (3)                            3
Normal (2)                Low (1)                             2
Normal (2)                Normal (2)                          4
Normal (2)                High (3)                            6
High (3)                  Low (1)                             3
High (3)                  Normal (2)                          6
High (3)                  High (3)                            9
Multiple Published Applications in the
Same Session
Session sharing allows multiple published applications to run in the same session. During
session sharing, the Resource Allotment is calculated based on the maximum application
importance level setting of all the published applications running in the session multiplied
by the session importance policy setting.
When an application is launched in an existing session, the importance level of the new
application is compared with the maximum of all current application importance levels. If
the importance level of the new application is greater, the session’s Resource Allotment is
recalculated and the session’s CPU entitlement adjusted upwards. Similarly, when an
application is closed, if the maximum importance level of the remaining applications is
lower, the session’s Resource Allotment is recalculated and the session’s CPU entitlement
adjusted downward.
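The allotment rules above, worked through in PowerShell as an added example (not Citrix code). The importance values and the maximum-application rule come from the text; dividing CPU in proportion to allotments and ranking servers by the sum of their sessions' allotments are assumptions made for illustration, and the farm data is constructed.

```powershell
# Importance values from the table above.
$Importance = @{ Low = 1; Normal = 2; High = 3 }

function Get-SessionAllotment {
    # Highest application importance in the session multiplied by the
    # session importance policy value (the session-sharing rule).
    param(
        [Parameter(Mandatory = $true)][string[]]$AppImportance,
        [string]$SessionImportance = 'Normal'
    )
    foreach ($level in @($AppImportance) + $SessionImportance) {
        if (-not $Importance.ContainsKey($level)) { throw "Unknown importance level: $level" }
    }
    $maxApp = ($AppImportance | ForEach-Object { $Importance[$_] } |
        Measure-Object -Maximum).Maximum
    return [int]$maxApp * $Importance[$SessionImportance]
}

function Get-ServerCpuSplit {
    # Assumption: CPU is divided in proportion to each session's allotment.
    param([hashtable]$Sessions)          # session name -> allotment
    $total = ($Sessions.Values | Measure-Object -Sum).Sum
    foreach ($name in ($Sessions.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Session   = $name
            Allotment = $Sessions[$name]
            CpuPct    = [math]::Round(100 * $Sessions[$name] / $total, 1)
        }
    }
}

function Select-ServerForNewSession {
    # Assumption: a server's Resource Allotment is the sum of its sessions'.
    param([hashtable]$Farm)              # server name -> sessions hashtable
    $Farm.Keys |
        Sort-Object -Property { ($Farm[$_].Values | Measure-Object -Sum).Sum } |
        Select-Object -First 1
}

# Constructed farm: three servers, Server2 hosting one High/High session.
$farm = @{
    Server1 = @{
        Session1 = (Get-SessionAllotment -AppImportance Low -SessionImportance Low)
        Session2 = (Get-SessionAllotment -AppImportance Low -SessionImportance Normal)
        Session3 = (Get-SessionAllotment -AppImportance Normal -SessionImportance Low)
    }
    Server2 = @{
        Session1 = (Get-SessionAllotment -AppImportance High -SessionImportance High)
        Session2 = (Get-SessionAllotment -AppImportance Low -SessionImportance Low)
    }
    Server3 = @{
        Session1 = (Get-SessionAllotment -AppImportance Normal -SessionImportance Normal)
        Session2 = (Get-SessionAllotment -AppImportance High -SessionImportance Low)
        Session3 = (Get-SessionAllotment -AppImportance Normal -SessionImportance High)
    }
}

Get-ServerCpuSplit -Sessions $farm.Server2 |
    Format-Table Session, Allotment, CpuPct -AutoSize
"New session goes to: $(Select-ServerForNewSession -Farm $farm)"

# Session sharing: launching a High application raises the allotment,
# closing it lowers the allotment again.
$apps     = @('Low')
$start    = Get-SessionAllotment -AppImportance $apps -SessionImportance High
$apps    += 'High'
$launched = Get-SessionAllotment -AppImportance $apps -SessionImportance High
$apps     = @($apps | Where-Object { $_ -ne 'High' })
$closed   = Get-SessionAllotment -AppImportance $apps -SessionImportance High
"Allotment while sharing: $start, then $launched, then $closed"
```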
Using CPU Utilization Management
The CPU utilization management feature can improve the ability of a farm to manage
resources and normalize CPU peaks when the farm’s performance becomes limited by
CPU-intensive operations.
In Windows, CPU utilization management entitles each user to an approximately equal
amount of CPU, with each allocation being a relative percentage of the available CPU.
However, if some users are not using their entitlement, that entitlement is divided among
the processes from other users, provided those processes want to use the resource.
CPU utilization management shares processor resources equitably amongst users (fair
sharing) and makes servers more responsive in periods with high processor loads. The effect
of enabling the feature is that it can make applications respond faster than they would
otherwise.
To determine if enabling CPU utilization management could be beneficial, check the CPU
column and the Base Priority column in the Task Manager to see if there are processes from
user sessions that consume inequitable amounts of CPU resources yet have the same
priority.
You can configure the CPU utilization management feature using the following settings:
Fair sharing of CPU between sessions
Ensures that CPU resources are equitably shared among users by having the server
allocate an equal share of the CPU to each user.
CPU sharing based on Resource Allotments
Determines CPU resource allotments for users based on their published application and
session importance levels. For more information about resource allotments, see Using
Preferential Load Balancing.
Fair Sharing of CPU Between Sessions
The CPU utilization management Fair sharing of CPU between sessions option ensures that
CPU resources are equitably shared among users by having the server allocate an equal
share of the CPU to each user. This prevents one user from impacting the productivity of
other users and allows more users to connect to a server. This is accomplished by providing
CPU reservation and CPU shares.
• CPU reservation is a percentage of your server’s CPU resource that is available to a
user. If all of a reserved allocation is not being used, other users or processes can use
the available resource, as needed. Up to 20% of the work capability of a single CPU on a
server is always set aside for the local system account:
  • Default Local System Account CPU Reservation % = 20 / (number of CPUs or CPU cores).
For example, if System A has only one CPU, the local system account has a 20%
reservation of the total CPU capability. If System B has two CPUs, the local system
account has a 10% reservation of its total CPU capability. Reservations are available to
the users who need them the most.
Note: If the feature is supported in your XenApp edition, Citrix recommends you use
Preferential Load Balancing to allocate more CPU resources to one user over another,
rather than setting CPU Shares and Reservations in the registry key associated with
the CPU Utilization Management feature:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CTXCPU\Policy. If you set this registry key
and enable Preferential Load Balancing, the values in this key are not used.
• CPU shares are percentages of the CPU time. By default, CPU utilization management
allocates four shares for each user. If two users are logged on to a server and the local
system account does not need any of the resources on the system, each user receives
50% of the CPU time. If there are four users, each user receives 25% of the CPU time.
Important: The minimum number of CPU shares that can be assigned to a single user is 1
and the maximum is 64. For CPU reservation, the total cannot exceed 99% of the
computer’s CPU capacity, where 100% represents the entire CPU resource on the
computer. For example, if the local system has a 20% reservation, you can assign a
reservation of 79% to a user, but not 80%.
Do not enable Fair sharing of CPU between sessions on farms or servers that host:
• CPU-intensive applications that may require a user to have a share of the CPU greater
than that allocated to fellow users
• Special users who require higher priority access to servers
Managing Peak Utilization on
Multiprocessor Servers
If you enable Fair sharing of CPU on a multiprocessor system and fair sharing does not
occur, you might need to start the Citrix CPU Utilization Mgmt/CPU Rebalancer service.
On Windows Server 2008, there is one run queue for each CPU. To optimize cache reuse, on
computers with two or more CPUs, processes tend to stay on the same run queue and,
consequently, execute on the same CPU. However, on multiprocessor systems, a side effect
of this behavior is that it can compromise the CPU utilization management’s ability to align
CPU usage with CPU entitlement. To determine if fair sharing is occurring, check the CPU
column in the Windows Task Manager to see if one or more processes is consuming one
processor each.
The Citrix CPU Utilization Mgmt/CPU Rebalancer service is installed on multiprocessor
systems only. To use this service, start it manually. If you decide to use this service
long-term, set it to Automatic.
Do not start the CPU Rebalancer service simply because your server has multiple processors.
If fair sharing is occurring, the CPU Rebalancer service can impact server performance.
Note: If throughput is more important than fair sharing, Citrix does not recommend
starting the CPU Rebalancer service.
Enabling CPU Utilization Management
You can enable CPU utilization management at the farm level and at an individual server
level. This feature is not enabled by default.
To enable CPU utilization management for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm for which you want to enable CPU utilization
management.
3. In the task pane under Common Tasks, select Modify farm properties > Modify
Memory/CPU properties.
4. In the left pane of the Farm Properties dialog box, select Memory/CPU > CPU Utilization
Management.
5. On the CPU Utilization Management page, make one of these choices to enable this
setting for all of the servers in your farm:
• Select Fair sharing of CPU between sessions to allocate an equal share of the CPU to
each user
• Select CPU sharing based on Resource Allotments to enable Preferential Load
Balancing
To enable or disable CPU utilization management for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server for which you want to enable CPU utilization
management.
3. In the task pane under Common Tasks, select Modify server properties > Modify
Memory/CPU properties.
4. In the left pane of the Server Properties dialog box, select Memory/CPU > CPU
Utilization Management.
5. On the CPU Utilization Management page, clear the Use farm settings check box.
6. Select one of these choices to disable or enable this setting for this server.
• Select No CPU utilization management to disable all CPU utilization management
• Select Fair sharing of CPU between sessions to allocate an equal share of the CPU to
each user
• Select CPU sharing based on Resource Allotments to enable Preferential Load
Balancing
Managing Virtual Memory Usage
You can improve system speed, performance, and scalability by controlling virtual memory
utilization for a farm or individual servers. This feature is especially useful when user
demand exceeds available RAM and causes farm performance to degrade. Performance
degradation can occur during peak times when users run memory-intensive applications in
multiple sessions.
To increase the number of users who can use a server and improve a farm’s ability to
optimize the use of DLLs stored in virtual memory, enable memory utilization management.
When you enable memory utilization management, you enable the rebasing of DLLs for
virtual memory savings without actually changing the DLL files. You can also schedule the
rebasing of DLLs for off peak hours, exclude specific applications from DLL rebasing, and
rebase DLLs through a user account with permissions to access application files stored on
file servers.
Do not enable memory utilization management on farms or servers that
exclusively host signed or certified applications. XenApp can detect only some published
applications that are signed or certified.
Caution: If, after enabling memory utilization management and running scheduled
memory optimization, published applications fail, exclude those applications from
memory optimization.
Before Deploying Memory Utilization Management
1. Using a test server hosting your published applications, enable memory utilization
management.
2. Schedule memory optimization.
3. After memory optimization completes, run all published applications.
4. Add to the exclusion list those applications that fail.
Enabling Memory Utilization Management
You can enable memory utilization management at the farm level and at an individual
server level. This feature is not enabled by default.
To enable memory optimization for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm for which you want to enable memory optimization.
3. Select Action > Modify farm properties > Modify all properties.
4. In the left pane of the Farm Properties dialog box, click Server Default > Memory/CPU >
Memory Optimization.
5. On the Memory Optimization page, select the appropriate check boxes.
To enable memory optimization for a server
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server for which you want to enable memory optimization
and select Action > Properties.
3. In the left pane of the Server Properties dialog box, click Memory/CPU > Memory
Optimization.
4. On the Memory Optimization page, select the appropriate check boxes.
When you enable virtual memory optimization at the server level, virtual memory
optimization occurs at a time set by the farm-wide schedule. After enabling memory
optimization, create a schedule for when the servers can rebase DLLs.
Scheduling Virtual Memory Optimization
After enabling virtual memory optimization, you create a virtual memory optimization
schedule that identifies when a server rebases DLLs for greater operating efficiency.
When a server rebases a DLL:
• It makes a hidden copy of the DLL
• It modifies the starting address of the DLL to avoid conflicts that result in multiple
copies of a single DLL held in virtual memory
Schedule virtual memory optimization at a time when your servers have their lightest loads.
To create a memory optimization schedule
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm for which you want to create a virtual memory
optimization schedule.
3. Select Action > Modify farm properties > Modify all properties.
4. In the Farm Properties dialog box, choose Farm-wide > Memory/CPU > Optimization
Interval.
5. In the Optimization interval area, specify when to run the optimization program to set
the frequency at which the server rebases DLLs. You can set the frequency to be every
time you restart your server, every day, once a week, or once a month (daily is the
default). If you choose to run the program weekly or monthly, specify the day of the
week or month.
Note: Citrix recommends that if you select Day of month, you do not enter a value
higher than 28 in the text box. If you specify a higher value, memory optimization
may not occur in some months.
6. Specify the startup time (3:00 by default) in the Optimization time box to set the time
at which the server begins rebasing DLLs. The optimization time is specified using a
24-hour clock format.
Note: If you selected to optimize at startup, this option is disabled.
7. In the Memory optimization user area, if you want the memory optimization program to
run automatically using the local system account, select the Use local system account
check box (enabled by default). If you want to run the optimization program with a local
or remote user account (for example, if you store application files on a file server or
remote server that requires special access permissions, such as a domain
administrator), clear the Use local system account check box and supply the valid user
name and password of a domain or local administrator.
Note: The user must have read-write permission to all the files that you want to be
optimized.
8. Click Apply to implement your changes and then OK to close the Farm Properties dialog
box.
Excluding Applications from Memory Optimization
The following applications are excluded from being rebased by virtual memory
optimization:
• Applications that have digitally signed components.
• Applications whose DLLs are protected by Windows Rights Management. For example,
applications such as Office 2003 do not benefit from this feature.
• Applications whose executable programmatically checks the DLL after it is loaded.
• Applications that fail after you enable memory optimization. Add the applications'
executables to the memory optimization exclusion list.
To exclude additional applications from memory optimization
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm on which you want to exclude additional applications
from memory optimization.
3. From the Action menu, select Modify farm properties > Modify all properties.
4. In the Farm Properties dialog box, choose Farm-wide > Memory/CPU > Exclude
Applications. The Exclude Applications page appears. This page lists the applications
that memory optimization ignores. For example, some applications require a fixed DLL
address. If an application was working but it stops working after enabling this feature,
add the application to this list and see if the problem is resolved.
5. Click Add. The Browse Files dialog box listing all servers in the farm appears.
6. Navigate to the applications from each server that you would like memory optimization
to ignore, clicking OK to add each executable to the Exclude Applications page.
7. Click Apply to implement your changes and then OK to close the Farm Properties dialog
box.
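Because XenApp detects only some signed applications, an inventory of which application folders contain digitally signed components helps decide what to review for the exclusion list before optimization is scheduled. The following PowerShell is an added example, not part of the Citrix documentation; the folder path in the usage line is a placeholder.

```powershell
function Get-SignedComponentReport {
    # For each application folder, count the EXE/DLL files that carry an
    # Authenticode signature and list the executables to review for the
    # Exclude Applications page.
    param([Parameter(Mandatory = $true)][string[]]$ApplicationFolder)

    foreach ($folder in $ApplicationFolder) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Skipping missing folder: $folder"
            continue
        }

        # All executables and DLLs under the application folder.
        $files = @(Get-ChildItem -LiteralPath $folder -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                ('.exe', '.dll') -contains $_.Extension.ToLower()
            })

        # A status other than NotSigned / NotSupportedFileFormat means the
        # file carries a signature (valid or not).
        $signed = @($files | Where-Object {
            $status = [string](Get-AuthenticodeSignature -FilePath $_.FullName).Status
            ('NotSigned', 'NotSupportedFileFormat') -notcontains $status
        })

        # One signed component is enough to put every executable of the
        # application on the review list.
        $review = @()
        if ($signed.Count -gt 0) {
            $review = @($files |
                Where-Object { $_.Extension.ToLower() -eq '.exe' } |
                ForEach-Object { $_.FullName })
        }

        New-Object PSObject -Property @{
            Folder            = $folder
            Components        = $files.Count
            SignedComponents  = $signed.Count
            ExecutablesReview = $review
        }
    }
}

# Placeholder path; substitute the folders of your published applications.
Get-SignedComponentReport -ApplicationFolder 'C:\Program Files\ExampleApp' |
    Format-List Folder, Components, SignedComponents, ExecutablesReview
```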
Optimizing Simultaneous Logon Performance
You might see an improvement in simultaneous logon performance if you enable disk write
caching on the server’s RAID controller. The reason is that the logon process depends on
dynamic information and is handled by a data collector in the farm rather than
depending on the data store.
Managing Farm Infrastructure
All farms include infrastructure functions to support the servers hosting published
applications. Whether you configure these functions on shared or stand-alone servers
depends on your farm’s size and requirements.
Farms comprise at least one zone or grouping of servers. Multiple zones are sometimes used
to improve the performance on geographically segmented farms. Within the zone, there is a
data collector, which contains information about other servers in the farm, and servers
designated as backup data collectors. If the data store fails, each server on the farm also
contains a backup of all data store information, known as the local host cache.
Citrix does not recommend publishing applications on infrastructure servers.
These topics contain information about data collectors, zones, and the local host cache:
• Maintaining the Local Host Cache
• Data Collectors and Elections
• Enhancing the Performance of a Remote Group of Servers
Maintaining the Local Host Cache
A subset of data store information, the local host cache, exists on each server in the farm,
providing each member server with quick access to data store information. The local host
cache also provides redundancy of the data store information, if for example, a server in
the farm loses connectivity to the data store.
When a change is made to the farm’s data store, a notification to update the local host
cache is sent to all the servers in the farm. However, it is possible that some servers will
miss an update because of network problems. Member servers periodically query the data
store to determine if changes were made since the server’s local host cache was last
updated. If changes were made, the server requests the changed information.
Tuning Local Host Cache Synchronization
You can adjust the interval by which member servers query the farm's data store for missed
changes. The default interval is 30 minutes. In most cases, this default setting is sufficient.
Caution: Using Registry Editor incorrectly can cause serious problems that can require
you to reinstall the operating system. Citrix cannot guarantee that problems resulting
from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Make sure you back up the registry before you edit it.
You can configure the interval by creating the following registry key on each server you
want to adjust, with the value expressed in hexadecimal notation:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\DCNChangePollingInterval (DWORD)
Value: 0x1B7740 (default 1,800,000 milliseconds)
Note: This registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DCNChangePollingInterval
(DWORD) on XenApp, 32-bit Edition.
You must restart the IMA Service for this setting to take effect.
Most changes made through the Access Management Console, Delivery Services Console,
XenApp Advanced Configuration, or Presentation Server Console are written to the data
store. When you open one of these tools, it connects to a specified server. The Citrix
Independent Management Architecture service running on this server performs all reads and
writes to the data store for the console.
If the data store is experiencing high CPU usage when there should not be significant reads
or writes to the data store, it is possible that the data store is not powerful enough to
manage a query interval of 30 minutes. To determine whether or not the data store query
interval is causing the high CPU usage on the data store, you can set the query interval to a
very large number and test CPU usage. If the CPU usage returns to normal after you set a
large query interval, the data store query interval is probably the cause of the high CPU
usage. You can adjust the query interval based on performance testing.
To test the query interval, set the interval to 60 minutes and then restart all the servers in
the farm. If the data store is still experiencing constant high CPU usage, increase the query
interval further. If the CPU usage returns to normal, you can try a smaller value. Continue
these adjustments until data store CPU usage is normal.
Important: Do not set the data store query interval higher than necessary. This interval
serves as an important safeguard against lost updates. Setting the interval higher than
necessary can cause delays in updating the local host cache of the farm’s member
servers.
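The interval test described above, scripted in PowerShell as an added example (not a Citrix tool). The key paths and value name are the ones quoted in this topic; matching the service by the display name "Citrix Independent Management Architecture" is an assumption taken from the wording above.

```powershell
# Key paths and value name as quoted in this topic; 64-bit path first.
$ImaKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\IMA',
    'HKLM:\SOFTWARE\Citrix\IMA'              # XenApp, 32-bit Edition
)
$ValueName = 'DCNChangePollingInterval'
$DefaultMs = 0x1B7740                        # 1,800,000 ms (30 minutes)
# Assumption: the service display name matches the name used in the text.
$ImaDisplayName = 'Citrix Independent Management Architecture'

function Get-ImaKeyPath {
    foreach ($key in $ImaKeys) {
        if (Test-Path $key) { return $key }
    }
    throw 'No Citrix IMA registry key found on this server.'
}

function Get-LhcPollingInterval {
    # Reports the effective interval; the default applies when the value
    # has never been created.
    $key  = Get-ImaKeyPath
    $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    $ms   = if ($prop) { [int64]$prop.$ValueName } else { $DefaultMs }
    New-Object PSObject -Property @{
        Key          = $key
        Configured   = [bool]$prop
        Milliseconds = $ms
        Hex          = ('0x{0:X}' -f $ms)
        Minutes      = [math]::Round($ms / 60000, 2)
    }
}

function Set-LhcPollingInterval {
    param(
        [Parameter(Mandatory = $true)][int]$Minutes,
        [switch]$RestartIma
    )
    # The value is stored in milliseconds as a DWORD.
    $ms = [int64]$Minutes * 60000
    if ($Minutes -lt 1 -or $ms -gt [int32]::MaxValue) {
        throw "Interval of $Minutes minutes is outside the range this script accepts."
    }

    $key = Get-ImaKeyPath
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
        -Value ([int]$ms) -Force | Out-Null

    # The setting takes effect only after the IMA Service restarts.
    # -Force lets the restart proceed when other services depend on it.
    if ($RestartIma) {
        Restart-Service -DisplayName $ImaDisplayName -Force
    }
    Get-LhcPollingInterval
}

# Read-only check of the current setting.
Get-LhcPollingInterval | Format-List Key, Configured, Minutes, Milliseconds, Hex

# The 60-minute test described above (uncomment to apply):
# Set-LhcPollingInterval -Minutes 60 -RestartIma
```

Back up the registry before running the setter, as the caution above requires.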
Refreshing the Local Host Cache
You can force a manual refresh of a server’s local host cache by executing dsmaint
refreshlhc from a command prompt. This action forces the local host cache to read all
changes immediately from the farm’s data store. Refreshing the local host cache is useful,
for example, if the Citrix IMA Service is running, but published applications do not appear
correctly when users browse for application sets.
A discrepancy in the local host cache occurs only if the IMA Service on a server misses a
change event and is not synchronized correctly with the data store.
Recreating the Local Host Cache
You can manually create the local host cache from the farm’s data store. If the Citrix IMA
Service fails to start or you have a corrupt local host cache, you may need to recreate it.
To recreate the local host cache, stop the IMA Service and then run the command dsmaint
recreatelhc. Running this command performs three actions:
• Sets the value of the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME\PSRequired to 1.
On XenApp, 32-bit Edition, this key is
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\RUNTIME\PSRequired.
• Deletes the existing local host cache (Imalhc.mdb)
• Creates an empty local host cache (Imalhc.mdb)
You must restart the IMA Service after running dsmaint recreatelhc. When the IMA Service
starts, the local host cache is populated with fresh data from the data store.
The data store server must be available for dsmaint recreatelhc to work. If the data store is
not available, the Citrix IMA Service fails to start.
Data Collectors and Elections
A data collector is an in-memory database that maintains dynamic information about the
servers in the zone, such as server loads, session status, published applications, users
connected, and license usage.
Data collectors receive incremental data updates and queries from servers within their
zone. Data collectors relay information to all other data collectors in the farm. The data
collector tracks, for example, which applications are available and how many sessions are
running on each server in the zone. The data collector communicates this information to
the data store on behalf of the other servers in the farm. By default, in farms that
communicate indirectly with the data store, the first server in the farm functions as the
data collector.
Farms determine the data collector according to what level the election preference is set
for a server. By default, all servers joining the farm are configured as backup data
collectors. When the zone’s data collector fails, a data collector election occurs and a
backup data collector replaces the failed data collector.
If the data collector fails, existing and incoming sessions connected to other servers in the
farm are not affected. The data collector election process begins automatically and a new
data collector is elected almost instantaneously. Data collector elections are not dependent
on the data store.
New Data Collector Election
When communications fail between data collectors or between a server and its data
collector, the process to choose or elect a new data collector begins. For example:
1. The data collector for Zone 1 has an unplanned failure. If the data collector shuts down
correctly, it triggers the election process as it shuts down.
2. The servers in Zone 1 detect the data collector failed and start the election process.
The server set to the next highest election preference is elected as the new data
collector.
3. The member servers start sending their information to the new data collector for Zone
1.
4. The new Zone 1 data collector replicates this information to the other data collectors in
the farm.
Sometimes, you might decide to have a dedicated data collector after your farm is in
production. In general, if users experience slow connection times due to high CPU
utilization on the data collector, consider dedicating a server to act solely as the zone data
collector.
Specifying Backup Data Collectors
When you create a server farm and whenever a new server joins a zone, a server is elected
as the data collector for that zone. If the data collector for the zone becomes unavailable,
a new data collector is elected for the zone based on a simple ranking of servers in the
zone.
Important: A primary domain controller or backup domain controller must not become
the data collector for a zone. This situation may arise if XenApp is installed on Windows
domain controllers. Citrix does not recommend such installations.
To set the data collector election preference of a server
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the farm.
3. On the Actions menu, click Properties.
4. Select Zones.
5. In the list of zones and their servers, locate the server, select it, and click Set Election
Preference.
6. Select the ranking for the server by choosing from the following election options:
Important: If you change the server name of the data collector, the new server name
is added to the list of servers in the farm. The old server name is still listed as a
member of your farm and must be removed using the Access Management Console.
Before removing the old server name, you must update the data collector ranking for
the new server name.
Most Preferred
The server is always the first choice to become the data collector. It is recommended
that only one server per zone be given this setting.
Preferred
When electing a new data collector, XenApp elects the next collector from the
Preferred servers if the Most Preferred server is not available.
Default Preference
The default setting for all servers. The next collector is selected from the Default
servers if neither a Most Preferred server nor a Preferred server is available.
Not Preferred
Apply this setting to servers that you do not want to become the data collector for
the zone. This setting means that this server becomes the data collector only when
no servers are available with any of the other three settings (Most Preferred,
Preferred, Default Preference).
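A planning check for the election settings above, added here as a PowerShell example (not Citrix code): it lists which online server would be elected next and flags settings that conflict with the guidance in this topic. The inventory is constructed, and breaking ties within one preference level by server name is an assumption, since the text does not describe how ties are resolved.

```powershell
# Election preference levels in the order the text lists them (lower wins).
$Rank = @{
    'Most Preferred'     = 0
    'Preferred'          = 1
    'Default Preference' = 2
    'Not Preferred'      = 3
}

function New-ZoneServer {
    param(
        [string]$Name,
        [string]$Preference = 'Default Preference',
        [bool]$Online = $true,
        [bool]$IsDomainController = $false
    )
    if (-not $Rank.ContainsKey($Preference)) {
        throw "Unknown election preference: $Preference"
    }
    New-Object PSObject -Property @{
        Name = $Name; Preference = $Preference
        Online = $Online; IsDomainController = $IsDomainController
    }
}

function Get-ElectionOrder {
    # Online servers ordered by preference level.
    # Assumption: ties within a level are broken by server name.
    param([object[]]$Servers)
    $Servers | Where-Object { $_.Online } |
        Sort-Object -Property @{ Expression = { $Rank[$_.Preference] } },
                              @{ Expression = { $_.Name } }
}

function Test-ZoneElectionSettings {
    # Flags settings that go against the recommendations in this topic.
    param([object[]]$Servers)
    $findings = @()

    $most = @($Servers | Where-Object { $_.Preference -eq 'Most Preferred' })
    if ($most.Count -gt 1) {
        $names = ($most | ForEach-Object { $_.Name }) -join ', '
        $findings += "More than one Most Preferred server in the zone: $names"
    }

    foreach ($s in $Servers) {
        if ($s.IsDomainController -and $s.Preference -ne 'Not Preferred') {
            $findings += "$($s.Name) is a domain controller ranked '$($s.Preference)'"
        }
    }

    $winner = Get-ElectionOrder -Servers $Servers | Select-Object -First 1
    if ($winner -and $winner.IsDomainController) {
        $findings += "$($winner.Name) is a domain controller and would be elected now"
    }
    $findings
}

# Constructed zone inventory.
$zone = @(
    (New-ZoneServer -Name 'XA-01' -Preference 'Most Preferred'),
    (New-ZoneServer -Name 'XA-02' -Preference 'Preferred'),
    (New-ZoneServer -Name 'XA-03'),
    (New-ZoneServer -Name 'DC-01' -Preference 'Preferred' -IsDomainController $true)
)

Test-ZoneElectionSettings -Servers $zone

# Simulate failure of the current data collector and see who is next.
$zone[0].Online = $false
Get-ElectionOrder -Servers $zone |
    Select-Object -First 1 -Property Name, Preference, IsDomainController
```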
Enhancing the Performance of a Remote Group of Servers
A zone is a configurable grouping of XenApp servers. All farms have at least one zone. All
servers must belong to a zone. Unless otherwise specified during XenApp Setup, all servers
in the farm belong to the same zone, which is named Default Zone.
This illustration depicts a server farm with multiple zones. Each zone’s data collector
communicates with the other data collectors across the WAN link.
In farms distributed across WANs, zones enhance performance by grouping geographically
related servers together. Citrix does not recommend having more than one zone in a farm
unless it has servers in geographically distributed sites. Zones are not necessary to divide
large numbers of servers. There are 1000-server farms that have only one zone.
Zones have two purposes:
• Collect data from member servers in a hierarchical structure
• Efficiently distribute changes to all servers in the farm
Each zone contains a server designated as its data collector. Data collectors store
information about the zone’s servers and published applications. In farms with more than
one zone, data collectors also act as communication gateways between zones.
Data collectors generate a lot of network traffic because they communicate with each
other constantly:
• Each zone data collector has an open connection to all data collectors in the farm.
• During a zone update, member servers update the data collector with any requests and
changed data.
• Data collectors relay changes to the other data collectors. Consequently, data
collectors have the session information for all zones.
You can create zones during XenApp installation or after installation. This topic provides
information about creating zones after Setup, moving servers between zones, and renaming
zones. For design considerations for zones, including whether to create zones for small
groups of remote servers, see the Citrix XenApp Installation documentation at Citrix eDocs.
For business continuity, you can specify that if all zone servers go offline, XenApp redirects
user connections to a backup zone. This feature is known as Zone Preference and Failover;
you configure it through the User Workspace > Connections > Zone preference and failover
policy rule.
To minimize data exchanges among zones on WANs, and the ensuing network traffic, you
should:
• Not configure zones to load balance across zones (share load information). By default,
load balancing between zones is disabled.
• Direct requests for applications to the nearest geographic location by specifying a
preferred zone connection order in the User Workspace > Connections > Zone
preference and failover policy rule.
• Create a policy that applies to connections from a zone’s location. Then, specify that
zone as the Primary Group zone in the Zone preference and failover rule. This makes
XenApp route incoming connection requests from users to the zone for their location
first.
Zones are view-only in the Access Management Console and Delivery Services Console. Use
XenApp Advanced Configuration or Presentation Server Console to configure zones.
To configure zones in your farm
1. Depending on the version of XenApp you have installed:
• From the Start menu, open All Programs > Citrix > Administration Tools and choose
XenApp Advanced Configuration.
• From the ICA toolbar, open the Presentation Server Console.
2. Select the farm.
3. On the Actions menu, click Properties.
4. Select Zones.
Change the configuration of the zones in your farm by selecting:
• The buttons provided.
• The Only zone data collectors enumerate Program Neighborhood check box to make
your server farm more secure. When Program Neighborhood users browse for
application sets, servers enumerate, or list, the published applications they are
authorized to launch. When this option is not selected, any server in the farm can
respond to client enumeration requests. For any server in the farm to enumerate users’
applications, you must allow users to retain the Windows Group Policy right to log on
locally to every server. When you select this option, a data collector is always used to
specify which applications appear for a user in Program Neighborhood. You can then
confine users’ access to the servers that are or may become data collectors.
Do not select this option if you want the fastest possible enumeration of applications to
occur in Program Neighborhood and security is not a concern.
Important: Servers running some earlier releases of XenApp in a mixed farm cannot
access this farm setting to direct a connection for enumeration correctly. If users are
directed to a server on which they are not permitted access, their applications
cannot be enumerated and they will receive error messages. Citrix recommends that
you maintain all servers in a farm at the same release level.
• The Share load information across zones check box to allow data collectors to exchange
server load information across zones and ensure users are efficiently routed to the least
loaded server in any zone. Enable this setting only if the following conditions are true:
  • The bandwidth capacity among zones is not limited, such as if the zones are in the
  same LAN
  • You are not implementing zone preference and failover policies
Selecting this option can result in increased network traffic because every change in
server load is communicated to all data collectors across all zones. Connection requests
are routed to the least loaded server in the server farm, even a server located across a
WAN, unless a preferred order is established using the Zone preference and failover
policy rule. When you establish a preferred connection order, the zone data collectors
query the preferred zones in the order you set.
To create new zones
Use the New Zone dialog box to enter the name of the new zone.
Empty zones are not allowed. After you create a new zone, you must move one or more
servers into the new zone before you click OK in Zones or exit Zones by making another
selection in the left pane of the farm’s Properties page.
To rename zones
Use the Rename Zone dialog box to change the name of the zone you selected. Enter the
new name of the zone in the text box provided.
If you change the server name of the data collector, the new server name is added to the
list of servers in the farm. The old server name is still listed as a member of your farm and
must be removed using the Access Management Console or Delivery Services Console.
To move servers between zones
Use the Move Servers dialog box to move the selected server to another zone. This button is
available only when one or more servers is selected.
After you move one or more servers among zones, you must restart each server that was
moved. This is required to update the data collector information for each zone.
To remove zones
Use the Remove Zone button to delete the selected zones. A zone cannot be removed until
all the servers in the zone are moved to other zones.
Updating Citrix License Server Settings
Use the License Server page in the farm’s Properties dialog box to change the name of the
license server or port number that the license server uses to communicate. You can apply
the changes to either an individual server (on the License Server page of the server’s
Properties dialog box) or an entire farm. You can type the license server name or its IP
address in the Name field.
License files are stored on a license server. XenApp servers must point to the license server.
After you install XenApp, you can change the port number or license server name on the
license server Properties dialog box for the farm or an individual server.
The settings for your Citrix License Server are configured automatically when you install the
licensing components as part of the Setup program for your Citrix product. Two of these
settings are the name of the license server that your farm accesses to check out licenses
and the port number the license server uses to communicate. You may want to change
these settings in the following instances:
• You rename your license server.
• You want to specify another license server to point to (either for an entire farm or for
individual servers only) to relieve some of the traffic to the license server. For
example, you have many connections and you find that it is slowing down the network,
or you would like to add a second license server to the farm and point half of the
connections to it.
• You want to point individual servers to another license server to segregate
licenses. For example, you want to host the accounting department’s licenses on a
server other than the one that hosts the human resources department’s licenses.
• The default port number (27000) is already in use.
• You have a firewall between the license server and the computers running your Citrix
products, and you must specify a static Citrix vendor daemon port number.
To change the name of the license server or port number that it uses to communicate, type
the license server name or its IP address in the Name field of the License Server page of the
server’s or farm’s Properties dialog box (to apply the changes to either an individual server
or an entire farm). Changing the settings on this page is only one part of the procedure,
however.
If you decide to change the license server name, ensure that a license server with the new
name already exists on your network. Because license files are tied to the license server’s
host name, if you change the license server name, you must download a license file that is
generated for the new license server. This may involve returning and reallocating the
licenses. To return and reallocate your licenses, go to www.mycitrix.com. For additional
information, see Licensing Your Product.
If you change the port number, specify the new number in all license files on the server.
For additional information, see Licensing Your Product.
To specify a default license server for a farm
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the farm.
3. From the Action menu, select Modify farm properties > Modify license server properties.
4. Modify one or more of the following values:
• Name. You can enter either a license server name or an IP address
• Port number (default 27000). Enter the license server port number
Note: If you change the port number, you must specify the new number in all
license files on the server. For additional information, see Licensing Your
Product.
5. Click Apply to implement your changes.
To specify a license server for individual servers
Use this method to specify a license server for individual servers in your farm.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the server.
3. From the Action menu, select Modify server properties > Modify license server
properties.
4. Clear the Use farm settings check box (selected by default).
5. Specify the following information:
• Name. Because license files are tied to the license server’s host name, if you
change the license server name, you must ensure that you download a license file
that is generated for the new license server. This may involve returning and
reallocating the licenses. To return and reallocate your licenses, go to
www.mycitrix.com. Additionally, before you change the server name, ensure that
there is a license server with that name on your network. Note that you cannot
leave the license server name blank.
• Port Number. If you change the port number, you must specify the new number in
all license files on the server. For additional information, see Licensing Your
Product.
To set the product edition
The product editions of XenApp support different features. To activate the features
available with a particular edition installed on each server, set the edition of the product
for each server.
The product edition also determines which type of license a server requests from the
license server. Make sure the editions you set match the licenses you installed.
Important: To apply changes to the product edition, you must restart the servers.
1. Depending on the version of XenApp you have installed, from the Start menu, select All
Programs > Citrix > Management Consoles and choose Access Management Console or
Delivery Services Console.
2. In the left pane, select the required server.
3. From the Action menu, select All Tasks > Set server edition.
4. Select the required edition.
Important: Do not select Other unless you are asked to do so by Citrix Technical
Support.
Setting the Citrix XML Service Port
The Citrix XML Service is used by clients connecting over the TCP/IP+HTTP protocol and the
Web Interface.
During the installation of Citrix XenApp on your server, you configured the XML Service to
either share the port with your Microsoft Internet Information Server or to use a particular
port.
If you chose to have the XML Service share the port, this page displays a short message to
this effect.
If you chose a particular port during installation, the TCP/IP Port field reflects your choice.
Use this field to change the XML port number if necessary.
Note: The port option appears only if you entered a different port number than the
default Share with IIS during the Web Interface installation. Use this option to change the
port number.
If you do not trust XML requests, certain features of XenApp are not available. Trusting
requests sent to the XML Service means:
• Users can move among client devices and reconnect to all of their applications. For
example, you can use workspace control to assist health-care workers in a hospital who
need to move quickly among workstations and be able to pick up where they left off in
published applications.
• Users can connect to the Web Interface using pass-through authentication or smart
cards to reconnect to ICA sessions. These credentials are not passed from the server
running the Web Interface to the servers on which the users access their applications.
Users can reconnect to their ICA sessions even though their credentials are not passed
when this option is selected.
• XenApp can use the information sent in those requests by Access Gateway (Version 4.0
or later). This information includes Access Gateway filters that can be used to control
access to published applications and to set XenApp session policies. If you do not trust
requests sent to the XML Service, this additional information is ignored.
• Others on the network can disconnect or terminate sessions without authentication.
Trusting requests can also allow clients to make false security assertions.
To avoid security risks, select Trust requests sent to the XML Service only under the
following conditions:
• Some users connecting to their ICA sessions using the Web Interface are also using
pass-through authentication or smart cards.
• The same users need to move from one client device to another and still be able to pick
up where they left off in published applications.
• You implemented IPSec, firewalls, or any technology that ensures that only trusted
services communicate with the XML Service.
• You are selecting this setting only on servers that are contacted by the Web Interface.
• You are restricting access to the XML Service to the servers running the Web Interface.
When Internet Information Services (IIS) and the XML Service share a port, you can use
IIS to restrict port access to include the IP addresses of servers running the Web
Interface only.
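The conditions above can be checked against a farm inventory before the trust setting is enabled. The following Python is an added example, not Citrix code: the inventory fields, server names and IP addresses are hypothetical and constructed, and it assumes every listed condition must hold on a server that trusts XML requests.

```python
"""Audit 'Trust requests sent to the XML Service' against the listed conditions.

Added example. The inventory format is hypothetical and the sample data is
constructed; nothing here is read from a real XenApp farm.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class XenAppServer:
    name: str
    trust_xml_requests: bool          # the "Trust requests sent to the XML Service" check box
    contacted_by_web_interface: bool  # the Web Interface sends XML requests to this server
    needs_trust: bool                 # pass-through/smart card logon or workspace control in use
    network_isolation: bool           # IPSec, firewall or similar limits who reaches the XML port
    # IPs or CIDR ranges allowed to reach the XML port; empty means unrestricted
    xml_allowed_sources: list = field(default_factory=list)


def sources_outside_web_interface(allowed, web_interface_ips):
    """Return allow-list entries that admit any host other than a Web Interface server."""
    wi = {ip_address(a) for a in web_interface_ips}
    offending = []
    for entry in allowed:
        net = ip_network(entry, strict=False)
        # A range larger than the Web Interface set must include other hosts;
        # smaller ranges are cheap to enumerate address by address.
        if net.num_addresses > len(wi) or any(host not in wi for host in net):
            offending.append(entry)
    return offending


def audit(servers, web_interface_ips):
    """Return {server name: [findings]} for trusting servers that break a condition."""
    report = {}
    for s in servers:
        if not s.trust_xml_requests:
            continue  # requests are not trusted, so the risk described above does not apply
        findings = []
        if not s.needs_trust:
            findings.append("no pass-through, smart card or workspace control use requires trust")
        if not s.contacted_by_web_interface:
            findings.append("trust enabled on a server the Web Interface does not contact")
        if not s.network_isolation:
            findings.append("no IPSec or firewall control limits who can reach the XML Service")
        if not s.xml_allowed_sources:
            findings.append("XML port is not restricted to Web Interface servers")
        else:
            extra = sources_outside_web_interface(s.xml_allowed_sources, web_interface_ips)
            if extra:
                findings.append("allow-list admits non-Web Interface hosts: " + ", ".join(extra))
        if findings:
            report[s.name] = findings
    return report


# Constructed sample inventory.
WEB_INTERFACE_IPS = ["10.20.0.11", "10.20.0.12"]
SERVERS = [
    XenAppServer("XA-DC1", True, True, True, True, ["10.20.0.11", "10.20.0.12"]),
    XenAppServer("XA-APP7", True, False, True, True, ["10.20.0.0/24"]),
    XenAppServer("XA-APP9", True, True, True, False, []),
    XenAppServer("XA-APP3", False, False, False, False, []),
]

if __name__ == "__main__":
    for name, findings in audit(SERVERS, WEB_INTERFACE_IPS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```
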
To configure the Citrix XML Service port for a server
1. Select the server in the left pane
2. From the Action menu, select Modify server properties > Modify all properties.
3. From the Properties list, select XML Service.
4. Select the Trust requests sent to the XML Service check box if you ensured that only
trusted services communicate with the XML Service.
5. Click Apply.
To manually change the XML Service port to use a port different from IIS after installation
Note: This setting takes effect only after the XML Service restarts.
1. At a command prompt, stop IIS by typing: net stop w3svc
2. Delete the following files from the IIS scripts directory on your Web server:
• ctxadmin.dll
• CtxConfProxy.dll
• ctxsta.dll
• radexml.dll
• wpnbr.dll
3. At a command prompt, restart IIS by typing: net start w3svc
The XML Service no longer shares a port with IIS.
4. To ensure the XML Service is stopped, at a command prompt, type: net stop ctxhttp
5. At a command prompt, to unload the XML Service from memory, type: ctxxmlss /u
6. To install the XML service, type: ctxxmlss /rnn where nn is the number of the port
you want to use; for example, ctxxmlss /r88 forces the Citrix XML Service to use
TCP/IP port 88.
7. At a command prompt, stop the XML Service by typing: net stop ctxhttp
To manually configure Citrix XML Service to share the TCP port with IIS
1. At a command prompt, stop the XML Service by typing: net stop ctxhttp
2. At a command prompt, to uninstall the Citrix XML Service, type: ctxxmlss /u
3. Copy the following files to the IIS scripts directory on your Web server:
• ctxconfproxy.dll
• ctxsta.config
• ctxsta.dll
• ctxxmlss.exe
• ctxxmlss.txt
• radexml.dll
• wpnbr.dll
These files are installed in \Program Files\Citrix\System32 during XenApp installation.
The default scripts directory is \Inetpub\AdminScripts.
4. In the IIS scripts directory, create a folder called ctxadmin and copy the file
ctxadmin.dll from \Program Files\Citrix\System32 to \Inetpub\AdminScripts\ctxadmin.
5. Use Internet Service Manager to give the files read and write access.
6. At a command prompt, stop and restart the Web server by typing: iisreset
This setting takes effect after the Web server restarts.
Understanding XenApp Printing
Managing printers in a XenApp environment is a multistage process. The cycle for managing
printers on a farm requires that you:
1. Design your printing configuration. This includes analyzing your business needs, your
existing printing infrastructure, how your users and applications interact with printing
today, and what a realistic printing management model would look like for your
organization (that is, assessing whether the administrative overhead of the printing pathway
you choose is realistic in your environment).
2. Configure your printing environment, including creating the policies necessary to deploy
your printing design.
3. Test a pilot printing deployment before rolling it out to users.
4. Maintain your Citrix printing environment, including updating policies when new
employees or servers are added and maintaining drivers on your farm servers.
5. Troubleshoot issues that may arise in your printing environment.
Before you begin planning your deployment, make sure that you understand these major
concepts for printing in XenApp:
• The concept of printer provisioning in a session and the two major types of provisioning
(auto-created and self-provisioned). To understand these concepts, you need to
understand, among other things, the difference between a printer, a printing device,
and a printer driver.
• How print jobs can be routed in XenApp.
• The policies that you can create to manage drivers.
XenApp printing concepts build on Windows printing concepts. To configure and successfully
manage printing in a Citrix environment, you must understand how Windows network and
client printing works and how this translates into printing behavior in a Citrix environment.
Introduction to Windows Printing Concepts
This section provides a limited overview of basic printing concepts in a standard
(non-Terminal Services) Windows environment. However, Citrix recommends reviewing the
Windows documentation about network printing, print servers, and Terminal Services
printing before learning about Citrix printing concepts.
In a Windows environment, you can either print from your computer to a locally attached
desktop printer (for example, a printer on LPT1 or COM1) or you can print to a network
printer that is managed by a print server.
This diagram shows how print jobs are spooled from the client device to a print server and
then sent to the printing device in a Windows network.
Here are a few basic definitions:
Printing Device
In the context of this topic, the term printing device refers to the physical printer (that
is, the hardware device to which you send print jobs).
Printers
The term printer refers to the software representation of a printing device. Computers
must store information about printers so they can find and interact with printing devices.
When you see printer icons in the Printers panel in the Control Panel, you are seeing the
software representation of the printers. (You are not seeing the printer drivers.)
For clarity, the term printer object is sometimes used to denote the software
representation of a printing device.
Printer driver
The printer driver is the software program that lets the computer communicate with this
hardware device. This program converts the information to be printed to a language that
the printing device can process. It also understands the device and job settings of the
printing device and presents a user interface for users to configure these. In Windows
systems, printer drivers are distinct from the software representation of printers.
Print job
When a user prints a document, the data sent to the printer is known as a print job. Jobs
are queued to the printer in a specific sequence, which the print spooler controls. When
this sequence appears, it is known as the print queue.
Print spooler
The spooler is the Windows service that manages printer objects, coordinates drivers,
lets you create new printers, determines where print jobs are processed, and manages
the scheduling of print jobs. The print spooler also determines if the printer prints each
page as it receives it or if the printer waits until it receives all pages to print the job.
Typically, when a print job is spooled to a printer, the spooler loads documents into a
buffer. The printing device then retrieves the print jobs from the buffer when it is ready
to print the job. By storing the job, the computer can perform other operations while the
printing occurs in the background.
Print queue
A sequential, prioritized list of the print jobs waiting to be printed. The spooler
maintains this list for each printer object in the computer.
Print server
A computer that manages the communications between client devices and printers. In
this context, the term print server refers to dedicated computers that are running a
Windows server operating system and hosting x number of shared printers. Print servers
provide client workstations with drivers they need to print and store files, or print jobs,
in a print queue until the printer can print them. A print server is a remote print spooler.
Network printer
A shared printer object accessed through a network print server.
Local and Remote Print Job Spooling
Print job spooling is important because the location where print jobs are spooled is where
they are processed. The processing location affects network traffic and resource
utilization, and has additional implications in a XenApp context.
Print jobs can be spooled either locally or remotely. Typically, print jobs sent to locally
attached printers are spooled locally, and jobs sent to network printers are spooled
remotely.
Locally Spooled Print Jobs
When print jobs are spooled locally, the local Windows computer processes the job. The
application creates a spooled print job; the local print spooler, aided by the printer driver,
processes the print job, and sends the rendered output to the printing device.
In a Windows environment, when you print to a printer connected to your local computer
(when print jobs are spooled locally), the printer drivers and settings are stored on the
computer itself. A typical printing process for locally spooled print jobs is:
1. The application tells the local spooler to create a print job and an associated spool file
on the local computer.
2. On the local computer, Windows writes the application’s drawing commands to the
local spool file. This process of writing commands occurs repeatedly until the job is
completely spooled.
3. The local spooler processes the job with the printer driver in a process known as
rendering.
4. The local spooler delivers the rendered data to the printing device (for example, a
locally attached printer).
Remotely Spooled Print Jobs
When print jobs are spooled remotely, the Windows print server processes the print job.
A typical printing process for remotely spooled print jobs is:
1. The application tells the remote spooler to create a print job on the print server and an
associated spool file.
2. On the local computer, Windows writes the application’s drawing commands to the
remote spool file. This process of writing commands across the network occurs
repeatedly until the job is completely spooled.
3. The remote spooler processes the job with the printer driver in a process known as
rendering.
4. The print server delivers the rendered data to the printing device (typically a network
printer).
Key Differences Between Remote and Local Spooling
Unlike remote spooling, local spooling does not use any network resources. Remote spooling
requires that the local computer and the remote printer exchange many messages across
the network. Even in a non-Citrix environment, if a WAN has substantial latency, users will
have a poor user experience if the print jobs are spooled remotely across the WAN.
However, in some situations, for example when the resources on the local computer are
needed for other tasks, remote spooling is preferable. In remote spooling, the print job is
processed on the print server, which off-loads processing from the local computer.
XenApp Printing Concepts
In a XenApp environment, all printing is initiated (by the user) on the server. However,
print jobs are not always sent directly from the server to the printing device. Instead, the
print jobs can be redirected through the client device.
Because there is no persistent workspace for users in XenApp (when a session ends, the
user’s workspace is deleted), all settings need to be rebuilt at the beginning of each
session. As a result, each time a user starts a new session, XenApp must reprovision
(recreate or restore) the printers available in a session.
When a user clicks Print, XenApp:
• Determines what printers (that is, printer objects) to provide to the user. This is known
as printer provisioning.
• Restores the user’s printing preferences.
• Determines which printer is the default for the session.
However, you can customize how XenApp performs these tasks by configuring options for
printer provisioning, print job routing, printer property retention, and driver management.
Settings for these options can affect the performance of printing in your environment and
the user experience. For example, you can reduce the amount of latency when users print
by choosing a method of provisioning that is appropriate for your network configuration.
As a result, understanding key printing concepts is critical when planning your printing
configuration:
• The difference between the client and network printing pathway and how this is not
the same as local printers and network printers
• The term printer provisioning, the types of printer provisioning (static and dynamic),
printer autocreation, and user self-provisioning
• Print job routing and when changing it can improve utilization
• The basics of printer driver management
Overview of Client and Network Printing Pathways
An important concept in XenApp is the printing pathway. The term printing pathway
encompasses both the path by which print jobs are routed and the location where print jobs
are spooled. Both aspects of this concept are important. Routing affects network traffic.
Spooling affects utilization of local resources on the device that processes the job.
In XenApp, print jobs can take two different printing pathways:
• Network printing pathway
• Client printing pathway
Network Printing Pathway
The term network printing pathway refers to print jobs that are routed from the farm
server hosting the user’s session to a print server and spooled remotely.
This diagram shows a XenApp network printing example: Printing begins on the farm server
hosting the user’s session (where the application is published and executing). XenApp
routes the print job over a network connection to the network print server. The network
print server then routes the print job to an associated network printing device.
When a print job is spooled remotely in a Windows environment, it uses this process:
1. The application tells the remote spooler to create a print job and an associated spool
file.
2. The Windows Print Provider sends the spool file to the print server.
3. The print server processes the spool file.
4. The print server then sends the print job to the appropriate network printer.
Server Local Printers
The term server local printers refers to a configuration that uses the network printing
pathway where printing devices are attached locally to a XenApp farm server. Server local
printers are shared printing devices that are physically attached to a farm server.
Note: To use a locally attached printer as a server local printer in a XenApp farm, the
printer must be shared; otherwise XenApp does not recognize it.
Server local printers are often a good choice for printing in small farm environments.
However, server local printers are not used widely in enterprise environments because they
require installing the printer drivers on each server in the farm and require additional
resources on the XenApp server. Server local printers are managed and configured in the
same ways as network printers.
This diagram shows a XenApp server local printing example: Printing begins on the farm
server hosting the user’s session and is routed to a printing device attached locally to the
server.
Client Printing Pathway
The term client printing pathway refers to print jobs that are routed over the ICA protocol
through the client device to the printer (either a printer connected directly to the client
device or connected through a print server) and spooled on the Citrix XenApp Plug-in for
Hosted Apps.
When using the client printing pathway, a virtual printer is constructed in the session that
redirects to the printer object on the client device. The client device, in turn, sends the
print job to the printing device.
Importantly, because all processing occurs on the XenApp server, when users print a
document from a published application, they are actually starting that print job on the
XenApp server. These jobs are spooled locally on the XenApp server.
There are two different configurations of the client printing pathway: one for printers
attached directly to the client device and another for network printers.
Locally Attached Client Printers
The simplest configuration is the one where the printer is attached directly to the client
device. In this configuration, the application server sends the print job back to the
client device. The client device then relays it to a locally attached printer.
This diagram shows a simplified XenApp client printing example: Printing begins on the
server where the application is published. XenApp sends the print job over the connection
to the client device. The client device then routes the print job to the printer connected
locally to the client device.
When a print job is spooled to a client along the client printing pathway, it uses this
process:
1. The published application tells the local spooler on the server hosting the application
(that is, the host server) to create a print job and an associated spool file on the host
server.
2. On the host server, Windows writes the application’s drawing commands to the local
spool file. (This process of writing commands occurs repeatedly until the job is
completely spooled.)
3. The local spooler processes the job with the printer driver in a process known as
rendering.
4. The rendered data is delivered to the client device through the ICA protocol.
5. The client device relays the print data to the client-side printing device (a locally
attached printer in this example).
Client Printers on the Network
While client printers are often printers physically attached to client devices, they can also
be printers on the network. In this case, print jobs are routed through the client device to
the print server.
The process is the same as for printing to a local printing device through the client.
However, instead of sending the job to the client device, the job is sent to the network
print server.
This diagram shows client printing to a network printer: Printing begins on the server where
the application is published. XenApp routes the print job over the connection to the client
device. The client device then routes the print job over the network to the print server,
which in turn routes the print job to the network printer.
When a print job is spooled to a network printer along the client printing pathway, it uses
this process:
1. The application server sends the print job to the client for processing.
2. The client processes the spooled job and sends it to the Windows print server for
processing.
3. The Windows print server then sends the print job to the appropriate network printer.
Configuring XenApp to use the client printing pathway for network printing devices is useful
when a print server is in a domain different from the farm servers (and the client devices
have access to the print server’s domain). Using the client printing pathway lets application
servers send print jobs over the ICA connection to access the printer through the client
device.
Configuring the client printing pathway for network printing is useful for low bandwidth
connections, such as WANs, that can benefit from the traffic compression that results from
sending jobs over the ICA connection. The client printing pathway also lets you limit traffic
or restrict bandwidth allocated for print jobs.
Provisioning Printers for Sessions
For a computer to process a print command, it needs both the required printer object and a
printer driver. Because sessions are hosted in a virtual workspace instead of locally on a
hard drive, printers and their drivers are not stored on the local computer. Instead, they
are restored at logon or reconnect. The process by which XenApp makes printers available
in a session is known as provisioning.
You can control printer provisioning, and the way you configure it affects which printers
users see in sessions and the speed of the printers.
There are two types of printer provisioning:
• Static. Server local printers are provisioned only once, when you connect them to the
farm server. After that, they are always created in sessions with the same properties
and do not vary according to policies.
• Dynamic. The printers that are available in a session are determined as the session is
built. As a result, they can change according to changes to policies, changes in user
location, and changes to the network (provided they are reflected in policies). When
printers are provisioned dynamically, the printers that appear in a session are not
predetermined and stored. Rather, the printers are assembled, based on policies, as
the session is built.
Because provisioning static printers is relatively simple, this topic focuses on provisioning
printers dynamically. While there are other ways in which printers can be provisioned, such
as through Active Directory policies, this topic discusses the most common methods using
XenApp.
The two most common methods of dynamic printer provisioning are:
• User provisioning
• Autocreation
To control what printers users have in their sessions and ensure printers are available when
users start their sessions, provision their printers through autocreation. If you do not want
to specify (and administer) user printers, you can let users self-provision their printers.
If you choose, you can prevent printer autocreation and let users provision printers visible
from their client device.
User Provisioning
You can allow users to add printers to their sessions on their own. Users can map client
printers that are not autocreated by policy manually in a user session through the Windows
Add Printer wizard on the server (in their sessions). If users have thin clients or cannot
access their client devices, they can self-provision by running the ICA Client Printer
Configuration tool (PrintCfg.exe). For users to self-provision with the utility, you must
publish PrintCfg.exe on your farm.
Autocreation
The term autocreation refers to printers XenApp creates automatically, at the beginning of
each session, based on what printers are configured on the client device and any policies
that apply to the session.
By default, XenApp makes printers available in sessions by creating all printers configured
on the client device automatically, including locally attached and network printers. After
the user ends the session, the printers for that session are deleted. The next time a session
starts, XenApp evaluates any policies for printer creation and enumerates the appropriate
printers from the client device.
You can change the default autocreation policy settings to limit the number or type of
printers that are auto-created. XenApp can auto-create:
• Client redirected printers, including auto-created client printers and a Universal Printer
• Network printers
There is maintenance associated with provisioning printers by using client and network
printer autocreation. When you add new printers, you need to update the autocreation list.
Also, the drivers for these printers must be added to all servers on the farm; however, you
can specify for XenApp to do this automatically.
This topic comprises:
• Auto-Creating Client Printers
• Provisioning a Citrix Universal Printing Solution
• Auto-Creating Network Printers
• Letting Users Provision Their Own Printers
All of these provisioning methods use the client printing pathway except for Auto-Creating
Network Printers, which uses the network printing pathway.
Auto-Creating Client Printers
The main purpose of the autocreation feature is to create a list of printers that a user can
use when they log in. When the user logs in, their print drivers will be installed and all
printers returned in this list will be available for use.
XenApp can auto-create redirected client printers in two different ways:
• By creating a one-to-one match with printers on the client device
• By creating one generic printer, the Citrix Universal Printer, that represents all (or any)
printers on the client device
In many environments, especially large ones, Citrix recommends that you auto-create only
one default printer. Auto-creating a smaller number of printers creates less overhead on
the server and is better for CPU utilization.
However, in environments where users with limited computer skills need to print to a wide
variety of local printing devices, you may want to leave the default autocreation setting so
that all printers are created on logon.
If you do not want large numbers of printers created at the beginning of each session,
consider specifying for XenApp to use the Citrix Universal Printer.
Auto-Creating Printers from the Client Device
At the start of a session, XenApp auto-creates all printers on the client device by default.
You can control what, if any, types of printers are provisioned to users and prevent
autocreation entirely.
The Auto-creation policy rule lets you control autocreation and specify that:
• All printers visible to the client device, including network and locally attached printers,
are created automatically at the start of each session
• All non-network printers physically attached to the client device are created
automatically
• Only the default printer for the client device is created automatically
• No printers visible to the client device are created automatically
You can also use the Auto-creation policy rule to specify that XenApp auto-creates network
printing devices that are accessible through the client device only. An example is printing
devices in a domain different from the application server.
When configuring policies for printer autocreation, ensure:
• User accounts are not shared
• Users are not in the local power user or administrators group on the client devices
• You add Microsoft native or fully tested drivers only
• Users have write access on the server to %systemroot%\system32\spool
These points help ensure that printers auto-create successfully.
Provisioning a Citrix Universal Printing Solution
Citrix Universal printers and drivers are printing solutions that let users print regardless of
whether or not they have the correct printers and drivers installed.
Universal printing solutions are printers and drivers not tied to any specific device.
Consequently, they simplify administration by reducing the number of drivers required on
farm servers or the number of printers created at the beginning of sessions. Because users
need to access fewer printers and drivers, the speed of starting a session is increased and
the complexity of printer administration is decreased.
XenApp includes two types of universal printing solutions:
• Citrix Universal Printer. A generic printer object, replacing the printers that appear in
the user's Printers control panel during their session. This printer can be used with
almost any printing device.
• Citrix Universal Printer Drivers. Windows Native Printer drivers are generic drivers
that work with almost any printer. These drivers also work with non-Windows clients.
Citrix-created Universal printer drivers consist of the Citrix XPS Universal Printer driver
and the EMF-based Citrix Universal Printer driver.
These printing solutions can be used in one of the following ways:
• Auto-created device printer with Citrix Universal printer driver. A device-specific
printer gets auto-created but uses a Citrix Universal printer driver. For example,
configured policy rules specify that the printer LaserJet5L still gets auto-created at the
beginning of each session; however, the session uses the Citrix Universal printer driver
to communicate with the driver on the client device and the print job is processed on
the client device.
• Auto-created Citrix Universal Printer with a Citrix Universal printer driver. A Citrix
Universal Printer gets auto-created and it uses a Citrix Universal printer driver. That is,
at the beginning of each session, the only printer that is auto-created is the Citrix
Universal Printer. Like the first example, the session uses the Citrix Universal printer
driver to communicate with the driver on the client device and the print job is
processed on the client device.
• Auto-created device printers, auto-created Citrix Universal Printer with a Citrix
Universal printer driver. At the beginning of the session, the Citrix Universal Printer
and device-specific printers are auto-created. Both printers use the Citrix Universal
printer driver.
Whether you use a Citrix Universal printing solution depends on various factors:
• The Citrix Universal Printer and printer driver might not work for all client devices or
plug-ins in your environment. The Citrix Universal Printer and printer driver solution
requires the Citrix XenApp Plug-in for Hosted Apps or the Citrix XenApp Plug-in for
Streamed Apps (when streaming to the server).
The Citrix Universal Printer does not work if plug-ins are not connecting through the ICA
channel, such as when you are using the Citrix XenApp Plug-in for Streamed Apps and
streaming applications to the client.
If you want to use a universal printing solution for non-Windows plug-ins, use one of the
other universal printer drivers that are based on postscript/PCL and installed
automatically with XenApp.
• The Citrix Universal printer driver might also create smaller print jobs than older or less
advanced printer drivers. However, sometimes it might be better to use a
device-specific driver because the driver might be able to optimize print jobs for its
associated printer.
Note: If you want the Citrix Universal Printer to appear in sessions, make sure that the
rule Printing > Client Printers > Legacy client printers is not set to Create old-style client
printers in any policies affecting those sessions. If the Legacy client printers rule is
enabled, set it to Create dynamic session-private client printers.
Universal printer drivers are installed by default on each farm server; the printer is not
enabled, however. To get the best results when configuring your farm, use both the Citrix
Universal Printer and a Citrix Universal printer driver.
Note: Citrix Universal Printing is available for Citrix Presentation Server Client, Version
9.x or later and the Citrix XenApp Plug-in for Streamed Apps (streamed to server). This
feature is available in Presentation Server 4.0 to XenApp 5.0.
Citrix Universal Printer
The Citrix Universal Printer is a generic printer created at the beginning of sessions that can
be used with almost any printing device. This printer can print to and communicate,
through the client, with any client-side printer.
You may also want to use the Citrix Universal Printer because the printer name does not
change when users reconnect. Changing printer names can cause problems for some
applications.
The Citrix Universal Printer is created on a per-session basis. When used in conjunction with
a Citrix Universal Printer driver, it can greatly reduce the resource usage at the start of a
session from printer autocreation. When you use the Universal Printer, you can specify that
only the Universal Printer be auto-created for each printer on the client device.
Unlike many printing settings, the Universal Printer does not appear in the policy rules. By
default, the Universal Printer does not appear in XenApp unless you enable it by editing the
registry. When enabled, an extra printer is created in the session with the name Citrix
UNIVERSAL Printer in session number of session. To use only the Citrix Universal Printer in
sessions and not auto-create any printers on the client device, enable the Universal Printer
through the registry and set the Printing > Client Printers > Auto-creation rule to Do not
auto-create client printers.
The user experience varies depending on the type of Citrix Universal Printer.
Because the Citrix Universal Printer is not tied to a specific printing device, both the
EMF-based and XPS-based Citrix Universal Printers provide ways to preview and select
settings:
• EMF-based Citrix Universal Printer. The EMF-based Citrix Universal Printer can display
a Print Previewer before printing. Clicking Local Settings in the Citrix Print Previewer is
the only way users can select a different printer, control the device settings for the
printer hardware, and preview the print job. You control whether or not the Local
Settings button is available to users. If you do not allow users to change their printer
through the Local Settings button, the Citrix Universal Printer prints to the default
printer on the client device.
• XPS-based Citrix Universal Printer. Like Microsoft XPS Document Writer, the Citrix XPS
Universal Printer sends documents to Internet Explorer if a user selects Print Preview or
modifies the print settings, displaying them in Microsoft’s XPS “electronic paper”
format.
Note: The Print Previewer cannot be controlled by the administrator unless users have
the Citrix Presentation Server Client, Version 10.100 or later or the Citrix XenApp Plug-in
for Hosted Apps, Version 11.x.
Auto-Creating Network Printers
By default, any network printing devices on the client device are created automatically at
the beginning of sessions; however, if possible, XenApp always tries to route jobs directly
from XenApp to the print server and not through the client connection.
To specify that specific printers are created in sessions rather than auto-create all the
network printing devices available from the client device, configure the Session Printer
policy rule.
The key difference between provisioning network printers with the Printing > Client Printers
> Auto-creation rule and the Printing > Session printers rule is that the Auto-creation rule
automatically creates all printers on the client device whereas the Session printers rule lets
you specify which printers are created. Network printers created with the Session printers
rule can vary according to conditions where the session was initiated, such as location (by
filtering on objects such as subnets).
Before you can configure the Session printers rule, you must import the printer objects
stored on your print server into your XenApp farm. After importing printers into XenApp,
you can assign them to user sessions through the Session Printer policy rule. See Configuring
Network Printers for Users.
Note: For printers in domains that do not have a trust relationship with the XenApp farm,
configure them as redirected client printers using the Auto-creation rule. When network
printing devices are provisioned in this way, the print jobs are routed through the client
using the client printing pathway.
Letting Users Provision Their Own Printers
If you do not want specific printers to be auto-created at the beginning of each session,
allow users to add their own printers.
By default, provided they can access the network from their client devices, all users can
add printing devices to be used in a session. The only time users cannot add printers to
their sessions is when they cannot access their client device because they are using a thin
client and there are no applications published that let them browse and add printers.
Printers that users create on their own during a session are known as retained printers
because they are created again (or remembered) at the start of the next session. When
XenApp recreates a retained printer at the start of a session, it considers all policy rules
except the Auto-creation rule.
Retained printers appear in sessions on that device until the client printer within the
session is deleted manually, the remembered printer connection is removed from the
client’s properties store, or the client-side printer is inaccessible.
Users might need to use the PrintCfg.exe tool to add printers if they cannot browse to the
printer from within the session or cannot access their client desktop. If they use this tool,
the printers are routed along the client printing pathway.
Device or Session-Based Print Settings
By default, all changes users make to the printer device settings and preferences, whether
in a session or working on their local computer, are saved and used locally and in a session.
This means that printer settings and preferences are always the same on the client device
and in a session. XenApp policies let you change the way XenApp software saves and applies
printer device settings and preferences.
You can configure sessions to obtain print settings, specifically user printing preferences,
from either the printer object or the printing device.
XenApp can write printer settings to the printer object at the end of a session or to a client
printing device, provided the user’s network account has sufficient permissions. By default,
XenApp Plug-ins use the settings stored in the printer object in the session, before looking
in other locations for settings and preferences.
The main reason you want sessions to obtain their print settings from the printing device is
if Windows users make changes to local printers outside of sessions (that is, on their local
computer offline). Non-Windows plug-ins synchronize changes made out of sessions
automatically.
Device-Based Print Settings
Caution: Using Registry Editor incorrectly can cause serious problems that may require
you to reinstall your operating system. Citrix cannot guarantee that problems resulting from
the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
If you have Windows users with locally attached printers who work on applications locally
and on the server, you might want to retain changes to the printer settings the users make
locally outside of a session. To do so, create and set the Win32FavorRetainedPrinterSettings
registry key to False, as described in To synchronize properties from the printer.
When the registry key is modified, the plugin gives priority to settings from the printer,
rather than retained settings. Settings in the session stay synchronized with settings on the
printing device. If a change was made to the printer out of a session, the change is picked
up. If a change is made to the printer inside the session, the plugin attempts to write the
change back to the printer on the client device when logging off.
You must have the same driver on the client device and server. If you do not, only a subset
of settings is exchanged between the real printer and the virtual printer in the session.
Some device independent settings are inherited and others are not.
Controlling Printing Settings and User Preferences
To understand how printing preferences are retained and applied, you must understand:
• The locations printing settings can be stored in a XenApp environment
• The priority XenApp software uses to apply printing preferences from previous sessions
to the printers in a newly created session
• Where XenApp software stores printing preferences by default and if there are factors
in your environment that will prevent the software from successfully storing them in
this location (that is, when you need to change this setting)
General Locations of Printing Preferences
In Windows printing environments, changes made to printing preferences can be stored on
the local computer or in a document. In a XenApp environment, when users modify printing
settings, the settings are stored in these locations:
• On the client device itself. The settings are set on the client device by right-clicking
the printer in Control Panel > Printers and selecting Printing Preferences. For example,
if Landscape is selected as page orientation, landscape is saved as the default page
orientation preference for that printer. This type of preference is known as Device
Settings.
• Inside of a document. In word-processing and desktop-publishing programs, settings,
such as page orientation, are often stored inside documents. These settings are often
referred to as Document Settings. For example, when you queue a document to print,
Microsoft Word typically stores the printing preferences you specified, such as page
orientation and the printer name, inside the document. These settings appear by
default the next time you print that document.
• From changes a user made during a session. XenApp keeps only changes to the
printing settings of an auto-created printer if the change was made in the Control Panel
> Printers in the session; that is, on the server.
• On the server. These are the default settings associated with a particular printer driver
on the server.
If you want to control user printing preferences, it is important to understand that the
settings preserved in any Windows-based environment vary according to where the user
made the changes. This also means that the printing settings that appear in one place, such
as in a spreadsheet program, can be different than those in others, such as documents. As
a result, printing settings applied to a specific printer can change throughout a session.
Hierarchy of Users’ Printing Preferences
Because printing preferences can be stored in multiple places, XenApp processes them
according to a specific priority. Also, it is important to note that Device Settings are
treated distinctly from, and usually take precedence over, Document Settings.
XenApp searches for settings in this order:
1. XenApp checks for retained printer settings.
If XenApp finds retained settings, it applies these settings when the user prints.
2. If there are no retained printer settings, XenApp searches for any changes to the printer
settings for the default printer for the client device.
If XenApp finds any changes to printing preferences on the client device, it applies
these settings when the user prints.
3. If there are no retained or client printer settings, XenApp applies the default printer
settings stored on the server when the user prints.
At this point, the printer settings are merged. Generally, XenApp merges any retained
settings and the settings inherited from the client device with the settings for the default
printer driver on the server.
By default, XenApp always applies any printing settings a user modified during a session;
that is, the retained settings, before considering any other settings.
Saving Users’ Printing Preferences
By default, XenApp attempts to store printing properties, a combination of the user’s
printing preferences and printing device-specific settings, on the client device. If the client
does not support this operation, XenApp stores printing properties in its user profile for that
user. Sessions from non-Windows XenApp plug-ins or even older Windows XenApp plug-ins
use the user profiles on the server for properties retention. You can use the Printer
Properties Retention policy rule to force properties to be saved on either the client or on
the server.
If any of the following apply, you might need to reconfigure how XenApp stores user
printing preferences:
• Client version. Not all XenApp plug-ins allow users to store printer properties on a
client device. Users must be running Citrix Presentation Server Client 9.x and higher to
store user-modified printer properties on the client device.
• Type of Windows user profile. That is, if you are using local, roaming, or mandatory
profiles on your Windows network.
If you are using a mandatory profile and you want to retain the user’s printer
properties, you must store the properties on the client device.
• Farm Size. If you have a large farm and you are load balancing applications, users will
experience inconsistent printing behavior and properties if you use local profiles. The
only way you can get consistent printing behavior is to save the printer properties on
the client device.
• Type of workers. If you have mobile or remote workers and you are using roaming
profiles, you must save the printer properties to the user’s profile and not the client
device.
If none of these factors apply to you, Citrix recommends you not change where the printer
properties are stored. Leaving the default setting, which saves the printer properties on the
client device, is the easiest way to ensure consistent printing properties.
You can specify whether you want these settings stored on the client device or with the
user’s profile. You can also change this default behavior so settings are not stored.
However, before you make these decisions, you must understand how XenApp determines
what print settings it applies and also what the difference is between storing print settings
on the client device or with a profile.
Setting Default Printers
The printer that XenApp selects for a session’s default printer can be based on:
• A network printer you specify as the default
• The default printer on the client device
If you want to base the default session printer on either of these, use the Session printers
policy rule. See To assign printers using the Session printers policy rule for details.
However, if you specified that XenApp auto-create the default client printer, then, if no
other printers are provisioned in sessions, you might not need to specify a default session
printer.
Printing and Mobile Workers
In situations where users move among different workstations or sites, you can make sure
that the closest printers are presented to them wherever they try to print. Examples of
such users include hospital workers who move among workstations in different wings of a
hospital, reconnecting to the same session using a smart card, or employees who travel to
remote business units.
If you have mobile workers and need this type of printing functionality, use one of these
features:
• SmoothRoaming
• Proximity Printing
SmoothRoaming
Also known as Workspace control, this feature lets a user disconnect from one session,
move to another device, and reconnect to continue that same session. The printers assigned
on the first client device are replaced on reconnection with the printers designated on the
second client device. As a result, users are always presented with applicable printer options
from wherever they connect.
Proximity Printing
This feature lets you control the assignment of network printers so that the most
appropriate printer is presented, based on the location of the client device.
The Proximity Printing solution is enabled through the Session printers policy rule.
Proximity Printing can make administration easier even if you do not have mobile workers.
For example, if a user moves from one department or floor to another, you do not need to
assign additional printers to that user if Proximity Printing is implemented. When the
workstation is recognized within the new location’s IP address range, it has access to all
network printers within that range.
However, if you configure Proximity Printing, you must maintain the Session printer policy.
For example, as network printers are added or removed, you must update this policy to
reflect the current set of network printers. Likewise, if you modify the DHCP IP address
ranges for floors or departments, you must update this policy.
Proximity Printing requires that you can filter the policy on some type of geographic
indicator, such as:
• The name of the workstation, if the name relates to the workstation’s location
• Your network’s IP addresses, if they correlate with user locations
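The following is an added sketch, not Citrix code, of the maintenance check described above: it models Session printers policies filtered on client IP address ranges, resolves the printers a client address would receive, and reports DHCP ranges that no policy covers. The policy names, subnets and printer shares are constructed sample values.

```python
"""Model of location-filtered Session printers policies (Proximity Printing).

Added illustration. All names, subnets and printer shares are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionPrinterPolicy:
    name: str
    client_range: ipaddress.IPv4Network  # policy filter: client IP address range
    printers: tuple                      # network printers the rule assigns


# Constructed sample policies, one per floor.
POLICIES = [
    SessionPrinterPolicy("Floor1", ipaddress.ip_network("10.20.1.0/24"),
                         (r"\\print01\F1-Laser", r"\\print01\F1-Color")),
    SessionPrinterPolicy("Floor2", ipaddress.ip_network("10.20.2.0/24"),
                         (r"\\print01\F2-Laser",)),
]

# Constructed sample DHCP scopes, as the network team might export them.
DHCP_SCOPES = {
    "Floor1": ipaddress.ip_network("10.20.1.0/24"),
    "Floor2": ipaddress.ip_network("10.20.2.0/23"),  # scope widened after the policy was written
    "Floor3": ipaddress.ip_network("10.20.4.0/24"),  # new floor, no policy yet
}


def printers_for_client(client_ip, policies=POLICIES):
    """Return the printers of every policy whose range contains client_ip."""
    addr = ipaddress.ip_address(client_ip)
    result = []
    for policy in policies:
        if addr in policy.client_range:
            for printer in policy.printers:
                if printer not in result:
                    result.append(printer)
    return result


def _subtract(networks, covered):
    """Remove the address space of `covered` from a list of networks."""
    remaining = []
    for net in networks:
        if not net.overlaps(covered):
            remaining.append(net)
        elif net.subnet_of(covered):
            continue  # fully covered by the policy range
        else:
            # CIDR blocks that overlap are nested, so `covered` lies inside `net`.
            remaining.extend(net.address_exclude(covered))
    return remaining


def coverage_gaps(scopes=DHCP_SCOPES, policies=POLICIES):
    """Return {scope name: [uncovered subnets]} for scopes with no matching policy."""
    gaps = {}
    for name, scope in scopes.items():
        remaining = [scope]
        for policy in policies:
            remaining = _subtract(remaining, policy.client_range)
        if remaining:
            gaps[name] = [str(net) for net in sorted(remaining)]
    return gaps


if __name__ == "__main__":
    print(printers_for_client("10.20.1.57"))
    print(printers_for_client("10.20.3.10"))  # inside the widened scope, gets nothing
    print(coverage_gaps())
```

Clients in a reported gap receive no proximity printers until a policy filter is added or widened to match the DHCP range.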
Optimizing Printing Performance by Routing
In a XenApp environment, you can control how print jobs destined for network printers are
routed. Jobs can take two paths to a network printing device: along the client or network
printing pathway.
By default, XenApp routes print jobs along the client printing pathway as follows:
• Auto-created client printers. XenApp routes jobs to locally attached printers from the
server, through the client, and then to the print device. The ICA protocol compresses
the print job traffic. When a printing device is attached locally to the client device, the
jobs must be routed through the plug-in.
• Auto-created network printers. By default, all print jobs destined for network printers
route from the server, across the network, and directly to the print server. However, if
the application server and the print server are on different domains, XenApp
automatically routes the print job through the plug-in.
When network printers are visible from the server, you can use policies to control how print
jobs are routed to network printers. You can configure that jobs be routed to network
printers:
• Through the plugin. This is accomplished by auto-creating the network printer but
specifying its jobs to route through the plug-in.
• Over the network. This is accomplished either by leaving the default settings so that
the network printer is auto-created (or configuring a policy to do this) or by
provisioning the network printer through the Session printers policy rule.
Routing jobs along the network printing pathway is ideal for fast local networks and when
you want users to have the same user experience that they have on their local client device
(that is, when you want the printer names to appear the same in every session).
However, print jobs relayed using the network printing pathway are not suited to WANs.
The spooling of print jobs using the network printing pathway method is “chatty;” many
packets are exchanged between the host server and the print server. Consequently, users
might experience latency while the print jobs are spooling over the WAN. Also, the print
job traffic from the server to the print server is not compressed and is treated as regular
network traffic.
When printing jobs across a network with limited bandwidth, Citrix recommends routing
jobs through the client device so that the ICA protocol compresses the jobs. To do so,
enable the Printing > Client Printers > Print job routing policy rule and select the Always
connect indirectly as a client printer option. See Print Job Routing for policy details.
Managing Printer Drivers
During printer auto-creation, if XenApp detects a new local printer connected to a client
device, it checks the server hosting the published application (from which the user is trying
to print) for the required printer driver. By default, XenApp automatically installs a native
driver if one is not found on the server hosting the published application.
Because users in a XenApp environment do not have a persistent workspace, drivers cannot
be stored on the client. To print to a local device, XenApp must find the correct driver on:
(a) its server or in the server’s Windows operating system, and (b) the client device. The
diagram that follows shows how the printer driver is used in two places for client printing.
This diagram shows client printing to a local printer: The printer driver on the server routes
the job over the ICA channel to the client device. The client device then routes the print
job through the same printer driver, which is accessible on the client device. The printer
driver on the client device relays the print job to the print spooler on the client device,
which in turn routes the print job to the local printer.
The printer driver on the server and the driver used by the client device must match
exactly. If not, printing fails. As a result, XenApp provides features to manage drivers,
install them automatically, and replicate them across your farm.
The following problems can arise from not managing client printer drivers correctly:
• Any missing drivers can prevent users from printing successfully. If a third-party printer
driver has multiple or inconsistent names across your farm, a session might not be able
to find it and a user’s job may fail to print.
• Printing to a client printer with a defective driver can cause a fatal system error on a
server.
• XenApp does not download drivers, including printer drivers, from the print server. For
XenApp servers to print across the network printing pathway, the correct
device-specific printer driver for the XenApp server's operating system (version and bit
depth) must be installed on the XenApp server. Two print servers are not required.
• If a defective driver is replicated throughout a server farm, it is difficult and time
consuming to remove it from every server to prevent its use with client printers.
When planning your driver management strategy, determine whether you will support
device-specific drivers, the Universal Printing driver, or both.
If you support standard drivers, you also need to determine:
• What types of drivers you want to support
• If you want printer drivers automatically installed when they are missing on farm
servers
• If you want to create driver compatibility lists
• If you want to replicate drivers across your farm servers automatically
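The check below illustrates the exact-match and inconsistent-name problems described above. It is an added example, not Citrix code: the server names, driver names, and the functions Get-NameKey and Find-DriverGap are constructed for illustration, and the case-sensitive comparison is a conservative assumption about what "match exactly" means.

```powershell
# Constructed sample inventory (not real farm data): one row per driver installed on a server.
# On a live farm the rows could come from the WMI class Win32_PrinterDriver on each server.
$inventory = @(
    @{ Server = 'XA01'; Driver = 'HP LaserJet 4250 PCL 6' },
    @{ Server = 'XA02'; Driver = 'HP LaserJet 4250 PCL 6' },
    @{ Server = 'XA03'; Driver = 'HP LaserJet 4250 PCL6'  },   # same driver, different name
    @{ Server = 'XA01'; Driver = 'Lexmark T640' },
    @{ Server = 'XA03'; Driver = 'Lexmark T640' }
) | ForEach-Object { New-Object PSObject -Property $_ }

# Driver names reported by client devices for their local printers (constructed).
$clientDrivers = 'HP LaserJet 4250 PCL 6', 'Lexmark T640'

# Collapse case and whitespace so that near-duplicate names map to one key.
function Get-NameKey([string]$Name) { ($Name -replace '\s+', '').ToLower() }

function Find-DriverGap {
    param([object[]]$Inventory, [string[]]$ClientDrivers)

    $servers = @($Inventory | Select-Object -ExpandProperty Server -Unique)
    foreach ($name in $ClientDrivers) {
        # Servers holding a driver whose name is identical to the client's (case-sensitive).
        $have = @($Inventory | Where-Object { $_.Driver -ceq $name } |
                  Select-Object -ExpandProperty Server -Unique)
        # Servers where a session would not find the driver under this name.
        $missing = @($servers | Where-Object { $have -notcontains $_ })

        # Near misses: not identical, but equal once case and spacing are ignored.
        $key  = Get-NameKey $name
        $near = @($Inventory | Where-Object {
                    $_.Driver -cne $name -and (Get-NameKey $_.Driver) -eq $key })

        New-Object PSObject -Property @{
            ClientDriver = $name
            MissingOn    = $missing
            NearMisses   = @($near | ForEach-Object { "$($_.Server): '$($_.Driver)'" })
        }
    }
}

# With the sample data: the HP driver is missing on XA03 (near miss listed),
# and the Lexmark driver is missing on XA02 with no near miss.
Find-DriverGap -Inventory $inventory -ClientDrivers $clientDrivers | Format-List
```

A server listed under MissingOn with a NearMisses entry points to an inconsistent name rather than an absent driver.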
Types of Printer Drivers
There are two categories of printer drivers:
• Citrix Universal Printer driver.
• Standard printer drivers; specifically, Windows printer drivers or manufacturer’s printer
drivers.
These drivers are covered in this topic. However, Citrix recommends, when possible, using
the Citrix Universal Printer driver exclusively because it reduces the number of drivers on
farm servers and simplifies administration.
Universal Printer Drivers Overview
The Citrix Universal Printer drivers provide basic printer driver functionality to almost all
printers, regardless of make or model. Deploying one of these drivers relieves the burden of
administering multiple printer drivers and avoids problems with driver maintenance,
replication, and other client printing issues.
In XenApp, Citrix provides several different types of Universal printer drivers:
• Citrix Universal XPS Printer driver
• Citrix Universal Printer driver
• Stock or Standard Windows printer drivers
Citrix Universal XPS Printer driver
This driver is based on the Windows XML Paper Specification (XPS) printing technology
introduced in Windows Server 2008. Windows XPS printing technology uses XML to create a
platform-independent “electronic paper” similar to Adobe’s PDF format.
The XPS format is a device-independent XML-based spool file format that provides a
compressed XML description of a page’s graphic elements. Printing devices can use
XPS-formatted print jobs directly without translation.
The Citrix Universal XPS Printer driver creates the XPS print job using the Microsoft XPS
printer driver on the client device. The Citrix Universal XPS Printer driver obtains printing
device-specific information from the client device.
You can use the Citrix Universal XPS Printer driver provided your farm servers are running
XenApp 5.0 and your client devices have .NET 3.0 installed on them, which comes with
Windows Vista.
Citrix Universal Printer driver
This driver uses Windows’ Enhanced Metafile Format (EMF) technology. EMF is a
device-independent format for capturing the graphical elements printed on each page of a
print job. A client-side renderer uses EMF and provides a substantial reduction in the
processing time of Citrix Universal print jobs on the client.
Stock or standard Windows printer drivers
Citrix also uses standard printer drivers, which are sufficiently compatible to support a
broad range of printing devices, to provide universal printing functionality. You can use
these printer drivers for universal printing for non-Windows plug-ins, such as Macintosh or
UNIX clients. These drivers include the following:
• HP Color LaserJet 4500 PCL 5 (Citrix PCL5c Universal Driver)
• HP Color LaserJet 4500 PS (Citrix PS Universal Printer Driver)
• HP LaserJet Series II (Citrix PCL4 Universal Driver)
Effects of Using Universal Printer drivers
When a Universal Printer driver is configured, by default, XenApp uses the EMF-based Citrix
Universal Printer. If you change the default driver to be the Citrix Universal XPS Printer
driver, the XPS driver is used provided the plug-in or client device meets the XPS driver’s
requirements. If a requirement is missing, XenApp uses (that is, “falls back” to) the
EMF-based Citrix Universal Printer.
If you use the Citrix Universal XPS Printer driver, the print jobs it processes might have a
smaller footprint on your network. However, users might perceive the EMF-based Citrix
Universal driver as printing faster. The EMF-based driver spools print jobs one page at a
time, so each page prints as the printer receives it. In contrast, with the XPS-based printer
driver, printers cannot print until they receive the last page of the job.
Citrix Universal XPS Printer Driver Overview
The Citrix Universal Printer driver uses Microsoft’s XPS printer driver on the server to create
an XPS print job that can be read by the printing device. It uses this process:
1. The XPS print job (*.xps) that will be ultimately read by the printing device is created
on the server in a session:
   • On the server hosting the published application, the application sends the data to
   the printer (object) for the target printing device
   • The printer object then sends the print data to the XPS printer driver on the server
   where it is rendered into an XPS file
2. The XenApp server sends the XPS file across the printing virtual channel to the XPS Print
Helper (which is part of the Citrix XenApp Plugin for Hosted Apps and the Web
Interface).
3. The XPS Print Helper does one of two things:
   • If the XPS printer driver is bound to a specific printer that was auto-created at the
   beginning of a session, the XPS file is sent directly to the printer and the XPS
   Viewer does not appear.
   • If the XPS printer driver is not bound to a specific printer, the user must choose a
   printer. The XPS file is sent to the XPS Viewer in Internet Explorer and the user can
   select the printer from Internet Explorer.
Standard Printer Drivers Overview
In this topic, the term standard printer drivers refers to any printer driver that is not a
Citrix Universal Printer driver. There are two types of standard printer drivers:
• Windows printer drivers. Refers to the drivers included with Windows operating
systems. Also known as native printer drivers because they are part of, or native to, the
operating system.
These drivers are manufacturer-specific and they are the drivers that Windows
automatically installs when you use the Windows Add Printer wizard. These are not
synonymous with manufacturer’s drivers.
• Manufacturer’s printer drivers. Refers to the printer drivers that come with a printer;
for example, on a CD or as a download from the manufacturer’s Web site. Also known
as third-party printer drivers.
You may need to use standard drivers from the Windows operating system or the
manufacturer in some situations, including:
• When your environment has extremely new printers, older printers, or specialty printers
• When users require specialty printing features that are not available through the Citrix
Universal Printer driver, such as support for certain paper sizes
If you must use standard printer drivers, use the Windows printer drivers included with the
Windows operating system rather than the manufacturer’s drivers whenever possible. The
drivers included with Windows typically go through a higher level of Windows certification
that includes testing for multiuser environments. However, if there is no comparable
Windows driver or if users require a feature, such as PostScript, you may need to use the
manufacturer’s driver for that printing device.
The Universal driver policy rule lets you control which type of printer drivers are used
during printer autocreation. You can specify:
• Model-specific drivers only
• Universal drivers only
• Universal drivers only if a model-specific driver is not available
If you do not enable the Universal driver policy rule, XenApp uses model-specific drivers if
they are available. If XenApp cannot find the correct model-specific driver, it uses a
Universal printer driver.
If you are supporting standard device-specific printer drivers, determine how you want to
manage the drivers on your farm. See Managing Printer Drivers.
Planning Your Printing Configuration
Choosing the most appropriate printing configuration options for your needs and
environment can simplify administration. Without performing any printing configurations,
users can print in most environments. However, users might not get the printing experience
they expect and default printing configurations might not be appropriate for your
environment.
Your printing configuration depends upon:
• Your business needs and your existing printing infrastructure. Design your printing
configuration around the needs of your organization. Your existing printing
implementation (user’s ability to add printers, which users have access to what
printers, and so on) might be a useful guide when defining your XenApp printing
configuration.
• If your organization has security policies that