
CWS 215 2I en StudentManual v06

This document provides an overview of Citrix Virtual Apps and Desktops 7 administration. It covers topics such as architecture, deployment, image creation, provisioning resources, access, user experience management, and presentation of published applications and desktops. The document contains several modules that discuss these areas at a high level.

Uploaded by

Luis J Estrada S

CWS-215-2I: Citrix Virtual Apps and Desktops 7 Administration On-Premises and in Citrix Cloud

Not for resale or distribution
Table Of Contents

Module 0 - Course Overview

Module 1 - Architecture Overview
  • Introduction to Citrix Virtual Apps and Desktops
  • Architecture Overview
  • Features
  • Hosting Platform Considerations
  • Citrix Virtual Apps and Desktops Service
  • Connection Flow Process Introduction

Module 2 - Deploy the Site
  • Pre-Deployment Considerations
  • Citrix Licensing Setup
  • Delivery Controller Setup
  • Site Setup And Management
  • Redundancy Considerations
  • Lab Exercises

Module 3 - The Apps and Desktops Images
  • Consider Master Image Creation Methods
  • Master Image Requirements

Module 4 - Provision and Deliver App and Desktop Resources
  • Machine Catalogs and Delivery Groups
  • Provisioning Methods and Considerations
  • Machine Creation Services (MCS) Deep Dive
  • MCS Environment Considerations
  • Resource Locations
  • Lab Exercises

Module 5 - Provide Access to App and Desktop Resources
  • Consider Workspace Experience versus StoreFront
  • Workspace Experience User Authentication
  • Workspace app
  • Communication Flow
  • Lab Exercises

Module 6 - Manage the User Experience
  • Methods to Manage the User Experience
  • Common User Experience Settings
  • Lab Exercises

Module 7 - Published App and Desktop Presentation and Management
  • Published App Properties
  • Server OS Published App Optimizations
  • Published App Presentation
  • Application Groups
  • Apps and Desktops Presentation
  • Lab Exercises

Module 8 - Manage Printing for User Sessions
  • Map Printers to the User Session
  • Print Drivers
  • Print Environment
  • Lab Exercises

Module 9 - Citrix Profile Management
  • User Profiles Introduction and Considerations
  • Configure Citrix Profile Management
  • Lab Exercises

Module 10 - Manage the Site
  • Delegated Administration
  • Use PowerShell with Citrix Virtual Apps and Desktops
  • Power Management Considerations
  • Lab Exercise

Module 11 - Citrix Virtual Apps and Desktops Basic Security Considerations
  • Citrix Admin Security
  • XML Service Security
  • Secure HDX External Traffic
  • Lab Exercises

Module 12 - Monitor the Site
  • Citrix Director Introduction
  • Monitor and Interact With User Sessions
  • Published Apps Analysis
  • Monitor the Machines Running the VDA
  • Site Specific Common Monitoring
  • Alerts and Notifications
  • Optimize Citrix Director Monitoring
  • Lab Exercise

Module 13 - Introduction to Supporting and Troubleshooting Citrix Virtual Apps and Desktops
  • Introduction to Supporting a Citrix Virtual Apps and Desktops Site
  • A List of Common Tools
  • Proactive Administration Common Tasks

Module 14 - Migrate To Citrix Cloud
  • Migration Considerations
  • Citrix Cloud Connector Deployment
  • Citrix Virtual Apps and Desktops with an On-Premises Resource Location
  • The Migration Process

Module 15 - Citrix Analytics
  • Citrix Analytics Introduction
  • Prepare to Use Citrix Analytics
  • Types of Analytics

Citrix Virtual Apps and Desktops 7 1912 LTSR Administration On-Premise and in Citrix Cloud

Course Overview

CWS-215-2I: December 06, 2021
Lab Manual: v2.3
Module 0

© 2021 Citrix Authorized Content


Course Overview

• Explain the architecture of Citrix Virtual Apps and Desktops.
• Determine how to install and configure a Citrix Virtual Apps and Desktops Site.
• Explore the preparation considerations for the images used to host apps and desktops.
• Discuss how to provision app and desktop resources.
• Explain how to deliver and access app and desktop resources.
• Explore how to manage the user experience through Citrix policies.
• Identify published app and desktop presentation and management settings.
• Describe printing with Citrix Virtual Apps and Desktops.
• Configure Citrix Profile Management.
• Describe the common management tasks of a Citrix Virtual Apps and Desktops Site.
• Identify Citrix Virtual Apps and Desktops basic network security considerations.
• Explain monitoring and management with Citrix Director.
• Introduce supporting and troubleshooting concepts.
• Present how to migrate to Citrix Cloud.
• Explore Citrix Analytics.


Student Introduction

• Introduce yourself to the class.
• Include the following information:
  • Name and company
  • Job title
  • Job responsibility
  • Networking and virtualization experience
  • Citrix product experience
  • Class expectations


Facilities

• Review:
  • Parking and transportation information
  • Class Policies
  • Break and lunch schedules
  • Emergency contact information


Course Prerequisites

• Basic knowledge of:
  • Active Directory
  • Windows Operating Systems
  • Storage
  • Networking
• Little to no previous experience with Citrix Virtual Apps and Desktops 7

Key Notes:
• Citrix recommends completing the free Citrix Virtual Apps and Desktops 7 introduction bundle at elearning.citrix.com prior to attending this course.


Day One
Course Outline

• Module 0: Course Overview
• Module 1: Architecture Overview
• Module 2: Deploy the Site
• Module 3: The Apps and Desktops Images

Day Two
Course Outline

• Module 4: Provision and Deliver App and Desktop Resources
• Module 5: Provide Access to App and Desktop Resources
• Module 6: Manage the User Experience

Day Three
Course Outline

• Module 7: Published App and Desktop Presentation and Management
• Module 8: Manage Printing for User Sessions
• Module 9: Citrix Profile Management
• Module 10: Manage the Site

Day Four
Course Outline

• Module 10: Manage the Site (Continued)
• Module 11: Citrix Virtual Apps and Desktops Basic Security Considerations
• Module 12: Monitor the Site
• Module 13: Introduction to Supporting and Troubleshooting Citrix Virtual Apps and Desktops

Day Five
Course Outline

• Module 14: Migrate to Citrix Cloud
• Module 15: Citrix Analytics


Course Materials Introduction

• This course has the following material:
  • Student Manual
  • Lab Manual
  • Lab Environment
• Watch the Instructor demonstrate how to access the course materials and connect to the lab environment.


Lab Exercises Environment

All lab exercises are grouped and performed together per module.

Key Notes:
• There are 8 core steps to access the lab environment for this course.
• The next few slides present these steps.
• All course modules that have lab exercises will have a place marker slide that tells the student when to begin provisioning a lab.
• References for how to do this are made back here in Module 0.


Lab Exercise Access
Use the following link to access the CWS-215 labs:
https://elearning.citrix.com/#/elearning/coursequests/7/quest/64

1. Log in with your MyCitrix credentials, specifically those used to enroll in the course.
2. When the instructor tells the class to provision the labs, click the module you want to complete.
3. After clicking on a specific module, verify the requirements and click READY TO START.
4. On the next page, click START LAB.
5. Verify the 5-minute countdown timer starts and wait for the timer to go to zero.
6. If you have not done so already, ensure you have the Citrix Workspace app or Citrix Receiver installed.
7. Click OPEN LAB IN CITRIX RECEIVER to connect to the lab.
   Note: Take notice of the Lab Time counter; this will show you how much time you have left to complete the exercise.
8. Once the lab exercises are complete, click END LAB to decommission the lab.

Additional Resources:
• Lab Access URL: https://training.citrix.com/#/elearning/coursequests/7/quest/64


Lab Introduction
Citrix Cloud integration is on Day 5

• This diagram represents the lab environment for this course.
• Check connectivity to the lab environment and report any issues to the instructor.
• All lab environment details are also provided in the lab manual.

[Diagram: lab environment. Layers: User, Access, Control, Resource, Hardware. Components shown: Citrix Cloud, Internal Users, External Users, Firewall, StoreFront, Citrix Gateway, Delivery Controller, Domain Controller, SQL, License Server, Server OS, Assigned Desktop OS, Random Desktop OS. Hardware Layer: Network, WIFI, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• The course lab environment is not a production environment.
• Each VM is given enough resources to perform the lab exercises.
• There are enough lab exercises to gain valuable hands-on experience to match the lecture part of this course.
• These lab VMs are tuned to the lab manual tasks; do not deviate unless instructed to by the instructor.
• Any deviation may destabilize the lab, causing intermittent or long-term failure.
• If a lab fails, it can be reset to the beginning, but it is time consuming and requires a classroom support ticket.


Student Desktop

• Remote Desktop Connection Manager for general management
• Hyper-V Manager for virtual machine management and power operations
• System Center Virtual Machine Manager for Hypervisor management

Remote Desktop Connection Manager

• Use the Remote Desktop Connection Manager to connect to the lab virtual machines (VM).
• The connections are preconfigured.

Hyper-V Manager

• Manage virtual machines
• Power operations
• Install Operating System

System Center Virtual Machine Manager

• Manage Hyper-V clusters
• Add Networking features


Classroom Support
How do I open a Classroom Support ticket?

Printing

• You can download, save, and print electronic courseware.
• To print, click Student Resources > Courseware > Student Manual > Launch

Looking ahead – End of Course Survey
Your opinion matters!

Help shape the next course. Tell us what you liked! What can we do better?


Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Architecture Overview

Module 01

Learning Objective

• Introduce Citrix Virtual Apps and Desktops.
• Explain the architecture in Citrix Virtual Apps and Desktops.
• Identify a resource strategy for different use cases through product features.
• Identify hosting considerations.
• Explain Citrix Virtual Apps and Desktops Service in Citrix Cloud.
• Describe the Connection Flow Process.

Introduction to Citrix Virtual Apps and Desktops


What is Citrix Virtual Apps and Desktops?

The Citrix Virtual Apps and Desktops product line provides secure universal access to applications and desktops, hosted in the datacenter or in the cloud, on Windows or Linux platforms, using server or desktop operating systems to any user connecting from any device or network.

[Diagram: Apps and Desktops (Published Applications, Private Desktops, Shared Desktops) delivered to Any User, on Any Device, Anywhere, on Windows and Linux.]

Key Notes:
• This access requires software on the user device called the Citrix Workspace app (formerly known as Citrix Receiver).
• Citrix Workspace app can be downloaded both from https://www.citrix.com/downloads/workspace-app/ and from mobile App-Stores.
• Citrix Workspace app uses the Citrix connection protocol called HDX to access these apps and desktops.


What is Citrix Virtual Apps and Desktops Service?

The Citrix Virtual Apps and Desktops Service is the same product, except that customers offload the infrastructure that provides this “any user”, “any device” and “anywhere” access: most of the product installation, configuration, upgrades, and monitoring is handled through a subscribed service in Citrix Cloud.

“Service” at the end of a product name means that the product is Citrix Cloud enabled.

[Diagram: Apps and Desktops (Published Applications, Private Desktops, Shared Desktops) delivered to Any User, on Any Device, Anywhere, on Windows and Linux.]

Additional Resources:
• Citrix Online Documentation, Introduction to Citrix Virtual Apps and Desktops service: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service


Architecture Overview

Architecture Overview
By Layers

• Internal users access StoreFront directly.
• External users are proxied by Citrix Gateway.
• StoreFront presents resources available to end users.

[Diagram: architecture by layers. Layers: User, Access, Control, Resource, Hardware. Components shown: Internal Users, External Users, Firewall, StoreFront, Citrix Gateway, Delivery Controller, Domain Controller, SQL, License Server, Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC. Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• Layer Presentation:
  • External users connect through Citrix Gateway, located in a DMZ, and then are directed to StoreFront (explain that Citrix Gateway is not covered in this course, but is covered in CNS-222 “Citrix ADC 12.x Essentials and Citrix Gateway”).
  • Internal users connect directly to StoreFront.
  • StoreFront presents the resources that are available to users.
  • Resources include the desktops and apps made available through the different Feature models:
    • Published Desktops/Published Apps – Server OS
    • Assigned Desktop OS – Hosted VDI (static/persistent)
    • Random Desktop OS – Hosted VDI (random/non-persistent)
  • Delivery Controller brokers connections to desktop and app resources.
  • Citrix Workspace app must be installed on the endpoint to supply the connection to the resource.
  • Hypervisor – optional component.


User Layer
Architecture by Layers

• Citrix Workspace app running on user device and other endpoints.
• Enables on-demand access to resources made available to end user.

[Diagram: Citrix Virtual Apps and Desktops architecture by layers (User, Access, Control, Resource, Hardware).]

Key Notes:
• The User Layer groups the endpoint devices that users use to connect to the Citrix Virtual Apps and Desktops environment.
• In this layer the endpoint choices can range from small mobile devices to specialized thin clients and multifunctional devices like notebooks or PCs.
• For devices where admins/users are unable to install Citrix Workspace app, Citrix Workspace app for HTML5 can be leveraged. Remember that Citrix Workspace app for HTML5 provides a connection through an HTML5 compatible Web browser; however, it does not have all the functionality that the other Citrix Workspace app clients have.

Additional Resources:
• Citrix Workspace app download: https://www.citrix.com/downloads/workspace-app/
• Citrix Workspace app Feature Matrix: https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/citrix-workspace-app/Citrix-Workspace-app-Feature-matrix.pdf
• Citrix VDI Best Practices for Citrix XenApp and XenDesktop 7.15 LTSR, Page 45: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Access Layer
Architecture by Layers

• StoreFront authenticates internal users.
• StoreFront displays aggregated resources from multiple sources.
• Citrix Gateway authenticates and validates user’s permission to access resources.

[Diagram: Architecture by Layers, with the User, Access, Control and Resource Layers above the Hardware Layer.]

Key Notes:
• The Access Layer presents the technical component(s) that act as an intermediary between the users with their endpoints and the Citrix Virtual Apps and Desktops Site with its apps and desktops.
• Typical deployments require external users to make secure encrypted connections through an SSL VPN that supports the HDX protocol, such as a Citrix Gateway.
• Internal users may bypass the Citrix Gateway to directly access the StoreFront server.
• These two access methods are typically determined by several factors, such as the location of the users, the types of devices used for access, and company policy.



Control Layer
Architecture by Layers

• Delivery Controller makes load-balancing decisions and manages availability of devices in the resource layer.
• Delivery Controllers broker connections to resources.

[Diagram: Architecture by Layers, with the User, Access, Control and Resource Layers above the Hardware Layer.]

Key Notes:
• The Control Layer is used to group and present the core components of the Citrix Virtual Apps and Desktops implementation.
• The Delivery Controller is the central broker that handles all requests for all user sessions; this includes both apps and desktops, across Server OS and Desktop OS hosts.
• The Delivery Controller also performs load balancing on user requests for apps and desktops on Server OS hosts.
• The Citrix Virtual Apps and Desktops deployment relies on the SQL platform to host the Site database.
• The Citrix License Server centrally manages and disburses licenses for user connections.



Resource Layer
Architecture by Layers

• Applications and desktops run on hosted virtual or physical machines.
• Various levels of personalization.

[Diagram: Architecture by Layers, with the User, Access, Control and Resource Layers above the Hardware Layer.]

Key Notes:
• The Resource Layer presents all resources that authorized users can gain access to, such as:
  • Apps
  • Desktops
  • User data, like profiles and documents
• The Resource Layer is also where administrators consider how best to manage and control these resources, such as by creating policies to grant or restrict features.



Hardware Layer
Architecture by Layers

• Provides the hardware resources for the deployment.
• Influences the scalability and performance of the deployment.

[Diagram: Architecture by Layers, with the User, Access, Control and Resource Layers above the Hardware Layer.]

Key Notes:
• The Hardware Layer provides the virtual computing needed by the Access, Control and Resource Layers.
• It’s no accident that the Hardware Layer is presented beneath those three layers, as the Compute layer is the “supply channel” for the environment.
• We will expand upon the Hardware Layer in a later lesson in this module.


On-Premise vs Citrix Cloud
Customer responsibility or offload to Citrix Cloud

• For on-premise deployments, everything is the customer’s responsibility.
• For Citrix Virtual Apps and Desktops Service subscribers, the Access Layer components can be offloaded to Citrix Cloud and some of the Control Layer is offloaded to Citrix Cloud.

[Diagram: Architecture by Layers, with the User, Access, Control and Resource Layers above the Hardware Layer.]


Lesson Objective Review

Which layer does the Citrix Delivery Controller belong to?

The Control Layer

Key Notes:
• What is the role of StoreFront?
  • Enumerating, Aggregating, and Presenting Desktops and Applications
• Which Citrix infrastructure component brokers end user connections to application and desktop resources?
  • Delivery Controller


Features

Citrix Virtual Apps and Desktops Product Features and Resource Capabilities


Citrix Virtual Apps and Desktops
Features
Introduction
• Citrix Virtual Apps and Desktops provides Citrix administrators with several app and desktop delivery methods.
• Citrix administrators can tailor the method chosen to the specific use case.

[Diagram: Published Desktops: Server OS Based (Shared), Server OS Based (Not-Shared), Remote PC, Desktop OS Based (Random), Desktop OS Based (Static). Published Apps: Server OS Based (Shared), VM Hosted Apps (Desktop OS Based), URL or UNC Path.]

Key Notes:
• Citrix Virtual Apps and Desktops share a unified architecture called FlexCast Management Architecture (FMA).
• FMA's key features are the ability to manage both Server OS and Desktop OS hosts from a single Site and integrated provisioning.
• The various delivery methods are referred to as Feature (also known as FlexCast) models, such as those depicted above. Although not a comprehensive list, they are the most common.
• One of the advantages of using this FMA platform is that it enables administrators to tailor the delivery method to the business and technical requirements of the end user.

Additional Resources:
• For a complete list of features: https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-virtual-apps-and-desktops-current-release.pdf
• Citrix Virtual Apps and Desktops 7 1912 (LTSR) – Technical overview: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview.html



Server-based Published App
Server OS Applications
Description: Provides multiple application instances hosted on a single server-based operating system.

• Advantages:
  • Higher scalability.
  • Lower hardware cost per user.
  • Higher user density per physical host.
• Considerations:
  • Applications must be compatible with a multi-user, server-based operating system.
  • Users cannot customize completely.
  • A single user’s resource consumption can affect other users.

[Diagram: Users (Multiple Users) connecting to Resources (VDA).]

Key Notes:
• Published apps are managed centrally and users cannot modify the application, providing a user experience that is consistent, safe, and reliable.
• Benefits and Considerations:
  • Manageable and scalable solution within your datacenter.
  • Most cost-effective application delivery solution.
  • Users must be online to access their applications.
• Example scenario: WWLabs has identified the following requirements for its HR user group:
  • Requires access to standard Microsoft Office applications
  • Does not require personalization
  • Does not engage in resource intensive application work
• Which Feature Model(s) would be an effective solution and why?
  • Answer: Published Apps or Published Desktops.
  • Lead with Server OS apps/desktops if they meet the requirements, due to scalability and manageability.
  • Applications are Server OS and Remote Desktop Services compatible.
  • Users do not require personalization (non-persistent).
  • Users do not engage in resource intensive application work, so they do not require dedicated resource allocation.
  • The requirements do not specify whether users require a desktop feel or whether published applications would suffice, so either Server OS apps or desktops are acceptable.

Additional Resources:
• Citrix Virtual Apps published apps and desktops: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview/delivery-methods/published-apps-desktops.html


Published Content
URL or UNC
Description: Provides access to a resource path or website and appears to the user as a published application icon.

• Advantages:
  • Leverage existing internet or intranet resources.
  • Users access these resources the same as any other published application.
• Considerations:
  • The publishing process cannot use Citrix Studio; instead it requires the PowerShell SDK.

[Diagram: Users (User 1) accessing Resources: http:// website, \\ UNC path, Document Resource.]

Key Notes:
• Published content types include:
  • HTML website address
  • Document file on a web server
  • Directory on an FTP server
  • Document file on an FTP server
  • UNC directory path
  • UNC file path
• If using Citrix Virtual Apps and Desktops, then use the regular PowerShell SDK.
• If using Citrix Virtual Apps and Desktops Service, then switch to the remote PowerShell SDK.
• After publishing the content using PowerShell, it can be viewed just like any other published application in Citrix Studio.
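
As an added illustration (not part of the course material), the following PowerShell sketch publishes one content item with the on-premises SDK after checking that the location is one of the content types listed in the Key Notes above. The function names, the application name, the URL and the Delivery Group name are placeholders chosen for this example; `New-BrokerApplication -ApplicationType PublishedContent` is the Broker SDK cmdlet form used for published content.

```powershell
# Added example: publish a URL or UNC path as Published Content.
# Run where the Citrix Virtual Apps and Desktops PowerShell SDK is installed.
# For the Citrix Virtual Apps and Desktops Service, use the remote PowerShell SDK instead.
Add-PSSnapin Citrix*

# Hypothetical helper: accept only the location types the Key Notes list
# (http/https/ftp addresses and UNC directory or file paths).
function Test-PublishedContentLocation {
    param([Parameter(Mandatory)][string]$Location)

    # UNC directory or file path: \\server\share[\...]
    if ($Location -match '^\\\\[^\\/]+\\[^\\/]+') { return $true }

    $uri = $null
    if ([System.Uri]::TryCreate($Location, [System.UriKind]::Absolute, [ref]$uri)) {
        return ($uri.Scheme -in @('http', 'https', 'ftp'))
    }
    return $false
}

# Hypothetical wrapper: validate the inputs, then publish the content item.
function Publish-ContentItem {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][string]$DeliveryGroup
    )

    if (-not (Test-PublishedContentLocation -Location $Location)) {
        throw "Unsupported published content location: $Location"
    }

    # Stop early if the Delivery Group name is wrong, rather than
    # relying on the error from New-BrokerApplication.
    $group = Get-BrokerDesktopGroup -Name $DeliveryGroup -ErrorAction SilentlyContinue
    if (-not $group) {
        throw "Delivery Group not found: $DeliveryGroup"
    }

    New-BrokerApplication -ApplicationType PublishedContent `
        -CommandLineExecutable $Location `
        -Name $Name `
        -DesktopGroup $group.Name
}

# Placeholder values (constructed for this example).
Publish-ContentItem -Name 'Intranet Portal' `
    -Location 'https://intranet.example.com/' `
    -DeliveryGroup 'Example-DG'

# List what is now published as content; the same items then appear in Citrix Studio.
Get-BrokerApplication -ApplicationType PublishedContent |
    Select-Object Name, CommandLineExecutable
```

Restricting the accepted schemes in a wrapper like this keeps unexpected location strings from being published as application icons.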

Additional Resources:

• XenApp published apps and desktops (7.15 LTSR): https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/install-configure/publish-content.html
• Citrix Virtual Apps published apps and desktops (1912): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/publish-content.html


Server-based Published Desktop
(Shared)
Server OS Desktop (Multi-session OS)

Description: Provides multiple user desktops hosted on a single server-based operating system.

• Advantages:
  • Higher scalability.
  • Lower hardware cost per user.
  • Higher user density per physical host.
• Considerations:
  • Applications must be compatible with a multi-user, server-based operating system.
  • Users cannot customize completely.
  • A single user’s resource consumption can affect other users.

[Diagram: Users (Multiple Users) connecting to Resources (VDA).]

Key Notes:
• Server OS machines can run multiple desktop or application sessions from a single machine. It is considered an inexpensive server-based delivery mechanism that minimizes the cost of delivering applications to a large number of users, while providing a secure, high-definition user experience.


Additional Resources:
• XenApp published apps and desktops (7.15 LTSR): http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/delivery-methods/published-apps-desktops.html
• Citrix Virtual Apps published apps and desktops (LTSR 1912): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/delivery-methods/published-apps-desktops.html


Server-based Published Desktop
(Server VDI)
Server OS Desktops (Multi-session OS)

Description: Provides a single desktop operating system to each user from a Server OS machine.

• Advantages:
  • Dedicated resource allocation per user.
  • Ability to install applications.
  • Complete customization, personalization, and persistence.
• Considerations:
  • Higher cost per physical host.
  • Lower user density per physical host.
  • Increased management and operational overhead.
  • Requires additional backup strategy.

[Diagram: Users (User 1) connecting to Resources (VDA).]

Key Notes:
• Use Server OS machines to deliver VDI desktops.
• Server VDI desktops are hosted on virtual machines and provide each user with a Server operating system.
• Server VDI desktops can use the Enhanced Desktop Experience Citrix policy setting to make this server operating system look like a desktop operating system.
• Server VDI is a limited use case feature, typically used for engineers or designers that require a more powerful platform than a regular Desktop operating system.
• Once the Server machine is configured for VDI, it cannot be used to host published applications, because it is a 1:1 ratio of users to desktop.
• The Server machine must be prepared to install and configure Server VDI. A high-level overview of the preparation steps is as follows:
  1. Remove Remote Desktop Services.
  2. Install the VDA using CLI in “quiet” mode with “servervdi” options.
  3. Create the machine catalog.
  4. Create the Delivery Group.

Additional Resources:
• Server VDI Desktops:
  • 7.15 LTSR: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/delivery-methods/vdi-desktops.html
  • Server VDI: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/server-vdi.html
  • VDI desktops: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/delivery-methods/vdi-desktops.html


VDI (Random/non-persistent)
Desktop OS Desktops (Single-session OS)
Description: Provides a single desktop operating system to each user randomly.

• Advantages:
  • Dedicated resource allocation per user.
  • Able to use single-image management.
• Considerations:
  • Higher cost per physical host.
  • Lower user density per physical host.
  • Limited user personalization.

[Diagram: Users (User 1, User 2), each connecting to a VDA under Resources.]

Key Notes:
• Use Desktop OS machines to deliver VDI desktops.
• VDI desktops are hosted on virtual machines and provide each user with a desktop operating system.
• VDI desktops require more resources than Hosted Shared Desktops, but do not require that applications installed on them support server-based operating systems. Additionally, depending on the type of VDI desktop you choose, the desktop can be assigned to individual users and allow these users a high degree of personalization.
• Considerations:
  • 1:1 ratio of users to desktop; at logon, the user is randomly assigned a desktop. After logging off, changes are discarded and the VM returns to the pool for another user.
  • A user’s resource consumption or action is less likely to affect other users, making it a good use case for those who require a higher level of performance due to resource intensive application work.
  • The overhead of running a complete operating system per user requires more resources on hypervisors.
  • Hosted VDI models also offer the option of dramatically accelerating graphically intensive applications by providing GPUs (or vGPUs) to the VM.
• Example Scenario: WWLabs has identified the following requirements for its Technician user group:
  • Applications are not multi-user compatible
  • Does not require ability to install applications
  • Engages in resource intensive work
• Which Feature Model(s) would be an effective solution and why?
  • Answer: Hosted VDI (random/non-persistent)
  • Applications need to be installed on Desktop OS.
  • No installation of applications means persistence is not required.
  • 1:1 ratio of user desktops means that a user’s resource intensive work will not affect others.

Additional Resources:
• VDI Desktops:
  • 7.15 LTSR: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/delivery-methods/vdi-desktops.html
  • Current release: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview/delivery-methods/vdi-desktops.html
  • VDI desktops: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/delivery-methods/vdi-desktops.html


VDI (Static/Persistent)
Desktop OS Desktops (Single-session OS)

Description: Provides a single desktop operating system to each user that is permanently assigned.

• Advantages:
  • Dedicated resource allocation per user.
  • Ability to install applications.
  • Complete customization, personalization, and persistence.
• Considerations:
  • Higher cost per physical host.
  • Lower user density per physical host.
  • Increased management and operational overhead.
  • Requires additional backup strategy.

[Diagram: Users (User 1, User 2), each connecting to a VDA under Resources.]

Key Notes:
• The first time a user logs on to use one of these desktops, the user is assigned a desktop from a pool of desktops based on a single master image. After the first use, the user will subsequently connect to the same desktop that was initially assigned. Changes to the desktop are not lost when the machine reboots.
• Considerations:
  • 1:1 ratio of users to desktop; the user is assigned the same desktop on each subsequent logon; changes persist and are not discarded on logoff.
  • A user’s resource consumption or actions are less likely to affect other users, making it a good use case for those who require a higher level of performance due to resource intensive application work.
• Example Scenario: WWLabs has identified the following requirements for its Engineer user group:
  • Requires ability to install applications
  • Requires personalization and elevated administrator rights
  • Engages in resource intensive work
• Which Feature Model(s) would be an effective solution and why?
  • Answer: Hosted VDI (Static/persistent)
  • Users need to install applications and have them persist.
  • 1:1 ratio of user to desktops means that a user’s resource intensive work and use of elevated admin rights will not affect others.

Additional Resources:
• VDI Desktops:
  • 7.15 LTSR: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/delivery-methods/vdi-desktops.html
  • VDI desktops: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/delivery-methods/vdi-desktops.html


Remote PC
Desktop OS Desktop

Description: Provides access to a physical desktop already deployed.

• Advantages:
  • Leverage existing physical desktop investment.
  • Lower total cost of ownership.
• Considerations:
  • Increased management and operational overhead.
  • Requires additional backup strategy.

[Diagram: Users (User 1) connecting to Resources (PC Desktop).]

Key Notes:
• Remote PC Access allows an end user to log on remotely from virtually anywhere to the physical Windows PC in the office. The Virtual Delivery Agent (VDA) is installed on the office PC; it registers with the Delivery Controller and manages the HDX connection between the PC and the end user client devices.
• Remote PC Access supports a self-service model; after you set up the whitelist of machines that users are permitted to access, those users can join their office PCs to a Site themselves, without administrator intervention. The Citrix Workspace app running on their client device enables access to the applications and data on the office PC from the Remote PC Access desktop session.
• Remote PC is a great solution for customers that have a great workstation design with a backup solution already in place. These customers would not need to build out additional server infrastructure to get many of the same benefits.
• Remote PC can be a great stop-gap where customers can get benefits quickly while the Citrix Virtual Apps and Desktops solution is being developed.
• Example Scenario: WWLabs has identified the following requirements for its Designer user group:
  • Needs to leverage existing physical corporate desktops
  • Requires remote access to their applications as soon as possible
  • Engages in resource intensive work
• Which Feature Model(s) would be an effective solution and why?
  • Answer: Remote PC
  • Physical desktops that have already been deployed.
  • Quicker time to value.
  • 1:1 ratio of user to desktops means that a user’s resource intensive work will not affect others.

Additional Resources:
• Remote PC Access:
  • Remote PC Access 7.15 LTSR: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/install-configure/remote-pc-access.html
  • Current Release: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/remote-pc-access.html


VM Hosted Applications
Desktop OS Applications

Description: Provides an application instance on a single desktop operating system.

• Advantages:
  • Deliver hosted applications only compatible with Desktop OS.
  • Deliver 16-bit applications.
• Considerations:
  • Higher hardware cost per user.
  • Lower user density per physical host.

[Diagram: Users (User 1, User 2), each connecting to a VDA under Resources.]

Key Notes:
• Applications and desktops on the master image are securely managed, hosted, and run on machines within your datacenter, providing a more cost effective application delivery solution.
• Considerations:
  • 1:1 ratio of users to desktop for user to access a hosted Desktop OS application.
  • It is not highly scalable, as it requires a desktop for each user for a single application.


Additional Resources:
• VM hosted apps:
  • 7.15 LTSR: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/delivery-methods/vm-hosted-apps.html
  • Current Release: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/delivery-methods/vm-hosted-apps.html


User Segmentation Process
Identifying use cases to assign Features

• Assess business and technical needs of user population
• Segment into user groups based on common requirements:
  • End user location
  • Mobility
  • Security
  • Personalization, customization, ability to install applications
  • Application set and application usage
  • Desktop loss criticality
• User groups typically map to a role within a department

[Diagram: Assess user population. A User Population (User 1 to User 6) passes through User Assessment – Use Cases and is segmented into User Group 1 (User 1, User 4), User Group 2 (User 2, User 5) and User Group 3 (User 3, User 6).]

Key Notes:
• The diagram depicts the assessment and segmentation of users into groups based on the following criteria: graphic intensive apps, CPU-intensive application work, high-security requirements, and printing requirements.
• It is important to the success of the deployment to understand the user requirements and tailor the solution to their specific needs, as this can impact user acceptance and project costs.
• You need to define user groups based on shared common characteristics in order to assign the Feature model that effectively addresses the requirements of the user group.
• Mobility – understand where the user is connecting from (network speeds, network security, etc.) and how frequently the user is roaming.
• Security – lockdown, audit requirements.
• Personalization – assess if the user requires additional personalization that cannot be provided by roaming profiles. Determine if the user needs the ability to install apps themselves, or if the admin should install any additional apps required by the user.
• Application set/application usage – common applications required; how resource intensive the application work is that users are doing.
• You need an understanding of how users are using applications; there is not always a clear mapping between app and workload.
• E.g. Excel for one user may be a light workload, while another user who is running reports with thousands of data sets is a heavy workload.
• Desktop loss criticality – understand the impact to revenue, projects, and product if the user is unable to access resources.
• User segmentation is also important for understanding policies that may need to be applied.



Features Strategy Assignment
Assigning Features

• Tailor the delivery method to the business and technical needs based on the assessment of a user group.
• Lead with scalable, lower cost and higher user density options.
• Determine if user groups will require an additional backup strategy.

[Diagram: Feature Model Comparison. Axes: Management and Infrastructure Cost, End User Flexibility. Models shown: Published Apps, Published Desktop, Hosted VDI (Random/non-persistent), Hosted VDI (Static/persistent).]

Key Notes:
• As with physical desktops, it is not possible to meet every user requirement with a single Feature model. Different types of users need different types of resources. Some users may require simplicity and standardization, while others may require high levels of performance and personalization. Implementing a single Feature model across an entire organization will inevitably lead to user frustration and reduced productivity.
• The Citrix Virtual Apps and Desktops features offer a complete set of application and desktop virtualization technologies that have been combined into a single integrated solution. Because each Feature (formerly known as FlexCast) model has different advantages and disadvantages, it is important that the right model is chosen for each user group within the organization.
• There are six feature models available; the advantages and disadvantages of each model are described below:
  • Published Apps – The Hosted Apps model utilizes a server-based Windows operating system, where only the application interface is seen by the user. This approach provides a seamless way for organizations to deliver a centrally managed and hosted application into the user’s local PC. The Windows app model is often utilized when organizations must simplify management of a few line-of-business applications.
  • Published Desktop – With the published desktop model, multiple user desktops are hosted from a single, server-based operating system (Windows 2008, 2012, 2016, Red Hat, SUSE, CentOS). The shared desktop model provides a low-cost, high-density solution; however, applications must be compatible with a multi-user server-based operating system. In addition, because multiple users share a single operating system instance, users are restricted from performing actions that negatively impact other users, for example installing applications, changing system settings and restarting the operating system.
  • Hosted VDI (Random/non-persistent) – The Hosted VDI (random/non-persistent) desktop model provides each user with a random, temporary desktop operating system. Because each user receives their own instance of an operating system, overall hypervisor density is lower when compared to the published desktop model. However, pooled desktops remove the requirement that applications must be multi-user aware and support server-based operating systems.
  • Hosted VDI (Static/persistent) – This model provides each user with a statically assigned, customizable, persistent desktop operating system. Because each user receives their own instance of an operating system, overall hypervisor density is lower when compared to the published desktop model. However, personal desktops remove the requirement that applications must be multi-user aware and support server-based operating systems.
  • Remote PC – The remote PC access desktop model provides a user with secure remote access to their statically assigned, traditional PC. This is often the fastest and easiest VDI model to deploy as it utilizes already deployed desktop PCs.
  • VM-hosted applications – Similar to published apps, the main difference being that the apps are hosted on a desktop operating system. This approach can be used when the seamless app approach is desired, but the application is not compatible with a multi-user Server OS machine. Because each application session is hosted by its own instance of an operating system, overall hypervisor density is lower when compared to the published apps model.
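
The assignment guidance in this lesson and the four WWLabs scenarios can be combined into one decision function. The PowerShell below is an added example, not part of the course material; `Select-FeatureModel` and its parameter names are hypothetical and belong to no Citrix SDK, and the order of the checks is this example's reading of "lead with scalable, lower cost and higher user density options".

```powershell
# Added example: map a user group's assessed requirements to Feature models.
# Function and parameter names are hypothetical, not part of any Citrix SDK.
function Select-FeatureModel {
    [CmdletBinding()]
    param(
        [bool]$HasDeployedPhysicalPC = $false,      # existing office PCs to reuse
        [bool]$AppsMultiUserCompatible = $true,     # apps run on a multi-user Server OS
        [bool]$NeedsPersistence = $false,           # install apps, personalization, admin rights
        [bool]$ResourceIntensive = $false,          # heavy work that could affect other users
        [Nullable[bool]]$NeedsFullDesktop = $null   # $null = not stated in the assessment
    )

    # Already deployed physical desktops: reuse them through Remote PC.
    if ($HasDeployedPhysicalPC) { return @('Remote PC') }

    # Installed applications and changes must survive logoff: permanently assigned desktop.
    if ($NeedsPersistence) { return @('Hosted VDI (Static/persistent)') }

    # Apps that cannot share a Server OS, or heavy workloads, get a 1:1 Desktop OS machine.
    if (-not $AppsMultiUserCompatible -or $ResourceIntensive) {
        if ($NeedsFullDesktop -eq $false) { return @('VM Hosted Apps') }
        return @('Hosted VDI (Random/non-persistent)')
    }

    # Everything else: shared Server OS delivery, the highest-density option.
    if ($NeedsFullDesktop -eq $true)  { return @('Published Desktop') }
    if ($NeedsFullDesktop -eq $false) { return @('Published Apps') }
    return @('Published Apps', 'Published Desktop')
}

# The four WWLabs user groups from this lesson, expressed as requirement sets.
$groups = [ordered]@{
    'HR'         = @{ AppsMultiUserCompatible = $true }
    'Technician' = @{ AppsMultiUserCompatible = $false; ResourceIntensive = $true }
    'Engineer'   = @{ NeedsPersistence = $true; ResourceIntensive = $true }
    'Designer'   = @{ HasDeployedPhysicalPC = $true; ResourceIntensive = $true }
}

foreach ($name in $groups.Keys) {
    $req = $groups[$name]
    $models = Select-FeatureModel @req
    '{0,-10} -> {1}' -f $name, ($models -join ' or ')
}
```

Server VDI is left out of the function because the notes describe it as a limited use case feature.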

Additional Resources:
• Citrix VDI Best Practices for Citrix XenApp and XenDesktop 7.15 LTSR: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Lesson Objective Review

Which features of Citrix Virtual Apps and Desktops support a 1:1 ratio of users to machines?

• Desktop OS-based VDI
• Server OS-based VDI


Hosting Platform Considerations

Citrix Virtual Apps and Desktops Architecture By Layers


Hosting Transition
Data Center Evolution

• Running on physical machines: Several versions ago, admins would typically deploy physical single unit servers to host their Citrix workloads.
• Using virtual machines: Since Citrix XenApp 6, the industry has been focusing on virtualizing their Citrix workloads, which is still considered a leading practice.
• Full cloud deployment: Mixed environments, including hybrid cloud approaches. Currently, the trend is moving towards leveraging the cloud.

[Diagram: Physical Servers, Hypervisors.]

Key Notes:
• In the 1990s and up to the mid-2000s, Citrix was typically deployed on hardware.
• In the mid-2000s, the focus shifted towards virtual Citrix environments.
• Today the focus is on cloud deployments, either full or hybrid.


Cloud Considerations

What if:

• Operating a datacenter is too costly?
• A state-of-the-art security standard is hard to implement in the datacenter?
• The datacenter itself has no redundancy?
• The datacenter needs additional capacity?
• More flexibility is needed within the datacenter?

Key Notes:
• Citrix Cloud simplifies the management of virtual applications, desktops, mobile devices, and data sharing with its cloud-
based management platform. You can choose whether you put your resources (hypervisors, VDAs, and StoreFront
servers, for example) on premises or in a private or public cloud.
• The biggest drivers for moving to the cloud are flexibility, redundancy, and scalability.
• Citrix Virtual Apps and Desktops supports on premises, hybrid cloud solutions and full cloud deployments.



Additional Resources:
• Citrix Workspace Cloud Apps and Desktop Services for New Customers Reference Architecture: https://docs.citrix.com/en-us/citrix-cloud/downloads/workspace-cloud-apps-desktop-services-for-new-customers-reference-architecture.pdf


Hosting Platform Options
By Layers

• On-Premises
• Service Provider
• Cloud Hosted
• Citrix Cloud Hosted

[Diagram: architecture by layers. User Layer: Internal Users, External Users. Access Layer: StoreFront, Citrix Gateway, Firewall. Control Layer: Delivery Controller, Domain Controller, SQL, License Server. Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC. Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]


Hosting Platform: On-Premises
By Layers

• The Citrix administrator team manages every aspect of the deployment:
• infrastructure
• rights assignments
• resources and hardware.

[Diagram: architecture by layers (User, Access, Control, Resource and Hardware Layers).]

Key Notes:
• This model offers complete control over every aspect of the deployment, including choice of the hardware manufacturer. It
also comes with complete responsibility for designing and operating security, climate control, backup, maintenance and
updates.
• A typical on-premises configuration consists of one or more Delivery Controllers. For customers looking to use Citrix Cloud
and have Citrix host the Delivery Controller, consider the following needs:
• All current Delivery Controllers that are on premises need to use the “ListOfDDCs” option for those VDAs to remain on premises. Otherwise, move the VDAs you want to use with Citrix Cloud into a different OU and change the “ListOfDDCs” option. Currently, there is no support for adding both an on-premises Delivery Controller and Citrix Cloud Connector system to the “ListOfDDCs” in the same OU.
• You need to configure one or more systems with Internet access to host the Citrix Cloud Connector, which is installed on these systems to host multiple services.
• Citrix Cloud Connector requires Windows Server 2012 R2 or newer.
• Port 443 outbound is required to be open and used by the Citrix Cloud Connector system. The Citrix Cloud Connector system will also support the use of IE proxy settings configured for outbound connections. For proxy support, see https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/technical-details.html
• The Citrix Cloud Connector enables access to:
• On-premises Active Directory, and provides Protocol Proxy for all STA\NFuse connectivity.
• Other services such as Citrix Endpoint Management, Citrix Content Collaboration, Networking, Monitoring, and Lifecycle Management, which can be added at a later time.
• The Citrix Cloud Connector supports multiple AD forests. Windows 2003 and later are supported for AD forest.

Citrix Hypervisor is included in Citrix Virtual Apps and Desktops.

Enterprise features:
• Automated Windows VM Driver Updates
• Automatic updating of the Management Agent
• Support for SMB storage
• Direct Inspect APIs
• Dynamic Workload Balancing
• GPU Virtualization with NVIDIA GRID and Intel GVT-g
• VMware vSphere to Citrix Hypervisor Conversion utilities
• Intel Secure Measured Boot (TXT)
• Export Pool Resource Data
• In-memory read caching

Additional Resources:

• Citrix Workspace Cloud Apps and Desktop Service with an on-Premises Resource Reference Architecture: https://docs.citrix.com/en-us/citrix-cloud/downloads/workspace-cloud-apps-desktop-service-on-premises-resource-reference-architecture.pdf


Hosting Platform: Service Provider
By Layers

• The Citrix administrator team allows a third party to manage everything for them.
• The machines are usually hosted in dedicated or shared datacenters of the third party.

[Diagram: architecture by layers (User, Access, Control, Resource and Hardware Layers).]


Hosting Platform: Cloud Hosted
By Layers

• The Citrix administrator team allows a third party to manage the hardware, for example:
• Microsoft Azure, Azure Resource Manager or Amazon AWS.

[Diagram: architecture by layers (User, Access, Control, Resource and Hardware Layers).]

Key Notes:
• Simplify cloud adoption:
• Ensure a smooth and secure transition when migrating environments to the public cloud.
• Expand capacity quickly and with less capital cost.
• Manage hybrid and multi-cloud environments:
• Leverage a common management plane across all Citrix environments.
• Use multiple disaster recovery locations or manage multiple sites and/or clouds.



• Speed time-to-value:
• Quickly establish new sites and offices.
• Rapidly set up test environments and proof-of-concepts.
• Starting with version 7.11, Azure ARM is now supported.

Additional Resources:
• Citrix Cloud Overview: https://www.citrix.com/products/citrix-cloud/



Hosting Platform: Citrix Cloud
By Layers

• The Citrix administrator team allows Citrix to manage the necessary infrastructure of the site.
• The applications and desktops can remain on premises in a private datacenter or hosted in a public cloud of your choosing.

[Diagram: architecture by layers (User, Access, Control, Resource and Hardware Layers), with parts marked "Citrix Cloud" and "Optional Citrix Cloud".]

Key Notes:
• Explain that new versions of the software in use will automatically be provided for Citrix-managed machines, while on
premise machines need to be maintained and updated manually.
• Choice - Host your apps and data on any cloud or virtualization platform as well as across multiple locations.
• Security - Citrix Cloud doesn’t handle your apps and data – you control where they reside.
• Experience - An intuitive admin experience keeps management simple, while award-winning Citrix HDX technology
delights end users.



Additional Resources:
• Citrix Cloud Overview: https://www.citrix.com/products/citrix-cloud/



Citrix Virtual Apps and Desktops Hosting Platforms Overview

Citrix Virtual Apps and Desktops supports deployment across the following platforms:

• Microsoft Azure Resource Manager
• Citrix Hypervisor (aka XenServer)
• VMware vSphere (vCenter + ESXi)
• Microsoft System Center Virtual Machine Manager
• Amazon Web Services (AWS)
• Nutanix Acropolis
• Oracle Cloud Infrastructure (OCI)


Architecture Layers
The Citrix Cloud Approach

Citrix Cloud Hosted Layers:
• Access Layer
• Control Layer

On-Premise or Public Cloud Hosted Layers:
• User Layer
• Access Layer
• Control Layer
• Resource Layer

Key Notes:
• Citrix Cloud does not host the Resource Layer.
• The Resource Layer, containing desktops and apps, can be on-premise or in a public cloud, as per customer needs.
• Citrix Cloud provides the Control Layer and also gives the option to have the Access Layer maintained in Citrix Cloud.

Additional Resources:

• Citrix Workspace Cloud Apps and Desktop Service with an on-Premises Resource Reference Architecture: https://docs.citrix.com/en-us/citrix-cloud/downloads/workspace-cloud-apps-desktop-service-on-premises-resource-reference-architecture.pdf
• Citrix Cloud Overview: https://www.citrix.com/products/citrix-cloud/
• Citrix Workspace Cloud Apps and Desktops Services for New Customers Reference Architecture: https://docs.citrix.com/en-us/citrix-cloud/downloads/workspace-cloud-apps-desktop-services-for-new-customers-reference-architecture.pdf


Lesson Objective Review

The CTO has decided to prioritize the Citrix Apps and Desktops deployment and keep the environment up to date to the latest version. What is the least administrative effort to keep the deployment up-to-date?

Migrate to Citrix Cloud, because new versions of Citrix Virtual Apps and Desktops are automatically installed in the Citrix Cloud subscribed Citrix Virtual Apps and Desktops Service.


Citrix Virtual Apps and Desktops Service

• Introduction To Citrix Cloud


Citrix Cloud Overview of Available Services

[Slide graphic: the available Citrix Cloud services grouped under the headings Workspaces, Virtual Apps & Desktops, Endpoint Management, Content Collaboration, Networking, Analytics, and For Service Providers. Entries legible in the graphic include Citrix Workspace, Secure Browser Service, Virtual Apps Essentials Service, Virtual Desktops Essentials Service, Citrix Gateway* Service, Citrix Web App Firewall Service, SD-WAN, Citrix Analytics, Citrix Application Delivery Management Service and License Usage Insights Service.]

*Only ICA Proxy included. Full ADC (NetScaler) Service features available as a separate purchase.

Key Notes:
• Citrix Workspace is a combination of the following services:
• Virtual Apps and Virtual Desktops
• Citrix Endpoint Management Premium Service
• Citrix Content Collaboration Advanced Service
• Citrix Gateway with ICA proxy Includes XA/XD Service, Citrix Endpoint Management Premium Service, Citrix Content
Collaboration Advanced Service and Citrix Gateway.

• Citrix Virtual Apps and Desktops Service:
• The common use cases for both Citrix Virtual Apps and Desktops Service are the same as the on-premises versions. However, the cloud-based service is simpler in terms of deployment and management for the customer.
• On-premises customers can convert existing Virtual Apps/Virtual Desktops concurrent or user/device licenses to the Virtual Apps/Desktops service offering.
• Citrix Virtual Apps and Desktops Service is licensed on a per-user basis. The on-premises user/device (U/D) or concurrent user (CCU) licensing options are not available for Cloud Services.
• Citrix Virtual Apps and Desktops Service: Deliver secure access to virtual Windows, Linux, and web apps and desktops. Manage apps and desktops centrally across multiple resource locations while maintaining a great end user experience.
• Secure Browser Standard: Protect the corporate network from browser-based attacks by isolating web browsing activities. IT administrators can offer users safe internet access without sacrificing security by delivering consistent, secure remote access to internet hosted web applications on public cloud infrastructure with zero end-point configuration.
• Virtual Apps Essentials: Easily and securely deliver Windows apps in the Azure Cloud to any device. Purchased on the Azure Marketplace.
• Virtual Desktops Essentials: Accelerate Windows 10 Enterprise migration with the power of Citrix Virtual Desktops and Microsoft Azure. Purchased on the Azure Marketplace.
• Citrix Endpoint Management Service
• The benefits of Citrix Endpoint Management as a Service are quicker time to value, as users are productive sooner as a result of faster deployment and access to new productivity application features and platform updates.
• Citrix Endpoint Management: Provide cloud-based, comprehensive enterprise mobility management, including mobile device management (MDM), mobile application management (MAM), and enterprise-grade productivity apps, on BYO or corporate devices.
• Citrix Content Collaboration Service
• Citrix Content Collaboration is a feature-rich, cloud-based file sharing and enterprise collaboration service.
• Citrix Content Collaboration: Provide secure access to files and data from any device, across any infrastructure. Control how and where you store your data while meeting mobility and collaboration needs of employees and the data security requirements of the enterprise.
• Citrix Networking
• A number of unique advantages exist for Citrix Gateway Standard Service over on-premises implementations, such as availability across 12 regions, removing the need to manage global server load balancing.
• Citrix Gateway: Utilize the most secure way to deliver virtual apps and desktops with a cloud-based offering that is simple to deploy and manage. Ensure the availability of Virtual Apps and Desktops and provide the best user experience on any device, under any network condition.
• Citrix Web App Firewall Service: Protect web applications and infrastructure from cyber-attacks using security tools like signatures, blacklisted and whitelisted URLs/applications, and IP Reputation. Keep historical retention capabilities for easy operations and incident analysis.
• Citrix Analytics
• The Application Delivery Management is a cloud-based management, monitoring, automation and analytics service which provides end-to-end visibility and control of application infrastructure deployed on-premises or in public clouds.
• Citrix Application Delivery Management Service: Gain end-to-end visibility and control of your application infrastructure across multiple clouds. Using application and network data, easily view summaries and detailed analytics to allow for faster troubleshooting, proactive performance management, and security-threat management.


Citrix Cloud Service Example: Citrix Virtual Apps and Desktops Service
Entitlements and Licensing

Minimum purchase: 25 subscribers or devices
Subscriptions compared: Virtual Desktop Service Subscription; Virtual Apps and Virtual Desktops Subscription

Services Included:
• Citrix Virtual Apps and Desktops
• Desktop Delivery ✓ ✓
• App Delivery ✓
• Multiple resource locations ✓
• Smart Tools
• Smart Build ✓ ✓
• Smart Migrate ✓ ✓
• Smart Scale ✓ ✓
• Smart Check ✓ ✓

ADD-ON SERVICE
• Citrix Gateway ICA/HDX Proxy: 1 Gbps data per user per month (under each subscription)

Key Notes:
• Be aware that Citrix Cloud is under constant development and evolvement. To understand the latest features and benefits,
refer to the link below.
• Server VDI is supported in Virtual Desktop Service.
• Citrix will not actively deny access for a user when the bandwidth restrictions are met for Citrix Gateway, but will contact the customer and offer an extra 300 GB of data transfer for purchase.


Additional Resources:
• Subscriptions to meet your needs - https://www.citrix.com/products/citrix-workspace



Citrix Cloud Service Example: Workspace Service
Entitlements and Licensing

Minimum purchase: 25 subscribers or devices

Services Included, Citrix Workspace Subscription:
• Citrix Virtual Apps and Desktops
• Desktop Delivery ✓
• App Delivery ✓
• Multiple resource locations ✓
• Citrix Endpoint Management Premium Service
• Mobile Device Management ✓
• Mobile App Management ✓
• Mobile Productivity Apps ✓
• Citrix Content Collaboration
• Storage Zone Connectors ✓
• Bring-your-own storage ✓
• 1 GB file sharing data per user ✓
• Citrix Gateway
• 1 Gbps data per user per month ✓

Key Notes:
• Citrix Workspace is the Citrix Cloud version of Workspace Suite. It includes Citrix Virtual Apps and Desktops, Citrix
Endpoint Management and Citrix Content Collaboration as a hosted service.
• Be aware that Citrix Cloud is under constant development and evolvement. To understand the latest features and benefits,
refer to the link below.
• Citrix will not actively deny access for a user when the bandwidth restrictions are met for Citrix Gateway, but will contact the customer and offer an extra 300 GB of data transfer for purchase.


Additional Resources:
• Subscriptions to meet your needs - https://www.citrix.com/products/citrix-cloud/subscriptions.html



Citrix Cloud Service Example: Citrix Secure Browser Service
Entitlements and Licensing

Minimum purchase: 50 subscribers or devices

Services Included, Secure Browser Subscription:
• Secure Browser Service
• Isolated, Cloud Hosted Browser ✓
• Includes Cloud IaaS for Browser ✓
• StoreFront Integration ✓
• 5000 hours of secure browsing per organization
• 1000 hour add-on pack: Add-on available

Key Notes:
• Be aware that Citrix Cloud is under constant development and evolvement. To understand the latest features and benefits,
refer to the link below.

Additional Resources:
• Subscriptions to meet your needs - https://www.citrix.com/products/citrix-cloud/subscriptions.html



Citrix Cloud Service Examples: Citrix ADC Services

• Citrix Gateway: Secure Access and Identity Management
• Citrix Application Delivery Management: Centralized management, analytics, & provisioning of Citrix ADC infrastructure
• Citrix Web App Firewall: Web App firewall to protect against application layer web attacks

Key Notes:
• Citrix Application Delivery Management provides the following benefits:
• Agile – Easy to operate, update, and consume. The service model of Citrix Application Delivery Management is available over the cloud, making it easy to operate, update, and use the features provided by Citrix Application Delivery Management. The frequency of updates, combined with the automated update feature, quickly enhances your Citrix ADC deployment.
• Faster time to value – Quicker business goals achievement. Unlike with the traditional on-premises deployment, you can use your Citrix Application Delivery Management with a few clicks. You not only save the installation and configuration time, but also avoid wasting time and resources on potential errors.
• Multi-Site Management – Single Pane of Glass for instances across Multi-Site data centers. With the Citrix Application Delivery Management, you can manage and monitor Citrix ADCs that are in various types of deployments. You have one-stop management for Citrix ADCs deployed on premises and in the cloud.
• Operational Efficiency – Optimized and automated way to achieve higher operational productivity. With the Citrix Application Delivery Management, your operational costs are reduced by saving your time, money, and resources on maintaining and upgrading the traditional hardware deployments.

Additional Resources:
• Citrix Application Delivery Management: https://www.citrix.com/products/citrix-cloud/services.html
• Citrix Application Delivery Management 12.1: https://docs.citrix.com/en-us/citrix-application-delivery-management-software/12-1.html
• Citrix Application Delivery Management Features and Solutions: https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/overview/features.html


Citrix Cloud Labs
Services

Key Notes:
• Linux VDA Image Service:
• Use this Citrix-prepared CentOS Linux VDA base image to quickly provision an entire machine catalog for the Citrix
Virtual Apps and Desktops onto a Microsoft Azure resource location – avoiding the hassle of installing dozens of open-
source Linux packages by hand. By hosting an MCS-ready golden master VDA, this Citrix Cloud service allows
administrators to jump-start their Linux VDA deployment onto Azure with the peace of mind of starting from a “Citrix
validated” image.

• Session Manager dramatically reduces app launch times:
• The new Session Manager lab improves application launch performance by pre-launching anonymous sessions when using the Citrix Cloud Virtual Apps and Desktops. This is particularly useful during “logon storms,” such as at the beginning of the workday or at shift changes, and in healthcare environments where rapid access to applications is critical.
• Leverage a powerful, user-friendly tool for workspace automation:
• Citrix Provisioning for Microsoft Office 365:
• Assign Microsoft Office 365 subscription licenses alongside other Citrix apps and services. Simplify user management and assignment with centralized access control. Citrix Provisioning for Microsoft Office 365 also provides license consumption and verification to simplify administration.

Additional Resources:
• Explore new services in Citrix Cloud Labs - https://www.citrix.com/products/citrix-cloud/labs.html


Citrix Cloud Access

[Screenshots: Create a Trial Account; Enable a New Service]

Key Notes:
• It’s free and fast to create a Citrix Cloud account.
• When you log on with your new Citrix Cloud account, you will not have access to any services but you will have the
ability to request trials of different services.
• When requesting a trial for Citrix Virtual Apps and Desktops Service, the request is evaluated by the Citrix Cloud team
for business potential.
• If you create your Citrix Cloud account using a personal email account and do not provide any customer information, your Citrix Virtual Apps and Desktops Service trial will probably never be granted.
• You do not need to create a trial account for this class. An account has already been provisioned for use during class.


Service Levels
Availability:
Status.Cloud.com

• Citrix’s goal is that in any 30 calendar day period 99.9% of the time users can access their app or desktop session through the Service.

Key Notes:
• It is important to understand that 99.9% uptime is a goal and not an SLA.
• Citrix hosts all Cloud Solutions within a public cloud; no public cloud vendors will sign an official service level agreement, so Citrix cannot provide a legal SLA either.
• Limitation examples:
• Customer failure to follow configuration requirements for the service.
• Customer controlled physical and virtual machines.
• Customer installed and maintained operating systems.
• Customer installed and controlled networking equipment or other hardware.
• Customer defined and controlled security settings, group policies and other configuration policies.
• Public cloud provider failures, Internet Service Provider failures or other failures external to Citrix’s control.
• Service disruption due to reasons beyond Citrix’s control, including natural disaster, war or acts of terrorism, government action.
• The screenshot presents each Citrix Cloud Service and the status of those services for each day it has been in operation.

Additional Resources:
• About the Citrix Virtual Apps and Desktops Service: https://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service.html#service-level-goal
• Citrix Cloud Status: http://status.cloud.com/


Citrix Cloud
Locations

• Choose a region when signing in for the first time.
• US and EMEA available now.
• The region cannot be changed later.
• Only one region is supported per subscription.

Key Notes:
• All services are available in all regions. Certain services, like Citrix Virtual Apps and Desktops, have dedicated regional
instances. However, some services are only US based.
• Where a service uses a region that is different from the one you selected for your organization, certain information (such
as authentication data) may be transferred between regions as needed.
• Where a service is globally replicated, all data in that service is stored in all regions.
• Your region is where certain metadata is stored about your environment. For example:

• Citrix Cloud administrator details, including the name, username, and password.
• Data resulting from traffic directed through your region by any Citrix Cloud Connectors you install. For example, any authentication data using your domain controllers (whether managed on your premises or through your subscription with a public cloud vendor) stays in your region.
• Data used to map users to library offerings. For example, if you add Microsoft Office to your library as an offering for your users, and then add five users to that offering as subscribers, the data linking each user to that offering (such as user name and domain name) is stored in your region.
• Data about users for any services available in your region. For example, if you use the Citrix Endpoint Management in your region, data such as name, address, and telephone number is stored there.
• If your organization is not located in any of the supported regions, you can simply pick the region that is either closest to the majority of your users or that provides the best controls for protecting the integrity of your data.
• It is not possible to change the region after a customer account has been created; instead, a customer must stand up a new account and subscription in another region and manually migrate settings, Catalogs, Delivery Groups, etc.
• A single account cannot have a presence in both locations at a time. If an organization wants a presence in both the USA and the EU, they must create two Cloud accounts and subscribe to the Citrix Virtual Apps and Desktops Service from both accounts.

Additional Resources:
• Geographical Considerations - https://docs.citrix.com/en-us/citrix-cloud/overview/signing-up-for-citrix-cloud/geographical-considerations.html


Citrix Cloud Security
Customer Data

[Diagram, Security: Customer A, B and C metadata held separately in Citrix Cloud (Control, Access, Admin); each customer's Connector, Application Resources and Data shown in that customer's own environment.]
[Diagram, Encryption Flow: StoreFront, Citrix Gateway, Cloud Connector and VDA, with paths labelled Password, AES Encrypted Password and Encryption Key / ICA Ticket, ending in Single Sign-On for Windows Logon.]

Key Notes:
• Citrix Cloud does not host the machines running the VDAs nor the customer data.
• The only data stored in Citrix Cloud is the metadata in Cloud Studio and Cloud Director, such as user or group names,
application names, client IP addresses, etc.
• Security:
• Every customer’s metadata is secured in separate containers.
• Application data remains on-premise

• Security Compliance:
• Security Development Lifecycle
• Regular security training for the entire team
• Threat modeling before any code is written
• Both static and human code analysis for vulnerabilities
• Quarterly independent penetration tests
• Ongoing security reviews and auditing
• 24/7 Monitoring & Alerting for Security and Availability
• Handling of Data
• Data at Rest:
• Citrix Cloud only stores metadata, such as:
• Usernames
• Application Names
• Icons
• Sensitive data remains in the resource location, under the customer’s control:
• Machine Images
• User and Application Data
• Data in Transit:
• All data is encrypted with TLS while in transit
• HDX data (pixels, keystrokes, etc.) transit the Citrix Gateway
• User credentials transit Citrix Workspace, but are not persisted
• Alternatively, StoreFront may be deployed by the customer to encrypt credentials before they leave the customer’s premises.
• Encryption Flow
• User Password:
• Flows from client device to Citrix Gateway for authentication
• StoreFront forwards to Connector
• Citrix Cloud Connector:
• Generates the launch ticket and encrypts password using the ticket as the key.
• Encrypted password is forwarded to the proper Virtual Delivery Agent (VDA) by Citrix Cloud.
• Ticket is returned in the ICA file without ever reaching the cloud.
• Citrix Workspace App:
• Connects to VDA and provides a launch ticket that allows VDA to decrypt credentials.
• Red: Symbolizes the password being transmitted from Workspace App to Citrix Gateway to StoreFront to Cloud Connector.
• Green: Symbolizes the Cloud Connector encrypting the password with AES encryption before sending the credentials to Citrix Cloud. At launch time, Citrix Cloud sends back the AES encrypted credentials to the Cloud Connector, which then forwards the credentials to the VDA.
• Grey: Symbolizes the exchange of the STA ticket retrieved from the Cloud Connector; the STA ticket will never reach Citrix Cloud.

rr
es
al
e
or
di
s tri
b ut
io
n

109 © 2021 Citrix Authorized Content


Citrix Cloud Updates
Canary Program

• Citrix Cloud consists of two identical environments:
• Release A
• Release B
• Updates are applied to one environment first, and then customers are migrated over to this
environment in designated batches.
• Once all customers are moved, the remaining environment will receive the update.

[Diagram labels: Update; Release A, Release B; Customer 1, Customer 2, Customer 3, Customer 4]
Key Notes:
• Citrix can move Cloud Customers between the two environments freely and without the customer noticing any
difference.
• A move will not be completed until a customer signs out of any administrative consoles; this way, the move will not
interfere with the administrator's work.
• Customers can choose whether to be first movers (opt in) or last movers (opt out), but every customer will be moved and
receive the updates eventually.
• If errors are found during the migration, customers will be migrated back to the stable platform until the error
is resolved.
• Updates are deployed to Citrix Cloud every two weeks using the canary process.
• You may be notified about a pending update and asked to finish your tasks before an update is deployed to
your Citrix Cloud account.
• You can verify which release platform you are connected to using the browser development tools. Look for
release-a and release-b in the code.
• Browser tools can typically be invoked by pressing F12 in your browser.
• Canary Update
• In software testing, a canary is a push of programming code changes to a small group of end users who
are unaware that they are receiving new code.
• For incremental code changes, a canary approach to delivering functionality allows the development team
to quickly evaluate whether or not the code release provides the desired outcome.
• The word canary was selected to describe the code push to a subset of users because canaries were
once used in coal mining to alert miners when toxic gases reached dangerous levels.
• Schedule:
• Control plane and Cloud Connectors are automatically updated.
• 4-5 day process to migrate customers to new code.
• If issues are observed, the Control Plane issues a hard stop until the issue is resolved.
• Test State: Internal customers to verify deployment.
• Opt-In: Customers who have explicitly notified Citrix that they want the latest stable
code as quickly as possible.
• Opt-Out: Customers who want to wait until 100% state is achieved.


Citrix Cloud Updates Rollback
Canary Program

• If a problem is detected during updates, Citrix Cloud can roll back any customer to the
previous Release environment.
• Rollback can be done within 5 minutes.
• Cloud Connectors are downgraded in serial.
• Many Cloud Connectors equals longer rollback times.

[Diagram labels: Update; Release A, Release B; Customer 1, Customer 2, Customer 3, Customer 4]
Key Notes:
• Platform roll back within 5 minutes.
• The Citrix Cloud platform services and cloud connector can now recover from release-to-release customer-impacting
issues in less than 5 minutes. This is achieved by rolling back to the previous version of platform service and connector
code. Previously, we had a ‘roll forward only’ approach where fixes were made in place and pushed to production, which
sometimes resulted in a recovery time of an hour or more.
• Note: Connector downgrades may take longer than 5 minutes as they are done serially across the customers’
environments.

Lesson Objective Review

• If a customer chooses to opt out of the canary program, will they still get the update?

• Yes, but only when the update has been successfully deployed to all the opt in customers.

Connection Flow Process
Introduction


Connection Flow Process (Three Concepts)

It is important that the Citrix Administrator is familiar with the following three connection flow processes,
when both deploying and managing a Citrix Virtual Apps and Desktops environment:
• Authentication
• Enumeration
• Session Launch
Key Notes:
• Previously, the Citrix Virtual Apps and Desktops Architecture was presented with a layer by layer approach.
• The next few slides will target specific components from all of those layers and group them together.
• This grouping is used to present the basic concepts in one of Three Connection Flow Processes:
• Authentication
• Enumeration
• Session Launch



Additional Resources:
• Citrix XenDesktop Connection Process and Communication Flow: http://support.citrix.com/article/CTX128909
• Technical overview - How typical deployments work:
• 7.15 LTSR: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview.html
• Current Release: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview.html



On-Premise Connection Flow Processes

• Authentication
• Enumeration
• Session Launch

[Diagram: numbered steps (1 to 12) connecting Users, External Users, Firewall, Citrix Gateway, StoreFront, Delivery Controller, Domain Controller, SQL, License Server, and the Server OS, Assigned Desktop OS, Random Desktop OS and Remote PC resources, arranged in User, Access, Control and Resource Layers above a Hardware Layer (Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor; On-Premise or Cloud Hosted).]
Key Notes:
• Authentication is the process in which user identity is verified.
• There are two methods for authentication with StoreFront:
• Direct: StoreFront validates credentials against Active Directory. Direct authentication is the default behavior of
StoreFront.
• XML service-based authentication: StoreFront passes credentials to Delivery Controller, which validates credentials
against Active Directory.



• Both methods are acceptable, and may simply be a choice of preference.
• However some companies don’t have the choice. For example, if the StoreFront server is not in the same
domain as Citrix Virtual Apps and Desktops, or if it is not possible to put an Active Directory trust in place,
then the only method you can configure is to require the Delivery Controller to authenticate to Active
Directory on behalf of StoreFront.
• In order to support this, you have to delegate authentication to the XML server.
• Enumeration:
• The Broker Service determines which desktops and applications the user is allowed to access.
• Once the credentials are verified, the information about available apps or desktops is sent back to the user
through the StoreFront-Receiver pathway.
• Session launch:
• When the user selects applications or desktops from this list, that information goes back down the pathway
to the Controller, which determines the proper VDA to host the specific applications or desktop.
• The Controller sends a message to the VDA with the user's credentials and sends all the data about the
user and the connection to the VDA. The VDA accepts the connection, prepares itself for the session
(starts listening on ports 1494 and 2598 on Desktop OS VDAs) and sends the information back through the same
pathways all the way to the Delivery Controller. The Delivery Controller sends the information about the VDA to
StoreFront, and StoreFront bundles up all the information that has been generated in the session to create an
Independent Computing Architecture (ICA) file and sends it to the user's device. Citrix Workspace app opens the
ICA file and establishes a connection with the VDA. As long as the Site was properly set up, the credentials
remain encrypted throughout this process.
• The ICA file is copied to the user's device and establishes a direct connection between the device and the
ICA stack running on the VDA. This connection bypasses the management infrastructure such as
StoreFront and the Delivery Controller.
• The connection between Citrix Workspace app and the VDA uses the Citrix Gateway Protocol (CGP). If a
connection is lost, the Session Reliability feature enables the user to reconnect to the VDA rather than
having to re-launch through the management infrastructure. Session Reliability can be enabled or disabled
in Studio.
• Once the client connects to the VDA, the VDA notifies the Controller that the user is logged on, and the
Controller sends this information to the Site database and starts logging data in the Monitoring database.
• In this diagram, the differences between IMA and FMA are apparent. For example, under IMA architecture,
each worker was responsible for obtaining the license file. In FMA architecture, this is now centralized and
the Delivery Controller checks out the licenses.
• This provides greater flexibility in segmenting the network and also means that the redirection of the license
cache on non-persistent machines is no longer needed.
• Connection Flow Process: (Keep in mind the diagram addresses Internal Users. External users would start
Authentication through a firewall, then to a Citrix Gateway, then proxy authentication to the Domain Controller
running Active Directory.)
• Authentication: (Orange)
1. Credentials are submitted to StoreFront.
2. StoreFront passes the credentials to the Delivery Controller.
3. The Delivery Controller validates the credentials received from StoreFront with Active Directory.
• Enumeration: (Blue)
1. The Delivery Controller queries the site database for assigned apps and desktops.
2. Available apps and desktops are forwarded to StoreFront.
3. Apps and desktops are presented to the user.
• Session Launch: (Purple)
1. User clicks a listed app or desktop. This request is sent to the StoreFront Server.
2. This request is forwarded to the Delivery Controller.
3. The Delivery Controller queries the Site database to determine which VDAs are currently available to
host the selected resource, then selects a VDA.
4. The Delivery Controller validates the current status of the selected VDA.
5. Delivery Controller notifies the VDA about the upcoming connection.
6. The Delivery Controller forwards information about the assigned VDA to StoreFront.
7. A launch file (.ICA) is sent to the end user’s endpoint.
8. Citrix Workspace app establishes connection with VDA.
9. VDA notifies Delivery Controller about established HDX Session.
10. Delivery Controller queries Citrix License Server and checks out a valid license for the session.
11. Delivery Controller notifies VDA that licensing is qualified.
12. Citrix Workspace app presents virtual app or desktop to the user.

Additional Resources:
• Citrix XenDesktop Connection Process and Communication Flow: http://support.citrix.com/article/CTX128909
• Technical overview - How typical deployments work:
• 7.15 LTSR: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview.html
• Current Release: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview.html


Citrix Cloud Connection Flow Processes

• Authentication
• Enumeration
• Session Launch

[Diagram: numbered steps (1 to 8) connecting the Citrix Cloud components (License Server, Citrix Studio, Citrix Director, Citrix Gateway, Citrix Workspace, Delivery Controller, Site Database) with Users, Firewall, Citrix Gateway, StoreFront, Cloud Connector, Domain Controller, and the Server OS, Assigned Desktop OS, Random Desktop OS and Remote PC resources, arranged in User, Access, Control and Resource Layers above a Hardware Layer (Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor; On-Premise or Cloud Hosted).]
Key Notes:
• It is worth noticing that the Cloud Hosted StoreFront passes the credentials to Citrix Cloud Delivery Controllers which
then proxy the authentication to Citrix Cloud Connectors. Finally, the Cloud Connectors talk to Domain Controllers to
authenticate the users.
• Credentials are parsed in the Cloud; this might be a security concern for some organizations.
• If Citrix Gateway is not being used then the launch.ica file will have an internal IP which cannot be resolved by the
remote clients. Hence a Cloud Hosted StoreFront without Citrix Gateway provides access to internal users only.



• Citrix Cloud StoreFront does not support direct authentication.
• Currently, there is no option to customize the default settings for Cloud Hosted StoreFront.
• If a user logs in to a Cloud Hosted StoreFront and has a single Desktop published to them, then the desktop will
auto-launch. This is a default behavior and cannot be customized for a Cloud Hosted StoreFront.
• Connection Flow Process: (Remember, when outside of Citrix Cloud, the StoreFront role is still called
StoreFront, but inside of Citrix Cloud it has a different name, Citrix Workspace. To make it easier, the following
steps consistently use StoreFront, regardless of location.)
• Authentication: (Orange)
1. Citrix Workspace app contacts StoreFront in Cloud.
2. StoreFront authenticates with Cloud Delivery Controller.
3. Cloud Delivery Controller proxies authentication to Cloud Connector.
4. Cloud Connector queries Domain Controller.
• Enumeration: (Blue)
1. Cloud Delivery Controller queries the database.
2. Cloud Delivery Controller returns XML to Cloud StoreFront.
3. StoreFront displays available resources.
• Session Launch: (Purple)
1. User selects a resource, which sends the request to the Cloud StoreFront, to the Cloud Delivery
Controller.
2. The Delivery Controller queries the Site database to determine which VDAs are currently available to
host the selected resource, then selects a VDA.
3. Cloud Delivery Controller checks resource availability through Cloud Connector.
4. The Delivery Controller forwards information about the assigned VDA to StoreFront.
5. A launch file (.ICA) is sent to the end user’s endpoint.
6. Citrix Workspace app establishes connection with VDA.
7. Delivery Controller queries Citrix License Server and checks out a valid license for the session.
8. Citrix Workspace app presents virtual app or desktop to the user.


Lesson Objective Review

• Which Citrix Connection Flow Process demonstrates the Broker Service determining which desktops and
applications the user is allowed to access?

• Enumeration


Key Takeaways

• Citrix Virtual Apps and Desktops provides secure access to user resources across any network from any device.
• The essential architecture for a POC deployment includes a Delivery Controller, Domain Controller, License Server,
StoreFront Server, and a Citrix Gateway.
• Citrix Virtual Apps and Desktops allows administrators to tailor Server OS and Desktop OS resources to users from a
single console.
• Citrix Virtual Apps and Desktops supports four hosting solutions including On-Premises, Cloud-Hosted, Citrix-Hosted,
and Service Provider.
• The Citrix Virtual Apps and Desktops Service offloads the product deployment to Citrix Cloud.
• The default method of authentication relies on StoreFront forwarding credentials to Active Directory.


Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Deploy the Site

Module 02


Learning Objectives

• Identify supporting infrastructure requirements for pre-deploying Citrix Virtual Apps and Desktops build.
• Review the Citrix licensing considerations.
• Present the role of the Delivery Controller.
• Explain the process to setup the Site.
• Identify redundancy considerations for the Site.


Pre-Deployment Considerations


Consider Active Directory Services

• Supporting Infrastructure
• Leverage Active Directory for authentication and authorization
• Create DHCP scope for provisioned machines and enable DNS dynamic updates, where applicable
• Verify Microsoft Remote Desktop Services Licensing, wherever required for Server OS resources
• Organizational Unit (OU) Structure
• Create a separate OU structure for the Citrix environment
• Separate out infrastructure servers from desktops/applications resources
• Build a distinct OU for test Citrix environment
• Domain Name System (DNS)
• Citrix Virtual Apps and Desktops relies on DNS to operate correctly at all times
• DNS services are usually installed on Domain Controllers
• Dynamic Host Configuration Protocol (DHCP)
• Citrix Virtual Apps and Desktops Machine Creation Services and Citrix Provisioning rely on DHCP to issue
IP addresses to machines hosting the VDA software
• Confirm DHCP Scope size to match the number of planned VDA machines
Key Notes:
• Supporting Infrastructure
• Active Directory is required for Citrix Virtual Apps and Desktops.
• Kerberos infrastructure ensures authentication of Delivery Controller communication and time synchronization
between servers.
• Time synchronization is particularly important for VDA registration.
• A DHCP scope is recommended for VMs provisioned via PVS or MCS; DNS dynamic updates are required for VMs that
receive addresses dynamically via DHCP (including provisioned VMs).
• RDS licensing is required for Server OS-based published apps and desktops, so admins will need to verify
that the number of RDS licenses is sufficient for the Server OS workloads delivered.
• Organizational Unit (OU) Structure
• When you create a Site, a corresponding Organizational Unit (OU) can be created in Active Directory to
ease management of the VDAs. As a leading practice, the OU should also contain the Controllers in the
Site, but this is not enforced or required. A domain administrator with appropriate privileges can create the
OU as an empty container, then delegate administrative authority over the OU to a Citrix administrator.
• Consider the following:
• Separate Citrix OUs to block inheritance for the Citrix OU and thereby prevent other policies from
affecting the Citrix environment.
• Separate infrastructure servers from resources delivered (VDAs) to prevent VDA policies from affecting
infrastructure servers.
• Further separate out VDAs according to OS, application set, delivery type, etc. where necessary in order
to apply more granular group policies to specific machines based on their role in the environment:
• E.g. Optimization policies based on OS.
• E.g. Security restrictions for particular resources.
• If there is a separate AD infrastructure for the test environment, the test OU in the production
environment can be leveraged for user acceptance testing (pre-production).
• If there is no separate AD infrastructure for the test environment, then the test OU can be used to enable
administrators to test policies without affecting the production Citrix Virtual Apps and Desktops
deployment.
• The test OU should mimic the production OU as closely as possible.
• Domain Name System (DNS)
• DNS is a critical component in Microsoft Windows Domains and should be given extra considerations to
guarantee the availability of the service.
• Most Citrix components need name resolution to function properly. In particular, the VDA registration
process can fail if duplicate entries or stale records exist in DNS, so consider enabling “aging and
scavenging” on applicable DNS zones.



• For added security, the HDX connection between Citrix Workspace app and VDA can be encrypted using
SSL/TLS. This requires certificates to be present on VDAs, and since certificates are normally issued to
names rather than IP addresses, the “XML DNS Address resolution” feature needs to be turned on.
• A reverse DNS Lookup Zone might also be required, especially if the DNS namespace differs from Active
Directory Domain names.
• Dynamic Host Configuration Protocol (DHCP)
• DHCP is a service responsible for issuing unique IP addresses (and other information like Gateway servers,
Routing information, DNS server location, etc.) to devices within a local network. DHCP allocates these IP
addresses from a specified range of addresses for a limited time (before these addresses are either
returned to the pool or their return date is extended). Sometimes these ranges (scopes) are not large
enough or the allocated addresses are not returned fast enough to be available to others.
• The main two dependencies for DHCP are Machine Creation Services (MCS) and Citrix Provisioning (PVS).
While MCS will be covered in an upcoming module, PVS is explained in a different course.
• DHCP normally does not fall under the responsibilities of the Citrix Administration team, but it needs to be
monitored / checked because of the dependencies.
• Servers built manually are often using static IP addresses.
• DHCP as a central service can become a single point of failure if no high availability solution is set up.
• Many deployments install the role of the DHCP server on their domain controllers.
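
A pre-deployment check for the two failure modes named in the DNS and DHCP notes above (duplicate or stale DNS records that break VDA registration, and a DHCP scope too small for the planned VDA count), given here as an added example that is not part of the Citrix course material. The record tuples, host names, scope values, the 20% reserve and all function names are constructed assumptions; feed it an export from your own DNS zone and DHCP server.

```python
"""Audit a DNS zone export and a DHCP scope before provisioning VDAs."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (record type, name, value) rows from a zone export.
# A records map host -> IP, PTR records map IP -> host.
SAMPLE_RECORDS = [
    ("A", "vda-001.corp.example", "10.20.0.11"),
    ("A", "vda-002.corp.example", "10.20.0.12"),
    ("A", "vda-002.corp.example", "10.20.0.57"),  # old lease never scavenged
    ("A", "vda-009.corp.example", "10.20.0.11"),  # stale: IP re-issued to vda-001
    ("PTR", "10.20.0.11", "vda-001.corp.example"),
    ("PTR", "10.20.0.12", "vda-002.corp.example"),
]


def audit_dns(records):
    """Return (kind, subject, details) findings for a list of zone records.

    duplicate-a   one host name resolves to several addresses
    shared-ip     one address is claimed by several host names (stale record)
    ptr-mismatch  reverse lookup is missing or names a different host, which
                  matters when certificates are issued to names, not IPs
    """
    host_to_ips = defaultdict(set)
    ip_to_hosts = defaultdict(set)
    ptr = {}
    for rtype, name, value in records:
        if rtype == "A":
            host_to_ips[name.lower()].add(value)
            ip_to_hosts[value].add(name.lower())
        elif rtype == "PTR":
            ptr[name] = value.lower()

    findings = []
    for host, ips in sorted(host_to_ips.items()):
        if len(ips) > 1:
            findings.append(("duplicate-a", host, sorted(ips)))
    for ip, hosts in sorted(ip_to_hosts.items()):
        if len(hosts) > 1:
            findings.append(("shared-ip", ip, sorted(hosts)))
    for host, ips in sorted(host_to_ips.items()):
        for ip in sorted(ips):
            if ptr.get(ip) != host:
                findings.append(("ptr-mismatch", host, [ip]))
    return findings


def scope_headroom(first_ip, last_ip, leased, planned_vdas, reserve_pct=20):
    """Addresses left in a DHCP scope after the planned VDAs are provisioned.

    reserve_pct is an assumed safety margin for leases that have not yet
    expired; a negative result means the scope is too small.
    """
    size = int(ip_address(last_ip)) - int(ip_address(first_ip)) + 1
    reserve = size * reserve_pct // 100
    return size - leased - planned_vdas - reserve


if __name__ == "__main__":
    for kind, subject, details in audit_dns(SAMPLE_RECORDS):
        print(f"{kind:13} {subject:24} {', '.join(details)}")
    free = scope_headroom("10.20.0.10", "10.20.0.250", leased=40, planned_vdas=180)
    print("scope headroom:", free, "(too small)" if free < 0 else "(ok)")
```

Any `duplicate-a` or `shared-ip` finding on a VDA name is a candidate for manual cleanup and for enabling aging and scavenging on that zone.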

Additional Resources:
• Supported Databases for XenApp and XenDesktop Components:
http://support.citrix.com/article/CTX114501
• System Requirements - Databases:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html
• Citrix Health Assistant - Troubleshoot VDA Registration and Session Launch:
https://support.citrix.com/article/CTX207624
• How to Enable DNS Address Resolution in XenDesktop:
https://support.citrix.com/article/CTX135250
• Understanding Aging and Scavenging:
https://technet.microsoft.com/en-us/library/cc771677(v=ws.11).aspx


Service Accounts
Reduce impact of individual permission and account issues, while increasing security

Leading practice is to have a database service account for each Citrix product/each purpose.

Citrix Virtual Apps and Desktops SQL Service Account
• Setup and maintenance permissions:
• dbcreator
• securityadmin
• db_owner
• Install database via Studio permissions:
• sysadmin

Hypervisor Service Account
• Permissions to create and manage virtual machines
• Permissions to enable communication with hypervisor
Key Notes:
• Leading practice: have a database service account for each Citrix product/each purpose.
• A proper password management procedure should be implemented for service accounts.
• Consider the following:
• Service accounts reduce the impact if there is an issue with an individual administrator’s account.
• Service accounts increase security because they limit the privileges of individual administrator accounts. If an account is
compromised, then it will not provide access to the entire environment. It is important to note that the service account
should not have domain admin privileges, in accordance with the principle of least privilege.
• The service account permissions for the XA/XD SQL account are required during the initial setup of the
database, removing/adding controllers, and updating database schema. During the initial setup, the correct
security roles are configured for the services (read, write, and execute only) for runtime. The FMA services
utilize the controller's AD machine account for accessing SQL during runtime, so user accounts are not
leveraged.
• “Studio” refers to the Citrix Virtual Apps and Desktops management console.

• To configure the site database automatically during site creation through Studio, sysadmin privileges for the
service account are required during the initial configuration. However, these can be removed after the initial
setup/configuration if dictated by security. More specifics are covered during Module 3.
• Exact permissions required for a hypervisor account vary according to the hypervisor. Refer to the links
below for permissions by host resource type.

Additional Resources:
• Citrix Hypervisor virtualization environments:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/install-prepare/xenserver.html
• Microsoft System Center Virtual Machine Manager virtualization environments:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/install-configure/resource-location/msscvmm.html
• Microsoft Azure virtualization environments:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/install-prepare/xenserver.html
• VMware virtualization environments:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/install-prepare/vmware.html
• Nutanix virtualization environments:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/install-prepare/nutanix.html


Standard Naming Convention
Establish a standard naming convention for environment components

• Determine a consistent, expandable naming convention during the design phase.
• Enable administrators to quickly identify meaningful information:
• Server role
• Geographic location
• Operating system
• Standardize naming conventions for:
• Servers and desktops
• Machine catalogs and Delivery Groups
• Sites
• Policies

Examples:
• FTL-Win2016Desktop-##: Fort Lauderdale Datacenter; Windows 2016 OS; Desktop; Number Scheme
• Finance_Win10Static_##: Finance User Group; Windows 10 OS; Static/persistent Desktop; Number Scheme
Key Notes:
• Considerations:
• Avoid naming components POC, test, etc. that will eventually be moved into production to avoid confusion and minimize
potential issues with changing names, or situations where the name cannot be changed.
• The naming convention should convey important information so that an admin can quickly identify components (helps
streamline management).
• When creating a naming convention, take into account future expansion. Make sure the naming convention is
something that can be built upon so that it can continue to be used if the environment grows.
• Remember renaming components can cause issues, so it is important to delineate naming conventions during
the design phase.
• You could include special characters (a hyphen or a dot) used for filtering / tokenizing in scripts later, like “Site-
Function-Name-Number”. If special characters cannot be used, a fixed number of characters and
abbreviations can serve the same purpose, like “SitFunNamNum”.
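
The tokenizing idea from the last note, as an added example that is not part of the Citrix course material: it parses both the delimited `Site-Function-Name-Number` form and the fixed-width `SitFunNamNum` form, then flags names that break the scheme, collide across the two forms, or still carry a POC/test marker. The inventory, the field widths and all function names are constructed assumptions.

```python
"""Parse and lint component names against a site naming convention."""
import re
from collections import Counter

# Delimited form from the note: Site-Function-Name-Number (hyphen or dot).
DELIMITED = re.compile(
    r"^(?P<site>[A-Za-z]{2,5})[-.](?P<function>[A-Za-z0-9]+)[-.]"
    r"(?P<name>[A-Za-z0-9]+)[-.](?P<number>\d{2,4})$"
)
# Fixed-width form: three characters per field, then digits (assumed widths).
FIXED = re.compile(
    r"^(?P<site>[A-Za-z]{3})(?P<function>[A-Za-z]{3})"
    r"(?P<name>[A-Za-z0-9]{3})(?P<number>\d{2,4})$"
)
# Markers the notes warn against carrying into production.
TEMP_MARKERS = re.compile(r"poc|test", re.IGNORECASE)


def parse_name(raw):
    """Return the four fields as a dict, or None if the name fits neither form."""
    for pattern in (DELIMITED, FIXED):
        match = pattern.match(raw.strip())
        if match:
            fields = match.groupdict()
            fields["site"] = fields["site"].upper()
            fields["number"] = int(fields["number"])
            return fields
    return None


def lint_inventory(names):
    """Return (parsed, problems) for an inventory of component names."""
    parsed, problems = {}, []
    seen = Counter()
    for raw in names:
        fields = parse_name(raw)
        if fields is None:
            problems.append((raw, "does not match the convention"))
            continue
        if TEMP_MARKERS.search(fields["function"] + " " + fields["name"]):
            problems.append((raw, "carries a POC/test marker"))
        key = (fields["site"], fields["function"].lower(),
               fields["name"].lower(), fields["number"])
        seen[key] += 1
        if seen[key] > 1:
            problems.append((raw, "collides with an existing name"))
        parsed[raw] = fields
    return parsed, problems


def next_free_number(parsed, site, function, name):
    """Lowest unused sequence number for a site/function/name triple."""
    wanted = (site.upper(), function.lower(), name.lower())
    used = {
        f["number"] for f in parsed.values()
        if (f["site"], f["function"].lower(), f["name"].lower()) == wanted
    }
    number = 1
    while number in used:
        number += 1
    return number


# Constructed inventory for illustration.
SAMPLE = [
    "FTL-CTX-DDC-01",    # delimited form
    "FTL-CTX-DDC-02",
    "FTL.CTX.SF.01",     # dot as the delimiter
    "FTLCTXDDC01",       # fixed-width spelling of FTL-CTX-DDC-01
    "MIA-CTX-POCSF-01",  # POC marker left in a production name
    "ctxserver7",        # predates the convention
]

if __name__ == "__main__":
    parsed, problems = lint_inventory(SAMPLE)
    for raw, reason in problems:
        print(f"{raw:18} {reason}")
    print("next FTL-CTX-DDC number:", next_free_number(parsed, "FTL", "CTX", "DDC"))
```

Running the lint over an export of machine, catalog or Delivery Group names during the design phase catches drift before a rename becomes disruptive.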

Additional Resources:
• Naming conventions in Active Directory for computers, domains, sites, and OUs:
https://support.microsoft.com/en-us/kb/909264


Certificate Authority (CA)

• Internal CAs can issue certificates for internal computers
• Certificates secure network traffic using SSL or TLS

[Diagram: an Internal CA shown with Internal Users, External Users, Firewall, Citrix Gateway, StoreFront, Delivery Controller, Domain Controller, SQL, License Server, and the Server OS, Assigned Desktop OS, Random Desktop OS and Remote PC resources, arranged in User, Access, Control and Resource Layers above a Hardware Layer (Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor).]
Key Notes:
• Configuring a Citrix Virtual Apps and Desktops Site to use the Secure Sockets Layer (SSL) or Transport Layer Security
(TLS) security protocols includes the following procedures: Obtain, install, register certificate and configure a port to use
the certificate. Optionally, you can change the ports the Controller uses to listen for HTTP and HTTPS traffic.
• The leading practice is to install certificates to secure communication for the connections between:
• Endpoint to StoreFront: Install server certificate on StoreFront server to secure traffic between endpoints and
StoreFront.
• If using the Citrix Workspace app to connect directly to StoreFront using the manual configuration of the
StoreFront store or email-based account discovery, SSL/TLS encryption is required.
• StoreFront to Delivery Controller: Install server certificate on Delivery Controller to secure communication
between StoreFront server and Delivery Controller.
• This certificate is optional, but consider:
• It is recommended to prevent XML data from being sent in clear text (passwords obfuscated).
• However, it is a relatively lower security risk because the components are typically on the internal
network.
• Delivery Controller to hypervisor: Install certificate to secure communication between hypervisor and
Delivery Controller.
• vSphere – vCenter certificate on Delivery Controllers
• Citrix Hypervisor – certificate on Citrix Hypervisor host
• Installing a certificate is not required for Hyper-V because Citrix Virtual Desktops leverages WCF to
automatically secure communications.
• Administrators should be aware that they may need to request these in advance or work with the security
team beforehand so they can have the certificates ready when needed for building.
Additional Resources:

• Transport Layer Security (TLS):
• 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/tls.html
• VMware virtualization environments:
• 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/install-prepare/vmware.html
• How to Use IIS to Acquire SSL Certificates for XenServer:
https://support.citrix.com/article/CTX128617


Group Policy Management

• Microsoft leading practice to manage multiple systems
• Requires delegated permissions on OU level
Key Notes:
• In some companies the Citrix Admin has no permissions to manage group policies.
• It is a leading practice to separate all Citrix components into OUs underneath a common Citrix-OU.
• This OU can then be delegated for management to the Citrix Admin team.



Firewall
Ports and Placement

Verify ports required for communication are open.
Firewalls are typically placed to secure traffic to and from:
• Virtual Delivery Agent
• Endpoint Device

[Diagram: components Active Directory Server, License Server, Endpoint Devices, StoreFront, Delivery Controller, Hypervisor, SQL and VDA, with port labels 389, 636; 27000, 7279; 80/443; 1433; 1494/2598.]
Key Notes:
• This is a succinct overview of the ports required for Citrix Virtual Desktops; the full list of required ports can be found in
the article under Additional Resources.
• You may need to work with your security or firewall team to determine how the ports will be opened (manually vs.
automatically) and these decisions should be made during the design phase to prevent impact to build timelines.
• Port 1494 is for the HDX connection, but port 2598 is used if Session Reliability is enabled.
• Whether port 80 or port 443 is used depends on whether the communication has been secured.



• The VDA stands for Virtual Delivery Agent, and refers to the application and desktop resources being made
available to users.
• Keep all endpoint devices in your environment up to date with security patches. One advantage of Citrix
Virtual Apps and Desktops is that you can use thin clients as terminals, which simplifies this task.
• Protect all machines in your environment with anti-virus software.
• Protect all machines in your environment with perimeter firewalls, including at enclave boundaries as
appropriate.

• If you are migrating from a conventional environment, you may need to reposition an existing perimeter
firewall or add new perimeter firewalls. For example, suppose there is a perimeter firewall between a
conventional client and database server in the data center. When Citrix Virtual Apps and Desktops is used,
that perimeter firewall must instead be placed so that the Virtual Delivery Agent (VDA) and user device are on
one side, and the database servers and Delivery Controllers in the data center are on the other side. You
should therefore consider creating an enclave within your data center to contain the database servers and
Controllers. You should also consider having protection between the user device and the VDA.
• All machines in your environment should be protected by a personal firewall. When you install core
components and VDAs, you can choose to have the ports required for component and feature communication
opened automatically if the Windows Firewall Service is detected (even if the firewall is not enabled). You can
also choose to configure those firewall ports manually. If you use a different firewall provider, you must
configure the firewall manually.
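
Added example, not part of the original manual: one way to verify the firewall placement described above from a given vantage point. It probes the ports shown on the slide and reports required ports that are blocked as well as enclave ports that answer when they should not. The host names, the ALLOWED policy table and the "any"/"all" rules are assumptions made for illustration.

```python
import socket
from dataclasses import dataclass

# Ports from the slide; the rule says how many of them must answer.
#   "any": one is enough (80 or 443 depending on whether the link is secured,
#          1494 for HDX or 2598 when Session Reliability is enabled)
#   "all": every port is needed (license server and vendor daemon)
PORTS = {
    "StoreFront": ((80, 443), "any"),
    "VDA": ((1494, 2598), "any"),
    "SQL": ((1433,), "all"),
    "Active Directory Server": ((389, 636), "any"),
    "License Server": ((27000, 7279), "all"),
}

# Assumed policy for this example: what each vantage point is meant to reach.
# Everything else sits behind the perimeter firewall and must not answer.
ALLOWED = {
    "endpoint": {"StoreFront", "VDA"},
    "delivery_controller": {"SQL", "Active Directory Server", "License Server"},
}


@dataclass(frozen=True)
class Check:
    component: str
    host: str
    ports: tuple
    need: str  # "any", "all" or "none"


def probe(host, port, timeout=1.0):
    """True if a TCP connection completes; refused, filtered and
    unresolvable targets all count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_plan(vantage, hosts):
    """Turn the port table into checks for one vantage point.
    `hosts` maps component name to the address to test."""
    plan = []
    for component, host in hosts.items():
        ports, rule = PORTS[component]
        need = rule if component in ALLOWED[vantage] else "none"
        plan.append(Check(component, host, ports, need))
    return plan


def evaluate(check, timeout=1.0):
    """Return (status, open_ports) for one check."""
    open_ports = [p for p in check.ports if probe(check.host, p, timeout)]
    if check.need == "none":
        status = "EXPOSED" if open_ports else "OK"
    elif check.need == "all":
        status = "OK" if len(open_ports) == len(check.ports) else "BLOCKED"
    else:  # "any"
        status = "OK" if open_ports else "BLOCKED"
    return status, open_ports


if __name__ == "__main__":
    # Constructed host names; replace with real addresses before running.
    hosts = {
        "StoreFront": "storefront.example.internal",
        "VDA": "vda01.example.internal",
        "SQL": "sql01.example.internal",
        "License Server": "lic01.example.internal",
    }
    for check in build_plan("endpoint", hosts):
        status, open_ports = evaluate(check)
        print(f"{status:8} {check.component:24} {check.host} open={open_ports}")
```

Run it once from an endpoint network and once from a Delivery Controller; an EXPOSED result from the endpoint side means the enclave boundary is not where the design says it is.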



Storage
Determine storage architecture solution to leverage for Citrix Virtual Apps and Desktops environment

Local Storage: Single Machine Access
Typical Use Case:
• Random/non-persistent VDI
• Published desktops

Shared Storage: Multi-Machine Access
Typical Use Case:
• Static/persistent VDI
• User data and home directory files

Key Notes:
• Misconception: enterprise companies should use only shared storage.
• Reality: Enterprise XA\XD implementations are also using local storage.
• Local storage is typically cheaper and allows for decentralized execution, which makes it easier to guarantee a certain
level of performance. Very large environments are aiming for centralized configuration and management with
decentralized execution. Local storage based on SSD drives can outperform lower-end SANs and cost only a fraction.
• Requirements should be reviewed (as well as the existing infrastructure) and a storage solution should be selected
based on those needs.
• There are additional storage considerations when determining the supporting storage solution:
• RAID levels
• Disk type and tiered storage
• IOPS requirements
• Storage bandwidth
• Consider - Local Storage versus Shared Storage:

• Local storage – stored on the machine and only accessible from a single machine.
• DAS – block-level, storage sub-system directly attached to server via cable.
• Shared storage – stored on a separate storage system that is accessible from multiple machines.
• NAS – file-level storage connected via Ethernet or network file sharing protocol.
• SAN – dedicated storage network for block-level storage connected via HBA.
• For local storage, you will have to copy master images and updates to each server if using MCS (will be covered
in a later module).
• There is no one-size-fits-all solution; the choice of storage type depends on the design of the solution.

Additional Resources:
• Connections and resources:
• 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/connections.html


VLAN Separation
• Create VLANs to:
• Minimize traffic
• Increase security

[Diagram: three VLANs. Desktops and Apps VLAN: Published Desktop, Published Apps, Hosted VDI (Random/Non-Persistent), Hosted VDI (Static/Persistent). Infrastructure Servers VLAN: Delivery Controller, Active Directory Server, StoreFront, SQL, License Server. Storage VLAN: Storage.]

Key Notes:
• VLANs can reduce broadcast traffic, enhance security, and enable complex network configurations.
• It is desirable to employ a modular approach to network VLAN design. Traffic separation is efficient for VDI IP
considerations and alleviating bandwidth traffic concerns. If possible, always create a separate VLAN for certain types of
traffic. For example:
• Storage VLAN for storage traffic (that is iSCSI, NFS, or CIFS).



• DMZs for certain external incoming traffic types.
• Server management VLAN (which may include Lights-Out capabilities and log gathering mechanisms).
• Guest VLANs for virtual desktops.
• This type of design approach keeps layer 2 broadcasts to a minimum while not over-utilizing the CPU and
memory resources of network devices.
• To optimize storage communications in the environment, Citrix recommends using a dedicated VLAN for
server to storage connections.
• Always consider separating heavy network traffic in a dedicated VLAN so that it does not interfere with other
traffic.


The Site Database

Site Database on SQL

[Diagram: Proof of Concept (POC): combined Database and Delivery Controller system. Legacy: Database System and Delivery Controller System. Today, Default: Logging Database System, Monitor Database System, Site Database System and Delivery Controller System.]

Site Database Sizing

Users     Applications   Type   Expected Peak Size (MB)
1,000     50             HSD    31
10,000    100            HSD    198
100,000   200            HSD    752
1,000     n/a            VDI    30
10,000    n/a            VDI    121
40,000    n/a            VDI    426

Key Notes:
• Determine the edition and version of SQL to be installed
• Implement a supported SQL high availability configuration:
• SQL Server Clustered Instances
• SQL Server Mirroring
• SQL Server AlwaysOn Availability Groups
• Citrix Virtual Apps and Desktops requires a Microsoft SQL Database.



• POC Deployments: The Delivery Controller and the database on the same system.
• Legacy: The Delivery Controller and the database on different systems.
• Today, Default: The databases are split by function, and the databases and the Delivery Controller are all on different systems.
• There are different Citrix Components that use databases for different purposes – each one may have
different requirements for the version or features of its database.
• In previous versions of Citrix Virtual Apps and Desktops, the database required for Citrix Virtual Apps and
Desktops would be created as one database by the installer; after install the admin could split it into different

databases to enhance performance or comply with backup/security guidelines.
• With the later releases of the product the installer now suggests deploying three separate databases, although
it is still possible to deploy using a single database. However, this is not recommended. This will be covered in
detail in a later module.
• Database size varies depending on usage of the product
• Refer to the sizing guide for close estimates
• This table serves as a reference and ONLY contains data for the Site Database. The Monitoring and
Configuration Logging database are not included. Refer to the Citrix Virtual Desktops 7.x Database Sizing
guide (provided below) for more information.
• Most databases grow but normally do not shrink. So, it is best to plan ahead in terms of free space on the
storage volume that the database resides on.
• Log files, depending on database settings, can fill up the disk of the database system if they are not truncated
(which usually happens after a backup of the database).
• Solid Microsoft SQL knowledge is recommended in order to change settings concerning the database server.

Additional Resources:
• Supported Databases for XenApp and XenDesktop Components:
https://support.citrix.com/article/CTX114501
• System Requirements - Databases:
• 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html
• XenDesktop 7.x Database Sizing:
https://support.citrix.com/article/CTX139508
• XenDesktop 7.x Database Sizing Tool:
https://support.citrix.com/article/CTX209080


Windows Licensing for Citrix
Virtual Apps and Desktops

Different editions and versions may be used but require corresponding licenses:
• Use KMS to activate volume licenses.
• Windows Server OS machines used for multi-user session hosting require an additional RDS
license server.
• A special Microsoft VDA license is required for each Client OS system accessed remotely.

[Diagram: Infrastructure Components: KMS License Server (Windows Server 2012 R2, Windows Server 2016). Machines running the VDA: RDS License Server Role; Windows Server 2012 R2, 2016, 2019; Windows Desktop 10. Windows Endpoints: VDA covered by SA; Windows Based Session Machine; Windows Based Endpoints.]

Key Notes:
• Microsoft licenses exist in many flavors and a professional consultation of the different license models (OEM, Retail,
Volume) and Editions should be done during the conception phase.
• A Key Management Server (KMS) is a special role that can be added to most Microsoft Windows servers to serve the
activation requests for other servers, but requires a volume license model.
• The VDA install on a Windows Server machine adds the role of Remote Desktop Services (RDS).
• An RDS server requires connecting to a separate Microsoft license server that needs to be activated, configured and
holding appropriate RDS licenses to issue.
• Each client/user connection to an RDS host requires a separate license to be checked out from the RDS
license server to connect.
• RDS licenses are based on client OR user.
• As an additional benefit, the RDS license covers the use of App-V.
• The VDA on a Windows Desktop OS does not require contact to the RDS license server.
• When accessing Windows Server systems, the RDS license is used, while Client/Desktop systems require
different licensing.
• Depending on Software Assurance (a Microsoft license model) status, the access to virtualized client systems
may already be covered without the need to buy additional VDA licenses from Microsoft. The same can apply
to existing Windows InTune licenses.

Additional Resources:
• Windows Server 2012 R2 Licensing Datasheet:
http://download.microsoft.com/download/F/3/9/F39124F7-0177-463C-8A08-582463F96C9D/Windows_Server_2012_R2_Licensing_Datasheet.pdf
• Windows Server 2016 Licensing Datasheet:
http://download.microsoft.com/download/7/2/9/7290EA05-DC56-4BED-9400-138C5701F174/WS2016LicensingDatasheet.pdf
• Commercial Licensing brief – Licensing Windows Server (2016) for use with virtualization technologies:
http://download.microsoft.com/download/3/D/4/3D42BDC2-6725-4B29-B75A-A5B04179958B/WindowsServer2016VirtualTech_VLBrief.pdf
• Using Microsoft VDI to Enable New Workstyles – (07) Microsoft VDI Licensing:
https://channel9.msdn.com/series/using-microsoft-vdi-to-enable-new-workstyles/using-microsoft-vdi-to-enable-new-workstyles-07-microsoft-vdi-licensing


Application Licensing

• Citrix Virtual Apps and Desktops allow concurrent access to multiple instances of a
software program.
• Check with vendor for specific license requirements.

[Diagram: User Layer: User1, User2 and User3 Endpoints. Resource Layer: App Sessions (User1 Session, User2 Session, User3 Session) on a Server OS.]

Key Notes:
• Most software requires a license per device it is installed on (for example Microsoft Office).
• Some software requires extra licensing to run on multi-user systems or prohibits concurrent use altogether.
• Some software uses hardware components (dongle) to verify license compliance – which can pose problems in virtualized
deployments.
• Some software requires its own license server in the backend, but may fail if multiple users access the license server with
the same IP (from the same system).

• License requirements for specific applications should be clarified before going into production.


Lesson Objective Review

How many databases are created by default when deploying an On-Premise Citrix Virtual
Apps and Desktops Site?

Three
• Site database
• Configuration logging database
• Monitoring database


Citrix Licensing Setup


Consider Citrix
License Models

• Citrix Virtual Apps uses the concurrent licensing model.
• Citrix Virtual Desktops uses the concurrent or the user/device licensing models.
• Citrix Virtual Apps and Desktops Service uses the user licensing model.

Citrix Virtual Apps and Desktops Licensing: What is counted and how long?

User/Device Model
• A user connects from different devices: each unique user is counted; 90 days since last connection.
• Multiple users sharing a device: each unique endpoint is counted; 90 days since last connection.

Concurrent Model
• Multiple users connect from multiple, different devices: each unique user & endpoint combination is counted; license returned when session ends.

Citrix Cloud Service Subscriptions
• A user connects from different devices: each unique user is counted; 30 days since last connection.

Key Notes:
• User Licensing – the license is assigned to a user ID, so the user can launch their resources from multiple devices, and
consume only one license. License is assigned to user ID and not able to be re-assigned until after 90 days of user
inactivity.
• Device Licensing – the license is assigned to a device ID, so multiple users can launch their resources from one device,
and consume only one license. License is assigned to device ID and not able to be re-assigned until after 90 days of
device inactivity.

• Use case: shared workstations in classrooms and hospitals.
• Concurrent Licensing – a license is assigned to an anonymous user and is assigned to each established
connection. On disconnection / logoff the license is returned to the pool and available for another user.
• Citrix Cloud Service Subscription – When subscribing to the Citrix Virtual Apps and Desktops Service, a
license is assigned to a user the first time a user accesses and uses the service. The license cannot be
re-assigned until after 30 days of user inactivity.
• It’s the customer that chooses either the (1) User/Device, (2) Concurrent, or (3) Service Subscription models
when purchasing licenses. If user/device licenses are used, the Citrix Licensing assigns either a user or
device license optimally based on usage.
• Citrix Virtual Desktops – user/device, concurrent, or service subscription models are available.
• Keep in mind that in most cases, Citrix Virtual Desktops licenses can be used for both Server OS and
Desktop OS workloads, with the exception of the VDI Edition. License editions will be covered in a later
slide.
• Citrix Virtual Apps – only concurrent or service subscription models are available, except for Secure Browser
edition (user/device).
• Citrix Virtual Apps concurrent licenses can only be used for Server OS workloads.
• You can release a user/device or concurrent license assigned to a user ID or device ID using the “udadmin” utility
if a user or device is no longer part of a customer’s organization/environment. The Citrix Cloud console can be
used to release service subscription licenses.
• Supplemental Grace Period (SGP) feature – if all purchased user/device or concurrent licenses are in use, the
license policy engine will grant unlimited additional connections for a limited time of 15 days to provide
customers with an opportunity to purchase more licenses. After the expiration of SGP, regular license limits
are enforced. Currently, service subscriptions do not enforce maximum license usage.
• Formula to determine number of user/device licenses to buy:
• (Number of total users) – (number of users that only access via shared devices) + (number of shared
devices) = total number of licenses to buy
• Concurrent licenses are not tied to a specific user. When a user launches a published resource, the Delivery
Controller requests the license and it is checked out to the specific user connection. When the user logs off or
disconnects from the session, the license is checked back in and is available for another user.


• Per user licenses: A licensed user requires a unique user ID, such as an Active Directory entry. When
assigned to a user, the license allows the user to connect to their desktops and applications with multiple
devices, such as desktop computer, laptop, netbook, smartphone, or thin client. A licensed user can connect
to multiple instances of a product concurrently. When users connect to an application or desktop, they
continue to consume the assigned license for the 90 day license assignment period. The assignment period
begins when a connection is made, is renewed to the full 90 days during the life of the connection, and expires
(allowing reassignment) 90 days after the last connection terminates (logs off or disconnects).

• Per device licenses: A licensed device requires a unique device ID and is authorized for use by any
individuals to access instances of a product. Use this type of license for shared devices, such as those used in
a classroom or hospital. It allows an unlimited number of users per device. When devices connect to an
application or desktop, they consume a license for the 90 day license assignment period.
• Citrix Cloud Service Subscription: When subscribing to the Citrix Virtual Apps and Desktops Service, a license
is assigned to a user the first time a user accesses and uses the service. The license cannot be re-assigned
until after 30 days of user inactivity.
• For some companies, it might be advisable to upgrade existing Citrix Virtual Apps licenses to a Citrix Virtual
Desktops edition just to benefit from the user/device licensing model available for Citrix Virtual Desktops.
• Note that it does not matter which or how many VDAs a user is connecting to (sequentially or concurrent) as
long as they use the same Citrix License server in the backend.
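
Added example, not part of the original manual: the user/device purchase formula and the concurrent model from the notes above, worked from session records. The session data is constructed, and treating a device as shared when two or more users connected from it inside the 90 day assignment period is an assumption of this example, not the Citrix License Server's own assignment logic.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ASSIGNMENT_PERIOD = timedelta(days=90)  # user/device assignment period from the notes


@dataclass(frozen=True)
class Session:
    user: str
    device: str
    start: datetime
    end: datetime


def active_assignments(sessions, as_of):
    """Sessions whose assignment has not expired at `as_of`: the period
    runs for 90 days from the moment the last connection terminates."""
    cutoff = as_of - ASSIGNMENT_PERIOD
    return [s for s in sessions if s.start <= as_of and s.end > cutoff]


def user_device_licenses(sessions, as_of):
    """total users - users that only use shared devices + shared devices."""
    users_by_device = defaultdict(set)
    devices_by_user = defaultdict(set)
    for s in active_assignments(sessions, as_of):
        users_by_device[s.device].add(s.user)
        devices_by_user[s.user].add(s.device)
    # Assumption: "shared" means two or more distinct users in the window.
    shared = {d for d, users in users_by_device.items() if len(users) >= 2}
    shared_only = {u for u, devs in devices_by_user.items() if devs <= shared}
    return {
        "total_users": len(devices_by_user),
        "shared_only_users": len(shared_only),
        "shared_devices": len(shared),
        "licenses": len(devices_by_user) - len(shared_only) + len(shared),
    }


def concurrent_peak(sessions):
    """Peak number of user and endpoint combinations connected at once."""
    events = []
    for s in sessions:
        events.append((s.start, 1, (s.user, s.device)))
        events.append((s.end, 0, (s.user, s.device)))
    # At equal timestamps handle ends before starts: the license is returned
    # when the session ends and is available to the next connection.
    events.sort(key=lambda e: (e[0], e[1]))
    connected = Counter()
    peak = 0
    for _, is_start, pair in events:
        if is_start:
            connected[pair] += 1
        else:
            connected[pair] -= 1
            if connected[pair] == 0:
                del connected[pair]
        peak = max(peak, len(connected))
    return peak


def _t(month, day, hour, minute=0):
    return datetime(2021, month, day, hour, minute)


AS_OF = datetime(2021, 6, 1)

# Constructed sample data.
SESSIONS = [
    Session("alice", "laptop-a", _t(5, 10, 9), _t(5, 10, 12)),
    Session("alice", "phone-a", _t(5, 10, 11), _t(5, 10, 11, 30)),
    Session("bob", "kiosk-1", _t(5, 10, 8), _t(5, 10, 9)),
    Session("carol", "kiosk-1", _t(5, 10, 9), _t(5, 10, 10)),
    Session("dave", "kiosk-1", _t(5, 10, 10), _t(5, 10, 11)),
    Session("dave", "laptop-d", _t(5, 10, 11, 15), _t(5, 10, 12, 30)),
    Session("frank", "laptop-f", _t(5, 11, 9), _t(5, 11, 10)),
    Session("erin", "pc-e", _t(2, 1, 9), _t(2, 1, 17)),  # older than 90 days
]

if __name__ == "__main__":
    print("user/device:", user_device_licenses(SESSIONS, AS_OF))
    print("concurrent peak:", concurrent_peak(SESSIONS))
```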

Additional Resources:
• License types:
https://docs.citrix.com/en-us/licensing/current-release/license-types.html
• FAQ: XenApp and XenDesktop 7.x Licensing:
http://support.citrix.com/article/CTX128013
• FAQ for Licensing (Current Release):
https://docs.citrix.com/en-us/licensing/current-release/frequently-asked-questions.html
• Citrix Cloud services subscriptions:
https://www.citrix.com/products/citrix-cloud/subscriptions.html


Consider Citrix License Editions
Session Type Comparative Matrix

Depending on the product and edition licensed, different options to publish desktops and applications
are available.

[Matrix: availability by edition. Columns: Citrix Virtual Apps Editions (Standard, Advanced, Premium) and Citrix Virtual Desktops Editions (Standard, Advanced, Premium). Rows: Server OS Published Desktop, Server OS Published App, VDI - Windows, VM Hosted Apps, Published Linux Server Desktops, Hosted Physical Desktop, Server VDI.]

Key Notes:
• You should always verify that the desired features are part of the edition of XD or XA that you are deploying. Licensing
restricts/enables available features.
• The brackets indicate that all of the features in the preceding edition are also available in the higher edition.
• Some key features by product/edition:
• Citrix Virtual Desktops Premium: AppDNA, SmartAccess, SCOM Bundle, Citrix Connector for SCCM, Enhanced
Director Monitoring.

• Citrix Virtual Desktops Advanced: Remote PC, Linux Dedicated VDI Desktops, PVS for Desktops and
Servers, DesktopPlayer, support for 16-, 32-, 64-bit apps, Microsoft App-V integration.
• Citrix Virtual Desktops Standard: VDI desktops, PVS available for all XD desktops (except physical
desktop).
• Citrix Virtual Apps Premium: AppDNA, SCOM Bundle, SmartAccess, PVS available for all Citrix Virtual
Apps servers, Enhanced Director Monitoring, Citrix Connector for SCCM, PVS available for all XA
servers.
• Citrix Virtual Apps Advanced: Linux hosted shared desktop, VM hosted apps, HDX RealTime
Optimization, PVS only for VM hosted app instances, Microsoft System Center integration, and Hybrid
cloud provisioning.
• Citrix Virtual Apps Standard: published desktops, unified Communications optimization, Support for 32-,
64-bit apps, FIPS compliant, Microsoft App-V integration.
• One Citrix License server can contain licenses for multiple editions of a Citrix product (in this case, Citrix
Virtual Apps and Desktops). The type of license checked out corresponds to the edition that is configured for
the Citrix Virtual Apps and Desktops Site. A Site is configured to consume an edition of a license and therefore
will check out that edition of a license.
• For example:
• Site A is configured to check out Advanced licenses.
• Site B is configured to check out Premium licenses.
• Citrix License server1 contains both Advanced and Premium licenses.
• Users who connect to Citrix License server1 from Site A will check out Advanced licenses only. Once the
number of Advanced licenses on Citrix License server1 is exceeded, new requests from Site A users will
cause the Site to enter a Supplemental Grace Period.
• Users who connect to Citrix License server1 from Site B will check out Premium licenses only. Once
again, if the number of Premium licenses on Citrix License server1 is exceeded, new requests from Site
B users will cause the Site to enter a Supplemental Grace Period.
• Citrix Cloud services do not have license editions; instead, there are multiple service subscriptions that can
enable different products and features of the Citrix suite. The selection of available services, and what is
included in each service, changes frequently, so check the Citrix Cloud services web page for the
latest information (see Additional Resources).
• Citrix Virtual Desktops offers two license models (concurrent / user-device) while Citrix Virtual Apps uses the
concurrent model.
• Server VDI refers to using Windows Server OS VDAs without Remote Desktop Session host capability, as
mere 1-user-per-server VDAs.
• Linux Desktops are supported for RedHat and SUSE Distributions in multi-user mode (much like Windows
Server OS published desktops) only.

• The Citrix License server manages the entitlements to the following features of Citrix Virtual Desktops:
Delivery Controller, Citrix Provisioning, on-demand application delivery, SCOM Bundle, AppDNA, Session
Recording, and enhanced Director monitoring.
• The Citrix License server manages the entitlements to the following features of Citrix Virtual Apps: Delivery
Controller, Citrix Provisioning, on-demand application delivery, SCOM Bundle, AppDNA, Session Recording,
and enhanced Director monitoring.
• Secure access (Citrix Gateway), WAN optimization features (Citrix SD-WAN) and Desktop Player are licensed
individually because licenses can be deployed on an integrated Citrix License server on the appliance or on a
shared Citrix License server in a datacenter.
• Citrix Cloud services each support a defined set of FlexCast models and features. As the services continue to
evolve, additional models and features will be added to them. For an up-to-date comparison of the FlexCast
models and features available to the Citrix Virtual Apps and Desktops Service, please see the “XenApp and
XenDesktop Release Feature Matrix”; a URL is provided in the Additional Resources.

Additional Resources:
• Citrix licensing technical overview 11.16.3:
https://docs.citrix.com/en-us/licensing/current-release/licensing-technical-overview.html
• Citrix XenApp and XenDesktop Features:
https://www.citrix.com/go/products/xendesktop/feature-matrix.html
• Frequently Asked Questions for Licensing:
https://docs.citrix.com/en-us/licensing/current-release/frequently-asked-questions.html
• Citrix Cloud services subscriptions:
https://www.citrix.com/products/citrix-cloud/subscriptions.html


The Citrix License
Server Role

• Provides central license management for all user sessions
• Is a common resource for different products

[Diagram: Citrix Licensing. One Citrix License Server serves a Citrix Virtual Desktops Site, a Citrix Virtual Apps Site, a Citrix Hypervisor Pool and standalone host, and Citrix Endpoint Management.]

Key Notes:
• Citrix recommends that you upgrade the Citrix License server to the latest version when you upgrade or install new Citrix
products. New license servers are backward compatible and work with older products and license files. New products
often require the newest license server to check out licenses correctly.
• Citrix does not provide hotfixes for Citrix License server components and does not support older License servers with
newer products. The latest versions of the Citrix License server often contain resolutions to issues appearing in earlier
versions.



• Citrix also recommends the following security considerations when you configure your environment or use the
Citrix Licensing Manager Console:
• Configure the Citrix Licensing environment so that only authorized administrators on a trusted network are
permitted to access the licensing port. You achieve this with an appropriately configured network or host-
based firewall.
• When using the Citrix Licensing Manager Console, avoid visiting untrusted websites or clicking on untrusted
URLs.

Additional Resources:
• FAQ for Licensing:
https://docs.citrix.com/en-us/licensing/current-release/frequently-asked-questions.html
• Get started, install, and configure the License Server:
https://docs.citrix.com/en-us/licensing/current-release/getting-started.html


Requirements to Deploy
The Citrix License Server Deployment

Citrix Cloud
• The Citrix License Server is managed and maintained by Citrix.
• The license usage insight service enables the Citrix Service Providers to monitor the usage.

On-Premise or Public Cloud
• Create a new VM or use an existing one.
• Download and install Citrix License Server software.
• Allocate licenses to the host name of the license server.
• Configure firewalls to allow traffic on license server ports (27000,7279,8083).
• License consumption can be monitored on Citrix Licensing Manager Console.

Key Notes:
• On-Premise or Public Cloud Ports:
• 27000: Used for product machines to contact the License Server.
• 7279: Citrix Vendor Daemon service, used for vending out licenses to product machines.
• 8082: Used for Web Services for Licensing.
• The License Usage Insights service will enable you to:
• Automatically collect and aggregate product usage information from Citrix license servers



• Easily view which users are accessing your Citrix Virtual Apps and Desktops deployments each month
• Optimize license costs by identifying and tracking a list of free users
• View and understand your historic business with Citrix
• Leading practice: install/upgrade to latest version of Citrix licensing when implementing a new product,
because new products typically need the latest license server in order to correctly check out licenses. The
Citrix License Servers are backwards compatible. However, if the latest version is not installed, it is imperative
to verify the minimum supported version for a product.

• Determine whether to leverage Citrix License Server or License Server VPX.
• VPX does not offer the same functionality, so review the applicable features prior to making a design
decision.
• The Citrix Licensing Manager is available with the License Server VPX, if you configure Active Directory
and install the keytab file.
• The Citrix License Server components can either be installed on a separate, dedicated server or on a server
they share with another application. Alternatively, you can use a Web or application server; however, the
locations mentioned below are less resource intensive:
• If you are running fewer than 50 servers or 10,000 licenses on all the environments connecting to the license
server, you can install the License Server role on the same server as one of the other Citrix Virtual Apps and
Desktops infrastructure components. You can monitor CPU and Memory load using Performance Monitor to
determine if and when you should relocate the License Server to another system.

Additional Resources:
• License Usage Insights Service:
https://docs.citrix.com/en-us/citrix-cloud/license-usage-insights/license-usage-insights.html
• Technical overview:
https://docs.citrix.com/en-us/licensing/current-release/technical-overview.html
• Get started, install, and configure the License Server:
https://docs.citrix.com/en-us/licensing/current-release/getting-started.html


Citrix License
Server
Communication

• The following Ports are used in the Citrix License Server Communication:
• Products contact License Server using port 27000.
• Products request license using vendor daemon port 7279.
• The Administrator connects to the Citrix Licensing Manager Console using port 8083.

[Diagram: User Layer, Access Layer, Control Layer, Resource Layer and Hardware Layer; the License Server in the Control Layer is reached on ports 27000 and 7279, and the Citrix Licensing Manager on port 8083.]

Key Notes:
• Port 27000 is used by the License Server itself, while 7279 is used by the vendor daemon (a service) to check licenses in
and out.
• Port 8083 is used for administrative access via a common web browser; the same port is used to programmatically access the
license server from PowerShell, Studio and Director.
• Determine if you need to place a firewall between the license server and any product servers. Citrix recommends that you
determine if your products will communicate with the license server through a firewall before installing
licensing. Where you install the license server can be impacted by firewall considerations.
• Licensing installation sets several port numbers for communications. After installation, you can use the Citrix
Licensing Manager Console to change port numbers (located under the “gear” Settings > Server
Configuration).
• Web Services for Licensing Port: The HTTPS TCP/IP port that the Web server uses to listen for
communication with clients connecting to Citrix Licensing Manager Console.
• By default, the port is set to 8083.
• If you are already using that port number for another application, you can change it to a value between 1
and 65535. If you are upgrading, you will maintain your previous configuration and might not get HTTPS
by default.
• If you change the port, you must stop and restart the Citrix Licensing service.
• License Server Port: This port number is used by the license server, which handles the initial
communication between the products, starts the vendor daemon, and relays check out and check in
requests to the vendor daemon.
• By default, this port number is 27000.
• Tip: You can verify which port number is being used from within the Citrix Licensing Manager Console,
under the “gear” Settings > Server Configuration.
• Vendor Daemon Port: This port number is used by the Citrix vendor daemon, which is responsible for the
core operations of the license server, including license allocation.
• By default, this port number is 7279; however, you may need to change it if you have a firewall or if the
number is already in use.
• You can verify which port number is being used from the Vendor Daemon Port within the Citrix Licensing
Manager Console, under the “gear” Settings > Server Configuration.
• PowerShell: port 8083 is used to programmatically access the license server from PowerShell, Studio and
Director.
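
The port layout above can be checked from a product server before and after a firewall change. The following PowerShell is an added example, not part of the course material: the host name licsrv01.example.local is a placeholder, the function names are hypothetical, and the ports are the defaults stated in this lesson. It tests TCP reachability of all three ports, then checks whether the Web Services for Licensing port completes a TLS handshake, since an upgraded server might not use HTTPS by default.

```powershell
# Added example (not from the course material). Run from a product server,
# such as a Delivery Controller, that must reach the License Server.
# Assumptions: 'licsrv01.example.local' is a placeholder host name; the ports
# are the defaults named in this lesson and may differ in your deployment.
$LicenseServer = 'licsrv01.example.local'
$TimeoutMs     = 3000
$Ports = [ordered]@{
    'License Server'             = 27000
    'Vendor Daemon'              = 7279
    'Web Services for Licensing' = 8083
}

# Hypothetical helper: TCP connect with a timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws if the connection is refused
        return $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Hypothetical helper: attempt a TLS 1.2 handshake and describe the certificate.
# Returns $null when the port does not complete the handshake (for example plain HTTP).
function Get-TlsCertificateInfo {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $script:tlsPolicyErrors = $null
    # Accept the certificate so it can be inspected; trust problems are recorded and reported
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $sslPolicyErrors)
        $script:tlsPolicyErrors = $sslPolicyErrors
        $true
    }
    try {
        if (-not $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) { return $null }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:tlsPolicyErrors
        }
    } catch {
        return $null
    } finally {
        $client.Close()
    }
}

# 1. Reachability of each licensing port through any firewall on the path
$results = foreach ($name in $Ports.Keys) {
    [pscustomobject]@{
        Service   = $name
        Port      = $Ports[$name]
        Reachable = Test-TcpPort -ComputerName $LicenseServer -Port $Ports[$name] -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

# 2. Transport protection on the console / web services port
$web = $results | Where-Object { $_.Service -eq 'Web Services for Licensing' }
if (-not $web.Reachable) {
    Write-Warning "Port $($web.Port) is not reachable; check firewall rules between this server and $LicenseServer."
} else {
    $tls = Get-TlsCertificateInfo -ComputerName $LicenseServer -Port $web.Port -TimeoutMs $TimeoutMs
    if ($null -eq $tls) {
        Write-Warning "Port $($web.Port) is open but did not complete a TLS 1.2 handshake; console logons may not be encrypted."
    } else {
        $tls | Format-List
        if ($tls.PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
            Write-Warning "Certificate is not trusted by this machine: $($tls.PolicyErrors)"
        }
        if ($tls.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Certificate expires on $($tls.NotAfter)."
        }
    }
}
```

If the port numbers were changed under Settings > Server Configuration, edit the `$Ports` table to match before running the check.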



Additional Resources:
• Technical overview:
https://docs.citrix.com/en-us/licensing/current-release/technical-overview.html
• Get started, install, and configure the License Server:
https://docs.citrix.com/en-us/licensing/current-release/getting-started.html
• Change port numbers:
https://docs.citrix.com/en-us/licensing/current-release/manage/change-port-numbers.html


Citrix License Services

Citrix License Server consists of four services:
• Citrix Licensing: The main service providing access to the license server via port 27000 and the license administration console via port 8082. This service also launches the vendor daemon hosting port 7279.
• Citrix Licensing Support Service: Adjusts port specifications within uploaded license files to match the license server’s actual port setting.
• Citrix Licensing WMI: Provides access to licensing data for Windows Management Instrumentation (WMI).
• Citrix Web Services for Licensing: Uses port 8083 to provide access to programmatic functions like uploading and activating licenses.

Key Notes:
• The main service is “Citrix Licensing” (lmadmin.exe) which launches the vendor daemon (citrix.exe).
• Citrix Web Services for Licensing – Citrix Studio, Director and the Licensing Administration PowerShell Snap-in
use this service to perform specific actions:
• To communicate with the License Server and manage users
• To allocate and install licenses
• To display License Server health, license usage, and other alert messages.
• The Citrix Web Services for Licensing service is also used by the Citrix Licensing Manager.
• Citrix Licensing WMI – This service provides access to Citrix Licensing WMI classes.
• There’s a namespace (ROOT\CitrixLicensing) with a few classes (notably, Citrix_GT_License_Pool) that
give license usage and availability counts.
• License Server queries that occur too frequently (more often than every 15 minutes) can have a negative impact
on overall performance.
• Citrix License Management Service – This is a non-Windows service that helps with better capacity planning
and license management.
• This service also helps you avoid prohibited practices:
• Duplication of licenses outside a Disaster Recovery (DR) environment
• Use of legacy licenses for new product versions
• Use of rescinded licenses
• Alerts the administrator in Citrix Insight Services regarding duplicate licenses in a Disaster Recovery
environment using built-in product telemetry.
• The first upload occurs approximately five minutes after the License Server first starts, or restarts, and
subsequent uploads occur once a day thereafter.

di
Additional Resources:

• Licensing services:
https://docs.citrix.com/en-us/licensing/current-release/consoles-services.html

Citrix Licensing Manager
Default Console Navigation

The console maintains four main tabs for administration:
• Dashboard
• Historical Use
• Install Licenses
• Update Licenses

Key Notes:
• Remember that the Citrix Licensing Manager console is accessible using a browser via port 8083, by default.
• To open it, from the Start menu, choose All Programs > Citrix > Citrix Licensing Manager.
• The default administrator with permissions to log in to the console is the account that performed the Citrix License Server
installation.
• During the installation of the Citrix Licensing Manager Console, accounts are added based on the machine
membership.
• The traffic to the Citrix Licensing Manager Console can be manually secured using a certificate (SSL/TLS),
which is generally considered a leading practice since credentials are exchanged over this connection.
• There are four main tabs for administration: Dashboard, Historical Use, Install Licenses and Update Licenses.
• The Dashboard:
• Displays installed, in-use, expired and available licenses, as well as Customer Success Services dates.
• Presents enhanced user/device license usage reporting.
• Displays specific license information about each unique environment location:
• Product-edition (e.g. Premium, Advanced, etc.)
• Model (e.g. User/Device, Server, Concurrent, etc.)
• In use/installed
• Available (i.e. how many licenses are currently available for that Product/Edition, and what % is
available of total licenses)
• An administrator can obtain more detailed information for a particular product license by expanding
the “>” on the right side of the screen.
• The Citrix Licensing Manager will then display a table containing:
• Customer Success Services (CSS) date (e.g. 2020.1201)
• Total licenses installed (i.e. how many total licenses are installed for that Product/Edition)
• Overdraft - Products (excluding Citrix Cloud) that support user/device, user, or device license
models include a license overdraft feature that enables you to use a limited number of extra
licenses to prevent access denial. This is made available as a convenience to customers. Any
overdraft licenses used must be purchased within 30 days of first use. This is not supported for
Concurrent and server licenses.
• Licenses in use - represents the total licenses that are currently checked out for that
Product/Edition.
• Available - represents the total licenses that are still currently available for use for that
Product/Edition.
• Expiration date – how long until licenses expire for this Product/Edition.
• Type of license (e.g. Evaluation, etc.).



Additional Resources:
• Citrix Licensing Manager:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager.html
• Licensing FAQ:
https://docs.citrix.com/en-us/licensing/current-release/frequently-asked-questions.html



Citrix Licensing Manager
Default Console Navigation

The console maintains four main tabs for administration:
• Dashboard
• Historical Use
• Install Licenses
• Update Licenses

Key Notes:
• Historical Use:
• The Citrix Licensing Manager stores and can export historical usage reports from the License Server on which the tool
is installed.
• You can specify a date range for the historical usage data and export it to a CSV file.
• The CSV file provides daily usage information, including the number of licenses in overdraft.
• You can view and specify the amount of time to retain the data.

• To export historical usage data, perform the following steps:
1. Browse to http://License-Server-Hostname:8083/ from any system with access to the License Server
(“Hostname” would be replaced with the actual License Server host name).
2. Using the menus, select the product and edition, the license model, and the date range (the larger the better)
to gather the history.
3. Select Export, and Save As to save the exported .CSV file.
4. You can adjust and change the retention period if desired. To do so, select the “Change” link next to
“Historical data is retained 1 Year”, and then make the change using the menu.
• The default retention period is 180 days.

fo
Additional Resources:
• Citrix Licensing Manager:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager.html
• Licensing FAQ:
https://docs.citrix.com/en-us/licensing/current-release/frequently-asked-questions.html


Citrix Licensing Manager
Default Console Navigation

The console maintains four main tabs for administration:
• Dashboard
• Historical Use
• Install Licenses
• Update Licenses

Key Notes:
• Install licenses:
• The Citrix Licensing Manager gives you 2 options to obtain your licenses:
• Use license access code
• Use downloaded license file
• Update licenses:
• You can check for available Customer Success Services renewal licenses.



Additional Resources:
• Citrix Licensing Manager:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager.html
• Licensing FAQ:
https://docs.citrix.com/en-us/licensing/current-release/frequently-asked-questions.html



Citrix Licensing Manager (cont.)
Settings Page Navigation

The console also maintains a Settings tab for additional configurations:
• The Settings window can be accessed by selecting the gear icon in the top right of the page.
• Three options are available:
• Account
• Server Configuration
• Usage and Statistics

Key Notes:
• Account: Allows for the configuration of the user and group access to manage the License Server.
• The Citrix Licensing Manager can use either local Windows Users and Groups or Active Directory Users and Groups.
• You can Add and/or Remove listings from the User Administration location in the Console.
• If Active Directory Users or Groups are used, then you need to ensure that the Windows License Server is a member
of that Microsoft Active Directory domain and running the Citrix Licensing Manager.
• Users or Groups created to access and manage the License Server can be created with either an Administrator or User
Role (this setting can be changed later, if required).
• The Users role allows for a password protected console dashboard; User roles will be prompted for
Windows logon when attempting to launch and access the Citrix Licensing Manager Console, and
randomly when attempting to access certain locations within the console.
• The Users role can perform configurations and reporting from the console.
• The Administrators Role by default can:
• Select a console display language.
• View system information.
• Add and remove users.
• Configure the License Server port.
• Configure the vendor daemon port.
• Configure the Web Services for Licensing port.
• Configure and add licenses.

al
Additional Resources:
• Settings for Windows:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager/settings.html
• License Administration Console:
https://docs.citrix.com/en-us/licensing/current-release/manage-license-administration-console.html


Citrix Licensing Manager (cont.)
Settings Page Navigation

The console also maintains a Settings tab for additional configurations:
• The Settings window can be accessed by selecting the gear icon in the top right of the page.
• Three options are available:
• Account
• Server Configuration
• Usage and Statistics

Key Notes:
• Server Configuration: Various functions can be performed from within this location, including license server port
adjustments, Customer Success Services renewal, and supplemental grace period configurations.
• Configured Ports: This location allows for the change or adjustment to the current license server ports.
• License Server. This port number is used by the License Server Manager. License Server Manager handles the initial
communication among the products, starts the vendor daemon, and relays check out and check in requests to the
vendor daemon. By default, this port number is 27000.
• Vendor Daemon. This port number is used by the CITRIX vendor daemon. The vendor daemon is
responsible for the core operations of the License Server, including license allocation.
• By default, this port number is 7279.
• If there is a firewall being used within the environment, or if the number is already in use, you may
need to change this port number.
• Web Services for Licensing. This port hosts the Citrix Licensing Manager, so anyone connecting to Citrix
Licensing Manager uses this port.
• Director and Studio use this port to communicate with the License Server using Web Services for
Licensing.
• By default, this port number is 8083.
• Customer Success Services Renewals: These renewal files contain licenses that extend Customer Success
Services memberships from 1 to 5 years.
• When enabled, the Citrix Licensing Manager contacts Citrix.com web services weekly to check for
available Customer Success Services renewal licenses.
• Based on how you configure it, the Citrix Licensing Manager automatically or manually checks for
Customer Success Services renewal licenses, and notifies you or installs the licenses when found.
• There are three options to choose:
• Automatically check for Customer Success Services renewal licenses and notify when available: This
option will trigger the Citrix Licensing Manager to display a notification to download and install
available renewals.
• This same notification appears in Studio and Director if they are configured to manage the License
Server.
• Automatically check for and install Customer Success Services renewal licenses when available: Citrix
Licensing Manager checks weekly and automatically installs renewal licenses when available.
• A notification displays for a few days stating that renewals have been installed.
• Manually check for Customer Success Services renewal licenses: An administrator can manually
select the Update License tab to Check for Available Renewals.
• You can check the Update License tab at any time to see a list of licenses installed in the last 30
days.
• Supplemental grace period. Maintains an on/off switch for configuration.
• An administrator can specify whether to start the 15-day supplemental grace period when you reach the
regular license consumption limit.
• Language: Allows for the administrator to change the display language for the Citrix Licensing Manager
Console. Changing the language setting will impact all listings in the console, including the Dashboard and
Settings locations.
• Available languages include:
• Chinese (Simplified)
• English
• French
• German
• Japanese
• Spanish

al
Additional Resources:
• Settings for Windows:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager/settings.html
• License Administration Console:
https://docs.citrix.com/en-us/licensing/current-release/manage-license-administration-console.html


Citrix Licensing Manager (cont.)
Settings Page Navigation

The console also maintains a Settings tab for additional configurations:
• The Settings window can be accessed by selecting the gear icon in the top right of the page.
• Three options are available:
• Account
• Server Configuration
• Usage and Statistics

Key Notes:
• Usage and Statistics: This location allows an administrator to configure how you share usage statistics with Citrix, register
your License Server with Citrix Cloud, monitor the status of uploads, and manage historical usage information.
• Register and remove registration with Citrix Cloud: Allows for easy registration of a Citrix License Server with Citrix
Cloud.
• When you register the License Server with Citrix Cloud, the License Server collects and stores the Call Home license
usage information. The License Server regularly transmits that data to Citrix Cloud.

• Before registering your License Server with Citrix Cloud, use the following firewall rules to open these
URLs:
• https://trust.citrixnetworkapi.net:443
• https://trust.citrixworkspacesapi.net:443
• https://core.citrixworkspacesapi.net:443
• Ensure that the License Server can access the Certificate Revocation List server for DigiCert. The
License Server checks the server to see if the required certificates are valid or revoked.
• Share usage statistics with Citrix:
• If you select and enable the option “Allow Citrix Insight Services to safely collect basic usage and
statistical information to better understand customer usage”, you will need to register with an
auto-generated 8-character alphanumeric code.
• Once registered, a server can be removed using the option “Remove Registration” that will be
displayed in place of the Registration button.
• Removal from registration may be desired for various reasons; for example, you’ve registered your
License Server to a specific company, which is now merged into another organization. Or, you may
want to perform some consolidation of your license usage data into one Citrix customer account.
• To complete the registration removal process, you have to remove the registration on Citrix Cloud
as well, under the “Identity and Access Management > API Access > Product Registrations”
tab location, and select “Remove registration”.
• If you select and enable the option “Send anonymous statistics and usage information to the Citrix
Customer Experience Improvement Program (CEIP)”, your information will be uploaded anonymously,
and there is no need to register.
• If you select and enable the option “Do not send any data to Citrix”, then no statistical data will be
uploaded to the analytics programs.
• The Citrix Licensing CEIP and Call Home usage and analytics programs are voluntary data collection
programs designed to improve customer product experience. Customers can participate in the
programs anonymously, choose to be identified, or decline to participate.
• Upload Information: This section provides status for the last CEIP, Call Home, or Citrix Service Provider
upload. If the upload fails, the Citrix Licensing Manager displays troubleshooting information.
• You can force a data upload to Citrix without waiting for the daily upload.
• You must wait five minutes between each forced upload.
• Historical Use: Allows you to set the number of days to retain your License Server usage information.
• You can configure this between one year and forever.

Additional Resources:
• Settings for Windows:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager/settings.html
• License Administration Console:
https://docs.citrix.com/en-us/licensing/current-release/manage-license-administration-console.html


Access Citrix Licensing from Studio
Studio License Navigation

The Citrix License Server and Citrix Licensing Manager can be viewed, accessed and configured from within the Citrix Studio.
• Launch the Citrix Licensing Manager Console
• View license and usage information
• Add or Allocate licenses
• Change the License Server
• Edit the Product Edition
• Configure Delegated Administration

* You must be a full license Administrator to complete these tasks.

Key Notes:
• From Studio, you can manage and track licensing; the license server needs to be in the same domain as Studio, or in a
trusted domain.
• Selecting the Licensing Management option from the Actions pane will now launch the new Citrix Licensing Manager
Console.
• Licensing Overview (default Licensing page):
• Site Overview: Displays bar graph license usage, Site information and installed licenses.
• License Use – bar graph showing total available and in use licenses in real time.
• Site information – Lists the current Site that the License Server is serving, the License Server FQDN
name, Product Edition, License Model, and Required Subscription Advantage date.
• Licenses – Currently installed product licenses, license model, license expiration, SA date, type of
license, and installed quantity.
• Actions pane: Displays a list of actions that can be performed, as listed in the main slide bullet list.
• Licensing Administrators (second licensing tab):
• This tab will list each current Delegated Administrator for licensing for this environment, and their current
permission level.
• Actions pane: lists all the functions that can be performed for Delegated Administration:
• You can add, edit or delete Administrator Users and Groups.
• The two permission levels include: Read only or Full administrative permissions.
• To allocate a license from within Studio:
1. Select Configuration > Licensing in the Studio navigation pane.
2. Select Allocate Licenses in the Actions pane.
3. Type the License Access Code, which is supplied in an email from Citrix.
4. Select a product and click “Allocate licenses”.
5. Licenses can then be accessed through Studio.
• Tools:
• The Citrix Licensing Portal can be accessed through My Account by selecting All Licensing Tools.
• The Citrix Licensing Portal is an online tool that allows you to view and manage your Citrix product licenses.
• Customers using license server 11.5 or later can take advantage of the new Licensing Portal benefits
immediately after they log on.
• A customer’s license pool can be issued to a single file or split to multiple license files.
• Each license file must be issued to the actual license server’s hostname.
• Citrix stores the licenses & license files in a database system so they can be downloaded again if needed.
• This Citrix License Online Tool manages licenses giving administrators access to:
• Allocate
• Re-allocate
• Renew
• View
• Upgrade
• Return
• Re-download

Additional Resources:
• Licensing:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/licensing.html
• My Account All Licensing Tools – User Guide:
https://support.citrix.com/article/CTX131110
• Citrix Licensing Manager:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager.html


How to Apply and Install Licenses
Citrix Licensing Manager

[Screenshots: “Install Licenses (Install Licenses on the License Server)” and “Update Licenses (Customer Success Services renewal)”.]

Key Notes:
• Install licenses:
• The Citrix Licensing Manager gives you 2 options to obtain your licenses:
• Use license access code
• Use downloaded license file
• Using the Citrix Licensing Manager to allocate and download licenses requires internet access or
configuration with a proxy server for the license server.
• After you click Allocate and Download, you cannot cancel it. If the Allocate and Download fails, use My
Account at citrix.com.
• The Citrix Licensing Manager allocates most license access codes, but doesn’t support redownloading or
reallocating of license files.
• You can return licenses on citrix.com and use the Citrix Licensing Manager to allocate them again. For
redownloading, use My Account.
• If you rename the License Server, you must reallocate any license files allocated under the old License
Server name.
• An administrator can install licenses by using either the license access code or a license (.lic) file.
• To use “Use license access code”:
1. Type the license access code (which is supplied in an email from Citrix) and choose Display
Licenses. (Your license entitlements display, and you can choose which licenses and the quantity
to install for your environment.)
2. Select a product from the displayed list, type the number of entitlements to install, and
choose Install. (To select more than one product, choose a product, click Install, choose the next
product, click Install, and so on. They are processed in order.)
• After you install all the licenses for a specific license access code, you cannot use that license
access code again in any environment.
3. To display the newly downloaded licenses, refresh the Citrix Licensing Manager Console.
• To use “Use downloaded license file”:
1. Select Use downloaded license file, and then choose a .lic file that you want to use for your
environment.
2. Click Import.
3. If your license file is successfully uploaded to the License Server, a message displays.
4. To display the newly downloaded licenses, refresh the Citrix Licensing Manager Console.
• Update licenses:
• You can check for available Customer Success Services renewal licenses. To check for most recent
renewals, select the link “Check for Available Renewals”.
• When licenses are available, the list of licenses, quantity, and Customer Success Services date
display on this screen.
• You can download and install the licenses. This screen lists any licenses installed in the last 30 days.

Additional Resources:
• Citrix Licensing Manager:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager.html
• Install licenses:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager/install.html
• Update licenses:
https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager/update-licenses.html


Lesson Objective Review

What are the four key Citrix Services running on the Citrix License Server?
• Citrix Licensing
• Citrix Licensing Support Service
• Citrix Licensing WMI
• Citrix Web Services for Licensing


Delivery Controller Setup


Role of the Delivery Controller

• Brokers connections between users and their desktops and applications
• Optimizes and load balances user connections
• Manages power state and registration of desktops

[Diagram: the Delivery Controller in the Control Layer, alongside the User, Access, Resource and Hardware Layers.]

Key Notes:
• The Delivery Controller is a core component of a Citrix Virtual Apps and Desktops deployment.
• The Delivery Controller only manages the power state of the machines for virtualized environments, as it needs to
communicate with the hypervisor.
• In a deployment, the Delivery Controller is the server-side component that is responsible for managing user access, plus
brokering and optimizing connections. Controllers also provide Machine Creation Services, which can be used to create
and manage desktop and server images and machines.

• A Site must have at least one Delivery Controller. After you install the initial Controller and create a Site, you
can add additional Controllers. There are two primary benefits from having more than one Controller in a Site.
• Redundancy — As a leading practice, a production Site should always have at least two Controllers on
different physical servers. If one Controller fails, the others can continue to manage connections and
administer the Site.
• Scalability — As Site activity grows, so does CPU utilization on the Controller and SQL Server database
communications. Additional Controllers provide the ability to handle more users and more resource
requests, and can improve overall responsiveness.
• Supported operating systems:
• Windows Server 2019, Standard and Datacenter Editions, and with the Server Core option
• Windows Server 2016, Standard and Datacenter Editions
• Windows Server 2012 R2, Standard and Datacenter Editions
• Requirements:
• Disk space: 100 MB. Connection leasing (which is disabled by default) and Local Host Cache (enabled by
default) add to this requirement; sizing depends on the number of users, applications, and mode (RDS or
VDI). For example, 100,000 RDS users with 100 recently-used applications require approximately 3 GB of
space for connection leases; deployments with more applications may require more space. For dedicated
VDI desktops, 40,000 desktops require at least 400-500 MB. In any instance, providing several GBs of
additional space is suggested.
• Microsoft .NET Framework 4.7.1
• Windows PowerShell 3.0
• Microsoft Visual C++ 2017 Runtime, 32- and 64-bit

Additional Resources:
• Delivery Controllers:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/delivery-controllers.html
• System Requirements – Delivery Controller:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html



Delivery Controller Locations

[Diagrams: “On-Premise or Public Cloud” and “On-Premise or Public Cloud with Citrix Cloud (Citrix-Managed)”, each showing the Access, Control, Resource and Hardware Layers.]

Key Notes:
• For On-Premise or Public Cloud deployments you must have at least one Delivery Controller.
• When subscribed to Citrix Cloud, you offload the management of the Delivery Controller to Citrix and in turn you must
have a Cloud Connector.
• The Cloud Connector serves as a channel for communication between Citrix Cloud and your Resource Locations,
enabling cloud management without requiring any complex networking or infrastructure configuration such as VPNs or
IPSec tunnels.



• Cloud Connector provides connectivity to all services within the Citrix Cloud (Example: Citrix Virtual
Apps and Desktops service, Citrix Endpoint Management Service, Smart Tools service).
• Since Cloud Connectors are the only communication medium between a Resource Location and Citrix
Cloud they must always be deployed in pairs to ensure high availability.
• The CXD-250 course goes into more detail on the Cloud Connector. An alternative training is the CXD-252
course.
• With Citrix Cloud subscriptions, the StoreFront and Citrix Gateway roles are optional in either On-Premise or
Public Cloud or with subscribed Citrix Cloud services.


Install the Delivery Controller

• Install Options
  • Begin with the Autorun from the installation media
  • Start XenDesktopServerSetup.exe with parameters
  • Use the command line with switches
• System Requirements
  • Windows Server 2019, 2016, 2012 R2
  • Standard and Datacenter Editions, with Server Core option
  • Microsoft .NET Framework 4.7.1
  • Windows PowerShell 3.0+
  • Visual C++ 2017 Runtime, 32- and 64-bit
• Site Requirements
  • Every Site deployment must have at least one Delivery Controller, even Citrix Cloud deployments
  • For Citrix Cloud, the Delivery Controller is installed for you

Key Notes:
• System requirements can change depending on the version of Citrix Virtual Apps and Desktops that is being installed.
Check the Citrix documentation website (docs.citrix.com) and verify the installation requirements for the version of the
product that will be used before starting a new deployment.
• Unless otherwise noted, the component installer deploys software prerequisites automatically (such as .NET and C++
packages) if they are not detected on the machine. The Citrix installation media also contains some of this prerequisite
software.



• The installation media contains several third-party components. Before using the Citrix software, check for
security updates from the third party, and install them.
• Standard, Enterprise and Datacenter editions of the Windows Server OS are supported where applicable.
• Starting with Citrix Virtual Apps and Desktops 7.18, Delivery Controller installations on Windows Server Core
are supported.

Additional Resources:

• System Requirements – Delivery Controller:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html
• Install using the command line:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/install-command.html


Delivery Controller Services

After the installation of the Citrix Delivery Controller, there are new Citrix-prefixed Windows services
that were installed to perform Citrix functions.

Key Notes:
• Citrix AD Identity Service (NT SERVICE\CitrixADIdentityService): Manages Microsoft Active Directory computer accounts
for VMs.
• Citrix Analytics (NT SERVICE\CitrixAnalytics): Collects site configuration usage information for use by Citrix, if this
collection has been approved by the site administrator. It then submits this information to Citrix, to help improve the product.
• Citrix App Library (NT SERVICE\CitrixAppLibrary): Supports management and provisioning of AppDisks, AppDNA
integration, and management of App-V.



• Citrix Broker Service (NT SERVICE\CitrixBrokerService): Selects the virtual desktops or applications that are
available to users.
• Citrix Config Synchronizer Service (CSS): If a change has been made since the last check, the principal
broker uses CSS to synchronize (copy) information to a secondary broker.
• Citrix Configuration Logging Service (NT SERVICE\CitrixConfigurationLogging): Records all configuration
changes and other state changes made by administrators to the site.
• Citrix Configuration Service (NT SERVICE\CitrixConfigurationService): Site-wide repository for shared
configuration.
• Citrix Delegated Administration Service (NT SERVICE\CitrixDelegatedAdmin): Manages the permissions
granted to administrators.
• Citrix Environment Test Service (NT SERVICE\CitrixEnvTest): Manages self-tests of the other Delivery
Controller services.
• Citrix High Availability Service: Runs on the secondary broker and communicates with the principal broker.
• Citrix Host Service (NT SERVICE\CitrixHostService): Stores information about the hypervisor infrastructures
used in a Citrix Virtual Apps and Desktops deployment, and also offers functionality used by the console to
enumerate resources in a hypervisor pool.
• Citrix Machine Creation Service (NT SERVICE\CitrixMachineCreationService): Orchestrates the creation of
desktop VMs.
• Citrix Monitor Service (NT SERVICE\CitrixMonitor): Collects metrics for Citrix Virtual Apps and Desktops,
stores historical information, and provides a query interface for troubleshooting and reporting tools.
• Citrix Orchestration Service: These are not currently used, but must be enabled. Do not disable them.
• Citrix Remote Broker Provider: These are not currently used, but must be enabled. Do not disable them.
• Citrix Smart Tool Agent Service (Local System): Coordinates software deployment and transmits deployment
logs.
• Citrix Smart Tools Monitor Service (Local System): Monitors applications and services, and collects and transmits
metrics.
• Citrix Storefront Privileged Administration Service (NT SERVICE\CitrixPrivilegedService): Supports privileged
management operations of StoreFront. (It is not part of the StoreFront component itself.)


• Citrix Storefront Service (NT SERVICE\CitrixStorefront): Supports management of StoreFront. (It is not part
of the StoreFront component itself.)
• Citrix Telemetry Service: Collects diagnostic information for analysis by Citrix, such that the analysis results
and recommendations can be viewed by administrators to help diagnose issues with the site.
• Citrix Trust Service: These are not currently used, but must be enabled. Do not disable them.
• Delivery Controller Services Look-Up:
• The Get-Service -DisplayName *citrix* PowerShell cmdlet enumerates all of the Citrix services on the Delivery
Controller.
• This cmdlet is customizable to allow the querying of remote servers for the status of their services.


Flex Management Architecture
Citrix Services Explained

Delivery Controller Services

Flex Management Architecture (FMA) is a service oriented architecture where multiple controllers consist of multiple
independent services.

These services are independent of each other and communicate using service endpoints.

Each service uses a separate DB connection string to connect to the primary site database.

All services run under the NT AUTHORITY\Network service account.

All FMA services need to register with the configuration service on start-up so that it knows they are “all good to go.”

Core Services

All FMA services run independently of each other, so a failure of one service will not cause a disruption in the
functionality of any other service(s).

There are three Core services that are essential for a FMA site to run optimally.
• Central Configuration Service (CCS)
• Configuration Logging Service (CLS)
• Delegated Administration Service (DAS)

Key Notes:
• The Delivery Controller is comprised of services that are responsible for authenticating users, querying for a user’s assigned
apps/desktops, brokering connections between end users and their resources, optimizing and load-balancing the
connections, and communicating with the hypervisor to determine and manage the power state of the desktops, among
other things.
• These Delivery Controller Services are – Broker Service, Machine Creation Service, Configuration Service, AD Identity
Service, Hosting Service, Delegated Administration Service, Monitoring Service, Environment Test Service, Configuration
Logging Service, Analytics Service, App Library, Configuration Synchronizer Service, High Availability Service,
Orchestration Service, Remote Broker Provider, Telemetry Service, Trust Service, StoreFront Privileged
Service, StoreFront Service, Smart Tool Agent Service and Smart Tool Monitor Service.
• Each of these services has an independent connection to the Site database.
• Whether the administrator selects Citrix Virtual Apps and Desktops during the installation process for the
Delivery Controller, the same binaries are installed, because Citrix Virtual Apps and Desktops now share an
architecture, called the FlexCast Management Architecture (FMA). The licenses purchased restrict the
FlexCast models and features that can be leveraged.
• Leading practice: install the Delivery Controller role on a dedicated server so that resources are not dedicated
to other tasks, as this could impact brokering times, thereby decreasing performance/end user experience.
• This minimizes the risk of a scenario where the other role of the server causes a failure, which could cause
end users to be unable to access their resources.
• This installation will also install Citrix Studio (unless deselected), which is the management console for
Citrix Virtual Apps and Desktops deployments, on the Delivery Controller.
• All services run independently of each other, so a failure of one service will not cause a disruption in the
functionality of any other service(s).
• But not all services are equal – we can logically divide services into three different groups:
• Core Services – These services are essential for functionality of an FMA site.
• CCS – Central Configuration Service:
• Handles all inter-service communication between FMA services.
• Acts as a centralized directory of all FMA services.
• CLS – Configuration Logging Service:
• Monitors and logs all configuration changes made within a Citrix Virtual Apps and Desktops Site, including
all administrator activity.
• Is critical, because it needs to be involved in all changes to the environment to make sure that they’re
recorded in the central database.
• DAS – Delegated Administration Service:
• Manages the creation, configuration and administration of all delegated administrative permissions.
• Is also crucial, because it needs to determine whether the current user has the required privileges for every call
being made.


Delivery Controller Services Communication

Each of the Delivery Controller’s FMA services establishes its own direct connection to the site database.
Some services, such as Configuration Logging, will have an additional separate connection to a
secondary database.

[Diagram: the Delivery Controller services (AD Identity, Analytics, Broker, Configuration, Delegated Administration, Environment Test, Host, Machine Creation, StoreFront, App Library, Orchestration, Trust, Monitoring, Configuration Logging, Config Synchronizer and High Availability) and the databases shown with them: the Site database, the Monitoring database, the Configuration Logging database and the local database (LocalDB).]
Key Notes:
• Supported Microsoft SQL Server versions for the Site Configuration Database (which initially includes the Configuration
Logging Database and the Monitoring Database):
• SQL Server 2017, Express, Standard, and Enterprise Editions.
• For new installations: By default, SQL Server Express 2017 with Cumulative Update 16 is installed when installing
the Controller, if an existing supported SQL Server installation is not detected.
• SQL Server 2016, Express, Standard, and Enterprise Editions.



• SQL Server 2014 through SP2, Express, Standard, and Enterprise Editions. By default, SQL Server 2014
SP2 Express is installed when installing the Controller, if an existing supported SQL Server installation is
not detected.
• SQL Server 2012 through SP3, Express, Standard, and Enterprise Editions.
• SQL Server 2008 R2 SP2 and SP3, Express, Standard, Enterprise, and Datacenter Editions.
• The following database features are supported (except for SQL Server Express, which supports only
standalone mode):
• SQL Server AlwaysOn Failover Clustered Instances
• SQL Server AlwaysOn Availability Groups (including Basic Availability Groups)
• SQL Server Database Mirroring
• Windows authentication is required for connections between the Controller and the SQL Server Site
database.

Additional Resources:
• System requirements - Databases: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html


Service Scripting
Considerations

• Scripts are easy to learn and use.
• Scripts allow complex tasks to be performed in relatively few steps.
• For Example:
• Consider using a service script to run a health check on all Citrix Services.

Key Notes:
• Scripting Introduction:
• Scripts are easy to learn and use.
• Scripts allow complex tasks to be performed in relatively
few steps.
• Scripts allow simple creation and editing.
• Service Scripting Use Cases



• Service script a health check of all Citrix services.
• Service script a change database connection string for all the services.
• Service script to re-register all instances with Central Configuration Service (CCS).
• Service script to unregister instances to remove a rogue Delivery Controller out of a Site.
• Screenshot Example:
• This (Change_XD_To_ConnectionString.ps1) script uses the Citrix Virtual Desktops PowerShell API to
reconfigure the database connection strings in the correct sequence to update the connection string.
• It takes new connection strings as input from the Administrator and updates the old connection strings with the new
ones.
• This script defines mandatory parameters to be provided by the Administrator and then uses a function to
convert the inputs into connection strings.
• It then calls another function to replace old connection strings with new connection strings.

Additional Resource:
• Scripts For Updating Connection Strings in XenApp/XenDesktop 7.x:
https://support.citrix.com/article/CTX221389
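
The first use case above, a health check of all Citrix services, builds on the Get-Service -DisplayName *citrix* look-up from the Delivery Controller Services notes. The following is an added example, not part of the course material and not a Citrix script: it queries Win32_Service instead of Get-Service so that it can also report the start mode and logon account of each service. The function names, the CIM/WinRM access to remote Controllers and the allow-list of logon accounts are assumptions to adjust for your Site.

```powershell
#Requires -Version 3.0
# Added example: health check of Citrix services on one or more Delivery Controllers.
# Function names are hypothetical; nothing here comes from Citrix's own scripts.

function New-CitrixHealthRow {
    param($Computer, $Service, $State, $StartMode, $Account, [string[]]$Finding)
    [pscustomobject]@{
        Computer  = $Computer
        Service   = $Service
        State     = $State
        StartMode = $StartMode
        Account   = $Account
        Healthy   = ($Finding.Count -eq 0)
        Findings  = ($Finding -join '; ')
    }
}

function Get-CitrixServiceHealth {
    [CmdletBinding()]
    param(
        # Controllers to query. Defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),

        # Assumption: allow-list of logon accounts (wildcards allowed), based on the
        # accounts this page names for the Controller services. Adjust for your Site.
        [string[]]$AllowedAccount = @(
            'NT SERVICE\Citrix*',
            'NT AUTHORITY\NetworkService',
            'LocalSystem'
        )
    )

    foreach ($computer in $ComputerName) {
        # Same selection as Get-Service -DisplayName *citrix*, but Win32_Service also
        # returns the start mode (StartMode) and the logon account (StartName).
        $query = @{
            ClassName   = 'Win32_Service'
            Filter      = "DisplayName LIKE '%Citrix%'"
            ErrorAction = 'Stop'
        }
        # Remote queries use CIM over WinRM; this assumes WinRM is enabled on the target.
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

        try {
            $services = @(Get-CimInstance @query)
        }
        catch {
            # An unreachable Controller is itself a finding, not a reason to stop.
            New-CitrixHealthRow -Computer $computer -Service '(all)' -State 'Unknown' `
                -StartMode 'Unknown' -Account '' `
                -Finding @("Query failed: $($_.Exception.Message)")
            continue
        }

        if ($services.Count -eq 0) {
            New-CitrixHealthRow -Computer $computer -Service '(none)' -State 'Unknown' `
                -StartMode 'Unknown' -Account '' -Finding @('No Citrix services found')
            continue
        }

        foreach ($svc in $services) {
            $findings = @()

            # The notes say even the unused services must stay enabled.
            if ($svc.StartMode -eq 'Disabled') {
                $findings += 'Service is disabled'
            }
            elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
                $findings += 'Automatic start but not running'
            }

            # Flag a service whose logon account is outside the allow-list.
            $known = @($AllowedAccount | Where-Object { $svc.StartName -like $_ })
            if ($known.Count -eq 0) {
                $findings += 'Unexpected logon account'
            }

            New-CitrixHealthRow -Computer $computer -Service $svc.DisplayName `
                -State $svc.State -StartMode $svc.StartMode -Account $svc.StartName `
                -Finding $findings
        }
    }
}

# Local check; lists only the rows that need attention.
Get-CitrixServiceHealth | Where-Object { -not $_.Healthy } | Format-Table -AutoSize

# Remote check against constructed, hypothetical Controller names:
# Get-CitrixServiceHealth -ComputerName 'ddc01.example.local', 'ddc02.example.local'
```

An empty result from the local check means every Citrix service found is enabled, running if set to start automatically, and logging on with an account in the allow-list.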



Local Host Cache (LHC)
Allows the Delivery Controller to continue connection brokering operations in a Site when a
database outage occurs.

• The Local Host Cache (LHC):
• Enables Delivery Controllers to leverage a local cache (LocalDB) to provide users with access to resources during
a Site database connection failure.
• Utilizes two services
• Config Synchronization Service
• High Availability Service
• Supplements, but does not replace, a SQL high availability configuration.

Key Notes:
• Local Host Cache is enabled by default in build 1808+.
• Local Host Cache retains a copy of the site data in a local SQLExpress on every Delivery Controller, and relies on this
data during a database outage to continuously support VDA registrations and session brokering requests.
• Connection Leasing was a feature released with 7.6 and is no longer available in version 7.16+ (not available in LTSR
1912).
• In earlier versions of the product, to enable it, run the PowerShell command: Set-BrokerSite -ConnectionLeasingEnabled
$true.
• Retains the local data in an XML file while updating the Site database with information periodically for
synchronization amongst Delivery Controllers.
• Delivery Controllers check for new leases every 10 seconds and sync that information into the XML file, if a
new lease exists.
• The lease expiration period can be changed via PowerShell or the registry, but you need to factor in increased
storage requirements for longer time periods.
• With connection leasing, a Controller will cache user connections to resources to its local disk (default
location: C:\Program Data\Citrix\Broker\Cache), and the lease generated for the connection is valid for
two weeks.
• Connection Leasing has limitations; it is still a leading practice to require a highly available SQL solution.
• Do not enable both Local Host Cache and Connection Leasing at the same time.
• LHC Considerations:
• LocalDB service requires extra RAM on Delivery Controllers.
• LocalDB can use multiple cores (up to four), but is limited to only a single socket.
• During outages, LocalDB will consume local storage and I/O.
• During an outage, one broker handles all the connections, meaning all Delivery Controllers
must be sized accordingly.
• Most sessions support Local Host Cache except random/non-persistent desktops.
• Effectively handles up to 10,000 VDAs.
• Local Host Cache is enabled by default on new installations.
• LHC use depends on whether the Delivery Controller is new or upgraded:
• New install: After a new Citrix Virtual Apps and Desktops installation, Local Host Cache is enabled.
• Upgrade: After an upgrade, the Local Host Cache setting is unchanged. For example, if Local Host Cache
was enabled in the earlier version, it remains enabled in the upgraded version. If Local Host Cache was
disabled (or not supported) in the earlier version, it remains disabled in the upgraded version.

Additional Resources:
• Local Host Cache: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/local-host-cache.html

Local Host Cache (LHC) Normal Operations vs Outage

[Diagram: two panels, Normal Operations and Database Outage. Each shows Endpoints, StoreFront, VDA, the Site Database and a Delivery Controller containing the BrokerService, Config Synchronize Service, Secondary BrokerService and SQLExpress LocalDB.]

Normal Operations
• The Delivery Controller synchronizes configuration data from the Site Database to a local SQL Express database
every two minutes, if changes have been made.

Database Outage
• During an outage, the BrokerService stops listening for StoreFront and VDA information.
• The BrokerService instructs the Secondary BrokerService to start listening for and processing connection requests.

Key Notes:
• When there are multiple Delivery Controllers across one or more Zones, the secondary brokers communicate with each
other on a separate channel and determine (elect) which secondary broker will be in charge of brokering operations in the
zone, if an outage occurs.



Delivery Controller
Scaling and Recommendations

• Always deploy on dedicated Windows Servers.
• Each Delivery Controller should begin sizing with 5 GB RAM, 800 MB Hard Disk (assumes site
database is hosted on SQL)
• If the following components are running on the Delivery Controller, plan ahead for the additional
resource requirements:
• Citrix Studio: 1 GB RAM, 100 MB hard disk
• Citrix Director: 2 GB RAM, 200 MB hard disk
• Citrix StoreFront: 2 GB RAM
• Citrix License Server: 2 GB RAM

Additional Resources:
• Hardware requirements: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html



Delivery Controller
On-Premises and Citrix Cloud

On-Premises Delivery Controller
• In an On-Premises deployment, Citrix Administrators install and configure local Delivery Controllers and add
them to the Citrix Virtual Apps and Desktops Site.

Citrix Cloud Delivery Controller
• In a Citrix Cloud deployment, the Citrix Virtual Apps and Desktops Services Site is deployed when the service is
enabled, including the Delivery Controller requirements.
• For all resource locations, a local server, called a Cloud Connector, is required to take the place of the Delivery
Controllers.
• While the Cloud Connector initial install and setup is the local Citrix Administrator’s responsibility, once connected
to Citrix Cloud, Citrix maintains the version updates of the local Citrix Cloud Connector.

Key Notes:
• A Resource Location is the location in which the machines hosting the User Sessions are running. For Example:
• Server OS hosting shared application sessions
• Server OS hosting shared desktop sessions
• Server OS hosting a dedicated desktop session
• Desktop OS hosting a dedicated application session
• Desktop OS hosting a dedicated desktop session



Cloud Connector Locations

[Diagram: two panels, "On-Premise or Public Cloud" and "On-Premise or Public Cloud with Citrix Cloud (Citrix-Managed)". Each panel shows the Access, Control, Resource and Hardware layers. In the Citrix Cloud panel the Delivery Controller is Citrix-managed, a Cloud Connector is present, and StoreFront and Citrix Gateway are marked optional.]
Key Notes:
• For On-Premise or Public Cloud deployments you must have at least one Delivery Controller.
• When subscribed to Citrix Cloud, you offload the management of the Delivery Controller to Citrix and in turn you must
have a Cloud Connector.
• The Cloud Connector serves as a channel for communication between Citrix Cloud and your Resource Locations,
enabling cloud management without requiring any complex networking or infrastructure configuration such as VPNs or
IPSec tunnels.



• Cloud Connector provides connectivity to all services within the Citrix Cloud (Example: Citrix Virtual
Apps and Desktops service, Citrix Endpoint Management Service, Smart Tools service).
• Since Cloud Connectors are the only communication medium between a Resource Location and Citrix
Cloud they must always be deployed in pairs to ensure high availability.
• The CXD-250 course goes into more detail on the Cloud Connector. An alternative training is the CXD-252
course.
• With Citrix Cloud subscriptions, the StoreFront and Citrix Gateway roles are optional in either On-Premise or
Public Cloud or with subscribed Citrix Cloud services.


The Role of the Cloud Connector
Citrix Cloud Connector Introduction

The Citrix Cloud Connector:
• Serves as a channel for communication between the Citrix Cloud and resource locations.
• Provides several services to connect resources to the Citrix Cloud.
• Supports the same protocols as a Delivery Controller in Citrix Virtual Apps and Desktops,
allowing the cloud service to share the same VDA and Gateway communication.

[Diagram: the Citrix Virtual Apps and Desktops Service communicates over internet-facing SSL, https:// (port 443), with the on-premise Cloud Connector (Authentication, Proxy, Provisioning, Identity). Also shown: Hypervisors, Citrix Gateway, Active Directory Server, Server OS VDAs, Desktop OS VDAs and Public Cloud.]
Key Notes:
• Citrix Cloud Connector:
• Simple to deploy
• Managed by Citrix
• Not operated as a VPN
• All connections are egress (port 443 only)
• Supports enterprise web proxies



• Secured by service key per-connector
• Self updating and evergreen
• Cloud Connector provides connectivity to all services within the Citrix Cloud (Example: Citrix Virtual Apps
and Desktops Service, Citrix Endpoint Management Service, Smart Tools service).
• Cloud Connector essentially acts as a bridge between a resource location and the functionalities of Citrix
Cloud.
• Since Cloud Connectors are the only communication medium between a resource location and Citrix Cloud
they must always be deployed in pairs to ensure high availability.
• Cloud Connectors can be installed on Windows Server operating systems.
• The Cloud Connector software can be downloaded from within the Citrix Cloud control plane under resource
locations.
• The connector eliminates the need for any VPN or IPsec by proxying only the few specific messages needed
by the cloud service.
• Active Directory queries: The connector needs read-only access in order to broker users to VDAs. This
eliminates the need for any of the components in the cloud to be domain-joined.
• Provisioning: To provision VDAs to on-premises hypervisors, the cloud will relay all hypervisor calls through
the connector, specifically the Host Control Layer service on the Cloud Connectors.
• VDAs: All brokering traffic between the VDAs and the cloud passes through the connector.
• Authentication: The connector acts as a STA, which allows Citrix Gateways to accept connections brokered
by the cloud.
• The connector is completely stateless, which makes it simple to install. In a few clicks, simply install it on any
domain-joined Windows 2012 R2 machine. The connector only needs outbound Internet access and can be
deployed behind a NAT. All traffic is sent over port 443, and the connector can even be configured to operate
behind an HTTP proxy.
• Once installed, the connector is low-touch. The connector includes an auto-update service managed by
Citrix Cloud, which ensures it is always patched and up-to-date with the latest features.
• Platform Requirements:
• .NET: .NET 4.5.1 or later.
• At least 40 GB of disk space and 4 GB of memory


• Active Directory Computer account must have Read permissions on containers, Read/Write permissions
on user and computer objects.
• Active Directory (AD): Join the machine to an AD domain that contains the resources and/or users for the
assignment to service offerings (Active Directory schema versions 2008 R2 and later are supported).
• Networking: Connect the machine to a network that can contact the resources in the resource location.
These resources provide the services. The machine must have a connection to the internet.
• Make sure the clock on the server has the correct UTC time. Otherwise, you cannot connect to the cloud.

• Citrix Cloud AD Provider
• This provides connectivity into Active Directory, as used by the Identity and Access Management.
• The Citrix Cloud AD Provider enables the Citrix Cloud to facilitate management of resources associated
with the Active Directory domain accounts it is installed into.
• Citrix Cloud Agent Logger
• The Citrix Cloud Agent Logger provides a support logging framework for the Citrix Cloud providers enabling
diagnosis support for the resource location both locally and within the Citrix Cloud. This service picks up
local logs, adds metadata to them, and uploads them to Citrix Cloud where they are then pushed into
SumoLogic.
• Citrix Cloud Agent System
• This is the one-and-only process that runs as Local System, which it must do in order to perform software
installations. This service handles the System Calls necessary for the on-premises agents.
• Citrix Cloud Agent Watchdog
• Monitors and upgrades the on-premises agents.
• This service provides the evergreen functionality. It can also upgrade itself. This service also maintains the
connector ID and access keys; other Windows services running as Network Service can obtain these as
needed.
• Citrix Cloud Credentials Provider
• The Citrix Cloud Credential Provider
• Citrix Cloud WebRelay Provider
• The Citrix Cloud WebRelay Provider enables HTTP Requests received from WebRelay Cloud service to be
forwarded to On-Premises Web Servers.
• Citrix Config Synchronizer Service
• Copies brokering configuration locally for high availability mode
• Citrix High Availability Service
• The Citrix High Availability service provides continuity of service during outage of central site.
• Cloud Citrix Gateway
• Citrix Cloud Gateway provides Internet connectivity to on-premises desktops and applications without the
need to open inbound firewall rules or deploy components in the DMZ.
• Citrix Remote Broker Provider
• Enables communication to a remote Broker service from local VDAs and StoreFront servers.
• Citrix Remote HCL Server
• The Remote HCL Server proxies communications between the Delivery Controller and the Hypervisor(s).
• Citrix Session Manager Proxy
• Manages anonymous pre-launched sessions, and uploads session count information to the cloud based
Session Manager service.
• The Cloud Connector is in constant development, so as the product evolves, more services are likely to be
added.
• Cloud Connector Functions:
• Active Directory (AD): Enables AD management, allowing the use of AD forests and domains within your
resource locations. It removes the need for adding any additional AD trusts.
• Citrix Virtual Apps and Desktops Service: Enables publishing the resources in your resource locations.
• Citrix Endpoint Management: Enables a Citrix Endpoint Management enterprise mobility management
(EMM) environment for managing apps and devices, as well as users or groups of users.
• Machine Catalog provisioning: Enables provisioning of machines directly into the resource locations.
• Citrix Cloud Connector performs on-premises operations on behalf of all the cloud services and proxies the
information to Citrix Cloud.
• Citrix Cloud Connector has a services based architecture and each service performs a unique role designed to
serve a specific cloud service.
• For Example, Citrix Cloud Gateway service running in the local System context talks to the Citrix Gateway
Service in the cloud to enable remote connections.

Additional Resources:
• Citrix Cloud Connector - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector.html


Cloud Connector Communication Flow
All traffic is secured over HTTPS (port 443)
• Works behind NATs and HTTP proxies
• Inbound:
  • Messages sent to the connector(s) rendezvous in the cloud at a special cloud service.
  • Messages are then transferred via a WebSocket architecture.
  • These messages are load balanced across connectors.
• Outbound:
  • Standard HTTPS web requests

[Diagram labels: Citrix Cloud (Citrix Virtual Apps and Desktops Service with Citrix Gateway); HTTPS API Calls; Binary Encoded Message Passing; Cloud Connector; Hypervisors; Active Directory Server; Server OS VDAs; Desktop OS VDAs]

Key Notes:
• Cloud Connectors can be installed on domain-joined Windows Server operating systems: Windows Server 2012 R2,
  Windows Server 2016, or Windows Server 2019.
• The Citrix Cloud Connector deploys a set of services that run on Microsoft Windows servers. It connects to
  Citrix Cloud in order to provide operation and management of resources within the network in which it is installed.
• The Cloud Connector installer and the Cloud Connector services both need a connection to Citrix Cloud via the internet.
• The connection to the internet from datacentres only requires TCP port 443 to be open for outbound
  connections.
• The Citrix Cloud Connector can work behind NATs and web proxy servers.
• Evergreen: The services in Citrix Cloud Connector are designed to be part of the cloud management model
  and the Cloud Connectors are fully managed from Citrix Cloud. This means that if there is a newer version of
  Citrix Cloud Connector, it is automatically deployed by Citrix Cloud, so administrators do not
  have to manually upgrade and patch the Cloud Connector servers.

Additional Resources:
• Citrix Cloud Connector: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector.html


Citrix Cloud with Customer Resource Location

[Diagram: two panels, "Citrix Cloud" and "Customer Resource Location".
Citrix Cloud panel labels: Citrix Cloud Platform (Identity & Access Management; Citrix Cloud Management UI (Library, Connectors, Resource Locations); Logging & Health Services; Support Ticketing; Licensing; Customer Feedback; Other (e.g. What’s New, Trial Requests)); Azure Service Bus; Azure AD; Citrix Virtual Apps and Desktops Service (SQL Database (PaaS), Delivery Controllers, Director, Studio, Gateway, Workspace); Citrix internal systems such as Support, Customer Feedback, Trial Requests, etc.
Customer Resource Location panel labels: Firewall; Port 443; DMZ; Cloud Connector; Active Directory; StoreFront; Citrix Gateway; Resource Provider (Hypervisor or IaaS); Resources (Server OS, Desktop OS).]
Customer managed StoreFront and Citrix Gateway are optional depending upon deployment.

Key Notes:
• The diagrams depicted in this slide are a logical representation to illustrate the traffic flows between customer managed
  components and the various Citrix Cloud services. They do not represent the actual physical implementation of the
  components used in the Citrix managed and operated Cloud service.
• Additional detail on the Citrix Gateway as part of Citrix Cloud: In this diagram the Citrix Gateway is depicted as a
  component of the Citrix Virtual Apps and Desktops Service. This is because the Citrix Gateway currently only
  provides ICA Proxy functionality. However, end-user connectivity through the Citrix Gateway is run from separate PoPs
  (Points of Presence) across the globe to provide the best performance and user experience.
• Cloud Connector Functions:
  • Active Directory (AD): Enables AD management, allowing the use of AD forests and domains within your
    resource locations. It removes the need for adding any additional AD trusts.
  • Citrix Virtual Apps and Desktops Service: Enables publishing the resources in your resource locations.
  • Citrix Endpoint Management: Enables a Citrix Endpoint Management enterprise mobility management
    (EMM) environment for managing apps and devices, as well as users or groups of users.
  • Machine Catalog provisioning: Enables provisioning of machines directly into the resource locations.


Citrix Cloud Connection
Services Focus
• Outbound Communication:
  • Azure Service Bus
  • Citrix Cloud Platform
  • Citrix Endpoint Management
  • Citrix Virtual Apps and Desktops Service
  • Labs Services
  • WEM Service

[Diagram: Cloud Connector services and the Citrix Cloud endpoints they communicate with.
Cloud Connector labels: Citrix Cloud Core Services; Cloud Agent Logger; Cloud Agent Watchdog; Cloud Credential Provider; AD Provider; WebRelay Provider; Cloud Agent System; High Availability Service; Config Synchronizer Service; Cloud Citrix Gateway; Remote Broker Provider; Remote HCL Server; Session Manager Proxy; WEM Cloud Auth Service; WEM Cloud Messaging Service. Legend: "Service with no external communication".
Domains shown:
• Citrix Cloud Platform: citrix.cloud.com, *.citrixworkspaceapi.net
• Citrix Endpoint Management (Cloud Service for Mobile Device and Application Management): <customer>.cloud.com or <customer>.xm.citrix.com
• Azure Service Bus (establishes WebSocket connection for certain Citrix Cloud services): *.servicebus.windows.net
• Virtual Apps & Desktops Service (cloud services for managing apps and desktops) and Citrix Gateway: *.apps.cloud.com, *.xendesktop.net, *.nssvc.net
• Labs Services, Session Manager Service: *.sessionmanager.cloud.com
• WEM Service (Workspace Environment Management): *.wem.cloud.com]

Additional Resources:
• Full Connectivity Requirements: https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html
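
The outbound-only, TCP 443 model and the domains on this slide translate directly into an egress allowlist for the Cloud Connector subnet. The following added example (not part of the course material or any Citrix tooling) audits a constructed internet-edge rule set against that list; the rule format, rule names and the `audit` function are assumptions made for illustration, and the customer-specific Endpoint Management hosts are left out.

```python
from fnmatch import fnmatchcase

# Destinations taken from the slide above. The customer-specific Endpoint
# Management hosts (<customer>.cloud.com, <customer>.xm.citrix.com) are left
# out; add them for your tenant. The linked requirements page is authoritative.
CONNECTOR_DESTINATIONS = [
    "citrix.cloud.com",
    "*.citrixworkspaceapi.net",
    "*.apps.cloud.com",
    "*.xendesktop.net",
    "*.servicebus.windows.net",
    "*.nssvc.net",
    "*.sessionmanager.cloud.com",  # only if the Session Manager service is used
    "*.wem.cloud.com",             # only if the WEM service is used
]


def rule(name, direction, protocol, port, dest, action="allow"):
    """Build one rule in the hypothetical format this example audits."""
    return {"name": name, "direction": direction, "protocol": protocol,
            "port": port, "dest": dest, "action": action}


def matches(dest, pattern):
    """True if a rule destination stays inside an allowed pattern."""
    dest, pattern = dest.lower(), pattern.lower()
    if "*" in dest:
        # A wildcard rule is accepted only if it is exactly the allowed
        # pattern; anything else (e.g. *.cloud.com) is broader than needed.
        return dest == pattern
    return fnmatchcase(dest, pattern)


def audit(rules, allowed=CONNECTOR_DESTINATIONS):
    """Return (finding, subject) tuples for an internet-edge rule set."""
    findings, covered = [], set()
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["direction"] == "inbound":
            # The connector initiates every connection; nothing inbound
            # from the internet needs to be allowed.
            findings.append(("inbound-allow", r["name"]))
        elif (r["protocol"], r["port"]) != ("tcp", 443):
            findings.append(("non-443-egress", r["name"]))
        else:
            hits = [p for p in allowed if matches(r["dest"], p)]
            if hits:
                covered.update(hits)
            else:
                findings.append(("unexpected-destination", r["name"]))
    # Destinations with no rule at all would break the matching service.
    findings += [("missing-egress", p) for p in allowed if p not in covered]
    return findings


# Constructed sample: rules on the internet-facing firewall for the
# Cloud Connector subnet. Names and values are invented for the example.
SAMPLE_RULES = [
    rule("cc-platform", "outbound", "tcp", 443, "citrix.cloud.com"),
    rule("cc-workspace-api", "outbound", "tcp", 443, "*.citrixworkspaceapi.net"),
    rule("cc-apps", "outbound", "tcp", 443, "*.apps.cloud.com"),
    rule("cc-xendesktop", "outbound", "tcp", 443, "*.xendesktop.net"),
    rule("cc-servicebus", "outbound", "tcp", 443, "*.servicebus.windows.net"),
    rule("cc-gateway", "outbound", "tcp", 443, "*.nssvc.net"),
    rule("cc-any-cloud", "outbound", "tcp", 443, "*.cloud.com"),
    rule("cc-http", "outbound", "tcp", 80, "citrix.cloud.com"),
    rule("legacy-ica-in", "inbound", "tcp", 1494, "cloud-connector"),
    rule("default-deny-out", "outbound", "any", 0, "*", action="deny"),
]

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_RULES):
        print(f"{finding:24} {subject}")
```

On the sample rules the audit reports the inbound allow rule, the port 80 rule, the over-broad `*.cloud.com` wildcard, and the two service domains that no rule covers.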



Citrix Cloud Connection
Outbound Communication - Process Focus

[Diagram: Cloud Connector services with numbered connections (1 to 12) to local components.
Cloud Connector labels: AD Provider; WebRelay Provider; Config Synchronizer Service; High Availability Service; Cloud Citrix Gateway; Remote Broker Provider; Remote HCL Server; Session Manager Proxy; Cloud Agent Logger; Cloud Agent Watchdog; Cloud Credential Provider; Cloud Agent System.
Local component labels: AD; Local DB; PKI; StoreFront; VDAs; NSGW; Hypervisor/Cloud IaaS; On-prem DDC. Legend: "Service with no Internal communication".]

Key Notes:
• Step 1
  • The AD Provider serves multiple Citrix Cloud services and communicates with AD Domain Controllers over various
    ports.
• Steps 2, 3
  • The WebRelay Provider is used by Citrix Endpoint Management to communicate with the PKI server(s) and talks
    to the PNAgent site hosted on StoreFront to allow users to add Citrix Virtual Apps and Desktops Service through
    Secure Hub.
• Steps 4, 5, 6
  • The Config Synchronizer, High Availability, and Remote Broker services work together to provide the
    Local Host Cache feature in a Citrix Cloud environment.
  • The Config Synchronizer Service sends the data obtained from the Virtual Apps and Desktops in the Cloud
    to the High Availability Service.
  • The High Availability Service writes the received data into the Local Database.
  • If Citrix Cloud is unavailable, the Remote Broker Provider will transfer brokering responsibilities to the High
    Availability Service.
• Steps 7, 8, 9
  • The Remote Broker Provider is the Citrix Cloud version of the Broker Service running on the DDC in a
    traditional deployment.
  • It operates in the same way when it interacts with on-premises StoreFront, Citrix Gateway and VDAs,
    except that additional configuration is required to set up XML traffic to use port 443 instead of 80.
  • Note dotted connections when Citrix Cloud is unavailable.
• Step 10
  • HDX traffic will run through the Connector’s Citrix Cloud Gateway service when Citrix Gateway as a
    Service is being used in Citrix Cloud.
• Step 11
  • The Remote HCL Server is used by the Citrix Virtual Apps and Desktops Service to provision VMs
    on demand utilizing Citrix Machine Creation Services (MCS).
• Step 12
  • The Session Manager Proxy is used only with the Session Manager experimental service in
    Citrix Cloud with a traditional XA/XD deployment; otherwise it remains dormant.

Additional Resources:
• 1: https://docs.citrix.com/en-us/citrix-cloud/overview/secure-deployment-guide-for-the-citrix-cloud-platform.html
• 2/3: https://docs.citrix.com/en-us/Citrix Endpoint Management/Citrix Endpoint Management-service/onboarding-and-resource-setup.html
• 4/5/6: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/manage-deployment/local-host-cache.html
• 7/8/9: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/technical-overview.html &
  https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/secure.html
  • Additional Config for XML Traffic to utilize port 443: please contact Citrix Support for instructions.
    Customizing the VDA Registration port is currently not supported in a Citrix Cloud environment.
• 10: https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/netscaler.html
• 11: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/install-configure/machine-catalogs-create.html
  • Additional detail on supported Hypervisors and IaaS platforms: https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/connections.html
• 12: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-labs/session-manager/session-manager.html


Consider Cloud Connector Redundancy

[Diagram: two scenarios, "Update Process" and "Connection Failure". Each shows Citrix Cloud, two Cloud Connectors, Hypervisors, Active Directory Server, Server OS VDAs and Desktop OS VDAs. Other labels: Automatic Update; N+1; X.]

Key Notes:
• Cloud Connector Update Process:
  • The Cloud Connector should be installed on a dedicated domain-joined machine.
  • Keep all of the connectors powered on at all times for proper operation.
  • Always install connectors in pairs. The number of connectors you should install is (N+1), where N is the capacity needed
    to support the infrastructure within your Citrix Cloud resource location.
  • Although 2 is technically enough to ensure HA under normal operations, having 3 would ensure that HA and
    capacity are also in place while a single connector updates.
  • Cloud Connectors automatically distribute the load.
  • If customers only deploy a single Cloud Connector, then that resource location may experience outages
    when the Cloud Connector is updated.
• Cloud Connector Connection Failure:
  • If all Cloud Connectors lose connectivity to Citrix Cloud, all brokering and power management will cease
    to function.
  • Existing HDX connections within the resource location will continue to run, unless they are made through
    Cloud Hosted Citrix ADC.
  • Having highly available Cloud Connectors minimizes the risk of a single point of failure and ensures that
    users can continue to use their applications even in the event of failure on a single Cloud Connector.


Citrix Cloud Local Host Cache (LHC)
Local Host Cache (LHC) allows the Citrix Virtual Apps and Desktops service deployment to continue
connection brokering operations in a Site when the Cloud Connector fails to connect to Citrix Cloud.

With Local Host Cache (LHC):
• Any users connected when LHC engages continue to stay connected, uninterrupted.
• Users reconnecting or establishing new connections have minimal connection delays.

[Diagram labels: Citrix Cloud; X; LHC; Cloud Connector; Hypervisors; Active Directory Server; Server OS VDAs; Desktop OS VDAs]

Key Notes:
• Check the latest Citrix online documentation to confirm whether Local Host Cache has been enabled in the product.
• If Local Host Cache is not enabled, it may be toggled on by submitting a request to enable this feature.
• If Local Host Cache is not enabled:
  • If all Cloud Connectors lose connectivity to Citrix Cloud, all brokering and power management will cease to function.
  • Existing HDX connections within the resource location will continue to run, unless they are made through Cloud Hosted
    Citrix ADC.
  • Having highly available Cloud Connectors minimizes the risk of a single point of failure and ensures that
    users can continue to use their applications even in the event of failure on a single Cloud Connector.
• When LHC is enabled, the feature engages after the network connection between the
  Cloud Connector and Citrix Cloud is lost for 20 seconds.
• Enables Cloud Connectors to leverage a local cache (LocalDB) to provide users with
  access to resources during a Citrix Cloud connection failure.
• Utilizes three services:
  • Citrix Remote Broker Provider Service (The Brokering Principal)
  • High Availability Service (The Secondary Broker)
  • Citrix Config Synchronization Service (CSS)
• Must be manually enabled via request.
• The Local Host Cache LocalDB is created when the Cloud Connector is installed.
  • If removed for any reason, it is recreated during Cloud Connector updates.
• This LocalDB contains a copy of some of the configuration data from Citrix Cloud and is updated every 2
  minutes after a configuration change is made.
• Each Cloud Connector maintains a separate copy of this configuration data in its own LocalDB; there is no
  redundancy method across Cloud Connectors.
• Local Host Cache is supported for:
  • Server-hosted applications and desktops.
  • Static (assigned) desktops.
• During a Resource Location outage:
  • Director will not show activity or capture data.
  • Resources cannot be managed from Cloud Studio or PowerShell.
  • VDAs will be in unknown power state and power operations cannot be issued.
  • Users can exceed their configured session limits.


• The event log indicates when synchronizations and outages occur.
• There is no time limit imposed for operating in outage mode.
• What is unavailable during an outage, and other differences:
  • You cannot use the Manage functions (Studio) in Citrix Cloud for items in the resource location
    experiencing the outage, or run PowerShell cmdlets.
  • Monitoring data is not sent to Citrix Cloud during an outage. So, the Monitor functions (Director) do not
    show activity from an outage interval.
  • Hypervisor credentials cannot be obtained from the Host Service. All machines are in the unknown power
    state, and power operations cannot be issued. However, VMs on the host that are powered-on can be
    used for connection requests.
  • Power-managed desktop VDAs in pooled Delivery Groups that have the "ShutDownDesktopsAfterUse"
    property enabled are placed into maintenance mode when an outage occurs.
  • An assigned machine can be used only if the assignment occurred before the outage. New assignments
    cannot be made during an outage.
  • Automatic enrollment and configuration of Remote PC Access machines is not possible. However,
    machines that were enrolled and configured before the outage can accept connections.
  • Server-hosted applications and desktop users can use more sessions than their configured session limits,
    if the resources are in different resource locations.
• During an outage, if a Cloud Connector is restarted:
  • If that Cloud Connector is not the elected primary broker, the restart has no impact.
  • If that Cloud Connector is the elected primary broker, a different Cloud Connector is elected, causing
    VDAs to register. After the restarted Cloud Connector powers on, it automatically takes over brokering,
    which causes VDAs to register again. In this scenario, performance can be affected during the
    registrations.

Additional Resources:
• Local Host Cache LHC Citrix Online Documentation: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/local-host-cache.html


Citrix Cloud Local Host Cache (LHC) Normal Operations vs Outage
Compare normal operations with an outage.

Normal Operations
• The Cloud Connector synchronizes configuration data from the Site Database to a local SQL Express database every two
  minutes, if changes have been made.

Database Outage
• During an outage, the BrokerService stops listening for StoreFront and VDA information.
• The BrokerService instructs the Secondary BrokerService to start listening for and processing connection requests locally.

[Diagram: both panels show Endpoints, StoreFront, VDA, Delivery Controller (BrokerService, Config Synchronize Service, Secondary BrokerService, SQLExpress LocalDB) and Site Database.]

Key Notes:
• When there are multiple Delivery Controllers across one or more Zones, the secondary brokers communicate with each
other on a separate channel and determine (elect) which secondary broker will be in charge of brokering operations in the
zone, if an outage occurs.



Cloud Connector Scaling and Recommendations
Scaling and recommendations

• Always deploy on dedicated Windows Servers.
  • Citrix may reboot the machine during updates or as part of active maintenance.
• Two Cloud Connectors can support 5k VDAs and 20k Sessions.
  • 4 vCPU and 4 GB RAM recommended.
• Cloud Connectors are stateless and will balance load automatically.
• Keep Cloud Connectors online.
  • If a Cloud Connector misses two updates in a row, it may lose connectivity with Citrix Cloud.

Key Notes:
• Citrix may roll out updates that require a Cloud Connector reboot; if the customer has multiple Cloud Connectors, Citrix
  will automatically complete the reboot. Therefore, do not install the Cloud Connectors on file servers, database servers
  and other critical production servers.
• The scalability test performed by Citrix only covers VDA registration and session launch; it does not include HDX proxy
  through the Connector and it does not account for other services such as Citrix Endpoint Management using the same
  Connectors.
• Cloud Connectors receive automatic updates to stay compliant with the build level of Citrix Cloud. If a Cloud
  Connector is offline for an extended period of time (>3 weeks), it may not receive the needed updates to be
  compliant with Citrix Cloud. The automatic update function distributes deltas, so if you miss an update window,
  the Cloud Connector may need to be reinstalled.
• If all your Cloud Connectors in a given resource location go offline, you may experience issues with the
  consoles in Citrix Cloud.
• A set of three 4 vCPU Cloud Connectors is recommended for sites that host no more than 5,000 Workstation
  VDAs.
  • This is an N+1 High Availability configuration.
• Starting 20,000 sessions to 100 Server VDAs is 57% faster using customer-managed StoreFront compared to
  using Citrix-managed StoreFront.
• Provisioning 1,000 VMs takes an average of 140 minutes.
• Scalability will decrease for customers using the Citrix Gateway Service, because the Cloud Connectors need
  to encrypt all the HDX session data and transport it to Citrix Cloud.

Additional Resources:
• Citrix Virtual Apps and Desktops Service in Citrix Cloud, Sizing and Scalability Considerations -
  https://docs.citrix.com/content/dam/docs/en-us/citrix-cloud/downloads/xenapp-xendesktop-service-sizing-scalability.pdf


Lesson Objective Review

What is the minimum recommended number of Cloud Connectors per resource location?

Two

This will both enable automatic updates of the Cloud Connectors and ensure load balancing
and high availability for the role.


Site Setup And Management


Manual Deployment vs Citrix Cloud

Manual Site Deployment
• When deploying On-Premises or in Public Cloud, all of the components for Citrix Virtual Apps and Desktops must be
  installed and configured.
• The Citrix management consoles are hosted on one or more dedicated or shared Citrix servers.

Citrix Cloud Site Deployment
• With Citrix Cloud, deploying the Citrix Virtual Apps and Desktops Site is as simple as logging in to the Citrix
  Cloud website, and with an active subscription clicking to enable the Citrix Virtual Apps and Desktops Service.
• All Citrix management consoles are hosted via webpage in Citrix Cloud and are available right away.


What is a Citrix Virtual Apps and Desktops Site?
A Citrix Virtual Apps and Desktops deployment is called a Site. The Site consists of the Delivery Controller (including Cloud
Connector), the Site databases and the resources made available to users.

[Diagram: two panels, "On-Premise or Public Cloud Site Components" and "On-Premise or Public Cloud with Citrix Cloud Site Components", each organized into Access, Control, Resource and Hardware layers.
Labels include: Firewall; Citrix Gateway; StoreFront; Delivery Controller; License Server; SQL; Domain Controller; Server OS; Assigned Desktop OS; Random Desktop OS; Remote PC; and, in the Hardware layer, Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.
The Citrix Cloud panel also shows a Citrix Cloud (Citrix-Managed) box, StoreFront and Citrix Gateway marked Optional, and a Cloud Connector.]

Key Notes:
• A Site is the name you give to a product deployment.
• The Site is comprised of the Delivery Controllers and the other core components, VDAs, virtual resource connections (if
  used), plus the Machine Catalogs and Delivery Groups that are created and managed.
• There are two methods to use a Citrix Virtual Apps and Desktops Site:
  • Create Citrix Cloud Connector virtual machines to use a pre-configured Citrix Cloud Site.
  • Install a Delivery Controller in an On-Premise or Public Cloud deployment and create a Site.
• The Site does not necessarily correspond to a geographical location, although it can.
• An On-Premise or Public Cloud Site requires a minimum of one Delivery Controller (plus a Citrix Cloud
  Connection with Citrix Cloud), and must be configured prior to joining additional controllers.
• Site creation includes creating the Site Configuration databases. Make sure the SQL Server software is
  installed before you use a Site.
• The Site core infrastructure can be hosted:
  • On-Premises
  • On Public Cloud, such as Azure or AWS
  • Subscription to Citrix Cloud
• The Resource location(s) can be hosted:
  • On-Premises
  • On Public Cloud, such as Azure or AWS

Additional Resources:
• Create a Site: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/site-create.html


Site Database Types
Three Databases for a Citrix Virtual Apps and Desktops Site

Site Database
• Running Site configuration
• Current session states
• Connection information

Configuration Logging Database
• Site configuration changes
• Administrator activities

Monitoring Database
• Session and connection information
• Data leveraged by Director

Key Notes:
• The Site Database stores the running Site configuration, plus the current session state and connection information.
• The Configuration Logging Database stores information about Site configuration changes and administrative activities.
  This database is used when the Configuration Logging feature is enabled.
• The Monitoring Database is used by Director, which is a monitoring tool included with Citrix Virtual Apps and
  Desktops that displays metrics regarding sessions and enables admins/help desk to perform basic troubleshooting steps
  (end processes, reset profile, etc.).
• The Citrix Virtual Apps and Desktops Site supports Microsoft SQL.
• There are three databases that store data from the FMA services for the Delivery Controller.
• These FMA services leverage the Delivery Controller’s machine account to authenticate against SQL.
• The Site Database contains configuration information for the running of the system.
  • High levels of transactions per second occur during logon, as each user logon requires multiple individual
    transactions to be carried out, and scale based on the concurrent launch rate.
  • Peak size is reached after 48 hours, as the database stores very little persistent information.
• To review, FMA stands for the FlexCast Management Architecture, which is the architecture used in Citrix
  Virtual Apps and Desktops 7.x.
• Data for the Site from the FMA services is stored in the Site databases; this is why a SQL server is required
  (review Module 2 for details).
• Leveraging the Delivery Controller’s computer AD account for authentication to SQL enhances security by
  preventing the service account password from being stored and by having the machine password change
  every 30 days.
• During the Controller installation, if you choose to have the default SQL Server Express database installed,
  some information is already pre-populated in the wizard. If you use a SQL server that is installed on a different
  machine, enter the database and server names when prompted.

Additional Resources:
• Create a Site: 1912 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/install-configure/site-create.html
• Database Sizing Guidance for XenApp/XenDesktop Versions 7.6 Through Current Release:
  http://docs.citrix.com/en-us/categories/solution_content/implementation_guides/database-sizing-guidance-for-xendesktop-7-6.html
• Configuration Logging: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/monitor/configuration-logging.html


Site Databases Configuration
Three Options to Configure

• Option 1:
  • Create databases automatically through Studio
  • User account requires sysadmin permissions
• Option 2:
  • Generate database scripts to create databases manually
  • Create three empty databases
  • Set collation to _100_CI_AS_KS
  • Run database script on SQL server using SQLCMD
• Option 3:
  • Configuration is not required when subscribing to Citrix Cloud
  • Site is pre-created
  • Database backups are taken care of by Citrix

Key Notes:
• There are three options for configuring the connection to the databases during Site creation to address the fact that not
  every database team will allow Citrix administrators to have elevated rights to the SQL server.
  • Option 1: The user account requires sysadmin privileges on the target SQL server to enable Studio to create the
    databases automatically. The elevated SQL permissions are not required during runtime, and can be removed after
    installation/configuration if necessitated by the security team.
  • Option 2: In cases where the security team prohibits the service account from having elevated SQL privileges, during
    Site creation, click the “Generate scripts” option and provide the resulting scripts to the SQL
    team/appropriate contact to create the databases manually (this generates two scripts; the second one is for
    mirrored database instances). Create the databases, make sure that the collation is correct, and run the
    script with SQLCMD. After the databases are created, select “Test Connection” to validate that the Delivery Controller
    can connect to them.
  • Option 3: No manual configuration is required when subscribing to Citrix Cloud. The Site is pre-created and
    database backups are taken care of by Citrix.

Additional Resources:
• Create a Site: 1912 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/install-configure/site-create.html
• Permissions Required To Setup the Database: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview/databases.html#permissions-required-to-set-up-databases


Site Management and Monitoring

On Premises or Public Cloud
Citrix Studio and Citrix Director
• Requires manual installation and resource allocation considerations.
• Console launch via direct connection to installed location servers.

On Citrix Cloud
Citrix Studio and Citrix Director
• Setup configured and enabled by Citrix when the Citrix Virtual Apps and Desktops Service is enabled.
• Console navigation via Citrix Cloud.


Citrix Cloud Administration Overview
[Screenshots: Cloud Administration Console; Cloud Studio; Cloud Director; Cloud Updates]

Key Notes:
• Three main consoles are available for configuring and managing the Citrix Virtual Apps and Desktops Cloud Service.
• Cloud Administration Console is the web Control Plane. Here you manage resource locations, Identity and Access
  Management, Support Tickets, Notifications and Account Settings. The options available here are not limited to only the
  Citrix Virtual Apps and Desktops.
• Cloud Studio is an MMC console that is accessed as a published resource from within the Cloud web page. Cloud Studio
  will look much like an on-premises Studio, but will expose a different feature set than the on-premises version. The
  console is used for managing Hosting Connections, Zones, Machine Catalogs, Delivery Groups and Studio
  based Policies. Options here only apply to the Citrix Virtual Apps and Desktops.
• Cloud Director is the same experience as the on-premises Director; however, the Director webpage has been
  merged into a frame in the Cloud Administration Console. The Cloud Director console allows administrators
  and helpdesk personnel to quickly troubleshoot environment, application and user issues. Currently, the Cloud
  Director does not support delegated administration, so all logins will have the same administrative
  permissions.
• Place resource locations where they best meet your business needs. Resource locations can be in a public
  cloud, in a branch office, private cloud, or a data center.
• The choice of location may be impacted by the following:
  • Proximity to subscribers
  • Proximity to data
  • Scale requirements
  • Security attributes
• Resource locations created in the Cloud Control Plane will show up in Cloud Studio. If you create multiple
  resource locations, you should create the corresponding number of Zones in Cloud Studio and link them
  accordingly.
• The first resource location is automatically created in Citrix Cloud. It is named "My Resource Location", but
  the name can be changed.


Citrix Cloud
Identity and Access Management

• Administrators:
  • Administrators use their identity to access Citrix Cloud, perform management activities and deploy the Citrix Cloud
    Connector.
  • By default, Citrix Cloud uses the Citrix Identity provider to manage the identity information for administrators in
    Citrix Cloud. Alternatively, Azure Active Directory can be used instead.
• Subscribers:
  • Subscriber identity defines which subscribers (users) have access to services through Citrix Cloud. These
    identities come from Active Directory domain accounts provided from the domains within the resource location.
  • Citrix Cloud administrators can control which domains can be used to provide these identities from the Domains
    tab in Identity and Access Management pages in Citrix Cloud.
  • Subscribers can also be Azure Active Directory users and can benefit from multifactor authentication provided by
    Azure AD.

Key Notes:
• Subscribers are users or groups from Active Directory. Active Directory is queried through Citrix Cloud Connector, which is deployed on-premises or in a public cloud where an express route or VPN to the datacenter is defined.
• Administrators are MyCitrix identities and therefore are not extracted from Active Directory.
• If integrating Azure AD, administrators can be extracted from Azure AD instead of creating a MyCitrix Identity.
• Onboarding:
  • During the customer onboarding process an initial administrator is created.
  • The administrator can then invite other administrators to join Citrix Cloud.
  • These new administrators can use their existing Citrix account credentials or set up a new account if needed.
  • You cannot remove the last administrator from the customer account.
  • There must be at least one administrator per customer.

Additional Resources:

• What Is Identity and Access Management? - https://docs.citrix.com/en-us/citrix-cloud/cloud-management/what-is-identity-and-access-management.html


Lesson Objective Review

Scenario: Your manager wants to know which service account is used to access the Citrix Virtual Apps and Desktops SQL databases. What will you reply?

The databases are accessed using the Delivery Controllers’ Active Directory machine accounts.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 2

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the
lab exercises.



Redundancy Considerations

Citrix Virtual Apps and Desktops Site Components


Redundancy
• Depending on the deployment, some components of a Citrix Virtual Apps and Desktops Site are a “single point of failure.”
• To protect against Site-wide outages due to a single failing component, plan for redundancy.

[Diagram: layered Site architecture with User, Access, Control, Resource and Hardware layers. Labelled components: Internal Users, External Users, Firewall, StoreFront, Citrix Gateway, Delivery Controller, Domain Controller, HA SQL, License Server, Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC; hardware labels: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• Redundancy can come in different forms, but mostly means duplicated systems, connections, etc., so that the loss of a single component can be compensated for without threatening the performance of the complete site.
• How much redundancy is needed?
  • The main components of a Site need to be redundant:
    • 2x StoreFront Server
    • 2x Controller Server
    • HA Database Server
    • 2x License Server (if grace period is not acceptable)
    • 2x Citrix Gateway (recommended)


Impact During Failure if no Redundancy
Citrix Site Centric

• Citrix License Server
  • The Site enters a 30-day grace period.
  • After the grace period expires, users will no longer be able to make HDX connections.
• Citrix Delivery Controller
  • No power management actions on VMs running the VDA.
  • Site is unmanageable.
  • Studio and PowerShell cmdlets fail.
  • Director fails.
  • Citrix Workspace App and StoreFront will not enumerate icons.
  • Established sessions continue to run.
• Citrix Site Database
  • No power management actions on VMs running the VDA.
  • Site is unmanageable.
  • Studio and PowerShell cmdlets fail.
  • Local Host Cache is used by the Delivery Controllers to continue brokering.
• Citrix StoreFront
  • User authentication via web or Citrix Workspace App fails.
  • Citrix Workspace App and StoreFront will not enumerate icons.
  • Established sessions continue to run.

Key Notes:
• Citrix License Server Considerations:
  • If the Citrix License Server is unrecoverable:
    • Restore the machine from backup.
    • Set up a new license server with the same name and upload the license files.
    • Re-download the license files from MyCitrix.
    • When the new license server is active, Citrix Virtual Apps and Desktops exit the grace period and users can connect to their resources again.
  • Customers who virtualize the Citrix License Server are provided with a redundant solution that allows for mobility between multiple physical servers without the need for downtime.
  • Other licensing components could also fail: Microsoft KMS Server, Microsoft Remote Desktop Licensing Server, AV solution license system, etc.
  • Failure of the license server can have different reasons:
    • The license server machine or the software crashed / is broken.
    • The license server machine is unable to communicate on the network.
    • All licenses of the requested type are already checked out – in certain scenarios a supplemental grace period can apply (see Additional Resources).
    • The licenses have not been updated to reflect a new subscription advantage date before the site was updated – and the site now requires a newer SA date.
  • Customers are granted a grace period of 90 calendar days post transaction to remove rescinded license file(s) from their license server in order to remain in compliance with Citrix licensing terms and conditions. Please note, at the point of version upgrade, edition upgrade, or trade-up, transaction access to licenses identified for rescission is immediately removed from the secure My Account portal via www.citrix.com. Customers are advised to make a backup copy in case of license server failure during the 90 day grace period.
• Citrix Delivery Controller Considerations:
  • If the last Delivery Controller in a site fails, no new user connections or reconnections can be made.
  • If the Delivery Controller is unrecoverable:
    • Set up a new Controller and use PowerShell to join the existing Site defined in the database.
    • Instruct all VDAs to register with the new Controller.
      • If the new Controller re-uses the DNS name of the failed machine, the VDAs will register automatically.
      • Use Group Policy to direct VDAs to the new Controller’s name.
• Citrix Site Database Considerations:
  • All information is stored in the Site configuration database; Delivery Controllers communicate only with the database and not with each other.
  • A Controller can be unplugged or turned off without affecting other Controllers in the Site. This means, however, that the Site configuration database forms a single point of failure.
  • If the database server fails, existing connections to virtual desktops will continue to function until a user either logs off or disconnects from a virtual desktop. New connections can only be established if connection leasing or Local Host Cache is enabled.
  • The Local Host Cache (LHC) feature allows connection brokering operations in a Citrix Virtual Apps and Desktops Site to continue when an outage occurs. An outage occurs when:
    • The connection between a Delivery Controller and the Site database fails in an on-premises Citrix environment.
    • The WAN link between the Site and the Citrix control plane fails in a Citrix Cloud environment.
  • Local Host Cache is the most comprehensive high availability feature in Citrix Virtual Apps and Desktops. It is a more powerful alternative to the connection leasing feature that was introduced in Citrix XenApp 7.6.
  • Local Host Cache has certain limitations when active, when the Site database is inaccessible or otherwise in a failed state:
    • You cannot use Studio or run PowerShell cmdlets.
    • Hypervisor credentials cannot be obtained from the Host Service. All machines are in the unknown power state, and no power operations can be issued. However, VMs on the host that are powered-on can be used for connection requests.
    • Machines with VDAs in pooled Delivery Groups that are configured with "Shut down after use" are placed into maintenance mode.
    • Anonymous session launch requests are rejected.
    • An assigned machine can be used only if the assignment occurred during normal operations. New assignments cannot be made during an outage.
    • Automatic enrollment and configuration of Remote PC Access machines is not possible. However, machines that were enrolled and configured during normal operation are usable.
    • Server-hosted applications and desktop users may use more sessions than their configured session limits, if the resources are in different zones.
  • Connection Leasing allows connection to certain resources based on cached launch information.
  • Connection Leasing has certain limitations when active, when the Site database is inaccessible or otherwise in a failed state:
    • Desktop Studio and Desktop Director operations are unavailable.
    • Citrix PowerShell cmdlets requiring database access will not work.
    • No VDA load balancing will occur.
    • Users can only connect to the last host they connected to when the site database was available.
    • There is a small window (2 minutes) during which no sessions will be brokered when the site database becomes unavailable or is restored. This is to allow for environments with SQL HA enabled to fail over, such that leasing does not become enabled when there is only a short window where site database connectivity is interrupted.
    • Users must have logged on to the resources within the default 14 day period. This can be configured via a registry setting.
    • Anonymous users are not supported by Connection Leasing.
  • Remember, in a new deployment Local Host Cache is enabled and Connection Leasing is disabled (New in 7.15).
    • However, if the 7.15+ deployment is an upgrade, the previous Site configuration remains.
    • For example, if my Citrix Virtual Apps and Desktops Site was version 7.12 and I had Local Host Cache disabled and Connection Leasing enabled and then I performed an in-place upgrade to 7.19, my Site database would maintain my setting and, even though I would be on 7 build 1808, Local Host Cache would still be disabled.
  • Local Host Cache allows users to continuously launch and run most resources even during a database failure. However, it is still recommended to have SQL fault tolerance in place for production environments.
  • The failure impact is different for each database.
    • The Site database failure is the most critical - it can cause a production outage because users would not be able to start new sessions to access their resources.
      • New connections cannot be made, except in most cases when local host cache or connection leasing is configured
      • Administrators cannot leverage Studio or Director
    • Logging/Monitoring – primarily affects administrative activities, and does not have an immediate/direct impact on production users.
      • If logging is mandatory, administrators cannot make changes to the site
      • If logging is not mandatory, changes are not recorded
      • Administrators cannot view historical data
      • Administrators cannot leverage Studio or Director
  • Citrix recommends that you back up the databases regularly so that you can restore from the backup if the database server fails. In addition, there are several high availability solutions to consider for ensuring automatic failover:
    • SQL Mirroring — This is the recommended solution. Mirroring the database makes sure that, should you lose the active database server, the automatic failover process happens in a matter of seconds, so that users are generally unaffected. This method, however, is more expensive than other solutions because full SQL Server licenses are required on each database server; you cannot use SQL Server Express edition for a mirrored environment.
    • Using the hypervisor's high availability features — With this method, you deploy the database as a virtual machine and use your hypervisor's high availability features. This solution is less expensive than mirroring as it uses your existing hypervisor software and you can also use SQL Express. However, the automatic failover process is slower, as it can take time for a new machine to start for the database, which may interrupt the service to users.
    • SQL Clustering — The Microsoft SQL clustering technology can be used to automatically allow one server to take over the tasks and responsibilities of another server that has failed. However, setting up this solution is more complicated, and the automatic failover process is typically slower than with alternatives such as SQL Mirroring.
    • AlwaysOn Availability Groups is an enterprise-level high-availability and disaster recovery solution introduced in SQL Server 2012 to enable you to maximize availability for one or more user databases. AlwaysOn Availability Groups requires that the SQL Server instances reside on Windows Server Failover Clustering (WSFC) nodes.
  • When the failed database server is unrecoverable:
    • Set up a new database server and restore the database from backup.
    • Restore all Controller services to point to the new database server.
  • If no database backup can be restored:
    • Rebuild the site manually.
    • Create new Catalogs from Master image.
    • Create new Delivery Groups.
    • Ensure name consistency.
• Citrix StoreFront Considerations:
  • Although it is likely that a single StoreFront instance could support your Citrix Virtual Apps and Desktops workload, failover and redundancy are still crucial to maintaining on-demand access.
  • If Citrix Virtual Apps and Desktops session traffic is routing through a single StoreFront server that suddenly fails, any new connections to the Citrix Virtual Apps and Desktops applications and desktops will be unavailable.
  • However, it should be mentioned that a StoreFront failure will not impact any existing active Citrix Virtual Apps and Desktops sessions.
  • Thus, Citrix highly recommends deploying two StoreFront servers to eliminate any possibilities of a single point of failure that may disrupt productivity, and configuring the IP address or DNS name of one Controller in each Site.
  • To streamline the management of multiple StoreFront servers, Citrix has provided a single admin interface from which you can manage all the servers in your StoreFront cluster.
  • To make implementation even more robust, Citrix Gateway can be configured to load balance user requests between the multiple StoreFront instances as well as monitor their availability.
  • If the StoreFront Server is unrecoverable:
    • Set up a new StoreFront server reusing the DNS name of the failed StoreFront server and configure:
      • Base URL
      • Encryption settings
      • Authentication settings
      • Delivery controller settings
      • Customization settings
      • Remote access settings

Additional Resources:
• FAQ: XenApp and XenDesktop 7.x Licensing: https://support.citrix.com/article/CTX128013
• CtxLicChk - Citrix License Check Utility: https://support.citrix.com/article/CTX123935
• Citrix Director 7.6 Deep Dive Part 1: License Monitoring: https://www.citrix.com/blogs/2014/10/10/citrix-director-7-6-deep-dive-part-1-license-monitoring/
• Technical overview: https://docs.citrix.com/en-us/licensing/current-release/technical-overview.html
• Local Host Cache – Design considerations and requirements: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/local-host-cache.html
• Citrix Site Database High Availability: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/databases.html
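
The upgrade caveat in the Key Notes above (an upgraded Site keeps its earlier Local Host Cache and Connection Leasing settings) and the single-Controller risk can both be checked from PowerShell. This is an added example, not part of the course material; the function name `Get-SiteOutageReadiness` is hypothetical, and it assumes the Citrix Broker snap-in is installed and that `Get-BrokerSite` exposes `LocalHostCacheEnabled` and `ConnectionLeasingEnabled`, as in the 7.15 to 1912 LTSR SDK.

```powershell
# Added example, not part of the course material.
# Run during normal operations on a Delivery Controller as a Citrix administrator:
# the notes above state that PowerShell cmdlets fail while the Site database is down.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-SiteOutageReadiness {    # hypothetical helper name
    $site        = Get-BrokerSite
    $controllers = @(Get-BrokerController)
    # A Controller's State is one of Failed, Off, On or Active.
    $active      = @($controllers | Where-Object { $_.State -eq 'Active' })
    $findings    = @()

    $lhc = [bool]$site.LocalHostCacheEnabled
    $cl  = [bool]$site.ConnectionLeasingEnabled

    if (-not $lhc -and $cl) {
        # The state an upgraded Site keeps if it used Connection Leasing before 7.15.
        $findings += 'Local Host Cache is disabled and Connection Leasing is enabled (settings carried over from before the upgrade).'
    }
    elseif (-not $lhc -and -not $cl) {
        $findings += 'Neither Local Host Cache nor Connection Leasing is enabled: no new sessions can be brokered if the Site database is unavailable.'
    }
    elseif ($lhc -and $cl) {
        $findings += 'Both features are enabled; a new deployment has Local Host Cache enabled and Connection Leasing disabled.'
    }

    if ($active.Count -lt 2) {
        $findings += "Only $($active.Count) active Delivery Controller(s): the Controller is a single point of failure."
    }

    if ($findings.Count -eq 0) {
        $findings += 'Local Host Cache enabled, Connection Leasing disabled, at least two active Controllers.'
    }

    [pscustomobject]@{
        Site                     = $site.Name
        LocalHostCacheEnabled    = $lhc
        ConnectionLeasingEnabled = $cl
        ActiveControllers        = $active.DNSName
        Findings                 = $findings
    }
}

Get-SiteOutageReadiness | Format-List

# To bring an upgraded Site in line with the new-deployment default:
#   Set-BrokerSite -LocalHostCacheEnabled $true -ConnectionLeasingEnabled $false
```

The check only reports the Site's outage-handling settings; it does not replace SQL high availability, which the notes still recommend for production.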



Redundancy
Performance Gains

Redundancy not only protects from outages, but sometimes offers more performance or better
scalability than singular systems.
• Active-passive or failover configurations only protect against loss of functionality.
• Active-active configurations use multiple systems simultaneously or alternately and gain performance by distributing load across available systems.

[Diagram: Active / Active or Active / Passive Configuration. An endpoint with Workspace app connects through a Citrix ADC load balancer to StoreFront - A and StoreFront - B.]

Key Notes:
• Most load balancing systems (like Citrix Gateway) offer many different load balancing mechanisms as well as some
performance gains by eliminating overhead, caching requests etc.
• Although the focus of the slide is on active-passive vs. active-active redundancy configurations, note that the diagram
shows only one load balancer, which is a single point of failure. Typically, we would want to address this by adding
redundancy to the load balancer as well. For example, Citrix Gateway can be configured as an HA pair.
• Adding even more redundant systems can offer even more speed but typically offers diminishing returns with each additional machine.


Lesson Objective Review

If the Citrix Site database fails or becomes unresponsive, what impact does this have on users logging in and attempting to launch sessions?

With Local Host Cache (LHC) the Delivery Controller continues to broker user connections.

However, LHC should hopefully never be used; instead, focus on making the database platform redundant.


Lab Exercises

Module 02


Lab Exercise

• Ex 2-1: Install the Delivery Controller
• Ex 2-2: Create and Configure the Site
• Ex 2-3: Using the Citrix Licensing Manager

• There are 3 lab exercises in Module 2; this slide addresses all of them.
• This Slide:
  • 2-1: Install the Delivery Controller Role
    • Time: 11 minutes
  • 2-2: Create and Configure the Site
    • Time: 9 minutes
  • 2-3: Using the Citrix Licensing Manager
    • Time: 5 minutes


Key Takeaways

• Prior to deploying a Citrix Virtual Apps and Desktops Site, there are environmental factors to consider and possibly configure.
• The Citrix Licensing Manager Console is a web portal used to manage the License Server, for any license administration or reporting of all licensed Citrix products.
• The Delivery Controller is the core server for the Citrix Virtual Apps and Desktops Site.
• To deploy a Citrix Virtual Apps and Desktops Site, the Citrix Administrator must either manually install and configure the components, or subscribe to Citrix Cloud and enable the Citrix Virtual Apps and Desktops Service.
• Ensure the critical Citrix Site components have enough redundancy to provide functionality and capacity during an outage.


Citrix Virtual Apps and Desktops 7 Administration On-Premises and in Citrix Cloud

The Apps and Desktops Images

Module 03


Learning Objective

• Identify the Master Image Creation Methods.
• Present the Master Image requirements through introducing the Virtual Delivery Agent.


Consider Master Image Creation Methods


What is a Master Virtual Machine (VM)?

• The Master Image is a VM that is used to create other machines when using a Citrix Provisioning method, such as Machine Creation Services (MCS) or Citrix Provisioning (PVS).
• Citrix Virtual Apps and Desktops can create almost identical machines from a single master image.
• The Master Image should contain all required applications, patches, and settings required by all users of the production VDAs.

[Diagram: Define The Master (OS defined, apps requested; admin and users), Build The Master (create a new VM, load the OS, load the apps, VDA), Use The Master (new Machine Catalog; MCS / PVS creates AD accounts and new VMs running the VDA).]

Key Notes:
• Windows Server OS and Windows Desktop OS templates can serve as the Master Image for a catalog, but each catalog can only be based on one image at a time.
• Depending on the catalog type, it is possible to update all machines from time to time in order to reflect changes made to a Master Image (like updates or added/removed applications).
• The amount of generalization necessary depends on the application being deployed. While some applications do not require any modification, other applications might need custom settings to avoid conflicts caused by identical settings.
• If you will use Citrix tools (Machine Creation Services or Citrix Provisioning) to create VMs for your deployment, prepare a master image or template on your host hypervisor. Then, create the machine catalog.
• Make sure the host has sufficient processors, memory, and storage to accommodate the number of machines you will create.
• The master image contains the operating system, non-virtualized applications, VDA, and other software. VMs are created in a machine catalog, based on a master image you created earlier and specify when you create the catalog.
• Steps:
  • Create the master image with desired OS
  • Add applications
  • Generalize settings
  • Create a catalog from master image
• The only necessary differences among the machines created from a master image are usually settings that would otherwise lead to a conflict (like name, AD computer account, SID and IP Address). Machine Creation Services and Citrix Provisioning take care of this, so the Master Image does not need to be “sysprepped”. If you are using Citrix Provisioning or Machine Creation Services, do not run Sysprep on master images.
• A master image is also known as a clone image, golden image, or base image.
• When using Citrix Provisioning, you can use a master image or a physical computer as the initial master target device used to create a vDisk.
• Update a master image to apply changes to all the desktops and applications in a machine catalog that were created with that master image. Managing common aspects through a single master image lets you deploy system-wide changes such as Windows updates or configuration changes to a large number of machines quickly.


App and Desktop Master Image Creation Methods

• There are two primary methods to approach building a Master Image.
  • One method is manual creation.
  • Another method is to use Citrix App Layering.


App and Desktop Master Image Creation Methods
App Layering vs. Manual Image Creation

App Layering:
• Simplifies application and image management
• Faster application packaging
• High Availability
• Real-time application delivery.
• Deploy the app package on any infrastructure, hypervisor or cloud.
• Eliminate managing multiple gold images
• Reduce overall app and desktop management cost up to 80%.

Manual Image Creation:
• Is a more common approach
• The Citrix Administrator creates one VM per build (OS & App Requirements), per hypervisor/Cloud platform
• Requires multiple gold images
• Integrates well with 3rd party image management such as through Microsoft System Center Configuration Manager

Key Notes:
• In this course we use the Manual Image Creation.
• For interest in App Layering, please use the below URL to attend training on App Layering, via the CXD-303 (a three day ILT Citrix
Course) or the CXD-310 (a five day ILT Citrix Course). The CXD-310 content aligns to the Citrix Certification CCP-V.



Lesson Objective Review

How many Master Images are required to support a Windows 10 set and a Windows Server 2016 set of Desktops with Microsoft Office installed on one set of Server-based desktops and Outlook and Project only on another set of Server-based desktops, across both Citrix Hypervisor and Microsoft Azure platforms?

• Manual Method = 6
  • Windows 10 with Microsoft Office on Citrix Hypervisor
  • Windows Server 2016 with Microsoft Office on Citrix Hypervisor
  • Windows Server 2016 with Outlook and Project on Citrix Hypervisor
  • And all of the above again on Microsoft Azure
• App Layer Method = 2

Key Notes:
• How is App Layering only 2 Master Images?
  • When you attend the App Layering training, you will gain knowledge in how to build one Master Image per OS, and configure separate layers for the Hypervisor/Cloud platform tools and additional separate layers for the applications.
  • This layer separation helps to reduce desktop management costs by up to 80%.


Master Image Requirements


Master Image Preparation Overview

• The Master Image preparation is used to set the VM environment to match the Citrix Administrator’s expectations for the resultant machines that will be used to host the user’s apps and desktops.
• This preparation includes:
  • Software installations
  • Control panel customizations
  • Policies
  • And more
• The final step in preparation is to install the Citrix component, the Citrix Virtual Delivery Agent (VDA).


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 3

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercises.



What is a Virtual Delivery Agent (VDA) machine?
Definition and Explanation

• The VDA is installed on each resource machine used to host sessions running apps and/or a desktop.
• The resource session types available are dependent both on the License type and the OS of the resource machine.
• Users connect to these sessions using an Endpoint device.

[Diagram: Endpoint Devices connecting to Server OS App & Desktop Sessions and to a Desktop OS Desktop Session.]

Key Notes:
• The VDA role enables users to access their resources delivered on the machines in which the VDA is installed.
• The VDA is an agent that is installed on machines running Windows Server or Windows Desktop operating systems that allows
these machines and the resources they host to be made available to users.
• The VDA is the intermediary between the Delivery Controller and the user’s device (Citrix Workspace app, specifically).
• The VDA registers with the Delivery Controller so user connections can be brokered.
• The VDA updates the Delivery Controller with session information.
• The VDA sends the information to Citrix Workspace app.
• The VDA-installed machines running Windows Server OS allow the machine to host multiple connections for multiple users and are connected to users on one of the following ports:
  • TCP port 80 or port 443 if SSL is enabled
  • TCP port 2598, if Citrix Gateway Protocol (CGP) is enabled, which enables session reliability
  • TCP port 1494 if CGP is disabled or if the user is connecting with a legacy client

Additional Resources:
• Technical overview: LTSR 1912: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview.html


The Virtual Delivery Agent (VDA) Install

The Virtual Delivery Agent (VDA) install supports the following operating system platforms.

Server:
• Microsoft Windows Server: 2019, 2016, 2012 R2
• Linux: SUSE Server, Red Hat Server, CentOS, Ubuntu Server

Desktop:
• Microsoft Windows Desktop: 10, build 1607+
• Linux: SUSE Desktop, Red Hat Workstation, CentOS, Ubuntu Desktop

Key Notes:
• The VDA software is required to be installed on each machine (virtual or physical) that is used to deliver apps and desktop resources to users.
• The VDA software can be installed only on Windows Server OS, Windows Desktop OS and supported Linux distributions.
• Visit Citrix online documentation to verify the full considerations and supporting software for the VDA install on the following:
  • Platform
  • Operating System
  • Operating System Version
  • Operating System Edition
• The VDA installation loads Citrix-prefaced Windows services onto the machine, such as:
  • Desktop Service: Handles the registration process and the communication with the Delivery Controller. Also handles the exchange of pre-logon ticket data and user credentials during the authentication verification process.
  • PortICA Service: Handles accepting the initial connection. Also manages the communication with the display manager for Thinwire display mode changes and manages the communication with the Desktop Service.
  • The PortICA service is only used on Desktop OS machines. On Server OS, the RDS subsystem is leveraged instead.
• Connections to Citrix Virtual Apps and Desktops sessions running on machines running the VDA can be made from virtually any OS that has Citrix Workspace app installed.
• For VDA version 7.16 and above, support for earlier Windows operating systems (those not listed in the slide) has been removed. This complicates any migrations of XenApp 6.5 or earlier session hosts. These can be upgraded to version 7.15 LTSR, but cannot be upgraded beyond that, and they will be limited to the features included in that release.
• During the VDA component installation, the Additional Components, Features, and Smart Tools screens will provide options to install optional features and tools.
  • None of these are required to enable the core functionality of the VDA role, but they may be needed to enable certain features.
  • The Additional Components page contains check boxes to enable or disable installation of other features and technologies with the VDA. However, note that this page will not appear if:
    • You are using the VDAWorkstationCoreSetup.exe installer. Also, the command-line options for the additional components are not valid with that installer.
    • You are upgrading a VDA and all the additional components are already installed. Only components that are not currently installed on the machine will be displayed.
  • We will be reviewing many of the features and components associated with these options later in the course.
• For VDA version 7.17 and above, there is an option to install supportability tools, such as the Citrix Health Assistant, Citrix Optimizer, and VDA Cleanup Utility. The option to install a PDF printer driver was removed; instead, it is installed automatically.

Additional Resources:

• System requirements – Virtual Delivery Agent (VDA) for Desktop OS/Server OS:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html
• System requirements – Linux VDA:
• 1912 LTSR: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/1912.html



Citrix Virtual Delivery Agent (VDA)
Registration and Considerations

Registration
The VDA registration is a process in which a VDA and a Delivery Controller establish trusted communication.

Considerations
There are five methods to configure registration: Auto Update, GPO, Manual, OU-based Controller discovery and MCS.

Verify that the Delivery Controller is correctly specified, because if the VDA does not register with the Delivery Controller, then the Delivery Controller will be unable to broker sessions to the VM running the VDA.

Key Notes:
• Other Considerations:
• Test that the firewall configuration does not block the VDA registration port (default: 80).
• Compare the time synchronization between the Delivery Controller and the machine running the VDA.
• Validate domain membership of the machine running the VDA.
• Inspect the computer account of the machine running the VDA.
• A VDA that fails to register with the Delivery Controller leaves the Delivery Controller unable to broker any connection to this resource. In other words, if the VDA on a machine fails, then none of the resources on that machine can be accessed.
• VDA registration failure is the most common issue in Citrix Virtual Apps and Desktops deployments, therefore it is important to note some basic troubleshooting steps:
• Make sure that the VDA is attempting to register with the correct controller (spelling, etc.).
• Verify that the firewall is not blocking the registration communication by telnetting over the registration port (Delivery Controller -> VDA and VDA -> Delivery Controller).
• Compare time between the Controllers and the VDAs (max acceptable difference is 5 minutes).
• Check the domain membership of the VDA and test removing and rejoining the VDA to the domain.
• Check forward DNS lookups for Delivery Controllers and VDAs. Reverse DNS lookups are only required in specific scenarios with multiple trusted forests.
• Inspect the VDA’s computer account to verify that the ServicePrincipalName attribute includes the computer’s fully qualified domain name.
• If the virtual machine has multiple network adapters, also test disabling additional network adapters (do not disable the adapter used to communicate with the Controller).
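
The troubleshooting steps above can be evaluated together once the evidence has been collected. This is an added example, not Citrix code or part of the course material: it applies the 5-minute clock limit, the forward DNS check, the ServicePrincipalName check and the two-way port test. The `Evidence` structure, the function names, the finding codes, the host names and the SPN values are all constructed for illustration.

```python
"""Triage of VDA registration preconditions (added example, constructed data)."""
import socket
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REGISTRATION_PORT = 80                  # default registration port from the notes
MAX_CLOCK_SKEW = timedelta(minutes=5)   # maximum acceptable difference from the notes


@dataclass
class Evidence:
    """Facts gathered on the VDA and the Delivery Controller (hypothetical structure)."""
    vda_fqdn: str
    controller_fqdn: str
    vda_time: datetime                  # timezone-aware clock reading on the VDA
    controller_time: datetime           # timezone-aware clock reading on the Controller
    vda_spns: list = field(default_factory=list)     # ServicePrincipalName values
    forward_dns: dict = field(default_factory=dict)  # fqdn -> resolved addresses
    port_vda_to_controller: bool = False
    port_controller_to_vda: bool = False


def tcp_port_open(host, port=REGISTRATION_PORT, timeout=3.0):
    """Live probe (scripted form of the telnet test): True if host:port accepts TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def forward_lookup(fqdn):
    """Live forward DNS lookup; returns sorted addresses, empty list on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []


def clock_skew_ok(vda_time, controller_time):
    """True when the two clocks differ by no more than MAX_CLOCK_SKEW."""
    return abs(vda_time - controller_time) <= MAX_CLOCK_SKEW


def spn_covers_fqdn(spns, fqdn):
    """True if any SPN of the form class/host[:port][/name] names this FQDN."""
    wanted = fqdn.rstrip(".").lower()
    for spn in spns:
        _, _, rest = spn.strip().partition("/")
        host = rest.split("/")[0].split(":")[0].rstrip(".").lower()
        if host and host == wanted:
            return True
    return False


def evaluate(ev):
    """Return (code, detail) findings in the order of the troubleshooting steps."""
    findings = []
    if not ev.port_vda_to_controller:
        findings.append(("PORT_VDA_TO_CONTROLLER",
                         f"{ev.controller_fqdn}:{REGISTRATION_PORT} unreachable from VDA"))
    if not ev.port_controller_to_vda:
        findings.append(("PORT_CONTROLLER_TO_VDA",
                         f"{ev.vda_fqdn}:{REGISTRATION_PORT} unreachable from Controller"))
    if not clock_skew_ok(ev.vda_time, ev.controller_time):
        skew = abs(ev.vda_time - ev.controller_time)
        findings.append(("CLOCK_SKEW", f"clocks differ by {skew}, limit {MAX_CLOCK_SKEW}"))
    for name in (ev.controller_fqdn, ev.vda_fqdn):
        if not ev.forward_dns.get(name):
            findings.append(("DNS_FORWARD", f"no forward lookup result for {name}"))
    if not spn_covers_fqdn(ev.vda_spns, ev.vda_fqdn):
        findings.append(("SPN_FQDN", f"no ServicePrincipalName contains {ev.vda_fqdn}"))
    return findings


# Constructed sample: VDA clock 7 minutes behind, no DNS record, SPNs lack the FQDN.
SAMPLE = Evidence(
    vda_fqdn="vda01.example.test",
    controller_fqdn="ddc01.example.test",
    vda_time=datetime(2021, 3, 1, 9, 53, tzinfo=timezone.utc),
    controller_time=datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc),
    vda_spns=["HOST/VDA01", "RestrictedKrbHost/VDA01"],
    forward_dns={"ddc01.example.test": ["192.0.2.10"], "vda01.example.test": []},
    port_vda_to_controller=True,
    port_controller_to_vda=True,
)

if __name__ == "__main__":
    for code, detail in evaluate(SAMPLE):
        print(f"{code}: {detail}")
```

On a live machine, `tcp_port_open` and `forward_lookup` can fill the corresponding `Evidence` fields; the clock readings and SPN list have to be gathered on the VDA and the Controller.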



Office 365 Considerations for VMs Running the VDA

Define
1. Purchase Office 365 ProPlus.
2. Integrate Active Directory with Azure Active Directory.
3. Install Office 365 ProPlus.

Provision
• Use the Citrix Deployment Guide to identify key optimizations recommended when delivering Office 365 apps with Citrix Virtual Apps and Desktops.
• For example:
• Use Outlook Cached Exchange Mode with the .OST file on a SMB Share
• Use Citrix Profile Management to mitigate the Outlook cache file size and improve login times.

Assign
1. Prepare the Master with the Apps.
2. Build/update a catalog with this Master.
3. Publish the apps using a Delivery Group.

Key Notes:
• Citrix Virtual Apps and Desktops customers who choose Microsoft Office 365 as their platform must subscribe to Microsoft Office 365 ProPlus.
• Microsoft Office 365 ProPlus is a software bundle that combines online-based apps, which can be accessed anywhere via a web browser, with the latest traditional, locally installed version of Microsoft Office.
• To deploy the traditional, locally installed Microsoft Office from Office 365 ProPlus, you must use the Office Deployment Tool.
• Visit Microsoft’s download center to locate this tool.
• Follow Microsoft documentation for the installation steps.
• Microsoft Office 365 ProPlus apps can be integrated with Citrix Virtual Apps and Desktops across multiple platforms including On-Prem, Citrix Cloud and other cloud providers such as Azure and AWS.
• Office 365 ProPlus licensing is per user, so you can’t install the traditional locally installed Microsoft Office the same way. Without Office 365, you must use an XML file to perform a silent install that does not activate during the install.
• Azure Active Directory integration using Azure AD Connect does not require a full Azure account and is a prerequisite to use Office 365 ProPlus.
• Azure AD Connect supports both the synchronized model and the federated identity model to set up and manage user accounts.
• When delivering Outlook as an installed app and using Exchange Online, there are two modes to consider:
• Online Mode: requires a constant network connection to the back-end Exchange Server.
• Cached Exchange Mode: caches mailbox content locally for a window of time, relying on the online mode only for older content.
• When a user launches an Office 365 application from a shared server, a user license for Office 365 is checked out silently via the internet.

Additional Resources:
• Office 365 Plan Options: https://technet.microsoft.com/library/office-365-plan-options.aspx
• Deploy Office 365 ProPlus by using Remote Desktop Services: https://docs.microsoft.com/en-us/DeployOffice/deploy-office-365-proplus-by-using-remote-desktop-services
• Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/deployment-guide-office-365-for-xenapp-and-xendesktop.pdf
• Delivering Office 365 with XenApp and XenDesktop: https://www.citrix.com/content/dam/citrix/en_us/documents/solution-brief/delivering-office-365-with-citrix-xenapp.pdf
• Enable secure productivity in the cloud with Office 365 and Citrix: https://www.citrix.com/global-partners/microsoft/office-365.html


Lesson Objective Review

You’ve been instructed to build a master image VM for Citrix Virtual Apps and Desktops on Windows 10. What is the minimum build for Windows 10?

1607


Lab Exercises

Module 3


Lab Exercise

Ex 3-1: Prepare Server OS for Master Image

Ex 3-2: Prepare Desktop OS for Master Image


Key Takeaways

• The master image is the preparatory base VM the Citrix Administrator tunes to install the Citrix Virtual Delivery Agent (VDA).
• The VDA is the Citrix software that enables a VM to register to a Delivery Controller, which in turn brokers user connections to app and desktop sessions on that VM.


Citrix Virtual Apps and Desktops 7 Administration On-Premises and in Citrix Cloud

Provision and Deliver App and Desktop Resources

Module 04


Learning Objectives

• Demonstrate roles of machine catalog and Delivery Group in defining and assigning available resources.
• Identify the different provisioning methods and their considerations.
• Illustrate the Machine Creation Services process for provisioning virtual machines.
• Classify Machine Creation Services considerations.
• Present the Resource Locations considerations.


Machine Catalogs and Delivery Groups


What is a Machine Catalog?

• A collection of virtual or physical machines defined by the Site to host specific apps and/or desktops.
• Machine Catalogs are separated by:
• Machine type
• Operating system
• Provisioning method

[Figure: three example Machine Catalogs. Machine Catalog: Server OS (Windows Server 2016 machines); Machine Catalog: Desktop OS (Windows 10 machines); Machine Catalog: Remote PC (Remote PC machines).]

Key Notes:
• Machine Catalogs are separated by:
• Machine Type and OS:
• Windows Server OS
• Windows Desktop OS
• Linux Workstation OS
• Linux Server OS
• Remote PC
• Provisioning Method:
• Machine Creation Services (MCS)
• Citrix Provisioning (PVS)
• Existing
• The machine type maps to the different FlexCast models described in Module 1 (e.g. Windows Server OS could be for published desktops and/or Server OS published apps).
• All VMs in a catalog will have the same VDA version and the same apps/desktops. Typically, there is a master image that is used to create all VMs in a machine catalog.
• The existing machines option is for machines that have already been prepared using a non-Citrix technology.
• Since machine catalogs can span hypervisor hosts, it is important to make sure that where applicable, master images are accessible from all hosts.
• During machine catalog creation, the following should also be specified:
• (1) Power management of machines (“power managed” only permitted if a hypervisor or cloud connection has already been configured)
• (2) Desktop experience if Desktop OS is selected as the machine type (connect to same or random desktop). If users will connect to the same desktop, select if changes will persist.
• For catalogs containing physical machines or existing machines, select or import existing accounts and assign each machine to both an Active Directory computer account and to a user account.
• For machines created with Citrix Provisioning, computer accounts for target devices are managed differently; see the Citrix Provisioning documentation.

Additional Resources:
• Create machine catalogs: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/machine-catalogs-create.html


Machine Catalog Locations
Machine Catalogs are created per Site, but can be deployed across multiple locations.

• On-Premises or Public Cloud
• Locations of machines within a Machine Catalog are defined in Citrix Studio as Zones.
• Citrix Studio must map to the local or remote platform and define the hypervisor connection per Zone.

• Citrix Cloud
• Locations of machines within a Machine Catalog are defined in the Citrix Cloud Studio as Resource Locations.
• Citrix Cloud must add a Resource Location before the Citrix Cloud Studio can add the remote platform details to map to the hypervisor connection for the machine catalog.

• Considerations
• Planning where to place a resource location can depend on:
• Proximity to users
• Proximity to data
• Scale requirements
• Security attributes

Key Notes:
• Resource locations contain the resources required to deliver applications and desktops to users.
• Cloud Connectors must reside in a resource location.
• A default resource location will be created with the first Cloud Connector installation.
• The default resource location can be renamed.
• In the Citrix Virtual Apps and Desktops environment, resource locations contain the resources required to deliver applications and desktops to users. You manage those items from Citrix Cloud and the Citrix Virtual Apps and Desktops management console. Typically, resources include:
• Active Directory domain controller
• Hypervisors or cloud services, known as hosts
• Virtual Delivery Agents (VDAs)
• Citrix ADC (optional): To enable secure external access to the applications and desktops offered to users, add a Citrix ADC VPX appliance to the resource location and set up Citrix Gateway.
• For a proof-of-concept deployment that requires only internal access, you can use the cloud-hosted StoreFront that comes with Citrix Cloud.
• Citrix StoreFront servers (optional)
• To communicate with Citrix Cloud, every resource location must contain a Citrix Cloud Connector. At least two Cloud Connectors per resource location are recommended, for availability.
• A resource location is considered a zone in a Citrix Virtual Apps and Desktops environment.

Additional Resources:
• Set up resource locations - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/resource-location.html


Add a Host Connection for the Resource Location

Key Notes:
• Customers start a configuration of Citrix Virtual Apps and Desktops Service by creating a Host connection, followed by creating a Machine Catalog and then a Delivery Group.
• The steps to create a Host Connection, Machine Catalog and Delivery Group are exactly the same as those for an on-premises Citrix Virtual Apps and Desktops site.
• Add Hosting Connections:
1. Click Manage. The management console opens. If a connection has not been created yet, you are guided to that step.
2. Select Configuration > Hosting in the navigation pane.
3. Select Add Connections and Resources in the Actions pane.
4. Create a new Connection. Select your hypervisor and type in the credentials.
5. Select the desired Storage for the hosting connection.
6. If deploying on Azure ARM, select the desired Region.
7. Select the desired Network where VDAs will be deployed.
• Citrix Virtual Apps and Desktops equally supports all of the following:
• Citrix Hypervisor (formerly known as Citrix XenServer)
• Microsoft System Center Virtual Machine Manager
• VMware vSphere
• CloudPlatform
• Microsoft Azure Resource Manager
• Nutanix Acropolis
• Amazon EC2
• Oracle Cloud Infrastructure (OCI) Classic, for Citrix Virtual Apps and Desktops Service only
• Hypervisor requirements:
• If using a VMware vCenter self-signed certificate, the certificate needs to be added to the Citrix Cloud Connector.
• If using Hyper-V and System Center Virtual Machine Manager (SCVMM), the SCVMM Console must be installed on the Citrix Cloud Connector.
• If using Citrix Hypervisor, consider deploying a certificate on the hosts and trusting it on the Cloud Connectors.

Additional Resources:

• Create and manage connections - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/connections.html
• Citrix Virtual Apps and Desktops 7 Build 1808 System Requirements, under Host / virtualization resources:
• On-Premises or Public Cloud: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/system-requirements.html
• Citrix Cloud Service: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/system-requirements.html


Machine Catalog Citrix Preferred Provisioning Methods
MCS and PVS Introduced

Citrix Machine Creation Services (MCS)
Machine Creation Services is a Citrix Virtual Apps and Desktops included mechanism to create multiple machines as individual clones from a single master image using storage based technologies.

Citrix Provisioning (PVS)
Citrix Provisioning is an individual product within Citrix Virtual Apps and Desktops that can create multiple machines as individual clones from a single master image using network based technologies.

Key Notes:
• Machine Creation Services is a very simple way of enabling single image management.
• MCS will allow you to create a number of unique machines from one single master machine by utilizing storage level cloning and a number of mechanisms that will individualize these machines after cloning.
• Citrix Provisioning is a little more complex to install and configure.
• It will, like MCS, allow you to deploy a number of VDAs all from a single image.
• PVS is typically for larger and more complex environments.
• Remember that our deployment in this course for WW Labs addresses a simpler Proof of Concept.
• The focus of our deployment is MCS.
• Citrix Provisioning is an optional component of Citrix Virtual Apps and Desktops available with some editions. It provides an alternative to MCS for provisioning virtual machines. Whereas MCS creates copies of a master image, Citrix Provisioning streams the master image to the user device. Citrix Provisioning doesn’t require a hypervisor to do this, so you can use it to host physical machines. When Citrix Provisioning is included in a Site, it communicates with the Controller to provide users with resources.

Additional Resources:

• Create machine catalogs:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/machine-catalogs-create.html


Remote PC Access

• Some machine catalogs are based on physical PCs instead of VMs.
• Use cases include:
• Leverage existing office PCs
• Access high-powered workstations with specialized hardware

[Figure: layered architecture diagram. User Layer: Internal Users, External Users. Access Layer: Firewall, StoreFront, Citrix Gateway. Control Layer: Delivery Controller, Domain Controller, SQL, License Server. Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC. Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• Remote PC Access allows an end user to log on remotely from virtually anywhere to the physical Windows PC in the office. The Virtual Delivery Agent (VDA) is installed on the office PC; it registers with the Delivery Controller and manages the HDX connection between the PC and the end user client devices. Remote PC Access supports a self-service model; after you set up the whitelist of machines that users are permitted to access, those users can join their office PCs to a Site themselves, without administrator intervention. The Citrix Workspace app running on their client device enables access to the applications and data on the office PC from the Remote PC Access desktop session.
• Remote PC Access is a feature of Citrix Virtual Desktops and can be used as an interim stage during migration of physical office PCs to virtual machines.
• Remote PC Access can be a solution for employees to access their documents and applications during roadblocks, quarantine or bad weather.
• Remote PC Access is secure by design.
• Remote PC Access enables mobile device access to office PCs as well.
• The following Citrix Virtual Desktops features are not supported for Remote PC Access deployments:
• Creating master images and virtual machines
• Delivering published apps
• Personal vDisks
• Client folder redirection

Additional Resources:

• Create machine catalogs:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/machine-catalogs-create.html
• Remote PC Access:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/remote-pc-access.html
• Remote Access Design Guide: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/remote-access-to-enterprise-pc-xendesktop-75-desktop-guide.pdf (this content is based on 7.5 but the design guidelines are still relevant)


What is a Delivery Group?

• A collection of virtual or physical machines, selected from one or more machine catalogs, defined by the Site to specify which users can use the apps and/or desktops.
• Delivery Groups are assignments made to users, user groups or unauthenticated users.

[Figure: three example Delivery Groups. Delivery Group: Assigned User Group A to Apps (Machine Catalog: Server OS, Windows Server machines); Delivery Group: Assigned User Group B to a Desktop (Machine Catalog: Desktop OS, Windows 10 machines); Delivery Group: Assigned User Group C to a Remote PC Desktop (Machine Catalog: Remote PC, Remote PC machines).]

Key Notes:
• A Delivery Group is the Site assigning specific apps and/or desktops to the designated users.
• Collection of machines that specify which user groups can access desktops or applications.
• Allocates machines from the machine catalog(s) for user access.
• Specifies the delivery type:
• Desktops
• Applications
• Desktops and applications
• Assigns user groups or unauthenticated users to resources.
• A Delivery Group is a collection of machines selected from one or more machine catalogs. The Delivery Group specifies which users can use those machines, and the applications available to those users.
• A machine can only be in one Delivery Group.
• The “desktops and applications” option for delivery type is not available with static Desktop OS desktops.
• Leading practice: assign Active Directory groups (rather than individual AD accounts) to Delivery Groups because it can be easier to add a user to the appropriate AD groups to gain access to the necessary resources when onboarding a user to the environment. This can also reduce the operational complexity involved with removing user access.
• For Delivery Groups containing Server OS machines, you can select a check box that will allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Workspace app. For example, when users access applications through kiosks, the application might require credentials, but the Citrix access portal and tools do not. An Anonymous Users Group is created when you install the VDA.

Additional Resources:

• Create Delivery Groups:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/delivery-groups-create.html


Delivery Group Published Apps
Publish Apps using Delivery Groups to User
Groups

• From start menu: Select an application that is discovered on one of the selected machines.
• Manually: Add an application manually by specifying the path to the executable file, working directory, and application name.
• Existing: Add an existing application in the database to a new Delivery Group.
• App-V: Add an App-V application to a Delivery Group.
• Application group: Add applications defined in an application group to a Delivery Group.

Key Notes:
• A list displays the applications that were discovered on a machine created from the master image, a template in the machine catalog, or on the App-V management server. Choose one or more applications to add to the Delivery Group.
• You can also add (create) applications manually. You’ll need to provide the path to the executable, working directory, optional command line arguments, and display names for administrators and users.
• There are more options for publishing applications that can be accessed by clicking Application properties, including command line parameters, application names, and limiting the visibility of apps. You can also change the application folder that the application is displayed in by clicking Change under the Place the selected application in folder title. More detail regarding this will be discussed in a later module.
• Application Groups let you manage collections of applications. You can create Application Groups for applications shared across different Delivery Groups or used by a subset of users within Delivery Groups. Application Groups are optional; they offer an alternative to adding the same applications to multiple Delivery Groups. Delivery Groups can be associated with more than one Application Group, and an Application Group can be associated with more than one Delivery Group.
• Application Groups will be covered in module 7.

Additional Resources:

• Create Delivery Groups: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/delivery-groups-create.html


The Machine Catalogs and Delivery Groups Relationship

• A 1:1 relationship of machine catalogs to Delivery Groups can ease management and administration.
• A Delivery Group can contain machines from more than one Machine Catalog.
• Provided that the Machine Catalogs have the same machine type and same desktop experience type.

[Figure: Machine Catalog and Delivery Group pairings, with Server OS, Desktop OS, Static and Random Machine Catalogs, Delivery Groups and an Application Group.]

Key Notes:
• During the creation of a Delivery Group, select a Machine Catalog and specify the number of machines you want to use from the catalog.
• To use a specific Machine Catalog, at least one machine must remain unused in that catalog.
• A Machine Catalog can be specified in more than one Delivery Group; however, a machine can be used in only one Delivery Group.
• A Delivery Group can use more than one Machine Catalog; however, those catalogs must contain the same machine types (Multi-session OS, Single-session OS, or Remote PC Access). In other words, you cannot mix machine types in a Delivery Group or in a Machine Catalog.
• Similarly, you cannot create a Delivery Group containing Desktop OS machines from a Machine Catalog configured for static desktops and machines from a Machine Catalog configured for random desktops.
• Each machine in a Remote PC Access machine catalog is automatically associated with a Delivery Group.
• Application Groups are optional; they offer an alternative to adding the same applications to multiple Delivery Groups. Delivery Groups can be associated with more than one Application Group, and an Application Group can be associated with more than one Delivery Group. Application Groups will be covered in detail in Module 7.
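
The composition rules in these notes can be checked before a Delivery Group is created. This is an added example, not Citrix code or a Citrix API: it models catalogs and Delivery Groups in memory and rejects requests that mix machine types, mix static and random desktop catalogs, or draw on a catalog with no unused machine. The class names, finding codes and the sample Site are constructed for illustration, and the unused-machine rule is implemented as read from the notes.

```python
"""Check a proposed Delivery Group against the catalog rules in the notes (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Catalog:
    name: str
    machine_type: str        # "multi-session", "single-session" or "remote-pc"
    desktop_experience: str  # "static" or "random"; "n/a" for other machine types
    machines: tuple          # names of the machines in the catalog


@dataclass
class DeliveryGroup:
    name: str
    machines: dict = field(default_factory=dict)  # machine name -> catalog name


def unused_machines(catalog, groups):
    """Machines of this catalog that no Delivery Group has allocated yet."""
    used = {m for g in groups for m in g.machines}
    return [m for m in catalog.machines if m not in used]


def machines_in_multiple_groups(groups):
    """Audit: machines that appear in more than one Delivery Group."""
    owner, duplicates = {}, set()
    for group in groups:
        for machine in group.machines:
            if owner.setdefault(machine, group.name) != group.name:
                duplicates.add(machine)
    return sorted(duplicates)


def plan_delivery_group(name, request, catalogs, existing_groups):
    """request maps catalog name -> machine count.

    Returns (DeliveryGroup, []) when every rule holds, else (None, violations),
    where violations is a list of (code, detail) tuples.
    """
    violations = []
    chosen = []
    for cat_name in request:
        if cat_name in catalogs:
            chosen.append(catalogs[cat_name])
        else:
            violations.append(("UNKNOWN_CATALOG", cat_name))

    # Rule: all catalogs in one Delivery Group share the same machine type.
    types = sorted({c.machine_type for c in chosen})
    if len(types) > 1:
        violations.append(("MIXED_MACHINE_TYPE", ", ".join(types)))

    # Rule: static and random desktop catalogs cannot share a Delivery Group.
    experiences = sorted({c.desktop_experience for c in chosen
                          if c.machine_type == "single-session"})
    if len(experiences) > 1:
        violations.append(("MIXED_DESKTOP_EXPERIENCE", ", ".join(experiences)))

    allocation = {}
    for cat in chosen:
        free = unused_machines(cat, existing_groups)
        wanted = request[cat.name]
        # Reading of the notes (assumption): a catalog is usable only while it
        # still has at least one machine not allocated to a Delivery Group.
        if not free:
            violations.append(("NO_UNUSED_MACHINE", cat.name))
        elif wanted > len(free):
            violations.append(("NOT_ENOUGH_MACHINES",
                               f"{cat.name}: wanted {wanted}, free {len(free)}"))
        else:
            # Allocating only free machines keeps each machine in one group.
            allocation.update({m: cat.name for m in free[:wanted]})

    if violations:
        return None, violations
    return DeliveryGroup(name, allocation), []


# Constructed sample Site.
CATALOGS = {c.name: c for c in (
    Catalog("Srv-A", "multi-session", "n/a", ("SRV-01", "SRV-02", "SRV-03")),
    Catalog("Srv-B", "multi-session", "n/a", ("SRV-11", "SRV-12")),
    Catalog("Win10-Static", "single-session", "static", ("W10-S1", "W10-S2")),
    Catalog("Win10-Random", "single-session", "random", ("W10-R1", "W10-R2")),
)}
EXISTING = [DeliveryGroup("DG-Apps", {"SRV-01": "Srv-A", "SRV-02": "Srv-A"})]

if __name__ == "__main__":
    for req in ({"Srv-A": 1, "Srv-B": 2},
                {"Srv-A": 1, "Win10-Static": 1},
                {"Win10-Static": 1, "Win10-Random": 1}):
        group, problems = plan_delivery_group("DG-New", req, CATALOGS, EXISTING)
        print(req, "->", group.machines if group else problems)
```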

Additional Resources:

• Create Delivery Groups: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/delivery-groups-create.html


Lesson Objective Review

What must be added to a Citrix Virtual Apps and Desktops Service Site, in order to use Citrix Studio to create a Machine Creation Services (MCS) catalog?

A Resource Location


Provisioning Methods and Considerations


Machine Catalog Provisioning Leading Practices
Citrix Leading practice is to create a machine catalog using one of the Citrix provisioning methods

Machine Creation Services (MCS)
• Uses a master image to create and manage virtual machines.
• Works by taking a snapshot of a virtual machine and copying it to a storage location
• Uses the snapshot to clone new machines.
• Supports Machine catalogs in a cloud environment.

Citrix Provisioning (PVS)
• Uses Citrix Virtual Desktops wizard to create a new catalog or add machines to existing catalog.
• Machines created by PVS can also be added to a Citrix Virtual Desktops catalog later on.

Key Notes:
• This course explains both methods at a high level and then provides a deep dive into Machine Creation Services; those interested in a deep dive of Citrix Provisioning will attend the CXD-304 course.
• Ask your Citrix Instructor about the difference between the CXD-304 course and the CXD-310 course.
• MCS or PVS does not work for Remote PC.
• MCS utilizes the underlying hypervisor APIs (Citrix Hypervisor, Hyper-V, or vSphere) to create, start, stop, and delete catalog virtual machines.
• Please note, MCS is not available for physical machines.
• Manual Provisioning:
• Although supported, Manual Provisioning is not recommended, because there is no guaranteed consistency between machines in a catalog; each could have been built individually, by different administrators.
• Manual provisioning is not the Citrix preferred method.
• Some customers are forced to provision the machines running the VDAs manually. For example:
• The Citrix Admin Team does not have appropriate permissions to use MCS on the hypervisor or storage.
• Some applications may need special installation procedures and cannot be installed and cloned via MCS or PVS.
• Some Citrix customers are using manual creation methods. Although fully supported, manual provisioning has some potential drawbacks:
• There is no central management for deployment or updates.
• Does not address and minimize the storage footprint of a machine catalog.
• Does not address any storage I/O optimization.
• Takes far longer to create larger machine catalogs.
• Creates risk for potential inconsistencies for the machines within the machine catalog.
• Consider that MCS Full Clone can substitute for manual provisioning in many cases.

Additional Resources:

• XenApp and XenDesktop 7.11 MCS Full Clone Support (Link still holds true for Build 1808): https://www.citrix.com/blogs/2016/10/12/xenapp-and-xendesktop-7-11-mcs-full-clone-support/


Citrix Preferred Provisioning Methods
Overview

Machine Creation Services (MCS)
Leverages hypervisor APIs through Studio to deploy virtual machines from a single master image snapshot.

Citrix Provisioning (PVS)
Leverages streaming technology to provision virtual machines from a single shared master image.

[Figure: MCS panel with VM-1, VM-2, VM-3, Master Image, Differencing Disk and Identity Disk; PVS panel with Provisioning Server, Master Machine vDisk, vDisk Store and Virtual Machines.]

Key Notes:
• Both MCS and Citrix Provisioning are supported with Citrix Cloud
• This course only covers MCS in depth.

314 © 2021 Citrix Authorized Content


Citrix Preferred Provisioning Methods
Explanation of Advantages

Machine Creation Services (MCS):
• Does not require additional infrastructure
• Provides quick time to value
• Option to enable read and write caching
• Option to utilize full clone
• Needs image in each storage repository
• Does not contain a versioning feature

Citrix Provisioning (PVS):
• Contains versioning feature for testing
• Does not require hypervisor
• Does not require central storage repositories
• vDisk can be synchronized to other datacenters
• Depends heavily on network infrastructure
• Needs additional infrastructure and skill-set
• No built-in cloud deployment features
Key Notes:
• In previous versions it was easier to choose between MCS and PVS, but the feature gap is much smaller today.
• MCS:
  • MCS does not require administrators to build out additional infrastructure or to learn another product, decreasing time and build requirements.
  • MCS provides administrators with a quick way to deploy multiple VMs from a single shared image, decreasing time to production rollout.
  • MCS has added RAM-based caching to put performance on par with PVS.
  • MCS can now utilize full clones to accommodate backup and storage replication of virtual machines.
  • A copy of the master image needs to be stored in each storage repository configured for the host connection for MCS, increasing storage requirements.
  • MCS does not include a versioning feature that enables the same steady promotion from maintenance -> test -> production as PVS does.
  • MCS cannot be used with physical machines.
• PVS:
  • PVS has a unique versioning feature that allows for fast and easy update and rollback of updates.
  • PVS can work with physical machines as well as virtual machines.
  • PVS can host the images on local storage, reducing the need to plan for SAN capacity.
  • PVS maintains the image in a .vhd or .vhdx file (also known as the vDisk), so if we have multiple datacenters, we can simply copy the vDisk image between them using any preferred file sharing mechanism.
  • PVS relies on the networking infrastructure in place, as it streams the image over the network.
  • PVS requires additional infrastructure to be installed and configured for high availability and redundancy. Also, administrators will need to learn how to build, configure, and manage the technology.
  • PVS does not have built-in cloud deployment features. To use PVS on AWS or Azure, a separate PVS environment has to be created in the cloud.

Additional Resources:
• Provisioning Services or Machine Creation Services (2016 Edition): https://www.citrix.com/blogs/2016/06/28/provisioning-services-or-machine-creation-services-2016-edition/


Lesson Objective Review

Scenario: You are about to deploy 2,000 virtual desktops.

Which provisioning method should be used to minimize administrative overhead? And why?

MCS and PVS. If manually provisioning, you would need to build 2,000 virtual desktops. With MCS and PVS, you only have to manually build one.


Machine Creation Services (MCS)
Deep Dive


Machine Creation Services (MCS)
Overview

In general, the MCS process is consistent across multiple deployments.

• MCS is a single image management solution that is built into Citrix Virtual Apps and Desktops.
• MCS creates virtual machines that are linked to a base, prepped master image.
• MCS attaches an identity disk and differencing disk to each virtual machine created.
  • Identity disk: a 16 MB persistent disk that contains the hostname and Active Directory machine account
  • Differencing disk: a disk that holds the writes for each virtual machine

[Figure: VM-1, VM-2 and VM-3 linked to the master machine, each with an identity disk and a differencing disk.]

Key Notes:
• MCS leverages a linked-clone approach to provisioning, with virtual machines reading from a read-only master image that has been de-personalized.
• Each virtual machine is assigned an identity disk that gives the machine a unique identity and a differencing disk that handles the writes for the virtual machine.
• MCS also supports full clone copies, where the entire image is copied to each VM and does not use a differencing disk.
• MCS can now be used in on-premises, Azure, and AWS resource locations, with or without Citrix Cloud. It can be used to provision Windows and Linux VDA machines.

Additional Resources:
• MCS Storage Considerations: https://support.citrix.com/article/CTX218082


Machine Creation Services (MCS)
The Process

[Figure: a hypervisor running the master VM (VM-A) above a storage repository; the numbered markers in the diagram correspond to the numbered steps of the process.]

1. Create the master virtual machine by installing and configuring the desired OS and applications.
• This is a manual step.

Key Notes:
• In this step, the administrator is creating a virtual machine that has the necessary configurations and applications required for the targeted use case.
• Note that deleting, moving, or renaming master images will prevent administrators from being able to revert a machine catalog if necessary.


2. Create a snapshot of the master virtual machine.
• This can be a manual or automatic step.

Key Notes:
• There are two options:
  • Manual: the administrator takes a snapshot of the master VM. This option is considered leading practice because it enables the administrator to determine a desired, meaningful naming convention.
  • Automatic: if a snapshot is not taken, when the administrator selects the master VM in the MCS wizard, Studio will automatically take a thin snapshot of the VM using an automatic naming scheme and will provide that snapshot to MCS.


3. MCS creates a full copy of the snapshot and stores it in the first storage repository configured (only).
• This step is automatic.

Key Notes:
• MCS is creating a full copy of the snapshot that was provided so that all machines that will be provisioned will have the same desired properties and configurations from the master VM.
• MCS creates a full copy of the snapshot and stores it so that it can be updated in order to provision multiple VMs, and so that there is no impact if the administrator deletes the original snapshot.


4. MCS creates a preparation virtual machine to be used for the image preparation process.
• This step is automatic.

Key Notes:
• A temporary virtual machine is created from the snapshot so that an image preparation process can be run to depersonalize the VM.
• The Preparation VM is created with the network disconnected to prevent any issues with the operation of the original master image.


5. MCS attaches an Instruction Disk to the Preparation VM that contains the image preparation steps.
• This step is automatic.

Key Notes:
• The Instruction Disk will tell the Preparation VM the steps that need to be run in order to depersonalize the VM.


6. MCS powers on the preparation VM.
• This step is automatic.


7. MCS begins the image preparation process, which includes rearming KMS, enabling DHCP, and (optionally) performing PvD inventory.
• This step is automatic.

Key Notes:
• The PvD inventory step is only applicable if the Personal vDisk feature is being used, which will be discussed later in the module.
• The image preparation process is where the Preparation VM runs through the list of instructions that it obtained from the Instruction Disk. It is depersonalizing the copy of the snapshot to change the base OS so that it can be used to provision multiple machines. This is why sysprep does not need to be run manually when creating a master image with MCS, because the image preparation process automatically performs the necessary de-personalization.

Additional Resources:
• Machine Creation Service: Image Preparation Overview and Fault-Finding: https://www.citrix.com/blogs/2016/04/04/machine-creation-service-image-preparation-overview-and-fault-finding/


8. The preparation VM updates the copy of the snapshot following the completed image preparation process.
• This step is automatic.

Key Notes:
• The preparation VM updates the copy of the snapshot following the image update process, represented in the diagram by the copy of the snapshot being updated from A’ to A’’.


9. MCS shuts down the preparation VM.
• This step is automatic.


10. The instruction disk reports the results of the image preparation process and is then deleted.
• This step is automatic.

Key Notes:
• The instruction disk reports the success/failure of the steps run during the image preparation process and only moves on with the MCS process if the steps were successfully completed. After reading the report back to MCS, the instruction disk is then deleted.

Additional Resources:
• Machine Creation Service: Image Preparation Overview and Fault-Finding: https://www.citrix.com/blogs/2016/04/04/machine-creation-service-image-preparation-overview-and-fault-finding/


11. MCS detaches the OS disk of the preparation VM and deletes the virtual machine.
• This step is automatic.


12. MCS replicates the copy of the updated snapshot to each storage repository configured.
• This step is automatic.

Key Notes:
• Now that the copy of the snapshot has been updated and prepared for use with multiple VMs, the copy can be replicated to each storage repository configured for the host connection.
• The copy of the snapshot is read-only, and the virtual machines will reference the copy of the snapshot in the applicable storage repository.
• It is important to note that because the snapshot copy needs to be placed in each storage repository, the number of storage repositories will affect storage requirements.


13. MCS creates identity disks in memory for each virtual machine to be created.
• This step is automatic.

Key Notes:
• The identity disks for each VM are created in memory.


14. MCS creates the virtual machines by attaching identity disks and creating and attaching the differencing disks.
• This step is automatic.

Key Notes:
• MCS creates each VM by attaching the identity disk and creating and attaching a differencing disk. This is done for each VM that needs to be created.
• Since each virtual machine is pointing to the read-only snapshot copy, the virtual machines need a unique identity (provided by the identity disk) and a disk to handle its writes (provided by the differencing disk).


MCS I/O Optimization

• Provides the ability to place differencing disks on separate local storage.
• Provides the ability to leverage virtual machine memory as write cache to reduce I/O.

[Figure: a hypervisor with a read cache (hypervisor dependent) and a RAM write cache for each VM; the master image, identity disks and differencing disks are placed across Storage Repository 1 and Storage Repository 2.]

Key Notes:
• With the release of versions 7.9 through 7.12 we have three new features that bring the performance of MCS on par with Citrix Provisioning.
  • We can specify several Storage Repositories per hosting connection, allowing administrators to utilize less expensive local storage, rather than expensive SAN solutions.
  • We can configure a Machine Catalog to use RAM to optimize the temporary writes (similar to the PVS option “write cache in memory with offload to disk”).
  • We can configure the latest release of Citrix Hypervisor to cache the common Shared OS disk in memory to further minimize central I/O load. (This feature is not supported on any other hypervisor.)
• Citrix Hypervisor IntelliCache can optimize read I/O.

Additional Resources:
• Introducing MCS Storage Optimization: https://www.citrix.com/blogs/2016/08/03/introducing-mcs-storage-optimisation/
• Relating IntelliCache and In-memory Read Caching: https://support.citrix.com/article/CTX201887


Create Machine Catalogs and Delivery Groups

Key Notes:
• Machine Catalogs are a collection of physical or virtual machines with the same type of operating system, configuration, naming convention and provisioning method. These machines are managed as a single entity.
• A Delivery Group is a collection of machines selected from one or more Machine Catalogs. The Delivery Group specifies which users can use those machines, plus the applications and/or desktops available to those users.
• Creating a Delivery Group is the next step in configuring your deployment after creating a Machine Catalog.


Use Citrix Cloud Studio to Create Machine Catalogs and Delivery Groups

After adding a hosting connection:
• Create Machine Catalogs
• Create Delivery Groups
• Assign Users and Groups to resources
• MCS is the same process as on-premises, except that the Cloud Connector is communicating with the hypervisors and AD

Key Notes:
• In contrast to an on-premises Citrix Studio, the cloud-hosted Citrix Studio prompts for a user account that has sufficient privileges to create new machine accounts while running the Create Machine Catalog wizard.
• The applications and desktop assignment in a cloud-based Citrix Virtual Apps and Desktops Service can either be done through Delivery Groups within the Cloud Studio or using the Library offerings within the Citrix Cloud Home page.


MCS and the Cloud Connector
Communication

• Studio in the cloud creates provision requests.
• Provision requests are sent to the hosting connection.
• The Cloud Connector Remote HCL service interacts with the on-premises hypervisor.
• Machines are created and will register with the Cloud Connector Remote Broker service on boot.

[Figure: Citrix Cloud Studio above the Cloud Connector and the resource location. Diagram labels include Authorization (STA), Remote Broker, AD Provider, Citrix ADC, Remote HCL, Hypervisors, Citrix Gateway, Active Directory, Master, Catalogs and VDAs.]

Key Notes:
• When administrators create an MCS-provisioned catalog using Cloud Studio, the Delivery Controller is instructed to create machines on the hypervisor and create new computer accounts in AD.
• The cloud-based Delivery Controllers cannot directly communicate with AD or the hypervisors in the resource location.
• The instructions are proxied to the Cloud Connector Server within the resource location.
• The AD Provider Service on the Connector creates the machine accounts and the Remote HCL provider creates the machines on the hypervisors.
• Once machines are created, they register with the cloud Delivery Controller via the Remote Broker Provider.
• This process will work differently when deploying Machine Catalogs to public clouds. In these cases, Citrix Cloud will typically communicate directly to the public cloud API.


Lesson Objective Review

What is the difference between using Citrix Studio or Citrix Cloud Studio to create a machine catalog with MCS?

Citrix Studio for an on-premises or public cloud deployment uses a local Delivery Controller to communicate to the hypervisor and to AD.

Citrix Cloud Studio is almost the same, but the communication is performed by the local Citrix Cloud Connector.


MCS Environment Considerations


MCS Created Random/Non-Persistent Desktops
Reboot Effects

• If the hypervisor supports clone on boot, it resets the differencing disk on reboot.
• If the hypervisor does not support clone on boot, the differencing disk is deleted following a reboot, discarding user changes.

Step 1: The virtual machine is in steady state.
Step 2: The virtual machine is rebooted and the differencing disk is disconnected.
Step 3: A new differencing disk is created.
Step 4: The new differencing disk is attached.
Step 5: The old differencing disk is queued for deletion.

Key Notes:
• The differencing disks are discarded because the user changes do not persist for random/non-persistent desktops.
• Since the differencing disks are queued for deletion, this increases the storage consumption and should be taken into account when determining the storage requirements.
• Hypervisors supporting clone on boot include:
  • VMware hypervisors
  • Citrix XenServer 6.1 and up (including current Citrix Hypervisor release)
  • Pre-XenServer 6.1: supported for local and iSCSI storage repositories, but not for NFS storage repositories
  • Pre-XenServer 5.6: not supported
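
A sizing sketch for the storage effects described above (one image copy per storage repository, a 16 MB identity disk and a differencing disk per VM, and old differencing disks queued for deletion), added here as an example and not part of the Citrix course material. The repository names and capacities, the even spread of VMs across repositories, the average differencing-disk size, the share of VMs rebooting at once, and the worst case in which a differencing disk grows to the size of the master image are all assumptions.

```python
from dataclasses import dataclass

# 16 MB persistent identity disk per VM (figure taken from the course text).
IDENTITY_DISK_GB = 16 / 1024


@dataclass
class Repo:
    """A storage repository on the hosting connection (constructed sample data)."""
    name: str
    capacity_gb: float


def plan_catalog(repos, vm_count, master_image_gb, avg_diff_gb,
                 non_persistent=True, clone_on_boot=True, rebooting_fraction=0.0):
    """Estimate per-repository storage for a linked-clone MCS catalog.

    Assumptions (not from the course text): VMs are spread evenly across the
    repositories, avg_diff_gb is the typical differencing-disk size, and in
    the worst case a differencing disk grows to the size of the master image.
    """
    if not repos:
        raise ValueError("at least one storage repository is required")
    if vm_count < 0 or avg_diff_gb < 0 or master_image_gb <= 0:
        raise ValueError("master_image_gb must be positive; counts and sizes must not be negative")
    if not 0.0 <= rebooting_fraction <= 1.0:
        raise ValueError("rebooting_fraction must be between 0 and 1")

    # Without clone on boot, a rebooting non-persistent VM gets a new
    # differencing disk while the old one is still queued for deletion, so
    # that share of the VMs temporarily holds two differencing disks.
    overlap = rebooting_fraction if (non_persistent and not clone_on_boot) else 0.0

    base, extra = divmod(vm_count, len(repos))
    report = []
    for index, repo in enumerate(repos):
        vms = base + (1 if index < extra else 0)
        image_copy = master_image_gb            # one read-only copy per repository
        identity = vms * IDENTITY_DISK_GB       # one identity disk per VM
        expected = image_copy + identity + vms * avg_diff_gb * (1 + overlap)
        worst = image_copy + identity + vms * master_image_gb * (1 + overlap)
        report.append({
            "repo": repo.name,
            "vms": vms,
            "expected_gb": expected,
            "worst_case_gb": worst,
            "fits_expected": expected <= repo.capacity_gb,
            "fits_worst_case": worst <= repo.capacity_gb,
        })
    return report


if __name__ == "__main__":
    # Constructed scenario: 101 pooled desktops, 40 GB image, two repositories,
    # hypervisor without clone on boot, half of the VMs rebooting at once.
    sample = [Repo("SR1", 2000), Repo("SR2", 1000)]
    for row in plan_catalog(sample, 101, 40, 5,
                            clone_on_boot=False, rebooting_fraction=0.5):
        print(row)
```

Comparing the same catalog with `clone_on_boot=True` shows how much headroom the queued-for-deletion disks consume on each repository.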



Random/Non-Persistent Desktop Example

Scenario: At the start of the workday, User A logs in to a randomly available desktop from the pool of Windows 10 desktops deployed within their company's Citrix Virtual Desktops infrastructure. While working in the desktop during the day, User A decides to download and install multiple Windows Updates available to the machine. Additionally, at the end of the workday, User A creates a new folder directory on the Windows desktop and saves multiple Word doc and PDF files developed during the day to the new folder. User A then logs off the desktop to end their day.

• Upon returning the next morning, User A launches a new Windows 10 desktop and realizes that all the updates and saved files are gone.
• Since this is a Random/Non-Persistent Desktop, all changes or updates made to the VM differencing disk are lost when the logoff and reboot occur.


MCS Created Static/Persistent Desktop - Reboot Effects

• The differencing disk is not deleted following a reboot, persisting user changes.

Step 1: The virtual machine is in steady state.
Step 2: The virtual machine is rebooted.
Step 3: The virtual machine completes the startup process and the same differencing disk is still attached.

Key Notes:
• The differencing disk is not deleted following reboot as user changes are required to persist for the static/persistent desktop.


Static/Persistent Desktop Example

Scenario: At the start of the workday, User B logs in to a randomly available desktop from the pool of Windows 10 desktops deployed within their company's Citrix Virtual Desktops infrastructure. While working in the desktop during the day, User B decides to install Microsoft Office. Additionally, they decide to customize their taskbar and desktop settings (wallpaper, desktop icons, etc.). They then log off the desktop to end their day.

• Upon returning the next morning, User B launches a Windows 10 desktop and all their changes and updates are maintained and available to them.
• Since this is a Static/Persistent Desktop, all changes or updates made to the VM differencing disk are preserved when the logoff and reboot occur.


Updating Master Image
Update Considerations

Random/Non-persistent Desktop:
• Virtual machines are instructed to boot from the latest version following a reboot.
  1. Master VM image is updated.
  2. After the virtual machine reboots, it reads from the latest image.

Static/Persistent Desktop:
• When creating a static Machine Catalog using MCS, you lose the ability to update the catalog centrally using MCS.
• Updates can be deployed by utilizing central deployment and update solutions such as Windows Server Update Services (WSUS).

Key Notes:
• Random/Non-persistent Desktop:
  • When the administrator updates the master VM and goes into the machine catalog and selects the Update Catalog option, this creates a new full copy of the snapshot, which is then updated via the image preparation process.
  • The VMs are then instructed on reboot to point to the latest updated image. VMs that have not been rebooted will continue to point to the original image snapshot.
  • A2 indicates the new version of the master VM.
  • It is leading practice to take snapshots or copies of the master image for rollback purposes in the event there is an issue with the update.
• Static/Persistent Desktop:
  • Static/persistent desktops cannot be instructed to read from an updated master image on reboot because the persistent differencing disks are tied to the original master image.
  • Only newly created Catalogs can be instructed to read from an updated master image.
  • Updates for existing machines can be done either manually on an individual basis, or collectively through the use of third-party software distribution tools.
  • If Citrix App Layering is used, User Layers will enable you to deploy image updates using MCS while still preserving user-installed applications and settings. However, this approach should be tested as it may incur performance and management overhead.
  • For more information on Citrix App Layering and User Layers, see the App Layering eLearning content or the Citrix advanced level trainings.


Three Core Steps to Create Resources
Review

Define: Determine the demand per user group:
• Estimated CPU and memory resources
• Applications used
• Mobility requirements

Provision: Choose the best provisioning model for:
• Flexibility
• Performance
• Scalability
• Ease of use

Assign: Publish the resources from the catalogs to the user groups.
• Desktops or Apps
• Limited Access
• Instant Availability

Key Notes:
• There are three high-level concepts involved in making a resource available to end users:
  1. The machine needs to be defined (this involves the process of determining user experience, sizing and available resources such as GPU, CPU and RAM, as well as creating the Master Image).
    • Step 1 starts with research and documentation.
    • Each group of users has its own requirements in terms of mobility, security, updates & flexibility, provided applications, resource impact, level of personalization, high-availability, and other factors. Grouping users with common requirements together enables them to share a FlexCast model, an image or even a VDA and allows for more accurate planning.
    • Once the research is done, a master image must be defined.
  2. The correct number of machines needs to be provisioned into a Catalog from a master image (typically done through Machine Creation Services or Citrix Provisioning).
    • During Step 2 the actual resources (and maybe their infrastructure) will be created. The resources can be grouped into Machine Catalogs at this time.
    • Choosing the “best” delivery model refers to the “most appropriate” for any given company or resource group. Some companies benefit largely by choosing just one single model to address all requirements, while others prefer to have two different models within the same company for different purposes.
  3. The resource needs to be assigned to the right users (done through a Delivery Group).
    • During Step 3 the actual Delivery Groups are created, providing access for users and groups to their desktops and applications.


Lesson Objective Review

Scenario: You are the Citrix Admin of a large Citrix Virtual Desktops random/non-persistent environment, running on Citrix Hypervisor. Your manager asks if the Citrix Virtual Desktops design accommodates Clone On Boot.

What will be your answer?

Yes.

Citrix XenServer and Citrix Hypervisor have been supporting Clone On Boot since 6.1.


Resource Locations


Resource Locations Defined

Resource Locations

Resource locations are used to define where the resources reside from a Citrix Cloud control plane perspective.

Resource locations can contain:
• Active Directory domains
• Citrix ADCs
• Hypervisors
• Virtual Desktop Agents (VDAs)
• StoreFront servers

Resource locations are associated with Zones in Cloud Studio.

Primary Resource Locations

When defining multiple resource locations in the same Active Directory domain, all Cloud Connectors can be used for authentication.

Defining a primary resource location makes it "most preferred" for communications between your Active Directory domain and Citrix Cloud.

Ensure the primary resource location has Cloud Connectors with great performance and connectivity to your domain.

This enables fast user authentication to Citrix Cloud.
Key Notes:
• Place resource locations where they best meet your business needs. Resource locations can be in a public cloud, in a branch office, private cloud, or a corporate data center.
• The choice of location may be impacted by the following:
  • Proximity to subscribers
  • Proximity to data
  • Scale requirements
  • Security attributes
• There is no restriction on the number of resource locations you can build. The overhead of a resource location is small.
• To provide identity management for subscribers and resources you need to install a Connector to access an Active Directory.
• This makes it easy to distribute the resources across as many resource locations as you need without needing to make compromises.
• As an example you could:
  • Build a resource location in your data center for the head office based on subscribers and applications that need to be close to the data.
  • Add a separate resource location for your global users in a public cloud. Or build separate resource locations in branch offices to provide the applications best served close to the branch workers.
  • Each resource location should have a minimum of two Cloud Connectors.
  • Add a further resource location on a separate network that provides restricted applications. This provides restricted visibility to other resources and subscribers without the need to adjust the other resource locations.
• Primary Resource Locations:
  • To decide which resource location you want to use for your primary resource location, consider the following:
    • Does the resource location have the best connectivity to your domain?
    • Is the resource location the closest to the geographical region in which you use the Citrix Cloud management console? For example, if your Citrix Cloud console is at https://us.cloud.com, the resource location you choose would be the closest one to the US region.

Additional Resources:
• What are resource locations? - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/resource-locations.html


Zones with Citrix Cloud

• Zones in Citrix Cloud are similar to Zones on-premises.
• Use Zones in Studio to map other items to resource locations:
  • Cloud Connectors
  • Machine Catalogs
  • Host Connections
  • Users
  • Application Groups
• Cloud Zones are not Primary/Secondary and do not support registration failover.

Key Notes:
• Zones in Cloud Studio are bonded with resource locations. Using Zones you can map Cloud Connectors, Machine
Catalogs, Host Connections, Users and Application groups to a particular Resource Location.
• On-premises Virtual Desktops has a Primary Zone (which has the Site Database) and may have a Satellite Zone. VDAs in
a Satellite Zone register with the Delivery Controller in the same Zone. If a Controller in a Satellite Zone fails, it fails over
to another local Controller, if possible. If no local Controllers are available, it fails over to a Controller in the Primary Zone.
• In a Citrix Virtual Apps and Desktops Services Site there is no Primary Zone because the Database and Delivery
Controllers reside in Citrix Cloud and not inside the resource location.
• For each resource location created in the Cloud Control Plane, a corresponding Zone is created inside Cloud
Studio.
• Zones are managed through the Zones section in Cloud Studio.
• When creating new resources such as machine catalogs, hypervisors, host connections and applications,
you specify which zone and resource location they will be hosted in.
• Placing items in a zone affects how the service interacts with them and with other objects related to them.
• When a hypervisor connection is placed in a zone, it is assumed that all the hypervisors managed through
that connection also reside in that zone.
• When a machine catalog is placed in a zone, it is assumed that all VDAs in the catalog are in the zone.
• Citrix Gateway instances can be added to zones. When you create a resource location, you are offered
the option to add a Citrix Gateway. When a Citrix Gateway is associated with a zone, it is preferred for
use when connections to VDAs in that zone are used.
• Ideally, Citrix Gateway in a zone is used for user connections coming into that zone from other zones or
external locations, although you can use it for connections within the zone.
• After you create more resource locations and install Cloud Connectors in them (which automatically
creates more zones), you can move resources between zones. This flexibility comes with the risk of
separating items that work best in close proximity. For example, moving a catalog to a different zone than
the connection (host) that creates the machines in the catalog can affect performance. So, consider
potential unintended effects before moving items between zones. Keep a catalog and the host connection
it uses in the same zone.

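The placement guidance in these notes (at least two Cloud Connectors per resource location, and a catalog kept in the same zone as the host connection it uses) can be checked before items are moved between zones. The following is an added example, not Citrix tooling or course material; the inventory structure and every zone, connector, connection and catalog name in it are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import NamedTuple, Optional

MIN_CONNECTORS = 2  # minimum Cloud Connectors per resource location, per the notes above


@dataclass
class HostConnection:
    name: str
    zone: str


@dataclass
class MachineCatalog:
    name: str
    zone: str
    host_connection: Optional[str] = None  # None: catalog has no hosting connection


@dataclass
class Inventory:
    connectors: dict[str, list[str]]  # zone name -> Cloud Connector hosts installed there
    host_connections: list[HostConnection] = field(default_factory=list)
    catalogs: list[MachineCatalog] = field(default_factory=list)


class Finding(NamedTuple):
    rule: str
    subject: str
    detail: str


def audit(inv: Inventory) -> list[Finding]:
    """Return placement findings; an empty list means the inventory follows the guidance."""
    findings: list[Finding] = []

    # Rule 1: count distinct hosts so a connector listed twice is not counted twice.
    for zone, hosts in sorted(inv.connectors.items()):
        count = len(set(hosts))
        if count < MIN_CONNECTORS:
            findings.append(Finding("FEWER_THAN_TWO_CONNECTORS", zone,
                                    f"{count} Cloud Connector(s) found"))

    # Rule 2: a host connection must sit in a zone that exists in the inventory.
    for hc in inv.host_connections:
        if hc.zone not in inv.connectors:
            findings.append(Finding("UNKNOWN_ZONE", hc.name,
                                    f"host connection placed in '{hc.zone}'"))
    by_name = {hc.name: hc for hc in inv.host_connections}

    # Rule 3: a catalog and the host connection it uses belong in the same zone.
    for cat in inv.catalogs:
        if cat.zone not in inv.connectors:
            findings.append(Finding("UNKNOWN_ZONE", cat.name,
                                    f"catalog placed in '{cat.zone}'"))
        if cat.host_connection is None:
            continue
        hc = by_name.get(cat.host_connection)
        if hc is None:
            findings.append(Finding("UNKNOWN_HOST_CONNECTION", cat.name,
                                    f"references '{cat.host_connection}'"))
        elif hc.zone != cat.zone:
            findings.append(Finding("CATALOG_HOST_ZONE_MISMATCH", cat.name,
                                    f"catalog in '{cat.zone}', host connection "
                                    f"'{hc.name}' in '{hc.zone}'"))
    return findings


def sample_inventory() -> Inventory:
    """Constructed sample data; it describes no real deployment."""
    return Inventory(
        connectors={
            "HQ-Datacenter": ["cc-hq-01", "cc-hq-02"],
            "Azure-WestEU": ["cc-az-01"],   # only one connector
            "Branch-Restricted": [],        # resource location without connectors
        },
        host_connections=[
            HostConnection("hq-hypervisor", "HQ-Datacenter"),
            HostConnection("azure-subscription", "Azure-WestEU"),
        ],
        catalogs=[
            MachineCatalog("Win10-Random", "HQ-Datacenter", "hq-hypervisor"),
            MachineCatalog("Server-Apps", "HQ-Datacenter", "azure-subscription"),
            MachineCatalog("Restricted-Apps", "Branch-Restricted"),
            MachineCatalog("Lab-Pilot", "Lab", "retired-connection"),
        ],
    )


if __name__ == "__main__":
    for f in audit(sample_inventory()):
        print(f"{f.rule:28} {f.subject:18} {f.detail}")
```
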
Additional Resources:

• Zones in Citrix Cloud - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/manage-deployment/zones.html


Traditional On Premises
On Premises Deployment

[Diagram: on-premises deployment with User, Access, Control, Resource and Hardware layers. Components shown: Internal Users, External Users, Firewall, StoreFront, Citrix Gateway, Delivery Controller, Domain Controller, SQL, License Server, Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC. Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• An on-premises Citrix Virtual Apps and Desktops site has the Delivery Controller, Citrix Studio, Citrix Director, Citrix License
Server, the Database and VDA within the customers’ datacenter.
• The maintenance and upgrade of all these components have to be done by the Citrix administrators.
• To support the Citrix infrastructure, the administrators need to have proficient knowledge of bare metal hypervisors
(Hyper-V, ESXi or Citrix Hypervisor) in order to set up a compute layer.
• If the users are remotely connecting, then the Citrix ADC and Firewalls also have to be configured and maintained by the
IT administrators.
• This leaves the IT team with many components to set up, configure and upgrade, hence reducing their
productivity.


Public Cloud Deployment

• All components hosted by Partner or by the Customer.
• Also known as the forklift model.

[Diagram: Public Cloud, with User, Access, Control, Resource and Hardware layers. Components shown: Internal Users, External Users, Firewall, StoreFront, Citrix Gateway, Delivery Controller, Domain Controller, SQL, License Server, Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC. Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• The Forklift model refers to deploying all of the Citrix Components in a public cloud.
• The Forklift model saves the effort of setting up and maintaining a private data center. In this model, the patching and upgrade of the
underlying hypervisor is done by the cloud vendor.
• This also offloads the security considerations and practices to the cloud vendor, allowing the IT administrator to focus on
the application development, user data and remote delivery of resources.
• The perpetual licenses used in an on-premises deployment can be re-used in a cloud forklift model.
• Some cloud vendors operate as Citrix Service Providers and use this deployment method to sell SaaS.
• Note: CSPs have access to special license programs for the same purpose.


Citrix Cloud with an On-Premises Resource Location

[Diagram: Citrix Cloud (operated by Citrix) shows License Server, Studio, Director, Delivery Controller, Site Database, Citrix Workspace and Gateway Service. The on-premises resource location (customer or partner-managed, on-premises hosted) shows User, Access, Control and Resource layers with Internal Users, External Users, Firewall, StoreFront, Citrix Gateway, Cloud Connector, Active Directory Server, Server OS, Assigned Desktop OS, Random Desktop OS and Remote PC. Compute Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• With the Citrix Virtual Apps and Desktops Service in Citrix Cloud the Delivery Controller, Citrix Studio, Citrix Director,
Citrix License Server, and the Database are maintained and managed by Citrix. Collectively, they make up the Control
Plane of the Citrix Virtual Apps and Desktops.
• The VDAs are left within the customers’ datacenter. These are managed by the Customer or Citrix Partners.
• The Cloud Connectors are also hosted in the customers’ datacenter. However, they are managed and updated by Citrix
Cloud.
• Workspace and Citrix ADC can be hosted in Citrix Cloud, or StoreFront and Citrix ADC can be
deployed within the resource location.
• A customer can also choose to use Workspace in Citrix Cloud and route the HDX connections through
on-premises Citrix ADCs.
• In such a deployment, the customers’ IT team will have to maintain:
  • Compute layer: Hypervisor, Networks, Storage and Memory.
  • Remote Access Solution (Optional): If users are connecting remotely.
  • Business Critical Applications and their databases.
  • VDA software installed on Servers or Desktops within the resource location.
  • AD, Printing and other non-Citrix components.
• The customers’ datacenter hosting the Citrix VDAs is referred to as a resource location in Citrix Cloud
Terminology.
• The Control Plane is managed by Citrix. However, the configuration of Policies, Machine Catalogs and
Delivery Groups is the customers’ responsibility. Also, these configurations are very similar to those of an
on-premises Citrix Virtual Apps and Desktops site.
• In addition to the standard supported hypervisors, such as Citrix Hypervisor, vSphere and SCVMM/Hyper-V,
customers can also deploy resources to CloudStack and Nutanix Acropolis.


Citrix Cloud with Resources on Public Cloud

[Diagram: Citrix Cloud (operated by Citrix) shows License Server, Studio, Director, Delivery Controller, Site Database, Citrix Workspace and Gateway Service. The public cloud resource location (customer or partner-managed, public cloud hosted) shows User, Access, Control and Resource layers with Internal Users, External Users, Firewall, StoreFront, Citrix Gateway, Cloud Connector, Active Directory Server, Server OS, Assigned Desktop OS, Random Desktop OS and Remote PC. Compute Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• The workloads (aka the VDAs) can also reside in a public cloud.
• Using public cloud as a resource location to host resources helps to offload the compute layer setup and maintenance
to a public cloud vendor so that the internal IT can focus on business critical applications and securing the mission
critical data.
• Public cloud vendors offer 99.9% uptime, which is very tough for any private data center to achieve.
• Also, public clouds are built using industry leading practices and strict security guidelines.
• Building such a stable and secure compute layer on a private data center requires a massive skillset and
investment.
• Using the public cloud helps in reducing the capacity expenditure and provides agility to expand on
demand as per business needs.
• When customers opt for Citrix Virtual Apps and Desktops Service with Public cloud, they essentially have to
configure and maintain only the workloads (aka VDAs). The rest of the components of Citrix Virtual Apps and
Desktops are maintained, secured, backed up and upgraded by Citrix. Similarly, the compute layer resources
are managed by other cloud vendors like Microsoft or Amazon.


Citrix Cloud with both an On-Premises Resource Location and a
Public Cloud Resource Location

[Diagram: the User Layer (Internal Users, External Users) connects to Citrix Cloud (operated by Citrix), which shows License Server, Studio, Director, Delivery Controller, Site Database, Citrix Workspace and Gateway Service. Two resource locations are shown, one On Premises and one in a Public Cloud (customer or partner managed, public hosted and on-premises), each with Access, Control and Resource layers containing Firewall, Citrix Gateway, StoreFront, Cloud Connector, Active Directory Server, Server OS and Desktop OS (Random or Assigned).]

Key Notes:
• Many companies prefer to keep mission critical data on a private datacenter and, hence, cannot move to a public cloud
entirely. In such scenarios, it is preferable to keep critical applications and their databases on a private datacenter owned
and managed by the customers themselves. The remaining applications are moved to a public cloud, thus leveraging the
benefits of both public and private cloud. Such a setup is referred to as the Hybrid cloud.

Lab Exercise Prep

Please Take a Moment and Provision Your Lab for Module 4

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the
lab exercises.



Design and Deployment When Using Citrix Cloud—
Differences from Traditional deployments

• High Availability built into the platform
• Only worry about VDAs
• GSLB built into the platform
• Single Site per subscription
• Zones/resource locations used to define where VDAs are hosted
• Zones
  • Contain Cloud Connectors instead of Delivery Controllers
• Site Database
  • Hosted by Citrix
  • No High Speed Network Link required between Zones
• Delegated Administration
  • Less flexible than on-premises

Key Notes:
• HA: Citrix Cloud has been designed for high availability for each customer; every component is load balanced and many
components are available from different regions.
• Citrix Cloud is built in a public cloud, and all the VMs and data are replicated amongst different sites and storage zones.
• GSLB: The Citrix ADC architecture running Citrix Cloud is built with Global Server Load Balancing in mind.
• Single Site: In Citrix Cloud a customer only has a single Site; all VDAs, Catalogs, Delivery Groups, Citrix ADCs
(etc.) are defined in Zones / resource locations.
• Zones are not parent/child like with on-premises deployments.
• Site databases: The Site databases are hosted by Citrix Cloud.
• The customer does not have to worry about maintaining and operating the databases. Because Delivery
Controllers are only deployed within Citrix Cloud and each resource location has Cloud Connectors, the
latency and bandwidth concerns between different datacenters are not as important.


Citrix Cloud Ownership Summary

Citrix Cloud Control Plane Ownership
Citrix owns and maintains the Control Plane, including:
• Controllers
• Databases and SQL servers
• Studio
• Director
• Workspace
• Citrix Gateway as a Service

Citrix Cloud Infrastructure Ownership
Depending on the deployment model selected, the physical location of the resource location may vary, including:
• On-premises (Citrix Hypervisor, VMware, SCVMM)
• Azure
• AWS
• Third party cloud vendor (CloudPlatform)
Resource locations are always owned and maintained by the customer or a partner.

Citrix Cloud VDA Ownership
The VDAs are owned and maintained by either the end customer or a Service Provider.
Citrix only hosts and maintains VDAs in the Secure Browser cloud offering.

Key Notes:
• Citrix Cloud Control Plane Ownership:
• The Control plane includes the components that are set up, maintained and backed up by Citrix.
• It includes: Delivery Controllers, Databases, Citrix Studio, and Citrix Director.
• Citrix also provides a preconfigured Workspace Store to access the published resources, but the choice to use
cloud-hosted Workspace or an on-premises StoreFront is left with the customer.
• Similarly, to provide remote access, customers can either use the cloud hosted Citrix Gateway as a Service acting as
an ICA proxy only or use an on-premises Citrix ADC.
• Citrix Cloud Infrastructure Ownership:
• Citrix provides 99.9% uptime on its Cloud Services.
• The status of the Citrix Cloud Services can be monitored from http://status.cloud.com/.
• The control plane of Citrix Cloud Services resides in public clouds with multiple datacenters across the
globe.
• The backend architecture details of Citrix Cloud are not disclosed to maintain security and integrity of the
cloud services.
• Google Cloud is not supported from an MCS or hosting integration perspective.
• However, VDAs can be deployed without image and power management.
• Citrix Cloud VDA Ownership:
• VDAs are workloads where customers install their business specific applications.
• These workloads are managed by the customers in on-premises datacenters or public cloud solutions.
• If customers subscribe to the Secure Browser service, which provides simple and secure remote access to web
applications, then the VDAs are also maintained by Citrix.


Lesson Objective Review

When implementing a hybrid deployment model with resources both in an on-premises
datacenter and in Azure, where would you choose to implement Cloud Connectors?

Deploy Cloud Connectors in an on-premises datacenter and in Azure.


Lab Exercises

Module 4


Lab Exercise

• Ex 4-1: Create a Machine Catalog for Multi-session OS (Server OS) using MCS
• Ex 4-2: Create a Delivery Group for Server OS
• Ex 4-3: Create Machine Catalog for Single-session OS (Desktop OS) using MCS
• Ex 4-4: Create a Delivery Group for Desktop OS
• Ex 4-5: Update a Machine Catalog for Single-session OS (Desktop OS)


Key Takeaways

• Machine Catalogs are used to define the VM platform for sessions
and Delivery Groups assign the resources from those sessions to
users/user groups.
• It is Citrix Leading Practice to use a Citrix Provisioning method to
minimize administrative overhead in image management and
improve image consistency within a machine catalog.
• MCS is a single image management solution that is built into Citrix
Virtual Apps and Desktops.
• Non-Persistent MCS created catalog machines are assigned a
new differencing disk after restart.
• Zones in Citrix Cloud are different than On-Premise or Public
cloud deployments, but in all cases specify a resource location.


Citrix Virtual Apps and Desktops 7
Administration On-Premise and In
Citrix Cloud

Provide Access to App and Desktop Resources

Module 05


Learning Objective

• Define the considerations for Workspace and StoreFront.
• Review the options for user authentication.
• Present the role of Citrix Workspace app and use Citrix Workspace app to launch resources.
• Examine the StoreFront communication flow.


Consider Workspace Experience versus StoreFront


User Access to Resources

• There are two options for Citrix Administrators to deploy a means for users to access their resources.
  • Citrix Workspace platform
  • Citrix StoreFront
• For the focused purpose of providing icons to users from published Apps and Desktops, both Citrix
Workspace platform and Citrix StoreFront are capable.
• The choice is dependent upon the location of the Citrix Virtual Apps and Desktops Site and the
features to present to the users.


Citrix StoreFront vs Citrix Workspace Platform

Citrix StoreFront

Feature Presentation:
StoreFront is a web-based enterprise application store used to:
• Authenticate users
• Enumerate resources
• Aggregate resources
• Store subscriptions
• Deploy Citrix Workspace app

Citrix Virtual Apps and Desktops Site Location:
• Citrix Cloud Hosted for Citrix Virtual Apps and Desktops Service Subscribers.
• On-Premises StoreFront
• A combination On-Premises and Citrix Cloud Hosted.

Citrix Workspace Platform

Feature Presentation:
Citrix Workspace platform is a web-based enterprise store used to enumerate and deliver all digital workspace resources to users:
• Does everything that StoreFront does and more.
• For Example:
  • Endpoint Management
  • Content Collaboration
  • Etc.

Citrix Virtual Apps and Desktops Site Location:
Citrix Cloud Hosted for Citrix Virtual Apps and Desktops Service Subscribers

Key Notes:
• Citrix StoreFront, whether hosted in Citrix Cloud or local to the Resource location, is limited to the focus of providing users
with access to icons populated from Citrix Virtual Apps and Desktops Delivery Groups.
• The Citrix Workspace Platform, on the other hand, was designed by Citrix to bridge everyday digital workspace resources
with Citrix Virtual Apps and Desktops using Citrix Cloud as a foundation to provide access to all user resources from
multiple Citrix Cloud Services:
  • Citrix Virtual Apps Essential service
  • Citrix Virtual Desktops Essential service
  • Citrix Virtual Apps and Desktops service
  • Endpoint Management
  • Citrix Gateway service
  • Content Collaboration service
  • Secure Browser service
• The function of StoreFront is to authenticate users, then enumerate and aggregate resources for them and
provide them with access to these resources.
• StoreFront can be used in parallel to existing Web Interface installations, but both products should not be
installed on the same server. Citrix Gateway can be used to divert clients to the appropriate product if
necessary.
• StoreFront is the interface that authenticates users, manages applications and desktops, and hosts the
application store. StoreFront communicates with the Delivery Controller using XML.
• Using Workspace Experience provides the least maintenance and high resilience.
• Workspace Experience does not need manual upgrade interventions and is fully managed by Citrix.
• Workspace Experience is always available over the internet through a unique URL for each customer
(https://<yourcompanyname>.cloud.com/).
• The <yourcompanyname> part of the URL can be customized by the administrator.
• Workspace Experience has some customization capabilities. However, on-premises StoreFront provides
broader customization support.
• Zero Effort: Does the deployment method require configuration from the customer?
• Automatic Updates: Does the deployment method require updates and patching?
• Citrix Managed: Does the deployment method require ongoing maintenance from the customer?
• UI Customization: Does the deployment method support changing user interface appearance?
• Workspace App/Receiver Deployment: Does the deployment method support deploying Citrix Workspace
App/Receiver to endpoints?
• Multiple Stores: Does the deployment method support presenting multiple Stores?
• Support for Two-factor Authentication: Does the deployment method support 2-factor authentication?
• Local Password Processing: Does the deployment method keep password processing and user authentication
inside your datacenter?
• Supports Session Reliability: Does the deployment method support Session Reliability to transport the HDX
traffic?
• Accessible from Internet: Cloud hosted StoreFront can be accessed from the internet. However, without a
Citrix Gateway, resources can only be launched when the endpoints are internal.

Additional Resources:

• Citrix StoreFront Online Documentation: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/storefront.html
• Citrix Workspace platform Online Documentation: https://docs.citrix.com/en-us/citrix-cloud/workspace-platform.html


StoreFront Requirements
Installation Prerequisites

Required:
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2
• 2 GB RAM for StoreFront
• IIS Web Server Role
• .NET Framework
• PowerShell
• Microsoft Management Console

Recommended:
• Dedicated server
• SSL certificate

Key Notes:
• The respective Datacenter and Standard Editions are supported for the Windows Server OS.
• StoreFront installer will install and enable required Windows Roles and Features automatically.
• StoreFront can be configured without a certificate, but doing so puts user credentials at risk and requires additional
configuration in Citrix Workspace app.
• Most deployments are set up using two StoreFront servers and two Load Balancers (e.g. Citrix Gateway) to provide high
availability. Special procedures apply and will be taught in a different Citrix training.



• Depending on the size and load of the deployment, up to six StoreFront servers can be grouped.

Additional Resources:
• StoreFront System Requirements:
• StoreFront 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release.html



Stores
An Introduction

• Stores are the main configuration unit of StoreFront servers.
• Stores aggregate resources from multiple Sites/Farms.
• StoreFront can host multiple Stores with different settings.
• Receiver for Web sites present the content of a Store in a browser.
• Multiple websites per Store are supported.

[Diagram: User Layer (Internal Users, External Users) and Access Layer (Firewall, Citrix Gateway, StoreFront) in front of three back ends, each with Control and Resource layers: a CR Citrix Virtual Desktops Site (Delivery Controller, Server OS, Desktop OS), an LTSR Citrix Virtual Apps Site (Delivery Controller, Server OS, Desktop OS) and a Legacy 6.5 Citrix Virtual Apps Farm (Data Collector, Server OS). Legend: On Premise, On Citrix Cloud.]

Key Notes:
• Stores are used to retrieve published resources for the user from one or more Controllers via their XML service.
• There are several settings like authentication methods or XML services that are configured per Store.
• A Receiver for Web site is normally used to provide a GUI for the Store in the user’s browser, while the “native” Citrix
Workspace app (the successor to Citrix Receiver) can use its own GUI and access Stores directly to query for published
resources or to authenticate.
• A Receiver for Web site can deliver Citrix Workspace app for HTML5 (embedded into the webpage) and is therefore
called “Receiver for Web.”
• Multiple Stores are often used during migration of Sites / Farms in the backend, or to separate externally
accessible Stores from internal-only accessible Stores. Different websites might be used to incorporate
different visual guidelines for users, maybe belonging to different companies within an organization.
• StoreFront Stores aggregate desktops and applications, making them available to users. Store names
appear in Citrix Workspace app under users' accounts, so choose a name that gives users information about
the content of the Store.
• You can configure Stores to provide resources from any mixture of Citrix Virtual Desktops, Citrix Virtual
Apps, and Citrix Endpoint Management MAM deployments.
• If you require both authenticated and un-authenticated users to log in, then you have to create two separate
Stores.

Additional Resources:
• Create new deployment:
• StoreFront 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release.html
388 © 2021 Citrix Authorized Content


Stores
Access

1. The Endpoint Device launches an Internet browser and accesses the Receiver for Web site.
2. The Receiver for Web site accesses the Store.
3. The Store hosted on StoreFront accesses the Controllers in parallel.

[Diagram: steps 1 and 2 are marked between Internal Users and StoreFront, and step 3 between StoreFront and the back ends: a CR Citrix Virtual Desktops Site (Delivery Controller, Server OS, Desktop OS), an LTSR Citrix Virtual Apps Site (Delivery Controller, Server OS, Desktop OS) and a Legacy 6.5 Citrix Virtual Apps Farm (Data Collector, Server OS). External Users, Firewall and Citrix Gateway are also shown. Legend: On Premise, On Citrix Cloud.]

Additional Resources:
• Configure and manage stores:
• StoreFront 1912 LTSR: https://docs.citrix.com/en-us/storefront/current-release.html



Authentication Options
Two Authentication Options

Direct Authentication
• StoreFront submits credentials to a Domain Controller for validation
• Requires same domain or trust relationship between StoreFront and Delivery Controller
• Default authentication option

XML Service-Based Authentication
• StoreFront submits credentials to the XML port of a Delivery Controller
• The Delivery Controller submits the credentials to a Domain Controller
• Used, if no trust relationship exists between the StoreFront server and Delivery Controller domains.

Additional Resources:
• XML service-based authentication: StoreFront 1912 LTSR: https://docs.citrix.com/en-us/storefront/current-release.html



Direct Authentication Process

1. User submits credentials
2. StoreFront forwards credentials to Domain Controller
3. StoreFront queries Delivery Controller to list available resources for the user
4. Delivery Controller enumerates group membership for the user and lists available resources

[Diagram: User Layer (Internal Users), Access Layer (StoreFront) and Control Layer (Delivery Controller, Domain Controller), with the numbered steps marked on the connections between them.]

Key Notes:
• Authentication: the process in which user identity is verified.
• Two methods for authentication with StoreFront:
• Direct: StoreFront validates credentials against Active Directory.
• Indirect: explained on the next slide.
• Explain that two Windows services are responsible for performing authentication tasks:
• Default Domain Services = provides AD based account operations (password change, authentication etc.)

• Credential Wallet Service = stores encrypted passwords in memory
• Use the Create Authentication Service task to configure the StoreFront authentication service. The
authentication service authenticates users to Microsoft Active Directory, ensuring that users do not need to
log on again to access their desktops and applications.
• You can only configure one authentication service per StoreFront deployment. This task is only available
when the authentication service has not yet been configured.

Additional Resources:
• XML service-based authentication: StoreFront 1912 LTSR: https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/xml-authentication.html


XML Service-Based Authentication Process

1. User submits credentials
2. StoreFront forwards credentials to Delivery Controller
3. Delivery Controller validates credentials with the Domain Controller, then enumerates
group membership for the user and lists available resources

[Diagram: User Layer (Internal Users), Access Layer (StoreFront) and Control Layer (Delivery Controller, Domain Controller), with the numbered steps marked on the connections between them.]

Key Notes:
• Indirect: StoreFront passes credentials to Delivery Controller, which validates credentials against Active Directory.
• The authentication service authenticates users to Microsoft Active Directory, ensuring that users do not need to log on
again to access their desktops and applications. You can only configure one authentication service per StoreFront
deployment.
• You can enable or disable user authentication methods set up when the authentication service was created by selecting
an authentication method in the results pane of the Citrix StoreFront management console and, in the Actions pane,
clicking Enable Method or Disable Method, as appropriate. To remove an authentication method from the
authentication service or to add a new one, use the Add/Remove Methods task.

Additional Resources:
• Create and configure the authentication service: https://docs.citrix.com/en-us/storefront/3-12/configure-authentication-and-delegation.html
• XML service-based authentication SF 3.12: https://docs.citrix.com/en-us/storefront/3-12/configure-authentication-and-delegation/xml-authentication.html


Store Authentication Methods

Authentication Methods                    Description
Unauthenticated                           Allows anonymous logon
Username and Password (default option)    Requires users to enter domain, username, and password
Pass through from Citrix Gateway          StoreFront relies on Citrix Gateway to authenticate users
Domain Pass through                       Users are automatically logged on with their domain credentials
Smart Card                                Authentication takes place using a physical Smartcard and PIN
HTTP Basic                                Provides a method to integrate with 3rd party software

Key Notes:
• Consider the implications of Domain pass through:
• It requires domain joined computers.
• It does not work with Citrix Workspace app for HTML5.
• It requires Internet Explorer if a browser is to be used.
• The trusted domains setting also restricts other logon methods to adhere to the provided list of trusted domains.
• In short, these are the different authentication methods:

• Unauthenticated: Useful for providing access to resources that use their own authentication system or
where authentication is generally not required.
• Username and Password: Users log on by entering their domain username and password. This method is
enabled by default.
• Pass through from Citrix Gateway: If Citrix Gateway is used, StoreFront just validates that the user has been
authenticated and does not authenticate the user itself.
• Domain Pass through: Seamlessly passes through the users’ authentication from a domain-joined Windows
computer.
• Smart Card: Enables the use of Smart Cards together with the appropriate PKI infrastructure in the
backend. Users need to provide the Smart Card and their PIN to log on.
• HTTP Basic: Provides an interface for 3rd party applications to single-sign-on to StoreFront using the
underlying IIS. Useful when integrating StoreFront into portal solutions.
• There are also two options relevant to the authentication methods:
• Trusted Domains: Restricting all logons to a list of known domains raises security; it can also be used to
provide users with a list of domains to choose from.
• Change Password: Provide users the option to electively change a password or change a password on
expiry.

Additional Resources:
User Authentication: StoreFront 3.12
• Configure the authentication service - Manage authentication methods: https://docs.citrix.com/en-us/storefront/3-12/configure-authentication-and-delegation.html
• User Authentication: https://docs.citrix.com/en-us/storefront/3-12/plan/user-authentication.html
• Configure the authentication service: https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/configure-authentication-service.html


Store Authentication Service

• Authentication can be configured:
• Individually per Store.
• Or shared between Stores
• If authentication is not shared, users will have to authenticate to each Store separately.

Key Notes:
• With the Store Centric paradigm, each store can be configured to have a separate authentication service.
• For in-place upgrades, authentication will be shared by default.
• When upgrading a StoreFront deployment, where multiple stores are configured, all migrated stores will be configured
to share the same authentication service located at /Citrix/Authentication.
• If you would like to configure a separate authentication service per store, select the Advanced option to access the shared
authentication service settings.



• This will open a dialog box where you can clear the check box to use the shared authentication service. An
information message is displayed explaining what steps will be performed, and a new authentication service
will be created for the store.

Additional Resources:
User Authentication: StoreFront 3.12
• Configure the authentication service - Manage authentication methods: https://docs.citrix.com/en-us/storefront/3-12/configure-authentication-and-delegation.html


Password Reminder

StoreFront can:
• Remind users when their passwords are about to expire
• Allow users to change their password directly from the StoreFront website.

Key Notes:
• If you enable Citrix Receiver for Web site users to change their passwords at any time, local users whose passwords are
about to expire are shown a warning when they log on.
• By default, the notification period for a user is determined by the applicable Windows policy setting.
• To set a custom notification period for all users, you edit the configuration file for the authentication service.
• The reminder period settings are configured under the user name and password authentication of the Store.
• StoreFront does not support Fine Grained Password Policies in Active Directory.



• Change of password via StoreFront can use more disk space.
• If you enable Citrix Receiver for Web site users to change their passwords at any time, ensure that there is
sufficient disk space on your StoreFront servers to store profiles for all your users.
• To check whether a user's password is about to expire, StoreFront creates a local profile for that user on
the server.
• StoreFront must be able to contact the Domain Controller to change users' passwords.

Additional Resources:
• Configure the authentication service - Enable users to change their passwords: https://docs.citrix.com/en-us/storefront/3-12/configure-authentication-and-delegation.html


On-Premise, Non-Domain Joined Deployments

[Diagram labels: Users, DMZ, Citrix Gateway, StoreFront ("StoreFront server can be in workgroup"), Domain 1 and Domain 2, each with a Delivery Controller and a Domain Controller]

• StoreFront supports installation and configuration of StoreFront as a non-domain joined server.
• Helpful when deploying StoreFront in DMZ, networks without Active Directory access, or multi-domain scenarios.

Key Notes:
• Prior to StoreFront 3.6, you could install StoreFront only on servers that were joined to an Active Directory domain.
• StoreFront 3.6 and later supports installation and configuration of StoreFront on non-domain joined servers.
• Note that in a non-domain joined server deployment, you must delegate authentication to Delivery Controllers and server
groups are not supported.



Subscriptions

• Enable users to have easier access to selected applications.
• Allow each store to save users’ subscriptions in a local database.
• Provide users with the same application set across platforms & devices.

Key Notes:
• Microsoft Extensible Storage Engine (ESE) is used as database backend.
• The database is located in C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\<#_Store Name>\PersistentDictionary.edb
• “Add to Favorites” is used to subscribe to an application.


• The entries in the database are not lost if the administrator temporarily disables the subscription feature of the
store.
• Keywords like “auto” or “mandatory” can be used to put published applications automatically in the users’
favorite apps.
• The database should be included in a backup routine; otherwise all users might lose their subscribed apps
and have to subscribe to them again. Also, make sure your antivirus solution does not interfere with database
operations on the EDB file.
• The subscription data for each Store is located in:
• C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\1__Citrix_<Store Name>
• For two stores to share a subscription datastore, you need only point one store to the subscription service end
point of the other store. In the case of a server group deployment, all servers have identical pairs of stores
defined and identical copies of the shared datastore.
• The Citrix Virtual Apps, Citrix Virtual Desktops and Citrix Endpoint Management servers configured on each
store must match exactly; otherwise, an inconsistent set of resource subscriptions on one store compared to
another might occur. Sharing a datastore is supported only when the two stores reside on the same
StoreFront server or server group deployment.

Additional Resources:
• How to Export and Import StoreFront Subscription Database (on older StoreFront versions): https://support.citrix.com/article/CTX139343
• How to Export and Import StoreFront Subscription Database on StoreFront 3.6 and above: https://support.citrix.com/article/CTX216295
• Configure two StoreFront stores to share a common subscription datastore:
• StoreFront 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release.html


Server Groups

[Diagram: an Endpoint Device reaches the Base URL on a Citrix ADC Load Balancer, which fronts StoreFront Server 1 and StoreFront Server 2 in the Server Group]

• A Server Group is a group of StoreFront servers that share a common configuration and provide access to the same resources.
• StoreFront servers can be grouped together for high availability.
• Server Groups require external load-balancing.
• All servers in a group share a common base-URL pointing to the load-balancer.

Key Notes:
• The main reason for grouping StoreFront servers is to provide high availability.
• Remember each store usually has its own database.
• Subscription Store Database is synced between the hosts automatically.
• Configuration changes need to be manually propagated to other servers.
• Propagating servers means “adding” as well as “deleting” objects like stores & Receiver for Web sites from other servers
of a group.



• Although not a technical limit, StoreFront performs best when the number of the participating servers in a
group is kept to or below six.
• Port 808 is used to keep the database containing the user subscriptions in sync between the StoreFront
servers of a group.
• To manage a multiple-server deployment, use only one server at a time to make changes to the configuration
of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other
servers in the deployment. Any configuration changes you make must be propagated to the other servers in
the group to ensure a consistent configuration across the deployment.

Additional Resources:
• Plan your StoreFront deployment:
• 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release/plan.html
• Configure server groups:
• 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release/configure-server-group.html


Advanced Configuration
StoreFront Stores

• Advanced settings can be configured in the web.config XML files at
• C:\inetpub\wwwroot\Citrix\store
• C:\inetpub\wwwroot\Citrix\storeWeb
• Back up these files before editing them, and propagate changes afterwards to other StoreFront servers.
• Settings include changing the visibility of Apps and Desktop views, update behavior of Citrix
Workspace app and automatic launching of Desktop sessions.

Key Notes:
• Most options can be configured in the StoreFront Console starting with version 3.5.
• Use caution when editing these files – a single missing character can render the complete website unusable!
• Citrix recommends backing up every file before editing it.
• It is advisable to use a syntax highlighting editor like Notepad++ to manage the XML structure of the file.
• Remember that the edited file needs to be propagated like configuration changes as well.
• When you edit the files, be sure to close the StoreFront Management Console.



• …\Store\web.config contains the primary Store functional settings
• List of Controllers
• Advanced XML settings (socket pooling, failure timeouts, etc)
• Authentication settings
• Gateway settings
• …\StoreWeb\web.config contains website settings
• Admin-defined shortcut URL settings
• Plugin assistant and Citrix Workspace app download settings
• App vs Desktop views
• Desktop auto-launch, workspace control, auto-reconnect

Additional Resources:
• How to Disable Desktop Auto Launch in StoreFront (using web.config): https://support.citrix.com/article/CTX139058
• How to Enable/Disable Workspace Control in StoreFront (using web.config): https://support.citrix.com/article/CTX200828
• Advanced store settings:
• 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release/configure-manage-stores/advanced-store-settings.html
• Configure using configuration files:
• 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release/configure-using-configuration-files/strfront.html
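
The back-up, edit and check routine for web.config described above can be scripted. The following PowerShell is an added example, not part of the course material or Citrix tooling; the function names and the backup folder C:\StoreFrontConfigBackups are assumptions.

```powershell
# Added example, not Citrix tooling. Run in an elevated PowerShell session on the
# StoreFront server, with the StoreFront management console closed.
# Assumption: C:\StoreFrontConfigBackups is a hypothetical backup folder kept
# outside the IIS web root so that backup copies are never reachable over HTTP.

function Backup-StoreFrontConfig {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [string]$BackupDirectory = 'C:\StoreFrontConfigBackups'
    )
    if (-not (Test-Path -LiteralPath $BackupDirectory)) {
        New-Item -ItemType Directory -Path $BackupDirectory | Out-Null
    }
    # Put the site folder name (store, storeWeb) and a timestamp in the file name.
    $site   = Split-Path -Leaf (Split-Path -Parent $ConfigPath)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDirectory "$site-web.config.$stamp.bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup
    return $backup
}

function Test-StoreFrontConfigXml {
    # Returns $null when the file is well-formed XML; otherwise the parser
    # message, which names the line and position of the first error.
    # Well-formed does not mean the settings are valid for StoreFront.
    param([Parameter(Mandatory)][string]$ConfigPath)
    $reader = $null
    try {
        $settings = New-Object System.Xml.XmlReaderSettings
        $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
        $reader = [System.Xml.XmlReader]::Create($ConfigPath, $settings)
        while ($reader.Read()) { }
        return $null
    }
    catch {
        return $_.Exception.GetBaseException().Message
    }
    finally {
        if ($reader) { $reader.Close() }
    }
}

function Edit-StoreFrontConfigSafely {
    # Back up web.config, run the supplied edit, and restore the backup
    # automatically if the edit fails or leaves the file malformed.
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][scriptblock]$Edit   # receives the full file path
    )
    $full   = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    $backup = Backup-StoreFrontConfig -ConfigPath $full

    try {
        & $Edit $full
    }
    catch {
        Copy-Item -LiteralPath $backup -Destination $full -Force
        throw "Edit failed, original restored from $backup. Error: $($_.Exception.Message)"
    }

    $xmlError = Test-StoreFrontConfigXml -ConfigPath $full
    if ($xmlError) {
        Copy-Item -LiteralPath $backup -Destination $full -Force
        throw "Edit rejected, original restored from $backup. XML error: $xmlError"
    }

    # The hash records exactly which file content is about to be propagated.
    [pscustomobject]@{
        ConfigPath = $full
        Backup     = $backup
        Sha256     = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    }
}

# Example call (constructed): edit the store's web.config in Notepad and
# validate it once the editor is closed.
# Edit-StoreFrontConfigSafely -ConfigPath 'C:\inetpub\wwwroot\Citrix\store\web.config' `
#     -Edit { param($path) Start-Process notepad.exe -ArgumentList $path -Wait }
```

Propagate the change to the other servers in the group only after the function returns without an error.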


StoreFront Encryption

[Diagram: Secure Communications to StoreFront. Labels: Endpoint Device, Citrix Gateway, Load Balancer (https://SF-LB.workspacelab.com), StoreFront (https://SFS-1.workspacelab.com), HTTPS connections]

To prevent disclosure of the credentials, configure StoreFront to use encryption:
• Use a SSL/TLS certificate on the Load Balancer that users access.
• Install a SSL/TLS certificate on each StoreFront Server.
• Each certificate must match the entered address.
• The respective client has to trust the certificate or the issuing certificate authority.

Key Notes:
• For internal addresses like “training.lab” or “somewhat.local” only certificates from local / private Certificate Authorities can
be used since these domain addresses cannot be validated.
• For external access, multi-factor authentication raises security even more.
• Certificates are prone to expire (depending on their setting, after 1-10 years; shorter validity periods mean more security).
• Authentication services and stores each require certificates for token management. StoreFront generates a self-signed
certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront
should not be used for any other purpose.
• If your users configure their accounts by entering store URLs directly into Citrix Workspace app and do not
use email-based account discovery, the certificate on the StoreFront server need only be valid for that server
and have a valid chain to the root certificate.
• Citrix recommends securing communications between StoreFront and users' devices using Citrix Gateway
and HTTPS. To use HTTPS, StoreFront requires that the Microsoft Internet Information Services (IIS) instance
hosting the authentication service and associated stores is configured for HTTPS. In the absence of the
appropriate IIS configuration, StoreFront uses HTTP for communications. Citrix strongly recommends that you
do not enable unsecured user connections to StoreFront in a production environment.

Additional Resources:
• Secure your StoreFront deployment:
• 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release
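
The certificate conditions above (the name matches the entered address, the client trusts the issuer, the certificate has not expired) can be checked from a client machine. This PowerShell is an added example, not Citrix tooling; the function name and the 30-day warning threshold are assumptions, and the host names in the sample call are the ones shown on the slide.

```powershell
# Added example, not Citrix tooling. Run it from a machine that represents your
# clients: trust is evaluated against the local certificate store.
# Only a TLS handshake is performed; no request or credentials are sent.

function Test-StoreFrontCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,  # the address users enter
        [int]$Port = 443,
        [int]$WarnDays = 30                       # assumed warning threshold
    )
    $state  = @{ Errors = [System.Net.Security.SslPolicyErrors]::None; Cert = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)

        # Record the validation result instead of aborting the handshake, so
        # that every finding can be reported in one pass.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
            param($source, $certificate, $chain, $policyErrors)
            $state.Errors = $policyErrors
            if ($certificate) {
                $state.Cert = New-Object `
                    System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $certificate
            }
            return $true
        }.GetNewClosure())

        $ssl = New-Object System.Net.Security.SslStream `
            -ArgumentList ($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient(
                $HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }

    if (-not $state.Cert) {
        throw "No certificate was presented by ${HostName}:$Port"
    }

    $cert     = $state.Cert
    $errors   = [int]$state.Errors
    $nameFlag = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainFlag = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    [pscustomobject]@{
        HostName     = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        # False when the certificate does not cover the address that was entered.
        NameMatches  = ($errors -band $nameFlag) -eq 0
        # False when this client does not trust the issuer, or when the
        # certificate is already outside its validity period.
        ChainTrusted = ($errors -band $chainFlag) -eq 0
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        ExpiresSoon  = $daysLeft -lt $WarnDays
    }
}

# Example call (host names from the slide): check the load balancer address
# and one StoreFront server address.
# 'SF-LB.workspacelab.com', 'SFS-1.workspacelab.com' |
#     ForEach-Object { Test-StoreFrontCertificate -HostName $_ } |
#     Format-Table HostName, NameMatches, ChainTrusted, DaysLeft, ExpiresSoon
```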


Credential Handling in the Cloud
With On-Premises StoreFront

• User credentials are encrypted by the Citrix Cloud Connector using AES-256 encryption and a
random one-time key generated for each launch.
• The key is never passed into the cloud, and is returned only to Citrix Workspace app.
• The key is then passed to the VDA directly by Citrix Workspace app in order to decrypt the user
password during session launch for a single sign-on experience.

Key Notes:
• A customer-managed StoreFront offers greater security configuration options and flexibility for deployment architecture,
including the ability to maintain user credentials on-premises.
• StoreFront can be hosted behind the Citrix Gateway to provide secure remote access, enforce multifactor
authentication, and add other security features.
• In addition to user credentials, Virtual Apps and Desktops handles 3 other types of credentials:
• Administrator Credentials: Required to authenticate with Citrix Cloud. A successful authentication event returns a
one-time signed JSON Web Token, which grants access to Virtual Apps and Desktops.
• Hypervisor Passwords: Required when creating a Host Connection. Encrypted and stored in SQL DB.
• Active Directory (AD) Credentials: Required at the time of creating a catalog using MCS or PVS. These
credentials are stored only in memory and only held for a single provisioning event.

Additional Resources:
• Technical security overview - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/secure.html


Lesson Objective Review

A Citrix Administrator has created an additional StoreFront Store but wants to
configure the authentication method to be the same as the first Store so users do not have
to log on to each Store separately.

How can the administrator achieve this goal?

In the Managing Authentication Method option for the new Store, select Advanced -> Shared
Authentication Service Settings and ensure the option for Use a shared Authentication Service is
selected. In the dropdown, select the first Store to share the same authentication service.


Workspace Experience User Authentication


Username and Password
Through Cloud Connectors

[Diagram: a user signs in to Workspace (steps 1 to 3); Resource Location A, Resource Location B and Resource Location C each contain a Cloud Connector, for DomainA.local, DomainB.local and DomainC.local]

1. The user authenticates to Workspace Experience.
2. Workspace Experience determines which Resource Location the user belongs to.
3. Workspace Experience forwards the user credentials to a Cloud Connector in the user's Resource Location.

Key Notes:
• When having multiple Resource Locations defined in Citrix Cloud, you can choose which of them exposes a domain to
Citrix Cloud.
• When having the same domain/forest present in multiple Resource Locations, Workspace Experience will round robin the
authentication between all Cloud Connectors in all Resource Locations by default.
• To control this behavior, it is recommended to select the Resource Location with the best performance and least
latency to be responsible for authentication and disable the domain mapping in the other Resource Locations.



• The authentication of a user cannot traverse a domain/forest trust.
• Therefore, a set of Cloud Connectors must be present in each forest that is hosting users.
• A user can be authenticated in one forest and be given access to resources in another forest, which requires
trusts to be created.
• On-premises Authentication Review:
• When StoreFront and Citrix ADC are kept on-premises, the authentication process works very similarly to
an on-premises Virtual Apps and Desktops deployment.
1. The User authenticates to StoreFront or to the Citrix ADC.
2. StoreFront or the Citrix ADC will authenticate to Active Directory, extract all group memberships
for the user and forward the user and group GUIDs to Cloud Connector.
3. Cloud Connector will forward the list of GUIDs to the Delivery Controller in Citrix Cloud for
resource lookup, but the password or authentication ticket will never leave the local network.
• This means that the Username and Password is authenticated locally and never exposed to the
internet.


Federated authentication with Azure AD
Overview

• Features
• Multi-factor authentication
• Federation to different identity providers
• Self-service password change and reset

• Requirements
• On-premises corporate Active Directory
• Azure AD with a user who has global administrator permissions.
• Synchronization between on-premises Active Directory and Azure AD

• Things to note
• Use only the Citrix Cloud Library to manage users and user groups
• Users are prompted to sign in again when launching an app or a desktop
• Users have a different sign-in experience in Azure AD

Key Notes:
• Only the Citrix Cloud Library is supported for managing users and user groups from Azure AD. (Do not specify users and
user groups when creating or editing Delivery Groups.)
• Users are prompted to sign in again when launching an app or a desktop. This is intentional and provides more security,
because the password information flows directly from the user’s device to the VDA that is hosting the session.
• Users have a different sign-in experience in Azure AD. You can customize the sign-in landing page for Azure AD.
• In the future this feature will expose other identity providers to Citrix Cloud including ADFS, OKTA, and Ping.

Additional Resources:
• Announcing Federated Authentication using Azure Active Directory for Virtual Apps Essentials - https://www.citrix.com/blogs/2017/10/12/announcing-federated-authentication-using-azure-active-directory-for-xenapp-essentials/


Federated Authentication
With Azure AD

[Diagram: User Endpoint(s), Workspace in Citrix Cloud, Microsoft Azure, and an on-premises Active Directory Server (sync through Azure Connect); connections numbered 1 to 6]

1. The user accesses Citrix Workspace.
2. The Workspace URL redirects to Azure.
3. The Azure login page is presented to the Endpoint.
4. The user inputs credentials.
5. The credentials are redirected back to Citrix Workspace.
6. Access to Citrix published resources is available to Citrix Workspace App.


Federated authentication with Azure AD
Steps to enable

1. Select Identity and Access Management > My Company’s Identity Providers section > click Connect.
• Enter the last portion of the Administrator Sign-in URL and click Connect. (https://citrix.cloud.com/go/your_sign-in_URL)
2. On the Microsoft login page, enter your Azure AD Global Admin credentials.
• Accept Azure giving permissions to Citrix Cloud.
3. Test authentication via https://citrix.cloud.com/go/your_sign-in_URL.
4. Select Workspace Configuration > Authentication and configure Workspace to use Azure Active
Directory instead of Active Directory, then click Confirm.
5. Verify Subscribers on Library Offerings match the Azure AD Users.

Additional Resources:
• Enable federated authentication using Azure Active Directory - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html


Federated authentication with Azure AD
User Experience

• Users navigate to https://<customer>.cloud.com
• Users are forwarded to Azure AD login page
• Can be customized.
• Users enter credentials and optionally 2 factor authentication
• After authentication Citrix Workspace Experience is displayed

Additional Resources:
• Announcing Federated Authentication using Azure Active Directory - https://www.citrix.com/blogs/2017/10/12/announcing-federated-authentication-using-azure-active-directory-for-xenapp-essentials/


Lesson Objective Review

When integrating with Azure Active Directory,
where do the users enter their credentials?

The users will be redirected to a Microsoft Azure
logon page where they enter their credentials.


Workspace app

What is Citrix Workspace app?

Citrix Workspace app is software that allows client devices to:
• Log on with their credentials
• Enumerate the available list of resources
• Launch the resource (Applications or Desktop)

[Diagram: Endpoints with Citrix Workspace app, Delivery Controller, Resource Machine Running the VDA]


Deploying Citrix Workspace app
Citrix Workspace app Types

Enterprise Software Install through Citrix Workspace
Deployment Types Manual installation
Deployment StoreFront app for HTML5

Install Seamless and Limited feature set
Difficult to customize Customizable
Considerations customizable installation and browser support

Upgrade Universal support and
Managed devices only Supports upgrades No upgrade support
Considerations no installation

Recommended as
Recommended for Recommended for Recommended for
Recommendations secondary (fallback)
managed devices unmanaged devices Advanced users only
option

Key Notes:
• Citrix Workspace app exists for all major OS platforms and it can be used to launch a connection to a VDA after the user
has used a browser to enumerate the published resources, but also as a standalone program that authenticates the user,
enumerates the resources and launches them.

Additional Resources:
• Citrix Workspace app Feature Matrix (includes Receiver for Windows LTSR versions): https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/citrix-workspace-app/Citrix-Workspace-app-Feature-matrix.pdf


The Citrix Workspace app Experience

• Receiver for Web
• User uses a web browser for authentication and enumeration of resources.
• StoreFront produces a launch file.
• Installed Citrix Workspace app opens the launch file and launches the session.

• Citrix Workspace app
• Installed Citrix Workspace app authenticates user to the store and enumerates resources.
• Installed Citrix Workspace app launches the session.

• Citrix Workspace app for HTML5
• User uses a web browser for authentication and enumeration of resources.
• StoreFront generates launch code and pushes Citrix Workspace app for HTML5 to client.
• Citrix Workspace app for HTML5 loads inside new browser window and launches the session.

Key Notes:
• Citrix Workspace app:
• Citrix Receiver for Web (will eventually change to Workspace for Web) sites enables users to access stores through a
web page. The tasks below enable you to modify settings for your Citrix Receiver for Web sites. Some advanced
settings can only be changed by editing the site configuration files.
• Use the Deploy Citrix Receiver feature to configure the behavior of a Citrix Receiver for Web site when a Windows or
Mac OS X user without Citrix Workspace app installed accesses the site. By default, Citrix Receiver for Web sites



automatically attempt to determine whether Citrix Receiver or Citrix Workspace app is installed when
accessed from computers running Windows or Mac OS X.
• If Citrix Receiver or Citrix Workspace app cannot be detected, the user is prompted to download and install
the appropriate Citrix Receiver or Citrix Workspace app for their platform. The default download location is
the Citrix website, but you can also copy the installation files to the StoreFront server and provide users
with these local files instead.
• Connecting via Receiver for Web is comparable to the former Web Interface technology.

• This way of connecting can also apply to mobile devices, where a Citrix Workspace app is installed, but the
user starts application enumeration with the installed browser (for example Safari on iOS devices) and
chooses to open the downloaded launch.ica file with the Citrix Workspace app.
• This setup can be used to deploy the Citrix Workspace app.
• A benefit of this setup is that almost any device can be used, since it requires no configuration; the
launch.ica file transmits most session relevant parameters to the client.
• Requirement for Clients:
• User needs to enter the URL manually & authenticate
• Single Sign On / Password pass-through can be established between domain-joined clients and StoreFront
web sites
• Pre-launch sessions are not supported.
• Citrix Workspace app:
• Citrix Workspace app setup requires the user to install the Citrix Workspace app or to have it pre-installed.
• Citrix Workspace app requires configuration, either manually by the user or by the IT staff.
• This setup can be used together with single sign-on and prelaunch session support; it offers the richest
feature set available.
• Citrix Workspace app attempts to contact beacon points and uses the responses to determine whether
users are connected to local or public networks. When a user accesses a desktop or application, the
location information is passed to the server providing the resource so that appropriate connection details
can be returned to Citrix Workspace app. This ensures that users are not prompted to log on again when
they access a desktop or application.
• The CitrixWorkspaceApp.exe or CitrixReceiver.exe installation packages can be installed in the following

427 © 2021 Citrix Authorized Content


methods:
• By a user from Citrix.com or your own download site
• A first-time Citrix Workspace app user who obtains Citrix Workspace app from Citrix.com or your own
download site can set up an account by entering an email address instead of a server URL. Citrix
Workspace app determines the Citrix Gateway (or Access Gateway) or StoreFront Server associated with
the email address and then prompts the user to log on and continue the installation. This feature is referred
to as "email-based account discovery."
• Note: A first-time user is one who does not have Citrix Workspace app or Receiver installed on the device.
• Email-based account discovery for a first-time user does not apply if Citrix Workspace app or Citrix
Receiver is downloaded from a location other than Citrix.com (such as a Receiver for Web site).
• If your site requires configuration of Citrix Workspace app, use an alternate deployment method.
• Automatically from Receiver for Web or from a Web Interface logon screen.
• A first-time Citrix Workspace app user can set up an account by entering a server URL or downloading a
provisioning (CR) file.
• Using an Electronic Software Distribution (ESD) tool
• A first-time Citrix Workspace app user must enter a server URL or open a provisioning file to set up an
account.
• Citrix Workspace app does not require administrator rights to install unless it will use pass-through
authentication.
• HTML5:
• This setup does not require anything to be installed on the client device since Citrix Workspace app for
HTML5 will be downloaded to the client as part of the website, much like an image or web browser plugin.
• Citrix Workspace app for HTML5 is missing numerous features compared to Citrix Workspace app for
Windows (no file redirection, no bi-directional audio) and other features are implemented using
“workarounds” due to platform limitations (clipboard sync, printing).
• The Citrix Workspace app for HTML5 only supports SSL/TLS connections.
• This setup can also be used to provide additional security, but comes with loss of functionality. Also, if
incompatible versions of Receiver are installed on the client side, a website can be configured to override
the client detection and instead always use Citrix Workspace app for HTML5.
• Additional types of Citrix Workspace app include: Citrix Workspace app for Android, Citrix Workspace app
for Mac, Citrix Workspace app for Chrome, Citrix Workspace app for Linux, Citrix Workspace app for iOS,
and Citrix Workspace app for the Windows Store (support for Windows 10 S).

Additional Resources:
• Configure Citrix Receiver for Web sites: 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release/manage-citrix-receiver-for-web-site/configure-receiver-for-web-sites.html
• Citrix Workspace app Feature Matrix (includes Receiver for Windows LTSR versions): https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf
• Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally: 1912 (LTSR version): https://docs.citrix.com/en-us/storefront/current-release/advanced-configurations/configure-single-fqdn.html
• Citrix Workspace app Install: https://www.citrix.com/downloads/workspace-app/
• Citrix Receiver Install (including LTSR versions): https://www.citrix.com/downloads/citrix-receiver/
• Receiver Internals: How Receiver for HTML5 & Chrome Connections Work: https://www.citrix.com/blogs/2015/07/08/receiver-internals-how-receiver-for-html5-chrome-connections-work/
• Citrix Workspace app (types): https://docs.citrix.com/en-us/citrix-workspace-app
• Citrix Receiver (types): https://docs.citrix.com/en-us/receiver


Citrix Workspace app Configuration
Setup Considerations and Methods to Configure

Setup Configurations
• To use Citrix Workspace app for authentication and enumeration of resources, configure it to use a specific store.
• Citrix Workspace app can automatically discover Stores that are advertised on configured StoreFront servers.
• Stores that are hidden must be explicitly specified.

Methods to Configure
• ADMX
• Email
• StoreFront Activate
• Manual

Key Notes:
• Citrix recommends using the Group Policy Object method, and provides a template file (receiver.adm or
receiver.admx\receiver.adml, depending on OS) to configure settings related to Citrix Workspace app for Windows. Note
that the files retain the Citrix Receiver name for backwards compatibility.
• When delivering applications with Citrix Virtual Apps and Desktops, consider the following options to enhance the
experience for users when they access their applications:
• Web Access Mode - Without any configuration, Citrix Workspace app for Windows provides browser-based access to
applications and desktops. Users simply open a browser to a Receiver for Web or Web Interface site to
select and use the applications that they want. In this mode, no shortcuts are placed on the user's desktop.
• Self Service Mode - By simply adding a StoreFront account to Citrix Workspace app for Windows or
configuring Citrix Workspace app for Windows to point to a StoreFront site, you can configure self-service
mode, which allows users to subscribe to applications from the Citrix Workspace app for Windows user
interface. This enhanced user experience is similar to that of a mobile app store. In self-service mode you
can configure mandatory, auto-provisioned and featured app keyword settings as needed.
• By default, Citrix Workspace app for Windows allows users to select the applications they want to display in
their Start menu.
• Include meaningful descriptions for applications in a Delivery Group. Descriptions are visible to Citrix
Workspace app for Windows users when using Web access or self-service mode.
• Hiding a store does not prevent access to it.
• As shown in the example provisioning file from StoreFront (on the slide), the most important part of the file is
the Address section pointing to a store on a StoreFront server. Most other options pertain to remote access.
• Citrix Workspace app can access up to 10 different Stores.

Additional Resources:
• Configuring the Group Policy Object administrative template:
• Receiver 4.11 LTSR: https://docs.citrix.com/en-us/receiver/windows/current-release/configure/config-gpo-template.html
• Configuring Citrix Workspace Updates: https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/update.html
• Configuring auto-update (Citrix Receiver 4.11 LTSR): https://docs.citrix.com/en-us/receiver/windows/current-release/configure/receiver-update.html


Configure Citrix Workspace app
Use an ADMX File

Recommended for managed endpoints:
• Easy to configure and apply
• Enforces configuration to the managed endpoint

Configuration steps:
1. Copy ADMX and ADML files to Policy Definitions or central store.
2. Create a policy using the Citrix Administrative Template.

Key Notes:
• If Citrix Workspace app for Windows is configured via VDA installation, admx/adml files are found in the Citrix Workspace
app for Windows installation directory. For example: <installation directory>\online plugin\Configuration.
• You can use adm template files to configure a Local GPO and/or a Domain-Based GPO.
• Citrix recommends that you use the template files provided with the latest Citrix Workspace app for Windows. While
importing the latest files, the previous settings are retained.
• One of the main benefits of using the new ADMX files is the central store. This option is available to you when you are
administering domain-based GPOs, although the central store is not used by default. Unlike the case we
discussed earlier with ADM files, the Group Policy Object Editor will not copy ADMX files to each edited GPO
but will provide the ability to read from either a single domain-level location on the domain controller sysvol
(not user configurable) or from the local administrative workstation when the central store is unavailable. You
can share a custom ADMX file by copying the file to the central store, which makes it available automatically
to all Group Policy administrators in a domain. This capability simplifies policy administration and improves
storage optimization for GPO files.
• ADMX files are divided into language-neutral (ADMX) and language-specific (ADML) resources, available to
all Group Policy administrators. These factors allow Group Policy tools to adjust their UI according to the
administrator's configured language.
• An ADMX file should be used for all managed endpoints. It is the fastest and easiest way of configuring
multiple machines in a consistent manner.

Additional Resources:
• Configuring the Group Policy Object administrative template:
• Receiver 4.11 LTSR: https://docs.citrix.com/en-us/receiver/windows/current-release/configure/config-gpo-template.html


Configure Citrix Workspace app
Use Email-Based Discovery

This method of discovery is recommended for unmanaged endpoints, because while end-users are unlikely to know
the load-balanced StoreFront address and site path, all end-users know their email address.

Configuration steps:
• Create SRV locator in DNS pointing to StoreFront
• Service = _citrixreceiver
• Protocol = _tcp
• Port = 443
• Host offering = your StoreFront FQDN

Key Notes:
• You can configure Citrix Gateway to accept user connections by using an email address to discover the StoreFront or
Citrix Gateway URL. The process for user connections is:
• When users connect from inside your network or a remote location and install Citrix Workspace app for the first time,
they enter their email address or the StoreFront URL.
• Citrix Workspace app then queries the appropriate DNS server, which responds with the StoreFront or Citrix Gateway
URL. The URL depends on whether users connect from the internal network or they connect from a remote location.
• Users then log on to Citrix Workspace app with their user name, password, and domain.
• If users connect from a remote location, Citrix Gateway provides the StoreFront URL to Citrix Workspace
app.
• Citrix Workspace app gets the account information from StoreFront. If users connect through Citrix
Gateway, the appliance performs SSO to StoreFront. If more than one account is available, users receive a
list of accounts from which to choose.
• When users log on to an account, a list of applications appears in Citrix Workspace app. Users can then
select an app to open.
• End users cannot be expected to know the load-balanced address of the StoreFront server and the site path.
The only way they will know this is if they read onboarding documentation or somebody walks them through
the process.
• All users know their email address. This provides a much better user experience.

Additional resources:
• Providing users with account information – Citrix Receiver – Email-based account discovery: https://docs.citrix.com/en-us/receiver/windows/current-release/configure/config-provide-account-info.html
• Connecting to StoreFront by Using Email-Based Discovery: https://docs.citrix.com/en-us/netscaler-gateway/12-1/storefront-integration/ng-clg-session-policies-overview-con/ng-clg-storefront-policies-con/ng-clg-storefront-email-discovery-tsk.html
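The SRV settings listed in the configuration steps above can be checked before users rely on email-based discovery. The following is an added example, not part of the Citrix course material: it assumes the record is published under the user's mail domain and is supplied in zone-file text form, and the example.com names and zone lines are constructed.

```python
"""Added example: check SRV records used for email-based account discovery."""

SERVICE, PROTO, PORT = "_citrixreceiver", "_tcp", 443  # values from the slide

# Constructed zone lines (owner ttl IN SRV priority weight port target).
CONSTRUCTED_ZONE = [
    "; constructed records for the example",
    "_citrixreceiver._tcp.example.com. 3600 IN SRV 0 0 443 storefront.example.com.",
    "_citrixreceiver._tcp.lab.example.com. 3600 IN SRV 0 0 8443 old-sf.lab.example.com.",
]


def srv_owner_for(email):
    """Build the SRV owner name for the mail domain of `email` (assumed lookup scope)."""
    local, at, domain = email.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not (local and at and "." in domain):
        raise ValueError(f"not an email address: {email!r}")
    return f"{SERVICE}.{PROTO}.{domain}."


def parse_srv(line):
    """Parse one zone-file style SRV line into a dict."""
    f = line.split()
    if len(f) != 8 or f[2].upper() != "IN" or f[3].upper() != "SRV":
        raise ValueError(f"not an SRV record line: {line!r}")
    return {
        "owner": f[0].lower(),
        "ttl": int(f[1]),
        "priority": int(f[4]),
        "weight": int(f[5]),
        "port": int(f[6]),
        "target": f[7].lower(),
    }


def check_discovery(email, zone_lines, storefront_fqdn):
    """Return a list of findings; an empty list means the record matches the slide."""
    owner = srv_owner_for(email)
    expected_target = storefront_fqdn.rstrip(".").lower() + "."
    records = [
        parse_srv(line)
        for line in zone_lines
        if line.strip() and not line.lstrip().startswith(";")  # skip comments
    ]
    matches = [r for r in records if r["owner"] == owner]
    findings = []
    if not matches:
        findings.append(f"no SRV record for {owner}")
    for r in matches:
        if r["port"] != PORT:
            findings.append(f"{owner}: port {r['port']}, expected {PORT}")
        if r["target"] != expected_target:
            findings.append(f"{owner}: target {r['target']}, expected {expected_target}")
    return findings


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@lab.example.com", "carol@other.example"):
        print(user, check_discovery(user, CONSTRUCTED_ZONE, "storefront.example.com"))
```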


Configure Citrix Workspace app
Use StoreFront Activation

Recommended for unmanaged endpoints:
• Only available when connected to Receiver for Web.
• Not recommended as primary configuration method, as end-user might not see the option.

Process:
• User logs on to Receiver for Web and selects Activate from drop-down list box.
• Browser downloads receiverconfig.cr file.
• User is prompted to add the configuration to Citrix Workspace app.

Key Notes:
• User logs on to StoreFront and uses the Activate feature to configure Citrix Workspace app.
• This method is not very intuitive. End users may miss this feature altogether. They are more likely to find it after using the
system for a while.
• Recommended as another option for configuring unmanaged endpoints. Email-based discovery provides a better end user
experience.

Additional Resources:
• Overview of StoreFront’s provisioning file: https://support.citrix.com/article/CTX135919


Configure Citrix Workspace app
Manual Configuration

• Recommended for advanced users.
• Supports installation from:
• A Network Share
• Windows Explorer
• Command Line
• Allows advanced configuration using Command Line.
• Use the syntax:
CitrixWorkspaceApp.exe [Options]

Key Notes:
• Advanced users can use command-line parameters during installation of Citrix Workspace app.
• Command Line parameters include:
• Workspace updates
• Enable bidirectional content redirection
• Hide Settings Option
• Enable Local App Access
• Display usage information
• Suppress reboot during UI installation
• Silent installation
• Enable single sign on authentication
• Enable single sign on when /includeSSON is specified
• Always-on tracing
• Using the Citrix Customer Experience Improvement Program
• Specify the installation directory (Default: C:\Program Files\Citrix\Workspace)
• Identify a user device
• Dynamic client name
• Install specified components
• Configure Workspace for Windows to manually add Stores
• Etc.

Additional resources:
• Install Workspace app Manually using Command-Line Parameters: https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html


Workspace Control
Workspace Control allows the roaming of sessions.

• Users can manually initiate reconnection to open or disconnect sessions.
• Policies are re-evaluated upon reconnection.
• Process of Workspace Control:
1. User initiates a session from PC001.
2. The same User logs on to PC002.
3. The sessions are disconnected from PC001 and automatically re-connected from PC002.

[Diagram: User Layer (Endpoint-1, Endpoint-2) and Resource Layer (Server OS machine running the VDA, with a session hosting the published app Microsoft Excel); the numbers 1 to 3 mark the steps above.]

Key Notes:
• Workspace Control lets desktops and applications follow a user from one device to another. This ability to roam enables a
user to access all desktops or open applications from anywhere simply by logging on, without having to restart the
desktops or applications on each device. For example, Workspace Control can assist health-care workers in a hospital
who need to move quickly among different workstations and access the same set of applications each time they log on. If
you configure Workspace Control options to allow it, these workers can disconnect from multiple applications at one client
device and then reconnect to open the same applications on a different client device.
• Workspace Control affects the following activities:
• Logging on – By default, Workspace Control enables users to reconnect automatically to all running
desktops and applications when logging on, bypassing the need to re-open them manually. Through
Workspace Control, users can open disconnected desktops or applications, as well as any that are active
on another client device. Disconnecting from a desktop or application leaves it running on the server. If you
have roaming users who need to keep some desktops or applications running on one client device while
they reconnect to a subset of their desktops or applications on another client device, you can configure the
logon reconnection behavior to open only the desktops or applications that the user disconnected from
previously.
• Reconnecting – After logging on to the server, users can reconnect to all of their desktops or applications at
any time by clicking Reconnect. By default, Reconnect opens desktops or applications that are
disconnected, plus any that are currently running on another client device. You can configure Reconnect to
open only those desktops or applications that the user disconnected from previously.
• Logging off – For users opening desktops or applications through StoreFront, you can configure the Log Off
command to log the user off from StoreFront and all active sessions together, or log off from StoreFront
only.
• Disconnecting – Users can disconnect from all running desktops and applications at once, without needing
to disconnect from each individually.
• To Configure Workspace Control:
• Considerations:
• In many environments, this setting is enabled by default.
• To disable or configure Workspace control, modify the settings using the Citrix StoreFront management
console.
• Process High-Level Overview:
1. Within the StoreFront management console, select Stores from the left pane, then choose the store to
modify and in the right pane click on Manage Receiver for Web Sites.
2. In the dialog box, select the Web site URL and click on the button Configure.
3. In the resultant configuration window, click Workspace Control on the left.
4. Confirm the option to Enable workspace control is selected.
5. Using the drop down menu set the Logoff action.
6. Consider the remaining configuration options:
• Automatic reconnection when users log on
• Reconnect and Disconnect Buttons
7. To force the changes in IIS, launch a command prompt and use the iisreset command.
• In addition to using the StoreFront management console, the web.config file stored on the StoreFront
server in Inetpub\wwwroot\Citrix\<Store Name>\web.config can be opened in a text editor, such as
Notepad++, to edit or verify the settings configured in the StoreFront management console.
• workspaceControl enabled="true"
• autoReconnectAtLogon="true"
• logoffAction="disconnect"
• showReconnectButton="true"
• showDisconnectButton="true"
• Consider that Workspace control is enabled by default for Receiver for Web sites.
• To disable this feature modify the web.config file or the Citrix StoreFront management console settings.
• In multiple server deployments, use only one server at a time to make changes to the configuration of the
server group.
• Close all instances of the Citrix StoreFront management consoles on those servers.
• Once complete, propagate the configuration changes to the server group so that the other servers in the
deployment are updated.

Additional Resources:
• Sessions - Workspace control; Session roaming:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/sessions.html


Store Favorites

Users log on to StoreFront and are presented with the option to add applications to their favorites.
• A unique list of favorites is kept for each Citrix Workspace app end user
• Favorites are kept in a Subscription Store, a local file-based database on the StoreFront server

[Diagram: User Layer and StoreFront (in the Access Layer). A user logged in from a laptop and a user logged in from a tablet connect to StoreFront servers in the server group; favorites (Microsoft Word, Microsoft Outlook) are held in the Subscription Store, with replication between the stores.]

Key Notes:
• Subscription Store is stored in
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\<Store Name>\PersistentDictionary.edb folder.
• The Subscription Store contains user Favorites and the Site name in the metadata.
• The subscription consists of a string that includes:
• User SID
• Site/Farm name (as defined in the StoreFront store)
• Application/Desktop name
• Unique, per subscription GUID
• “subscribeddazzle:position#” with the number related to the application/desktop icon position on the screen
so that the icons maintain their order
• StoreFront servers replicate the database information across server group.
• To address some of the most common subscription-related issues, start by restarting the Citrix Subscriptions
Store service.


Auto-Launch

• If there is a single hosted Desktop OS or Server OS desktop for a user, it will start automatically when
the user launches any available published application.
• The Auto-Launch of desktop can be disabled through either the Web.config file or the StoreFront
console.

[Diagram: User Layer (endpoints with Citrix Workspace app), Access Layer (StoreFront), Resource Layer (VDA session with published Microsoft Outlook and published desktop). 1. Icon Delivery. 2. Outlook Launch. 3. Outlook and the published desktop launch in the session.]

Key Notes:
• When an end user has access to a single published desktop, StoreFront assumes that this is what the user wants to
connect to and automatically launches this desktop for the end user.
• StoreFront can be configured to automatically launch specific apps, if needed.
• To disable the desktop auto launch using the Web.config file:
1. Browse to: C:\inetpub\wwwroot\Citrix\StoreWeb
2. Open the Web.config file using Notepad
3. Set the autoLaunchDesktop parameter to "false"
• To disable the desktop auto launch using the StoreFront console:
1. Select the Store and then select "Manage Receiver for Web Sites"
2. Then, select the Store name and then the website
3. Click Configure
4. From within the edit receiver for websites window, select the option "Client Interface Settings"
5. Disable the "Auto launch desktop" checkbox

Additional resources:
• How to Disable Desktop Auto Launch in StoreFront: https://support.citrix.com/article/CTX139058
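The Workspace Control attributes listed earlier and the autoLaunchDesktop parameter described above can be verified on every server of a group by reading web.config directly, which also shows whether a change was propagated. This is an added example, not Citrix code: the wrapper element names, the server names and the baseline of autoLaunchDesktop="false" are assumptions, and the sample files are constructed.

```python
"""Added example: audit Receiver for Web web.config settings across a server group."""
import xml.etree.ElementTree as ET

# Attribute values listed in the course notes for the workspaceControl element.
EXPECTED_WORKSPACE_CONTROL = {
    "enabled": "true",
    "autoReconnectAtLogon": "true",
    "logoffAction": "disconnect",
    "showReconnectButton": "true",
    "showDisconnectButton": "true",
}


def _sample(auto_launch, show_disconnect):
    # Constructed fragment: the wrapper element names are placeholders,
    # not the layout of a real StoreFront web.config.
    return f"""<configuration>
  <constructedWrapper>
    <constructedElement autoLaunchDesktop="{auto_launch}" />
    <workspaceControl enabled="true" autoReconnectAtLogon="true" logoffAction="disconnect"
                      showReconnectButton="true" showDisconnectButton="{show_disconnect}" />
  </constructedWrapper>
</configuration>"""


CONSTRUCTED_GROUP = {"sf-01": _sample("false", "true"), "sf-02": _sample("true", "false")}


def _local(tag):
    """Reduce a namespaced tag such as '{ns}name' to 'name'."""
    return tag.rsplit("}", 1)[-1]


def read_settings(xml_text):
    """Return the workspaceControl attributes and the autoLaunchDesktop value."""
    settings = {"workspaceControl": None, "autoLaunchDesktop": None}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "workspaceControl" and settings["workspaceControl"] is None:
            settings["workspaceControl"] = dict(el.attrib)
        if "autoLaunchDesktop" in el.attrib and settings["autoLaunchDesktop"] is None:
            settings["autoLaunchDesktop"] = el.attrib["autoLaunchDesktop"]
    return settings


def audit(xml_text, expected_wc=EXPECTED_WORKSPACE_CONTROL, expected_auto_launch="false"):
    """Return (setting, expected, found) tuples for every deviation from the baseline."""
    settings = read_settings(xml_text)
    findings = []
    wc = settings["workspaceControl"]
    if wc is None:
        findings.append(("workspaceControl", "present", None))
    else:
        for name, want in expected_wc.items():
            got = wc.get(name)
            if got is None or got.lower() != want.lower():
                findings.append((f"workspaceControl/{name}", want, got))
    got = settings["autoLaunchDesktop"]
    if got is None or got.lower() != expected_auto_launch:
        findings.append(("autoLaunchDesktop", expected_auto_launch, got))
    return findings


def drift(configs):
    """Given {server: xml_text}, return {setting: {server: value}} where servers disagree."""
    flat = {}
    for server, xml_text in configs.items():
        s = read_settings(xml_text)
        values = {f"workspaceControl/{k}": v for k, v in (s["workspaceControl"] or {}).items()}
        values["autoLaunchDesktop"] = s["autoLaunchDesktop"]
        for key, value in values.items():
            flat.setdefault(key, {})[server] = value
    return {
        key: per_server
        for key, per_server in flat.items()
        if len(per_server) < len(configs) or len(set(per_server.values())) > 1
    }


if __name__ == "__main__":
    for name, text in CONSTRUCTED_GROUP.items():
        print(name, audit(text))
    print(drift(CONSTRUCTED_GROUP))
```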


What are StoreFront Beacons?

• StoreFront Beacons are URLs defined in the StoreFront configuration that are downloaded to Citrix
Workspace app upon adding a Store configuration.
• StoreFront Beacons help Citrix Workspace app detect whether the user is currently inside or outside
the trusted network.
• Once the location has been established, Citrix Workspace app will connect to the resources
accordingly, either directly to StoreFront or through Citrix Gateway.

Key Notes:
• Citrix Workspace app attempts to contact beacon points and uses the responses to determine whether users are
connected to local or public networks. When a user accesses a desktop or application, the location information is passed
to the server providing the resource so that appropriate connection details can be returned to Citrix Workspace app. This
ensures that users are not prompted to log on again when they access a desktop or application.

Additional Resources:
• Configure beacon point-StoreFront 1912: https://docs.citrix.com/en-us/storefront/current-release/integrate-with-citrix-gateway-and-citrix-adc/configure-beacon.html


How are StoreFront Beacons Used?

Beacons are configured in the StoreFront Console & consist of:
• Internal Beacon
• Typically, the URL for the StoreFront server or load balancer.
• External Beacon
• Typically, the URL for the external Citrix Gateway logon page.
• Citrix Workspace app will attempt to contact the internal beacon first; if this is unsuccessful, then Receiver
attempts the external.
• Internal Beacon should not be registered on the external DNS server.

[Diagram: Beacon Environment. 1: Citrix Workspace app downloads configuration from StoreFront (saved configuration data). 2: Citrix Workspace app looks up internal Beacon on the DNS servers. 3: Upon successful lookup Citrix Workspace app connects.]

Key Notes:
• Citrix Workspace app uses internal and external URLs as beacon points. By attempting to contact these beacon points,
Citrix Workspace app can determine whether users are connected to local or public networks. When a user accesses a
desktop or application, the location information is passed to the server providing the resource so that appropriate
connection details can be returned to Citrix Workspace app. This enables Citrix Workspace app to ensure that users are
not prompted to log on again when they access a desktop or application.
• Beacons are URLs that Citrix Workspace app uses to determine its location and connection method based on that
location.
• You can configure the following:
• Internal beacons.
• External beacons.
• Since StoreFront 2.6, using the same internal and external logon point URL is supported.

Additional Resources:
• Configure beacon point-StoreFront 1912: https://docs.citrix.com/en-us/storefront/current-release/integrate-with-citrix-gateway-and-citrix-adc/configure-beacon.html


StoreFront Beacon Points
Internal vs External

Default Internal Beacon Point
• The default internal Beacon Point will be the hostname of the first StoreFront server in a server group.
• This should be changed when adding more servers to the server group
• Citrix recommends using the FQDN of the load balancer virtual server as the internal Beacon point

Default External Beacon Point
• Before adding a Citrix Gateway to the StoreFront configuration, an external Beacon will not appear
• When adding a Citrix Gateway, the Beacon point will be the web address to configure on the Deployment tab,
which is typically the Citrix Gateway FQDN
• The Citrix.com FQDN will also appear under beacons; this is used to ensure Citrix Workspace app has an
internet connection.

Key Notes:
• Internal beacons: You can configure one internal beacon and zero to many external beacons. The default setting for the
internal beacon is to use the StoreFront URL. To use your own beacon, you clear the default setting and then enter the
URL in the text box. The internal beacon accepts a valid URL format only. You can use one URL and it allows a maximum
of 256 characters.
• External beacons: The default setting for external beacons uses the web address you configure on the Deployment tab,
which is typically the Citrix Gateway FQDN. To use your own beacon, you clear the default setting and enter the URL in
the text box. The external beacon accepts comma-separated URLs without spaces after the comma. For
example, you can enter https://cg1.company.com,https://cg2.company.com,https://cg3.company.com. The
maximum length allowed is 1,024 characters.


StoreFront Beacon Communication
Scenario 1 of 4:

Citrix Workspace app uses beacons to determine location and network availability and request routing
information accordingly.
• No beacon is reachable.
• If no beacon is reachable, Citrix Workspace app is offline.
• Citrix Workspace app does not prompt user.

[Diagram: Beacon Environment. Citrix Workspace app, Internet, Firewall, Citrix Gateway, Intranet, StoreFront Store.]

Key Notes:
• Use the Manage Beacons task to specify URLs inside and outside your internal network to be used as beacon points.
Beacons are web addresses, typically to StoreFront, Citrix Endpoint Management, or Citrix Gateway. You can configure
the following:
• Internal beacons. You can configure one internal beacon and zero to many external beacons. The default setting for the
internal beacon is to use the StoreFront or Citrix Endpoint Management FQDN. If you have earlier editions of Citrix
Endpoint Management, use the App Controller FQDN. If you keep the default setting for the internal beacon, Citrix
Endpoint Management disables the text box. To use your own beacon, you clear the default setting and
then enter the URL in the text box. The internal beacon accepts a valid URL format only. You can use one
URL and it allows a maximum of 256 characters.
• External beacons. The default setting for external beacons uses the web address you configure on the
Deployment tab, which is typically the Citrix Gateway FQDN. To use your own beacon, you clear the default
setting and enter the URL in the text box. The external beacon accepts comma-separated URLs without
spaces after the comma. For example, you can enter https://ng1.com,https://ng2.com,https://ng3.com. The
maximum length allowed is 1,024 characters.
• There is an additional conclusion for Citrix Workspace app: if all beacons resolve to the same content,
Citrix Workspace app assumes that it is behind a paywall (a catch-all portal / captive portal / proxy solution
commonly found in public / guest Wi-Fi networks that redirects all requests to the same website, either to
acknowledge terms of service or to buy internet access).
• StoreFront sets the default internal beacon to the configured StoreFront address, which should NOT be
resolvable outside the LAN.

Additional Resources:
• How to Successfully Test Citrix StoreFront Beacons Inside a Remote Desktop Session: https://support.citrix.com/article/CTX132037
• StoreFront Planning Guide: https://support.citrix.com/article/CTX136547
• Configure beacon point-StoreFront 1912: https://docs.citrix.com/en-us/storefront/current-release/integrate-with-citrix-gateway-and-citrix-adc/configure-beacon.html


StoreFront Beacon Communication
Scenario 2 of 4:

• The internal beacon is reachable.
• If the internal beacon is reachable, Citrix Workspace app is on an internal intranet connection.
• No Citrix Gateway is necessary to connect to StoreFront and VDAs.

[Diagram: Beacon Environment. Internet, Firewall, Citrix Gateway, Citrix Workspace app, Intranet, StoreFront Store.]

Additional Resources:
• How to Successfully Test Citrix StoreFront Beacons Inside a Remote Desktop Session:
https://support.citrix.com/article/CTX132037
• Configure beacon point-StoreFront 1912: https://docs.citrix.com/en-us/storefront/current-release/integrate-with-citrix-gateway-and-citrix-adc/configure-beacon.html


StoreFront Beacon Communication
Scenario 3 of 4:

• The external beacon is reachable.
• If the external beacon is reachable, but the internal beacon is not reachable, Citrix Workspace app is online,
but outside the corporate network.
• Citrix Gateway is necessary to reach Citrix StoreFront and the VDAs from an external network.

[Diagram: Beacon Environment. Citrix Workspace app, Internet, Firewall, Citrix Gateway, Intranet, StoreFront Store.]

Additional Resources:
• How to Successfully Test Citrix StoreFront Beacons Inside a Remote Desktop Session:
https://support.citrix.com/article/CTX132037
• StoreFront Planning Guide: https://support.citrix.com/article/CTX136547
• Configure beacon point-StoreFront 1912: https://docs.citrix.com/en-us/storefront/current-release/integrate-with-citrix-gateway-and-citrix-adc/configure-beacon.html


StoreFront Beacon Communication
Scenario 4 of 4:

Beacon Environment

• All external beacons resolve to the same website.
• If all external beacons resolve to the same website, Citrix Workspace app is behind a paywall.
• Citrix Workspace app does not offer authentication or starting applications.

[Diagram: Citrix Workspace app, Internet, Firewall, Citrix Gateway, Intranet, StoreFront Store]

Additional Resources:
• How to Successfully Test Citrix StoreFront Beacons Inside a Remote Desktop Session: https://support.citrix.com/article/CTX132037
• StoreFront Planning Guide: https://support.citrix.com/article/CTX136547
• Configure beacon point-StoreFront 1912: https://docs.citrix.com/en-us/storefront/current-release/integrate-with-citrix-gateway-and-citrix-adc/configure-beacon.html


Launch a Published Resource
Users can use any Citrix Workspace app to launch published resources.

• Workspace app for Android
• Workspace app for HTML5
• Workspace app for Mac
• Workspace app for Windows
• Workspace app for Windows (Store)
• Workspace app for Chrome
• Workspace app for Linux
• Workspace app for iOS

[Diagram: an End User Device launching an App or Desktop (Microsoft Excel, Internet Explorer, Microsoft PowerPoint, Skype for Business)]

Key Notes:
• Application launched can be hosted on Desktop OS or Server OS.
• Desktop launched can be Desktop OS or Server OS.

Additional Resources:
• Citrix Workspace app (types): https://docs.citrix.com/en-us/citrix-workspace-app
• Citrix Receiver (types): http://docs.citrix.com/en-us/receiver.html


Lesson Objective Review

Scenario: Choose the easiest Citrix Workspace app type to deploy to 50 task workers that do not require any device mappings.

Which type of Citrix Workspace app should you recommend?

Citrix Workspace app for HTML5 is the easiest to deploy; it requires no Citrix components to be installed on the client.


Communication Flow


Workspace Experience
Communication Flow (1/2)

1. Workspace app contacts Workspace in Cloud.
2. Workspace authenticates with Cloud Delivery Controller.
3. Cloud Delivery Controller proxies authentication to Cloud Connector.
4. Cloud Connector queries Domain Controller.
5. Cloud Delivery Controller queries the database.

[Diagram: Citrix Cloud (License Server, Studio, Director, Delivery Controller, Site Database, Citrix Gateway Service, Workspace) and the on-premises User, Access, Control, Resource and Compute Layers, with steps 1-5 marked]

Key Notes:
• It is worth noticing that the Workspace Experience passes the credentials to Citrix Cloud Delivery Controllers, which then proxy the authentication to Citrix Cloud Connectors. Finally, the Cloud Connectors talk to Domain Controllers to authenticate the users.
• Credentials are being parsed in the Cloud. This might be a security concern for some organizations.
• Workspace does not support direct authentication since it is not a member of the domain.


Workspace Experience
Communication Flow (2/2)

6. Cloud Delivery Controller returns XML to Workspace.
7. Workspace displays available resources.
8. User selects a resource.
9. Cloud Delivery Controller checks out license.
10. Cloud Delivery Controller checks resource availability through Cloud Connector.

[Diagram: Citrix Cloud (License Server, Studio, Director, Delivery Controller, Site Database, Citrix Gateway Service, Workspace) and the on-premises User, Access, Control, Resource and Compute Layers, with steps 6-10 marked]

Key Notes:
• If a user logs in to Workspace and a single Desktop is published, then the desktop will auto-launch.
• This is a default behavior and cannot be customized for a Cloud Hosted StoreFront.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 5

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercises.


StoreFront On-Premises
Communication Flow (1/2)

1. Workspace app contacts StoreFront on LAN.
2. StoreFront authenticates with AD.
3. StoreFront forwards credentials to XML service on Cloud Connector.
4. Cloud Connector proxies the XML request to Cloud Delivery Controller.
5. Cloud Delivery Controller queries the database.

[Diagram: Citrix Cloud (License Server, Studio, Director, Delivery Controller, Site Database, Citrix Gateway Service, Workspace) and the on-premises User, Access, Control, Resource and Compute Layers, with steps 1-5 marked]

Key Notes:
• It is worth noticing that the on-premises StoreFront communicates with Cloud Connector servers and Cloud Connector servers proxy the data to the Cloud Hosted Virtual Apps and Desktops.
• An on-premises StoreFront offers greater security configuration options and flexibility for deployment architecture, including the ability to maintain user credentials on-premises.
• StoreFront can be hosted behind the Citrix Gateway in order to enforce multi-factor authentication and other security features.
• The authentication in this deployment method happens on-premises; after the user has been authenticated, credentials are sent via the Cloud Connector to the Cloud Delivery Controller for resource enumeration.


StoreFront On-Premises
Communication Flow (2/2)

6. Cloud Delivery Controller returns XML to Cloud Connector.
7. StoreFront displays available resources.
8. User selects a resource.
9. Cloud Delivery Controller checks out license.
10. Cloud Connector checks resource availability.

[Diagram: Citrix Cloud (License Server, Studio, Director, Delivery Controller, Site Database, Citrix Gateway Service, Workspace) and the on-premises User, Access, Control, Resource and Compute Layers, with steps 6-10 marked]

Key Notes:
• StoreFront on-premises does not support delegating authentication to the Delivery Controllers in a cloud deployment.


Configure On-Premises StoreFront with Cloud Connectors

Key Notes:
• When using on-premises StoreFront and Citrix ADC, a customer can choose to integrate both the Virtual Apps and Desktops by pointing at the Cloud Connectors. Additionally, customers can also add their on-premises Delivery Controllers as a separate Site. Doing this will aggregate all the resources available for users between both the on-premises site and Citrix Cloud.
• By default, the XML service is only exposing port 80 on the Citrix Cloud Connectors.
  • This should be changed by adding a certificate to the Cloud Connector servers.
  • Certificate can be bound using IIS or by manually attaching it to XAXDProxyService.
  • Similar process to binding certificate to Delivery Controller.
• Citrix leading practice is to load balance the Delivery Controllers using a Citrix ADC.
  • With this configuration, specify the Citrix ADC load balancing virtual server as the first XML server in the list.
  • List the XML servers next.
  • Deselect the option “Servers are load balanced”.

Additional Resources:
• How to Enable SSL on Virtual Desktops 7.x Controllers to Secure XML Traffic: https://support.citrix.com/article/CTX200415


Lesson Objective Review

Can an on-premise StoreFront use delegated authentication towards the Cloud Connectors?

No, with an on-premise StoreFront, only direct authentication is supported.


Lab Exercises

Module 5


Lab Exercise
• Exercise 5-1: Install the StoreFront Server
• Exercise 5-2: Create a StoreFront Store
• Exercise 5-3: Encrypt the Store Traffic
• Exercise 5-4: Set the Store Default Page in IIS
• Exercise 5-5: Configure the Store Default Domain

• Exercise 5-6: Adjust the StoreFront Timeout
• Exercise 5-7: Deploy Citrix Workspace app
• Exercise 5-8: Configure Email-Based Account Discovery
• Exercise 5-9: Add Store Favorites
• Exercise 5-10: Disable Desktop Auto-Launch
• Exercise 5-11: Modify Workspace Control Settings
• Exercise 5-12: Launch an App and Desktop from a Server OS
• Exercise 5-13: Launch a Desktop from a Desktop OS


Key Takeaways

• For access to icons from the Citrix Virtual Apps and Desktops Site, StoreFront can be deployed to On-Premise or within Citrix Cloud.
• User Credentials are authenticated by Active Directory through the Cloud Connector.
• Citrix Workspace App is the endpoint device software used to make a connection to an app or a desktop.


Citrix Virtual Apps and Desktops 7
Administration On-Premise and In
Citrix Cloud

Manage the User Experience

Module 06


Learning Objective

• Introduce methods to manage the user experience.
• Identify common user experience settings.


Methods to Manage the User Experience


Methods to Enable, Disable, and Control Settings in Citrix Virtual
Apps and Desktops

• Microsoft Group Policy Management Console (GPMC)
• Citrix Studio
• Citrix Workspace Environment Management (WEM)

Key Notes:
• Group Policy Management Console (GPMC): Microsoft Management Console (MMC) based tool used to apply or manage user / computer settings.
• Citrix Studio: Microsoft Management Console (MMC) based tool used to manage the Citrix Virtual Apps and Desktops. The tool provides the capability to apply or manage Citrix specific settings related to Virtual Apps or Desktops.
• Citrix Workspace Environment Management (WEM): A Citrix solution to provide the best user experience using intelligent resource management and Profile Management technologies. An administration console is used to configure and manage Citrix WEM. The Citrix WEM console allows administrators to configure user / computer settings and enforce them on any machine having the WEM agent installed.

Additional Resources:
• Policies (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies.html


Policies Introduction

• Policies are a collection of settings that define how sessions, bandwidth, and security are managed for a group of users, devices, or connection types.
• They define the user environment within a session, as well as the machine hosting the session.

Key Notes:
• Policies are a collection of settings that define how sessions, bandwidth, and security are managed for a group of users, devices, or connection types.
• You can apply policy settings to physical and virtual machines, or to users. You can apply settings to individual users at the local level or in security groups in Active Directory. The configurations define specific criteria and rules, and if you do not specifically assign the policies, the settings are applied to all connections.

Additional Resources:
• Policies (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies.html


Citrix Policy Engine

• Citrix policy engine can connect with three different consoles:
  • Local Group Policy Editor (Gpedit.msc)
  • Citrix Studio
  • Group Policy Management Console (GPMC)
• Citrix Policy engine is installed:
  • On all Delivery Controllers, by default.
  • Automatically with Studio.
  • Manually using the installation media on other computers.

* Save location will be different depending on the console used to create a Citrix policy.
  • Local Group Policy Editor with installed Citrix Policy Engine: saves to local registry
  • Citrix Studio with installed Citrix Policy Engine: saves to Site Database
  • GPMC with installed Citrix Policy Engine: saves to AD Sysvol Share

Key Notes:
• According to leading practices, Citrix policies should be created either in Active Directory or Citrix Studio, but not both at the same time.
• The Citrix Group Policy management extension is required to actually see and edit the Citrix policies “inside” the Microsoft GPOs.
• These extensions can be installed silently together with Citrix Studio or explicitly from a directory on the Citrix Virtual Apps and Desktops installation media – both x64/x86 versions exist in separate directories.
• These extensions are only needed on systems that will be used to create or modify the Citrix policies.


Policy Precedence
Policy Precedence Considerations

• All Group Policies are applied in the following order: Local, Citrix Local (Site Database), Site, Domain and OU.
• The last applied policy is the winning policy.
• Although it is possible to create Citrix Policies from different places, it can cause conflicts resulting in settings overriding each other, depending on the order in which they are applied, and their order of precedence.

[Diagram: Local Computer (Gpedit.msc), Citrix Local (Site Database), Site, Domain, Organizational Unit, with arrows for order of application and order of precedence]

Key Notes:
• Group Policy settings are processed in the following order:
  • Local GPO
  • Citrix local (stored in the Site database)
  • Site-level GPOs
  • Domain-level GPOs
  • Organizational Units
• However, if a conflict occurs, policy settings that are processed last can overwrite those that are processed earlier. This means that policy settings take precedence in the following order:
  • Organizational Units
  • Domain-level GPOs
  • Site-level GPOs
  • Citrix local (stored in the Site database)
  • Local GPO
• Citrix local policies from the Site database are transferred to the VDA and written to the registry upon registration of the VDA and on logon of a user.
• Citrix local policies cannot modify settings on VDAs that have not (yet) registered to the Site or which are registered to a different Site.

Additional Resources:
• Policies (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies.html


Citrix Policy Locations

• GPO Site Level, GPO Domain Level, GPO OU Level: Use the Microsoft Group Policy Management Console (GPMC) to create Microsoft Group Policy Objects (GPO).
• Local Policies: Use the Microsoft Local Group Policy Editor to create Local Policies.
• Citrix Site: Use Citrix Studio to create Citrix Site Policies.

Key Notes:
• All Citrix Local Policies are created and managed in the Citrix Studio console and stored in the Site Database; whereas, Group Policies are created and managed with the Microsoft Group Policy Management Console (GPMC) and stored in Active Directory. Microsoft Local Policies are created in the Windows Operating System and are stored in the registry.
• Studio uses a Modeling Wizard to help administrators compare configuration settings within templates and policies to help eliminate conflicting and redundant settings. Administrators can set GPOs using the GPMC to configure settings and apply them to a target set of users at different levels of the network.
• These GPOs are saved in Active Directory, and access to the management of these settings is generally restricted for most of IT for security.
• Settings are merged according to priority and their condition. Any disabled setting overrides a lower-ranked enabled setting. Un-configured policy settings are ignored and do not override lower-ranked settings.
• Local policies can also have conflicts with group policies in Active Directory, which could override each other depending on the situation.
• Policy Precedence Considerations:
  • All Group Policies are applied in the following order: Local, Citrix Local (Site Database), Site, Domain and OU.
  • The last applied policy is the winning policy.
  • Although it is possible to create Citrix Policies from different places, it can cause conflicts resulting in settings overriding each other, depending on the order in which they are applied, and their order of precedence.
• Group Policy settings are processed in the following order:
  • Local GPO
  • Citrix local (stored in the Site database)
  • Site-level GPOs
  • Domain-level GPOs
  • Organizational Units
• However, if a conflict occurs, policy settings that are processed last can overwrite those that are processed earlier. This means that policy settings take precedence in the following order:
  • Organizational Units
  • Domain-level GPOs
  • Site-level GPOs
  • Citrix local (stored in the Site database)
  • Local GPO
• Citrix local policies from the Site database are transferred to the VDA and written to the registry upon registration of the VDA and on logon of a user.
• Citrix local policies cannot modify settings on VDAs that have not (yet) registered to the Site or which are registered to a different Site.

Additional Resources:
• Policies (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies.html
• Group Policy Loopback mode explanation: https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/


Citrix Policy Permission Considerations

• GPO Site Level, GPO Domain Level, GPO OU Level: Using the Microsoft Group Policy Management Console (GPMC) to create policies requires Active Directory administrative privileges.
• Local Policies: Using the Microsoft Local Group Policy Editor requires local administrative privileges.
• Citrix Site: Using Citrix Studio to create Policies requires Site administrative privileges.

Key Notes:
• Consider that the permissions to create / modify GPOs are required for Site, Domain, and OU based policies. However, Citrix Site policies can be configured by Citrix Administrators in Studio, so that settings can still be applied to VDAs even though the administrators have no AD permissions.


Citrix Policy Settings Introduction

• The Citrix Policy Settings are organized into sections.
• Each section has a collection of Citrix Policy settings and in some cases provides additional sub-sections for more in-depth configuration.
• The following list is a high-level overview of the Citrix Policy settings Sections:
  • ICA policy settings
  • Load Management policy settings
  • Profile Management policy settings
  • Receiver policy settings
  • Virtual Delivery Agent (VDA) policy settings
  • Virtual IP policy settings
• The sections and the policy settings contained within the sections are in a state of growth from product build to build; review Citrix online documentation when changing product builds.

Key Notes:
• Use Case Examples for the high-level Citrix policy sections:
  • ICA policy settings
  • Load Management policy settings
  • Profile Management policy settings
  • Receiver policy settings
  • Virtual Delivery Agent (VDA) policy settings
  • Virtual IP policy settings

Additional Resources:
• Policies reference: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference.html
• Policies (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies.html


Citrix Policy Settings
Examples (1 of 2)

Category: ICA policies
• Use case (example): Enforce user’s local time within the Citrix HDX session.
  Relevant policy settings (examples): Use local time of client; Estimate local time for legacy clients
• Use case (example): High-latency low bandwidth user connections.
  Relevant policy settings (examples): View Window contents while dragging; Limit video quality; Target frame rate and color depth

Category: Load management policies
• Use case (example): Manage VDA resource utilization and performance
  Relevant policy settings (examples): Concurrent logon tolerance; CPU usage; Maximum number of sessions

Category: Profile Management Policies
• Use case (example): User personalization with pooled random machines
  Relevant policy settings (examples): Enable Profile management; Path to user store
• Use case (example): Improve logon performance
  Relevant policy settings (examples): Redirection setting for Documents, Downloads, Desktop etc.; Profile Streaming

Key Notes:
• In the first example, ICA policies can be used to adjust the time zone settings within the HDX session. The Use local time of client policy can be used to enforce the time zone setting of the user session. Similarly, to reduce the amount of HDX data transiting over a low bandwidth network, ICA policies can be used to limit video quality, reduce target frame rate and color depth.

Additional Resources:
• Policies reference: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference.html


Citrix Policy Settings
Examples (2 of 2)

Category: Receiver Policies
• Use case (example): To control the update behavior
  Relevant policy settings (examples): Enable or Disable AutoUpdate; Set the Delay in checking for Update
• Use case (example): Configuring StoreFront
  Relevant policy settings (examples): StoreFront Accounts List

Category: VDA Policies
• Use case (example): Configure Delivery Controller address
  Relevant policy settings (examples): Enable Auto-update for Controllers; Controllers; Controller registration port
• Use case (example): Monitoring
  Relevant policy settings (examples): Enable process monitoring; Enable resource monitoring; IOPs and disk latency data.

Category: Virtual IP policy settings
• Use case (example): Configure per session virtual loopback address
  Relevant policy settings (examples): Virtual IP loopback support; Virtual IP virtual loopback program list

Additional Resources:
• Policies reference: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference.html


Citrix Policy GPO Loopback Considerations

When you enable loopback processing, you also have to select the desired mode.

• There are two modes for loopback processing:
  • Merge
  • Replace
• Loopback Mode set to Merge:
  • All user settings from the Users’ OU are applied.
  • All user settings from Computers’ OU are applied, overwriting conflicting settings.
• Loopback Mode set to Replace:
  • No user settings from the OU of user are applied.
  • Only User settings from the OU of computers are applied.

Key Notes:
• When you enable loopback processing, you also have to select the desired mode. There are two modes for loopback processing: Merge or Replace.
• During loopback processing in merge mode, user GPOs process first (exactly as they do during normal policy processing), but with an additional step. Following normal user policy processing the Group Policy engine applies user settings from GPOs linked to the computer’s OU. The result – the user receives all user settings from GPOs applied to the user and all user settings from GPOs applied to the computer. The user settings from the computer’s GPOs win any conflicts since they apply last.
• During loopback processing in Replace Mode, the user settings applied to the computer “replace” those applied to the user. In actuality, the Group Policy service skips the GPOs linked to the user’s OU. Group Policy effectively processes as if user object was in the OU of the computer rather than its current OU.
• “Replace” might mean that necessary settings from other GPOs for the user will be missing, like Folder Redirection etc.
• Merge wins conflicts (1 vs A), but settings without conflict will apply. Replace eliminates conflicts by discarding ABC completely.
• Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs.
• Administrators use loopback processing in kiosk, lab, and Terminal Server environments to provide a consistent user experience across all computers, regardless of the GPOs linked to the user’s OU.
• Loopback mode has to be enabled for a machine; it is a computer setting.
• The screenshot explains the order of policy application and how the computer “loops back” to re-evaluate all User settings from the GPOs that apply to the computer object.
• Loopback mode is useful when permissions restrict attaching a GPO to the users’ OU, or more often specific settings for users are required depending on the machine they log on to.
• Loopback Example:
  • If Nurse1 logs on to VDA-W12-01, the GPOs would apply in this order:
    • Computer settings from Domain
    • Computer settings from OU of VDA
    • Computer settings from Sub-OU of VDA
    • User settings from Domain
    • User settings from OU of Nurse1
  • With Loopback Mode enabled for the Computer, additionally User settings apply:
    • User settings from OU of VDA
    • User settings from Sub-OU of VDA

Additional Resources:
• Group Policy Loopback mode explanation: https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/

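
The processing order from the Policy Precedence notes and the two loopback modes described above can be modelled in a few lines. This is an added example, not part of the original course material; the setting names, values and the file server path are constructed, and only Nurse1, VDA-W12-01 and the OU descriptions come from the slide.

```python
"""Added illustration: Group Policy processing order and loopback modes."""

# Processing order from the slides; on conflict the layer applied last wins.
PROCESSING_ORDER = ["local", "citrix_local", "site", "domain", "ou"]
LOOPBACK_MODES = (None, "merge", "replace")


def apply_layers(gpos):
    """Apply GPOs in processing order and return {setting: (value, gpo_name)}.

    A value of None models "not configured": it is ignored and never
    overrides a value set by an earlier layer.
    """
    result = {}
    # sorted() is stable, so GPOs on the same level keep their list order
    # (for example parent OU before sub-OU).
    for gpo in sorted(gpos, key=lambda g: PROCESSING_ORDER.index(g["level"])):
        for setting, value in gpo["settings"].items():
            if value is not None:
                result[setting] = (value, gpo["name"])
    return result


def resultant_user_settings(user_scope, computer_scope, loopback=None):
    """Resolve the user settings of a session.

    user_scope / computer_scope: GPOs that apply to the user object and to
    the computer object; only their *user* settings are modelled here.
    """
    if loopback not in LOOPBACK_MODES:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    if loopback == "replace":
        # GPOs linked to the user's OU are skipped entirely.
        return apply_layers(computer_scope)
    result = apply_layers(user_scope)
    if loopback == "merge":
        # User settings from the computer's GPOs apply last and win conflicts.
        result.update(apply_layers(computer_scope))
    return result


# Constructed sample data for Nurse1 logging on to VDA-W12-01.
DOMAIN = {"name": "Domain", "level": "domain",
          "settings": {"screensaver_timeout": 900, "folder_redirection": None}}
NURSE_OU = {"name": "OU of Nurse1", "level": "ou",
            "settings": {"folder_redirection": r"\\fs01\nurses",
                         "clipboard": "enabled"}}
VDA_OU = {"name": "OU of VDA", "level": "ou",
          "settings": {"clipboard": "disabled"}}
VDA_SUB_OU = {"name": "Sub-OU of VDA", "level": "ou",
              "settings": {"screensaver_timeout": 300}}

USER_SCOPE = [NURSE_OU, DOMAIN]                 # deliberately unordered
COMPUTER_SCOPE = [DOMAIN, VDA_OU, VDA_SUB_OU]

if __name__ == "__main__":
    for mode in LOOPBACK_MODES:
        print(mode, resultant_user_settings(USER_SCOPE, COMPUTER_SCOPE, mode))
```

In Replace mode the folder redirection setting from the user's OU disappears from the result, which is the missing-settings risk the notes mention.
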
Citrix Policy Priority
• If multiple policies are linked to an OU, the link order determines their precedence.
• Policies that have lower numbers take precedence over policies with higher numbers.
• If multiple Citrix Policies exist within a single GPO, their priority is used for conflict resolution.
• If Studio Site policies are used, then highest priority wins as well.
• Policies can be disabled to exclude them from processing.

[Diagram: Example OU Structure: Citrix Production, New York, Infrastructure Servers, VDAs, Windows 2016 Published Desktops, Windows 10 VDI Random, Test Citrix]

Key Notes:
• Because it’s possible (and even likely) that you may have multiple GPOs to apply, there is always the possibility that these GPOs will have conflicting settings. In this case, how do we know which GPO will win and have its settings applied? The simple rule to remember is that the last GPO applied will overwrite any settings applied earlier. And the GPOs closest to the client location in the directory structure will be applied last. The order goes as follows:
  • Local
  • Site
  • Domain
  • Organizational Unit
• In both Citrix and Microsoft Policies, a lower number means higher precedence. The Local, Site, Domain, OU order still applies – the link order system is used only for conflict resolution inside a single OU, while the Priority system is used for conflict resolution inside a GPO.
• New Citrix Policies are added to the priority list with a higher number – so they would not have much effect and need to be repositioned to their correct rank.
• The priority numbers will be re-numbered automatically, if needed, so no gaps will exist.

Additional Resources:
• Group Policy Basics – Part 2: Understanding Which GPOs to Apply: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/


Citrix Policy Filters

• Filtered policies only apply to the filtered targets.
• Policies without filters apply to all users and connections.
• Combine multiple filters for more complex scenarios.
• Filters are AND-combined.
• Available filters are different for User/Computer settings.
• Filters can allow or deny the application of a policy by reversing their expression.

[Diagram: Policy Filters: Access Control, Citrix CloudBridge, Client IP Address, Client Name, Delivery Group, Delivery Group Type, Tag, User or Group]

Key Notes:
• In Studio, policies and templates are displayed in a single list regardless of whether they contain user, computer or both types of settings and can be applied using both user and computer filters.
• Studio Policy Filters summary overview:
  • Access Control – use Citrix Gateway EPA scans to detect client scenarios
  • Citrix CloudBridge – detect the presence of the bandwidth saving appliance (Note current name of the CloudBridge product is SD-WAN).
  • Client IP address – filter on ranges or specific addresses
  • Client name – filter on client names
  • Delivery Group – apply policies to named Delivery Groups
  • Delivery Group type – apply policies to certain types of Delivery Groups (like shared or private VDAs)
  • Tag – filter policies based on tags from Citrix Studio
  • User or Group – apply the policy to specific domain users or groups
  • Organizational Unit (only within Studio) – filter the policy on the OU of the VDAs
• If multiple Filters are set, they will be AND-combined. Only if each Filter result is true, the policy will apply. (Think of “the more you filter, the less you target”). Example: Filter A set to domain\nurse-group, Filter B set to 192.168.10.20 would only match for specific nurses logging on from a specific address.

Additional Resources:
• Create Policies (LTSR 1912): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/policies-create.html
• Cloud Bridge: https://docs.citrix.com/en-us/legacy-archive/cloudbridge.html



Citrix Policy Resultant Set Recommendations

• Most settings are enabled by default, which could compromise security.
• Create a policy with settings that apply to most users and scenarios.
• Rank this policy lowest.
• Do not filter this policy.
• Define exceptions in higher ranking policies.
• Do not use the “Unfiltered” policy

Key Notes:
• Assign policies to groups rather than individual users. If you assign policies to groups, assignments are updated automatically when you add or remove users from the group.
• Do not enable conflicting or overlapping settings in Remote Desktop Session Host Configuration. In some cases, Remote Desktop Session Host Configuration provides similar functionality to Citrix Policy settings. When possible, keep all settings consistent (enabled or disabled) for ease of troubleshooting.
• Disable unused policies. Policies with no settings added create unnecessary processing.
• An unfiltered, lowest-ranking policy with custom settings is basically “a new system default” more suitable for the company.
• Exceptions from the baseline can be defined on a per user/per scenario basis in higher ranking policies that are filtered to specific needs.
• Using the “Unfiltered policy” (which exists in every GPO as well as in Studio) is not recommended, since Director (a Citrix Help Desk web application) and several reporting tools will refer to this name in their reports or charts. It is better to create an alternative unfiltered policy instead and provide it with a meaningful name.

Additional Resources:
• Create Policies (LTSR 1912): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/policies-create.html


Citrix Policy Modeling
Resultant Set

Each Policy Setting can assume different states:
• Enabled/Allowed
• Disabled/Prohibited
• Value
• Not configured

Priority | Policy Name | Filter(s) | Audio Channel | Audio Quality | Printing Channel | Drive Mapping
1 | Marketing work from Home | Marketing Users, External IP | Enabled | - | Disabled | Enabled
2 | Marketing work from Office | Marketing Users, Internal IP | Enabled | Low quality | Enabled | Enabled
3 | Accounting | Accounting Users | Disabled | - | Enabled | -
4 | Baseline | No filter | Disabled | - | Disabled | Disabled
- | System default | - | Enabled | High quality | Enabled | Enabled

Key Notes:
• “Not configured” enables lower ranking policies to get applied for that specific setting.
• Some features have dependencies – Audio quality will be meaningless if the Audio channel is disabled altogether.
• Policy Example:
• A Marketing User (Jimmy) works from home today – the policy system uses the filters to find policies that apply, in addition to the System default settings, which always apply at a fixed lowest rank but can be modified with higher ranking policies. For Jimmy, the “Marketing work from Home” and “Baseline” policies apply (Jimmy is not a member of the accounting group, and Jimmy does not connect from an internal IP address).
• Next, all settings are processed, where conflicts will be resolved by taking the respective setting’s value from the highest ranking (lowest number) policy.
• So for “Audio channel” this means “enabled” (since Priority 1 wins over Priority 4); for “Audio quality” this means “High quality” (since the highest ranking policy is not configured, and the lower ranking policies are also not configured, the system default applies). Note that audio quality could be degraded if a future policy introduces a setting of “low quality” for marketing users.
• Use the Citrix Group Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be applied. You can specify conditions for a connection scenario such as Domain Controller, users, Citrix policy assignment evidence values, and simulated environment settings, such as a slow network connection. The report that the wizard produces lists the Citrix Policies that would likely take effect in the scenario. If you are logged on to the Controller as a domain user, the wizard calculates the Resultant Set of Policy using both Site policy settings and Active Directory Group Policy Objects (GPOs).
• Use Group Policy Results to produce a report describing the Citrix Policies in effect for a given user and controller. The Group Policy Results tool helps you evaluate the current state of GPOs in your environment and generates a report that describes how these objects, including Citrix Policies, are currently being applied to a particular user and Controller.
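
The resolution walked through in the Policy Example above, as an added Python model (not Citrix code and not a Citrix API): filters are AND-combined, the highest-ranking configured value wins per setting, and the system default fills the rest. The policy values come from the slide's table; the class and function names, the sample sessions and the address ranges treated as internal are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Fixed lowest rank that always applies (values from the slide's table).
SYSTEM_DEFAULT = {
    "audio_channel": "Enabled",
    "audio_quality": "High quality",
    "printing_channel": "Enabled",
    "drive_mapping": "Enabled",
}

# Assumption for this example: these ranges count as "Internal IP".
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


def is_internal(session):
    addr = ip_address(session["client_ip"])
    return any(addr in net for net in INTERNAL_NETS)


def is_external(session):
    return not is_internal(session)


def member_of(group):
    """Build a 'User or Group' filter for one group name."""
    return lambda session: group in session["groups"]


@dataclass
class Policy:
    priority: int                                  # 1 is the highest rank
    name: str
    filters: list = field(default_factory=list)    # callables(session) -> bool
    settings: dict = field(default_factory=dict)   # missing key = "Not configured"

    def applies_to(self, session):
        # Filters are AND-combined; a policy without filters matches everyone.
        return all(f(session) for f in self.filters)


POLICIES = [
    Policy(1, "Marketing work from Home", [member_of("Marketing Users"), is_external],
           {"audio_channel": "Enabled", "printing_channel": "Disabled",
            "drive_mapping": "Enabled"}),
    Policy(2, "Marketing work from Office", [member_of("Marketing Users"), is_internal],
           {"audio_channel": "Enabled", "audio_quality": "Low quality",
            "printing_channel": "Enabled", "drive_mapping": "Enabled"}),
    Policy(3, "Accounting", [member_of("Accounting Users")],
           {"audio_channel": "Disabled", "printing_channel": "Enabled"}),
    Policy(4, "Baseline", [],
           {"audio_channel": "Disabled", "printing_channel": "Disabled",
            "drive_mapping": "Disabled"}),
]


def applicable(session, policies=POLICIES):
    """Policies whose filters all match, highest rank first."""
    matching = [p for p in policies if p.applies_to(session)]
    return sorted(matching, key=lambda p: p.priority)


def resultant_set(session, policies=POLICIES):
    """Return {setting: (value, name of the policy that supplied it)}."""
    ranked = applicable(session, policies)
    result = {}
    for setting, default in SYSTEM_DEFAULT.items():
        result[setting] = (default, "System default")
        for policy in ranked:
            if setting in policy.settings:   # first configured value wins
                result[setting] = (policy.settings[setting], policy.name)
                break
    return result


def left_to_default(rsop):
    """Settings no applicable policy configured; review these for the baseline."""
    return [s for s, (_, source) in rsop.items() if source == "System default"]


# Constructed sample sessions.
JIMMY_HOME = {"groups": {"Marketing Users"}, "client_ip": "203.0.113.7"}
JIMMY_OFFICE = {"groups": {"Marketing Users"}, "client_ip": "192.168.10.20"}
ACCOUNTANT = {"groups": {"Accounting Users"}, "client_ip": "10.1.2.3"}

if __name__ == "__main__":
    for label, session in [("Jimmy at home", JIMMY_HOME),
                           ("Jimmy in the office", JIMMY_OFFICE),
                           ("Accountant", ACCOUNTANT)]:
        print(label, "->", [p.name for p in applicable(session)])
        for setting, (value, source) in resultant_set(session).items():
            print(f"  {setting:17} {value:13} <- {source}")
```

The `left_to_default` output is the list to check against the recommendation that a named, unfiltered baseline policy should decide such settings rather than the system default.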

Additional Resources:
• Compare, prioritize, model, and troubleshoot policies (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/policies-compare-model.html


Citrix Policy Templates

• Use Citrix Group Policy Modelling Wizard to find possible results for various filter criteria.
• For example:
• Helps to clarify which settings are defined if User1 logs on to VDA2 from IP address 10.20.30.40.
• Start this wizard from the GPMC or Citrix Studio.
• Only the wizard within Citrix Studio includes local Citrix policies.
• Use Citrix Studio for Group policy modeling.

Key Notes:
• You can launch the Citrix Group Policy Modeling Wizard from the Actions pane in Studio. You can launch either tool from the Group Policy Management Console in Windows.
• To ensure you obtain the most comprehensive Resultant Set of Policy, Citrix recommends launching the Citrix Group Policy Modeling wizard from Studio, unless you create policies using only the Group Policy Management Console.
• If you run the Citrix Group Policy Modeling Wizard or Group Policy Results tool from the Group Policy Management Console, local Citrix policy settings created using Studio are not included in the Resultant Set of Policy.
• The Citrix Studio based Wizard will include local Citrix policies as well as policies created or stored in GPOs within AD.
• The reports can be viewed, printed or saved as HTML files.
• CtxCseUtil is a tool that can generate a resultant set of policy (RSOP) report (per computer, per user or both) for Citrix policies on a device that has the Group Policy Management Console installed.
• If Citrix Cloud is used to host the Delivery Controller, the Modelling Wizard is not available in the Studio console.

Additional Resources:
• Compare, prioritize, model, and troubleshoot policies (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/policies-compare-model.html
• Citrix Policy Reporter - RSOP CtxCseUtil Tool: https://support.citrix.com/article/CTX138533


Citrix Policy Process
Overview

Citrix Policy Creation
1. Create the policy
2. Configure the policy Settings
3. Apply the policy using configured filters.
4. Enable the policy
5. Prioritize the policy in the list with others

Citrix Policy Validation
1. Launch the Citrix Policy Modeling Wizard.
2. Specify the Domain Controller.
3. Specify the Users and Computers.
4. Specify the Filter evidence.
5. Finish and Review the results.


Citrix Workspace Environment Management (WEM)
Introduction

Citrix Workspace Environment Management (WEM) is a software solution that utilizes powerful Resource Management and User Environment Management technologies for Citrix Virtual Apps and Desktops deployments, resulting in optimized performance and app response times, while helping to maintain the best possible logon performance for Users.

Key Notes:
• Citrix WEM is a powerful feature that contains settings for the Citrix Virtual Apps and Desktops environment, such as:
• Resource Management
• Profile Management
• CPU Management
• Memory Management
• Process Management
• Environmental Settings
• Microsoft USV Settings
• Citrix UPM Settings
• Fast Logoff
• Etcetera
• For more information, and a hands-on learning experience, take the CXD-303 or the CXD-310 Citrix Training Course.

Additional Resources:
• CXD-303 Citrix Training Course: https://training.citrix.com/#/learning/course?courseId=1772
• CXD-310 Citrix Training Course: https://training.citrix.com/#/learning/course?courseId=1776


Lesson Objective Review
Scenario: You are the Citrix Admin and you have recently configured a user setting to hide the server C: drive for all users using Published Desktops.
The setting was configured in the Citrix Baseline GPO linked to the XAW OU; however, the setting does not apply.

What could you be missing?

Loopback processing – by default, user settings will only be applied if the GPO is linked to a user OU.


Common User Experience Settings


Load Management

Load Management Environment

1. Each Server OS VDA reports its load values to the Delivery Controller
2. The Delivery Controller saves the load values in the Site Database
3. Requests for Resources come into StoreFront
4. StoreFront relays the request to the Delivery Controller, which for a new session makes a load-balancing decision by using the load values from the database:
   1. Load Values range from 0-10000
   2. Load Values can be viewed in Studio, Director, and PowerShell
5. The Delivery Controller decides the least busy VDA

[Diagram: Endpoints, StoreFront, Delivery Controller, Site Database and Server OS VDAs, with connections numbered (1) to (5) to match the steps above]

Key Notes:
• Any value higher than 10000 is usually some warning or error message within the load balancing system (like 20000 = feature not licensed).
• Multiple criteria can be combined to evaluate load on VDAs (memory, CPU etc.), but only the highest value will be reported as load value for this server.
• For Example:
• A machine is running a task that is consuming 100% of the CPU capacity and reports a load value of 10000. After the administrator ends the task, the load drops to 7000 although the CPU is only 20% loaded. The reason might be that now a different configured value (memory?) is the “highest value” and thus gets reported as load value.
• Load balancing normally only applies to NEW sessions, so it is best practice to have some spare resources for existing sessions left on the VDA.
• The counters that can be used to report load values:
• Concurrent logons tolerance
• CPU usage
• CPU usage excluded process priority
• Disk usage
• Maximum number of sessions (default value of 250)
• Memory usage
• Memory usage base load
• Use PowerShell Command “Get-BrokerMachine -SessionSupport Multisession | select machinename,loadindex” to get an overview of the load values.
• Use “select columns” in Studio within the search pane to display “Load index”.
• Use the Load Evaluator Index tab within the Trends section of Citrix Director to display the load values for specific delivery groups. In contrast to PowerShell and Studio, Director can display historical recorded load values, which can be helpful during capacity planning.
• Concurrent logon tolerance:
• This setting specifies the maximum number of concurrent logons a server can accept.
• By default, this is set to 2.
• CPU usage:
• This setting specifies the level of CPU usage, as a percentage, at which the server reports a full load. When enabled, the default value at which the server reports a full load is 90%.
• By default, this setting is disabled and CPU usage is excluded from load calculations.
• CPU usage excluded process priority:
• This setting specifies the priority level at which a process' CPU usage is excluded from the CPU Usage load index.
• By default, this is set to Below Normal or Low.
• Disk usage:
• This setting specifies the disk queue length at which the server reports a 75% full load. When enabled, the default value for disk queue length is 8.
• By default, this setting is disabled and disk usage is excluded from load calculations.
• Maximum number of sessions:
• This setting specifies the maximum number of sessions a server can host. When enabled, the default setting for maximum number of sessions a server can host is 250.
• By default, this setting is enabled.
• Memory usage:
• This setting specifies the level of memory usage, as a percentage, at which the server reports a full load. When enabled, the default value at which the server reports a full load is 90%.
• By default, this setting is disabled and memory usage is excluded from load calculations.
• Memory usage base load:
• This setting specifies an approximation of the base operating system's memory usage and defines, in MB, the memory usage below which a server is considered to have zero load.
• By default, this is set to 768 MB.
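
The "highest value wins" behaviour from the Key Notes, as an added Python model (not Citrix code): each enabled rule produces a value from 0 to 10000 and the largest one is reported, which reproduces the 10000-to-7000 example above. The thresholds are the defaults quoted on this page; the linear scaling of each rule, the handling of the memory base load, skipping values above 10000 when choosing a VDA, and all names and sample figures are assumptions.

```python
FULL_LOAD = 10000

# Defaults quoted in the Key Notes above.
MAX_SESSIONS = 250          # rule enabled by default
CPU_FULL_LOAD_PCT = 90      # rule disabled by default
MEMORY_FULL_LOAD_PCT = 90   # rule disabled by default
MEMORY_BASE_LOAD_MB = 768

DEFAULT_RULES = ("max_sessions",)
ALL_RULES = ("max_sessions", "cpu_usage", "memory_usage")


def scale(value, full):
    """Assumption: a rule grows linearly and is capped at full load."""
    return min(FULL_LOAD, round(value * FULL_LOAD / full))


def rule_values(metrics, rules=ALL_RULES):
    """Per-rule load values for one VDA; only enabled rules take part."""
    values = {}
    if "max_sessions" in rules:
        values["max_sessions"] = scale(metrics["sessions"], MAX_SESSIONS)
    if "cpu_usage" in rules:
        values["cpu_usage"] = scale(metrics["cpu_pct"], CPU_FULL_LOAD_PCT)
    if "memory_usage" in rules:
        used = metrics["mem_used_mb"]
        if used <= MEMORY_BASE_LOAD_MB:
            values["memory_usage"] = 0   # below base load counts as zero load
        else:
            pct = used * 100 / metrics["mem_total_mb"]
            values["memory_usage"] = scale(pct, MEMORY_FULL_LOAD_PCT)
    return values


def load_index(metrics, rules=ALL_RULES):
    """Reported load: the highest rule value, and the rule that produced it."""
    values = rule_values(metrics, rules)
    rule = max(values, key=values.get)
    return values[rule], rule


def least_busy(load_by_vda):
    """Pick the VDA for a new session; values above 10000 are status codes."""
    usable = {vda: load for vda, load in load_by_vda.items() if load <= FULL_LOAD}
    return min(usable, key=usable.get) if usable else None


# Constructed metrics: the same VDA before and after the runaway task is ended.
BUSY = {"sessions": 50, "cpu_pct": 100, "mem_used_mb": 10080, "mem_total_mb": 16000}
AFTER = {"sessions": 50, "cpu_pct": 20, "mem_used_mb": 10080, "mem_total_mb": 16000}

if __name__ == "__main__":
    for label, metrics in (("task running", BUSY), ("task ended", AFTER)):
        print(label, rule_values(metrics), "->", load_index(metrics))
    print("defaults only:", load_index(AFTER, DEFAULT_RULES))
    print("new session goes to:", least_busy({"VDA1": 7000, "VDA2": 2000, "VDA3": 20000}))
```

With only the default rule enabled, the same machine reports a far lower value, which is why the set of enabled rules matters as much as the thresholds when planning capacity.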

Additional Resources:
• How to Calculate the Load Evaluator Index on DDC: https://support.citrix.com/article/CTX202150
• Load Management policy settings: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/load-management-policy-settings.html


Session Reliability
Session Reliability Process

Session Reliability Process Example

1. User initiates a session from PC001.
2. The network connection is interrupted.
• Citrix Workspace app displays a still image and buffers user input for 180 seconds.
• The VDA is aware of the broken connection, but does not disconnect the session for 180 seconds.
3. The network connection is restored and buffered input is sent to the server.

[Diagram: three numbered stages (1 to 3) showing Endpoints with Citrix Workspace app and a Word 2013 Hosted App]

Note: All session data is transmitted on port 2598, when using Session Reliability

Key Notes:
• By default, Session Reliability is enabled.
• Session Reliability keeps sessions active and on the user's screen when network connectivity is interrupted. Users continue to see the application they are using until network connectivity resumes.
• With Session Reliability, the session remains active on the server. To indicate that connectivity is lost, the user's display freezes and the cursor changes to a spinning hourglass until connectivity is restored. The user continues to access the display during the interruption and can resume interacting with the application when the network connection is restored. Session Reliability re-connects users without re-authentication prompts. If you do not want users to be able to re-connect to interrupted sessions without having to re-authenticate, configure the Auto client re-connect authentication setting to require authentication. Users are then prompted to re-authenticate when reconnecting to interrupted sessions.
• The default of 180 seconds is configurable (it should not be set so high that it compromises security, because re-connects do not require re-authentication).
• Seeing a spinning hourglass icon attached to the mouse pointer within a session is normally an indicator that the session is currently being reconnected in the background. Users often describe this behavior as “the session being stuck for a moment”, which might be better than having to start a new session again. If this happens a lot, the underlying network connection should be checked.
• This feature is most useful for connections that drop packets frequently or disconnect often (mobile networks, roaming Wi-Fi).
• Takes precedence over Auto Client Reconnect feature (explained in the next slide).
• Some users MUST NOT have still images of their sessions displayed (monitoring systems, healthcare, intraday trading & brokerage), since their decisions would rely on outdated information. This feature can be disabled using a Computer based GPO, but doing so disables Session Reliability for the entire machine (not for a user or group).

Additional Resources:
• Session reliability policy settings: (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/sessions.html


Auto Client Reconnect

Auto Client Reconnect Process Example

• Setting to control automatic reconnection, in case of interrupted connections.
• Auto Client Reconnect Process:
1. User initiates a session from PC001.
2. The network connection is interrupted.
3. Citrix Workspace app on PC001 automatically reconnects to the session from PC001.

Can be set to require re-authentication.

[Diagram: numbered stages showing Endpoints with Citrix Workspace app and a Word 2013 Hosted App]

Key Notes:
• If you use both Session Reliability and auto client reconnect, the two features work in sequence. Session Reliability closes (or disconnects) the user session after the amount of time specified in the Session Reliability timeout setting. After that, the auto client reconnect settings take effect, attempting to reconnect the user to the disconnected session.

Additional Resources:
• Auto client reconnect policy settings: (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/auto-client-reconnect-policy-settings.html


ICA Keep-Alive

Keep-Alive Scenario
• Enables the server to send packets to the client at a configurable interval.
• Enables servers to detect connection failures.
• Can be enabled via policy.
• Session Reliability uses a similar mechanism.

[Diagram: Keep-Alive Packets sent every 60 seconds between Endpoints with Citrix Workspace app and a Microsoft Word Published App]

Key Notes:
• ICA Keep-Alive is not used for Sessions running CGP / Session Reliability (Port 2598), but only for “plain” ICA Sessions (Port 1494) since Session Reliability uses a similar mechanism by itself.
• ICA keep-alive does not work if you are using Session Reliability. Configure ICA keep-alive only for connections that are not using Session Reliability.
• By default, the interval between keep-alive messages is 60 seconds.
• Specify an interval between 1-3600 seconds in which to send ICA keep-alive messages. Do not configure this setting if your network monitoring software is responsible for closing inactive connections.
• Normally, the server does not send packets to the client (to save bandwidth). If the clock is visible in a desktop session, you already have a keep-alive because the updated bitmap needs to be sent to the client every minute.
• If the server does not send packets to the client, network disruptions can go unnoticed – the server might keep the session of the client open and reconnection might fail (the client would have to wait for the session to become disconnected to reconnect again).
• Normally most clients today support automatic reconnection even to sessions that are not (yet) marked as disconnected.
• Ultimately, if Session Reliability is configured, ICA Keep-Alive is ignored. Remember that Session Reliability is configured by default.

Additional Resources:
• Keep alive policy settings: (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/keep-alive-policy-settings.html


Browser Content Redirection
Whitelist and Blacklisting for URLs

• Prevents webpages on the whitelist from rendering on the VDA; browser viewport is redirected to the client.
• Items not in the viewport, such as the Address Bar, Favorites Toolbar, etc., run on the browser on the VDA.
• Uses Citrix Workspace app to fetch the HTTP and HTTPS content from the URL on the VDA, and then runs the overlay web layout engine (viewport) on the endpoint device using its HW power.
• Is managed and configured via Citrix Studio policies.

[Diagram: Laptop Endpoint and VDA connected by an HDX Session; labels: Citrix.com, Browser Address and Toolbar, Browser Viewport Redirection]

Key Notes:
• When enabled, browser content redirection prevents the rendering of whitelisted webpages on the VDA side.
• You can specify that webpages be redirected to the VDA side (and not redirected on the client side) by using a blacklist.
• The viewport is the rectangular area in your browser where content displays.
• Studio Policies:
• Configure a Studio policy that specifies an Access Control List containing the URLs whitelisted for redirection or the blacklist that disables redirection for specific URL paths.
• For the browser on the VDA to detect that the URL the user is navigating to matches the whitelist, or does not match a blacklist, a browser extension performs the comparison.
• The browser extension (BHO) for Internet Explorer 11 is included in the installation media and is installed automatically.
• For Chrome, the browser extension is available in the Chrome Web Store, and you can deploy it using the Group Policies and ADMX files.
• Chrome extensions are installed on a per-user basis.
• HDX Policy Settings:
• Browser Content Redirection: Enabled by default; Citrix Workspace app will attempt client fetch and client render, so that the visible area of the browser, the viewport, is presented on the client side.
• Browser Content Redirection ACL Configuration: This is where you add URLs to build an Access Control List (ACL) of URLs that can use the Browser Content Redirection feature.
• Browser Content Redirection Authentication Sites: This is optional and empty by default. Any URL added to this list can be used to authenticate a user.
• Supports the use of * wildcards. However, wildcards are not supported as part of the domain address aspect of the URL.
• This setting allows for better granularity of a site; for example, a site URL of http://www.abc.com can be made more specific by adding a URL path of http://www.abc.com/stocks/index.html. Now only index.html pages would be redirected.
• Browser Content Redirection Blacklist Configuration: This setting allows you to build a list of URLs that cannot use the Browser Content Redirection feature. All URLs added to this setting will render browser content only on the server.
• Browser Content Redirection Proxy Configuration: This setting allows for proxy configuration on the VDA.
• If Enabled, then a valid proxy address and port are required. This would result in only Server Fetch Client Rendering taking place.
• If Disabled, or unconfigured, then Client Fetch Client Rendering is always attempted.
• Redirection:
• A virtual channel (CTXCSB) is used to instruct the Citrix Workspace app when a redirection is required, and then relays the URL.
• Citrix Workspace app then instantiates a local rendering engine and displays the website by blending back the website into the virtual desktop browser content area seamlessly.
• How Citrix Workspace app fetches content:
• Server fetch and server render - No redirection takes place as the site is not whitelisted, or the redirection failed for some reason.
• If this occurs, we will fall back to rendering the webpage on the VDA and use Thinwire to remote the graphics.
• Use policies to control the fallback behavior. High CPU, RAM, and bandwidth consumption on the VDA.
• Server fetch and client render - Citrix Workspace app contacts and fetches content from the web server through the VDA using a virtual channel (CTXPFWD).
• This option is useful when the client doesn’t have internet access (for example, thin clients).
• This creates low CPU and RAM consumption on the VDA, but more bandwidth is consumed on the HDX virtual channel.
• Proxies:
• There are three modes of operation for this scenario. The term proxy refers to a proxy device that the VDA accesses to gain Internet access. Which policy option to choose?
• Explicit Proxy - If you have a single explicit proxy in your Datacenter. This routes browser content redirection traffic through the VDA and forwards it to the specified web proxy.
• Direct or Transparent - If you do not have proxies, or if you use transparent proxies. This routes browser content redirection traffic through the VDA and forwards it directly to the web server hosting the content.
• PAC files - If you rely on PAC files so browsers in the VDA can automatically choose the appropriate proxy server for fetching a specified URL. This routes browser content redirection traffic through the VDA and forwards it to the web proxy determined by evaluating the specified PAC file.
• Client fetch and client render - Because Citrix Workspace app contacts the web server directly, it requires internet access.
• This scenario offloads all the network, CPU, and RAM usage from your CVAD Site.
• Fallback mechanism: For various reasons, client redirection might fail at times.
• For example, if the client machine does not have direct internet access, an error response might go back to the VDA, and then the browser on the VDA would reload and render the page instead.
• If you do not want content to ever revert back to the server VDA for rendering, you can enable the existing Windows media fallback prevention policy.
• Set this policy to “Play all content only on client” or “Play only client-accessible content on client”.
• These settings block video elements from playing on the server if there are failures in client redirection.
• This policy takes effect only when you enable browser content redirection, and the Access Control List policy contains the URL that falls back. The URL can’t be in the blacklist policy.
• System Requirements:
• Windows endpoints:
• Windows 7, 8.x, or 10
• Citrix Workspace app 1808 or later
• Citrix Receiver for Windows 4.10 or later
• Linux endpoints:
• Citrix Workspace app 1808 for Linux or later
• Citrix Receiver for Linux 13.9 or later
• Thin client terminals must include WebKitGTK+
• Browser on the VDA:
• Google Chrome v66 or higher (Chrome requires Citrix Workspace app 1809 for Windows on the user endpoint, Citrix Virtual Apps and Desktops 7 1808 VDA, and the browser content redirection extension)
• Internet Explorer 11 and configure these options:
• Clear Enhanced Protected Mode under: Internet Options > Advanced > Security
• Check Enable third-party browser extensions under: Internet Options > Advanced > Browsing
• Browser content redirection Edge Chromium extension:
1. To install the browser content redirection extension in Edge, make sure you have version 83.0.478.37 or higher of the Edge browser installed.
2. Click the Extensions option in the menu and turn on Allow extensions from other stores.
3. Click the Chrome Web Store link and the extension appears at the bar on the top right. For more info on Microsoft Edge extensions, see Extensions.
• Browser content redirection and DPI:
• When using browser content redirection with the DPI (scaling) set to anything over 100% on the user’s machine, the redirected browser content screen displays incorrectly.
• To avoid this issue, do not set the DPI when using browser content redirection.
• Another way to avoid the issue is by disabling browser content redirection GPU acceleration for Chrome by creating the following registry key on the user’s machine:
• \HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\HdxMediaStream
• Name: GPU
• Type: DWORD
• Data: 0

Additional Resources:
• Browser content redirection: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/multimedia/browser-content-redirection.html
• How to Troubleshoot Browser Content Redirection: https://support.citrix.com/article/CTX230052


Client Drive Mapping (CDM)

End users connecting to a Citrix Virtual Apps and Desktops environment will have their local device drives mapped within their sessions.
• Mappings occur during user logon and will remain active until logoff from the session.
• During logon, Citrix Workspace informs the host server of the drives on the end user device.
• CDM allows drive letters on the host-side to be redirected to drives that exist on the user device.
• The host CVAD server can be configured during installation to map client drives automatically to a given set of drive letters, if preferred.
• Client drive mapping is enabled by default.
• Configured and managed by HDX policies.

Example A
Local Client Drives | Client Drives in Session | Host Server Drives
A | A | --
C | V | C
D | U | D
E | T | E

Example B
Local Client Drives | Client Drives in Session | Host Server Drives (Re-Mapped)
A | A | --
C | C | M (from C)
D | D | N (from D)
E | E | O (from E)

Key Notes:
• During logon, Citrix Workspace App informs the server of all the available client drives, COM ports, and LPT ports.
• By default, all found client drives are mapped to server drive letters.
• All client drive mappings that take place at logon are available only for the current user during the current session. They are deleted when the user logs off and recreated the next time a session is created.
• Client drive mapping is built transparently into the standard Citrix device redirection facilities.
• The server hosting virtual desktops and applications can be configured during installation to map client drives automatically to a given set of drive letters.
• The default installation maps drive letters assigned to client drives starting with V and works backward, assigning a drive letter to each fixed drive and CD-ROM drive. (Floppy drives are assigned their existing drive letter).
• The server can be configured so that the server drive letters do not conflict with the client drive letters, if preferred.
• For example, changing server drives C to M and D to N allows client devices to access their C and D drives directly.
• The drive letter used to replace the server drive C is defined during Setup. All other fixed drive and CD-ROM drive letters are replaced with sequential drive letters (for example; C > M, D > N, E > O).
• These drive letters must not conflict with any existing network drive mappings. If a network drive is mapped to the same drive letter as a server drive letter, the network drive mapping is not valid.
• Client-drive mapping performance improvements:
• Client-drive mapping now supports the transfer of data between the host and the client as a stream.
• This stream capability ensures that the file transfer adapts to any changing network throughput conditions. It also uses any available extra bandwidth to scale up the data-transfer rate.
• HDX Policies for Client Drive Mapping: Client Drive Mapping maintains several policies that can be used to manage and customize its functions:
• Auto connect client drives - Allows or prevents automatic connection of client drives when users log on. It is allowed by default.
• Client drive redirection – Enables or disables file drive redirection from the client device. When enabled, users can save files to all their client drives. It is allowed by default.
• Client fixed drives – When enabled, allows users to access and save files to local fixed drives when in a session. It is allowed by default. This setting is dependent on both “Client drive redirection” and “Auto connect client drives” being configured and allowed to work.
• Client floppy drives - When enabled, allows users to access and save files to local floppy drives if they are being used. It is allowed by default. This setting is dependent on both “Client drive redirection” and “Auto connect client drives” being configured and allowed to work.
• Client network drives - When enabled allows users to access and save files to client network (remote)

525 © 2021 Citrix Authorized Content


drives. It is allowed by default. This setting is dependent on both “Client drive redirection” and “Auto connect
client drives” being configured and allowed to work.
• Client optical drives - When enabled allows users to access and save files to CD-ROM, DVD-ROM or BD-
ROM drives. . It is allowed by default. This setting is dependent on both “Client drive redirection” and “Auto
connect client drives” being configured and allowed to work.
• Client removable drives - When enabled allows users to access and save files to removable drives. It is
allowed by default. This setting is dependent on both “Client drive redirection” and “Auto connect client

N
drives” being configured and allowed to work.

ot
• Preserve client drive letters – Enabled or disabled the preservation of client drive letters. When enabled,

fo
client local drive letters are mapped to the same letter within the session. This setting is not enabled by
default.

rr
• Read-only client drive access – When enabled, client files and folders on mapped client drives can be

es
accessed in read-only mode while in the session. This setting is not enabled by default.
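
The drive-letter rules in these notes, modelled as an added example (not Citrix code and not part of the original manual): it remaps server drives from the letter chosen during Setup, assigns client drives their own letter when it is free and otherwise a letter counting backward from V, and flags network drive mappings that collide with a server letter. The function names are hypothetical, and the "keep the client letter when it is free" rule is an assumption inferred from the two slide tables.

```python
import string

FIXED, CDROM, FLOPPY = "fixed", "cdrom", "floppy"
LETTERS = string.ascii_uppercase


def remap_server_drives(server_drives, first_letter=None):
    """Map each server drive letter to the letter it uses after Setup.

    server_drives: letters of the server's fixed and CD-ROM drives.
    first_letter:  letter chosen during Setup to replace server drive C;
                   None means the server keeps its own letters.
    """
    ordered = sorted(server_drives)
    if first_letter is None:
        return {letter: letter for letter in ordered}
    start = LETTERS.index(first_letter.upper())
    if start + len(ordered) > len(LETTERS):
        raise ValueError("not enough letters after " + first_letter)
    # Sequential replacement, as in the notes: C > M, D > N, E > O
    return {old: LETTERS[start + i] for i, old in enumerate(ordered)}


def map_client_drives(client_drives, server_letters):
    """Map client drive letters to the letters they get inside the session.

    client_drives:  dict of letter -> FIXED / CDROM / FLOPPY.
    server_letters: letters already taken by server drives in the session.
    """
    used = set(server_letters)
    fallback = iter(reversed(LETTERS[: LETTERS.index("V") + 1]))  # V, U, T, ...
    mapping = {}
    for letter in sorted(client_drives):
        if client_drives[letter] == FLOPPY or letter not in used:
            target = letter  # floppy keeps its letter; a free letter maps directly
        else:
            target = next((c for c in fallback if c not in used), None)
            if target is None:
                raise ValueError("no free letter left for client drive " + letter)
        used.add(target)
        mapping[letter] = target
    return mapping


def invalid_network_mappings(server_map, network_drives):
    """Return network drive letters that collide with a server drive letter."""
    taken = set(server_map.values())
    return sorted(letter for letter in network_drives if letter in taken)


if __name__ == "__main__":
    # Constructed inventory matching the slide tables.
    client = {"A": FLOPPY, "C": FIXED, "D": FIXED, "E": CDROM}
    default_server = remap_server_drives(["C", "D", "E"])
    remapped_server = remap_server_drives(["C", "D", "E"], "M")
    print(map_client_drives(client, default_server.values()))
    print(map_client_drives(client, remapped_server.values()))
    # Constructed network mappings; N collides with the remapped server D drive.
    print(invalid_network_mappings(remapped_server, {"N": r"\\fs01\dept", "H": r"\\fs01\home"}))
```

Running the collision check against the logon-script or GPP drive mappings before choosing the Setup letter avoids network drives that silently fail to map.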

Additional Resources:
• Citrix Workspace app 1812 for Windows – an experience you’ll love:
https://www.citrix.com/blogs/2018/12/21/citrix-workspace-app-1812-for-windows-an-experience-youll-love/
• How to Disable Specific Client Drive Mappings:
https://support.citrix.com/article/CTX135999
• How to Troubleshoot Client Drive Mapping:
https://support.citrix.com/article/CTX238200
• Mapping client devices:
https://docs.citrix.com/en-us/receiver/windows/current-release/optimize/map-client-devices.html
• Map client drives to host-side drive letters:
https://docs.citrix.com/en-us/receiver/windows/current-release/optimize/map-client-devices.html#map-client-drives-to-host-side-drive-letters
• Redirection of client drives and user devices:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference.html


Copy and Paste Files in Sessions

HDX sessions allow for the copy and paste (clipboard function) of text, and also files or folders from a desktop session to any drive on the local client endpoint.
• Configured and managed by HDX policies.
• Transfers data over the Clipboard virtual channel and new Generic Data Transfer virtual channel.
• Support for HTML-formatted text between apps.
• Session Sharing support between active HDX sessions.
• Text support for both applications or desktop sessions.

Key Notes:
• Clipboard functions in HDX sessions with or without Client Drive Mapping enabled.
• Uses a clipboard virtual channel compiled into other files, such as wfica32.exe.
• Support for Double Hop sessions.
• There is now support for copying and pasting HTML-formatted text from a local application to another application.
• Only available on Chrome and Safari browsers.
• You can copy and paste only plain text and not images and files.
• Does not support large data.
• To configure clipboard support, add the following registry entry to the VDA:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format "Name"="HTML Format"
• Session sharing:
  • A floating toolbar containing controls for Citrix Receiver for HTML5 is displayed in the browser tab.
  • The clipboard button enables users to copy and paste Unicode plain text between the local clipboard on the device and the resource running in the browser.
• Copy from a Remote Session and Paste in Your Device (native clipboard experience):
  • Pasting data from your local device to your remote session works with just Ctrl+V/Cmd+V commands, across all the supported browsers for the Citrix Workspace app for HTML5.
  • Pasting using the right click on your mouse is not supported for copying data from a local device to a remote session.
  • On Google Chrome and Safari, you can copy text with a simple Ctrl+C/Cmd+C within the session, and paste using Ctrl+V/Cmd+V outside the session.
  • Copying text from a secondary monitor requires an extra click (through the Copy confirmation dialog) for Google Chrome and Safari browsers.
  • Internet Explorer requires you to allow access for the API used for the feature once for each session launch.
  • You would need to click on Allow access to enable the feature.
  • Firefox and Edge require an extra click because of how the API works with the browsers. For every copy operation, you’ll need to click the Confirm button.
  • For Edge and Firefox browsers, copying text from both single and secondary monitors requires an extra click.
  • Support on Windows, Mac, or Chrome operating systems.
• HDX Clipboard Policies:
  • Client clipboard redirection - This setting configures whether or not the client clipboard is mapped to the clipboard on the host server where the session is running. This setting is enabled by default.
    • Setting this to “Prohibited” will prevent copy and paste data transfer between a session and the local clipboard.
  • Client Clipboard Write Allowed Formats - To make an exception for pasting files from clipboard to the client (use format CFX_FILE to allow the feature).
  • Clipboard redirection bandwidth limit - This setting allows for a maximum allowed bandwidth to be used, per second, for data transfer between a session and the local clipboard.
    • If this setting is configured along with the Clipboard redirection bandwidth limit percentage setting, the most restrictive (lower value) setting is applied.
  • Clipboard redirection bandwidth limit percentage - This setting allows for a maximum allowed bandwidth for data transfer to be used as a percentage of the total session bandwidth.
  • Clipboard selection update mode - Configuration of clipboard functions for Linux VDA (versions 1.4 and up).
  • Readonly clipboard - This setting can be configured (set to Enabled) to prevent the copy/paste of data from application(s) within sessions to local clients.
    • When Enabled, it does not prevent the copy/paste of data from local client clipboards to applications inside of sessions.
  • Restrict client clipboard write - When Enabled, host clipboard information cannot be shared with local client endpoints.
  • Restrict session clipboard write - When Enabled, client clipboard data cannot be shared within the user session.
  • Session clipboard write allowed formats - If you have Enabled the “Restrict session clipboard write” policy setting, then this setting can be used to selectively allow specific data formats to be shared with the session clipboard.
    • This setting will not work if Client clipboard redirection is set to “Prohibited”.
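
How the clipboard policies above combine for a single transfer, as an added example (a model for reviewing a policy set, not Citrix code and not part of the original manual). The class, function and field names are hypothetical; CFX_FILE and "HTML Format" come from these notes, CF_TEXT is the standard Windows text format, and the model assumes that a Prohibited redirection setting and the Readonly clipboard override any allow-list.

```python
from dataclasses import dataclass

TO_CLIENT = "session->client"    # copy inside the session, paste on the endpoint
TO_SESSION = "client->session"   # copy on the endpoint, paste inside the session


@dataclass(frozen=True)
class ClipboardPolicy:
    client_clipboard_redirection: bool = True       # enabled by default
    readonly_clipboard: bool = False
    restrict_client_clipboard_write: bool = False
    client_write_allowed_formats: frozenset = frozenset()
    restrict_session_clipboard_write: bool = False
    session_write_allowed_formats: frozenset = frozenset()


def decide(policy, direction, fmt):
    """Return (allowed, reason) for one clipboard transfer."""
    if direction not in (TO_CLIENT, TO_SESSION):
        raise ValueError("unknown direction: " + direction)
    if not policy.client_clipboard_redirection:
        return False, "Client clipboard redirection is Prohibited"
    if direction == TO_CLIENT:
        if policy.readonly_clipboard:
            return False, "Readonly clipboard is Enabled"
        restricted = policy.restrict_client_clipboard_write
        allowed = policy.client_write_allowed_formats
        restrict_name = "Restrict client clipboard write"
        allow_name = "Client clipboard write allowed formats"
    else:
        restricted = policy.restrict_session_clipboard_write
        allowed = policy.session_write_allowed_formats
        restrict_name = "Restrict session clipboard write"
        allow_name = "Session clipboard write allowed formats"
    if not restricted:
        return True, "no restriction in this direction"
    if fmt in allowed:
        return True, "format listed in " + allow_name
    return False, restrict_name + " is Enabled"


def exposure(policy, formats):
    """List the (direction, format) pairs the policy set lets through."""
    return [(d, f) for d in (TO_CLIENT, TO_SESSION) for f in formats
            if decide(policy, d, f)[0]]


def lint(policy):
    """Report allow-lists that cannot take effect in this combination."""
    notes = []
    pairs = (
        ("Client clipboard write allowed formats", policy.client_write_allowed_formats,
         "Restrict client clipboard write", policy.restrict_client_clipboard_write),
        ("Session clipboard write allowed formats", policy.session_write_allowed_formats,
         "Restrict session clipboard write", policy.restrict_session_clipboard_write),
    )
    for allow_name, formats, restrict_name, restricted in pairs:
        if not formats:
            continue
        if not policy.client_clipboard_redirection:
            notes.append(allow_name + " has no effect: redirection is Prohibited")
        elif not restricted:
            notes.append(allow_name + " has no effect: " + restrict_name + " is not Enabled")
    return notes


if __name__ == "__main__":
    # Constructed policy: block session-to-client copies except files.
    policy = ClipboardPolicy(restrict_client_clipboard_write=True,
                             client_write_allowed_formats=frozenset({"CFX_FILE"}))
    for pair in exposure(policy, ["CF_TEXT", "HTML Format", "CFX_FILE"]):
        print(pair)
    print(lint(policy))
```

Listing the exposure for every format in use makes it obvious when an exception such as CFX_FILE reopens the session-to-client path that the restriction was meant to close.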

Additional Resources:
• Clipboard:
https://docs.citrix.com/en-us/citrix-workspace-app-for-html5/configure.html
• Client clipboard redirection:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings.html#client-clipboard-redirection
• Enhanced clipboard support:
https://docs.citrix.com/en-us/receiver/html5/current-release/user-experience.html
• Copy and paste between session and client:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/bidirectional-content-redirection.html
• Native clipboard experience is here for Citrix Workspace app for HTML5:
https://www.citrix.com/blogs/2019/07/17/native-clipboard-experience-is-here-for-citrix-workspace-app-for-html5/


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 6

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercises.


User Profile Management

Session Initialization
1 User profile
2 GPO/GPP
3 Logon scripts
4 Network drives/printers

Login: 10 - 15s

No more complex scripts:
• No more « wait 5000 »
• No more « if member »

Key Notes:
• The No more « wait 5000 » refers to a command used in scripts to wait 5 seconds for the script currently in progress to finish executing before starting the next script (when there are multiple logon scripts).
• The No more « if member » refers to a command to apply the script or portions of the script based on the AD group membership of the user account logging on.
• Using WEM to assign resources to users/user groups, these two commands are no longer needed, which simplifies and speeds up the logon.


Printer Management
Using WEM and Citrix Policies

WEM
• Printer Assignment: Use Actions tab, Use XML Printer List
• Printer assignment settings are enforced to WEM clients only.

Citrix Policies
• Printer Assignment: Session Printer Policies, Client Printer Policies
• Printer assignment settings are enforced to HDX sessions only.
• Print Driver Mapping: Universal Print drivers, Model specific drivers
• Print Server Configuration


Lesson Objective Review

Scenario: You are the Citrix Admin and you have just deployed Citrix Virtual Apps and Desktops. However, users are unable to connect to their sessions.
In checking with the Networking team, you’ve learned that port 1494 was enabled for HDX connections.
What are you missing?

Session Reliability is enabled by default and uses port 2598 for user connections to sessions.


Lab Exercises
Module 6


Lab Exercise

• Exercise 6-1: Configure Load Management Using a Citrix Policy
• Exercise 6-2: Test The User Experience
• Exercise 6-3: Configure and Test Browser Content Redirection


Key Takeaways

• Policies are a highly flexible instrument for controlling most aspects of a Citrix Virtual Apps and Desktops deployment.
• Configuring session management features can provide users with a better user experience.


Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Published App and Desktop Presentation and Management

Module 07


Learning Objectives

• Identify the properties of published Apps.
• Describe key optimizations for Server OS published resources.
• Explain presentation options for published Apps.
• Classify the functionality of Application Groups.
• Identify how to successfully deploy resources using Desktop OS and Server OS together in a single presentation.


Published App Properties


Applications Node
Enables you to:

• View, assign, and edit apps all in one place.
• Host apps to multiple Delivery Groups at the same time.
• Add existing apps to a Delivery Group.

Key Notes:
• Under the legacy IMA architecture, Citrix Virtual Apps has had an Applications node for years, up through version 6.5.
• When Citrix carved Citrix Virtual Apps out of IMA and brought it to FMA and the Site architecture, the individual App node was hidden.
• It was not completely lost; it was just buried under the Delivery Groups node, in the Applications tab.
• Starting with Citrix Virtual Apps and Desktops 7.8, the Applications node has been exposed directly in Studio. It’s not the same Applications node from the IMA days, because Catalog and Delivery Group considerations now come into play.


Application Folders

• Organizes delivered applications.
• Invisible to clients.
• Allows applications to have same name, if they are in separate folders.
• Can be nested up to five levels.

Key Notes:
• Although application folders are technically not a part of application properties, it is very helpful to know about the feature.
• These folders are only visible inside the administrative console, not on the client side. They are meant as a means for the administrator to structure the published apps for simpler management.
• These folders often get confused with the “Categories” which are defined in the Application properties. Categories can be made visible on the client side in the web GUI, native receiver or Start Menu of the endpoint.
• Each application can only be in one application folder at a time.
• By default, applications you add are placed in a folder named Applications. You can:
  • Create additional folders and then move applications into those new folders.
  • Folders can be nested up to five levels.
  • Folders do not have to contain applications; empty folders are allowed.
  • Folders are listed alphabetically unless you move them or specify a different location when you create them.
  • You can have more than one folder with the same name, as long as each has a different parent folder. Similarly, you can have more than one application with the same name, as long as each is in a different folder.
  • Move a folder to the same or a different level. Moving is easiest using drag-and-drop.
  • You cannot rename or delete the Applications folder, but you can move all the applications it contains to other folders you create.

Additional Resources:
• Applications:
  • 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/applications-manage.html
• Citrix XenApp and XenDesktop 7.6 - Studio Application folders:
https://www.youtube.com/watch?v=9ktLbPAoT7k&feature=youtu.be


Application Properties
Settings Overview

• Identification
  • Application Name
  • Description/Keywords
• Delivery
  • Category
• Location
  • Executable
  • Command Line argument
  • Working Directory
• Groups
• Limit Visibility
• File Type Association
• Zone

Key Notes:
• Each app can use two different names (for user / for administrator). This makes it possible to offer a program with the same name but different command line parameters or originating from different Delivery Groups to users.
• Within each application folder, the Application Name (for administrator) must be unique.
• To change the properties of an application:
  • Select Applications in the Studio navigation pane.
  • Select an application and then select Edit Application Properties in the Actions pane.

Additional Resources:
• Applications:
  • 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/applications-manage.html


Application Properties
Identification Tab: Use KEYWORDS

• Auto
  • Applications display automatically as favorite & in start menu
  • User can still remove app from favorites
• Mandatory
  • Like Auto, but user cannot remove app from favorites
• Featured
  • Special visual emphasis, depending on client
• Prefer
  • Substitute published app with a local app on the client
• TreatAsApp
  • For virtual desktops to display in the app folder

Key Notes:
• What are Keywords? Keywords are a method that Citrix administrators can use to control or direct how an application is displayed to the user, when that user connects to the StoreFront store. The specific Keywords, as mentioned above, are used to provide this level of control.
• A description and multiple Keywords can be combined in the “Description and keywords:” field, as shown in the screenshot. Everything after “KEYWORDS:” is considered to be a Keyword.
• Multiple Keywords are separated using blank spaces.
• Using Auto or Mandatory does not really subscribe users to applications (no database entry will be made in the StoreFront-based subscription store). Using these Keywords just makes it look as if the user was subscribed to an app. As soon as the Keyword is removed, users will no longer see the app icon within their Favorites in StoreFront & Citrix Workspace app (or the Start menu).
• Append Keywords to the descriptions you provide for Delivery Group applications:
  • To make an individual app mandatory, so that it cannot be removed from Citrix Workspace app for Windows, append the string KEYWORDS:Mandatory to the application description. There is no Remove option for users to unsubscribe from mandatory apps.
  • To automatically subscribe all users of a store to an application, append the string KEYWORDS:Auto to the description. When users log on to the store, the application is automatically provisioned without users needing to manually subscribe to the application.
  • To advertise applications to users or to make commonly used applications easier to find by listing them in the Citrix Workspace app Featured list, append the string KEYWORDS:Featured to the application description.
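
A parser for the “Description and keywords” field as these notes describe it, added here as an example (not Citrix code and not part of the original manual). It splits the field at KEYWORDS:, treats everything after it as blank-separated Keywords, and reports tokens that are not among the five Keywords on this slide, which catches description text that was typed after the marker. The function names are hypothetical, and matching Keyword names case-insensitively and ignoring anything after an "=" in a token are assumptions.

```python
MARKER = "KEYWORDS:"
SLIDE_KEYWORDS = ("Auto", "Mandatory", "Featured", "Prefer", "TreatAsApp")


def parse_description(field):
    """Split the field into (description, [keywords])."""
    description, marker, tail = field.partition(MARKER)
    # Everything after the marker is a Keyword; Keywords are blank-separated.
    keywords = tail.split() if marker else []
    return description.strip(), keywords


def presentation(keywords):
    """Summarise what the parsed Keywords mean for the user's view of the app."""
    # Assumption: compare names case-insensitively and drop any "=value" part.
    names = {k.split("=", 1)[0].lower() for k in keywords}
    known = {k.lower() for k in SLIDE_KEYWORDS}
    return {
        # Auto and Mandatory both make the app appear as a favorite.
        "in_favorites": bool(names & {"auto", "mandatory"}),
        # Only Mandatory takes the Remove option away from the user.
        "user_can_remove": "mandatory" not in names,
        "featured": "featured" in names,
        "prefers_local_app": "prefer" in names,
        "desktop_shown_as_app": "treatasapp" in names,
        # Tokens outside the slide's list: other Keywords, typos, or stray prose.
        "unrecognized": sorted(names - known),
    }


def review(apps):
    """Return {app name: unrecognized tokens} for fields that need a second look."""
    findings = {}
    for name, field in apps.items():
        _, keywords = parse_description(field)
        unknown = presentation(keywords)["unrecognized"]
        if unknown:
            findings[name] = unknown
    return findings


if __name__ == "__main__":
    # Constructed sample fields.
    apps = {
        "Outlook": "Corporate mail client KEYWORDS:Mandatory Featured",
        "Reports": "KEYWORDS:Auto Finance reporting tool",   # prose after the marker
        "Notepad": "Plain text editor",
    }
    for name, field in apps.items():
        print(name, parse_description(field))
    print(review(apps))
```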

Additional Resources:
• Configuring application delivery: 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/applications-manage.html
• Citrix Receiver for Windows 4.12: https://docs.citrix.com/en-us/receiver/windows/current-release/configure/config-app-delivery.html


Application Properties
Delivery Tab

Use App Limits to:

• Limit the number of resource-intensive apps that can be launched.
• Control licensing of an application.

Key Notes:
• This feature was available in Citrix XenApp version 6.5 and earlier, within both the Publishing wizard and the Application Properties Advanced settings.


Application Properties
Location Tab

• Specify local or remote applications in the path field.
  • Use UNC paths instead of mapped drive letters
  • Variables may also be used, like %homedrive%
• Submit special parameters to the program by using the command line argument field.
  • Variables can also be passed to the program, like %username%

Key Notes:
• Mapped drive letters are mapped on a per user basis and might not be available to the FMA subsystem upon the launch of the app. It is therefore a leading practice to use UNC paths instead.
• Most programs do not evaluate the working directory anymore, but instead use different directories for specific functions, usually configurable in the program’s menu or via policies.
• If needed, specify a working directory for the program to use as default when saving or loading files from within the program.

Additional Resources:
• Applications:
  • 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/applications-manage.html


Application Properties
Group Tab

The Groups screen provides the ability to add, remove, or edit the priority of any application for an Application Group or Delivery Group.

Key Notes:
• Delivery Group
  • Application(s) can be added to any available Delivery Group(s), and then be available to users from any machines within that group
• Application Group
  • Application(s) can be added to any available Application Group(s)
  • You can specify either specific users who will only have access to the Application Group applications, or select specific Delivery Group(s) you want to run these applications.


Application Properties
Limit Visibility Tab

• Use Limit Visibility to restrict application access to specified groups.
• To limit access to the Desktops delivered on a Server OS Delivery Group that is also hosting applications, use PowerShell, or Studio on version 7.7 and above.
• This will not block users from starting the application itself from another application or a desktop session.

Key Notes:
• This feature functions like a whitelist.
• Every group (or member of the group) needs to be able to access the Delivery Group itself, so allowing access on the Delivery Group to “doctors” and later specifying the “nurses” group for access to an application hosted from this Delivery Group does not enable the nurses to start the program.
• By default, all applications are accessible to anyone having permissions to access the Delivery Group.
• Starting with Citrix Virtual Desktops 7.7, permissions to access the desktop of a Delivery Group can also be set in Studio (prior to this version, PowerShell has to be used).
• This does not prevent access to the app in general for other users: they might still be able to access the app from another app that they are able to launch (for example, starting WinZip by clicking the ZIP-File-Attachment from within Outlook).


Application Properties
File Type Association Tab

Configure File-Type Association to allow users to leverage Citrix Workspace app and access resources from the Citrix Virtual Apps and Desktops Site - providing a seamless user experience. To configure:
• On an endpoint system: Install FTA-capable Citrix Workspace app
• In Citrix Studio: Select all the file extensions for an app that you want to use on an endpoint system

Key Notes:
• Configure File-Type Association to allow users to leverage Citrix Workspace app and access resources from the Citrix Virtual Apps and Desktops Site - providing a seamless user experience. To configure:
  • On an endpoint system: Install FTA-capable Citrix Workspace app
  • In Citrix Studio: Select all the file extensions for an app that you want to use on an endpoint system
• FTA launches a published app when a specified file type is launched on the local device, and Citrix Workspace app is running. To function correctly, the VDA hosting the published app must have access to the file to open it. Therefore, you can only open files that reside on network shares or on client drives (with client drive mapping enabled).
• This feature is also known as FTA (abbreviation), “Client to Server Content redirection”, and “File Open in Citrix Workspace app.”
• This feature is currently available in Windows, Linux, Android, and Chrome OS according to the Citrix Workspace app client feature matrix. It will not work with Receiver for Web or Citrix Workspace for HTML5.
• Keep in mind that for FTAs to work, the user must have the target published app as a Favorite in Citrix Workspace app. Keywords such as “Auto” or “Mandatory” can be used to ensure that this is in place.
• Note the differences between FTA and host to client redirection (also known as URL redirection and Local App Access).
• Host to client redirection is a different kind of content redirection. It is supported only on server OS VDAs (not desktop OS VDAs).
• When host to client redirection is enabled, URLs are intercepted at the server VDA and sent to the user device. The web browser or multimedia player on the user device opens these URLs.
• If you enable Host to Client redirection and the user device fails to connect to a URL, the URL is redirected back to the server VDA.
• When Host to Client redirection is disabled, users open the URLs with web browsers or multimedia players located on the server VDA.
• When Host to Client redirection is enabled, users cannot disable it.
• Host to Client redirection was previously known as Server to Client redirection.
• File Type Association (FTA) - The Process
1. Citrix Workspace app loads the published resources for the user and also retrieves any File-Type Associations for the published apps.
2. Citrix Workspace app starts a remote session and launches the associated published app in the session.
3. If the file is located on a file server accessible to both Endpoint and VDA, the VDA will open the file from within the user’s session directly.
• For Endpoint Process:
• Citrix Workspace app associates its own executable as default handler for the specified file-types.
• The user double-clicks file on endpoint.
• File can be local or remote to the endpoint.
• Content redirection allows you to control whether users access information with applications published on servers or with applications running locally on user devices.
• Citrix Workspace app saves the original File-Type Association and restores it if the user de-favorites the program.
• The files can be on local media or a network share (local or accessible to both VDA and endpoint system).
• For VDA Process:
• Citrix Workspace app passes a pointer to the file to the published app inside the session.
• The app opens the file through the HDX session from the client drive or network share and displays it to the user in the session.
• The client drive mapping virtual channel is necessary to open local files on the endpoint. The VDA can only access the file on the endpoint if this channel has not been restricted (via policy).
• With this feature it is not necessary to have applications installed on the endpoint in order to open the file / if an application supporting the file type is installed, Citrix Workspace app can override the default File-Type Association for this program since it is usually loaded later (last writer wins).
• For Endpoint Process:
• The credentials of the user from the session are used on the file server.
• This is essentially the same situation as 2a, however, in this case the user opens a file saved on a network share that is reachable from the VDA. Instead of opening the file through client drive mapping, the session will pick up the file from a network share.
• You can use client to host redirection for an enhanced user experience by creating a seamless workflow to enable users to begin working moments after clicking a target file on their local device or network share.
• Alternatively, it can be implemented for security reasons, for example to prevent users from working on certain types of documents on a managed endpoint.
• Before implementing file-type associations, keep in mind the additional Citrix Virtual Apps and Desktops hosting resources that may be needed to support the increased number of HDX sessions that would result.

Additional Resources:
• Citrix Workspace app Feature Matrix (includes Receiver for Windows LTSR):
https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/citrix-workspace-app/Citrix-Workspace-app-Feature-matrix.pdf


Workspace App Application
Delivery Categories
A Category:

• Provides a hierarchical structure in the Start menu of the client and helps to locate related applications.
• Provides additional words that can be searched for, to find an application.
• Can be nested using backslash, as shown below:
  • Folder\Subfolder1\Subfolder2
  • Note that the Windows 8 start menu only shows the top-level folder.
• Each app can be placed in only one category at a time.
• Multiple applications can share a category.

Key Notes:
• The screenshot shows several applications that have all been put in the “Office” category, without any subfolders.
• In the Application category field, optionally specify the category in Citrix Workspace app where the application appears. For example, if you are adding shortcuts to Microsoft Office applications, enter Microsoft Office.
• If you want applications displayed in specific folders use the following options:
  • If you want the application shortcuts Citrix Workspace app places in the Start menu to be shown in their associated category (folder) - configure Citrix Workspace app with UseCategoryAsStartMenuPath=True.
  • Note: Windows 8/8.1 does not allow the creation of nested folders within the Start Menu. Applications will be displayed individually or under the root folder but not within Category sub folders defined within Citrix Virtual Apps and Desktops.
  • If you want the applications that Citrix Workspace app puts in the Start menu to be in a specific folder - configure Citrix Workspace app with StartMenuDir=the name of the Start Menu folder.
  • Backslash serves as delimiter to create a hierarchical structure.

Additional Resources:
• Configuring application delivery:
  • Receiver 4.12: https://docs.citrix.com/en-us/receiver/windows/current-release/configure.html


Lesson Objective Review

Scenario: You are a Citrix Admin and you have to ensure that only specific employees have access to Publisher, as a
published app. Currently, Publisher is installed across all Server OS VDAs. Your manager suggests implementing Limit
Visibility. Would this be sufficient?

Limit Visibility only hides the application in StoreFront; the user can still open the application through File Type
Association (FTA) on the server.


Server OS Published App Optimizations


Delivery Group Properties - Application Prelaunch

• The session prelaunch feature helps specified users to access applications quickly, by initiating sessions
before they are requested.
• A session is started when a user logs on to Citrix Workspace app, and remains active until the last open
application in the session closes.

Key Notes:
• The Session Pre-launch feature helps specified users access applications quickly, by starting sessions before they
are requested.
• The launch of the session itself is not faster; it just happens in the background before the user actually requests a
session. When the user requests a session to run a certain application, this application is started almost instantly within
the existing session without the need to wait for the session to be fully negotiated between the endpoint and the VDA.
• You can also configure session pre-launch for a scheduled time of day in Citrix Workspace app.

• Administrators can specify an idle time after which unused blank sessions are terminated to conserve
resources on the VDA.
• When using session pre-launch:
• Regardless of the admin-side settings, if an end user’s machine is put into "suspend" or "hibernate" mode,
pre-launch will not work.
• Pre-launch will work as long as the end user locks their machine/session, but if the end user logs off from
Citrix Workspace app, the session is ended and pre-launch no longer applies.
• To save time for the user during application launch, Citrix Workspace app can re-use existing sessions:
• Citrix Workspace app is loaded
• Citrix Workspace app starts a blank session
• User launches application in existing session

Additional Resources:
• Manage Delivery Groups - Configure session prelaunch and session linger in a Delivery Group:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/delivery-groups-manage.html#configure-session-prelaunch-and-session-linger-in-a-delivery-group


Delivery Group Properties – Application Pre-Launch Considerations

To save time for the user during application launch, Citrix Workspace app can re-use existing sessions:
1. Citrix Workspace app is loaded
2. Citrix Workspace app starts a blank session
3. User launches application in existing session

[Diagram: (1) endpoint with Citrix Workspace app and a VDA; (2) blank session between endpoint and VDA; (3) Microsoft Word application session between endpoint and VDA]

Key Notes:
• The Session Pre-launch and Session Linger features help specified users access applications quickly, by starting sessions
before they are requested (Session Pre-launch) and keeping application sessions active after a user closes all
applications (Session Linger).
• By default, Session Pre-launch and Session Linger are not used: a session starts (launches) when a user starts an
application, and remains active until the last open application in the session closes.
• Session pre-launch requires Citrix Workspace app for Windows on the endpoint system.


• Sessions can only be pre-launched for published apps, not published desktops.
• The launch of the session itself is not faster; it just happens in the background before the user actually
requests a session. When the user requests a session to run a certain application, this application is started
almost instantly within the existing session without the need to wait for the session to be fully negotiated
between the endpoint and the VDA.
• You can also configure session pre-launch for a scheduled time of day in Citrix Workspace app.
• Administrators can specify an idle time after which unused blank sessions are terminated to conserve
resources on the VDA. Pre-launched sessions also consume a license.
• Session Pre-launch only works with Server-OS published apps, not desktop sessions or applications hosted
on Desktop OS VDAs.
• When using session pre-launch:
• Regardless of the admin-side settings, if an end user’s machine is put into "suspend" or "hibernate" mode,
pre-launch will not work.
• Pre-launch will work as long as the end user locks their machine/session, but if the end user logs off from
Citrix Workspace app, the session is ended and pre-launch no longer applies.

Additional Resources:
• Manage Delivery Groups - Configure session prelaunch and session linger in a Delivery Group:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/delivery-groups-manage.html#configure-session-prelaunch-and-session-linger-in-a-delivery-group


Delivery Group Properties - Application Lingering

The session linger feature helps specified application sessions stay active after a user closes all applications
within the session.

Key Notes:
• The Delivery Group must support applications, and the machines must be running a VDA for Server OS, minimum version
7.6.
• Although unused pre-launched and lingering sessions disconnect after 15 minutes by default, the value can be configured
in PowerShell (New/Set-BrokerSessionPreLaunch cmdlet).
• Optimal configuration balances the benefits of earlier application availability for users against the cost of keeping licenses
in use and resources allocated.

• Roaming of profiles is delayed until the lingering session is finally closed.
• A session can linger in a connected or disconnected state; an administrator can set timers to terminate
lingering sessions that are not being used.
• Session Lingering works to save time when starting a new application after closing the last application of a
session:
• A user closes the last application
• Yet the VDA keeps the session open
• The VDA re-uses the existing session to launch succeeding applications in it

Additional Resources:
• Manage Delivery Groups - Configure session prelaunch and session linger in a Delivery Group:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/delivery-groups-manage.html#configure-session-prelaunch-and-session-linger-in-a-delivery-group


Delivery Group Properties - Application Lingering Considerations

To save time when starting a new application after closing the last application of a session:
1. A user closes the last application.
2. Yet the VDA keeps the session open.
3. The VDA reuses the existing session to launch succeeding applications in it.

[Diagram: (1) Microsoft Word session between an endpoint with Citrix Workspace app and a VDA; (2) blank session; (3) Microsoft Word application session]

Key Notes:
• The Delivery Group must support applications, and the machines must be running a VDA for Server OS, minimum version
7.6.
• Session pre-launch is supported only when using Citrix Workspace app for Windows. Session Linger is supported when
using Citrix Workspace app for Windows and Receiver for Web. Additional Citrix Workspace app configuration is required.
• Note: Citrix Workspace app for HTML5 is not supported.
• Pre-launched and lingering sessions consume a license, but only when connected. Unused pre-launched and lingering
sessions disconnect after 15 minutes by default. This value can be configured in PowerShell
(New/Set-BrokerSessionPreLaunch cmdlet).
• Careful planning and monitoring of your users’ activity patterns are essential to tailoring these features to
complement each other. Optimal configuration balances the benefits of earlier application availability for users
against the cost of keeping licenses in use and resources allocated.
• Roaming of profiles is delayed until the lingering session is finally closed.
• A session can linger in a connected or disconnected state; an administrator can set timers to terminate
lingering sessions that are not being used.
• Session Linger is only supported with Server-OS published apps.

Additional Resources:
• Manage Delivery Groups - Configure session prelaunch and session linger in a Delivery Group:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/delivery-groups-manage.html#configure-session-prelaunch-and-session-linger-in-a-delivery-group


Session Sharing

When a user has an active app session, and then launches an additional app, the system will override the Delivery
Controller’s attempt to load balance the application request; and if the new requested application is also hosted on
the system where the current session is running, then the new app request launches inside of the existing session.

[Diagram, two panels. "Existing Session": Delivery Controller, Microsoft Excel, HDX, Server OS, endpoints with Citrix Workspace app. "Session Sharing": Delivery Controller, Microsoft Excel and Microsoft Outlook, HDX, Server OS, endpoints with Citrix Workspace app.]

Key Notes:
• Session sharing is a mode in which more than one published application runs on a single connection. Session sharing
occurs when a user has an open session and launches another application that is published on the same server; the result
is that the two applications run in the same session.
• Session sharing between Application Groups is enabled when you create an Application Group; you cannot change this
when you create the group.
• For session sharing to occur, both applications must be hosted on the same server.

• If a user runs multiple applications with session sharing, the session counts as one connection.
• If you want to share sessions, ensure all applications are published with the same settings. Inconsistent
results may occur when applications are configured for different requirements, such as encryption.
• Session Sharing saves time on subsequent app launches by loading the new app instance within the user’s
existing session.

Additional Resources:
• Manage Application Groups – Disable application session sharing within an Application Group:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/application-groups-manage.html


Session Sharing Configuration

• Session Sharing is enabled by default.
• To view or make changes, Session Sharing is configured via PowerShell.
• Use the cmdlet:
• Get-BrokerApplicationGroup
• Take note of the two settings:
• SessionSharingEnabled = True
• SingleAppPerSession = False

Key Notes:
• There may be instances where the Citrix Administrator may wish to individually load balance app launches.
• Session sharing between Application Groups is enabled when you create an Application Group; you cannot change this
when you create the group.
• Session Sharing may be disabled using a cmdlet available only via the Broker PowerShell SDK:
• Set-BrokerApplicationGroup "App Group MS Office" -SessionSharingEnabled $false -SingleAppPerSession $true
• Session sharing can also be enabled or disabled between application groups using the GUI in Edit Application groups >
Settings > Enable application session sharing between Application Groups.
• Session sharing between applications in the same Application Group is enabled by default when you create an
Application Group. If you disable application session sharing between Application Groups, session sharing
between applications in the same Application Group remains enabled.
• You can use the Broker PowerShell SDK to configure Application Groups with application session sharing
disabled between the applications they contain. In some circumstances this may be desirable: for example,
you may want users to start non-seamless applications in full-size application windows on separate monitors.
• When you disable application session sharing within an Application Group, each application in that group
launches in a new application session. If a suitable disconnected session is available which is running the
same application, it is reconnected. For example, if you launch Notepad, and there is a disconnected session
with Notepad running, that session is reconnected instead of creating a new one. If multiple suitable
disconnected sessions are available, one of the sessions is chosen to reconnect to, in a random but
deterministic manner: if the situation reoccurs in the same circumstances, the same session is chosen, but the
session is not necessarily predictable otherwise.
• You can use the Broker PowerShell SDK either to disable application session sharing for all applications in an
existing Application Group, or to create an Application Group with application session sharing disabled.

Additional Resources:
• Manage Application Groups – Disable application session sharing within an Application Group:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/application-groups-manage.html


Lesson Objective Review

Scenario: An administrator manages a Citrix Virtual Desktops environment that exclusively uses VDA Desktops for its
users. The administrator wants to configure and use the Session prelaunch and Session Lingering features to improve
the overall session performance for users.

Can the Administrator configure their current infrastructure to take advantage of these features?

No.
Session Pre-launch and Session Lingering only work with Server-OS published apps.


Published App Presentation


Featured App Groups

• Displaying applications together as a bundle makes it easier for users to find related applications.
• Use Featured App Groups by specifying keywords, categories, or specific application names to create bundles of
related applications.

Key Notes:
• Featured App Groups are a visual emphasis and a grouping mechanism in addition to the categories.
• Each app can be part of multiple Featured App Groups.
• All applications in a Featured App Group can be favorited / subscribed to at once.

Additional Resources:
• How to display the Featured apps group under the "Category" view than the "All" view on storefront website:
https://support.citrix.com/article/CTX217236

Shortcut Integration

• Start menu integration and desktop shortcut management provide a seamless desktop experience for users.
• Defining a common Start Menu directory to put all shortcuts makes it easy for users to locate their published apps.
• Tidy up the desktop by specifying a common Desktop directory where shortcuts are placed.

[Diagram: Endpoint with StoreFront shortcuts in the Start Menu and shortcuts on the Desktop]

Key Notes:
• Configure Citrix Workspace app to remove shortcut icons on logoff or exit if the device is shared between users.
• Control shortcut integration in the following places:
• Citrix Workspace app ADMX and GPO
• StoreFront – web.config
• PowerShell

• Citrix Studio
• Start menu integration and desktop shortcut only mode lets you bring published app shortcuts into the
Windows Start menu and onto the desktop. In this way, users do not have to subscribe to applications from
the Citrix Workspace app user interface. Start menu integration and desktop shortcut management provide a
seamless desktop experience for groups of users, who need access to a core set of applications in a
consistent way.
• As a Citrix Workspace app administrator, you can use command-line install flags, GPOs, account services, or
registry settings to disable the usual "self service" Citrix Workspace app interface and replace it with a
pre-configured Start Menu. The flag is called SelfServiceMode and is set to true by default. When the
administrator sets the SelfServiceMode flag to false, the user no longer has access to the self service Citrix
Workspace app user interface. Instead, they can access subscribed apps from the Start Menu and via
desktop shortcuts - referred to here as shortcut-only mode.

Additional Resources:
• Configuring application delivery:
• Receiver 4.12 LTSR: Current: https://docs.citrix.com/en-us/receiver/windows/current-release/configure/config-app-delivery.html
• How to Customize App Shortcuts with Receiver for Windows: https://support.citrix.com/article/CTX200924

Self-Service Mode
For the Citrix Workspace app

Behavior when Self-Service Mode is Enabled:
• Users can choose which app they favorite and add to the Start Menu or desktop.
• Applications can be removed.
• Users can add additional stores.
• Citrix Workspace app offers an interface to manipulate application subscription and start applications.

Behavior when Self-Service Mode is Disabled:
• All assigned published apps are automatically subscribed to.
• Applications will automatically be placed in the Start Menu.
• Categories will be used as Start Menu folders.
• Applications cannot be removed / will reappear.
• Citrix Workspace app does not offer an interface to manipulate application subscription & start applications.

Key Notes:
• Self-Service Mode can be configured using the registry, a GPO or the Web.Config file on StoreFront.
• By adding a StoreFront account to Citrix Workspace app or configuring Citrix Workspace app to point to a site, you can
configure self-service mode, which allows users to subscribe to applications from the Citrix Workspace app user interface.
This enhanced user experience is similar to that of a mobile app store.
• In self-service mode you can configure mandatory, auto-provisioned and featured app keyword settings as needed:
• To automatically subscribe all users of a store to an application, append the string KEYWORDS:Auto to the description
you provide when you publish the application in Citrix Virtual Apps. When users log on to the store, the
application is automatically provisioned without the need for users to manually subscribe to the application.
• To advertise applications to users or make commonly used applications easier to find by listing them in the
Citrix Workspace app Featured list, append the string KEYWORDS:Featured to the application description.
• Disabling subscriptions on a StoreFront store has a similar effect, but will also affect the WebGUI and other
variants of Citrix Workspace app accessing the store.

Additional Resources:
• How to Customize App Shortcuts with Receiver for Windows: https://support.citrix.com/article/CTX200924
• Configuring application delivery:
• Receiver 4.12 LTSR: https://docs.citrix.com/en-us/receiver/windows/current-release/configure/config-app-delivery.html
• Current Release: https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/configure/config-app-delivery.html


Lesson Objective Review

Where are Featured App Groups configured?

In the StoreFront Management Console, in the Edit properties under the Receiver for Web site.


Application Groups


Application Groups
Application Groups are optional

• Application Groups let you manage collections of applications across different Delivery Groups or used by a
subset of users within Delivery Groups.
• Application Groups provide application management advantages over using Delivery Groups. For example:
• Application Groups can be tagged with restrictions to use existing machines for more than one publishing task.

[Diagram labels: AppGroup1, AppGroup2, AppGroup3; Settings 1, Settings 2, Settings 3; DeliveryGroup1, DeliveryGroup2; Catalog1 (images)]

Key Notes:
• Application Groups is a feature (available for XA/XD 7.9+) that allows admins to group all or some applications from
several Delivery Groups to manage and configure them as a single entity.
• Citrix recommends adding applications to either Application Groups or Delivery Groups, but not both at the same time.
• By default, application session sharing between Application Groups is enabled.
• To review, session sharing means that subsequent application launches on the same server OS will launch within
the existing session.

• Configuring unauthenticated user access is available only in Delivery Groups, not in Application Groups.
• To use Application Groups, your core components must be minimum version 7.9.

Additional Resources:
• Introducing Application Groups in XenApp and XenDesktop 7.9:
https://www.citrix.com/blogs/2016/07/20/xenapp-xendesktop-7-9-introducing-application-groups/
• Create Application Groups:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/application-groups-create.html


Considerations

• Use either Application Groups or Delivery Groups, but not both.
• Session sharing between Application Groups is enabled by default, and can be disabled.
• Creating Application Groups requires the delegated administration permission of the Delivery Group
Administrator built-in role.
• Application Groups can be linked to multiple Delivery Groups and Delivery Group priorities can be used to
control failover and load balancing.

Key Notes:
• Using both Application Groups and Delivery Groups at the same time will work, but the administrator will potentially lose
track of where published apps are configured as the environment grows.

Additional Resources:
• Create Application Groups:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/application-groups-create.html

Tagging

• With tag restrictions, you can use your existing machines for more than one publishing task, saving the costs
associated with deploying and managing additional machines.
• A tag restriction can be thought of as subdividing the machines in a Delivery Group. Its functionality is
similar to Worker Groups in Citrix XenApp 6.5.

[Diagram labels: AppGroup1, DeliveryGroup1, Catalog1; images tagged TAG: YELLOW and TAG: BLUE]

Key Notes:
• A tag restriction involves several steps:
• Create the tag and then add (apply) it to machines.
• Create or edit a group with the tag restriction (in other words, "restrict launches to machines with tag x").
• A tag restriction extends the broker's machine selection process. The broker selects a machine from an associated
Delivery Group subject to access policy, configured user lists, zone preference, and launch readiness, plus the tag
restriction (if present). For published apps, the broker falls back to other Delivery Groups in priority order, applying the
same machine selection rules for each considered Delivery Group.

Additional Resources:
• Tags:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/tags.html


Lesson Objective Review

Which of the built-in delegated administration roles is required as a minimum to create an Application Group?

The Delivery Group Administrator role is required as a minimum to create an Application Group.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 7

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the
lab exercises.

Apps and Desktops Presentation


Apps and Desktops Presented Through HDX Double Hop

1. User1 launches a published desktop from their endpoint device.
2. User1 launches a published app from within their current published desktop.
3. The additional HDX application, in this case Microsoft Word, runs from within the second “hop” application session.

[Diagram: User Layer (endpoints with Citrix Workspace app) and Resource Layer (Desktop OS, Server OS), with the sessions numbered 1 to 3 and a published Microsoft Word session]

Key Notes:
• ICA pass-through and Double-Hop HDX are different names for the same concept.
• Hosted Desktop can be Citrix Virtual Apps and Citrix Virtual Desktops.
• The Hosted App can be on Citrix Virtual Apps or Citrix Virtual Desktops (VM Hosted Apps).
• User1 will see their Hosted App running within their Hosted Desktop.
• Benefits:
• Improve stability. Desktop delivery group with core, stable applications. Put all resource-intensive and unstable apps
(often called bad apps) in a different delivery group. If one of these apps crashes or consumes an unfair
share of resources, the impact is limited.
• When making a change to an image, you need to test all apps to make sure that they still work correctly.
Increasing the number of images and reducing the number of apps reduces the amount of app compatibility
testing required. It is necessary to balance between having too many images and too many apps per
image.
• Considerations:
• Apps in separate delivery groups will have limited integration. For example, Object Linking and Embedding
will not be supported. Place apps with integration requirements (helper apps) in the same delivery group.
• Summary:
• Double-Hop HDX is a concept and not a feature. There is nothing to enable.
• Why use Double-Hop HDX? Why not have separate sessions for apps to endpoint?
• Users more familiar with accessing apps through single desktop
• Single, integrated landing point
• Some organizations require a desktop for corporate branding—for example, a background and
screensaver.

Additional Resources:
• Introducing Application Groups in XenApp and XenDesktop 7.9:
https://www.citrix.com/blogs/2016/07/20/xenapp-xendesktop-7-9-introducing-application-groups/
• Create Application Groups:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/application-groups-create.html


HDX Double Hop
Benefits and Considerations

Benefits:
• Isolate apps that are resource intensive and unstable
• Reduce updates to core desktop image and reduce app compatibility testing
• Automatically maps drives from the endpoint machine

Considerations:
• Reduced integration between apps – OLE
• Requires additional infrastructure
• Additional redundancy for each Delivery Group

Key Notes:
• The third point under benefits assumes the Citrix Policy to map drives has been enabled.


HDX Double Hop
Store Subscription Sharing

• When configuring StoreFront to have multiple stores, you may want these stores to share the same
subscription database.
• Use subscription synchronization so users only select their favorite apps once.
• For users logging into multiple stores for the same resources it can be an inconvenience to set your
favorites more than once, especially if you don't make consistent choices.
• Double Hop Store reads and writes subscriptions from the Store database.
• If you follow the Double Hop model, but find it's not for all users within the company, then you will
need to support multiple separate stores.

Key Notes:
• Consider this example - a StoreFront has two stores, Store 1 and Store 2. Store 2 is to be pointed to Store-1.
• Edit C:\Inetpub\wwwroot\Citrix\Store-2\web.config
• Locate: <clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_Store-2"
• Change to: <clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_Store-1"
• This redirects Store 2 to read and write subscriptions from the Store 1 database.
• Remember to propagate changes.
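
The web.config edit described in the notes above, done with an XML parser instead of by hand so that the change is checked and safe to repeat. This is an added example, not code from the course manual or from Citrix: the function name `Set-SubscriptionEndpoint`, the sample XML and its parent element names are assumptions; only the `clientEndpoint` `uri` format and the file path come from the notes.

```powershell
# Constructed, minimal stand-in for a store's web.config (not a real file).
# Only the clientEndpoint uri format is taken from the notes; the parent
# element names and the extra attribute are assumptions for illustration.
$sampleConfig = @'
<configuration>
  <subscriptionsStoreClient enabled="true">
    <clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_Store-2" authenticationMode="windows" />
  </subscriptionsStoreClient>
</configuration>
'@

function Set-SubscriptionEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ConfigXml,    # full text of the store's web.config
        [Parameter(Mandatory)][string]$ThisStore,    # store being redirected, e.g. Store-2
        [Parameter(Mandatory)][string]$SharedStore   # store whose subscriptions are shared, e.g. Store-1
    )

    $prefix = 'net.pipe://localhost/Citrix/Subscriptions/1__Citrix_'

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true        # keep the file's layout intact
    $doc.LoadXml($ConfigXml)               # throws if the file is not well-formed XML

    # Find the subscription endpoints for both stores, wherever they sit in the file.
    $endpoints = @($doc.SelectNodes('//clientEndpoint[@uri]'))
    $own    = @($endpoints | Where-Object { $_.GetAttribute('uri') -eq "$prefix$ThisStore" })
    $shared = @($endpoints | Where-Object { $_.GetAttribute('uri') -eq "$prefix$SharedStore" })

    # Already pointing at the shared store: nothing to do (safe to run twice).
    if ($own.Count -eq 0 -and $shared.Count -eq 1) {
        return [pscustomobject]@{ Changed = $false; Xml = $ConfigXml }
    }

    # Anything other than exactly one own endpoint is unexpected: stop, change nothing.
    if ($own.Count -ne 1 -or $shared.Count -ne 0) {
        throw "Expected exactly one clientEndpoint for '$ThisStore'; found $($own.Count) (and $($shared.Count) for '$SharedStore'). No change made."
    }

    $own[0].SetAttribute('uri', "$prefix$SharedStore")
    [pscustomobject]@{ Changed = $true; Xml = $doc.OuterXml }
}

# Demonstration on the constructed sample: the first run rewrites the uri,
# the second run detects that the store is already redirected.
$first  = Set-SubscriptionEndpoint -ConfigXml $sampleConfig -ThisStore 'Store-2' -SharedStore 'Store-1'
$second = Set-SubscriptionEndpoint -ConfigXml $first.Xml    -ThisStore 'Store-2' -SharedStore 'Store-1'
"First run changed:  $($first.Changed)"
"Second run changed: $($second.Changed)"
$first.Xml

# On a StoreFront server (path taken from the notes above), back up the file first:
# $path = 'C:\Inetpub\wwwroot\Citrix\Store-2\web.config'
# Copy-Item -Path $path -Destination "$path.bak"
# $result = Set-SubscriptionEndpoint -ConfigXml (Get-Content -Path $path -Raw) -ThisStore 'Store-2' -SharedStore 'Store-1'
# if ($result.Changed) { Set-Content -Path $path -Value $result.Xml -Encoding UTF8 }
```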


HDX Double Hop Store Filtering

StoreFront Store Filtering

Use filtering to present a subset of resources:
• First hop or second hop
• Thin client or PC
• Trusted or untrusted
• Internal or external

[Diagram: StoreFront with an Unmanaged Endpoint, a Managed Endpoint and a Hosted Desktop]

Key Notes:
• If you follow the Double Hop model, then you don't want the same presentation of resources from the Endpoint as you
would see from the VDI first Hop. Therefore, create two stores; however, when you allow customizations users expect
these customizations to flow across the stores. So you have to share the subscriptions between stores.



Additional Resources:
• Now you see me…. Now you don’t! (A guide to hiding published resources): https://blogs.citrix.com/2014/05/20/now-you-see-me-now-you-dont-a-guide-to-hiding-published-resources/
• Hiding Applications in Citrix StoreFront: https://blogs.citrix.com/2014/03/27/hiding-applications-in-citrix-storefront/



Session Launch Control
vPrefer Tags

• This is a new feature that controls how published applications are treated when launched from a published desktop session in a double-hop scenario.
• In this situation, a Citrix Workspace app for Windows policy controls whether the app will launch the locally installed version of the app on the VDA instead.
• A new PowerShell cmdlet on the Delivery Controller controls, on an app-by-app basis, whether the published app will launch or the VDA-installed equivalent.

Key Notes:
• The new session launch control settings are available when at least XenApp and XenDesktop 7.17, StoreFront 3.14, and
Receiver for Windows 4.11 (or Citrix Workspace app) are used.
• Double-hop published application launch control has historically required the use of the KEYWORDS:Prefer tag along with
some complex workarounds by customers to achieve certain use cases. The VPrefer feature simplifies local app launches
in published desktop sessions and provides precise control through a combination of Citrix Workspace app policy and
PowerShell.



• A Citrix Workspace app for Windows policy setting controls the overall behavior. Options are:
• When the setting is Enabled, an AllowApps Options drop-down menu allows administrators to configure
whether all apps should be launched locally, installed apps only (excludes Win32 apps such as
Calculator and Notepad), or to allow network apps (ensures the published app will always launch).
• When the setting is Not Configured, the default behavior is equivalent to “Enabled > AllowInstalledApps”
• StoreFront 3.14 includes support for the VPrefer setting. The XML data in the app launch request
incorporates the VPrefer tags and data.

• Delivery Controller 7.17 includes PowerShell support for the new VPrefer feature.
• A new “LocalLaunchDisabled” property has been added to the “Set-BrokerApplication” and “New-BrokerApplication” cmdlets.
• By default, the “LocalLaunchDisabled” property is set to $false, which means that by default, the Citrix Workspace app for Windows VPrefer policy can successfully allow local installs of an app to launch instead of the published app equivalent.
• If the “LocalLaunchDisabled” property is set to $true, the published app will always launch, no matter what the Citrix Workspace app for Windows VPrefer policy is configured to.
• Admins can check the current “LocalLaunchDisabled” property value for each published app by using the Get-BrokerApplication cmdlet.
• For limitations and considerations of the VPrefer feature, please see the URL in Additional Resources.
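
One way to check and enforce the “LocalLaunchDisabled” property described above for a chosen set of published apps. This is an added example, not the course lab script; the application names in `$alwaysPublished` are hypothetical placeholders, and the script assumes it runs on a Delivery Controller (7.17 or later) with the Citrix Broker snap-in available.

```powershell
# Load the Broker cmdlets (Get-BrokerApplication, Set-BrokerApplication).
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Hypothetical list: published apps that must always launch as the published app,
# even when the Workspace app vPrefer policy would prefer a VDA-installed copy.
$alwaysPublished = @('Monitored App 1', 'Monitored App 2')

# 1. Report the current value for every published application.
$apps = @(Get-BrokerApplication -MaxRecordCount 10000)
$apps | Sort-Object Name |
    Format-Table Name, Enabled, LocalLaunchDisabled -AutoSize

# 2. Enforce $true on the listed apps, changing only those that need it.
foreach ($name in $alwaysPublished) {
    $app = $apps | Where-Object { $_.Name -eq $name }
    if (-not $app) {
        Write-Warning "No published application named '$name' was found."
        continue
    }
    if ($app.LocalLaunchDisabled) {
        Write-Output "$name : already set, the published app always launches."
        continue
    }
    Set-BrokerApplication -InputObject $app -LocalLaunchDisabled $true
    Write-Output "$name : LocalLaunchDisabled changed from False to True."
}

# 3. Drift check: apps that force the published launch but are not on the list.
$unexpected = @(Get-BrokerApplication -MaxRecordCount 10000 |
    Where-Object { $_.LocalLaunchDisabled -and ($alwaysPublished -notcontains $_.Name) })
if ($unexpected.Count -gt 0) {
    Write-Warning 'LocalLaunchDisabled is True on apps that are not in the list:'
    $unexpected | Sort-Object Name | Format-Table Name, LocalLaunchDisabled -AutoSize
}
```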

Additional Resources:
• vPrefer launch (available in Receiver 4.11+):
• Current Release 1912 LTSR: https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/1912-ltsr/configure.html



Lesson Objective Review

Scenario: You are a Citrix administrator troubleshooting an issue where specific seamless applications are displaying sporadic, excessive resource utilization in their HDX sessions.

You want to isolate these apps so you can monitor them.

What configuration may help the Administrator?

Configure HDX Desktop Double Hop configuration to isolate the apps.



Lab Exercises

Module 7



Lab Exercise

• Ex 7-1: Configure and Test App Limits
• Ex 7-2: Configure Subscription Keywords
• Ex 7-3: Test Subscription Keywords
• Ex 7-4: Configure Featured App Groups and App Categories
• Ex 7-5: Test the App Group and App Categories
• Ex 7-6: Configure Shortcut Placement
• Ex 7-7: Test Shortcut Placement
• Ex 7-8: Disable Self-Service Mode and Test
• Ex 7-9: Create and Test an Application Group
• Ex 7-10: Controlling Double-hop Application Launches Using the vPrefer Feature



Key Takeaways

• Application properties control the presentation and delivery of published resources to users.
• Session prelaunch and Session Lingering can be configured to provide a faster and more convenient application launch, and reuse of existing sessions for users.
• Shortcut placement options integrate published resources and apps with a user’s desktop and Start menu.
• Create Application Groups to manage applications across multiple Delivery Groups and tags to control launch priority between machines in a single Delivery Group.
• HDX Double-hop can be configured to provide a seamless experience for users launching resources across multiple platforms.



Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Manage Printing for User Sessions

Module 08



Learning Objectives

• Identify how printing is processed in a Citrix Virtual Apps and Desktops environment.
• Classify the different types of print drivers.
• Consider the printing environment.



Map Printers to the User Session



Printing Scenarios
Endpoint Mapped and Attached Printers

[Diagram: External Location and Internal Location, showing External Endpoints, Citrix Gateway, Sessions, Internal Endpoints, PrintServer-001, PrintServer-002, and Printer-A through Printer-D]

Key Notes:
• The diagram illustrates various endpoint attached and mapped printing scenarios. To understand the different printing topologies, the following descriptive names will be used throughout the slide deck:
• Printer A: External Endpoint attached printer
• Printer B: External Endpoint mapped local printer
• Printer C: Internal Endpoint attached printer
• Printer D: Internal Endpoint mapped local printer



• Every “attached” printer has to use a driver (OS- or manufacturer-provided), in order to be able to print.
• All displayed printers can be used from within the session (e.g. Word 2013 published app).
• Endpoint-based printers may also be referred to as “client printers” in Citrix Studio and some documentation.

Additional Resources:
• Print:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing.html



Printer Type: Endpoint Attached

• This type of printer is directly connected to the endpoint via:
  • A parallel port
  • USB
  • An IP address

[Diagram: External Location and Internal Location printing topology, showing Printer-A through Printer-D]

Key Notes:
• A parallel port: An interface found on computers for connecting peripherals, such as a print device.
• USB printer: A type of peripheral print device that connects to a computer via a USB port.
• IP Printer: A peripheral print device assigned an IP address from the local network.
• This scenario does not require a print server. For this printer type, it is assumed that endpoints are connected to the
printer either with a cable or over the network, but without a print server.
• Usually the endpoint has the model specific printer driver installed to print on this printer.



• Some printers have network interfaces (cable / wireless) and can be addressed via TCP/IP directly. Although
these printers are often advertised as network printers by their manufacturers, they are directly attached to an
endpoint, just using a different method.



Endpoint Attached Print Job Routing

1. The External Endpoint connects to the VDA over HDX and negotiates Printer-A
2. User creates a print request to the Printer-A. The HDX protocol optimizes and compresses the print job.
3. The system routes the print job over the HDX virtual channel, through the client, and then to the local print device (Printer-A)

[Diagram: External Location and Internal Location printing topology, with steps 1 to 3 marked]

Key Notes:
• Locally attached printers - The system routes jobs to locally attached printers from the Server OS machine, through the
client, and then to the print device. The ICA protocol optimizes and compresses the print job traffic. When a printing device
is attached locally to the user device, print jobs are routed over the ICA virtual channel.
• For Endpoint attached printers:
• The print job is routed through the HDX protocol from VDA to Endpoint



• The Endpoint passes the print job on to the printer

Additional Resources:
• Printing configuration example:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-configuration-example.html



Printer Type: Endpoint Mapped

• Requires a print server
• Mapped printers are usually addressed like:
  • \\PrnSrv\Printer001
• Printer drivers need to be installed on the print server (unless using the Universal Print Server)

[Diagram: External Location and Internal Location printing topology, showing Printer-A through Printer-D]

Key Notes:
• A direct connection from the endpoint to the printer is not necessary.
• The endpoint hands over the print job to the print server, which transfers the print job to the printer or queues it if the
printer is busy.
• Print servers enable the central management of printing devices and can also enforce permissions on printers.
• Print servers are typically used when users need to share a printer.
• HDX policies can be used to map to print servers’ printers, so they auto-connect in user sessions.



Endpoint Mapped: Print Job Routing

• The Internal Endpoint connects to the VDA over HDX and auto-connects to Printer-D, via the print server
• User creates a print request to Printer-D from within their HDX session
• The system routes the print job directly to the network print server and then the print device (Printer-D)

[Diagram: External Location and Internal Location printing topology, with steps 1 to 3 marked]

Key Notes:
• For Endpoint mapped printers:
• The system routes the print job directly to the print server over the network. This can be changed with the “Direct
connections to print server” policy.
• As a fallback, the print job can be routed through the HDX protocol from VDA to Endpoint.
• If direct connections to print server fail due to authentication, trust, or accessibility reasons, this fallback is used.



• If the necessary printer driver or substitute is not available on the VDA, this fallback is used.
• The term “printing pathway” encompasses both the path by which print jobs are routed, and the location
where print jobs are spooled. Both aspects of this concept are important. Routing affects network traffic.
Spooling affects utilization of local resources on the device that processes the job.
• Network-based printers - By default, all print jobs destined for the network printers route from the Server OS
machine, across the network, and directly to the print server. However, print jobs are automatically routed over
the ICA connection in the following situations:

• If the virtual desktop or application cannot contact the print server.
• If the native printer driver is not available on the Server OS machine.
• Depending on the WAN load, the print job might also be blocking other traffic, causing performance issues. In this case, it is recommended to set the “Direct connections to print server” policy to Prohibited, so the VDA connects to the printer only via the endpoint – every print job will now be sent over the HDX protocol and can be further managed with other policies to gain performance and control.

Additional Resources:
• Printing configuration example:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-configuration-example.html



Printer Type: VDA Attached

VDA Attached printers are:
• Installed locally on each VDA
• Available for each session on the VDA
• Typical use case could be a PDF printer

[Diagram: External Location and Internal Location printing topology, with a VDA Attached Printer (Printer-E) added]

Key Notes:
• Avoid using this method on a large scale with Server OS VDAs. Attaching several printer objects to every VDA is difficult
to manage and can cause extra resource usage, essentially turning the VDA into a print server.
• Use mapped printers instead; these can be controlled through policies and login scripts, and will cause less resource
usage because they offload the print processing to the print server.



VDA Attached Print Job Routing

1. The Internal Endpoint connects to the VDA over HDX
2. The VDA installed printer is made available to the end user from within session
3. The system routes the print job directly from the VDA to the local attached print device (Printer-E)

[Diagram: External Location and Internal Location printing topology with the VDA Attached Printer (Printer-E), steps 1 to 3 marked]

Key Notes:
• VDA Attached printer:
• The Server OS VDA has a locally installed printer available on it. It is made available to users from within their HDX
sessions automatically, unless it is locked down by policy, etc.
1. Users connect to their published application resource over HDX session on the Server OS VDA.
2. The locally installed printer(s) are available as a print device resource for users to print from their published
applications.



3. User creates a print job from one of the VDA’s local attached printers, and the job is routed directly from
the VDA server to the print device for output.



Printer Type: VDA Mapped

• Network Printers or Session Printers are:
  • Used inside the HDX session
  • Mapped for each user according to preferences
  • Typically mapped using Citrix local policies, login scripts, or GPO

[Diagram: External Location and Internal Location printing topology, with a VDA Mapped Printer (Printer-E) on PrintServer-003 added]

Key Notes:
• Network Printers (or session printers) usually are connected from the VDA by using a print server.
• These types of printers can be mapped via a logon script, using policies, or manually by the user.
• The VDA hands over the print job to the print server, which transfers the print job to the printer, or queues it if the printer is busy.
• Print servers enable the central management of printing devices and can also enforce permissions on printers.



VDA Mapped Print Job Routing

1. The Internal Endpoint connects to the VDA over HDX
2. The VDA mapped printer is made available to the end user within the session using Citrix local policies, login scripts, or GPO
3. The system routes the print job directly from the VDA to the print server, and then the print device (Printer-E)

[Diagram: External Location and Internal Location printing topology with PrintServer-003 and Printer-E, steps 1 to 3 marked]

Key Notes:
• For VDA mapped printers:
• The print job is routed directly from VDA to print server.
• This can be changed with the “Direct connections to print server” policy.
• As a fallback, the print job can be routed through the HDX protocol from VDA to Endpoint.
• If direct connections to print server fail due to authentication, trust, or accessibility reasons, this fallback is used.
• If the necessary printer driver or substitute is not available on the VDA, this fallback is used.



• VDA mapped printer:
1. Users connect to their published application resource over HDX session on the Server OS VDA.
2. The print server printers are made available to users via HDX policy configuration, or other policies, GPO
or logon scripts set to map these network printers; for example: \\PrnSrv\Printer003.
3. User creates a print job from one of the VDA’s mapped network printers, and the job is routed directly from
the VDA server to the print server and then the print device for output.



Printing Provisioning
Overview

There are three Citrix methods used to provision or map the printing environment to user sessions:

• Citrix Policies via Microsoft GPOs
• Citrix Policies via Citrix Studio
• Citrix Workspace Environment Management (WEM) settings



Auto Creation
Printer Mapping Setting

Use the “Auto-create client printers” policy setting to control which endpoint-side printers are automatically made available in user sessions.
• The setting maintains four options for managing the client created printers.

Key Notes:
• The process that makes printers available in a session is known as provisioning. Printer provisioning is typically handled
dynamically. That is, the printers that appear in a session are not predetermined and stored. Instead, the printers are
assembled, based on policies, as the session is built during log on and re-connection. As a result, the printers can change
according to policy, user location, and network changes, provided they are reflected in policies. Thus, users who roam to a
different location might see changes to their workspace.
• The system also monitors client-side printers and dynamically adjusts in-session auto-created printers based on additions, deletions, and changes to the client-side printers. This dynamic printer discovery benefits mobile users as they connect from various devices.
• Creating all endpoint printers may be time consuming and induces load for the VDA.
• Different options are available to select the printers made available:
• Auto-create all client printers (default option)
• Auto-create the client’s default printer only
• Auto-create local (non-network) client printers only

• Do not auto-create client printers
• “Do not auto-create client printers” does not block users from manually creating printers in their session. To effectively prevent this, the “Client Printer Redirection” Policy has to be set to “Prohibited”, as this prevents the printing virtual channel within the HDX protocol from being created.

Additional Resources:
• Print:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing.html
• Provision printers – Auto-created client printers:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-provision-printers.html



Session Printers
Printer Mapping Setting

• Use the “Session printers” policy setting to control which network printers are mapped in user sessions.
  • All matching policies will be merged for a session.
  • Enables the proximity printing feature.
• Combine with “Default printer” policy setting to set a default printer for the session.

Key Notes:
• All session printer policies for a connection will add up to a resultant set of printers that will be mapped into the session. Example: User A is given access to a printer depending on the name of the endpoint device, and in another policy which is filtered on AD-group membership, the user is given access to a different printer. Both printers would be added to the user's session in this case. Note that this is an exception to policy processing, since normally only one policy can set a result (like audio on or audio off).
• Unless the Citrix universal print server is used, an appropriate printer driver for each mapped printer has to be installed on the VDA.
• Instead of creating multiple session printer policies for different user groups, a single “Printer assignments”
policy setting can be used. If both “Printer assignment” and “Session printers” settings are used, both types of
settings will be merged.
• Normally the endpoint’s main printer is the default printer within the session – which might not always be ideal.
Use the “Default printer” setting to set the endpoint’s main printer, a session printer, or a different printer as the
default. The last writing policy with the highest priority effectively sets the default printer.

• A similar function exists within MS AD GPOs – although lacking some of the filtering options that Citrix policies provide.
• “Proximity printing” refers to a state of printer provisioning management that always provides users the printer closest to their current location.
• Example: User A is travelling to two remote offices today. In office A, a policy filtered on the local subnet address maps a local shared printer and sets it as default for the session. In the next office (B), a different printer is mapped and declared default. Independent of the current location, a printer in the main office where User A normally works is mapped in addition to the respective printers in each location.
• Proximity printing can also be used in a single location that has multiple buildings (campus) or floors – but only if a criterion exists that the policies can be filtered on. A DHCP scope/IP address range that spans an entire building or multiple floors might need to be split first (although a filter based on endpoint names could be used for stationary endpoints).
• Note that policies are only applied on logon or re-connection of a session, so a user that seamlessly roams from one floor to the next floor might not have the policies re-evaluated.
• Universal Print Server - The Citrix Universal Print Server provides universal printing support for network printers. The Universal Print Server uses the Universal print driver. This solution enables you to use a single driver on a Server OS machine to allow network printing from any device. Citrix recommends the Citrix Universal Print Server for remote print server scenarios. The Universal Print Server transfers the print job over the network in an optimized and compressed format, thus minimizing network use and improving the user experience.
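
The User A proximity printing scenario from the Key Notes above, worked through as a small model: session printers from every matching policy are merged, while the default printer comes from a single winning policy. This is an added, simplified illustration and not Citrix code; the policy names, printers, subnets and AD group are constructed, and the wildcard match stands in for a client IP address filter.

```powershell
# Constructed policies. Priority 1 is the highest priority.
$policies = @(
    [pscustomobject]@{
        Name = 'Office A proximity'; Priority = 1
        Filter = { param($s) $s.ClientIP -like '10.10.20.*' }
        SessionPrinters = @('\\PrnSrv\OfficeA-01'); DefaultPrinter = '\\PrnSrv\OfficeA-01'
    }
    [pscustomobject]@{
        Name = 'Office B proximity'; Priority = 2
        Filter = { param($s) $s.ClientIP -like '10.10.30.*' }
        SessionPrinters = @('\\PrnSrv\OfficeB-01'); DefaultPrinter = '\\PrnSrv\OfficeB-01'
    }
    [pscustomobject]@{
        Name = 'Main office printer'; Priority = 3
        Filter = { param($s) $s.Groups -contains 'EXAMPLE\MainOfficeStaff' }
        SessionPrinters = @('\\PrnSrv\Main-01'); DefaultPrinter = $null
    }
)

function Get-ResultantPrinters {
    param(
        [Parameter(Mandatory)] $Session,
        [Parameter(Mandatory)] [object[]] $Policies
    )
    # Only policies whose filter matches this session apply, highest priority first.
    $matching = @($Policies | Where-Object { & $_.Filter $Session } | Sort-Object Priority)

    # Session printers: every matching policy contributes (merged, duplicates removed).
    $printers = @($matching | ForEach-Object { $_.SessionPrinters } | Sort-Object -Unique)

    # Default printer: a single-value setting, so the highest-priority
    # matching policy that sets it decides the result.
    $default = ($matching | Where-Object { $_.DefaultPrinter } |
        Select-Object -First 1).DefaultPrinter

    [pscustomobject]@{
        Location        = $Session.Location
        MatchedPolicies = $matching.Name -join ', '
        SessionPrinters = $printers -join ', '
        DefaultPrinter  = $default
    }
}

# Policies are evaluated at logon or reconnect, so each logon is evaluated on its own.
$logons = @(
    [pscustomobject]@{ Location = 'Office A'; ClientIP = '10.10.20.57'; Groups = @('EXAMPLE\MainOfficeStaff') }
    [pscustomobject]@{ Location = 'Office B'; ClientIP = '10.10.30.12'; Groups = @('EXAMPLE\MainOfficeStaff') }
)
$logons | ForEach-Object { Get-ResultantPrinters -Session $_ -Policies $policies } | Format-List
```

In both logons the main office printer is mapped alongside the local one, and only the local printer becomes the default.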



Additional Resources:
• Provision printers – Auto-created client printers:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-provision-printers.html



Lesson Objective Review

What are the three Citrix methods to map printers to user sessions?

1. Citrix Policies via Microsoft GPOs
2. Citrix Policies via Citrix Studio
3. Workspace Environment Management (WEM) settings



Print Drivers



Printer Drivers

• Each endpoint needs the drivers for its printers.
• Each VDA needs all drivers for all printers of the endpoints.
• Drivers can be automatically installed upon connection.
• Installing many drivers can cause system instability.
• Use manufacturer Universal Drivers to reduce number of required printer drivers.

[Diagram: External Location and Internal Location printing topology, with Drivers labels]

Key Notes:
• The automatically installed drivers are coming from a repository which is part of the OS – these are mainly stripped down
drivers from different manufacturers covering a broad range of common printers. They are supported by Microsoft.
• There is a policy to allow or prohibit the automatic installation of printer drivers on the VDA.
• During logon peaks, installation of drivers can cause slowness/instability. Also, VDAs might be provisioned to lose every
change on reboot, including the print drivers, so they would have to be automatically re-installed over and over again.
• Having multiple printer drivers on one system can slow down the logon or logoff process, or cause printing system issues/system instability. Also, drivers can conflict with each other. Having the least amount of printer drivers necessary is therefore recommended.
• Most printer manufacturers offer universal drivers covering multiple printer models with a single driver – this is
a good approach to limit the number of drivers to test, implement and maintain.
• Leading practices:
• Minimize the number of printer drivers installed on Server OS machines.
• Use driver mapping to native drivers.

• Never install untested printer drivers on a production Site.
• Avoid updating a driver. Always attempt to uninstall a driver, restart the print server, and then install the replacement driver.
• Uninstall unused drivers or use the “Printer driver mapping and compatibility” policy setting to prevent printers from being created with the driver.
• Try to avoid using version 2 kernel-mode drivers.

Additional Resources:
• Print driver management:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing.html



Printer Driver Mapping

• Use the “Printer driver mapping and compatibility” policy setting to specify substitution rules for endpoint printers.
  • Mapping is based on printer model name
    • Example: Canon MX-725
  • Printer models can be generalized using wildcards
    • Example: Canon MX*
• The policy can be filtered on different scenarios to substitute accordingly.

[Diagram: Internal Location, showing Sessions with a Mapping Table (Driver A, Driver B, Driver C), Internal Endpoints, and the Internal Endpoint attached printer Printer-C; caption: Map Printer-C using Driver-B]

Key Notes:
• Mapping several printers to a single driver can reduce the amount of required printer drivers.
• Mapping can create cross-vendor relationships (mapping Brother Laser printers to HP LaserJet drivers) – if device and
driver are compatible.
• The driver mapping table can also be used to prevent the installation of specific drivers while allowing the automatic
installation of printer drivers globally.
• The mapping table will be consulted by the system upon session initialization first before resorting to other mechanisms.



• Map client printer drivers - Each client provides information about client-side printers during logon, including
the printer driver name. During client printer auto-creation, Windows server printer driver names are selected
that correspond to the printer model names provided by the client. The auto-creation process then uses the
identified, available printer drivers to construct redirected client print queues.
• Remember mapping to the printer model name is case sensitive.

Additional Resources:
• Maintain the printing environment:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-maintain-environment.html



Universal Print Driver

The Citrix Universal Print Driver (UPD) is a feature-rich, device independent driver that converts print jobs to a transfer format, which can then be printed on the endpoint.

Printing process with UPD:
1. UPD converts the print job from the published app to EMF format.
2. The compressed EMF data is transferred over the HDX protocol to the endpoint.
3. The endpoint prints the EMF file using the installed manufacturer print driver for Printer-C.

[Diagram: Internal Location, showing Sessions with the Citrix Universal Print Driver, the EMF File sent to Internal Endpoints, and the Internal Endpoint mapped printer Printer-C, with steps 2 and 3 marked]

Key Notes:
• UPD can be configured to produce EMF, XPS, PCL or PostScript files.
• UPD is only compatible with Windows-based endpoints where Citrix Workspace app has been installed.
• UPD offers a consistent user experience across VDA platforms, but might not offer all options of a dedicated manufacturer’s
printer driver. Special functions like stapling, cutting, punching etc. might require the original driver to be installed instead.
• By default, UPD is used as a fallback in sessions whenever no suitable driver for a printer can be found.
• UPD consists of two components – a driver on the VDA and a driver on the endpoint which forwards the print job to the
local printing system.
• EMF is short for Enhanced Metafile Format and is a newer version of the Windows metafile (WMF) format.
• The EMF format is device-independent, meaning that the dimensions of graphics in the print job are maintained
on the printed copy, no matter which resolution the printer uses.
• When determining the best print solution for your environment, consider the following:
• The Universal Print Server provides features not available for the Windows Print Provider: Image and font
caching, advanced compression, optimization, and QoS support.

• The Universal print driver supports the public device-independent settings defined by Microsoft. If users
need access to device settings that are specific to a print driver manufacturer, the Universal Print Server
paired with a Windows-native driver might be the best solution. With that configuration, you retain the
benefits of the Universal Print Server while providing users access to specialized printer functionality. A
trade-off to consider is that Windows-native drivers require maintenance.
• The Citrix Universal Print Server provides universal printing support for network printers. The Universal
Print Server uses the Universal print driver, a single driver on the Server OS machine that allows local or
network printing from any device, including thin clients and tablets.
• To use the Universal Print Server with a Windows-native driver, enable the Universal Print Server. By default,
if the Windows-native driver is available, it is used. Otherwise, the Universal print driver is used. To specify
changes to that behavior, such as to use only the Windows-native driver or only the Universal print driver,
update the Universal print driver usage policy setting.
• If the Citrix Universal print driver is not an option for all scenarios, map printer drivers to minimize the number
of drivers installed on Server OS machines.

Additional Resources:
• Provision printers – Universal Print Driver
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing.html


Universal Printer

• The Citrix Universal Printer (CUP) is a single, generic printer in a session on a VDA.
• The Citrix Universal Printer is an auto-created printer object that is not linked to any specific printer defined
on the client.
• The CUP uses the Universal print driver to transfer print jobs to the endpoint device.
• Users can print to this pseudo-device and can choose to output the print job on any endpoint attached or mapped
printer.

[Diagram: Internal Location; sessions using the Citrix Universal Print Driver; Internal Endpoints; PrintServer-002; endpoint mapped local printer Printer-C; endpoint attached printer Printer-D]

Key Notes:
• Server load can be reduced when only one printer object needs to be created on session launch.
• The Universal Printer is a generic front-end for the Universal Print Driver, so users will not see all their printers created in
the session, but only the CUP. When they print to the CUP, by default, they will be asked on the endpoint machine what
printer the output should be sent to. This can be configured with policies to omit the dialog and just print to the endpoint’s
main printer.
• The Citrix Universal Printer requires a Windows environment.

• The Citrix Universal Printer is an auto-created printer object that uses the Citrix Universal Print Driver and is
not linked to any specific printer defined on the client. Once implemented, Citrix Universal Printer is available
in all sessions that use the 32-bit Windows client. Citrix Universal Printer is independent of any printing
policies defined in the management console; hence it is possible to implement the Citrix Universal Printer with
other auto-created printers, session printers, and/or non-Citrix defined printers. Citrix Universal Printer is
auto-created with the standard name “Citrix UNIVERSAL Printer”.

Additional Resources:
• How to Auto-Create the Generic Citrix Universal Printer in User Sessions: https://support.citrix.com/article/CTX106812


Universal Print Server

The Citrix Universal Print Server Component is a service component that can be installed on print servers.

• It enables the VDAs to map printers using the Universal print driver instead of OEM printer drivers.
• Enables UPD features like caching, QoS and compression
• Reduces printer drivers on VDAs
• Is recommended for VDA mapped remote printers

[Diagram: Internal Location; VDA sessions using the Citrix Universal Print Driver; mapped local printer; Internal Endpoints; Citrix Universal Print Server; endpoint attached printer; Printer-C; Printer-D]

Key Notes:
• Universal Print Server needs to be installed on (all) print servers that VDAs map printers from. The UPD can then be used
to transfer EMF files to the print server, essentially in the same way that UPD is used for endpoint side printing.
• Citrix Universal Print Server consists of two services that use Port 8080 (HTTP/SOAP) and 7229 (CGP) (not to be
confused with License Vendor Daemon 7279!) for management and data transfer. A necessary VDA side component is
installed with the VDA but can be (and sometimes needs to be) updated independently.
• Citrix Universal Print Server functionality is disabled by default and has to be enabled explicitly using a policy for the
VDAs.
• Some options are missing in comparison with endpoint side printing (local settings) and only basic settings of
the printer are exposed.
• To use the Universal Print Server with a Windows-native driver, enable the Universal Print Server. By default,
if the Windows-native driver is available, it is used. Otherwise, the Universal print driver is used. To specify
changes to that behavior, such as to use only the Windows-native driver or only the Universal print driver,
update the Universal print driver usage policy setting.

• A new policy called “Universal Print Servers for load balancing” was added in 7.12. This setting lists the
Universal Print Servers to be used to load balance printer connections established at session launch, after
evaluating other Citrix printing policy settings. To optimize printer creation time, Citrix recommends that all
print servers have the same set of shared printers.

Additional Resources:
• Provision printers - Citrix Universal Print Server:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-provision-printers.html


Printing Environment Model Example

• No printer drivers installed on Server OS machines; only the Citrix Universal printer driver is used.
• A policy is configured to auto-create all client printers for all users.
• A session printer policy is configured for every floor of Branch B.
• QoS is implemented for Branch B.

[Diagram: Server OS Machines and Universal Print Server, with HDX connection and print job routing to Branch A (Windows Workstations, local printers, ex. USB), Branch B (Thin Client, network-based printer) and Home Office (Apple iMac, local printers)]

Key Notes:
• Details of each location:
• Branch A: Small overseas branch office with a few Windows workstations, each of which has a locally attached, private
printer.
• Since all users work on Windows-based workstations, auto-created client printers and the Universal printer driver are
used.
• To ensure that a single user printing a large document cannot degrade the session performance of other users, a
Citrix policy is configured to specify the maximum printing bandwidth. An alternative solution is to
leverage a multi-stream ICA connection, in which the print traffic is transferred within a separate low
priority TCP connection. Multi-stream ICA is an option when Quality of Service (QoS) is not implemented
on the WAN connection.
• Branch B: Large branch office with thin clients and Windows devices; users share one network-based
printer per floor.
• All printers are network-based and their queues are managed on a Windows print server, thus the Citrix
Universal Print Server is the most efficient configuration.
• All required printer drivers are installed and managed on the print server by local administrators. Mapping
the printers into the virtual desktop or application session works as follows:
• For Windows-based workstations - The local IT team helps users connect the appropriate network-
based printer to their Windows workstations. This enables users to print from locally-installed
applications. During a virtual desktop or application session, the printers configured locally are
enumerated through autocreation. The virtual desktop or application then connects to the print server
as a direct network connection if possible.
• For thin clients - For thin client users, printers must be connected within the virtual desktop or
application session. To provide users with the simplest printing experience, administrators configure a
single Citrix Session Printer policy per floor to connect a floor’s printer as the default printer. To ensure
the correct printer is connected even if users roam between floors, the policies are filtered based on
the subnet or the name of the thin client. That configuration, referred to as proximity printing, allows for
local printer driver maintenance (according to the delegated administration model).
• Because the network printing traffic will be sent outside the ICA virtual channel, QoS is implemented.
Inbound and outbound network traffic on ports used by ICA/HDX traffic are prioritized over all other
network traffic. That configuration ensures that user sessions are not impacted by large print jobs.
• Home Office: A home office with a Mac OS-based device, with a locally attached printer.
• For home offices where users work on non-standard workstations and use non-managed print devices,
the simplest approach is to use auto-created client printers and the Universal printer driver.
• Choosing the most appropriate printing configuration options for your needs and environment can simplify
administration. Although the default print configuration enables users to print in most environments, the
defaults might not provide the expected user experience or the optimum network usage and management
overhead for your environment.
• Design your printing configuration around the needs of your organization. Your existing printing
implementation (whether users can add printers, which users have access to what printers, and so on) might
be a useful guide when defining your printing configuration.
• When designing your printing configuration, try to give users the same experience in a session as they have
when printing from local user devices.



Lesson Objective Review

Scenario: The company has dozens of different printer models, all from the same vendor.
Discovery shows the printers all have similar features.
The vendor acknowledges that while there is a driver per printer, there is also another driver that
could work for all printers.

What should you do?

Download and test this other printer driver with all targeted printer models.

If successful, configure the Printer Driver Mapping policy to specify a substitution rule, so that these
targeted printers use the same driver.


Print Environment Considerations


Saving User Printing Preferences

• The Citrix policy “Printer properties retention” specifies whether or not to store printer properties and where
to store them.
• By default, the system determines if printer properties are stored on the user device, if available, or in the
user profile.
• Citrix recommends that the default setting not be changed, because saving printer properties on the user device
is the easiest way to ensure consistent printing properties.

Key Notes:
• Situations that may justify changing the printer properties retention policy setting include:
• If legacy plug-ins are used that do not allow users to store printer properties on a user device
• If mandatory profiles are used, but user’s printer properties need to be retained
• The options for the Printer properties retention Citrix policy setting include:
• “Saved on the client device only” is for user devices that have a mandatory or roaming profile that is not saved.
• “Retained in user profile only” is for user devices constrained by bandwidth (this option reduces network traffic) and
logon speed, or for users with legacy plug-ins on their device. This option stores printer properties in the
user profile on the server and prevents any properties exchange with the user device. Note that this is
applicable only if a Remote Desktop Services (RDS) roaming profile is used.
• “Held in profile only if not saved on client” allows the system to determine where printer properties are
stored. Printer properties are stored either on the user device, if available, or in the user profile. Although
this option is the most flexible, it can also slow logon time and use extra bandwidth for system-checking.
• “Do not retain printer properties” prevents storing printer properties.

Additional Resources:
• Client printers policy settings:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/printing-policy-settings.html
• Printing policies and preferences:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-policies-preferences.html


Printing Preference Locations

• In Windows printing environments, changes made to printing preferences can be stored in multiple locations.
• The settings preserved in any Windows-based environment vary according to where the user made the changes.

In a Citrix Virtual Apps and Desktops environment, when users modify printing settings, the settings are stored in
these locations:

1. On the user device itself
2. Inside of a document
3. From changes made during a session (saved in the user profile)
4. On the Server OS machine (default settings)

[Diagram: 1 Endpoints with Citrix Workspace app; 2 Document; 3 Profile; 4 Resource Machine Running the VDA]

Key Notes:
• More on printing preference locations:
• Windows users can change device settings on the user device by right-clicking the printer in the Control Panel and
selecting Printing Preferences. For example, if Landscape is selected as page orientation, landscape is saved as the
default page orientation preference for that printer.
• In word-processing and desktop-publishing programs, document settings, such as page orientation, are often stored
inside documents. For example, when you queue a document to print, Microsoft Word typically stores the printing
preferences you specified, such as page orientation and the printer name, inside the document. These
settings appear by default the next time you print that document.
• The system keeps only changes to the printing settings of an auto-created printer if the change was made
in the Control Panel in the session; that is, on the Server OS machine.
• Server OS machines will also have default settings associated with a particular printer driver on the
machine.
• Keep in mind that the printing settings that appear in one place, such as in a spreadsheet program, can
be different than those in others, such as documents. As a result, printing settings applied to a specific printer
can change throughout a session.
• Because printing preferences can be stored in multiple places, the system processes them according to a
specific priority.
• By default, the system always applies any printing settings a user modified during a session (that is, the
retained settings) before considering any other settings.
• It is important to note that device settings are treated distinctly from, and usually take precedence over,
document settings.
• When the user prints, the system merges and applies the default printer settings stored on the Server OS
machine with any retained or client printer settings.

Additional Resources:
• Printing policies and preferences:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-policies-preferences.html


Printer Driver Citrix Leading Practices

1. Minimize the number of printer drivers installed on Server OS machines.
• Use the Citrix Universal Print Server.
• Use the Universal printer driver or Windows-native drivers.
• Use driver mapping to Windows-native drivers.
• Uninstall unused drivers or use the Printer driver mapping and compatibility tool to prevent
printers from being created with the driver.
2. Avoid updating a driver.
• Always attempt to uninstall a driver, restart the print server, and then install the replacement driver.
3. Never install untested printer drivers on a production Site.

Key Notes:
• Many factors determine the best printing solution for a particular environment. Some of these leading practices might not
apply to your Site.
• In general, all of the Microsoft-supplied printer drivers are tested with Remote Desktop Services and guaranteed to work
with Citrix. However, before using a third-party printer driver, consult your printer driver vendor so that the driver is certified
for Remote Desktop Services by the Windows Hardware Quality Labs (WHQL) program. Citrix does not certify printer
drivers.



• To determine if a printer model is supported, contact the manufacturer or see the Citrix Ready product guide
(see Additional Resources).
• Citrix strongly suggests avoiding the use of version 2 kernel-mode drivers. Fortunately, Windows Server 2008
and later blocks the installation of these types of drivers, so this is not a concern in Citrix Virtual Apps and
Desktops 7.19.

Additional Resources:
• Citrix Ready Marketplace: https://citrixready.citrix.com/
• Best practices, security considerations, and default operations:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-best-practices.html


Built-In Citrix Secure Printing

• The Citrix Print Manager Service constantly monitors and responds to session events such as logon and logoff,
disconnect, reconnect, and session termination. It handles service requests by impersonating the actual session user.
• Citrix printing assigns each printer a unique namespace in a session.
• By default, administrative users cannot accidentally print to another session’s client printer, even though they
can see and manually adjust permissions for any client printer.
• Citrix printing sets the default security descriptor for auto-created printers to ensure that client printers
auto-created in one session are inaccessible to users running in other sessions.

Key Notes:
• Citrix printing solutions are secure by design, so no additional configuration is needed to enable the described security
features.

Additional Resources:
• Best practices, security considerations, and default operations (“Security considerations” section):
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-best-practices.html



Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 8

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the
lab exercises.



Out-of-the-Box Default Printer Settings via Citrix Policies (1 of 2)
By default, if you do not configure any policy rules, printing behavior is as follows:

Default Printing Behavior | Equivalent Policy Setting
Universal print server is disabled. | Universal Print Server enable: Disabled
All printers configured on the user device are created automatically at the beginning of each session. | Auto-create client printers: Auto-create all client printers
Print jobs to endpoint attached printers are sent over the HDX connection and processed at the endpoint. | N/A
Print jobs to network printers are routed directly from the Server OS machines, with fallback to routing through the endpoint. | Direct connections to print servers: Enabled

Key Notes:
• It is useful to be familiar with the default printing settings so that the needed printing policy settings can be determined
during a new environment design.
• If unsure about what the printing setting defaults are for a given version of Citrix Virtual Apps and Desktops, display them
by creating a new policy and setting all printing policy rules to Enabled. The option that appears is the default.

Additional Resources:
• Best practices, security considerations, and default operations (“Default print operations” section):
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-best-practices.html


Out-of-the-Box Default Printer Settings via Citrix Policies (2 of 2)
By default, if you do not configure any policy rules, printing behavior is as follows:

Default Printing Behavior | Equivalent Policy Setting
Printing properties and preferences are stored on the endpoint device, with fallback to a user profile on the Server OS machine. | Printer properties retention: Held in profile only if not saved on the client
Printer driver usage priority: 1. Use the Windows version of a printer driver if available on the Server OS machine. 2. Attempt to install the driver from the Windows OS. 3. Use the Citrix Universal print driver. | Automatic installation of in-box printer drivers: Enabled; Universal print driver usage: Use universal printing only if requested driver is unavailable

Key Notes:
• Enabling “Automatic installation of in-box printer drivers” (or leaving the default settings in place) might result in the
installation of a large number of native printer drivers. Consider whether the universal printer driver will be sufficient to
meet the printing needs of the use cases in the environment.

Additional Resources:
• Best practices, security considerations, and default operations (“Default print operations” section):
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-best-practices.html


Universal Print Driver Default Fallback

• By default, if auto-creation fails the system installs a Windows-native printer driver provided with the
Windows operating system.
• If a native driver is not available for a specific printer, the system falls back to the Universal print
driver.
• To minimize administrative tasks and the potential for print driver issues, Citrix recommends use of
the Citrix Universal print driver, whenever possible.

Additional Resources:
• Maintain the printing environment:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/printing/printing-maintain-environment.html
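The driver selection order described in this module (mapping table first, then an installed Windows-native driver, then an in-box driver install, then the Universal print driver) can be modelled to see how a case mismatch in a mapping rule leads to an unplanned native driver install on the Server OS machine. The Python model below is an added example, not Citrix code; the action names, the driver names, the `UPD` label and the behaviour when a substitute driver is not installed are assumptions made for the model.

```python
from dataclasses import dataclass
from enum import Enum

# Placeholder label for the universal driver (assumption, not the on-disk driver name).
UPD = "Citrix Universal print driver"


class Action(Enum):
    # Assumed names for the mapping-table actions modelled here.
    ALLOW = "allow"
    DO_NOT_CREATE = "do not create"
    UPD_ONLY = "create with universal driver only"
    REPLACE_WITH = "replace with"


@dataclass(frozen=True)
class Rule:
    client_driver: str        # driver name exactly as the endpoint reports it
    action: Action
    server_driver: str = ""   # substitute driver, used by REPLACE_WITH only


def resolve_driver(client_driver, rules, installed, inbox, auto_install_inbox=True):
    """Return (driver, reason); driver is None when no printer is created.

    `installed` is mutated when an in-box driver gets installed, so the
    caller can watch the driver count on the machine grow across sessions.
    """
    # The mapping table is consulted first; the name match is case sensitive.
    for rule in rules:
        if rule.client_driver != client_driver:
            continue
        if rule.action is Action.DO_NOT_CREATE:
            return None, "mapping: do not create"
        if rule.action is Action.UPD_ONLY:
            return UPD, "mapping: universal driver only"
        if rule.action is Action.REPLACE_WITH and rule.server_driver in installed:
            return rule.server_driver, "mapping: replaced"
        break  # ALLOW, or substitute not installed (assumption): use the default order

    # Default priority 1: a Windows-native driver already on the machine.
    if client_driver in installed:
        return client_driver, "native: already installed"
    # Default priority 2: install the driver from the Windows in-box set.
    if auto_install_inbox and client_driver in inbox:
        installed.add(client_driver)
        return client_driver, "native: installed from in-box set"
    # Default priority 3: fall back to the universal driver.
    return UPD, "fallback: universal driver"


def near_miss_rules(client_driver, rules):
    """Rules that would match only if case were ignored, i.e. rules that never fire."""
    return [r for r in rules
            if r.client_driver != client_driver
            and r.client_driver.casefold() == client_driver.casefold()]


# Constructed sample data: all driver names are invented for the example.
RULES = [
    Rule("Example Laser 5000 Series", Action.REPLACE_WITH, "Example Generic PCL"),
    Rule("Example Label Writer", Action.DO_NOT_CREATE),
]
INBOX = {"Example Laser 5000 series", "Example Inkjet 20"}


def demo():
    """Resolve four client printers against one machine and return the outcome."""
    installed = {"Example Generic PCL"}
    reported = [
        "Example Laser 5000 Series",   # matches the rule exactly
        "Example Laser 5000 series",   # differs from the rule only in case
        "Example Label Writer",        # blocked by the table
        "Example Plotter 9",           # unknown everywhere
    ]
    results = {name: resolve_driver(name, RULES, installed, INBOX) for name in reported}
    return results, installed


if __name__ == "__main__":
    results, installed = demo()
    for name, (driver, reason) in results.items():
        print(f"{name!r:32} -> {driver!r} ({reason})")
        for rule in near_miss_rules(name, RULES):
            print(f"    rule {rule.client_driver!r} differs only in case and did not apply")
    print("drivers now on the machine:", sorted(installed))
```

Running `near_miss_rules` over the driver names that endpoints actually report is a quick way to find mapping rules that silently never apply.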


Citrix Universal Print Server
Print Driver Certification Tool

• Can be used to test the compatibility of a printer driver with the Citrix Universal Print Server.
• The tool checks for compatibility by using the printer driver to simulate load.
• Can determine:
• If printer driver is capable of handling the load
• If printer driver meets the Citrix Universal Print Server performance requirement
• Potential printer driver issues, allowing the administrator to further troubleshoot problem areas.

Note to the Developer: Present as a consideration not a troubleshooting effort.

Key Notes:
• The Citrix UPS Print Driver Certification Tool can be used to test the compatibility of a printer driver with the Citrix
Universal Print Server. The tool checks for compatibility by using the printer driver to simulate load, allowing a network
administrator or printer driver manufacturer to determine the following:
• Printer driver is capable of handling the load normally seen with a Citrix Universal Print Server.

• Printer driver meets the Citrix Universal Print Server performance requirement.
• Identifies potential printer driver issues, allowing a network administrator or printer driver manufacturer to
further troubleshoot problem areas.
• Steps to run a test and view results:
• Launch UpsCertTool.exe
• Configure test users
• Select printer model to test
• Click Start to begin testing the printer driver
• Test status is displayed by the tool, including Pass or Fail.
• To view a summary of the test results, click on Details.
• To save the test results, click on Save.

Additional Resources:
• Citrix UPS Print Driver Certification Tool: https://support.citrix.com/article/CTX142119


Lesson Objective Review

Scenario: You are the Citrix Administrator for an enterprise environment. You are notified that a new user group
will be onboarded to the Citrix Virtual Apps and Desktops environment, and that users in this group frequently
need to print documents as part of their job.

What is the first thing you should do to prepare for this requirement?

Determine which printers the users can currently access from their endpoints, and what their current local
printing experience is like.


Lab Exercises
Module 8


Lab Exercise

• Exercise 8-1: Configure Auto Creation
• Exercise 8-2: Test the Auto Creation Setting
• Exercise 8-3: Configure Session Printers
• Exercise 8-4: Test the Session Printers Setting
• Exercise 8-5: Configure Print Driver Mapping
• Exercise 8-6: Test Print Driver Mapping Setting
• Exercise 8-7: Configure the Universal Print Driver
• Exercise 8-8: Test the Universal Print Driver Setting
• Exercise 8-9: Configure the Universal Print Server Component
• Exercise 8-10: Test the Universal Print Server Component Setting


Key Takeaways

• Printers in sessions can originate from both endpoints and print servers, and use policies or scripts to control
the creation of printers.
• Use the Citrix Universal print driver as default to keep the number of required printer drivers as low as possible.
• Familiarity with the default Citrix printing settings can expedite the design process for new user groups with
printing requirements.


Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Citrix Profile Management

Module 09


Learning Objectives

• Explain different user profile types from Citrix Profile Management.
• Identify the features of Citrix Profile Management and how to configure them.


User Profiles
Introduction and Considerations


User Profile Types
Review

The following profile types exist:
• Local
• A profile that is created and reused on a single machine.
• Roaming
• A profile that is stored on a file server and loaded to the user’s machine (Client / VDA).
• Temporary
• Used only in error conditions to provide the user with a profile, no changes are saved on logoff.
• Mandatory
• A type of preconfigured roaming profile where administrators specify settings for users. Changes are not
written back when the user logs off.

[Diagram: for each profile type, Internal Endpoints, VDA and File Server]

Key Notes:
• A profile is a set of files, including a part of the registry, which together contain all system and application settings for a
user.
• Roaming profiles are the main type of profile currently in use.
• The benefit of roaming profiles:
• Consistent user experience on different VDAs
• Settings follow the user (printer settings, app specific settings, desktop wallpaper etc.)

Additional Resources:
• About User Profiles: https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx


Citrix Profile Management
Benefits

• Consistent user experience across devices, platforms, and sessions.
• More control over the profile contents for administrators.
• Detailed logging for troubleshooting purposes.
• Conflict resolution options and silent migration support.
• Easy implementation and support.

Key Notes:
• Since the release of the FMA, the Citrix Profile Management components have been included in the VDA installer.
• The only two steps required to enable Citrix Profile Management are to create the profile store and to enable CPM
through policies or by editing UPMPolicyDefaults_all.ini on the VDA.
• By default, Citrix Profile Management is installed silently on master images when you install the Virtual Delivery Agent, but
you do not have to use Profile Management as a profile solution.



Citrix Profile Management
The Process

How it works:
1. User logs on to VDA.
2. The Profile Management service on the VDA loads profile data from the user store path on a file server.
3. User modifies files and registry settings during the session.
4. At log off the Profile Management service on the VDA writes profile data to the user store path on a file server.

[Diagram: four numbered steps, each showing an Internal Endpoint, VDAs and a File Server]

Key Notes:
• By default (if Profile Management is enabled) all users are managed and all files & registry settings are included to roam.
• Profile Management can be used on VDA as well as on clients.



Citrix Profile Management
Prerequisites For Use

• Installation Software:
• On any system that the users’ profiles should be managed on.
• The Citrix Profile Management agent installation is included with the VDA install.
• Create a user store on a location reachable by the managed systems.
• Enable/configure with Citrix Policies:
• Enable Profile Management to start processing user profiles.
• Configure Profile Management for the user store
• Enable via Citrix Policies.

[Diagram: Citrix Profile Management GPO applied to endpoints with Citrix Workspace app and to the VDA; user store on a file server]

Key Notes:
• UPM is installed together with the VDA software but might need to be updated separately if a newer version of UPM is to
be used.
• By default, UPM does not process user profiles until it is enabled by administrators.
• UPM is independent and can manage profiles outside of the Citrix Session Hosts such as local profiles.
• These Citrix Policies can be configured with either Group Policy or Studio Site Policy.
• Alternatively, a local .ini file can be used for configuration settings. However, the .ini file should be used only for testing
purposes. The settings in the .ini file are applied for any setting not configured in the GPO.
• Citrix offers a more advanced course (CXD-310) that introduces Workspace Environment Management (WEM), a product
containing more scalable profile management capabilities for an AD infrastructure.



User Profile Migration Process
Configure UPM to migrate existing profiles

1. User logs on to VDA.
2. The Profile Management service detects that a roaming profile exists, but the user store is empty. Windows loads the roaming profile from the defined profile path.
3. User modifies files and registry settings during the session and then logs off.
4. The Profile Management service on the VDA writes profile data to the user store path on a file server and will use this profile for any subsequent logon.

[Diagram: Citrix User Profile Management Migration Example, showing steps 1 to 4 between endpoints with Citrix Workspace app, the VDA, the previous roaming profile path and the user store]

Key Notes:
• Profile Management offers a smooth transition from MS roaming profiles to UPM based profiles.
• The structure in which the profile contents are saved can even be used to migrate back again.
• Profile Management can migrate existing profiles "on the fly" during logon if a user has no profile in the user store. After
this, the user store profile is used by Profile Management in both the current session and any other session configured
with the path to the same user store.
• By default, both local and roaming profiles are migrated to the user store during logon.



• To specify the types of profile migrated to the user store during logon, choose one of the following options:
• Local and roaming profiles
• Local
• Roaming
• None (Disabled)
• If you select None, the system uses the existing Windows mechanism to create new profiles, as if in an
environment where Profile Management is not installed.

Additional Resources:
• Profile handling policy settings:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/profile-management/profile-handling-policy-settings.html


Citrix Profile Management
User Store Deployment Planning

Path to user store:
\\NYC-FSR-001\PR$\%USERNAME%\!CTX_OSNAME!

• Set required permissions to the user store on a file server
• Plan for redundancy
• Variables from the following providers can be used:
• System (%username%)
• Active Directory (#department#)
• UPM (!ctx_osname!)

[Diagram: folder tree on NYC-FSR-001 with share PR containing User1 (Win7, Win2012R2) and User2 (Win8, Win2012R2)]

Key Notes:
• Variables can be used to separate users’ profile folders per platform (OS, bitness, language, purpose).
• Profile Management variables can only be used by UPM, while system and AD variables are accessible to other programs
as well. AD variables are a good choice to separate profiles by country or department, provided the corresponding fields on the
user object in AD have been filled in.
• For redundancy, a clustered share or DFS-R can be used.
• Normally, administrators should not have access to the files saved in user profiles.



• “Path to user store” specifies the path to the directory (user store) in which user settings, such as registry settings and synchronized files, are saved.
• By default, the Windows directory on the home drive is used.
• If this setting is disabled, user settings are saved in the Windows subdirectory of the home directory.
• The path can be:
• A relative path. This must be relative to the home directory, typically configured as the #homeDirectory# attribute for a user in Active Directory.
• An absolute UNC path. This typically specifies a server share or a DFS namespace.
• Disabled or un-configured. In this case, a value of #homeDirectory#\Windows is assumed.
• Use the following types of variables when configuring this policy setting:
• System environment variables enclosed in percent signs (for example, %ProfVer%). Note that system environment variables generally require additional setup.
• Attributes of the Active Directory user object enclosed in hashes (for example, #sAMAccountName#).
• Profile Management variables. For more information, see the Profile Management documentation.
• You can also use the %username% and %userdomain% user environment variables and create custom attributes to fully define organizational variables such as location or users. Attributes are case-sensitive.

Additional Resources:
• Basic policy settings:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/profile-management/basic-policy-settings.html
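
The variable expansion described in the user store notes above, as an added example that is not Citrix code: a Python model that expands a "Path to user store" template with the three variable syntaxes from this page, refuses unresolved variables and values that would change the folder depth, and reports templates that put several users in one folder. The function names, the sample users and the case-insensitive handling of environment and Profile Management variables are assumptions of this model.

```python
import re
from collections import defaultdict

# Variable syntaxes named on this page:
#   %name%  system or user environment variable
#   #name#  Active Directory user attribute (case-sensitive)
#   !name!  Profile Management variable
TOKEN = re.compile(r"%(?P<env>[^%\\]+)%|#(?P<ad>[^#\\]+)#|!(?P<upm>[^!\\]+)!")

# A value substituted below the share root must be a single folder name.
NOT_A_FOLDER_NAME = re.compile(r"[\\/:]|^\.\.?$")


class PathTemplateError(ValueError):
    """The template cannot be expanded to a safe, complete path."""


def expand_user_store_path(template, env, ad_attrs, upm_vars):
    """Expand one user's 'Path to user store'.

    env and upm_vars use lower-case keys and are matched case-insensitively
    (an assumption of this model); ad_attrs is matched case-sensitively.
    """
    def substitute(match):
        if match.group("env") is not None:
            value = env.get(match.group("env").lower())
        elif match.group("ad") is not None:
            value = ad_attrs.get(match.group("ad"))
        else:
            value = upm_vars.get(match.group("upm").lower())
        if not value:
            raise PathTemplateError(f"unresolved variable {match.group(0)}")
        # Only a leading variable (such as #homeDirectory#) may carry a full path.
        if match.start() != 0 and NOT_A_FOLDER_NAME.search(value):
            raise PathTemplateError(f"{match.group(0)} expands to unsafe value {value!r}")
        return value

    return TOKEN.sub(substitute, template)


def find_shared_folders(template, users, upm_vars):
    """Return {path: [usernames]} for every expanded path used by more than one user."""
    by_path = defaultdict(list)
    for user in users:
        path = expand_user_store_path(template, user["env"], user["ad"], upm_vars)
        by_path[path.lower()].append(user["env"]["username"])
    return {path: names for path, names in by_path.items() if len(names) > 1}


# Constructed sample users (not from the course lab).
SAMPLE_USERS = [
    {"env": {"username": "User1", "userdomain": "EXAMPLE"}, "ad": {"department": "Radiology"}},
    {"env": {"username": "User2", "userdomain": "EXAMPLE"}, "ad": {"department": "Radiology"}},
]

if __name__ == "__main__":
    upm = {"ctx_osname": "Win7"}
    per_user = r"\\NYC-FSR-001\PR$\%USERNAME%\!CTX_OSNAME!"
    per_dept = r"\\NYC-FSR-001\PR$\#department#\!CTX_OSNAME!"
    for user in SAMPLE_USERS:
        print(expand_user_store_path(per_user, user["env"], user["ad"], upm))
    print("shared, per-user template:", find_shared_folders(per_user, SAMPLE_USERS, upm))
    print("shared, per-department template:", find_shared_folders(per_dept, SAMPLE_USERS, upm))
```

A template built only from a shared attribute such as #department# resolves to the same folder for every member of that department, which is why the slide's path includes %USERNAME%.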


Folder Redirection
Considerations

Use folder redirection to enable simultaneous access to common folders.

1. User starts a session with a random, non-persistent desktop; the profile is loaded from the Win10 store.
2. User opens published app from a different VDA; the profile is loaded from the Server2016 store.
3. User uses browser on virtual desktop to save a document from the Internet to the redirected documents folder.
4. User opens the saved document in the published app from the redirected documents folder.

[Diagram: Folder Redirection Example, showing a Windows 10 desktop and Microsoft Word 2016 on separate VDAs, the Win10 and Server 2016 profiles, and the redirected Documents and Pictures folders]

Key Notes:
• Folder redirection is an excellent addition to most Profile Management solutions.
• Redirected folders do not roam as part of the profile and therefore speed up the logon and logoff process.
• Redirected folders normally require a file share different from the profile share.
• Accessing large files from redirected folders can take more time since they are opened over the network – depending on
topology.
• Folder redirection lets you store user data on network shares other than the location where the profiles are stored. This reduces profile size and load time, but it might impact network bandwidth. Folder redirection does not require that Citrix user profiles are employed. You can choose to manage user profiles on your own, and still redirect folders.
• Configure folder redirection using Citrix policies in Studio.
• Ensure that the network locations used to store the contents of redirected folders are available and have the correct permissions. The location properties are validated.
• Redirected folders are set up on the network and their contents populated from users' virtual desktops at logon.
• Note: Configure folder redirection using only Citrix Policies or Active Directory Group Policy Objects, not both. Configuring folder redirection using both policy engines may result in unpredictable behavior.
• In Citrix Profile Management (but not in Studio), a performance enhancement allows you to prevent folders from being processed using exclusions. If you use this feature, do not exclude any redirected folders. The folder redirection and exclusion features work together, so ensuring no redirected folders are excluded allows Profile Management to move them back into the profile folder structure again, while preserving data integrity, if you later decide not to redirect them.
• Grant administrator access: This setting enables an administrator to access the contents of a user's redirected folders.
• By default, this setting is disabled and users are granted exclusive access to the contents of their redirected folders.

Additional Resources:
• Folder redirection policy settings:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/profile-management/folder-redirection-policy-settings.html



Advanced Folder Redirection

Used with different operating systems when you want some of a user's profile information to be shared by other operating systems.

1. Maintains a different configuration for each operating system (OS).
2. Remaining content of the profile is not shared and is used only by one OS.
3. Important to understand the structure of your users' profile data to determine which parts can be shared between OSs.

[Diagram: Advanced Folder Redirection Example. Labels: Internal Client, Adobe Version 11, Adobe Version 9, Shared Adobe File, Single Network File Location, Win 8 Start Menu]

Key Notes:
• To deploy Advanced Folder Redirection:
• Use a separate Delivery Group for each OS.
• Understand where all virtual applications, including those on virtual desktops, store user data and settings, and
understand how the data is structured.
• For shared profile data that can safely roam, redirect the containing folders in each Delivery Group.
• For non-shared profile data that cannot roam, redirect the containing folder in only one of the Desktop Groups; typically the one with the most used OS or the one where the data is most relevant. Alternatively, for non-shared data that cannot roam between OSs, redirect the containing folders on both systems to separate network locations.

Additional Resources:
• User profiles - Advanced folder redirection:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/user-profiles.html


Lesson Objective Review

Scenario: You are the Citrix Admin and your manager has just tasked you to configure Citrix Profile Management.

What is the easiest method to ensure configuration is consistent across all VDAs?

Utilize Citrix policies to configure Citrix Profile Management settings and filter this policy to the VDAs.


Configure Citrix Profile Management


Identify Users to Apply Citrix Profile Management
Processed Groups and Excluded Groups

Using Citrix policies select which users' profiles to manage with Citrix Profile Management.

• Processed Groups:
• Define which users’ profiles are processed
• Excluded Groups:
• Exempt users’ profiles from being processed
• Process Logons of local administrators
• For users of personal desktops with administrative permissions
• The specified groups are matched by their name only!

[Diagram: Citrix Profile Manager. Excluded: Radiology-Group (Windows roaming profile is used). Processed: Doctors-Group (Citrix Profile Management is used)]

Key Notes:
• By default, all users are managed.
• If only two groups are specified within the processed group policy setting, then only these two groups are managed.
• If a single group is specified in the excluded groups policy setting, then all groups except this one are managed.
• If both settings are used, the resulting set is merged.
• Management of profiles can fail if groups are used for restricting Profile Management and these groups are renamed in
Active Directory since they are matched by their name only.

• On static, persistent desktops, users are possibly given local administrator permission (sometimes to solve some software restrictions). Normally Profile Management would not manage these users unless the corresponding policy is set.


Inclusions and Exclusions
Exclusions to speed up profile roaming and conserve space

• Exclude directories
• Like Downloads, Temp, AppData\Local
• Exclude file patterns
• Like *.mp3 or *.tmp
• Exclude Registry Hives
• Like HKCU\Software\BadlyCoded
• Include registry hives
• Like HKCU\Software\BadlyCoded\Important-Hive

[Diagram: profile folder tree Users > User1 containing Desktop, Documents, AppData, AppData Local and Pictures]

Key Notes:
• If a single entry exists in the Registry-Include-Setting (e.g. HKCU\SOFTWARE\Adobe) then this will be the **only**
registry key that roams. All other keys are implicitly considered to be black-listed and will be excluded from roaming.
• By default, the complete HKCU hive roams and nothing needs to be included.
• This can be beneficial if designing profiles for an environment (silo) that hosts a single, specialized application. Defining
only the printers key and the application keys to be included could result in a fast loading profile that can hardly be
corrupted.



• If both exclusion and inclusion are defined, the most specific match wins (in the above example, the hive “BadlyCoded” would not roam, but its sub-key “Important-Hive” would).
• Exclusions are processed at logoff. This will not block entries to the registry or filesystem during the session.
• The Exclusions section contains policy settings for configuring which files and directories in a user’s profile are excluded from the synchronization process.
• Exclusion list – directories specifies a list of folders in the user profile that are ignored during synchronization.
• Specify folder names as paths relative to the user profile (%USERPROFILE%).
• By default, this setting is disabled and all folders in the user profile are synchronized.

Additional Resources:
• Exclusions policy settings:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/profile-management/file-system/exclusions-policy-settings.html
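
The registry inclusion and exclusion rules from the notes above, as an added example that is not Citrix code: a Python model of "most specific match wins", of the rule that an inclusion list makes every other key stop roaming, and of the fact that the lists are applied to what is written at logoff. The function names and the sample session keys are constructed, and treating an identical entry in both lists as excluded is an assumption of this model.

```python
def _components(key):
    """Registry paths are case-insensitive: compare lower-cased components."""
    return tuple(part.lower() for part in key.split("\\") if part)


def _longest_match(key, entries):
    """Depth of the deepest list entry that equals key or is an ancestor of it (-1 if none)."""
    parts = _components(key)
    best = -1
    for entry in entries:
        prefix = _components(entry)
        if parts[:len(prefix)] == prefix:
            best = max(best, len(prefix))
    return best


def key_roams(key, include=(), exclude=()):
    """Decide whether a registry key is synchronized to the user store."""
    included = _longest_match(key, include)
    excluded = _longest_match(key, exclude)
    if included == -1 and excluded == -1:
        # No entry matches. By default the complete HKCU hive roams, but as soon
        # as an inclusion list exists, keys outside it are implicitly excluded.
        return not include
    # Most specific (deepest) match wins; a tie goes to the exclusion (assumption).
    return included > excluded


def synced_at_logoff(session_keys, include=(), exclude=()):
    """Keys changed during the session that are written back at logoff.

    Exclusions are processed at logoff, so every key in session_keys exists
    locally during the session whether or not it roams.
    """
    return [key for key in session_keys if key_roams(key, include, exclude)]


# The two entries shown on the slide.
SLIDE_EXCLUDE = [r"HKCU\Software\BadlyCoded"]
SLIDE_INCLUDE = [r"HKCU\Software\BadlyCoded\Important-Hive"]

# Constructed keys written during one session.
SESSION_KEYS = [
    r"HKCU\Software\BadlyCoded\Cache",
    r"HKCU\Software\BadlyCoded\Important-Hive\Settings",
    r"HKCU\Software\Adobe\Reader",
    r"HKCU\Printers\Connections",
]

if __name__ == "__main__":
    print("exclusion only:", synced_at_logoff(SESSION_KEYS, exclude=SLIDE_EXCLUDE))
    print("both lists:   ", synced_at_logoff(SESSION_KEYS, SLIDE_INCLUDE, SLIDE_EXCLUDE))
```

With only the exclusion set, everything outside BadlyCoded still roams; adding the inclusion entry narrows the roaming set to Important-Hive alone, which is the behaviour the first Key Note warns about.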


Simplified Configuration

• Profile Management offers predefined, recommended items for inclusion and exclusion.
• Instead of having to include and exclude items manually, you can use the default policy lists:
• Enable Default Exclusion List – directories
• Enable Default Exclusion List

Key Notes:
• In previous versions of Profile Management these settings were either controlled by an .ini configuration file or through
manual entry in a policy setting. The pre-defined settings in the .ini file have now been migrated into the policy objects to
make configuration and adjustments easier.
• Exclusion list – files: List of files that are ignored during synchronization. File names must be paths relative to the user profile (%USERPROFILE%). Wildcards are allowed and are applied recursively.
• Examples:
• Desktop\Desktop.ini ignores the file Desktop.ini in the Desktop folder.
• %USERPROFILE%\*.tmp ignores all files with the extension .tmp in the entire profile.
• AppData\Roaming\MyApp\*.tmp ignores all files with the extension .tmp in one part of the profile.
• If this policy is disabled, no files are excluded. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no files are excluded.
• Exclusion list – directories: List of folders that are ignored during synchronization. Folder names must be specified as paths relative to the user profile (%USERPROFILE%).
• Example:
• Desktop ignores the Desktop folder in the user profile.
• If this policy is disabled, no folders are excluded. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no folders are excluded.
• Enable Default Exclusion List - directories - Profile Management 5.5: Default list of directories ignored during synchronization. Use this policy to specify GPO exclusion directories without having to fill them in manually.
• If you disable this policy, Profile Management does not exclude any directories by default. If you do not configure this policy here, Profile Management uses the value from the .ini file. If you do not configure this policy here or in the .ini file, Profile Management does not exclude any directories by default.

Additional Resources:
• What's New in Profile Management 5.x: https://docs.citrix.com/en-us/profile-management/5.html


Profile Caching
Cache vs Delete

Cache
By default, profiles are cached locally to be reused on subsequent logons. This is recommended for:
• Hosted VDI – Dedicated, Existing, Physical
• Hosted VDI – Static with PVD
• Hosted VDI – Remote PC
• Non-persistent published desktop environments

Delete
Use policy to “Delete locally cached profiles on logoff” for:
• Persistent published desktop environments
• Hosted VDI – Pooled without reboot on logoff

Key Notes:
• Stale profiles could accumulate on published desktop environments where multiple users log on during the day, depending
on when the servers are rebooted and if they are set to discard changes on reboot.
• In non-persistent published desktop environments where servers are rebooted every night, this action will clean up the
cached profiles.
• Caching the profile and reusing it can speed up the logon process dramatically, but makes sense only when the machine
is “assigned” to one user and by implication is persistent.



• There is also a policy to delay the deletion – this will save storage IO load, especially on random, non-
persistent desktops where the machine will be shut down after the user logs off, discarding any change to the
machine anyway.

Additional Resources:
• Profiles: To cache or not to cache, that is the question: https://www.citrix.com/blogs/2012/11/30/to-cache-or-not-to-cache-that-is-the-question


Active Write Back
• Enable the Active Write Back feature to save some profile contents back prior to logging off.
• Changed files are written back to a special folder within the profile directory on the file server (pending).
• This only affects files, not registry hives.
• Files are written back every 5 minutes to save bandwidth.
• Active Write Back includes registry items.

[Diagram: Active Write Back between an internal endpoint, the VDAs and a file server]

Key Notes:
• A user might work on a document which is saved in a local folder on his VDA. When the VDA crashes (or the user does not log off, but just disconnects…), the profile changes (including the document) have not been saved on the file server and are lost. With Active Write Back, every 5 minutes the latest copy of each changed file is copied back to the file server. When a user logs on again (after a crash or from a different machine), the saved version of the document will be included in the profile.
• For some applications a certain registry entry must match a certain file, so only saving the files might cause this application’s configuration to break.
• Active Write Back enables modified files and folders (but not registry settings) to be synchronized to the user store during a session, before logoff.
• By default, synchronization to the user store during a session is disabled.
• Support for Active Write Back for registry entries - registry entries that are modified on the local computer can be backed up to the user store in the middle of a session, before logoff.

Additional Resources:
• Basic policy settings:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/profile-management/basic-policy-settings.html


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 9

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the
lab exercises.



Profile Streaming

Enable Profile Streaming to create placeholder entries for files from the user profile; files will be loaded on access only.

Use the Always cache policy to:
• Roam all files exceeding a specified size in the background:
• To reduce the time required when user opens large files
• Saves some network traffic
• Roam all files of any size in the background:
• To reduce the time required when user opens any file
• No network traffic is saved

Key Notes:
• Profile Streaming typically allows for a much faster logon as the amount of data copied from the file servers will be
minimized.
• Profile Streaming can be restricted to a group. So this feature can be tested/enabled only for specific users.
• Creating placeholder files (each 4kb in size) might be a lot faster than downloading larger files or many files from the
profile share – especially if the user just logged on to check emails and logs back out afterwards.
• Profile Streaming will automatically be disabled if used together with the Citrix Personal vDisk feature.



• Profile Streaming enables and disables the Citrix streamed user profiles feature. When enabled, files and
folders contained in a profile are fetched from the user store to the local computer only when they are
accessed by users after they have logged on. Registry entries and files in the pending area are fetched
immediately.

Additional Resources:
• Streamed user profiles policy settings:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/profile-management/streamed-user-profiles-policy-settings.html


Profile Streaming
How It Works
1. User starts session on a VDA; the profile is loaded, but only placeholder files are created on the VDA.
2. User opens a file from his profile using an application on the VDA. Citrix Profile Management downloads the actual file from the user store path and replaces the placeholder.
3. The file now resides locally on the VDA and can be manipulated.
4. On logoff, the file is saved back to the user store path.

[Diagram: Profile Streaming steps 1 to 4 between an internal endpoint, the VDAs and a file server]

Key Notes:
• A special filter driver is used to intercept the access to the placeholder files (reparse points, a special function of NTFS).
• Enabling the “Always Cache” policy but setting the value to “0” enables background downloading of **all** files from the
user profile.
• Streamed user profile groups specifies which user profiles within an OU are streamed, based on Windows user groups.
• When enabled, only user profiles within the specified user groups are streamed. All other user profiles are processed
normally.



Additional Resources:
• Streamed user profiles policy settings:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/profile-
management/streamed-user-profiles-policy-settings.html



Profile Protection

• Profile Management provides profile protection by enhancing the way it handles profiles.
• Profile Management maintains a last known good backup of the NTUSER.DAT file.
• If Profile Management detects corruption, it uses the last known good backup copy to recover the profile.

Key Notes:
• Enables a backup of the last known good copy of NTUSER.DAT and rollback in case of corruption.
• If you do not configure this policy here, Profile Management uses the value from the .ini file. If you do not configure this
policy here or in the .ini file, Profile Management does not back up NTUSER.DAT.

Additional Resources:
• What's New in Profile Management 5.x: https://docs.citrix.com/en-us/profile-management/5.html



Lesson Objective Review

Scenario: You are the Citrix admin and you have recently enabled Citrix Profile Management with the basic profile settings to migrate roaming profiles.
After you enabled it with the basic profile settings, you notice that the size of the profiles has started to grow. What could be the reason?

With the default settings enabled, Citrix Profile Manager synchronizes more profile data than roaming profiles do.
Use the folder and file exclude rules to filter out unnecessary data.


Lab Exercises

Module 9


Lab Exercise

• Ex 9-1: Log in to Experience an Un-Optimized User Profile
• Ex 9-2: Configure Citrix Profile Management
• Ex 9-3: Log in to Experience an Optimized User Profile


Key Takeaways

• User Profile Management enables a consistent user experience across multiple sessions.
• Features such as Active Write Back and Profile Streaming offer additional logon and logoff performance gains.


Citrix Virtual Apps and Desktops 7 Administration On-Premises and In Citrix Cloud

Manage the Site

Module 10


Learning Objectives

• Identify how to create and manage delegated administrators in Citrix Studio.
• Explore the correlation between PowerShell and the Citrix Studio.
• Present how to power manage the machines hosting the sessions.


Delegated Administration


On-Premises Studio vs Citrix Cloud Studio

[Screenshots: On-premises Citrix Studio and Citrix Cloud Studio]

Key Notes:
• It is useful to delegate administration when there is a large Citrix Administrative team, with multiple tiers of responsibility.
• The Citrix Virtual Apps and Desktops Service does not have a Licenses node in Cloud Studio because licensing is based on a subscription model. This does not require an on-premises license server.
• Currently App-V Publishing is not supported with Citrix Cloud.
• The Controllers node is not shown in Cloud Studio because the controllers are operated and managed by Citrix.
• The Zones node contains Cloud Connectors and not Citrix Virtual Apps and Desktops Controllers.
• Delegated administration is available from the Cloud control plane; it is not exposed in Cloud Studio, and only full admin and helpdesk roles are available currently.
• Currently, Cloud Studio is a published MMC console that a customer accesses through the HTML5 Receiver client.
• Configuration logging is currently not available from Cloud Studio, but the functionality is on the road map.


Delegated Administration
On-Premises and Citrix Cloud

• Delegated Administration for both On-Premises and Citrix Cloud deployments is useful when there is more than one tier within the Citrix Administrative team, and the need to assign different levels of permissions to the deployment for more than one administrator.
• On-Premises Deployments Delegated Administration is configured within Citrix Studio.
• Citrix Cloud Deployments Delegated Administration is configured at both the Citrix Cloud and the Citrix Virtual Apps and Desktops Service levels.


On-Premises Delegated Administration
Overview

Who is a Delegated Administrator?

A delegated administrator is a Citrix Virtual Apps and Desktops Site Administrator that combines three elements to define Site administration rights.

[Diagram: Delegated Administrators. Administrator (User or User Group, for example Domain\Helpdesk-Group) + A Role (Set of permissions, for example allowed to view, not allowed to create, not allowed to modify, not allowed to delete) + A Scope (Objects in the site, for example a Delivery Group or Machine Catalog)]

Key Notes:
• Delegated Administrators:
• The three elements that define a Site Delegated Administrator:
• User or User Group
• A Role set of permissions
• A Scope Objects in the Site
• Both individual users and user groups qualify as one of the three elements for delegated administration.

708 © 2021 Citrix Authorized Content


• Individual users:
• Requires management of individual accounts.
• Will most often require updates to delegated administration within Studio for staffing changes.
• User groups: (Citrix Recommended)
• Enables central management of multiple accounts.
• Staffing changes can be managed within Active Directory group membership.
• The Delegated Administration model offers the flexibility to match how your organization wants to delegate
administration activities, using role and object-based control.
• Delegated Administration accommodates deployments of all sizes, and allows you to configure more
permission granularity as your deployment grows in complexity.
• For example, we can give the Junior Admin full admin privileges on the test Delivery Group and the test
Catalog, while he only has limited permissions on the production resources.
• Delegated Administrators Use Case Examples:
• Below we have three different types of administrators, each requiring individual privileges on the same
objects. We use Roles to create the permission levels.
• First-level User Helpdesk group - Can monitor license servers, infrastructure components and access
session related data inside a session. Additionally, can log off or reset user sessions of certain user groups
only.
• Second-level User Helpdesk group – (In addition to First-level User Helpdesk permissions):
• Can reset user profiles, sessions and VDAs.
• Can assign users to VDAs.
• Can modify and assign policies to VDAs.
• Citrix Administrative Group – Can modify every aspect of all objects in the site.
• During the initial Site configuration, an “All” Scope and six different predefined Roles are created.
• Administrators — An administrator represents an individual person or a group of people identified by their
Active Directory account. Each administrator is associated with one or more Role and Scope pairs.
• Roles — A Role represents a job function, and has defined permissions associated with it. For example, the
Delivery Group Administrator Role has permissions such as 'Create Delivery Group' and 'Remove Desktop
from Delivery Group.' An administrator can have multiple Roles for a Site, so a person could be a Delivery
Group Administrator and a Machine Catalog Administrator. Roles can be built-in or custom.
• Scopes — A Scope represents a collection of objects. Scopes are used to group objects in a way that is
relevant to your organization (for example, the set of Delivery Groups used by the Sales team). Objects can
be in more than one Scope; you can think of objects being labeled with one or more Scopes. There is one
built-in Scope: 'All,' which contains all objects. The Full Administrator Role is always paired with the All
Scope.
• Consider:
• Delegated administrators are Site specific.
• The site database stores the configuration of delegated administrators.
• Although Citrix Studio can delegate to local users or groups, Studio cannot be run using local credentials –
a domain account is required!
• Using domain groups is a leading practice for delegating administrative permissions within a Site.

Additional Resources:
• Delegated Administration:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/delegated-administration.html


On-Premises Administrator Roles

• A Role is one of the three elements that defines a Site Delegated Administrator.
• A Role qualifies as one of the three elements for delegated administration.
• A Role defines a specific set of permissions that a user or group has.
• The permissions within a Role typically depend on the job responsibility of the Delegated Administrator.
• The Citrix Virtual Apps and Desktops Site offers six built-in Roles.
• In addition to these built-in Roles, custom Roles can also be created.

[Diagram: Six Built-in Roles: Full, Delivery Group, Machine Catalog, Help Desk, Host, Read Only]

Key Notes:
• The account that is used to create the Site is added to the Full Administrator Role automatically.
• It is important to understand the function of the built-in Roles and how they relate to typical job functions:
• Full Administrator
• Can perform all tasks and operations. The Full Administrator Role only applies to the “All” Scope.
• Delivery Group Administrator
• Can deliver applications, desktops, and machines; can also manage the associated sessions.
• Can also manage application and desktop configurations such as policies and power management
settings.
• Machine Catalog Administrator
• Can create and manage Machine Catalogs and provision machines into them.
• Can build Machine Catalogs from the virtualization infrastructure, Citrix Provisioning, and physical
machines.
• This Role can manage base images and install software, but cannot assign applications or desktops to
users.
• Help Desk Administrator
• Can view Delivery Groups, and manage the sessions and machines associated with those groups.
• Can see the Machine Catalog and host information for the Delivery Groups being monitored; and can
also perform session management and machine power management operations for the machines in
those Delivery Groups.
• Host Administrator
• Can manage host connections and their associated resource settings.
• Cannot deliver machines, applications, or desktops to users.
• Read Only Administrator
• Can see all objects in specified Scopes as well as global information, but cannot change anything.
• For example, a Read Only Administrator with Scope=London can see all global objects (such as
Configuration Logging) and any London-Scoped objects (for example, London Delivery Groups).
However, that administrator cannot see objects in the New York Scope (assuming that the London and
New York Scopes do not overlap).
• Custom Roles can be created from scratch or by copying permissions from an existing Role. The following
steps should be followed to create or copy a Role.
1. Create new Role / Copy Role.
2. Enter a name for the Role.
3. Select all permissions from all sections necessary for the new Role.
4. Save the new Role.
• You can create custom Roles to match the requirements of your organization, and delegate permissions
with more detail. You can use custom Roles to allocate permissions at the granularity of an action or task in
a console.
• Creating a Custom Role is very useful since the built-in Roles might not meet a customer’s specific needs.
• It can be helpful to copy an existing Role instead of creating one from scratch.
• Role names can contain up to 64 Unicode characters; they cannot contain the following characters: \
(backslash), / (forward slash), ; (semicolon), : (colon), # (pound sign), , (comma), * (asterisk), ? (question
mark), = (equal sign), < (left arrow), > (right arrow), | (pipe), [ ] (left or right bracket), ( ) (left or right
parenthesis), " (quotation marks), and ' (apostrophe). Descriptions can contain up to 256 Unicode
characters.
• You cannot edit or delete a built-in Role. You cannot delete a custom Role if any administrator is using it.
• Note: Only certain product editions support custom Roles. Editions that do not support custom Roles do not
have related entries in the Actions pane. At this time, the Enterprise and Platinum editions of both Citrix
Virtual Apps and Desktops support custom Roles. For the latest information, check the Citrix Virtual Apps
and Desktops feature matrix (link provided in Additional Resources).

Additional Resources:
• Delegated Administration:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/delegated-administration.html


On-Premises Administrator Scope

• A Scope is one of the three elements that defines a Site Delegated Administrator.
• A Scope combines objects from the Site to a unit that a Role can be applied to.
• Objects can be part of multiple Scopes.
• Only specific objects can be added to Scopes.
• Includes: Machine Catalogs, Delivery Groups, Hosting Connections and Application Groups.
• Excludes: Individual published apps and VDAs
• The Citrix Virtual Apps and Desktops Site offers one built-in Scope called “All.” Custom Scopes may also be created.
• Includes: all objects in the Site and all newly added objects are automatically included.
• The “All” Scope is associated with the Site Full Administrator Role.

[Diagram: One built-in Scope: All Scope (All Site Objects: Machine Catalogs, Delivery Groups, Hosting Connections, Application Groups)]



Steps to Create an On-Premises Custom Administrator
Create from scratch or by copying an existing administrator.

1. Create the intended scope and role by defining the permissions and the objects to apply them to.
2. Create a new Administrator.
3. Specify a user or user group for the new Administrator.
4. Select the Scope. (Such as the one created in step 1)
5. Assign the Role. (Such as the one created in step 1)
6. Save the new Administrator.
7. Edit the Administrator to assign additional Scope and Role pairs as needed.

[Diagram: Define the Scope (1), Define the Role (1), Create the Admin (2, 3, with Scope and Role selection 4, 5), Save the Admin (6), additional pairs if needed (7)]

Key Notes:
• As the diagram shows, a group of users can have different permissions to different objects at the same time. The diagram
shows three Scope & Role pairs. One Scope contains different types of objects (Delivery Group & machine catalog), while
other Scopes contain just Delivery Groups.
• When you create a Site as a local administrator, your user account automatically becomes a Full Administrator with full
permissions over all objects. After a Site is created, other local administrators have no special privileges.
• The Full Administrator Role always has the All Scope; you cannot change this.
• By default, an administrator is enabled. Disabling an administrator might be necessary if you are creating the
new administrator now, but that person will not begin administration duties until later. For existing enabled
administrators, you might want to disable several of them while you are reorganizing your object/Scopes, then
re-enable them when you are ready to go live with the updated configuration. You cannot disable a Full
Administrator if it will result in there being no enabled Full Administrator. The enable/disable check box is
available when you create, copy, or edit an administrator.

Additional Resources:
• Delegated Administration:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/delegated-administration.html
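The rules in the notes above (the Full Administrator Role is always paired with the All Scope, an enabled Full Administrator must always remain, and administrators can be disabled while keeping their Role and Scope pairs) can be checked across a whole Site with a short review script. The following is an added example, not part of the course material and not Citrix code: the function name Get-DelegationFinding is hypothetical, the sample accounts are constructed, and the input property names (Name, Enabled, Rights, RoleName, ScopeName) are an assumption about the shape of Get-AdminAdministrator output.

```powershell
# Added example, not Citrix code. Get-DelegationFinding is a hypothetical name.
# ASSUMPTION: each input object has Name, Enabled and Rights, and each right has
# RoleName and ScopeName (the shape Get-AdminAdministrator output is taken to have).
function Get-DelegationFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Administrator
    )
    begin {
        $admins   = New-Object System.Collections.Generic.List[object]
        $findings = New-Object System.Collections.Generic.List[object]
        function Add-Finding([string]$Who, [string]$Rule, [string]$Detail) {
            $findings.Add([pscustomobject]@{ Administrator = $Who; Rule = $Rule; Detail = $Detail })
        }
    }
    process {
        # Collect everything first: the Full Administrator count is a Site-wide check.
        foreach ($a in $Administrator) { $admins.Add($a) }
    }
    end {
        foreach ($a in $admins) {
            # Drop $null so an administrator without rights yields an empty array.
            $rights = @($a.Rights | Where-Object { $_ })
            foreach ($r in $rights) {
                $isFull     = $r.RoleName -eq 'Full Administrator'
                $isReadOnly = $r.RoleName -eq 'Read Only Administrator'
                if ($isFull -and $r.ScopeName -ne 'All') {
                    # The notes state this pairing cannot exist; seeing it means bad input data.
                    Add-Finding $a.Name 'FullAdminScope' "Full Administrator paired with Scope '$($r.ScopeName)' instead of All"
                }
                elseif ($r.ScopeName -eq 'All' -and -not $isFull -and -not $isReadOnly) {
                    # A write-capable Role on the All Scope covers every current and future object.
                    Add-Finding $a.Name 'BroadScope' "Role '$($r.RoleName)' is held on the All Scope; consider a custom Scope"
                }
            }
            if (-not $a.Enabled -and $rights.Count -gt 0) {
                # Disabling is meant to be temporary; rights come back the moment it is re-enabled.
                Add-Finding $a.Name 'DisabledWithRights' "Disabled but still holds $($rights.Count) Role/Scope pair(s)"
            }
        }
        $enabledFull = @($admins | Where-Object {
            $_.Enabled -and (@($_.Rights).RoleName -contains 'Full Administrator')
        })
        if ($enabledFull.Count -lt 2) {
            Add-Finding '(Site)' 'FullAdminCount' "$($enabledFull.Count) enabled Full Administrator(s); the last one cannot be disabled"
        }
        $findings
    }
}

# Constructed sample input (not from a real Site).
$sample = @(
    [pscustomobject]@{
        Name    = 'Domain\CitrixAdmins'
        Enabled = $true
        Rights  = @([pscustomobject]@{ RoleName = 'Full Administrator'; ScopeName = 'All' })
    }
    [pscustomobject]@{
        Name    = 'Domain\Helpdesk-Group'
        Enabled = $true
        Rights  = @(
            [pscustomobject]@{ RoleName = 'Help Desk Administrator';      ScopeName = 'London' }
            [pscustomobject]@{ RoleName = 'Delivery Group Administrator'; ScopeName = 'All' }
        )
    }
    [pscustomobject]@{
        Name    = 'Domain\NewHire'
        Enabled = $false
        Rights  = @([pscustomobject]@{ RoleName = 'Read Only Administrator'; ScopeName = 'New York' })
    }
)

$sample | Get-DelegationFinding | Format-Table -AutoSize -Wrap

# On a machine with the Citrix snap-ins loaded, live data would be piped in instead:
#   Get-AdminAdministrator | Get-DelegationFinding
```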


Two Approaches to Delegated Administration on Citrix Cloud

• Citrix Cloud: Administrators can be given permissions at the Citrix Cloud level, which could be used to delegate functions across subscribed services.
• Citrix Cloud: Citrix Virtual Apps and Desktops Service: Administrators can be given permissions at the specific Citrix Virtual Apps and Desktops Service, which could be used to delegate functions limited to a deployed Site.


Citrix Cloud Delegated Administration
The First Citrix Cloud Administrator

• The first Citrix Cloud Administrator is created during the onboarding process.
• This Administrator has full rights to the full subscribed service(s).
• This first Administrator can add additional administrators to Citrix Cloud using an invite from the
Citrix Cloud Console.

[Diagram: Onboarding Process: New Customer, Citrix Cloud, First Citrix Cloud Administrator]

Key Notes:
• When the first Citrix Cloud Administrator invites additional administrators, their permissions can be configured to delegate
access appropriate to their administrative role.
• The following are the different levels of Delegated Administration:
• Help Desk access limited to Virtual Apps and Desktops Service
• Access to manage one or more specific cloud services
• Access restricted to partner administrators
• Access restricted to Read Only
• Only full access administrators can add delegated administrators and define their level of access.
• Check with the latest Citrix online documentation to confirm if any updates have been made to Delegated
Administration in the product.

Additional Resources:
• Online Citrix Documentation for Identity and Access Management (See under Administrators):
https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management


Add an Administrator to Citrix Cloud

1. Log in to Citrix Cloud with full access administrator credentials.
2. Navigate to Identity and Access Management.
3. Click on the Administrators tab.
4. Click on the Invite button.
5. An email invite is sent to the targeted new Administrator.

[Diagram: Full Access Cloud Administrator, Citrix Cloud Management Console, Invite Email, Targeted Administrator]

Key Notes:
• The invite to be a Citrix Cloud Administrator is received via email from the [email protected] account.
• This email details how to access the account and join the invitation.
• When the joining steps are followed, a browser window will launch giving the new administrator an interface to set up a
password.
• If the invited administrator already has a Citrix Cloud account, they are asked to input their existing password, and accept
the invitation.
• At any time, the administrators list can be viewed on the Administrators tab of the Identity and Access
Management page.

Additional Resources:
• Online Citrix Documentation for Adding Administrators to a Citrix Cloud Account (See under Administrators):
https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/add-admins.html


Define Administrator Access Permissions for Citrix Cloud

1. Begin from the Identity and Access Management page on the Administrators tab.
2. Click the More options button for the targeted administrator and select Edit Access. (Requires Full Access permissions)
3. Select Custom access to delegate permissions and configure.
4. Save your changes.

[Diagram: Full Access Cloud Administrator, Citrix Cloud Management Console, Custom Access permission check boxes, Save, New Administrator]

Key Notes:
• All invited administrators default to full access permissions.
• Delegating permissions through defining access must be considered before sending an invite to join Citrix Cloud
administration.

Additional Resources:
• Online Citrix Documentation for Delegating Administration (Configure administrator permissions):
https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/add-admins.html


Citrix Cloud and On-Premise Delegated Administration
Similarities and Differences

• Both the Citrix Cloud Citrix Virtual Apps and Desktops Service and the On-Prem installation have the
same 3 key elements to delegate administration: Administrators, Roles and Scopes.
• The main difference is the Citrix Cloud deployment must add the first Administrator to Citrix Cloud
before you can delegate.

[Diagram: Citrix Cloud Administrator and Delegated Administrator. Six Built-in Roles: Full (Cloud Administrator), Delivery Group, Machine Catalog, Help Desk, Host, Read Only. One built-in Scope: All Scope (All Site Objects: Machine Catalogs, Delivery Groups, Hosting Connections, Application Groups).]

Key Notes:
• When a full access Citrix Cloud Administrator invites additional administrators, their permissions can be configured to
delegate access appropriate to their administrative role in the Citrix Virtual Apps and Desktops Service deployed Site.
• The following are the key three elements combined to define Site Delegated Administration:
• Administrator
• Role
• Scope
• Check with the latest Citrix online documentation to confirm if Citrix Virtual Apps and Desktops Service
Delegated Administration has been enabled in the product.
• If Delegated Administration is not enabled, it may be toggled on via submitting a request to enable this feature.
• Remember: By default all invited administrators have full access.
• To delegate permissions three elements must be defined:
• Administrator: which is the Citrix Cloud Account that was invited.
• To delegate, Administrators must have at least one Role and Scope.
• Role: which is the representation within the product of the administrator’s job function
• Any one Administrator may have more than one Role.
• Scope: which is the collection of objects and assigned level of permission to these objects
• Consider:
• Delegated Administrators are Site specific.
• The site database stores the configuration of delegated administrators.
• Using domain groups is a leading practice for delegating administrative permissions within a Site.
• A Role is:
• One of the three elements that defines a Site Delegated Administrator.
• Defines a specific set of permissions that a user or group has.
• A set of permissions typically designed to match the job responsibility of the Delegated Administrator.
• There are six built-in Roles:
• Full Administrator: Can perform all tasks and operations. The Full Administrator Role only applies to the
“All” Scope.
• Delivery Group Administrator: Can deliver applications, desktops, and machines; can also manage the
associated sessions. Can also manage application and desktop configurations such as policies and
power management settings.
• Machine Catalog Administrator: Can create and manage Machine Catalogs and provision machines into
them.
• Can build Machine Catalogs from the virtualization infrastructure, Citrix Provisioning, and physical
machines.
• This Role can manage base images and install software, but cannot assign applications or desktops to
users.
• Help Desk Administrator: Can view Delivery Groups, and manage the sessions and machines associated
with those groups. Can see the Machine Catalog and host information for the Delivery Groups being
monitored; and can also perform session management and machine power management operations for
the machines in those Delivery Groups.
• Host Administrator: Can manage host connections and their associated resource settings.
• Cannot deliver machines, applications, or desktops to users.
• Read Only Administrator: Can see all objects in specified Scopes as well as global information, but
cannot change anything.
• The Role configuration is used to define the Custom Access in the Citrix Cloud Console.
• A Scope is:
• One of the three elements that defines a Site Delegated Administrator.
• Combines objects from the Site to a unit that a role can be applied to.
• A set of objects that can be part of multiple scopes.
• Limited to specific objects: All Site, Machine Catalogs, Delivery Groups, Hosting Connections and
Application Groups.
• The default scope is “All”.


Citrix Cloud Delegated Administrator

This is the high-level process to delegate administration permissions for an administrator role in the Citrix Virtual Apps and Desktops Service deployed Site.

1. Add an Administrator to the Citrix Cloud subscription via an invite.
2. Use the Citrix Cloud Studio and click on Configuration > Administrators and click Scopes.
3. Click Create Scope and define the scope.
4. Pair the Scope with a Role.
5. Navigate to the Citrix Cloud Identity and Access Management > Administrators and select the newly invited administrator.
6. Choose Edit access and delegate specifically to the Citrix Virtual Apps and Desktops.
7. Choose the pre-configured Scope and Role and then click Save.

Key Notes:
• Remember, although Delegated Administration for Citrix Cloud and the Citrix Virtual Apps and Desktops Service is very
similar to an On-Premise deployment, there are some clear differences. For Example:
• On-Premise uses Active Directory to add an Administrator account.
• Citrix Cloud relies on the invited Citrix Cloud Login
• Citrix Cloud does not have a Custom Role
• Reports in Citrix Cloud are not available; however, the configuration can be viewed both in the Citrix Cloud Identity and
Access Management Administrator page and in the Citrix Cloud Studio.

Additional Resources:
• Citrix Online Documentation for Delegated Administration: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/delegated-administration


On-Premises Delegated Administration Reports
Create reports on delegated administrators

Detailed reports can be used to validate permissions per administrator on:
• Delivery groups
• Machine catalogs
• Hosting Connections and Resources
• Applications, application groups, directors and general functions
• Assigned scope & role pairs
• Resulting set of permissions on specific objects
• Knowing which role is assigned to a specific permission

Key Notes:
• You can create two types of Delegated Administration reports:
• An HTML report that lists the Role/Scope pairs associated with an administrator, plus the individual permissions for
each type of object (for example, Delivery Groups and Machine Catalogs). You generate this report from Studio. To
create this report, click Configuration > Administrators in the navigation pane. Select an administrator in the middle
pane and then click Create Report in the Actions pane. You can also request this report when creating, copying, or
editing an administrator.
• An HTML or CSV report that maps all built-in and custom Roles to permissions. You generate this report by
running a PowerShell script named OutputPermissionMapping.ps1. To run this script, you must be a Full
Administrator, a Read Only Administrator, or a custom administrator with permission to read Roles. The
script is located in: Program Files\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\.
• To create a Delegated Administration Report:
1. Select Create Report in Citrix Studio.
2. Specify a user or group to report on.
3. Name the output file (HTML format).
• To create a Role to permission Report:
1. Run the PowerShell script OutputPermissionMapping.ps1.
2. Specify the output file and format (CSV or HTML).
• The script to generate the Role to permission mapping can normally be found at the following location where
Citrix Studio is installed: “C:\Program Files\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1”
• The following example writes an HTML table to a file named Roles.html and opens the table in a web browser:
• & "$env:ProgramFiles\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1" -Path Roles.html -Show

Additional Resources:
• Delegated Administration:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/delegated-administration.html


On-Premises Configuration Logging Reports

• Create Configuration Logging Reports to document changes to a Site.
• The built-in logging facility tracks all configuration changes within a Site by default including:
• The account used
• Date and time
• Success or failure of the change

Key Notes:
• This report will only cover changes that are saved in the Configuration Logging database.
• Any changes made from Studio, Director, and PowerShell scripts, involving the creation, editing, deleting, or assigning to
the below objects are tracked by Configuration Logging:
• Machine Catalogs
• Delivery Groups
• Administrator Roles and Scopes
• Host resources and connections
• Citrix policies made via Studio
• Configuration Logging does not track the following administrative changes:
• Any changes to VDA images, such as application installations and Windows updates.
• Autonomic operations (i.e.: pool management power-on of virtual machines).
• Policy actions implemented via the Group Policy Management Console (GPMC)
• Changes made through the registry, direct access of the database, or from sources other than Studio,
Director, or PowerShell.
• Initial deployment Configuration Logging changes are not logged (for example, when the database schema
is obtained and applied, when a hypervisor is initialized). Configuration Logging becomes available when
the first Configuration Logging Service instance registers with the Configuration Service.
• Logged content can be used to diagnose and troubleshoot problems after configuration changes are made;
the log provides a “breadcrumb” trail to track configuration and report administration activity.
• You can generate CSV and HTML reports containing configuration log data.
• The CSV report contains all the logging data from a specified time interval. The hierarchical data in the
database is flattened into a single CSV table. No aspect of the data has precedence in the file. No
formatting is used and no human readability is assumed. The file (named MyReport) simply contains the
data in a universally consumable format. CSV files are often used for archiving data or as a data source for
a reporting or data manipulation tool such as Microsoft Excel.
• The HTML report provides a human-readable form of the logging data for a specified time interval. It
provides a structured, navigable view for reviewing changes. An HTML report comprises two files, named
Summary and Details. Summary lists high level operations: when each operation occurred, by whom, and
the outcome. Clicking a Details link next to each operation takes you to the low level operations in the
Details file, which provides additional information.
• To generate a configuration log report, select Logging in the Studio navigation pane, and then select Create
custom report in the Actions pane.
• Select the date range for the report.
• Select the report format: CSV, HTML, or both.
• Browse to the location where the report should be saved.

Additional Resources:
• Configuration Logging:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/monitor/configuration-logging.html


On-Premises Configuration Logging Report Process

To create a configuration logging report:
1. Select Create Custom Report in Citrix Studio.
2. Specify a date range to report on.
3. Select the output format (CSV or HTML).
4. Name the output file.

Key Notes:
• CSV is often used for archiving purposes or further processing using data manipulation tools like MS Excel, while HTML
output can be included in project documentations and reports.
• To create Configuration Logging reports using PowerShell, leverage the Export-LogReportHTML and
Export-LogReportCSV cmdlets.

Additional Resources:
• Configuration Logging - Generate reports:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/monitor/configuration-logging.html


Citrix Cloud Configuration Logging
Track Changes to the Citrix Virtual Apps and Desktops Service Deployed Site

Feature Description
• Configuration Logging enables a Citrix Administrator to capture from Citrix Virtual Apps and Desktops the Site Configuration changes and administrative activities.
• Configuration Logging is stored within a logging database in Citrix Cloud.

Logging and Examples
• Configuration changes and administrative activities performed within Citrix Cloud Studio, Citrix Cloud Director, and via PowerShell scripts.
• Actions used to create, edit, delete, and assign are all logged.
• For Example:
• Machine Catalogs
• Delivery Groups
• Administrator Roles and Scopes
• Citrix Studio-based policies
• Power Management of a VM or user desktop

How To View Logging
• Only Full or Read-Only Administrators can view the configuration logs within Studio.
• Only Full Administrators can download a CSV report via PowerShell.
1. Sign in to Citrix Cloud.
2. Navigate to Citrix Virtual Apps and Desktops Service.
3. Click Manage to access Citrix Cloud Studio.
4. Within the Studio navigation pane, select Logging.

Key Notes:
• Check with the latest Citrix online documentation to confirm if Citrix Virtual Apps and Desktops Service Configuration
Logging has been enabled in the product.
• If Configuration Logging is not enabled, it may be toggled on via submitting a request to enable this feature.
• How often should Configuration Logging be checked?
• Consider the following uses:



• Change Control Process review: to ensure the scheduled changes were made and meet expectations.
• Troubleshooting: to review the Site configuration changes and use the log to provide a breadcrumb trail.
• Report administration activity: to verify that the expected administrators are performing according to their role and in compliance with the company's written policies.



How Often Should a Configuration Logging Report Be Run?

• Most companies and organizations will have a change control process in place designed to follow up on any administrative updates and/or changes made.
• This change control process helps to assure that any changes, or scheduled changes made, were in compliance with their specific Change-Control policy.

Key Notes:
Considerations:
• Once an administrator has completed any scheduled maintenance within the Citrix Virtual Apps and Desktops site,
configuration logging should be used to verify the changes made are as expected and that they were applied correctly.
• In the event of unexpected changes being made, configuration logging can also be used to review those changes.



Sample Scenario: Reason for Running Regular Configuration Logging Reports
Example of Using Configuration Logging

• Scenario: You are a Lead Citrix Administrator for a large company and you have to create two new machine catalogs for your Citrix Virtual Desktops infrastructure, due to a growing number of end-users within the company.
• You have decided to delegate this task to one of your junior administrators to complete.
• You want to track all activities related to the creation of these new catalogs, and ensure that they are completed successfully.
• Configuration logging allows you to view when the task was completed, as well as what changes were made to the site.


Lesson Objective Review

Scenario: You are the Citrix Admin and you are in the process of adding Joe, a new junior admin, as a delegated administrator.
You decide that you want to add him to the development and test scope, only using the full administrator role.
Will this work?

No.
The Full Administrator Role will always be associated with the All Scope.


Use PowerShell with Citrix Virtual Apps and Desktops


PowerShell Architecture

Windows PowerShell is a task automation and configuration management framework from Microsoft, which is included by default in modern Windows systems.
• Commands in PowerShell are called 'cmdlets'.
• Commands are built upon special .NET Framework functions.

[Diagram labels: Citrix Studio; Citrix PowerShell Snap-Ins; Citrix Virtual Desktops Controller; PowerShell; .NET Framework; Microsoft Operating System]

Key Notes:
• PowerShell is object oriented, so almost every command returns not just plain text or tables, but objects with properties
that can easily be filtered & manipulated.
• To manage specific products like Citrix Virtual Apps and Desktops, PowerShell can be extended by loading sets of cmdlets
(called modules or Snap-Ins) from 3rd party developers like Citrix.



Additional Resources:
• SDK reference (general): https://developer-docs.citrix.com/projects/delivery-controller-sdk/en/latest/



PowerShell Benefits

• Citrix Virtual Apps and Desktops benefits from PowerShell:
• Common language to manage Operating System, Citrix products and other third-party products.
• Language can be used in a script and interactively, on the command line.
• Methods available to address .NET, WMI, COM, and other executables directly.

Key Notes:
• Each of the FMA services has a corresponding PowerShell snap-in (DLL) that contains the interfaces and objects that can
be controlled from the SDK.
• Individual service .MSI Snap-in install files can be found on the installation media:
• x86\Citrix Desktop Delivery Controller
• x64\Citrix Desktop Delivery Controller



Additional Resources:
• TechEdge Orlando 2015: Advanced Configuration of XenApp and XenDesktop 7.6 using the PowerShell SDK:
https://support.citrix.com/article/CTX142511



PowerShell Integration

• Both On-Premises and Citrix Cloud deployments of Citrix Virtual Apps and Desktops can use PowerShell cmdlets, but each requires its own SDK.
• In both cases, the SDK can be used as a Citrix administrative tool to automate complex and repetitive tasks.
• Citrix Virtual Apps and Desktops PowerShell SDK
• Citrix Virtual Apps and Desktops Service Remote PowerShell SDK

Additional Resources:
• PowerShell SDK: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/sdk-api.html
• Remote PowerShell SDK: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/sdk-api.html



On-Premise PowerShell and Citrix Studio Integration

• Citrix Studio is a graphical console that uses PowerShell commands for all tasks.
• To see a history of issued commands from Studio, click the top node and select the PowerShell tab.

Key Notes:
• During troubleshooting it is recommended to have a look at the command that is failing since most tasks consist of several
necessary cmdlets that are started in a specific order.
• Often only one of these commands fails and the reason might be visible in the PowerShell pane inside Studio.
• PowerShell allows for additional configuration of settings and infrastructure reporting beyond what is provided in
Citrix Studio. For Example:

• Enabling Local Host Cache (Connection Leasing is disabled by default)
• Load Index Reporting
• Enabling XML Trust Request (used for Pass-Through authentication, Smart Card, FAS, SAML with Citrix Gateway)
• Remember, Local Host Cache is enabled by default in new deployments. If, however, the deployment was upgraded from a previous version in which Local Host Cache was not in use, it would be disabled after the upgrade.
• You can choose the correct tool based on the specific needs of your organization.
• Using Citrix Studio:
• Graphical interface
• Automatically uses all necessary commands to perform tasks
• Structure matches common job roles
• Manages a single Site only
• Offers easy access to common functions and data
• Intuitive, easy operation
• Using PowerShell:
• Text based interface
• Requires knowledge of PowerShell syntax and commands
• Automation possible
• Management of multiple Sites possible
• Can configure settings not exposed by Studio
• May require a script editor program or developer tools
• To enable LHC and disable Connection Leasing: Set-BrokerSite -LocalHostCacheEnabled $true -ConnectionLeasingEnabled $false
• To enable XML Trust: Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
• To get Load Index reporting data: Get-BrokerMachine -SessionSupport MultiSession -Property 'DnsName','LoadIndex','SessionCount'
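
The settings named above can be read back before anything is changed. The following is an added example, not part of the course material: it reports the current Local Host Cache, Connection Leasing and XML trust values of the Site and lists the Load Index of the multi-session machines. The 8000 threshold is an assumption chosen for illustration (a Load Index of 10000 means a machine is fully loaded).

```powershell
# Added example: read-only check of the Site settings discussed above.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$loadThreshold = 8000   # assumption: flag machines at or above 80% of the maximum (10000)

# --- Site-wide settings -------------------------------------------------------
$site = Get-BrokerSite
[pscustomobject]@{
    Site                     = $site.Name
    LocalHostCacheEnabled    = $site.LocalHostCacheEnabled
    ConnectionLeasingEnabled = $site.ConnectionLeasingEnabled
    XmlTrustEnabled          = $site.TrustRequestsSentToTheXmlServicePort
} | Format-List

if (-not $site.LocalHostCacheEnabled) {
    # Typical after an upgrade from a version in which Local Host Cache was not in use.
    Write-Warning 'Local Host Cache is disabled on this Site.'
}
if ($site.LocalHostCacheEnabled -and $site.ConnectionLeasingEnabled) {
    Write-Warning 'Local Host Cache and Connection Leasing are both enabled.'
}
if ($site.TrustRequestsSentToTheXmlServicePort) {
    # XML trust is needed for pass-through authentication, smart card, FAS and
    # SAML with Citrix Gateway; record which of these justifies the setting.
    Write-Warning 'XML trust is enabled: confirm that an authentication method in use requires it.'
}

# --- Load Index reporting -----------------------------------------------------
$machines = @(Get-BrokerMachine -SessionSupport MultiSession -MaxRecordCount 1000 `
    -Property 'DnsName', 'LoadIndex', 'SessionCount')

$machines |
    Sort-Object LoadIndex -Descending |
    Format-Table DnsName, LoadIndex, SessionCount -AutoSize

$busy = @($machines | Where-Object { $_.LoadIndex -ge $loadThreshold })
if ($busy.Count -gt 0) {
    Write-Warning "$($busy.Count) machine(s) at or above Load Index ${loadThreshold}:"
    $busy | ForEach-Object { Write-Warning ("  {0} ({1})" -f $_.DnsName, $_.LoadIndex) }
}
```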

Additional Resources:

• Error: “An error occurred while making the requested connection” (How to enable XML Trust): https://support.citrix.com/article/CTX132461
• Get XenDesktop load balancing information using the SDK: https://www.citrix.com/blogs/2013/07/22/get-xendesktop-load-balancing-information-using-the-sdk/


Use PowerShell with an On-Premises Deployment

• To manage Citrix Virtual Apps and Desktops using PowerShell:
• Install Citrix Studio or the PowerShell SDK.
• Open a PowerShell console window.
• Load the Citrix PowerShell Snap-ins: Add-PSSnapin Citrix*
• Enter the commands needed, for example: Get-BrokerSite

Key Notes:
• While typing on the PowerShell command line, commands are often abbreviated. You might have seen the above command before in a shorter version like: "asnp cit*". Many cmdlets have shorter aliases that can be used instead (get-childitem => gci, add-pssnapin => asnp).
• Depending on manufacturer, Snap-ins or Modules are used to extend the management capabilities of PowerShell. Citrix Virtual Apps and Desktops uses mostly Snap-ins.
• To list all available Snap-ins, issue the following command: Get-PSSnapin -Registered


• To list all available modules, issue the following command: Get-Module -ListAvailable
• PowerShell Modules:
• Citrix Virtual Apps and Desktops uses different services to provide many of its functions.
• Manage each service with the cmdlets included in a specific snap-in.
• SERVICE = Citrix AD Identity Service | POWERSHELL SNAPIN = Citrix.ADIdentity.Admin.V2
• SERVICE = Citrix Analytics | POWERSHELL SNAPIN = Citrix.Analytics.Admin.V1
• SERVICE = Citrix Broker Service | POWERSHELL SNAPIN = Citrix.Broker.Admin.V2
• SERVICE = Citrix Configuration Logging Service | POWERSHELL SNAPIN = Citrix.ConfigurationLogging.Admin.V1
• SERVICE = Citrix Configuration Service | POWERSHELL SNAPIN = Citrix.Configuration.Admin.V2
• SERVICE = Citrix Delegated Administration Service | POWERSHELL SNAPIN = Citrix.DelegatedAdmin.Admin.V1
• SERVICE = Citrix Environment Test Service | POWERSHELL SNAPIN = Citrix.EnvTest.Admin.V1
• SERVICE = Citrix Host Service | POWERSHELL SNAPIN = Citrix.Host.Admin.V2
• SERVICE = Citrix Machine Creation Service | POWERSHELL SNAPIN = Citrix.MachineCreation.Admin.V2
• SERVICE = Citrix Monitor Service | POWERSHELL SNAPIN = Citrix.Monitor.Admin.V1
• SERVICE = Citrix StoreFront Service | POWERSHELL SNAPIN = Citrix.StoreFront.Admin.V1
• To demonstrate how many cmdlets are contained inside each PowerShell Snap-in, use the following statement:
Get-PSSnapin -Registered -Name Citrix* | ForEach-Object { Write-Host "$($_.Name) contains $((Get-Command -Module $_.Name).Count) cmdlets." }
• Add-PSSnapin Citrix* can be used to load all the snap-ins

Additional Resources:
• TechEdge Orlando 2015 - Automation and troubleshooting of Citrix Group Policy for Citrix Virtual Apps and
Desktops 7.x using PowerShell: https://support.citrix.com/article/CTX142512
• XenDesktop 7.x Services Overview: https://support.citrix.com/article/CTX139415



Use PowerShell with a Citrix Cloud Deployment

• To use the Citrix Remote PowerShell SDK with Citrix Virtual Apps and Desktops Service deployment, the SDK must first be installed.
• Download the installer.
• Install the installer.
• Follow the dialogs to complete the installation
• To use the now installed Remote PowerShell SDK, run it from a domain-joined computer within the resource location.
• The process then becomes very similar to On-Premise deployments, by executing the asnp citrix* cmdlet.

Additional Resources:
• Install and use the Remote PowerShell SDK: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/sdk-api.html


Discovering Citrix cmdlets

• To find appropriate PowerShell cmdlets, use the GET-COMMAND cmdlet.
• To learn about the function, syntax and see examples, use GET-HELP.
• To list available properties of returned objects, pipe the output of a cmdlet to GET-MEMBER.

Command: Result
• Get-Command: Returns all cmdlets, functions and aliases from any module and snap-in loaded.
• Get-Command -module Citrix*: Only returns cmdlets from Citrix.
• Get-Command -module Citrix* *session*: Returns all cmdlets dealing with sessions of any kind.
• Get-Command -module Citrix* *application*: Returns all cmdlets dealing with applications of any kind.
• Get-Help Get-BrokerSession: Shows the usage and function of the Get-BrokerSession cmdlet.
• Get-Help Get-BrokerSession -examples: Shows examples of the use of the Get-BrokerSession cmdlet.
• Get-BrokerSession | Get-Member: Lists all properties that the objects retrieved by the cmdlet Get-BrokerSession expose (like session start time or Citrix Workspace app version).

Key Notes:
• Get-Command and Get-Help are very important to understand if you are new to PowerShell.
• Get-Command will allow you to find commands if you only remember part of the name and will allow you to use wildcards.
• Get-Help will show you more details about a specific command once you know the name.
• If command-line is too advanced, PS ISE can be a bit easier as it has the ability to show inline help and formatting hints.



Lesson Objective Review
What will the following statement most likely do?
(line-breaks have been introduced for readability)

Get-BrokerSession |
Where-Object {
$_.UserName -match "Doctor"
-and $_.SessionState -match "Active"
} |
Stop-BrokerSession

The statement should immediately log off all "Doctor" users (containing "doctor" in their name, so "SuperDoctor" and Doctor01 would match) out of their active sessions.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 10

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the
lab exercises.

Power Management Considerations


Schedule Restarts

• Scheduled restarts can be configured for Multi-session OS (Server OS) Machine Catalogs; Single-session OS (Desktop OS) Catalogs cannot be.
• Both Catalogs can be power managed via Citrix Studio or PowerShell.

Key Notes:
• Administrators can customize restart schedules for restart frequency, initialization time, and restart duration.
• Custom notifications can be sent to users at a specified time before restart takes place.
• Administrators must ensure that they never power cycle machines while user sessions are active on them.



Why Schedule a Restart?
Considerations

• Server OS VDAs typically host a wide array of both current and legacy applications for many users.
• Over time a Server OS VDA may suffer from application memory leaks or processes not terminating correctly as users log off.
• Restart schedules can be used to power cycle Server OS VDAs at certain non-production hours, ensuring that users experience a well-functioning system the next time they log on.


How to Schedule a Restart?

Using Citrix Studio:

• Restart Schedules can be configured within the properties of a Delivery Group.

Key Notes:
• A restart schedule specifies when machines in a Delivery Group are periodically restarted. You can create one or more
schedules for a Delivery Group. A schedule can affect either:
• All of the machines in the group.
• One or more (but not all) machines in the group. The machines are identified by a tag that you apply to the machine.
This is called a tag restriction, because the tag restricts an action to only items (in this case, machines) that have the
tag.



• For example, let's say all of your machines are in one Delivery Group. You want every machine restarted once every week, and you want the machines used by the accounting team restarted daily. To accomplish this, set up one schedule for all machines, and another schedule for only the machines in accounting.
• A schedule includes the day and time the restart begins, and the duration. The duration is either "start all affected machines at the same time" or an interval it should take to restart all affected machines.
• You can enable or disable a schedule. Disabling a schedule can be helpful when testing, during special intervals, or when preparing schedules before you need them.
• Multiple schedules can overlap. In the example above, both schedules affect the accounting machines. Those machines might be restarted twice on Sunday. The scheduling code is designed to avoid restarting the same machine more often than intended, but it cannot be guaranteed.
• If the schedules coincide precisely in start and duration times, it is more likely that the machines will be restarted only once.
• The more the schedules differ in start and duration times, the more likely it is that multiple restarts will occur.
• The number of machines affected by a schedule also affects the chance of an overlap. In the example, the weekly schedule that affects all machines might initiate restarts significantly faster than the daily schedule for accounting machines, depending on the duration specified for each.

Additional Resources:
• Manage Delivery Groups - Create a restart schedule for machines in a Delivery Group:
• 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/delivery-groups-manage.html


How to Power Manage a Single-session OS (Desktop) Machine

Single-session OS Catalog machines can be power managed from within Citrix Studio.

Settings include:
• The number of machines to be powered on at a specific time (both weekday and weekend hours).
• Peak and non-peak hour settings.
• Actions to take when sessions are disconnected for specified time (minutes); Suspend or Shut down.

Key Notes:
• You can power manage only virtual Single-session OS (Desktop) machines, not physical ones (including Remote PC
Access machines).



Lesson Objective Review

Scenario: You have 20 Server OS VDAs in a Delivery Group. You would like to restart 10 of these on Tuesdays and 10 on Thursdays and all of them Sunday night.
Will you be using Studio or PowerShell for this task?

When using Citrix Virtual Apps and Desktops 7 1811 or later, Citrix Studio can be used to configure multiple restart schedules. PowerShell can also accomplish this task.
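One way to build the Tuesday, Thursday and Sunday schedules from this scenario with PowerShell, using the tag restriction described in the restart schedule notes. This is an added example, not part of the course material; the Delivery Group name, tag names, schedule names, start times and warning text are constructed.

```powershell
# Added example: three restart schedules for one Delivery Group, two of them
# restricted by tag. All names and times below are constructed.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$groupName       = 'Server OS Delivery Group'   # assumption: existing Delivery Group
$durationMinutes = 60                           # interval over which affected machines restart

# --- 1. Split the machines into two halves ------------------------------------
$machines = @(Get-BrokerMachine -DesktopGroupName $groupName -MaxRecordCount 1000 |
    Sort-Object MachineName)
if ($machines.Count -lt 2) {
    throw "Delivery Group '$groupName' needs at least two machines to split."
}
$half = [int][math]::Ceiling($machines.Count / 2)
$plan = [ordered]@{
    'Restart-Tuesday'  = $machines[0..($half - 1)]
    'Restart-Thursday' = $machines[$half..($machines.Count - 1)]
}

# --- 2. Create the tags and apply them ----------------------------------------
foreach ($tagName in $plan.Keys) {
    if (-not (Get-BrokerTag -Name $tagName -ErrorAction SilentlyContinue)) {
        New-BrokerTag -Name $tagName | Out-Null
    }
    foreach ($machine in $plan[$tagName]) {
        Add-BrokerTag -Name $tagName -Machine $machine
    }
}

# --- 3. Create the schedules, disabled until they have been reviewed ----------
$common = @{
    DesktopGroupName = $groupName
    Frequency        = 'Weekly'
    RebootDuration   = $durationMinutes
    WarningDuration  = 15      # minutes of notice for users still logged on
    WarningTitle     = 'Scheduled restart'
    WarningMessage   = 'This machine is about to restart for maintenance. Save your work and log off.'
    Enabled          = $false
}
New-BrokerRebootScheduleV2 -Name 'Weekly - Tuesday half' -Day Tuesday `
    -StartTime '02:00' -RestrictToTag 'Restart-Tuesday' @common | Out-Null
New-BrokerRebootScheduleV2 -Name 'Weekly - Thursday half' -Day Thursday `
    -StartTime '02:00' -RestrictToTag 'Restart-Thursday' @common | Out-Null
# No tag restriction: this schedule affects every machine in the group.
New-BrokerRebootScheduleV2 -Name 'Weekly - Sunday all' -Day Sunday `
    -StartTime '23:00' @common | Out-Null

# --- 4. Review, then enable ---------------------------------------------------
Get-BrokerRebootScheduleV2 -DesktopGroupName $groupName |
    Format-Table Name, Day, StartTime, RebootDuration, RestrictToTag, Enabled -AutoSize

# After review:
# Get-BrokerRebootScheduleV2 -DesktopGroupName $groupName |
#     ForEach-Object { Set-BrokerRebootScheduleV2 -Name $_.Name -Enabled $true }
```

The three schedules fall on different days, so none of them overlap; schedules that share a day should be given matching start and duration times to reduce the chance of a double restart.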


Lab Exercise
Module 10


Lab Exercise

• Ex 10-1: Create an On-Premises Custom Role
• Ex 10-2: Create an On-Premises Custom Scope
• Ex 10-3: Create an On-Premises Custom Administrator
• Ex 10-4: Create an On-Premises Custom Administrator for a Help Desk Role
• Ex 10-5: Log in and Test the Delegated Custom Administrator
• Ex 10-6: Create an On-Premises Delegated Administration Report
• Ex 10-7: Create an On-Premises Configuration Logging Report


Key Takeaways

• Use Delegated Administration to enhance security and logging capabilities.
• Use PowerShell to configure settings not exposed by Citrix Studio and automate recurring tasks.
• Power management schedules can improve the user experience on machines running the VDAs.


Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Citrix Virtual Apps and Desktops Basic Security Considerations

Module 11


Learning Objectives

• Identify Citrix admin security considerations.
• Identify XML Service security considerations.
• Explain the importance of securing external HDX traffic.


Citrix Admin Security Considerations


General Network Security Expectations

• While larger companies usually have a dedicated security department, security personnel in smaller companies might have additional roles in the company.
• They expect the Citrix Administrator to secure new Citrix components of a deployment.

[Diagram labels: Large Company Security Department; Medium Company Networking Department; Small Company IT Department; each with Expectations directed at the Citrix Administrator]

Key Notes:
• While large organizations have a dedicated security team in charge of all security concerns, smaller companies might
leave some of these concerns with the individual Citrix Admin.
• As a Citrix Admin, it is important to be aware of the expectations from the organization as well as being aware of the
different security mechanisms that can be implemented in the Citrix environment.



Network Topology Security

• Citrix Virtual Apps and Desktops network communication is not secured by default.
• The network connections in the diagram suggest possible unsecured communication ports in a default Citrix Virtual Apps and Desktops environment.
• All highlighted network connections can be secured.

[Diagram: layered topology (User Layer, Access Layer, Control Layer, Resource Layer, Hardware Layer) showing Internal Users, External Users, StoreFront, Citrix Gateway, Firewalls, Delivery Controller, Domain Controller, SQL, License Server, Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC, and the hardware components Network, Wi-Fi, Storage, Processor, Memory, Graphics and Hypervisor, with the ports used on each connection.]

Key Notes:
• The diagram serves as a high level overview; use it to investigate all the possibilities of creating a more secure solution.
• Some companies allow internal access only, so securing internal components also requires blocking external access.
• Some companies require security for all external facing components while only using basic security for internal
components.
• Diagram Overview:
• Internal Users to StoreFront: 80 HTTP or 443 HTTPS

• External Users to Citrix Gateway: 80 HTTP or 443 HTTPS
• StoreFront and/or Citrix Gateway to Delivery Controller: 80 XML/STA or 443 XML/STA
• Internal Users and External Users (via Citrix Gateway) to Sessions in the Resource Layer: 1494/2598 HDX or 443 HDX
• Citrix Gateway to Domain Controller: 389 LDAP or 636 LDAP
• Delivery Controller to SQL: 1433 SQL or 443 SQL
• Delivery Controller to License Server: 27000, 7279, 8082
• Delivery Controller to the machines running the VDA in the Resource Layer and the VDA registration to the Delivery Controller: 80 HTTP or 443 HTTPS
• Delivery Controller to Hypervisor: 80 HTTP or 443 HTTPS


Certificates

• Confirm that both ends of the communication are in fact trusted entities; providing identifying information
• Contain name of the certificate holder, serial number, expiration dates, and a copy of the certificate holder's public key
• Can use wildcards to specify a range of hostnames, by using a wildcard (asterisk *) in the subject field.
• Use cryptographic keys, which are the keystones to encryption algorithms, to secure data
• SSL certificates are used to protect sensitive data (username and passwords)

Key Notes:
• Certificates are electronic "passports" that permit a person, computer or organization to exchange information securely
over the Internet (or within their internal infrastructure) using the public key infrastructure (PKI).
• SSL certificate files are presented to a third party. The third party then validates the file based on a number of criteria to determine if it will be accepted or rejected.
• SSL certificates utilize an "SSL Handshake", using a server's public and private keys (asymmetric keys) to generate a unique, temporary session key (symmetric key).
• SSL certificates validate identity and enable encryption for data in transit.
• A digital certificate can also be referred to as a public key certificate.
• Certificates can be Internal or Public.
• Public certificates cost money, so internal certificates are preferred where possible.
• Public certificates are generated by public Certificate Authorities, such as GoDaddy, VeriSign, and so on.
• Internal certificates are generated by an internal or corporate Certificate Authority.
• In order to provide validation that a certificate is genuine and viable, it is digitally signed by a root certificate belonging to a trusted certificate authority.
• Common certificate fields:
• Serial number: The unique serial number that the issuing certificate authority (CA) assigns to the certificate.
• Issuer: Information about the CA that issued the certificate.
• Valid from: The start date for the period in which the certificate is valid.
• Valid to: The final date for the period in which the certificate is valid.
• Subject: The name of the individual, computer, device, or CA to whom the certificate is issued.
• Public key: The public key type and length associated with the certificate.
• Thumbprint: The digest (or thumbprint) of the certificate data.
• Common certificate types:
• Server Certificate: Associated with the identity of a particular server or group of servers using hostnames.
• Client Certificate: Associated with the identity of a particular person or device, typically using emails or personal names.
• Intermediate Certificate: A certificate used to digitally sign other certificates, but is not itself self-signed.
• Root Certificate: A self-signed certificate used to sign other certificates.
• Self-Signed Certificate: A certificate where the subject is the same as the issuer.
• WW Labs Deployment – This Course's Lab Environment:
• The most common parts of the solution have been assigned certificates within the lab.
• More components could be secured in a production environment.
• The following machines in the lab use certificates:
• Domain Controller
• StoreFront
• Delivery Controller
• Citrix Gateway
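The certificate fields listed in the Key Notes can be read straight from the Windows certificate store of a StoreFront server or Delivery Controller. The following is an added example, not part of the course material: it inventories the computer's personal store and flags certificates that are expired, close to expiry, self-signed, wildcard, or not trusted by the local machine. The 30-day warning window is an assumption.

```powershell
# Added example: inventory of server certificates in the local computer store.
# Run in an elevated PowerShell session on the server being checked.
$warnDays = 30            # assumption: warn this many days before expiry
$now      = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert     = $_
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SerialNumber  = $cert.SerialNumber
        ValidFrom     = $cert.NotBefore
        ValidTo       = $cert.NotAfter
        DaysLeft      = [int]($cert.NotAfter - $now).TotalDays
        PublicKeyType = $cert.PublicKey.Oid.FriendlyName
        Thumbprint    = $cert.Thumbprint
        # Subject equal to issuer is the definition of self-signed given above.
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        # An asterisk in the subject or in a DNS name marks a wildcard certificate.
        Wildcard      = [bool]((@($cert.Subject) + $dnsNames) -match '\*\.')
        # A server certificate can only be bound to a port if its private key is present.
        HasPrivateKey = $cert.HasPrivateKey
        # Verify() builds the chain with the default policy, so it is false when
        # this machine does not trust the issuing CA. It may contact the CA's
        # revocation endpoints and take a few seconds per certificate.
        ChainTrusted  = $cert.Verify()
    }
}

$report |
    Sort-Object DaysLeft |
    Format-Table Subject, Issuer, ValidTo, DaysLeft, SelfSigned, Wildcard, ChainTrusted -AutoSize -Wrap

foreach ($entry in $report) {
    $name = "$($entry.Subject) [$($entry.Thumbprint)]"
    if ($entry.ValidFrom -gt $now) {
        Write-Warning "$name is not valid until $($entry.ValidFrom)."
    }
    if ($entry.DaysLeft -lt 0) {
        Write-Warning "$name expired on $($entry.ValidTo)."
    }
    elseif ($entry.DaysLeft -le $warnDays) {
        Write-Warning "$name expires in $($entry.DaysLeft) day(s)."
    }
    if ($entry.SelfSigned) {
        Write-Warning "$name is self-signed: it cannot be revoked and is not centrally managed."
    }
    if (-not $entry.ChainTrusted) {
        Write-Warning "$name does not chain to a CA trusted by this machine."
    }
    if (-not $entry.HasPrivateKey) {
        Write-Warning "$name has no private key on this machine."
    }
}
```

ChainTrusted reflects the trust list of the machine the script runs on; an endpoint with a different list of trusted CAs can still reject the same certificate.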


Certificate Authorities (CA)
General IT leading practices

Public CA
• Use certificates from publicly available trusted Certificate Authorities (CA) to secure network connections.
• Keep private key secured.
• Intermediate certificates may be required.

Private CA
• For use within companies or managed environments.
• Use internal or private CAs to issue certificates.
• Add the internal CA to the list of trusted CAs.
• Citrix also supports the use of self-signed certificates

[Diagram labels: User Layer; Access Layer; Control Layer; Endpoints; Firewall; StoreFront; Citrix Gateway; Delivery Controller; Domain Controller; SQL; License Server; Trusted CA; Internal CA; List of Trusted CAs; Is included; Verifies Revocation; Endpoints must trust CA; Issues Certificate; Certificates]

Key Notes:
• Using certificates from public CAs often does not require additional management on client devices, since the public CAs
are already included in their built in list of trusted certificate authorities.
• Private (or internal) CAs are often used for domains that cannot be verified (company.local or company.intranet) and can
reduce the cost compared to certificates from public CAs.
• An additional benefit for hosting a private CA is the complete control over certificate management – but this also comes
with the responsibility for protecting the CA against attacks or compromise.



• Self-signed certificates do not require a CA. In fact, the certificate is signed using its own private key. By
design, such certificates cannot be revoked if compromised which is a large drawback. Self-signed certificates
also lack central management, which is often a requirement for larger organizations.



Lesson Objective Review
Scenario: You are the Citrix Admin and you have decided to implement self-signed certificates from the Domain CA to the StoreFront servers.
Domain joined Windows computers are able to connect to StoreFront but Mac computers receive a certificate error.
What could be wrong?

The Mac computers do not trust the internal CA.


XML Service Security Considerations


XML Service
Trust Introduction

Introduction: XML Service
• Is used to exchange information between Citrix Gateway, StoreFront, and the Delivery Controller in XML format.
• Hosted on the Delivery Controller as a subservice of the Broker Service.
• Listens on port 80 by default
• Can share its port with IIS
• Some authentication functions require the XML service to be trusted.

Communication
• StoreFront and the Delivery Controller communicate via XML.
• This traffic includes user credentials and available resources for the user.
• By default, XML traffic is insecure using HTTP on port 80

Citrix Leading Practice
• Secure XML traffic over port 443 (https), to prevent credentials from being sent in clear text.
• Install a private server certificate on each Delivery Controller.
• Bind the certificate to port 443.
• Disable port 80 listener on the Delivery Controller.

Key Notes:
• The Broker Service also hosts the Secure Ticket Authority (STA) required for remote access.
• By using HTTP as the transport type, information is sent in clear text, with passwords obfuscated, posing a security risk.
• By default, the XML service on the Controller listens on port 80 for HTTP traffic and port 443 for HTTPS traffic. Although you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks.
• To change the default HTTP or HTTPS ports used by the Controller, run the following command from Studio:
  BrokerService.exe -WIPORT <http-port> -WISSLPORT <https-port>
  where <http-port> is the port number for HTTP traffic and <https-port> is the port number for HTTPS traffic.
• While it is leading practice to secure XML traffic, unsecured XML traffic does not present the same security risk as an unsecured connection to StoreFront, because the XML traffic between StoreFront and Delivery Controller is typically internal with both servers on the same VLAN, unlike a browser connection to StoreFront where the user could be coming in from untrusted/public Wi-Fi connections.
• Steps for configuring SSL/TLS for XML traffic:
  • Install a server certificate on each Delivery Controller (a private certificate should be used because it is only accessed by StoreFront).
  • Configure the correct port (default: 443) with the SSL/TLS certificate created in the above step.
  • Disable the port 80 listener on the Delivery Controller.
  • StoreFront must later also be configured to use https as the transport type for the Delivery Controller.
• On top of securing the XML traffic, the VDA registration traffic and HDX traffic can also be secured by using the following procedures:
  • Obtain, install, and register a server certificate on all Delivery Controllers, and configure a port with the SSL/TLS certificate. Optionally, you can change the ports the Controller uses to listen for HTTP and HTTPS traffic.
  • Enable SSL/TLS connections between users and Virtual Delivery Agents (VDAs) by completing the following tasks:
    • Configure SSL/TLS on the machines where the VDAs are installed. (For convenience, further references to machines where VDAs are installed are simply called "VDAs.") You can use a PowerShell script supplied by Citrix, or configure it manually. For general information, see About SSL settings on VDAs. For details, see Configure SSL on a VDA using the PowerShell script and Manually configure SSL/TLS on a VDA.
    • Configure SSL/TLS in the Delivery Groups containing the VDAs by running a set of PowerShell cmdlets in Studio. For details, see Configure SSL/TLS on Delivery Groups.
  • Requirements and considerations:
    • Enabling SSL/TLS connections between users and VDAs is valid only for Citrix Virtual Apps 7.6 and Citrix Virtual Desktops 7.6 Sites, plus later supported releases.
    • Configure SSL/TLS in the Delivery Groups and on the VDAs after you install components, create a Site, create Machine Catalogs, and create Delivery Groups.
    • To configure SSL/TLS in the Delivery Groups, you must have permission to change Controller access rules; a Full Administrator has this permission.
    • To configure SSL/TLS on the VDAs, you must be a Windows administrator on the machine where the VDA is installed.
    • If you intend to configure SSL/TLS on VDAs that have been upgraded from earlier versions, uninstall any SSL relay software on those machines before upgrading them.
    • The PowerShell script configures SSL/TLS on static VDAs; it does not configure SSL/TLS on pooled VDAs that are provisioned by Machine Creation Services or Citrix Provisioning, where the machine image resets on each restart.
• Securing the XML traffic also reduces the possibility of Delivery Controller impersonation and the interception of authentication requests.
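The three XML hardening steps listed above, scripted for a single Delivery Controller. This is an added example, not part of the course material or a Citrix-supplied script. It assumes the server certificate is already installed in the LocalMachine\My store and that the operator supplies the Citrix Broker Service application GUID; the registry value `XmlServicesEnableNonSsl` comes from Citrix's TLS documentation rather than from this page.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course material): secure the XML Service on one Delivery Controller.
param(
    # Thumbprint of a server certificate already installed in LocalMachine\My (assumption).
    [Parameter(Mandatory)] [string] $Thumbprint,
    # Application GUID of the installed Citrix Broker Service, supplied by the operator (assumption).
    [Parameter(Mandatory)] [guid]   $BrokerAppId,
    [int]    $HttpsPort = 443,
    # Pass this only once every StoreFront store already uses https for this Controller.
    [switch] $DisableHttp
)
$ErrorActionPreference = 'Stop'

# Step 1: make sure the certificate can actually serve TLS before binding it.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)               { throw "Certificate $thumb not found in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid today (valid $($cert.NotBefore) to $($cert.NotAfter))."
}
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ekuOids = @($cert.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object { $_.ObjectId })
if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $serverAuthOid) {
    throw 'Certificate is not issued for Server Authentication.'
}

# Step 2: bind the certificate to the HTTPS port for the Broker Service.
$ipport = "0.0.0.0:$HttpsPort"
& netsh http show sslcert "ipport=$ipport" | Out-Null
if ($LASTEXITCODE -eq 0) {
    throw "A certificate is already bound to $ipport. Review that binding before replacing it."
}
& netsh http add sslcert "ipport=$ipport" "certhash=$thumb" "appid={$BrokerAppId}"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed (exit code $LASTEXITCODE)." }

# Step 3: stop the XML Service from answering plain HTTP.
# XmlServicesEnableNonSsl is the value name given in Citrix's TLS documentation, not on this page.
if ($DisableHttp) {
    $key = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
    if (-not (Test-Path $key)) { throw "$key is missing. Is this a Delivery Controller?" }
    New-ItemProperty -Path $key -Name 'XmlServicesEnableNonSsl' -PropertyType DWord -Value 0 -Force | Out-Null
    Get-Service -DisplayName 'Citrix Broker Service' | Restart-Service
}

# Show the resulting binding so it can be recorded in the change ticket.
& netsh http show sslcert "ipport=$ipport"
```

Run it without `-DisableHttp` first, switch the StoreFront store to https, confirm enumeration still works, then run it again with `-DisableHttp`.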

Additional Resources:
• Securing the XenApp/XenDesktop XML Service: Important Steps to Prevent Theft of User Passwords:
  https://www.citrix.com/blogs/2016/11/03/securing-the-xenappxendesktop-xml-service-important-steps-to-prevent-theft-of-user-passwords
• Transport Layer Security (TLS): 1912 LTSR:
  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/tls.html
• How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic:
  https://support.citrix.com/article/CTX200415/


Features Requiring XML Service Trust

The following features require the XML Service Trust to be configured:
• Smart Access
• Pass-Through Authentication
• Smart Card Authentication


Smart Access
Endpoint Analysis

• Smart Access uses Citrix Gateway Endpoint Analysis to scan endpoint devices.
  1. The Citrix Gateway sends an endpoint scan to the endpoint device.
  2. The Citrix Gateway receives the scan result.
  3. The scan result is presented to StoreFront at logon.
  4. The scan result is evaluated against policies and hosted resources.
• Based on the results:
  • Published resources can be restricted from launching.
  • Policies can be triggered to adapt to the status of the endpoint device.

[Diagram: Citrix Workspace app, Citrix Gateway, StoreFront and Controller, with steps 1 to 4 marked]


Pass-through Authentication

• Pass-through authentication enables comfortable logons for users across systems.
• Some companies consider this feature to lessen security.
• A leading practice is to consult with the persons responsible for company security before implementation.

Key Notes:
• The slide only covers the first part of the Pass-through authentication process.
• At this point, we are only presenting the feature and how it ties in to the XML trust feature.
  1. Citrix Workspace app contacts StoreFront
  2. StoreFront uses Integrated Windows authentication
  3. The Delivery Controller receives the user and group SID from StoreFront

Additional Resources:
• How to Manually Install and Configure Citrix Receiver for Pass-Through Authentication:
  https://support.citrix.com/article/CTX133982
• A Comprehensive Guide to Enabling Pass-Through Authentication with XenDesktop 7.5:
  https://www.citrix.com/blogs/2014/04/11/a-comprehensive-guide-to-enabling-pass-through-authentication-with-xendesktop-7-5/


Smart Card Authentication

• Smart card authentication is a multi-factor authentication type.
• Smart cards are typically the same size as a credit card. Some organizations use the same card for physical access to their buildings.
• Think of a little plastic card that contains a certificate for a specific user.
• This feature requires smart card reader hardware on endpoints and central server configuration.

[Image: Smart Card Reader]


How to configure an XML Service Trust

The Citrix XML Service Trust is enabled by using the following PowerShell command:

  Set-BrokerSite -TrustRequestsSentToTheXMLServicePort $true

Key Notes:
• Prior to entering the command, the appropriate Citrix PowerShell Snap-In needs to be loaded.
• Use IPsec, firewalls, or any technology that ensures that only trusted services communicate with the XML Service.
• Enable this setting only on servers that are contacted by StoreFront.
• Restrict access to the XML Service to only the servers running StoreFront.
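One way to apply the key notes above as a gate: check that the local Windows Firewall only exposes the XML ports to the StoreFront servers before turning the trust setting on. This is an added example, not course material; the StoreFront addresses are constructed sample values, and the check covers only the host firewall on the Delivery Controller, not IPsec or network firewalls.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course material): refuse to enable XML Service Trust
# while the XML ports are reachable from hosts other than the StoreFront servers.
param(
    # Addresses of the StoreFront servers (constructed sample values, replace with your own).
    [string[]] $StoreFrontAddress = @('192.0.2.11', '192.0.2.12'),
    [int[]]    $XmlPort = @(80, 443),
    [switch]   $Enable
)
$ErrorActionPreference = 'Stop'
Add-PSSnapin Citrix.Broker.Admin.V2   # the Broker snap-in must be loaded first

# True when a firewall LocalPort specification ('Any', '443', '8000-8100') covers the port.
function Test-PortMatch {
    param([string[]] $Spec, [int] $Port)
    foreach ($item in $Spec) {
        if ($item -eq 'Any') { return $true }
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($item -match '^\d+$' -and [int]$item -eq $Port) { return $true }
    }
    return $false
}

# Enabled inbound allow rules that open an XML port to anything beyond the StoreFront servers.
$tooBroad = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin 'TCP', '6', 'Any') { continue }
    $hits = @($XmlPort | Where-Object { Test-PortMatch -Spec $portFilter.LocalPort -Port $_ })
    if ($hits.Count -eq 0) { continue }
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $extra  = @($remote | Where-Object { $_ -notin $StoreFrontAddress })
    if ($extra.Count -gt 0) {
        [pscustomobject]@{
            Rule   = $rule.DisplayName
            Ports  = $hits -join ','
            Remote = $extra -join ','
        }
    }
}

$site = Get-BrokerSite
"Current TrustRequestsSentToTheXmlServicePort: $($site.TrustRequestsSentToTheXmlServicePort)"

if ($tooBroad) {
    $tooBroad | Format-Table -AutoSize
    Write-Warning 'XML ports are open to non-StoreFront addresses. Scope these rules before enabling trust.'
    return
}
if ($Enable) {
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
    "Trust enabled: $((Get-BrokerSite).TrustRequestsSentToTheXmlServicePort)"
} else {
    'Firewall scope looks correct. Re-run with -Enable to turn the trust setting on.'
}
```

The check is deliberately conservative: any allow rule that covers the port counts, including rules scoped to another program, so expect to review a few findings by hand.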

Lesson Objective Review

Scenario: You are the Citrix Admin and you receive a call from the help desk Monday morning that users are not able to log on to StoreFront. You verify the StoreFront configuration and you verify port 443 is not blocked on the Delivery Controllers.

What could be the root cause of this sudden change?

The certificate on the Delivery Controllers might have expired.

Key Notes:
• What are the high level steps for configuring a Citrix Virtual Apps and Desktops Site?
• Answers:
  • Step 1: Install Delivery Controller Role
  • Step 2: Create Citrix Virtual Apps and Desktops Site
  • Step 3: Secure XML traffic
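The expired-certificate scenario in this review can be caught before Monday morning by probing each Delivery Controller's HTTPS port and reporting how long its certificate has left. This is an added example, not course material; the Controller names are constructed placeholders and the 30-day warning threshold is an assumption.

```powershell
# Added example (not from the course material): report certificate expiry on the
# Delivery Controllers' XML/STA HTTPS port. Run from a StoreFront server or admin host.
param(
    # Delivery Controller FQDNs (constructed placeholders, replace with your own).
    [string[]] $Controller = @('ddc01.example.test', 'ddc02.example.test'),
    [int] $Port = 443,
    [int] $WarnDays = 30
)

function Get-TlsCertificateStatus {
    param([string] $HostName, [int] $Port, [int] $WarnDays)
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept every certificate so an expired one can still be read; the validation
        # result is recorded and reported instead of aborting the handshake.
        $script:TlsPolicyErrors = $null
        $callback = { param($s, $certificate, $chain, $policyErrors)
                      $script:TlsPolicyErrors = $policyErrors; $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $days = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        if     ($days -lt 0)          { $status = 'EXPIRED' }
        elseif ($days -le $WarnDays)  { $status = 'EXPIRING' }
        else                          { $status = 'OK' }

        [pscustomobject]@{
            Controller   = $HostName
            Status       = $status
            DaysLeft     = $days
            NotAfter     = $cert.NotAfter
            Subject      = $cert.Subject
            PolicyErrors = $script:TlsPolicyErrors   # e.g. RemoteCertificateChainErrors
        }
    } catch {
        [pscustomobject]@{
            Controller   = $HostName
            Status       = 'UNREACHABLE'
            DaysLeft     = $null
            NotAfter     = $null
            Subject      = $null
            PolicyErrors = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

$report = foreach ($name in $Controller) {
    Get-TlsCertificateStatus -HostName $name -Port $Port -WarnDays $WarnDays
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent raise the alert.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```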

Secure HDX External Traffic


Why secure HDX traffic?

• The HDX protocol consists of 32 virtual channels, all capable of transporting sensitive information, including:
  • Client and server capabilities
  • Connection information such as username and matching token
  • Image data from applications running inside the session
  • Clipboard and keyboard data

[Diagram: HDX virtual channels: Framehawk, DCR, Thin wire, Multimedia, Generic Data Transfer, Generic USB, CDM, Audio, Printing, Mobility SDK, Mobility Sensors, Smart Card, Clipboard, KB & Mouse]

Key Notes:
• To prevent disclosure of data, transfer HDX protocol data over encrypted network connections.
• HDX is the name used for ICA and CGP (Common Gateway Protocol) connections.
• While this module focuses on enabling secure access from external networks using the Citrix Gateway, the HDX protocol can also be encrypted internally using SSL/TLS.
• For more information on internal encryption, refer to the links below.

Additional Resources:
• What is HDX?:
  https://www.citrix.com/products/citrix-virtual-apps-and-desktops/hdx-technologies.html
• Transport Layer Security (TLS) - TLS settings on VDAs: 1912 LTSR:
  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/tls.html


Citrix Gateway
Introduction to Securing External Access

• Citrix Gateway is a security hardened appliance (virtual or physical) which communicates with internal resources on behalf of external users to:
  • Authenticate users
  • Allow secured external connections to StoreFront (reverse web proxy)
  • Allow secured access to internal hosted applications and desktops (HDX proxy)

[Diagram: Securing External Access: Endpoints with Citrix Workspace app, Firewall, Citrix Gateway, Firewall, StoreFront, Domain Controller, Delivery Controller, VDA]

Key Notes:
• Citrix Gateway has a huge feature set; this is just a small percentage of what Citrix Gateway can do.
• A proxy server is typically hosted internally to allow users to browse externally-hosted websites without actually having a TCP session to the web servers.
• A reverse web proxy uses the same idea, but instead allows external users to browse internal resources without enabling TCP access to the web servers themselves (many customers may be familiar with Microsoft ISA or TMG servers, which have similar functionalities).
• HDX proxy is similar to reverse web proxy; however, instead of protecting web servers, it protects the internal VDAs and converts port 1494/2598 data to encrypted SSL/TLS data in real time.
• The security appliance can be a Citrix Gateway or a Citrix Gateway with the Gateway Feature, depending on how it is licensed. If you license it to be a Citrix Gateway and use the Gateway Feature, it is a Citrix Gateway containing the Gateway feature. If you only license it to be a Citrix Gateway, then it is just that.


Secure Ticket Authority
Introduction

• The Secure Ticket Authority (STA) produces Secure Tickets, which can be exchanged for session information.
  • Every Delivery Controller hosts a Secure Ticket Authority
  • The STA must be reachable by StoreFront and the Citrix Gateway
• The Secure Ticket is used to avoid transporting user-specific data over unsecured networks.
  • A new Secure Ticket is issued for every resource launch, is only valid inside the current SSL/TLS session, and has a limited lifespan.

[Diagram: Securing External Access: Endpoints with Citrix Workspace app, Firewall, Citrix Gateway, Firewall, StoreFront, Domain Controller, Delivery Controller hosting the STA, VDA]

Key Notes:
• The authentication, application browsing, the request to start an application, and load balancing decisions have already taken place.
• The next step would be Citrix Gateway launching the session on the user’s behalf.
• Like the XML service, the STA service is a sub-service within BrokerService.
• Like the XML service, the STA service is reachable on port 80 by default.
• This service should be secured using SSL/TLS and certificates.
• Think of the STA like a parking valet desk. You turn in your car and receive a randomized number, which can be used to authorize you to pick up your car later without presenting your credentials. The concern in this situation, much like with STA, is you don’t want anyone to intercept your randomized number and pick up your car.
• The STA functions much like a valet parking attendant:
  1. StoreFront “parks” session launch information and is issued a “parking token” (the STA ticket).
     • This contains the secret information that should not be sent to an untrusted network.
     • It also contains the session specific token (STA ticket) necessary for that session.
  2. StoreFront passes this token back to the endpoint device through the Citrix Gateway, along with the resource launch file.
  3. The endpoint device transmits the token to Citrix Gateway, which presents it to the STA to access the “parked” session launch information.

Additional Resources:
• Establishing a Secure Connection to the Server Farm:
  https://docs.citrix.com/en-us/netscaler-gateway/12-1/integrate-web-interface-apps/ng-wi-integrate-apps-secure-connection.html
  (this document talks about Web Interface but the STA exchange is similar for StoreFront).


HDX Proxy

• A leading practice is to have Citrix Gateway as the HDX Proxy component for the following reasons:
  • Security hardened SSL VPN appliance
  • Single point of contact for vendor support
  • Deep integration with all Citrix products and features
  • Available as virtual and physical appliance
• Citrix Gateway can scale and grow on demand

[Diagram: Securing External Access: Endpoints with Citrix Workspace app, Firewall, Citrix Gateway, Firewall, StoreFront, Domain Controller, Delivery Controller, VDA]

Key Notes:
• While there are other products on the market that can do “HDX proxy”, Citrix Gateway is the only product supported by Citrix.
• When new features are added to the HDX protocol, they are immediately supported on Citrix Gateway.
• Competition does not have the same knowledge about the HDX protocol as Citrix does.

Additional Resources:
• How to Configure NetScaler Gateway Session Policies for StoreFront:
  https://support.citrix.com/article/CTX139963


HDX Proxy Connection
Overview

The HDX Proxy establishes the connection for users on endpoint devices from any place to their hosted resources on the corporate network.

• The requirements are:
  • An externally accessible internet address (IP & DNS name)
  • A certificate that endpoint devices trust
  • A firewall rule to allow access to Citrix Gateway using SSL/TLS and port 443

[Diagram: Securing External Access: Endpoints with Citrix Workspace app, Firewall, Citrix Gateway, Firewall, StoreFront, Domain Controller, Delivery Controller, VDA]

Key Notes:
• The next slides will highlight the connection flow step by step in more detail; this slide serves only as an introduction and overview of the connection process as such.
• All ports can be changed, but this might complicate troubleshooting and monitoring. Deviating from default ports should only be done with careful planning.


HDX Proxy
Part 1 of 8

1. An endpoint device accesses the company remote access URL; the external firewall passes traffic to the Citrix Gateway
2. Citrix Gateway displays the authentication page to the user, optionally running an endpoint analysis scan on the endpoint device

[Diagram: Securing External Access, steps 1 and 2 marked]


HDX Proxy
Part 2 of 8

3. The user authenticates to Citrix Gateway
4. Citrix Gateway authenticates the user via LDAP(S) to the Domain Controller

[Diagram: Securing External Access, steps 3 and 4 marked]


HDX Proxy
Part 3 of 8

5. If authentication is successful, Citrix Gateway queries StoreFront for available resources on behalf of the user
6. StoreFront queries the configured Delivery Controllers for available resources accessible to the user

[Diagram: Securing External Access, step 5 marked]


HDX Proxy
Part 4 of 8

7. The Controller queries the site database and returns a list of all available resources for the user to StoreFront.
8. StoreFront builds a web page with the available resources which is proxied to the endpoint device via Citrix Gateway.

[Diagram: Securing External Access, steps 7 and 8 marked]


HDX Proxy
Part 5 of 8

9. The user clicks on a published resource & Citrix Gateway transmits this launch request to StoreFront.
10. StoreFront forwards the request to the Delivery Controller.
11. The Delivery Controller chooses the appropriate VDA to host the session using load-balancing rules & returns the session information to StoreFront.
12. StoreFront buffers the session information in the STA service of the Delivery Controller and receives an STA ticket in return.

[Diagram: Securing External Access, steps 9 to 12 marked]


HDX Proxy
Part 6 of 8

13. StoreFront generates a launch file including the STA ticket
14. StoreFront sends the launch file via Citrix Gateway to the endpoint device as the answer to the user’s click on a resource

[Diagram: Securing External Access, steps 13 and 14 marked]


HDX Proxy
Part 7 of 8

15. Citrix Workspace app on the endpoint device processes the launch file and presents the STA ticket to Citrix Gateway.
16. Citrix Gateway validates the STA ticket with the STA on the Delivery Controller.
17. If validation is successful, the STA returns the session information to Citrix Gateway.

[Diagram: Securing External Access, steps 15 to 17 marked]


HDX Proxy
Part 8 of 8

18. Citrix Gateway uses the session information to establish a session to the VDA, and forwards all session traffic between the Citrix Workspace app on the endpoint device and the VDA

[Diagram: Securing External Access, step 18 marked]
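The 18 steps above reduce to six network legs, and a missing firewall rule on any one of them produces a recognisable symptom. The following added example (not course material) encodes those legs and checks them against a list of permitted flows. The permitted-flow list is constructed sample data, the component names are labels chosen for this example, and the LDAP(S) ports 389/636 are the protocol defaults rather than values from this page.

```powershell
# Added example (not from the course material): map the HDX Proxy flow to firewall legs
# and report which step breaks first for a given set of permitted flows.

# Legs derived from steps 1 to 18. A leg is usable when at least one listed port is open.
# Ports 80, 443, 1494 and 2598 are named in this module; 389/636 are assumed LDAP(S) defaults.
$Legs = @(
    [pscustomobject]@{ Steps = '1-3';       From = 'Endpoint';      To = 'CitrixGateway';      Ports = @(443);        Phase = 'Logon' }
    [pscustomobject]@{ Steps = '4';         From = 'CitrixGateway'; To = 'DomainController';   Ports = @(636, 389);   Phase = 'Logon' }
    [pscustomobject]@{ Steps = '5,8,9,14';  From = 'CitrixGateway'; To = 'StoreFront';         Ports = @(443);        Phase = 'Enumeration' }
    [pscustomobject]@{ Steps = '6,7,10-12'; From = 'StoreFront';    To = 'DeliveryController'; Ports = @(443, 80);    Phase = 'Enumeration' }
    [pscustomobject]@{ Steps = '16-17';     From = 'CitrixGateway'; To = 'DeliveryController'; Ports = @(443, 80);    Phase = 'Launch' }
    [pscustomobject]@{ Steps = '18';        From = 'CitrixGateway'; To = 'VDA';                Ports = @(1494, 2598); Phase = 'Launch' }
)
$Cleartext = @(80, 389)   # ports that carry XML, STA or LDAP traffic without TLS
$Symptom = @{
    Logon       = 'users cannot log on at the gateway'
    Enumeration = 'logon works but no resource list is shown'
    Launch      = 'resources are listed but do not launch'
}

function Test-HdxProxyPath {
    param([Parameter(Mandatory)] [object[]] $Allowed)
    foreach ($leg in $Legs) {
        # Ports of this leg that the permitted-flow list actually opens.
        $open = @(foreach ($port in $leg.Ports) {
            $match = $Allowed | Where-Object {
                $_.From -eq $leg.From -and $_.To -eq $leg.To -and $_.Port -eq $port
            }
            if ($match) { $port }
        })
        if ($open.Count -eq 0) { $result = 'BLOCKED' }
        elseif (@($open | Where-Object { $_ -notin $Cleartext }).Count -eq 0) { $result = 'CLEARTEXT-ONLY' }
        else { $result = 'OK' }

        [pscustomobject]@{
            Steps     = $leg.Steps
            Leg       = "$($leg.From) -> $($leg.To)"
            Phase     = $leg.Phase
            OpenPorts = $open -join ','
            Result    = $result
        }
    }
}

# Constructed sample: the gateway can reach StoreFront and the VDAs but not the
# Delivery Controller, and StoreFront still talks XML over port 80.
$allowed = @(
    [pscustomobject]@{ From = 'Endpoint';      To = 'CitrixGateway';      Port = 443 }
    [pscustomobject]@{ From = 'CitrixGateway'; To = 'DomainController';   Port = 636 }
    [pscustomobject]@{ From = 'CitrixGateway'; To = 'StoreFront';         Port = 443 }
    [pscustomobject]@{ From = 'StoreFront';    To = 'DeliveryController'; Port = 80 }
    [pscustomobject]@{ From = 'CitrixGateway'; To = 'VDA';                Port = 1494 }
    [pscustomobject]@{ From = 'CitrixGateway'; To = 'VDA';                Port = 2598 }
)

$report = Test-HdxProxyPath -Allowed $allowed
$report | Format-Table -AutoSize

$blocked = $report | Where-Object { $_.Result -eq 'BLOCKED' } | Select-Object -First 1
if ($blocked) {
    "Steps $($blocked.Steps) fail on $($blocked.Leg): $($Symptom[$blocked.Phase])."
}
$report | Where-Object { $_.Result -eq 'CLEARTEXT-ONLY' } | ForEach-Object {
    Write-Warning "$($_.Leg) is only reachable on port $($_.OpenPorts), so this traffic is not protected by TLS."
}
```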


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 11

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Lesson Objective Review

Scenario: You are the Citrix Admin and you have recently configured Citrix Gateway. Testing shows that you can log on from outside and see the list of resources, however, you cannot launch resources. You have identified all options to be configured correctly and you have verified with the Network team that Citrix Gateway can communicate with StoreFront and all VDAs.

What could be missing?

Citrix Gateway also needs firewall access to Delivery Controllers to verify the STA Ticket.

Key Notes:
• StoreFront has scalability built into the architecture and does not rely on clustering technologies.
• However, StoreFront is relying on Citrix Gateway to distribute the incoming client connections and mitigate in case of failures.
• StoreFront checks out a Secure Ticket for the user's session and passes this information back through the Citrix Gateway to the user’s device in the form of an ICA launch file. When Citrix Workspace app opens the ICA launch file, the Secure Ticket is presented to the Citrix Gateway. The Citrix Gateway will then attempt to validate this ticket with the STA; if this operation fails, resources cannot be launched.
Lab Exercises
Module 11


Lab Exercise

• 11-1: Secure XML Traffic on NYC-VDC-001
• 11-2: Configure the Store to Use Secure XML Connections
• 11-3: Integrate StoreFront with the Citrix Gateway
• 11-4: Enable Remote Access to the Store
• 11-5: Test External Access through the Citrix Gateway


Key Takeaways

• Administrators are expected to secure the Citrix Virtual Apps and Desktops components.
• Enable XML service trust to support more authentication options.
• Integrate Citrix Gateway to securely connect to company resources from unsecured networks.


Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Monitor the Site

Module 12


Learning Objectives

• Introduce the Citrix Director management console.
• Explain how to use Citrix Director to monitor a session.
• Analyze published Apps using Citrix Director.
• Explain how to monitor machines running the VDA using Citrix Director.
• Use Citrix Director to monitor the Citrix Virtual Apps and Desktops Site.
• Configure alerts and notifications on Citrix Director.
• Integrate Citrix Director with Citrix Application Delivery Management.


Citrix Director Introduction


Citrix Director
Introduction

Citrix Director is …
• A web-based management console.
• A user help-desk portal.
• Included with the Citrix Virtual Apps and Desktops advanced edition and higher

Citrix Director can …
• Monitor and troubleshoot Sites, infrastructure and sessions.
• Help troubleshoot connection and performance issues.
• Gather data from different sources and integrate with Citrix Application Delivery Management.

Key Notes:
• Director can access:
  • Real-time data from the Broker Agent using a unified console integrated with Analytics, Performance Manager, and Network Inspector.
    • Analytics includes performance management for health and capacity assurance, and historical trending and network analysis, powered by Citrix Application Delivery Management, to identify bottlenecks due to the network in your Citrix Virtual Apps and Desktops environment.
  • Historical data stored in the Monitor database to access the Configuration Logging database.
  • ICA data from the Citrix Gateway using Citrix Application Delivery Management.
    • Gain visibility into the end-user experience for virtual applications, desktops, and users for Citrix Virtual Apps or Citrix Virtual Desktops.
    • Correlate network data with application data and real-time metrics for effective troubleshooting.
    • Integrate with Citrix Director monitoring tool.
• Director is an on-premise component, typically hosted on Delivery Controllers or separate servers depending on scale and use case.
• Citrix Application Delivery Management is an appliance that can deliver data from the ICA sessions flowing through Citrix Gateway like latency, bandwidth consumption and packet loss.

Additional Resources:
• Director: 1912 LTSR:
  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director.html
• NMAS Overview:
  http://docs.citrix.com/en-us/netscaler-mas/11-1/netscaler-mas-overview.html
• Citrix Application Delivery Management:
  https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13.html


On-Premise vs Citrix Cloud

[Screenshots: On-premises Director and Cloud Director]

Key Notes:
• Cloud Hosted Director is not accessed through an HDX connection like Cloud Hosted Studio.
• Citrix Application Delivery Management can be purchased as a separate service in Citrix Cloud but currently it does not integrate with Cloud Director.
• Hosting Connections and Licensing information are not currently shown in Cloud Director.
• New reports will be available faster in Cloud Director than in on-premises Citrix Director.

Additional Resources:
• Cloud Director:
  https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/director.html


Citrix Director

• Both On-Premises and Citrix Cloud Directors require a login from either a Full Administrator or a delegated administrator, so the permissions can be allowed or restricted appropriately.
• Data retention for On-Premises Citrix Director is dependent on both the license edition of the deployment and the data type.
• Citrix Director reports can be exported to PDF, Excel, and CSV report formats.

Key Notes:
• Director functionality is available on the Monitor tab of the Virtual Apps and Desktops console.
• Alerts are displayed in Director on the dashboard and other high-level views with warning and critical alert symbols. Alerts update automatically every minute; you can also update alerts on demand.
• The Trends view accesses historical trend information for sessions, connection failures, machine failures, logon performance, load evaluation, capacity management, machine usage and resource utilization for each Site.
• The Applications tab displays application-based analytics in a single, consolidated view to help analyze and manage application performance efficiently. You can gain valuable insight into the health and usage information of all applications published on the Site.
• Reports available:
  • Filter data to troubleshoot failures
  • Alerts and notifications
  • Monitor historical trends
  • Export reports
  • Application instance prediction
  • Application Analytics – VDA 7.15 or later
• Data retention is 90 days for Citrix Cloud and 180 days for On-Premise.

Additional Resources:
• Cloud Director:
  https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/director.html
• Data Granularity and Retention:
  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/data-retention.html


On-Premise Installation Requirements
Operating System, Software, and Server Access

Operating System
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2
• Standard, Datacenter, and Server Core options supported

Software
• Microsoft Internet Information Services (IIS) 7.0
• .NET Framework 4.7.1
• ASP.NET 2.0

Server Access
• Network access to a Delivery Controller Server

Key Notes:
• By default, Citrix Director is installed on a Delivery Controller.
• Install Director using the installer, which checks for prerequisites, installs any missing components, sets up the Director website, and performs basic configuration.
• The installer handles typical deployments. If Director was not included during installation, use the installer to add Director. To add any additional components, re-run the installer and select the components to install.
• For information on using the installer, see the installation documentation. Citrix recommends that you install using the product installer only, not the .MSI file.
• Although a range of .NET Framework versions are supported (as stated above), .NET Framework 4.7.1 is installed automatically if it is not already installed.
• Remember there are no installation requirements for Citrix Cloud, as the product is available once the Citrix Virtual Apps and Desktops Service is subscribed to.
• Supported browsers for viewing Director:
  • Internet Explorer 11 (You can use Internet Explorer 10 only on Windows Server 2012 R2 machines)
  • Microsoft Edge
  • Firefox ESR (Extended Support Release)
  • Chrome

Additional Resources:
• Director:
  • 1912 LTSR: System Requirements - Citrix Director:
    https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director.html
  • 1912 LTSR:
    https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html#citrix-director


On-Premise Installation
Considerations
Small Scale Deployments

Admin Internet Delivery


• For small scale deployments, install Citrix Explorer Controller with
Director

N
Director on the Delivery Controller.

ot
Enterprise Deployments
• For enterprise deployments, Citrix

fo
recommends a dedicated Director server.

rr
Director Server Delivery
• For high-availability, install two Citrix Director Admin Internet

es
Explorer Controller
servers accessed via a load-balancer.

al
High-Availability Deployments

e
or
Director Server

di
Admin Internet Citrix Delivery

s
Explorer Gateway Controller

tri
Director Server

b ut
© 2021 Citrix Authorized Content

io
n
Key Notes:
• In smaller environments, the Delivery Controller should have capacity to run Director.
• However, as load starts to increase, Director can take away resources from the Delivery Controller.
• To ensure optimal performance inside Director, and ensure proper session brokering performance, separate the Director
role away from Delivery Controller.
• To ensure a highly available Director solution, and to spread load between Director servers, use Citrix Gateway to load
balance between multiple servers.

Additional Resources:
• Using NetScaler to Load Balance Director:
https://www.citrix.com/blogs/2016/09/06/using-netscaler-to-load-balance-director/


On-Premises Architecture

[Diagram: On-Premises Architecture. Layers: User Layer, Access Layer, Control Layer, Resource Layer, Hardware Layer. Labeled components: Internal Users, External Users, Firewall, Citrix Gateway, StoreFront, Citrix Director, UI, Authentication, Citrix Application Delivery Management, Director Web Console, Director Web Service, Delivery Controller, Del. Admin Service, Monitoring Service, Broker Service, Config. Log Service, Domain Controller, License Server, SQL (Site DB, Monitoring DB, Conf Logging DB), Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC. Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• Director is more than a management console; it is a full product feature and infrastructure component of Citrix Virtual Apps
and Desktops. That is why most enterprise deployments have a dedicated set of servers just for Director.
• The architecture in Citrix Cloud is similar, but it’s within the Citrix Cloud Control Plane.

Additional Resources:
• Director: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director.html

Basic Navigation
Citrix Director

• The homepage of Citrix Director is the Dashboard, which shows events and performance data from the last hour.
• Most graphs are clickable, and provide additional relevant data, if clicked.
• Menu items on the top lead to different views of Director.

Key Notes:
• The default view when logging on to Director as an administrator is the dashboard. The dashboard contains alerts and a
number of clickable graphs.
• If there are active alerts, the Alerts pane will drop down.

Points of Interest in the Dashboard
Citrix Director

• The lower area of the Dashboard displays information about the health of required infrastructure services, like:
    • Hypervisors
    • Databases
    • License Server

Key Notes:
• The lower part of the dashboard contains the operational status for hypervisors, databases, and the License Server.

Different Views
Citrix Director

The different views of Citrix Director are:
• Dashboard
• Trends
• Filters
• Alerts
• Search

Key Notes:
• Dashboard – Provides an overview of performance and failures for the last hour. This self-updating view can be left open,
so Citrix administrators can quickly see a change in performance of their Site and react accordingly.
• Trends – Provides access to recorded Site metrics for up to a year. Administrators can create a historical report on how
many users have used resources from the Site and which applications are used the most.
• Filters – Functions much like database queries to find specific information about machines, sessions or connections.
Administrators can produce a filtered list of all users with a specific Citrix Workspace app version or running a certain application from specific networks.
• Alerts – An interface to define rules for alert conditions. Administrators of specified Delivery Groups can be
notified via email when logon performance drops or a predefined load threshold is exceeded.
• Search – Search for sessions by specifying username, VDA name or endpoint. Help desk users can
interactively search for sessions to offer remote assistance or begin troubleshooting.

Additional Resources:
• Site Analytics: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics.html


Trends
Citrix Director

Use the Trends view to access historical reports on session, logon, and resource performance:


Filters
Citrix Director

The Filters view allows filtering based on:
• Machines
• Sessions
• Connections
• Application Instances

Filters provide associated actions, like:
• Reset/Power down a VDA
• Log off a session
• Send a message to the user

Key Notes:
• The filtered views can be filtered by many different criteria. These filters can also be saved for easier access.
• Example: I want to find all sessions that are connected from a legacy Citrix Receiver less than version 4.0.
• Pre-defined filters cannot be edited, but you can save a pre-defined filter as a custom filter and then modify it. Additionally,
you can create custom filtered views of machines, connections, and sessions across all Delivery Groups.

Additional Resources:
• Citrix Director 7.6: Filters explained:
https://www.citrix.com/blogs/2014/12/17/citrix-director-7-6-filters-explained/
• Monitor deployments - Filter data to troubleshoot failures: 1912 LTSR:
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/director/monitor-deployments.html


Applications
Citrix Director

• The Applications view displays application-based analytics in a single, consolidated view to help analyze and manage application performance efficiently.
• This view provides valuable insight into the health and usage information of all applications published on the Site.
• The default view helps identify the top running applications.

Key Notes:
• This feature requires Delivery Controller(s) Version 7.16 or later and VDAs version 7.15 or later.

Additional Resources:
• Troubleshoot applications:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/troubleshoot-deployments/applications.html

Lesson Objective Review

Scenario: You are the Citrix Admin and you are trying to find a report in Director that will show you the number of sessions connected to your environment over the past two hours.

Which section do you go to?

Trends -> Sessions

Key Notes:
• Using the Trends section of Director will give you access to a vast amount of historical data hosted in the Site database.

Monitor and Interact With User Sessions


The Director Navigation Experience
Navigation experience is dependent on the level of delegated administrative permissions per Site.

• Full Administrator Experience: As delegated Full Administrator, click the Search button in the upper right corner.
• Help Desk Experience: As delegated Help Desk Administrator, the Search view is the predefined homepage of Director.

Key Notes:
• For every administrator that has access to the Dashboard view, the Search view is located in the upper right corner.
• For all administrators that do not have access to the Dashboard view (or Trends and Filters), but have access to certain
Director functions (view Client/Machine/User details page), the Search view automatically becomes the homepage.
• CXD-105: Citrix Virtual Apps and Desktops Help Desk Support provides an in-depth treatment of how Help Desk
Administrators can use Citrix Director and other tools to help provide effective triage and basic troubleshooting for a
number of commonly reported Citrix Virtual Apps and Desktops user issues. This includes numerous troubleshooting examples that demonstrate how a Help Desk Admin can use Citrix Director, even with limited permissions, to determine a root cause for a user issue, or at least to rule out potential root causes and escalate the issue quickly.


Search for a Session
Citrix Director

To search for a session, the following parameters can be applied:
• User: The name of the user
• Machine: The name of the VDA
• Endpoint: The name of the user’s client device

Key Notes:
• The beginning of given name, last name, or logon name can be used to query Active Directory while typing. So the first
few characters from a user’s name are sometimes sufficient to receive a suggestion from Active Directory.
• Suggestions while typing are also available for the machine and endpoint search.
• Matching is always done from left to right, so entering “Tata” would match “Tatarinov”, but “tari” would not.

View a Session
Citrix Director

• In the default session view, administrators can perform some session management tasks and use the Activity Manager to:
    • Stop an application
    • See a program’s CPU and memory consumption
• To switch to a more detailed view, click on the Details button in the top right corner.

Key Notes:
• Applications are normally visibly running in the user’s session, while processes contain tasks running in the background
(normally not visible to the user).

View a Session's Connection Transport Protocol
Citrix Director

• View the transport protocol in use for the HDX connection type for the current session in the Session Details panel.
• This information is available for sessions launched on VDAs Version 7.13 or later.

Additional Resources:
• Monitor deployments / Site analytics: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics.html

View Session Details
Citrix Director

• The detailed session view offers far more information about the session of a user:
    • Running applications and processes
    • VDA data and performance metrics like disk queue length
    • Session status, and Citrix Workspace app version
    • Applied policies

Key Notes:
• The Session view and Detailed Session view are self-updating, but can be updated on demand as well to reflect recent
changes to a user’s session.
• Meaningful names can help a lot while troubleshooting an issue, as the full name of a policy is displayed in the session
details windows.
• What is Disk Queue Length?
    • An estimate of the requests on the virtual machine’s logical disk that are in service or waiting for service.

View the HDX Channels
Citrix Director

• In the User Details view, check the status of the HDX channels on the user’s machine in the HDX panel.
• This panel is available only if the user machine is connected using HDX.

Key Notes:
• If a message appears indicating that the information is not currently available, wait for one minute for the page to refresh,
or select the Refresh button. HDX data takes a little longer to update than other data.
• HDX channel system reports can be saved to an .xml file. These are used mainly by Citrix Support to troubleshoot issues.

Additional Resources:
• Run HDX channel system reports: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/troubleshoot-deployments/user-issues/hdx-channel-reports.html


Use Trends to View Session Data Over Time
Citrix Director

• The Trends view shows the historical data for the Number of Concurrent Sessions.
• Historical trends can be viewed for the last 365 days.
• Historical data can be viewed for a specific Delivery Group or for all Delivery Groups together.

Key Notes:
• Click on Trends view to see the historical data.
• In Trends we can look at historical data for all the sessions, Failures, Logon Performance, Load Evaluator Index, Capacity
management, Machine Usage, Resource Utilization, Custom Reports and Network.

Switch Between Sessions
Citrix Director

Use the session selector to switch between multiple running sessions for a user or VDA.


Log Off vs Disconnect User Sessions
Director can be used to either log off or disconnect a user from a session.

When a session is logged off:
• Session is no longer visible to the user.
• All applications are stopped.
• License (depending on the license model) is set free.
• User Profile is saved back to the profile share.
• Session is shut down.

When a session is disconnected:
• Session is no longer visible to the user.
• All applications continue to run.
• License (depending on the license model) is set free.
• User Profile is still in use on the VDA.
• Session keeps running and can be reconnected.

Key Notes:
• During log off and closure of applications, depending on the OS & application setting, unsaved content might get lost.
• Tasks currently consuming CPU and memory will continue to do so when a session is disconnected.

Shadow User Sessions

The Shadow feature allows a Delegated Administrator to:
• See the same content from the session as the user.
• Interact with the applications inside the session on behalf of the user.
• Chat with the user of a session.

The following requirements must be met for Shadowing:
• Special permissions
• Network requirements

Key Notes:
• Depending on local data and privacy laws, using this feature requires consent of the user.
• Some companies consider shadowing a security vulnerability or an invasion of privacy.
• Shadowing Windows OS VDA machines uses Microsoft’s Remote Control feature.
    • This requires some configuration before it can be used:
        • The VDA needs to be accessible from the help desk agent’s machine via the Remote Control port (default: 3389).
        • The person or group accessing a session needs the appropriate permission to do so.
        • The remote control feature needs to be enabled during the setup of Director.
• Shadowing Linux VDA machines is available for version 7.16 or later running RHEL 7.3 or Ubuntu Version 16.04 Linux distributions.
    • This requires some configuration before it can be used:
        • The Linux machine with VDA installed must also have the python-websockify and x11vnc packages installed.
        • noVNC connection to the VDA machine uses the WebSocket protocol. By default, “ws://” WebSocket protocol is used, but for security reasons, Citrix recommends that you use the secure “wss://” protocol.

Additional Resources:
• Shadow users: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/troubleshoot-deployments/user-issues/shadow-users.html
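The per-VDA shadowing prerequisites from the key notes above, expressed as an inventory audit. This is an added example, not Citrix code; the inventory records, their field names, and the host names are constructed for illustration.

```python
import re
import socket
from urllib.parse import urlsplit

# Requirements as stated in the key notes above.
REMOTE_CONTROL_PORT = 3389                      # default Remote Control port
LINUX_MIN_VDA = (7, 16)                         # Linux VDA 7.16 or later
LINUX_DISTROS = {("rhel", "7.3"), ("ubuntu", "16.04")}
LINUX_PACKAGES = {"python-websockify", "x11vnc"}


def parse_version(text):
    """'7.16' -> (7, 16). Tuples avoid the string trap where '7.9' > '7.16'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection from this machine to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_windows(vda, probe):
    """Check the Windows VDA items: port reachability and shadow permission."""
    findings = []
    port = vda.get("remote_control_port", REMOTE_CONTROL_PORT)
    if not probe(vda["host"], port):
        findings.append(f"TCP port {port} not reachable from this machine")
    if not vda.get("shadow_permitted_groups"):
        findings.append("no person or group is permitted to shadow sessions")
    return findings


def audit_linux(vda):
    """Check the Linux VDA items: version, distribution, packages, wss://."""
    findings = []
    if parse_version(vda["vda_version"]) < LINUX_MIN_VDA:
        findings.append(f"VDA version {vda['vda_version']} is older than 7.16")
    distro = (vda["distro"].lower(), vda["distro_version"])
    if distro not in LINUX_DISTROS:
        findings.append(f"{vda['distro']} {vda['distro_version']} is not a listed distribution")
    missing = sorted(LINUX_PACKAGES - set(vda.get("packages", [])))
    if missing:
        findings.append("missing packages: " + ", ".join(missing))
    scheme = urlsplit(vda.get("novnc_url", "")).scheme.lower()
    if scheme == "ws":
        findings.append("noVNC uses ws://; Citrix recommends wss://")
    elif scheme != "wss":
        findings.append("noVNC URL is missing or is not a WebSocket URL")
    return findings


def audit(inventory, probe=tcp_reachable):
    """Return {vda name: [findings]}; an empty list means nothing to fix."""
    report = {}
    for vda in inventory:
        if vda["os"].lower() == "windows":
            report[vda["name"]] = audit_windows(vda, probe)
        else:
            report[vda["name"]] = audit_linux(vda)
    return report


# Constructed sample inventory; every field name here is hypothetical.
SAMPLE_INVENTORY = [
    {"name": "vda-win-01", "os": "windows", "host": "vda-win-01.example.test",
     "shadow_permitted_groups": ["EXAMPLE\\HelpDesk"]},
    {"name": "vda-win-02", "os": "windows", "host": "vda-win-02.example.test",
     "shadow_permitted_groups": []},
    {"name": "vda-lnx-01", "os": "linux", "vda_version": "7.9",
     "distro": "Ubuntu", "distro_version": "16.04",
     "packages": ["x11vnc"], "novnc_url": "ws://vda-lnx-01.example.test:6001"},
    {"name": "vda-lnx-02", "os": "linux", "vda_version": "7.16",
     "distro": "RHEL", "distro_version": "7.3",
     "packages": ["python-websockify", "x11vnc"],
     "novnc_url": "wss://vda-lnx-02.example.test:6001"},
]

if __name__ == "__main__":
    # Stand-in probe so the demo runs offline; pass probe=tcp_reachable
    # when running from a real help desk machine.
    def offline_probe(host, port):
        return host == "vda-win-01.example.test"

    for name, findings in audit(SAMPLE_INVENTORY, probe=offline_probe).items():
        print(name, "OK" if not findings else findings)
```

Run it from the help desk agent's machine with the default `tcp_reachable` probe, since the reachability requirement is stated from that machine's point of view.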


Reset a User's Profile
User profiles contain all application settings for a user.

To reset a user’s profile:
1. Administrator issues user profile reset
2. User logs out of all sessions
    I. Profile management renames the original profile.
    II. Profile management creates a new profile for the user.
    III. Profile management copies retained data from the original profile to the new profile.
3. User logs on to new session

[Diagram: User Device and File Server. New Profile: Copied Data, New Settings. Original Profile (renamed): Original Data, Original Settings.]

Key Notes:
• The profile reset function is available only for user profiles managed by Citrix User Profile Management or Microsoft
roaming profiles.
• It is a leading practice to separate user application settings from user generated data by using folder redirection.
• Citrix Profile Management retains and copies folders like My Documents or Pictures to the user profile after resetting the
application settings in the profile. In addition, the original profile is not deleted but just renamed; so, data from this profile
can be recovered if needed.

• Folder Redirection is important when resetting a Microsoft roaming profile; without folder redirection enabled, the user will lose access to My Documents, Pictures, Download etc., and it will be a manual process of copying them from the renamed profile into the new profile.
• In addition to resetting a user profile, an administrator can use Citrix Director to reset the Personal vDisk.
• Remember that starting with XenApp and XenDesktop 7.15, the Personal vDisk (PvD) feature was deprecated from both CR & LTSR. Customers still using PvD are encouraged to pursue App Layering instead. As long as PvD still functions, Citrix Director can be used to reset the Personal vDisk.
• The VDA needs to be running, but the user will be logged out during the reset procedure.
• Personal vDisks are a very special solution to some problems/scenarios and add an additional layer of management and overhead to the system. Therefore they should be used only where appropriate requirements exist.
• Any data on the personal vDisk will be lost if they are not saved elsewhere or backed up. This function should be used with caution.
• If a Delegated Admin does not have permissions to reset the Personal vDisk, the menu item will be gray in Director. This administrative permission can be found in the delegated role under Director.
• Caution: When you reset the disk, the settings revert back to their factory default values and all data on it is deleted, including applications. The profile data is retained unless you modified the Personal vDisk default (of redirecting profiles from the C: drive), or you are not using a third-party profile solution.
• A Personal vDisk retains any changes a user makes, such as:
    • User installed applications & plugins
    • Windows updates
    • Cached profiles
• When resetting the Personal vDisk, the VDA will lose all changes and return to its original state.
• Delegated Administrators should reset the Personal vDisk, if:
    • Data on the personal vDisk is no longer required
    • The Personal vDisk is corrupt.
    • The VDA is assigned to a new user


Additional Resources
• Reset a user profile: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/user-issues/reset-user-profile.html


End an Application or a Process Within a User Session

• Administrators have the option to terminate a specific application or process inside a session using Director.
• This is helpful in the following situations:
    • The application has stopped responding
    • The process is deadlocked or using 100% CPU consistently
    • Terminating the entire session is not desirable
• Avoid terminating system specific processes.
• Terminating active processes may cause data loss.

Key Notes:
• The option to kill processes is not new, but it is much more accessible since the feature has been exposed to Director.
• Ensure that all Delegated Admins that have access to Director are aware of the consequences of killing a process.

Additional Resources
• Restore sessions: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/troubleshoot-deployments/user-issues/restore-session.html
• Resolve application failures: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/troubleshoot-deployments/user-issues/application-failures.html


Send a Message to a User Session
Citrix Director

• Director provides administrators the option to send messages to users.
• The message will pop up immediately as a notification inside the session, and will always appear in focus.
• Can be useful during image maintenance and updates, restarting VDAs, and resolving profile issues.

Key Notes:
• Sending a message to users is extremely helpful when doing maintenance on Citrix environments because it allows us to
quickly notify active users of pending actions.

Additional Resources
• Send messages to users: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/troubleshoot-deployments/user-issues/send-messages.html

Lesson Objective Review

Scenario: You are the Citrix Admin and you have recently demonstrated Director to your help desk staff.

However, after granting them access, they complain that their permissions inside Director are limited.

What could be the issue?

Delegated Admins with help desk privileges will only be presented a subset of Director features.

Published Apps Analysis


Application Analytics Introduction
Citrix Director

• Application Analytics provides an overall picture of the health and real-time usage of all published applications.
• In the “Applications” view, administrators can view metrics like the number of instances, backend faults and error metrics for all published applications.

Additional Resources:
• Troubleshoot applications – Application Analytics (available for Delivery Controllers 7.16+): 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/troubleshoot-deployments/applications.html
• Application Analytics in Citrix Director:
https://www.citrix.com/blogs/2017/12/05/application-analytics-in-citrix-director/

Application Health
Citrix Director

• The health of each published application in a Site can be monitored using the Application Faults and Application Errors columns in the default view of the Applications section.
• These columns display the aggregated number of faults and errors that have occurred while launching the corresponding application in the last hour.
• The application failure policy settings govern the availability and display of faults and errors.

Key Notes:
• Click the “Application Faults” or “Application Errors” field to see failure details on the “Trends > Application Failures” page
corresponding to the selected application.

Additional Resources:
• Troubleshoot applications – Application Analytics (available for Delivery Controllers 7.16+):
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/applications.html

Application Usage
Citrix Director

• The Instances column displays the usage of applications.
• It indicates the number of application instances currently running (both connected and disconnected instances).
• To view further details, click the Instances field to see the corresponding Application Instances filter page.
    • Here, you can select application instances to log off or disconnect.

Additional Resources:
• Troubleshoot applications – Application Analytics (available for Delivery Controllers 7.16+): 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/troubleshoot-deployments/applications.html

Application Probing
Citrix Director

• Application probing automates the process of checking the health of published applications in a Site.
• The Probe Result column displays the result of application probing, and if the probe was unsuccessful, it will show the stage at which it failed.
• Click the probe result link to see more details in the Trends > Application Probe Results page.

Key Notes:
• You can schedule your application probes to run during off-peak hours across multiple geographies. The comprehensive
probe results can help to troubleshoot issues related to the applications, hosting machine or connection before the users
experience them.

Additional Resources:
• Troubleshoot applications – Application Analytics (available for Delivery Controllers 7.16+): 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/applications.html


Application Probing Setup
Deployment Requirements

Prerequisites for Application Probing:
• Delivery Controller is version 7.18+.
• Endpoint machines running probe agents are Windows machines with Windows Receiver version 4.8+ or Citrix Workspace app.
• Director must support the default form-based authentication.
• StoreFront must have HTTP Basic authentication enabled.

User accounts/permissions required to run Application Probing:
• A unique non-admin StoreFront user account to probe on each endpoint machine.
• User accounts with Windows admin permissions to install and configure the Citrix Probe Agent on the endpoint machines.
• A full administrator user account.

Key Notes:
• The StoreFront user account does not have to be an administrator account because probes can run in a non-admin
context.
• The full administrator user account should use the “Full Administrator” Citrix administrators role. Alternatively, a custom
role with the following permissions can be used instead:
    • Delivery Group permissions:
        • Read-only
    • Director permissions:
        • Create\Edit\Remove Alert Email Server Configuration - if the email server is not already configured
        • Create\Edit\Remove Probe Configurations
        • View Configurations page
        • View Trends page
• Reusing existing user accounts for application probing might log off those users’ active sessions.

Additional Resources:
• Application probing (available for Delivery Controller 7.18+): 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/applications/app-probing.html


Application Probe Setup
Steps to Deploy

1. Install and configure the Citrix Probe Agent on endpoint machine(s)
2. Configure application probing in Citrix Director
3. Agent executes application probing
4. View probe results in the Applications page

Key Notes:
• The Citrix Probe Agent is a Windows executable that simulates the actual application launch by the user through
StoreFront. It tests application launches as configured in Director and reports back the results to Director.
• To successfully install and configure the Citrix Probe Agent:
    1. Identify endpoint machines that will execute the application probing.
    2. A user account with administrative privileges must be used to install and configure the Citrix Probe Agent on the endpoint machine(s). The executable is available on the Citrix Downloads page (see Additional Resources).
    3. Start the agent and configure the StoreFront and Director credentials. Configure unique StoreFront users for each endpoint machine that will be used. The credentials are encrypted and stored securely.
• To configure application probing in Citrix Director:
    1. Go to Configuration > Application Probing Configuration
    2. Create a probe and fill out the required fields (Name, apps to be probed, endpoints running the probe, and probe schedule)
• After configuration in Citrix Director, the agent takes 10 minutes before it is ready to start probing. Then, it runs configured probes starting the next hour.

Additional Resources:
• Application probing (available for Delivery Controller 7.18+): 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/applications/app-probing.html
• Citrix Application Probe Agent (may require a Citrix Account to access):
https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/components/app-probe-agent.html


Application Probe Architecture

• The Agent machine(s) retrieve the latest probe config from Director.
• At the scheduled time, the Agent machine(s) contact StoreFront to fetch the ICA file required for the test app launches.
• The ICA file is run using Citrix Workspace app installed on the endpoint.
• The result of the probe is sent to Director.

[Diagram: Application Probe Architecture, with flows numbered 1 to 4. Labeled components: Application Probe Agent Endpoint, Citrix Workspace app for Windows, StoreFront, Citrix Virtual Apps and Desktops Site, Citrix Director, Probe Service, Citrix Monitoring Service, Monitoring Database.]

Key Notes:
• The Application Probe Agent machine(s) fetch the latest configuration every six hours after the initial configuration.

Application Probe Visibility
Citrix Director

• The Application Probe Results page shows the results of probes run in the last 24 hours by default.
• The Time Period filter can be adjusted to show the past 7 days of probe results.

Key Notes:
• Application probing automates the process of checking the health of Citrix Virtual Apps published within a given Site.
• These results are available for review in Citrix Director.
• Application probes can be scheduled to run during off-peak hours and across multiple geographies.
• Comprehensive probe results are a pro-active way to troubleshoot issues related to any applications, hosting machine or
connection, before users experience them.
• Requirements:
    • Delivery Controller runs version 7.18 or later.
    • Endpoint machines running probe agents are Windows machines with Citrix Receiver for Windows Version 4.8 or later.
    • Citrix Workspace app for Windows requires Version 1808 or later.
    • There is no current support for Workspace app for Unified Windows Platform (UWP).
    • Director and StoreFront support the default form-based authentication.
• User accounts/permissions required to run Application Probing:
    • A unique StoreFront user is needed to probe on each endpoint machine.
    • The StoreFront user does not need to be an administrator; the probes can run in a non-admin mode.
    • User accounts with Windows administrator permissions to install and configure the Citrix Probe Agent on the endpoint machines.
    • A full administrator user account or a custom role with the following permissions.
    • Reusing existing user accounts for application probing might log off the users’ active sessions.
    • Delivery Group permissions:
        • Read-only
    • Director permissions:
        • Create\Edit\Remove Alert Email Server Configuration - if the email server is not already configured
        • Create\Edit\Remove Probe Configurations
        • View Configurations page
        • View Trends page
• Configure Application Probing:
    1. Install and configure the Citrix Probe Agent:
        • The Citrix Probe Agent is a Windows executable that simulates the actual application launch by the user through StoreFront. The agent tests application launches and reports the results to Director.
    2. Configure Application Probing in Director:
        • Located in Director under Configuration > Application Probe Configuration.
    3. Probe execution:
        • The agent executes application probing as per the probe configuration it fetches from Director periodically.
        • The agent reports the results back to Director via the Monitor database.
• StoreFront Reachability - configured StoreFront URL is not reachable.
• StoreFront Authentication - configured StoreFront credentials are invalid.
• StoreFront Enumeration - StoreFront Enumerate applications list does not contain the application to be
probed.
• ICA download - the ICA file is not available.
• Application launch – the application cannot be launched.

N
1. View probe results:

ot
• Results can be viewed in the Applications page of Citrix Director.

fo
Additional Resources:

rr
• Application probing – View probe results 1912 LTSR:

es
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-

al
deployments/applications/app-probing.html

e
or
di
s tri
b ut
io
n

871 © 2021 Citrix Authorized Content


Built-In Application Filters

• Citrix Director includes various built-in application filters to help administrators see application instances that meet certain criteria.
• Examples of the built-in application filters include:
  • Application type (Hosted on Desktop vs. Installed on Client)
  • Associated User
  • Connection Type
  • Delivery Group
  • Idle Time (hh:mm)
  • Machine Name
  • Session State

Key Notes:
• The built-in application filters can be used to help troubleshoot applications and sessions. For example, the idle time metric can be used to identify instances that are idle beyond a specific time limit.
• Typical use cases for application-based troubleshooting are in the healthcare sector, where employees share application licenses. There, you must end idle sessions and application instances to purge the Citrix Virtual Apps and Desktops environment, to reconfigure poorly performing servers, or to maintain and upgrade applications.


Additional Resources:
• Troubleshoot applications – Real-time application monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/applications.html


Create Custom Application Filters
Citrix Director

• Multiple built-in filters can be combined to provide more granularity to the search.
• The custom filters can be saved, so that they do not have to be recreated manually each time.
• The saved custom filters for each category (machines, sessions, connections, application instances) can be found within the “Filters” drop-down menu.

Additional Resources:
• Troubleshoot applications – Real-time application monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/applications.html


Identify Idle Applications
Custom Filter Example

• As the “Filter by” criteria, the Published name (of the application) would be selected as the first filter.
• Then, Idle Time would be added as a secondary filter; it can be set to be greater than or equal to a specific time limit to find instances that have been idle for too long and should be logged off or disconnected by administrators.
• At this point, the filter can be saved for reuse so that this combination of parameters can be retrieved quickly in the future.

Additional Resources:
• Troubleshoot applications – Real-time application monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/applications.html


Historical Application Failure Monitoring
Citrix Director

• The Trends -> Application Failures tab displays historical failures associated with the published applications on the VDA machines.
• The failures are displayed as Application Faults or Application Errors based on their severity.
  • The Application Faults tab displays failures associated with loss of functionality or data.
  • Application Errors indicate problems that are not immediately relevant; they signify conditions that might cause future problems.

Key Notes:
• Application failure trends are available for the last 2 hours, 24 hours, 7 days, and month for Platinum and Enterprise licensed Sites. They are available for the last 2 hours, 24 hours, and 7 days for other license types. The application failures that are logged to the Event Viewer with source “Application Errors” are monitored.
• The grooming retention settings for application failure monitoring, GroomApplicationErrorsRetentionDays and GroomApplicationFaultsRetentionDays, are set to one day by default for both Platinum and non-Platinum licensed Sites. You can change this setting using the PowerShell command:
  Set-MonitorConfiguration -<setting name> <value>
• In the Director console, you can filter the failures based on Published Application Name, Process Name or Delivery Group, and Time Period. The table displays the fault or error code and a brief description of the failure. The detailed failure description is displayed as a tooltip.
• The Published Application name is displayed as “Unknown” when the corresponding application name cannot be derived. This typically occurs when a launched application fails in a desktop session or when it fails due to an unhandled exception caused by a dependent executable.
• By default, only faults of applications hosted on Server OS VDAs are monitored. You can modify the monitoring settings through the Monitoring Group Policies:
  • Enable monitoring of application failures
  • Enable monitoring of application failures on Desktop OS VDAs
  • List of applications excluded from failure monitoring
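
The two grooming settings named above can be reviewed and changed as shown here, which matters when fault and error records need to outlive the one-day default for later investigation. This is an added example, not part of the courseware or Citrix's own code; it assumes a Delivery Controller with the Citrix Monitor PowerShell snap-in (assumed name Citrix.Monitor.Admin.V1), and the function name and 7-day values are illustrative.

```powershell
# Added example. Assumes a Delivery Controller with the Citrix Monitor
# PowerShell snap-in (assumed name: Citrix.Monitor.Admin.V1) installed.
Add-PSSnapin Citrix.Monitor.Admin.V1 -ErrorAction Stop

function Set-AppFailureRetention {
    # Hypothetical helper: brings the two application-failure grooming
    # settings to the requested values and changes only what differs.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1, [int]::MaxValue)][int]$ErrorsDays = 7,  # illustrative value
        [ValidateRange(1, [int]::MaxValue)][int]$FaultsDays = 7   # illustrative value
    )

    $desired = [ordered]@{
        GroomApplicationErrorsRetentionDays = $ErrorsDays
        GroomApplicationFaultsRetentionDays = $FaultsDays
    }
    $current = Get-MonitorConfiguration
    $changes = @{}

    foreach ($name in $desired.Keys) {
        $old = $current.$name
        if ($old -ne $desired[$name]) {
            Write-Verbose "$name : $old -> $($desired[$name])"
            $changes[$name] = $desired[$name]
        }
    }

    if ($changes.Count -gt 0 -and
        $PSCmdlet.ShouldProcess('Monitor Service configuration',
                                "Set $($changes.Keys -join ', ')")) {
        # Splatting expands to: Set-MonitorConfiguration -<setting name> <value>
        Set-MonitorConfiguration @changes
    }

    # Return the effective values so the change can be recorded.
    Get-MonitorConfiguration |
        Select-Object GroomApplicationErrorsRetentionDays,
                      GroomApplicationFaultsRetentionDays
}

# Preview the change first, then apply it.
Set-AppFailureRetention -ErrorsDays 7 -FaultsDays 7 -WhatIf -Verbose
Set-AppFailureRetention -ErrorsDays 7 -FaultsDays 7 -Verbose
```

Longer retention increases the size of the Monitoring database, so record the previous values before changing them.
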

Additional Resources:
• Troubleshoot applications – Historical application failure monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/applications.html


Export App Analysis to a File
Citrix Director

• Citrix Administrators can export trends data to generate regular usage and capacity management reports.
• Historical monitoring data can be exported to generate reports in CSV, Excel or PDF formats.
• This is typically accomplished by using the “Export” button located on each historical monitoring page in the Citrix Director console.

Key Notes:
• Reports in PDF and Excel formats contain trends represented as graphs and tables. CSV format reports contain tabular data that can be processed to generate views or can be archived.
• Director generates the report based on the filter criteria you select prior to generating the report. If you change the filter criteria, click Apply before you click Export.
• Export of a large amount of data causes a significant increase in memory and CPU consumption on the Director server, the Delivery Controller, and the SQL servers. The supported number of concurrent export operations and the amount of data that can be exported are set to default limits to achieve optimal export performance.
• For more information on supported export limits and error handling, please see the link in Additional Resources.

Additional Resources:
• Monitor deployments – Export reports: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics.html


App Monitoring Policies

• The Application Failure tab, by default, displays only application faults from Server OS VDAs.
• This can be modified through the use of Citrix policy settings.
• The feature can be disabled completely by setting “Enable monitoring of application failures” to Disabled.

Key Notes:
• There are three Citrix policy settings that can impact application monitoring:
  • Enable monitoring of application failures
    • Use this setting to configure application failure monitoring to monitor either application errors or faults (crashes and unhandled exceptions), or both.
    • Disable application failure monitoring by setting the Value to None.
    • The default for this setting is Application faults only.
  • Enable monitoring of application failures on Desktop OS VDAs
    • By default, failures only from applications hosted on the Server OS VDAs are monitored.
    • To monitor Desktop OS VDAs, set the policy to Allowed.
    • The default for this setting is Prohibited.
  • List of applications excluded from failure monitoring
    • Specify a list of applications that are not to be monitored for failure.
    • By default this list is empty.

Additional Resources:
• Monitoring policy settings – Policies for application failure monitoring:
  • 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html
  • 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html


VDA Data Points
Citrix Director

• Besides handling VDA machine registrations and brokering new sessions, the Delivery Controller can also collect monitoring data from the VDA machines.
• This data is stored in the monitoring database and is displayed using Citrix Director.
• The collection of this data consumes bandwidth and the retention of the data consumes storage, so some organizations may elect to disable this via policy.

[Diagram labels: VDA machines; Registration, Session Brokering, Data Collection; Delivery Controller; Site Database; Citrix Director.]

Additional Resources:
• Monitoring policy settings – Policies for process and resource monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html


VDA Data Points
Process Monitoring

• Enable this setting to allow monitoring of processes running on machines with VDAs.
• Statistics such as CPU and memory use are sent to the Monitoring Service. The statistics are used for real-time notifications and historical reporting in Director.
• The default for this setting is Disabled.

Additional Resources:
• Monitoring policy settings – Policies for process and resource monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html


VDA Data Points – Resource Monitoring

• Enable this setting to allow monitoring of critical performance counters on machines with VDAs.
• Statistics such as CPU, memory, IOPS and disk latency data are sent to the Monitoring Service. The statistics are used for real-time notifications and historical reporting in Director.
• The default for this setting is Enabled.

Additional Resources:
• Monitoring policy settings – Policies for process and resource monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html


Scalability
Introduction

• The process and resource monitoring metrics can provide valuable insight into the overall scalability of the environment.
  • CPU and memory data is pushed to the database from each VDA machine at 5-minute intervals
  • Process data (if enabled) is pushed to the database at 10-minute intervals
  • IOPS and disk latency data is pushed to the database at 1-hour intervals
• You can modify the default retention settings to suit your needs by using PowerShell commands. This consumes extra storage but can provide more accuracy in the process utilization data.

Additional Resources:
• Monitoring policy settings – Policies for process and resource monitoring – Optional configurations: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html


Scalability – Resource Data Retention

CPU and memory data is enabled by default. Data retention values are as follows (Premium license):

Data Granularity    Number of Days
5 Minute Data       1 Day
10 Minute Data      7 Days
Hourly Data         30 Days
Daily Data          90 Days

IOPS and disk latency data is enabled by default. The data retention values are as follows (Premium license):

Data Granularity    Number of Days
Hourly Data         3 Days
Daily Data          90 Days

Key Notes:
• By default, the data will be groomed over time to save on storage space. As a result, after the specified number of days, the monitoring data will be less detailed unless the granularity is increased.

Additional Resources:
• Monitoring policy settings – Policies for process and resource monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html


Scalability – Resource Data Storage Requirements

With the data retention settings at the defaults, approximately 276 KB of disk space is required to store the CPU, memory, IOPS and disk latency data for one VDA machine over a period of one year.

Number of machines    Approximate storage required
1                     276 KB
1K                    270 MB
40K                   10.6 GB

Additional Resources:
• Monitoring policy settings – Policies for process and resource monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html


Scalability – Process Data

Process data is disabled by default. It is recommended to enable process data on a subset of machines on an as-needed basis. The default data retention settings for the process data are as follows:

Data Granularity    Number of Days
10-minute Data      1 Day
Hourly Data         7 Days

If process data is enabled, with the default retention settings, process data would consume approximately 1.5 MB per Desktop OS VDA machine and 3 MB per Server OS VDA machine over a period of 1 year.

Number of machines    Approximate storage required (Desktop OS VDA machine)    Approximate storage required (Server OS VDA machine)
1                     1.5 MB                                                   3 MB
1K                    1.5 GB                                                   3 GB

Additional Resources:
• Monitoring policy settings – Policies for process and resource monitoring: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html


Lesson Objective Review

How many user accounts with access to StoreFront are required when using App Probing?

One user account per endpoint will be used to conduct App Probing tests.


Monitor the Machines Running the VDA


VDA Machine Monitoring Introduction

• The Filters > Machines view in the Director console displays the machines configured in the Site.
• The Server OS Machines tab includes the load evaluator index, which indicates the distribution of performance counters and tooltips of the session count if you hover over the link.
• Click the Failure Reason column of a failed machine to get a detailed description of the failure and actions recommended to troubleshoot the failure.

Key Notes:
• The failure reasons and the recommended actions for machine and connection failures are available in the Citrix Director 7.12 Failure Reasons Troubleshooting Guide (see Additional Resources below).
• Click on any machine name link to go to that machine’s Machine Details page. The Machine Details page lists the machine details, infrastructure details, and details of the hotfixes applied on the machine.

Additional Resources:
• Citrix Director 7.12 Failure Reasons Troubleshooting Guide:
https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/downloads/Director-7.12-Failure-Reasons-Troubleshooting-Guide.pdf
• Troubleshoot machines: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/machines.html


Real-Time Resource Utilization
Citrix Director

• The Machine Utilization panel within Machine Details displays graphs showing real-time utilization of CPU and memory.
• In addition, disk and GPU monitoring graphs are available for Sites with Delivery Controller(s) and VDA versions 7.14 or later.

Key Notes:
• Disk monitoring graphs, average IOPS, and disk latency are important performance measurements that help you monitor and troubleshoot issues related to VDA disks. The Average IOPS graph displays the average number of reads and writes to a disk.
• Select Disk Latency to see a graph of the delay between a request for data and its return from the disk, measured in milliseconds.
• Select GPU Utilization to see percentage utilization of the GPU, the GPU memory, and of the Encoder and the Decoder to troubleshoot GPU-related issues on Server or Desktop OS VDAs.
• The GPU Utilization graphs are available only for VDAs running 64-bit Windows with NVIDIA Tesla M60 GPUs and running Display Driver version 369.17 or later.

Additional Resources:
• Troubleshoot machines – Machine-based real-time resource utilization: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/machines.html


Monitor the Disk

• Director provides IOPS and disk latency measurements of Server and Desktop OS VDAs.
• The Machine Utilization panel is extended to display the real-time average IOPS and disk latency for a selected VDA as graphs.

Additional Resources:
• Troubleshoot machines: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/machines.html


Monitor the Disk Over Time
Citrix Director

• Use Historical Machine Utilization to view and export the average IOPS and disk latency measurements for a selected time period.
• The Trends -> Resource Utilization tab in Director is extended to display the historical IOPS and disk latency metrics for all VDAs in the selected Delivery Group.
• Disk utilization over a period helps in understanding the disk performance and usage and to plan resource allocation.

Additional Resources:
• Troubleshoot machines: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/machines.html


Monitor Failed Attempts to Connect

• User-friendly Connection and Machine failure descriptions.
• Connection and Machine failures in the Director's Filters page are supported with detailed descriptions of the possible failure causes and recommended actions.
• This enables administrators to efficiently troubleshoot the connection or machine related failures in the Citrix Virtual Apps and Desktops Site.

Key Notes:
• From the Desktop OS Machine Failures tab or Server OS Machines tab, select the failure type, Delivery Group, and time period to view a graph containing more detailed information about the machine failures across your Site.
• For machine failures, failure types are classified as failed to start, stuck on boot, and unregistered. For Server OS machines, failures also include machines reaching maximum load.
• For connection failures, failure types are classified into: Client Connection Failures, Configuration Errors, Machine Failures, Unavailable Capacity, Unavailable Licenses.
• This feature requires Delivery Controller(s) version 7.12 or later.
• Connection failures over the last 60 minutes. Click the categories next to the total number to view metrics for that type of failure. In the adjacent table, that number is broken out by Delivery Groups. Connection failures include failures caused by application limits being reached. For more information on application limits, see Applications.
• Total failures in the last 60 minutes broken out by Delivery Groups. Failures broken out by types, including failed to start, stuck on boot, and unregistered. For Server OS machines, failures also include machines reaching maximum load.

Additional Resources:
• What's new (1912 LTSR):
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/whats-new.html
• Monitor deployments: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics.html
• Citrix Director 7.12 Failure Reasons Troubleshooting Guide:
https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/downloads/Director-7.12-Failure-Reasons-Troubleshooting-Guide.pdf


Historical Data

• The Trends view accesses historical trend information for:
  • Sessions
  • Failures (connections)
  • Logon Performance
  • Load evaluation
  • Capacity Management
  • Machine Usage
  • Resource Utilization (per site)
  • Application Failures
  • Probe Results
  • Custom Results
  • Network analysis
• To locate this information, click the Trends menu.

Key Notes:
• Administrators can report on recorded performance metrics of a Site reaching up to a year in the past (depending on the product edition).
• The data can also be exported in PDF, CSV or XLSX format for later processing or archival.
• The different reports available include:
  • Sessions: shows the number of peak concurrent sessions for any Delivery Group. Also displays session start times and duration for selected users.
  • Failures: displays errors relating to VDAs and connections in association with administrative changes made to the Site database.
  • Logon Performance: provides an overview of the duration of each logon for specific Delivery Groups in a set timespan with a breakdown on how much time is spent in different phases of the logon process, like group policy application or running logon scripts.
  • Load Evaluator Index: shows the load management values used to determine session placement on Server OS VDAs and breaks them down.
  • Capacity Management: reveals how many concurrent instances of any published app were running in a set time period.
  • Machine Usage: shows how many VDAs are available and which Delivery Groups they are assigned to.
  • Application Failures: The Application Failures tab displays failures associated with the published applications on the VDAs. By default, only application faults from Multi-session OS VDAs are displayed.
  • Probe Results: Displays the results of probes for applications that have been configured for probing in the Configuration page. Here, the stage of launch during which the application launch failure occurred is recorded.
  • Resource Utilization: Graphs show data for Average CPU, Average Memory, and Peak Concurrent Sessions. The administrator can drill down to the machine, and view data and charts for the top ten processes consuming CPU.
  • Customized reports: The Custom Reports tab provides a user interface to generate Custom Reports containing real-time and historical data from the Monitoring database in tabular format.
  • Network: provides deeper insight into HDX performance metrics, like how many times a client automatically reconnected, or what latency applied to what session (and when).

Additional Resources:
• Citrix Director: Trends explained:
https://www.citrix.com/blogs/2014/09/22/citrix-director-trends-explained/
• Monitor historical trends across a Site: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics/trends.html


Custom Reporting

• The Custom Reports user interface in the Trends tab enables you to create new reports without having to write OData queries to extract real-time and historical data available in the Monitoring database.
• You can export custom reports, and save and share the corresponding OData queries.
• This feature is available in the Platinum Edition of Director deployments and requires Delivery Controller(s) version 7.12 or later.

Key Notes:
• The Custom Reports tab provides an administrator with the ability to generate Custom Reports.
• The reports are generated containing both real-time and historical data pulled from the Monitoring database in tabular format.
• Create a new Custom Report query based on machines, connections, sessions, or application instances.
• Apply filter conditions based on fields such as machine, Delivery Group, or time period.
• Specify additional custom columns required in your Custom Report, if desired.
• Export the report in CSV format for review if needed.
• You can create a new Custom Report query based on a copied OData query. To do this, select the OData Query option and paste the copied OData query. You can save the resultant query for execution later.
• What is OData? OData or Open Data Protocol is an ISO/IEC approved, OASIS standard that defines a set of best practices for building and consuming RESTful APIs.
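
Custom Reports are backed by OData queries, and the connection failures covered under Monitor Failed Attempts to Connect are held in the same Monitoring database. As an added example (not from the courseware or Citrix), the script below goes beyond the Director UI: it builds an OData query against the Monitor Service and summarizes connection failures per failure code. The v4 endpoint path, the ConnectionFailureLogs entity set and its field names are assumptions to confirm against the service's $metadata, and the sample rows and host name are constructed.

```powershell
# Added example; sample rows are constructed. Entity set and field names
# (ConnectionFailureLogs, FailureDate, ConnectionFailureEnumValue, MachineId)
# and the /Citrix/Monitor/OData/v4/Data path are assumptions to check
# against <BaseUrl>/$metadata on your Delivery Controller.

function New-FailureQuery {
    # Builds the query URL for failures newer than -Days days (UTC).
    param(
        [Parameter(Mandatory)][string]$BaseUrl,
        [ValidateRange(1, 365)][int]$Days = 7
    )
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = [uri]::EscapeDataString("FailureDate ge $since")
    $select = 'FailureDate,ConnectionFailureEnumValue,MachineId'
    '{0}/ConnectionFailureLogs?$filter={1}&$select={2}' -f $BaseUrl.TrimEnd('/'), $filter, $select
}

function Get-ODataRows {
    # Large result sets are paged; follow @odata.nextLink until it is absent.
    param([Parameter(Mandatory)][string]$Url)
    while ($Url) {
        $page = Invoke-RestMethod -Uri $Url -UseDefaultCredentials
        $page.value
        $Url = $page.'@odata.nextLink'
    }
}

function Measure-ConnectionFailures {
    # Groups rows by failure code: how many, on how many machines, last seen.
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows | Group-Object ConnectionFailureEnumValue | ForEach-Object {
        $dates = $_.Group | ForEach-Object { [datetime]$_.FailureDate }
        [pscustomobject]@{
            FailureCode = $_.Name
            Count       = $_.Count
            Machines    = @($_.Group.MachineId | Sort-Object -Unique).Count
            LastSeen    = ($dates | Sort-Object | Select-Object -Last 1)
        }
    } | Sort-Object Count -Descending
}

# Constructed rows in the shape the query would return (codes are placeholders).
$sample = @(
    [pscustomobject]@{ FailureDate = '2021-03-01T08:15:00Z'; ConnectionFailureEnumValue = 2;   MachineId = 'machine-a' }
    [pscustomobject]@{ FailureDate = '2021-03-01T08:17:30Z'; ConnectionFailureEnumValue = 2;   MachineId = 'machine-b' }
    [pscustomobject]@{ FailureDate = '2021-03-02T11:02:10Z'; ConnectionFailureEnumValue = 2;   MachineId = 'machine-a' }
    [pscustomobject]@{ FailureDate = '2021-03-02T13:40:00Z'; ConnectionFailureEnumValue = 100; MachineId = 'machine-c' }
)
Measure-ConnectionFailures -Rows $sample | Format-Table -AutoSize

# Against a live Site (hypothetical host name):
# $url = New-FailureQuery -BaseUrl 'https://ddc01.example.local/Citrix/Monitor/OData/v4/Data' -Days 7
# Measure-ConnectionFailures -Rows @(Get-ODataRows -Url $url)
```

Each failure code can then be looked up in the Failure Reasons Troubleshooting Guide listed under Additional Resources.
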

Additional Resources:
• Monitor historical trends across a Site (Custom Reports):
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics/trends.html
• Monitor deployments: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics.html
• Troubleshoot machines: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/machines.html


Historical Resource Utilization

• In the Machine Utilization panel, click View Historical Utilization to view the historical usage of resources on the selected machine.
• The utilization graphs include critical performance counters:
  • CPU
  • Memory
  • Sessions
  • IOPS
  • Disk Latency

Key Notes:
• The Monitoring policy setting, Enable Process Monitoring, must be set to Allowed to collect and display data in the Top 10 Processes table on the Historic Machine Utilization page. The collection is prohibited by default.
• The CPU and memory utilization, average IOPS, and disk latency data is collected by default. You can disable the collection by using the Enable Resource Monitoring policy setting.
• To see the machines whose Machine Utilization you can review, go to “Filters > Machines > All Machines”, and then select the machine you want to review from the Machine Name list at the bottom of the page.
• Or, select the Search button, then select “Search for” > Search for machine and enter the machine you want to review; this displays the Machine Utilization. From there you can review its Historical Utilization.

Additional Resources:
• Troubleshoot machines – Machine-based historical resource utilization: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/machines.html


Lesson Objective Review

Scenario: You are the Citrix Admin and you are trying to find a report in Director that will show the CPU and Memory utilization for all the machines in a particular Delivery Group for last 7 days. Which section do you go to?

Trends > Resource Utilization


Site Specific Common Monitoring


Licensing Status

• License Server displays any alerts sent by the License Server and the actions required to resolve the alerts.
  • Requires Citrix License Server Version 11.16 or later.
• Delivery Controller displays the details of the licensing state as seen by the Controller; these details are sent by the Controller.
  • Requires Controller for Citrix Virtual Apps 7.6 or Citrix Virtual Desktops 7.6 or later.
• You can set the threshold for alerts in Studio.

Additional Resources:
• System requirements – Citrix Director: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/system-requirements.html#citrix-director


Average Logon Duration

• Logon data can be reviewed for the last (2 or 24) hours, last week, last month or year.
• The large number, 29s, indicates the Average Logon Duration for that specific set of logons at that time interval.

Key Notes:
• Logon data for VDAs earlier than Citrix XenDesktop 7.0 is not included in this average.
• Use Logon Duration data to troubleshoot user logon issues. In the User Details view, the duration is displayed as a number value; below it are the time the logon occurred and a graph of the phases of the logon process.
• As users log on to Citrix Virtual Apps and Desktops, the Monitor Service tracks the phases of the logon process from the time the user connects from Citrix Workspace app to the time when the desktop is ready to use. The large number on the left is the total logon time and is calculated by combining the time spent establishing the connection and obtaining a desktop from the Delivery Controller with the time spent to authenticate and log on to a virtual desktop. The duration information is presented in seconds (or fractions of seconds) in the local time of the Administrator’s web browser.

Additional Resources:
• Monitor deployments: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics.html
• Diagnose user logon issues: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/troubleshoot-deployments/user-issues/user-logon.html


Site Infrastructure

• The Infrastructure lists the Site’s host resource connection information and Delivery Controllers.
• From Citrix Hypervisor you can generate performance alerts on CPU, network I/O, disk I/O usage across specified thresholds.
• The default alert repeat interval is 60 minutes and can be configured.

Additional Resources:
• Monitor deployments: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/site-analytics.html
• Citrix XenServer 7.1 Administrator's Guide:
https://docs.citrix.com/en-us/xenserver/7-1/downloads/administrators-guide.pdf


Lesson Objective Review

Where can the threshold alerts be set for the Licensing Status?

In Citrix Studio.


Alerts and Notifications


Alerts Introduction
Citrix Director

• Alerts enable Citrix administrators to quickly become aware of potential issues with a Citrix Virtual Apps and Desktops Site.
• Displayed in Director on the Dashboard and other high level views with warning and critical alert symbols.
• Available for Platinum licensed Sites.
• Update automatically every minute.
• You can also update Alerts on demand.

Additional Resources:
• Alerts and notifications: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html


Alerts and Notifications

• The Citrix Director alerting feature:
  • Sends an email to a user or distribution list when a preconfigured threshold is reached * (Requires configuration).
  • Prevents support staff from having to manually monitor Director for alerts.
  • User Policy and CPU/Memory alerts are 7.11 features.
  • Can trigger SNMP traps from 7.12.

Key Notes:
• Citrix alerts are alerts monitored in Director that originate from Citrix components. You can configure Citrix alerts within
Director in Alerts > Citrix Alerts Policy. As part of the configuration, you can set notifications to be sent by email to
individuals and groups when alerts exceed the thresholds you have set up. Configure the notification as emails to
individuals and groups, Octoblu webhooks, and SNMP traps.

Additional Resources:
• Alerts and notifications: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html


Alerts Convention

Warning: A warning alert (amber triangle) indicates that the warning threshold of a condition has been reached or exceeded.

Critical: A critical alert (red circle) shows that the critical threshold of a condition has been reached or exceeded.

Additional Resources:
• Alerts and notifications: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html


Director Notifications

• As part of the Alert configuration, you can set notifications to be sent by email to individuals and groups when alerts exceed the thresholds you have set up.
• You can configure the notification as emails to individuals and groups, Octoblu webhooks, and SNMP traps.
• When an alert configured with an SNMP trap triggers, the corresponding SNMP trap message is forwarded to the configured network listener for further processing.

Key Notes:
• Alerts are displayed in Director on the dashboard and other high-level views with warning and critical alert symbols.
• Alerts are available for Platinum licensed Sites.
• Alerts update automatically every minute; you can also update alerts on demand.
• You can configure Citrix alerts to monitor Citrix components within Director in Alerts > Citrix Alerts Policy.
• Citrix alerts support traps of SNMP version 2 and later. Currently, the trap message can be forwarded to one listener.
• This feature requires Delivery Controller(s) version 7.18 or later.
• You can forward the SNMP traps to SCOM. To do this, configure SCOM with the Delivery Controller to listen to the trap messages.

Additional Resources:
• Alerts and notifications: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html


Alert Considerations

Alerts More Details
You can view more detailed information on alerts by selecting an alert from the sidebar, clicking the Go to Alerts link at the bottom of the sidebar or by selecting Alerts from the top of the Director page.
In the Alerts view, you can filter and export alerts. For example, Failed Server OS machines for a specific Delivery Group over the last month, or all alerts for a specific user.

Alert Sources
Citrix Alerts can originate from various Citrix components, and have historically been displayed within the Citrix Director UI.
As of Director 7.18, Citrix administrators can use Alert Policies directly generated from within Citrix Director.

Key Notes:
• As part of the configuration, you can set notifications to be sent by email to individuals and groups when alerts exceed the thresholds you have set up.
• You can also configure the notification as Octoblu webhooks or SNMP traps.

Additional Resources:
• Alerts and notifications: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html


Built-in Alert Policies

• A set of built-in alert policies with predefined threshold values is available for the Delivery Groups and Multi-session OS VDAs scope.
• This feature requires Delivery Controller(s) version 7.18 or later.
• You can modify the threshold parameters of the built-in alert policies in Alerts > Citrix Alerts Policy.
• These policies are created when there is at least one alert target (a Delivery Group or a Multi-session OS VDA) defined in your Site.

Key Notes:
• In case you upgrade Director and your Site, the alert policies from your previous Director instance are carried over. Built-in alert policies are created only if no corresponding alert rules exist in the Monitor database.

Additional Resources:
• Alerts and notifications – Built-in alert policies: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html


Create Alert Policies

• New alert policies can be created around a specific set of session count criteria.
• The following parameters are required for the new policy:
  • Name of Alert
  • Description
  • One or more conditions that have to be met for the alert to be triggered
  • Set the re-alert interval
  • Set the Scope – for example, set for a specific Delivery Group
  • In Notification preferences, specify who should be notified by email when the alert is triggered

Key Notes:
• When setting up a condition, Warning values must not be greater than Critical values.
• The re-alert interval means that if the conditions for the alert are still met, the alert is triggered again at this time interval
and, if set up in the alert policy, an email notification is generated. A dismissed alert does not generate an email
notification at the re-alert interval.
• You have to specify an email server on the Email Server Configuration tab in order to set email Notification preferences in Alerts Policies.
• Creating a policy with 20 or more Delivery Groups defined in the Scope might take approximately 30 seconds to complete the configuration. A spinner is displayed during this time.
• Creating more than 50 policies for up to 20 unique Delivery Groups (1000 Delivery Group targets in total) might result in an increase in response time (over 5 seconds).
• Moving a machine containing active sessions from one Delivery Group to another might trigger erroneous Delivery Group alerts that are defined using machine parameters.

Additional Resources:
• Alerts and notifications – Built-in alert policies: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html


Alert policies conditions

• The conditions are the core part of the custom alert policy. For example, specify Warning and Critical counts for Peak Connected Sessions, Peak Disconnected Sessions, and Peak Concurrent Total Sessions.
• Find below an example of an alert category, recommended actions to mitigate the alert, and built-in policy conditions if defined. The built-in alert policies are defined for alert and re-alert intervals of 60 minutes.

Category: % of CPU Usage
Recommendation to mitigate alert:
• Identify the processes or resources consuming CPU
• End the process if necessary (can cause unsaved data to be lost)
• If all is working as expected, add additional CPU resources in the future.
Built-in policy conditions:
• Scope: Delivery Group, Server OS scope
• Threshold values: Warning – 80%, Critical – 90%

Key Notes:
• Additional conditions include:
• Peak Connected Sessions
• Peak Disconnected Sessions
• Peak Concurrent Total Sessions
• % of CPU usage (shown in chart)
• % of Memory usage
• Connection failure count (number of connection failures over the last hour)
• ICA Round-trip time (Average)
• ICA Round-trip time (# of sessions that exceed the threshold)
• ICA Round-trip time (% of sessions that exceed the threshold)
• ICA Round-trip time (applied to sessions launched by a specific user)
• Failed Machines (both Desktop OS and Server OS available)
• Average logon duration
• Logon duration (for a specified user over the last hour)
• Load Evaluator Index

Additional Resources:
• Alerts and notifications – Alerts policies conditions: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html
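
The threshold, re-alert and dismissal rules described for alert policies can be replayed against sample readings to see which alerts and emails result. This is an added example, not Citrix code and not part of the original manual: `AlertCondition`, `replay` and the sample readings are hypothetical. It assumes that a reading below the Warning threshold ends an alert episode and clears any dismissal.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AlertCondition:
    """Hypothetical model of one alert policy condition (not a Citrix API)."""
    name: str
    warning: float
    critical: float
    realert_minutes: int = 60     # built-in policies re-alert every 60 minutes
    email_enabled: bool = True    # notification preferences set on the policy

    def __post_init__(self) -> None:
        # Key note: Warning values must not be greater than Critical values.
        if self.warning > self.critical:
            raise ValueError(
                f"{self.name}: Warning {self.warning} exceeds Critical {self.critical}")
        if self.realert_minutes <= 0:
            raise ValueError(f"{self.name}: re-alert interval must be positive")

    def severity(self, value: float) -> Optional[str]:
        """A threshold counts as hit when it is reached or exceeded."""
        if value >= self.critical:
            return "Critical"
        if value >= self.warning:
            return "Warning"
        return None


Event = Tuple[int, str, bool]  # (minute, severity, email sent)


def replay(cond: AlertCondition, samples: List[Tuple[int, float]],
           dismissed_at: Optional[int] = None) -> List[Event]:
    """Replay (minute, value) readings and return the alerts that would fire.

    Model assumptions: an alert fires on the first reading that meets the
    condition and fires again once the re-alert interval has elapsed while the
    condition is still met. A dismissed alert still re-fires but sends no email.
    """
    events: List[Event] = []
    episode_start: Optional[int] = None
    last_fired: Optional[int] = None
    for minute, value in sorted(samples):
        sev = cond.severity(value)
        if sev is None:
            episode_start = last_fired = None   # condition cleared
            continue
        if episode_start is None:
            episode_start = minute              # first hit of a new episode
        elif minute - last_fired < cond.realert_minutes:
            continue                            # inside the re-alert interval
        dismissed = (dismissed_at is not None
                     and episode_start <= dismissed_at < minute)
        events.append((minute, sev, cond.email_enabled and not dismissed))
        last_fired = minute
    return events


# Built-in CPU condition from the table above: Warning 80%, Critical 90%.
CPU_BUILTIN = AlertCondition("% of CPU usage", warning=80, critical=90)

# Constructed readings: (minutes since start, % CPU).
CPU_SAMPLES = [(0, 70), (30, 85), (60, 88), (90, 93),
               (120, 95), (150, 91), (180, 60), (210, 82)]

if __name__ == "__main__":
    for label, dismissed in (("no dismissal", None), ("dismissed at 100", 100)):
        print(label)
        for minute, sev, emailed in replay(CPU_BUILTIN, CPU_SAMPLES, dismissed):
            print(f"  t+{minute:3d} min  {sev:8s}  email={'yes' if emailed else 'no'}")
```

In the dismissed run the condition is still met at minute 150, so the alert re-fires without an email; anyone relying on email alone would not see that the load persisted.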



Configure Alert Policies to Work with SNMP Traps

• When an alert configured with an SNMP trap triggers, the corresponding SNMP trap message is forwarded to the configured network listener for further processing.
• Citrix alerts support traps of SNMP version 2 and later, and require Delivery Controller(s) version 7.12 or later.
• Currently, the trap message can be forwarded to one listener.

Key Notes:
• To configure SNMP traps, PowerShell cmdlets are used. For information on the specific cmdlets used, please see the link in Additional Resources.

Additional Resources:
• Alerts and notifications – Configure alerts policies with SNMP traps: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/alerts-notifications.html


Lesson Objective Review

True or False:
Citrix Administrators can use Alert Policies directly generated from within Citrix Director.

True. As of Citrix Virtual Apps and Desktops 7.18


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 12

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercises.


Optimize Citrix Director Monitoring With Citrix ADM


What is Citrix Application Delivery Management (ADM)?

• Citrix Application Delivery Management (ADM) is a virtual appliance that runs as a virtual machine.
• Citrix Application Delivery Management (ADM) integrates with Citrix Director to provide network analysis and performance management.
• The result of this integration gives Citrix Virtual Apps and Desktops Admins:
  • Network analysis of HDX Traffic via HDX Insight reports
  • Historical retention and real-time assessment, which provide expanded capabilities to create Trend reports.

Key Notes:
• Citrix Application Delivery Management runs as a virtual appliance on supported hypervisors:
• Citrix Hypervisor
• Microsoft Hyper-V
• VMware ESXi
• Linux KVM
• Citrix Application Delivery Management is a centralized management solution that provides Citrix Admins with visibility into the traffic running across the Citrix Gateway Product line.
• Citrix Gateway Product line compatible with Citrix Application Delivery Management includes:
• MPX, VPX, SDX, CPX, Citrix Gateway and Citrix SD-WAN
• While the focus of this course is HDX traffic analysis, Citrix Application Delivery Management can analyze any traffic type across the complete Citrix Gateway product line.
• For more information, consider attending the CNS-319 Citrix course with dedicated time to discovery, implementation and use of the Citrix Application Delivery Management feature.
• Citrix Application Delivery Management, which includes the sub-feature HDX Insight, is based on the popular industry standard AppFlow solution that is uniquely situated in the application ‘line of sight’ both in the data center and the branch to provide a 360-degree view for applications, including virtual desktop traffic.
• Fast Failure Analysis: HDX Insight allows administrators to dissect the network data from various angles including desktop, application, user groups and at the individual user level. This results in a fast root-cause analysis for customer issues.
• Real-time Client/Server Latency Measurements: In addition to TCP level jitter and latency information, HDX Insight provides detailed breakdown of HDX session latency by client, ICA RTT, and by server. These are viewed in real-time or historically on simple dashboards.
• Powerful data correlation between application and network data enables reporting and analysis on applications, the network and users.
• When deployed in-line, Citrix Gateway and Citrix SD-WAN detect and dissect ICA connections to provide complete visibility into the protocol.
• HDX Insight provides the ability to drill down to provide visibility and troubleshooting at the user level.
• Moreover, HDX Insight can sort issues by a specific application or server that might be impacting a group of users.
• Remember HDX/CGP/ICA is a proprietary protocol, based on virtual channels.
• Part of the virtual appliance is a database to store performance data.

Additional Resources:
• Citrix Application Delivery Management:
https://docs.citrix.com/en-us/citrix-application-delivery-management-software.html
• Citrix Application Delivery Management 13.0:
https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13.html


Citrix ADM Setup Process

• When enabled, HDX Insight reports provide Director with additional information:
  • The Network tab in the Trends page shows latency and bandwidth effects for applications, desktops, and users across your entire deployment.
  • The User Details page shows latency and bandwidth information specific to a particular user session.

Key Notes:
• In addition to Director, most statistics are also available from the dashboard within the web GUI of Citrix Application
Delivery Management.
• On Director, in the Trends page, the Network tab gives an overview of the network details such as average bandwidth, latency, client jitter, ICA round trip time and much more.
• There are three selections: Users, Applications and Desktops.
• Users:
  • To quickly analyze the network health, the graph provides a summary showing the average network metrics per the time selection.
  • The list of Users contains a list of users who have accessed the environment within the time period selected. Metrics such as latency, # of application launches, ICA RTT, Bandwidth, and jitter are provided on a per user basis.
  • Admins are able to drill down on a per user basis for network metrics relevant to that user.
• Applications:
  • The graph shows an average of the launch duration for the applications and the number of application launches for the specified time frame.
  • The list shows each application, number of launches for that application and the average logon duration specific to that application.
  • Admins are able to drill down into each application for additional metrics.
• Desktops:
  • The graph shows an average bandwidth used for the desktops during the specified time frame.
  • The list shows the user associated with the desktop, session duration, average latency, average ICA RTT, and average bandwidth used.

Additional Resources:
• Integrate NetScaler MAS with Citrix XenDesktop Director:
https://docs.citrix.com/en-us/netscaler-mas/12/deploy-netscaler-mas/integrating-netscaler-mas-with-drector.html
• Monitor historical trends across a Site:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/director/site-analytics/trends.html


Citrix ADM Benefits to Director
Monitoring

• Setting up Citrix Application Delivery Management requires the following steps:
1. Download, import, and configure the Citrix Application Delivery Mgmt. appliance.
2. Configure the appliance to monitor the Citrix Gateway.
3. Configure Director to integrate with the HDX Insight feature.
• To integrate with Director:
1. Locate the DirectorConfig command line tool.
2. Input the Citrix Application Delivery Mgmt. connection information.

[Diagram: Endpoints with Citrix Workspace app, Firewall, Citrix Gateway, Firewall, StoreFront, Delivery Controller, VDA, Director Server, Citrix App Delivery Mgmt. Server]

Key Notes:
• In the Lab, a preconfigured appliance will be used.
• Step 1: encompasses assigning an IP, subnet mask, gateway and DNS address to the appliance.
• Step 2: can be performed in the Web GUI of the Citrix Application Delivery Management appliance.
• Step 3: requires execution of “C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler” on the Director
server.
• Without step 3, admins would need to pull reports directly from Citrix Application Delivery Management appliance, and this would not offer the same flexibility as integrating with Director.
• To Integrate with Director:
1. Navigate to the C:\inetpub\wwwroot\Director\tools on the system in which Director is installed and run the DirectorConfig command with the parameter /confignetscaler.
2. Specify the Citrix Application Delivery Management FQDN or IP, credentials and connection type.

Additional Resources:
• Configure network analysis: 1912 LTSR:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/install-and-configure/hdx-insight.html


Citrix ADM Operating Process

1. Citrix Gateway sends AppFlow data for all sessions to the Citrix Application Delivery Management appliance.
2. The appliance processes and stores the data in the internal database.
3. Administrators use Citrix Director to report on AppFlow data in addition to monitoring data from the Site database.

[Diagram: Endpoints with Citrix Workspace app, Firewall, Citrix Gateway, Firewall, StoreFront, Delivery Controller, VDA, Director Server, Citrix App Delivery Mgmt. Server]

Key Notes:
• AppFlow is a UDP-based protocol (similar to NetFlow) for transmitting monitoring data to so-called Collectors. The Citrix App Delivery Management appliance is such a collector.

Additional Resources:
• AppFlow - How AppFlow works:
https://docs.citrix.com/en-us/citrix-adc/13/ns-ag-appflow-intro-wrapper-con.html


Lesson Objective Review

Where can the threshold alerts be set for the Licensing Status?

In Citrix Studio.


Lab Exercise
Module 12


Lab Exercise
• Exercise 12-1: Log in to Citrix Director
• Exercise 12-2: View the Session Default Page
• Exercise 12-3: View the Sessions Details Page
• Exercise 12-4: Log Off a User Session
• Exercise 12-5: Disconnect a User Session
• Exercise 12-6: Shadow a User Session
• Exercise 12-7: Reset a User Profile
• Exercise 12-8: End a Process Within a User Session
• Exercise 12-9: Send a Message to a User Session
• Exercise 12-10: Run a HDX Channel Systems Report
• Exercise 12-11: View Alerts and Settings
• Exercise 12-12: Use a Built-In Alert
• Exercise 12-13: Build a Custom Alert
• Exercise 12-14: Trigger the Custom Alert
• Exercise 12-15: Integrate Citrix ADM with Director
• Exercise 12-16: View and Interact with the New Trends Page
• Exercise 12-17: View and Interact with the New User Details Page


Key Takeaways

• Director is a web-based console used to manage and monitor the Citrix Virtual Apps and Desktops deployment.
• Director provides visibility into user sessions and allows for direct access to manage them.
• Director provides visibility into the Citrix Virtual Apps and Desktops Site Delivery Controllers and Hypervisor Host connections.
• Integrate Citrix Application Delivery Management with Director to increase the analysis reporting capabilities within Director to proactively monitor, troubleshoot and analyze the site.


Citrix Virtual Apps and Desktops 7 Administration

Introduction to Supporting and Troubleshooting Citrix Virtual Apps and Desktops

Module 13


Learning Objectives

• Discuss Citrix troubleshooting methods for Citrix Virtual Apps and Desktops
• List common tools for troubleshooting
• Explore the usage of Supportability Packs
• Examine Proactive Administration Common Tasks


Introduction to Supporting a Citrix Virtual Apps and Desktops Site


The Troubleshooting Experience
By Layers

A Citrix Virtual Apps and Desktops deployment has a lot of components, especially for larger environments, so troubleshooting can be complex.

[Diagram: Citrix Cloud; User Layer, Access Layer, Control Layer and Resource Layer, showing Internal Users, External Users, Firewall, StoreFront, Citrix Gateway, Delivery Controller, Domain Controller, SQL, License Server, Server OS, Assigned Desktop OS and Random Desktop OS; Hardware Layer: Network, WIFI, Storage, Processor, Memory, Graphics, Hypervisor]


Support and Troubleshooting
Overview

Finding the right knowledge and tools is key to success when troubleshooting.

This module is designed to introduce some of these valuable resources:
• Troubleshooting methodology
• Web resources
• Citrix tools
• Third party tools


The Citrix Troubleshooting Methodology

The following is a leading practice approach to troubleshooting Citrix Virtual Apps and Desktops.

1. Detect the Problem
2. Understand the Problem
3. Recover the Service
4. Isolate the Problem
5. Fix the Problem
6. Take Proactive Steps


Identify Known and Resolved Issues

When troubleshooting an issue, it can be very helpful to determine if the issue is known or already resolved by a hotfix or a workaround.
• Citrix offers many ways of assisting customers, including:
  • Citrix Docs
  • Citrix Support Knowledge Center
  • Citrix Insight Services
  • Citrix Discussions (support forum)
  • Citrix Blogs

Key Notes:
• Citrix Docs can be navigated to a specific version. It is recommended to begin by identifying any issues documented in
these two sections as this can be a valuable first step in assessing an issue:
• Known issues in this release
• Issues fixed in this release
• The Citrix Support page offers extensive resources to assist in determining and fixing issues:
• Hotfixes
• CTX articles
• White papers
• Security bulletins
• All Citrix webpages are fully indexed by Google and it is a great search tool for Citrix resources.
• Use “site: Citrix.com” followed by what you are searching for to get Citrix-only hits.
• Citrix Insight Services is a collection of tools used to collect Citrix environment information, provide analysis on this information and produce tailored recommendations from Citrix.

Additional Resources:
• Citrix Docs: https://docs.citrix.com
• Citrix Support Knowledge Center: https://www.citrix.com/support/
• Changes to Citrix Insight Services (CIS) and Customer Uploads: https://support.citrix.com/article/CTX270598
• Citrix Secure Portal to upload diagnostic data (requires Citrix account login): https://support.citrix.com/case/manage
• FAQ: Citrix Insight Services (CIS): https://support.citrix.com/article/CTX131233
• Citrix Discussions (support forum): https://discussions.citrix.com/
• Citrix Blogs: https://www.citrix.com/blogs/


Hotfixes Explained

Currently, hotfixes are available per component and are named accordingly on the download page.

Example:

Component    Version    Operating System    Hotfix Number
UpsServer    760        WX64                002
DStudio      760        WX86                002
ICAWS        760        WX86                046


General Release
What constitutes a hotfix in General Release?

• The Citrix Life Cycle Maintenance (LCM) Team defines and releases hotfixes for Citrix products.
• Access to hotfixes depends on the release status.
• Regression testing of the Hotfixes, in General Releases, has been fully executed by the product team, and they can be implemented by all customers.

Hotfix Status      Customer Impact                 Access
General Release    Affects a wide customer base    All customers

Key Notes:
• Installing a hotfix that is in general release is typically “safer” since it has gone through a more strict release process.
• When installing any type of hotfix you should always read the release notes as they contain important information on any adverse effects the hotfix may have, or if the hotfix has any requirements.

Additional Resources:
• Lifecycle Maintenance Hotfixes - Definitions and Examples: https://support.citrix.com/article/CTX130337


Limited Release
What constitutes a hotfix in Limited Release?

• Hotfixes, in Limited Release, are typically only meant to solve issues for a small set of customers or a

N
specific usage of the software.

ot
• Limited Release hotfixes typically undergo a lighter and more specific Quality Assurance process and

fo
should be tested thoroughly before implementation in production.

rr
es
Hotfix Status Customer Impact Access

al
e
Affects a smaller number of Customers with a Technical

or
Limited Release customers Relationship Manager, CTPs, and
Partners

di
s tri
but
© 2021 Citrix Authorized Content

io
n
Key Notes:
• A Limited Release hotfix should only be installed if experiencing the exact same issue that the hotfix mitigates.
• A Limited Release hotfix should never be part of routine patch management of the Citrix environment; it should always be
tested separately in a test environment before release to the production environment.
• Implementing a Limited Release may have unforeseen side effects.
• Be sure to read the release notes.

Where Do I Find Hotfixes

• All General Release hotfixes for supported products can be downloaded from the Support Knowledge Center.
• Find specific hotfixes by selecting product and version in the drop-down boxes.

Key Notes:
• Some MyCitrix accounts may not have permission to download all limited hotfixes; typically Partner accounts have more
extensive download permissions.

Additional Resources:
• Citrix Support and Services: https://www.citrix.com/support/

Citrix Release In Comparison
LTSR vs CR vs Citrix Cloud Updates

• Long Term Service Release (LTSR)
  • Long Term Service Release is a specific support and service option designed for large enterprises and organizations that prefer to retain the same base installation for an extended period.
  • Benefits:
    • Extended Lifecycle with support for 10 years
    • Scheduled cumulative updates
    • Highest quality product releases
• Current Release (CR)
  • The Current Release of Citrix Virtual Apps and Desktops is designed to deliver new features and functionality to customers in the form of a new version rather than through patches and updates.
  • Benefits:
    • Quick delivery of new features
    • Less patch management
    • Fast turnaround on enhancement requests
• Citrix Cloud Updates
  • Updates are deployed to Citrix Cloud every two weeks using the canary process.
  • Citrix Cloud consists of two identical environments:
    • Release A and Release B
  • Updates are applied to one environment first, and then customers are migrated over to this environment in designated batches.
  • Once all customers are moved, the remaining environment will receive the update.

Key Notes:
• LTSR
  • LTSR was created to allow customers to stay on a specific Citrix platform for an extended period of time.
  • The support entitlements of the Current Release program state that to be compliant you must continuously keep your platform updated to the latest product release.
  • Issue example: Pharma CustomerA has regulations that state that any new environment must undergo regression testing for 18 months before the environment can go into production. After four months of testing Citrix Virtual Apps and Desktops 7.9, Citrix releases a new version, thus effectively forcing CustomerA to update the environment and reset the test phase.
  • Long Term Service Releases (LTSR) of Citrix Virtual Apps and Desktops are ideal for large enterprise production environments where you would prefer to retain the same base version for an extended period. With LTSR, you will have regular access to fixes typically void of new functionality for predictable on-going maintenance. With each LTSR comes new extended support timelines that let you plan ahead for upgrades at a pace that’s right for you and your organization.
  • Extended Lifecycle with support for 10 years - Citrix typically announces a five year mainstream support lifecycle for each major release, but with LTSR the clock restarts. For a Long Term Service Release, you will have 5 years of mainstream support and 5 years of extended support (separate contract required).
  • Predictable maintenance thanks to scheduled cumulative updates - Citrix will regularly release LTSR cumulative updates – typically containing only fixes devoid of new features – making it easier to schedule on-going site maintenance and lowering risk to your deployments.
  • Reduced IT costs with simplified management - Opting to implement a Long Term Service Release of Citrix Virtual Apps and Desktops will give you access to the highest quality product releases with the most predictable maintenance schedule to streamline your management efforts, reduce uncertainties and mitigate risks, thereby lowering your total cost of ownership.
• CR
  • Current Releases (CR) of Citrix Virtual Apps and Desktops deliver the latest, most innovative app and desktop virtualization features and functionality allowing you to stay on the cutting edge of technology and ahead of your competition.
  • Ideal for agile environments where you can rapidly deliver the newest app and desktop virtualization features, including both production and test environments.
  • On-going support and maintenance for Current Releases is aligned with the frequent release cycles. Instead of managing new releases and patches independently, with Current Releases you can simply upgrade to the latest release which includes fixes and new functionality side-by-side.
  • Citrix Virtual Apps and Desktops CR versioning is standardized on Version # with Build ####
  • For example, if a build releases in August 2019, then the product version would be 7 1908.
  • The first two places in the build are the last two digits of the year and the last two places are the two-digit representation of the calendar month of release.
• Citrix Cloud Updates
  • Citrix can move Cloud Customers between the two environments freely and without the customer noticing any difference.
  • A move will not be completed until a customer signs out of any administrative consoles; this way the move will not interfere with the administrator's work.
  • Customers can choose whether to be first movers (opt in) or last movers (opt out), but every customer will be moved and receive the updates eventually.
  • If errors are found during the migration, customers will be migrated back to the stable platform until the error is resolved.
  • Updates are deployed to Citrix Cloud every two weeks using the canary process.
  • You may be notified about a pending update and asked to finish your tasks before an update is deployed to your Citrix Cloud account.
  • You can verify which release platform you are connected to using the browser development tools. Look for release-a and release-b in the code.
  • Browser tools can typically be invoked by pressing F12 in your browser.

Additional Resources:
• Citrix Virtual Apps, Citrix Virtual Apps and Desktops, and Citrix Hypervisor Servicing Options: https://www.citrix.com/support/citrix-customer-success-services/citrix-virtual-apps-and-desktops-servicing-options.html
• Citrix Virtual Apps and Desktops 7 1912 Long Term Service Release (LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr.html
• Ensure that you are familiar with the Canary process and how it is used in software development.

Introduction to Citrix Support
Opening a Support Ticket can help to expedite a solution.

• Citrix Technical Support aims to solve every reported incident.
• Tech support can be reached via phone or by opening a support case online.
• Citrix recommends reviewing self-help resources and best practices before opening a support case.
• Please refer to the FAQ page for more info.

[Diagram: Customer, Citrix Support]

Additional Resources:
• Citrix Support and Services: https://www.citrix.com/support/
• Citrix Support FAQ: https://www.citrix.com/support/programs/faqs.html

Lesson Objective Review

Scenario: You are the Citrix Admin and you are asked to build a new environment for hosting a critical pharmaceutical application. Your boss wants you to ensure that the platform used is supported for at least seven years.

Which release will you be using?

Long Term Service Release.

Key Notes:
• LTSR is currently in extended support until January 2026.

Additional Resources:
• Product Matrix: https://www.citrix.com/support/product-lifecycle/product-matrix.html

A List of Common Tools

Introduction to Citrix Common Tools

Citrix is constantly striving to provide excellent support tools enabling administrators to better troubleshoot their environments, including:
• Custom Event Log views
• Citrix Studio
• Citrix Director
• Citrix Supportability Pack
• Citrix Insight Services
• Citrix Call Home


Event Logs
Citrix Views

• All Citrix software components will leverage the Windows Event Log for error logging.
• Event logs can be used to troubleshoot issues related to the Controllers, StoreFront, licensing, and VDAs in your environment.
• Citrix components provide custom views that are located in the Application and Services node in the Event Viewer.

Key Notes:
• Monitoring the Windows Event Log for unknown or critical events can help to proactively discover issues and allow administrators to understand event patterns:
  • Licensing - Errors in the Event Log dealing with Remote Desktop licensing should be investigated. This might be a result of the installed Citrix product not being able to contact the Remote Desktop Licensing Server or the Citrix Licensing Server. If errors in the Event Log are not reviewed, users might eventually be denied access because they cannot acquire a valid license.
  • Hardware Failure - Any event notification that relates to a hardware failure should be looked at immediately. Any device that has failed will have an impact on the performance of the system. At a minimum, a hardware failure will remove the redundancy of the component.
  • Security Warnings - Customers should investigate security warnings or audit failure events regarding failed logons in the security log. This could be an indication that someone is attempting to compromise the servers.
  • Disk Capacity - As the drives of a Windows system reach 90% of capacity, an event error message will be generated. To ensure continuous service, customers should poll these event errors. As the system runs out of hard disk space, the system is put at severe risk. The server might not have enough space left to service the requests of users for temporary file storage.
  • Application / Service errors - Any event notification that relates to application or services errors should be investigated.
  • Citrix errors - All Citrix software components will leverage the Windows Event Log for error logging.
• It is important to periodically check the Event Viewer for Citrix related warnings or errors. Warnings or errors that repeatedly appear in the logs should be investigated immediately, because they may indicate a problem that could severely impact the Citrix environment if not properly resolved.
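
A daily triage pass over the event categories listed in these Key Notes, as an added PowerShell example that is not part of the course material. The 24-hour window, the repeat threshold and the `^Citrix|Licens` provider-name pattern are assumptions to tune per site; event ID 4625 is the standard Windows failed-logon event.

```powershell
# Added example, not from the course material. Run elevated on a Controller,
# StoreFront server or VDA (reading the Security log requires elevation).
$Since           = (Get-Date).AddHours(-24)  # assumed review window
$RepeatThreshold = 5                         # assumed: same event this often => look first
$DiskUsedLimit   = 90                        # percent, the capacity figure used on this page
$ProviderPattern = '^Citrix|Licens'          # assumed match for Citrix and licensing sources

function Get-EventsOrEmpty {
    param([Parameter(Mandatory)][hashtable]$Filter)
    try {
        Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        # "No events found" is a normal result; access-denied or a missing
        # log must still surface.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }
}

function Get-FailedLogonSummary {
    # Security log, event 4625 (an account failed to log on), grouped by
    # target account, source address and logon type.
    Get-EventsOrEmpty @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $fields[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Account = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
                Source  = $fields['IpAddress']
                Type    = $fields['LogonType']
            }
        } |
        Group-Object Account, Source, Type |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-RepeatingCitrixEvents {
    # Critical (1), Error (2) and Warning (3) events from Citrix and
    # licensing sources; events that keep repeating are listed first.
    Get-EventsOrEmpty @{ LogName = 'Application', 'System'; Level = 1, 2, 3; StartTime = $Since } |
        Where-Object { $_.ProviderName -match $ProviderPattern } |
        Group-Object ProviderName, Id |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Provider  = $latest.ProviderName
                EventId   = $latest.Id
                Level     = $latest.LevelDisplayName
                Count     = $_.Count
                Repeating = $_.Count -ge $RepeatThreshold
                LastSeen  = $latest.TimeCreated
                Message   = ($latest.Message -split "`r?`n")[0]
            }
        } |
        Sort-Object Repeating, Count -Descending
}

function Get-DiskNearCapacity {
    # Fixed disks measured directly, rather than waiting for the capacity
    # event to be written to the log.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        Where-Object { $_.Size -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Drive       = $_.DeviceID
                UsedPercent = [math]::Round(100 * ($_.Size - $_.FreeSpace) / $_.Size, 1)
            }
        } |
        Where-Object { $_.UsedPercent -ge $DiskUsedLimit }
}

'Failed logons by account, source address and logon type:'
Get-FailedLogonSummary | Format-Table -AutoSize
'Citrix and licensing events (critical, error, warning):'
Get-RepeatingCitrixEvents | Format-Table -AutoSize -Wrap
"Fixed disks at or above $DiskUsedLimit% used:"
Get-DiskNearCapacity | Format-Table -AutoSize
```

A burst of 4625 events against one account or from one source address is the pattern the Security Warnings note describes; rows flagged `Repeating` correspond to the recurring warnings the last note says to investigate first.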

Additional Resources:
• Event logs:
  • 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/monitor/event-logs.html
  • XenDesktop 7.x – Event Log Messages: https://support.citrix.com/article/CTX138739
• Troubleshooting Virtual Desktop Agent Registration with Controllers in XenDesktop: https://support.citrix.com/article/CTX126992
• How to troubleshoot Virtual Delivery Agent (VDA) Registration Issues: https://support.citrix.com/article/CTX136668
• StoreFront 1912: https://docs.citrix.com/en-us/storefront/current-release.html


Using the Citrix Virtual Apps and Desktops Management Consoles
Supporting and troubleshooting session and resource issues usually starts with the use of Studio or Director.

Studio is focused on setup, task management and troubleshooting, such as:
• Unregistered VDAs
• VDA load index
• VDA Catalog and Delivery Group assignments
• Citrix Policy Modeling

Director is typically more focused on monitoring and support tasks, such as:
• Ending processes and apps for users
• Resetting user profiles and determining profile size
• Analyzing applied Citrix policies
• Analyzing logon duration
• Shadowing users


The Citrix Supportability Pack
Introduction

• It is a collection of popular tools to help diagnose and troubleshoot Citrix Virtual Apps and Desktops products.
• It can be downloaded at support.citrix.com/article/CTX203082 as a Zip file.
• Downloading requires being logged in with MyCitrix credentials.
• Review the HTML based readme file for installation and usage instructions for each tool.

CCI Notes:
• Please inform students to download the supportability pack at https://support.citrix.com/article/CTX203082

Key Notes:
• The Supportability Pack is a collection of popular tools (54 in total as of v1.4.0) written by Citrix engineers to help diagnose and troubleshoot Citrix Virtual Apps and Desktops products. The tools are cataloged by features and components to make them easier to find and use, and the addition of Supportability Pack Updater since v1.2.0 makes the Pack self-updatable. Early versions of the Pack serve as a launch pad for efforts to raise awareness, improve accessibility, and promote use of internal troubleshooting tools. In subsequent updates of this pack the spotlight will shift to creation of new tools based on prevalent customer scenarios and your feedback.
• The tools in this pack are not intended to replace system administration features that Citrix Virtual Apps and Desktops provides for day-to-day system management. This collection of tools consists of specialized utilities for advanced troubleshooting in very specific areas.
• The Citrix Supportability Pack is downloaded as a .zip file; the .zip file contains an updater function and a web view to get an overview of all the tools. Each section has a link to the online product documentation.
• A sub-folder for each tool is available under the tools folder.
• Installing the Supportability Pack
  • If you have an older version of the Supportability Pack on your system, e.g. v1.1.x, we recommend you completely remove the existing Supportability Pack including all tools and files before downloading the newer version. Since v1.2.x and above provide a new Updater utility, you can use it to keep all tools up to date in the future.
  • Unzip the Supportability Pack .zip package into a local folder of your choice.
  • Open the README.HTML file with any web browser and begin exploring the tools catalog.
  • Each tool is in its individual folder inside the local directory Tools.
  • The Updater SupportabilityPackUpdater.exe is in the same directory as README.HTML. Use "SupportabilityPackUpdater.exe /help" to get more info about how to use it.

Additional Resources:
• Citrix Supportability Pack: https://support.citrix.com/article/CTX203082


VDA Cleanup Utility
Citrix Supportability Pack Example

• It is designed to assist with the following scenarios:
  • When errors or unexpected behavior occurs during or after an upgrade from an earlier version of the VDA.
  • If VDA upgrade is not possible due to feature incompatibility and/or a clean uninstall is required.
• Removes components, files, and registry values of VDA 5.6 onwards.

Key Notes:
• The VDA Cleanup Utility can be run in unattended mode if desired using the /silent command line option.
  • C:\> VDACleanupUtility.exe /silent
• In silent mode, the tool will reboot the system automatically. After the reboot, log on to the machine with the same admin user; the tool will run again automatically.
• Automatic reboot of the system can be suppressed by using the /NoReboot command line option, though it is highly recommended to reboot the machine before attempting to re-install the VDA.
  • C:\> VDACleanupUtility.exe /noreboot
  • C:\> VDACleanupUtility.exe /silent /noreboot
• Log files for the VDA Cleanup Utility are created in the %TEMP%\Citrix\VdaCleanup folder and can be used to track all uninstall actions and results.

Additional Resources:
• VDA Cleanup Utility: https://support.citrix.com/article/CTX209255


HDX Monitor
Citrix Supportability Pack Example

• Information about available virtual channels for a running session
• Detailed insight into current session settings
• Performance graphs for active virtual channels in the HDX protocol

Key Notes:
• HDX Monitor is a free tool provided for download on the Citrix Insight Services website. Users can run the tool inside a session or admins can use the tool to monitor a session remotely within the domain.
• This version supports Citrix XenDesktop 5.5, 5.6, 7.x, and Citrix Virtual Apps and Desktops 7; and Citrix XenApp 6.5, 7.x, and Citrix Virtual Apps 7.
• HDX Monitor does not change the properties of a session and cannot interfere with the session (disconnect, logoff etc.).
• HDX Monitor can export the data to an XML file for later processing.
• Citrix HDX includes a broad set of technologies that provide a high-definition user experience.
• HDX provides a superior graphics and video experience for most users by default, with no configuration required. Citrix policy settings that provide the best out-of-the-box experience for the majority of use cases are enabled by default.
• Use the HDX Monitor tool (which replaces the Health Check tool) to validate the operation and configuration of HDX visualization technologies and to diagnose and troubleshoot HDX issues.

Additional Resources:
• HDX Monitor Tool: https://cis.citrix.com/hdx/download/
• Graphics:
  • 1912 LTSR: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/graphics.html
• HDX Monitor 3.x: https://support.citrix.com/article/CTX135817


Receiver Cleanup Utility
Citrix Supportability Pack Example

• Use in the following scenarios:
  • Errors occur during upgrade from an earlier version of Receiver.
  • Unexpected behavior or performance is experienced after upgrade from an earlier Receiver.
  • Upgrade is not possible due to feature incompatibility and/or a clean uninstall is required.
• Removes components, files, and registry values of Online Plug-in 11.x and newer.
• Is not required and not recommended while upgrading to the Receiver for Windows 4.4 or newer.

Key Notes:
• The Receiver Clean-Up Utility can be run in unattended mode if desired using the /silent command line option.
• A ReceiverLogs folder is created in the location where the utility is run and tracks all uninstall actions and results.
• C:\> ReceiverCleanupUtility.exe /silent
• Although the Receiver Clean-Up Utility will back up Receiver registry keys before deleting them, it is recommended to back up the registry before running this tool.

Additional Resources:
• Receiver Clean-Up Utility: https://support.citrix.com/article/CTX137494


Citrix Health Assistant
Citrix Supportability Pack Example

Is a Windows tool which automates the process of checking for the causes of common configuration issues in a Citrix Virtual Apps and Desktops environment.

Key Notes:
• This tool automates a series of health checks to identify possible root causes for common VDA registration and session launch issues. The tool is graphical UI based but also supports command line commands.
• The tool conducts the following health checks on a VDA, and reports results in the UI as well as in the log file:
  • For VDA Registration:
    • VDA software installation
    • VDA machine domain membership
    • VDA communication ports availability
    • VDA services status
    • VDA Windows firewall configuration
    • VDA communication with each Controller
    • VDA time sync with each Controller
    • VDA registration status
  • For Session Launch:
    • Session launch communication ports availability
    • Session launch services status
    • Session launch Windows firewall configuration
• XDPing is an older, command-line based tool that also troubleshoots registration and brokering issues in Citrix Virtual Apps and Desktops. It has been superseded by the Citrix Health Assistant, but is still available for download if desired.

Additional Resources:
• Citrix Health Assistant – Troubleshoot VDA Registration and Session Launch: https://support.citrix.com/article/CTX207624
• XDPing Tool: https://support.citrix.com/article/CTX123278


CDF Control
Citrix Supportability Pack Example

Is an event tracing controller, geared towards capturing Citrix Diagnostic Facility (CDF) trace messages that are output from the various Citrix tracing providers.

Key Notes:
• Various Citrix components contain built in debug trace statements, which leverage the Microsoft Event Tracing for Windows (ETW) technology. This means that these components are registered as ETW providers, and can be configured by ETW controllers to start logging their trace statements to a log file.
• CDFControl has been crafted to gather critical troubleshooting data (such as CDF trace and performance data) that should help when troubleshooting complex Citrix related issues.
• The guide (in the CDFControl Menu under Help) will help you become familiar with all the new features and techniques available to help you maximize your use of this application.

Additional Resources:
• CDFControl: https://support.citrix.com/article/CTX111961


Citrix Scout
Citrix Supportability Pack Example

Run from a single Delivery Controller to capture key data points and CDF traces for selected computers, followed by secure and reliable upload of the data package to Citrix Technical Support.

Key Notes:
• Scout is a data collection tool that can be used to capture environment data and CDF traces from environments running Citrix XenDesktop 5.x, Citrix XenApp 6.x and Citrix XenApp and XenDesktop 7.x.
• Scout is pre-installed on all Controllers running 7.5 upwards, and can be found in the Citrix Folder on the start menu.
• Scout must run on a Citrix Delivery Controller machine when capturing product information.

Additional Resources:
• Citrix Scout: https://support.citrix.com/article/CTX130147


Citrix Application Delivery Management (ADM)

• Is a centralized management solution that provides Citrix Admins with visibility into the traffic running across the Citrix Gateway product line.
• Integration of Citrix Application Delivery Management with Citrix Director provides more granular analysis in monitoring users, apps and desktops, via Citrix HDX.

Key Notes:
• Refer to Module 13 of this course for more information.


Citrix Call Home

Citrix Call Home is an opt-in data capturing service designed to give Citrix better insight into product errors and performance issues, allowing Citrix to proactively analyze and solve issues.

Key Notes:
• Call Home is optional and can be turned off using PowerShell if enabled during install.

Additional Resources:
• About Citrix Call Home: https://www.citrix.com/community/cx/call-home.html
• XenApp and XenDesktop Call Home Technology: https://www.citrix.com/blogs/2015/12/15/citrix-call-home-technology/

Microsoft Common Tools

Since Citrix Virtual Apps and Desktops is built on top of a Microsoft platform, we can utilize a number of Microsoft tools for troubleshooting.
• System monitor
• Performance monitor
• Network monitor
• Command line tools
• PowerShell


Microsoft Sysinternals

• Sysinternals is an advanced set of tools from Microsoft to enable IT Professionals to diagnose and troubleshoot a Windows environment.
• The Sysinternals Suite consists of more than 70 free tools, such as:
  • Process Explorer
  • Process Monitor
  • ProcDump

Key Notes:
• Process Explorer
  • Process Explorer will enable administrators to analyze what is going on behind the scenes in Windows:
    • Handle View:
      • See the handles that the process selected in the top window has opened.
    • DLL View:
      • See the DLLs and memory-mapped files that the process has loaded.
    • Search View:
      • Which processes have particular handles opened or DLLs loaded.
  • Process Explorer can be used to analyze processes and applications.
  • Especially helpful for tracking down DLL version issues and handle leaks.
  • Example: You have an application running in your environment that you suspect of leaking memory. Use Process Explorer to compare a freshly started application against the same application that has been running for a while; compare the number of handles and the memory consumed by the process.
• Process Monitor
  • Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.
  • Main features include:
    • Enhanced filter engine
    • Extensive process details
    • Process tree tool
  • Process Monitor is the combination of two older tools from Sysinternals: Regmon and Filemon.
  • Process Monitor will monitor and trace any I/O or registry based activity and allow the admin to search for session ID or username, using filters.
  • Example: An application is reporting a file system permission issue for a user, and you want to find out where the application is trying to write and which write operation gets denied.
  • It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
• ProcDump
  • ProcDump is a command-line utility used primarily for monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
  • Automatic dump triggers include:
    • Hung window monitoring
    • Unhandled exception monitoring
    • Custom performance counter monitoring
  • Example: You have implemented a new application that spikes to 100% CPU resources every 15 minutes.
    • Use ProcDump to create an automated rule for crash dumping the process when it goes to 100%; analyze the dump with the developers to determine the root cause of the CPU spike.
  • Write up to three mini dumps of a process named 'consume' when it exceeds 20% CPU usage for five seconds:
    • C:\>procdump -c 20 -s 5 -n 3 consume

Additional Resources:
• Process Explorer v16.21: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
• Process Monitor v3.50: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
• ProcDump v9.0: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump


More Tools

• There are other third party tools available that are relevant for troubleshooting.
• Wireshark is a free and open source packet analyzer that can be used to capture network data for analysis.
• Wireshark offers 3 main views:
  • Packet List
  • Packet Details
  • Packet Data

Key Notes:
• Example: Users on a specific network get randomly disconnected from their sessions. Use Wireshark to trace the network traffic, and apply a filter to look for dropped packets or reset connections.

Additional Resources:
• Wireshark webpage: https://www.wireshark.org/

Lesson Objective Review

Scenario: You are the Citrix Admin and you are investigating an issue where a user’s session does not successfully end after she closes her last published app. You have used Task Manager to inspect her hanging session but could not find any relevant information.

Which tool would you use to get further details on orphaned processes in the session?

Process Explorer


Proactive Administration Common Tasks

Periodic Tasks An Introduction

• Supporting and Troubleshooting tools are needed to maintain a Citrix Virtual Apps and Desktops deployment.
• However, it is equally important to administer the deployment proactively by performing tasks on a regular basis.
• Proactively administering the deployment will result in a healthier environment less prone to errors and outages.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


How Often Should I Work with my deployment?

• Deployments should be administered daily.
• Tasks can be categorized and scheduled as:
  • Daily Tasks
  • Weekly Tasks
  • Monthly Tasks
  • Yearly Tasks

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Look for Warnings and Alerts

• Review Citrix Director, Windows Performance Monitor, Event Log, and other monitoring software alerts.
• Monitoring the performance of the overall environment should be done daily and is crucial toward making sure all components are available and performing effectively to ensure users have a high quality experience.

Key Notes:
• Check for warnings or alerts within Citrix Director, event logs, or other monitoring software. Investigate the root cause of the alert if any.
• A computer and monitor can be set up to display the Citrix Director dashboard to create a Heads up Display for the Citrix department. This ensures the status of the environment is clearly visible in real time.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Verify backups of key Citrix components
Daily Tasks

• Citrix components should be backed up daily.
• Items to be backed up can include, but are not limited to:
  • Citrix Databases
  • User data (user profiles / home folders)
  • Application data
  • Citrix Hypervisor VM/Pool metadata (or equivalent for other hypervisors)
  • StoreFront Configuration
  • License Files
  • Dedicated Virtual Desktops

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Backup Citrix Databases
Daily Tasks

• Backups of Citrix Databases should be performed daily.
• Citrix Databases to be backed up can include, but are not limited to:
  • Citrix Virtual Apps and Desktops Databases
    • Site Database
    • Configuration Logging Database
    • Monitoring Database
  • Citrix Provisioning Database
• Coordination with the Database administration team may be required.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Test your connections
Daily Tasks

• Environment access testing should be performed daily.
• Simulate a connection both internally and externally to ensure desktop and application resources are available before most users log on for the day.
• Perform access tests with standard user accounts. Avoid testing with only administrative accounts.
• Access testing can be done throughout the day and may even be automated.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Verify Registration and Session Availability
Daily Tasks

• The Citrix Administrator is responsible for ensuring users have enough available resources at all times.
• Verify, daily, that the appropriate number of idle desktops and application servers are powered on and registered with the Delivery Controllers to ensure availability for user workloads.
• Use Trends analytics to determine how many application and desktop resources to have available to support your users.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Review Hotfixes and Patches
Weekly Tasks

• It is recommended to have consistent and updated versions of Delivery Controllers, Server OS, and Desktop OS virtual machines.
• Review, test, and deploy the latest Citrix hotfixes and ascertain whether the Delivery Controllers and Server-Based OS/Desktop-Based OS virtual machines require them.

Note: Any required hotfixes should be tested using the recommended testing process prior to implementation in production.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Verify change control operations
Weekly Tasks

• Change control processes that manage changes throughout a system’s lifecycle are necessary to ensure consistent and accountable performance.
• When available, ensure configuration logging is enabled to track any changes made to the Citrix environment.
• Verify that changes were made and applied correctly.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Confirm Your Capacity
Monthly Tasks

• Perform a monthly capacity assessment of the Citrix environment to determine environment utilization and any scalability requirements.
• In addition to the day-to-day monitoring of system-level metrics, performance metrics should be tracked from a historical perspective to help plan for future growth as more users access the environment.
• Use the Trends view within Citrix Director to track the Citrix Virtual Apps and Desktops deployment over time. These parameters can be leveraged for capacity planning of the Citrix environment.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Review your Citrix Policies
Yearly Tasks

• A review of Citrix policies should be conducted yearly.
• The more policies there are, the more unmanageable policy management can become.
• Remove any unused or disabled policies.
• Determine whether new policies are required and whether existing policies need to be updated.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Assess your Software Version and Requirements
Yearly Tasks

• Perform a yearly review and assess the requirement for new Citrix software releases or versions.
• This includes a review of the applications hosted in the sessions as well as a review of the operating systems hosting these sessions.
• Citrix component software, such as Citrix Virtual Apps and Desktops versioning or VDA versioning, should also be reviewed.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Assess your Software Use
Yearly Tasks

• Perform a yearly review of the usage of applications outside and within the Citrix environment.
• Use Trends to assess the validity of adding applications to the Citrix site, removing applications that are no longer required, or upgrading the applications to the latest version.

Key Notes:
• For additional information, please review the Citrix VDI Handbook and Best Practices. A link to the PDF can be found below in the additional resources section.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Lesson Objective Review

Scenario: You are a Citrix Admin who was recently hired to manage an existing Citrix Virtual Apps and Desktops deployment. During your initial discovery of the environment, you learn there are over 500 Citrix Policies.

Upon reviewing the Citrix Policies to determine which ones are in use, which ones can be retired, and which settings can be consolidated to save on policy count, you quickly realize that this process should be performed regularly, and thus you plan to train your staff on this task.

How often should you review your Citrix Policies?

Citrix policies should be reviewed every year.


Key Takeaways

• The Citrix Troubleshooting Methodology can assist you in supporting a Citrix Virtual Apps and Desktops environment.
• Citrix provides tools to help you identify known issues, either during troubleshooting or when preparing to update the environment.
• The Citrix Supportability Packs can be downloaded to provide use-specific tools to support and troubleshoot Citrix Virtual Apps and Desktops.
• It is equally important to administer the deployment proactively and perform tasks on a regular basis.


Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Migrate To Citrix Cloud

Module 14


Learning Objectives

• Identify the options and considerations for migration to Citrix Cloud.
• Explore the considerations for deploying Citrix Cloud Connectors.
• Review the Citrix Cloud Ownership of the deployment as it relates to resource locations.
• Explore considerations and the process for migrating to Citrix Cloud.


Migration Considerations


MCS Catalogs

• Cannot easily be migrated.
• Edit master image to register with Cloud Connectors.
• Create new MCS Catalog and Delivery Group in Citrix Cloud.
• Migrate the users in batches.
• Decommission old MCS machines as users are migrated.

Key Notes:
• From a database perspective, an MCS-based Machine Catalog is complex and therefore cannot be easily migrated. However, the process of creating a new MCS Machine Catalog is fairly simple.
• The only downside to creating new Machine Catalogs is that during the migration, you will use extra hypervisor resources.
• Minimize the impact by migrating users in batches, maybe one department at a time.
• Decommission old MCS machines as users are migrated to ensure capacity for extending the Cloud Hosted Machine Catalogs.


PVS Catalogs
Two easy paths

Same VMs
• Create new manual Machine Catalog and Delivery Group in Citrix Cloud.
• Edit VDA configuration in vDisk to register with Cloud Connector.
• Boot target devices on new vDisk version.

New VMs
• Update SDK on PVS servers to support Citrix Cloud.
• Edit VDA configuration in vDisk to register with Cloud Connector.
• Use Citrix Virtual Desktops Setup Wizard to deploy new Machine Catalog and VMs.
• Create Delivery Group and migrate users.
• Decommission old VMs.

Key Notes:
• When PVS is deployed on-premises, it is very easy to migrate the Machine Catalogs to Citrix Cloud.
• If you want to re-use the existing VMs, simply update the vDisk to ensure the VDA software registers with Cloud Connectors, create a new Machine Catalog in Cloud Studio, point to your existing Device Collection in PVS, and restart your VDAs to ensure they register successfully. After you have verified registration, create a Delivery Group and publish resources to users. If you plan to migrate while in production, you may want to enable maintenance mode on one VDA first, boot this VDA on the new image, and define and test the Delivery Group before booting the rest of the VDAs.
• If you want to create new VMs instead of using the existing Device Collection, you can utilize the Citrix Virtual Desktops Setup Wizard. First deploy the Citrix Cloud Remote SDK on the Provisioning Servers, then update the VDA software in a copy of your vDisk to register with the Cloud Connectors. Use the wizard to deploy new VMs and associate them with the new vDisk, create the matching Delivery Groups and decommission the old VMs.
• Important: When changing the PVS SDK, you will lose the ability to run the Citrix Virtual Desktops Setup Wizard against the on-premises Delivery Controllers. The PVS server will still be able to stream existing workloads.


Policies

• Policies based in Active Directory do not need to be migrated.
• Policies in an on-premises Studio must be migrated. There are two methods to migrate:
  • Method 1: Manually recreate in Cloud Studio
  • Method 2: Convert to AD policies (option to use PoSH or template)

Key Notes:
• Active Directory based Citrix policies do not need to be migrated; they can simply be bound to a new OU that contains the VDAs.
• Ensure that you have a plan in place to migrate Studio based policies, and start the process early.
• Policies can be very complex in certain deployments and the process to migrate them may involve manual labor.
• Citrix recommends doing extensive testing after migrating policies to ensure the migration was successful.
• The Export-BrokerDesktopPolicy PowerShell cmdlet can be used to export on-premises Studio policies.

Additional Resources:
• How to Export and Import Virtual Desktops Policies Using PowerShell SDK - https://support.citrix.com/article/CTX136646


Manual Migration Tasks

• Configure Hosting
• Create new Catalogs (MCS or Existing/PVS)
• Create new Delivery Groups
• Publish Apps and Desktop
• Configure Delivery Group and Application settings
• Configure Zones (if applicable)
• Configure Tags (if applicable)

Key Notes:
• Depending on the complexity of your existing on-premises environment, you may need to consider several of the possible migration tasks.
• Personal vDisk, AppDNA and AppDisks are currently not supported in Citrix Cloud. Be sure to follow Citrix Cloud newsflashes if you rely on these features.


Lesson Objective Review

Should Active Directory GPO based Citrix policies be migrated to Citrix Cloud?

No, just ensure the GPOs are linked to the correct OU


Citrix Cloud Connector Deployment


Citrix Cloud Connector vs Delivery Controller

[Diagram comparing a Traditional Deployment with a Cloud Deployment. Labels: Citrix Cloud, Delivery Controller, Site Database, License Server, Citrix Gateway Service, Workspace, Active Directory Server, Cloud Connector, Citrix Gateway, StoreFront, VDA.]

Key Notes:
• The connector itself is actually a collection of Windows services. It's not just one service. It's a variety of different proxies that connect the components in the resource location (on-premises or public cloud) up to the Citrix Cloud.


Citrix Cloud Connector Installation

• Simple download and install from Citrix Cloud
• No configuration needed
• No user interface
• Install two for automatic updates, redundancy, and load balancing
• Option to script install
• Do not clone Cloud Connectors

Key Notes:
• Before Install:
  • The Citrix Cloud Connector installer checks if the machine is domain-joined before actually installing the software.
  • The Connector needs to be in sync with UTC time for proper installation and operation.
  • Be sure to switch off Enhanced Security Configuration (ESC) during installation.
  • The installer cannot run on machine templates cloned across multiple machines.
• During Install:
  • An initial connectivity check to Citrix Cloud will be performed.
  • The installer prompts for the Citrix Cloud administrator user name and password.
  • A final connectivity check ensures connector-to-cloud communication.
• After Install:
  • After installation, do not move the machine hosting the Connector into a different domain.
  • You should enable Windows updates on all of your Connectors.


Citrix Cloud Connector Silent/Automated Installation

• Download Cloud Connector
• Run CWCConnector /? to retrieve parameters.
• Sample:
  • CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true
• Logs:
  • %LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup
  • %ProgramData%\Citrix\WorkspaceCloud\InstallLogs
• Script available from Citrix that both downloads and installs Cloud Connector.

Key Notes:
• The blog post listed below contains a prebuilt script that can download and install the Cloud Connector.
• Silent or automated installation is supported. However, using the same installer for repeated installations over a period of time is not recommended. Download a new Connector from the site using the instructions on the resource location page.
• The list of supported parameters can be retrieved by running: CWCConnector /?
  • /Customer: This is the customer ID available in the console on the API Access page (within Identity and Access Management). This is required.
  • /ClientId: Found on the API Access page. This is the secure client ID an administrator can create. This is required.
  • /ClientSecret: Found on the API Access page. This is the secure client secret available via download after a secure client is created. This is required.
  • /ResourceLocationId: This ID can be retrieved on the resource locations page using the ID button. This is not required.
  • /AcceptTermsOfService: Yes. This is required.
• A sample command line with all required parameters:
  • CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true
• Exit Codes:
  • 1603 - An unexpected error occurred.
  • 2 - A prerequisite check failed.
  • 0 - Installation completed successfully.
• Command line Installation:
  • Use Start /Wait CWCConnector.exe /parameter:value in order to examine any potential error code in the case of a failure. This can be done using the standard mechanism of running echo %ErrorLevel% after the installation completes.
• Installation logs can be found here:
  • %LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup
• Or within the following consolidated location, after installation:
  • %ProgramData%\Citrix\WorkspaceCloud\InstallLogs

Additional Resources:
• Automated Installation (non-interactive) - http://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/installation.html
• Automating the Cloud Connector Installation - https://www.citrix.com/blogs/2017/03/15/automating-the-cloud-connector-installation
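
The silent installation described above, wrapped in PowerShell as an added example (it is not Citrix's script and not part of the course material): it runs the installer, waits for it, and maps the documented exit codes 0, 2 and 1603 to an outcome together with the log folders to inspect. The function name, its parameter names and the installer path are assumptions; the switches, exit codes and log folders are the ones listed in the notes.

```powershell
# Added example: wrapper around the silent Cloud Connector install.
# Function and parameter names are hypothetical. The installer switches, exit
# codes and log folders are the ones listed in the notes above.
function Install-CloudConnectorSilently {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,        # freshly downloaded CWCConnector.exe
        [Parameter(Mandatory)] [string] $CustomerId,           # from the API Access page
        [Parameter(Mandatory)] [string] $ClientId,             # secure client ID
        [Parameter(Mandatory)] [securestring] $ClientSecret,   # secure client secret
        [string] $ResourceLocationId                           # optional
    )

    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "Installer not found: $InstallerPath"
    }
    # The installer checks for domain membership itself; failing here is faster.
    if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        throw 'This machine is not domain-joined.'
    }

    # The documented switch takes the secret as a command-line value, so it is
    # converted to plain text only for the call. Process-creation logging that
    # captures command lines will record it.
    $plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $arguments = @(
        '/q'
        "/Customer:$CustomerId"
        "/ClientId:$ClientId"
        "/ClientSecret:$plainSecret"
        '/AcceptTermsOfService:true'
    )
    if ($ResourceLocationId) {
        $arguments += "/ResourceLocationId:$ResourceLocationId"
    }

    try {
        $process = Start-Process -FilePath $InstallerPath -ArgumentList $arguments -Wait -PassThru
    }
    finally {
        # Drop the plain-text copies as soon as the installer has returned.
        $plainSecret = $null
        $arguments = $null
    }

    $exitCode = $process.ExitCode
    $meaning = switch ($exitCode) {
        0       { 'Installation completed successfully.' }
        2       { 'A prerequisite check failed.' }
        1603    { 'An unexpected error occurred.' }
        default { 'Exit code not listed in the course notes.' }
    }

    [pscustomobject]@{
        ExitCode   = $exitCode
        Succeeded  = ($exitCode -eq 0)
        Meaning    = $meaning
        LogFolders = @(
            (Join-Path $env:LOCALAPPDATA 'Temp\CitrixLogs\CloudServicesSetup'),
            (Join-Path $env:ProgramData 'Citrix\WorkspaceCloud\InstallLogs')
        )
    }
}

# Usage (all values are placeholders):
# $secret = Read-Host -Prompt 'Client secret' -AsSecureString
# $result = Install-CloudConnectorSilently -InstallerPath '.\CWCConnector.exe' `
#     -CustomerId 'Customer' -ClientId 'ClientId' -ClientSecret $secret
# if (-not $result.Succeeded) { $result | Format-List }
```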



Citrix Cloud Considerations

• Keep all Cloud Connectors powered on at all times.
• Install the Cloud Connector on dedicated machines only.
• Do not upgrade a previously-installed Cloud Connector with a newer version.
  • Instead, uninstall the old Cloud Connector and then install the new one.
• Enable Windows Update on all Cloud Connectors.
• Install at least two Cloud Connectors in each resource location.
  • Citrix recommends installing N+1 Cloud Connectors, where N is the capacity needed to support the infrastructure.
• Each Active Directory forest should be reachable by two Cloud Connectors at all times.
• Do not move the machine hosting the Cloud Connector into a different domain.

Key Notes:
• Important considerations
• Keep all Cloud Connectors powered on at all times to ensure an always-on connection to Citrix Cloud.
• Do not install the Cloud Connector on an Active Directory domain controller or any other machine critical to your resource location infrastructure. Regular maintenance on the Cloud Connector will perform machine operations that will cause an outage to these additional resources.
• Do not download or install other Citrix products on the machines hosting the Cloud Connector.
• Do not download or install the Cloud Connector on machines that are part of other Citrix product deployments (for example, Delivery Controllers in a Citrix Virtual Desktops deployment).
• Do not upgrade a previously-installed Cloud Connector with a newer version. Instead, uninstall the old Cloud Connector and then install the new one.
• Citrix strongly recommends enabling Windows Update on all machines hosting the Cloud Connector.
• Citrix strongly recommends installing at least two (2) Cloud Connectors in each resource location. In general, the number of Cloud Connectors you should install is N+1, where N is the capacity needed to support the infrastructure within your resource location. This ensures the connection between Citrix Cloud and your resource location remains intact in the event any single Cloud Connector becomes unavailable.
• Each Active Directory forest you plan to use with Citrix Cloud should be reachable by two Cloud Connectors at all times.
• After installation, do not move the machine hosting the Cloud Connector into a different domain. If the machine needs to be joined to a different domain, uninstall the Cloud Connector and then re-install it after the machine is joined to the different domain.

Additional Resources:
• Cloud Connector Installation - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/installation.html


Connection to Citrix Cloud

• All communication between Citrix Cloud and the resource location is handled by Cloud Connector.
• The Connector does not need any special SSL/TLS configuration.
• You cannot control which data the Connector sends to Citrix.
• Traffic is HTTPS API calls and binary encoded message passing.

Key Notes:
• Make sure the clock on the Cloud Connector server has the correct UTC time. Otherwise, you cannot connect to the cloud.
• The connection to the internet from your datacenters only requires port 443 to be open for outbound connections. However, in order to operate within environments containing an internet proxy server or firewall restrictions, further configuration might be needed.
• Web addresses that need to be contactable for the services to function are listed here: http://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html
• All data sent from the Cloud Connector server to Citrix Cloud is encrypted.


Proxy and Firewall Considerations

Citrix Cloud Connector
• Connection outbound on port 443
• URL Access:
  • https://*.citrixworkspacesapi.net
  • https://*.cloud.com
  • https://*.servicebus.windows.net
  • https://*.apps.cloud.com
  • https://*.blob.core.windows.net
  • https://*.nssvc.net [If Citrix Gateway Service is enabled]
  • https://*.xendesktop.net

Citrix Cloud Management Console
• Uses browsers’ proxy settings
• URL Access:
  • https://*.cloud.com
  • https://*.citrixworkspacesapi.net
  • https://*.blob.core.windows.net
  • https://browser-release-b.azureedge.net
  • https://*.xendesktop.net

*See product documentation for full list of URLs that must be reachable.

Key Notes:
• The URL for the Cloud Management Console is https://citrix.cloud.com.
• For the management console to operate, it is required that TCP port 443 is open for outbound connectivity.
• If the user is connecting via a proxy server, the management console will operate via the same configuration applied to the browser.
• The connector requires outbound connectivity on port 443.
• The connector uses Websockets for communication with Citrix Cloud.
• Internal Communications:
  • VDAs to Cloud Connectors:
    • Port 80 Kerberos, both inbound and outbound. Traffic between the VDAs and Connectors is encrypted using Kerberos message-level security.
    • Port 1494 and 2598 inbound if using Citrix Gateway Service
  • StoreFront Servers to Cloud Connectors:
    • Port 80 HTTP inbound if using StoreFront and Citrix ADCs on-premises
  • Cloud Connectors to Active Directory domain controllers:
    • W32Time, RPC Endpoint Mapper, Kerberos password change, RPC for LSA, SAM, Netlogon, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, FRS RPC, Kerberos, SMB
  • Cloud Connectors to Hypervisors:
    • See hypervisor documentation for specific ports.

Additional Resources:
• Internet Connectivity Requirements - http://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html
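
An added example (not from the course material) for auditing the egress rules above: given hostnames taken from a proxy or firewall deny log, it reports which ones fall under the Cloud Connector URL patterns from the slide, and so point to a missing allow rule, and which do not and can stay blocked. The hostnames are constructed sample data and the function name is hypothetical.

```powershell
# Added example. The patterns are the Cloud Connector entries from the slide
# above; the product documentation holds the full list.
$ConnectorPatterns = @(
    '*.citrixworkspacesapi.net'
    '*.cloud.com'
    '*.servicebus.windows.net'
    '*.apps.cloud.com'
    '*.blob.core.windows.net'
    '*.xendesktop.net'
)
# Needed only when Citrix Gateway Service is enabled.
$GatewayServicePattern = '*.nssvc.net'

function Test-ConnectorEgress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $BlockedHost,   # hostnames from a deny log
        [switch] $GatewayServiceEnabled
    )

    $patterns = $ConnectorPatterns
    if ($GatewayServiceEnabled) {
        $patterns += $GatewayServicePattern
    }

    foreach ($entry in $BlockedHost) {
        # Normalise: trim whitespace and a trailing root dot, lower-case.
        $name = $entry.Trim().TrimEnd('.').ToLowerInvariant()

        # -like anchors the pattern at both ends, so '*.cloud.com' matches
        # 'x.cloud.com' but not 'cloud.com.example.org' or 'notcloud.com'.
        $match = $patterns | Where-Object { $name -like $_ } | Select-Object -First 1

        [pscustomobject]@{
            Host                = $name
            RequiredByConnector = [bool]$match
            MatchedPattern      = $match
        }
    }
}

# Constructed sample: hostnames as they might appear in a proxy deny log.
$sample = @(
    'connector01.servicebus.windows.net'
    'tenant.xendesktop.net'
    'region.nssvc.net'
    'cloud.com.example.org'
    'updates.example.net'
)

Test-ConnectorEgress -BlockedHost $sample | Format-Table -AutoSize
```

Rows with RequiredByConnector set to True are blocked destinations the Connector needs; run it again with -GatewayServiceEnabled if Citrix Gateway Service is in use.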



Citrix Cloud Connector Proxy Support

• During installation, Cloud Connector will use browser proxy settings in the context of the installing user.
• At runtime, Cloud Connector services run as Local Service.
• Configure proxy support for services using the following command:
  • netsh winhttp import proxy source=ie
• Restart Cloud Connector VM.
• There is no support for auto-detect or PAC scripts.

Key Notes:
• The Connector supports connection to the internet via a web proxy server. Both the installer and the services it installs need connections to Citrix Cloud. Internet access needs to be available at both these points.
• The installer will use the settings configured for internet connections. If you can browse the internet from the machine then the installer should also function.
• Services at Runtime:
  • The runtime service operates in the context of a local service. It does not use the setting defined for the user (as described above). You need to import the setting from the browser.
  • To configure the proxy settings for this, open a Command Prompt window and use netsh.
  • There is no support for auto-detect or PAC scripts.

Additional Resources:
• Cloud Connector Proxy and Firewall Configuration - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/proxy-and-firewall-configuration.html


Domain Trust Considerations

• Cloud Connectors cannot traverse domain-level trusts.
• If deploying resources in a separate domain, also install Cloud Connectors in the user domain.
• Trusts may be required when launching resources.

[Diagram labels: Citrix Cloud, Citrix Virtual Apps and Desktops Service, Public Cloud, Cloud Connector, VDAs, Resource Domain, VPN, Cloud Connector, User Domain, On-premises Datacenter]

Key Notes:
• If a customer does not want to deploy the production domain to the public cloud, a separate domain can be deployed and a one-way trust created.
• The Cloud Connector would not be able to traverse back to the user domain in this example.
• As a workaround, two Cloud Connectors should be deployed in the user domain, to ensure that both domains can be integrated with Citrix Cloud.


Multi-Domain Support

• Each domain with Cloud Connectors deployed will appear in the Domains list.
• Citrix Cloud supports multiple domains and forests.
• Trust relationships are only required if launching resources in a different domain or forest.

Key Notes:
• Citrix Cloud can support users from any domain or forest where a Cloud Connector is deployed.
• Launching resources in the same domain / forest does not require any trust relationships to be configured.
• When launching resources from another domain or forest, trust relationships between the domains / forests must be configured.
• Azure Active Directory domain services is also supported. From a Citrix Cloud perspective, it is treated similarly to a regular Active Directory.


Disable Domain Support

• The Do not use option disables the ability for users from this domain to authenticate to Citrix Cloud via an exposed Active Directory.
• Helpful if you are deploying Cloud Connectors in domains that you do not want to allow access to Citrix Cloud.

Key Notes:
• The “Do not use” button is a simple way to disable access to Citrix Cloud for all users in a domain where you have deployed Cloud Connectors.
• For example, a customer may want to host resources in two domains, however only the users from one domain are allowed access to the resources via Workspace Experience.


Define Resource Locations

• A default resource location:
  • Is automatically created.
  • Can be renamed.
• There is also the option to add additional resource locations.

Key Notes:
• The default name of the first resource location is My Resource Location.
• Each resource location is assigned a unique ID and can be accessed via this ID in scripts for automation.
• When deploying a new Cloud Connector, you have the option to deploy to an existing resource location or define a new resource location.
• Cloud Studio will adopt the names of the resource locations for the zones.


Remove Citrix Cloud Connectors

• Always uninstall Cloud Connector software before decommissioning a machine.
• Orphaned Cloud Connectors might leave Citrix Cloud inoperable.
• Do not move the machine hosting the Cloud Connector into a different domain.

Key Notes:
• If a running Cloud Connector VM is deleted before the Cloud Connector software is uninstalled, the Cloud Connector will not be removed from Citrix Cloud. Removing the Cloud Connector registration after the VM is deleted can only be done by Citrix Support.
• Moving a Cloud Connector to another domain will cause it to lose its registration with Citrix Cloud.


Additional Resources:
• How to Update an Outdated Cloud Connector - https://support.citrix.com/article/CTX224071



Update an Outdated Citrix Cloud Connector
What to do if the Cloud Connector goes into an outdated state.

1. Remove the outdated connector from the resource location in Citrix Cloud.
   1. Navigate to the Connectors page for the affected resource location
   2. Click on the outdated Cloud Connector
   3. Select Delete
2. Uninstall the old Cloud Connector components from the machine (if the machine still exists).
   1. Browse to Control Panel > Uninstall a Program
   2. Click on the Citrix Cloud Connector application
   3. Select Uninstall
3. Install the latest Cloud Connector components on the existing machine or a new machine.
   1. Log on to Citrix Cloud
   2. Browse to the Resource Location page
   3. Add a Cloud Connector
   4. Run the Cloud Connector installer on the machine

Key Notes:
• If the Cloud Connector goes into the outdated state, the resource location and individual connector machine will be marked with an error and a notification will be sent to the Administrator.
• Remove the outdated connector from the resource location in Citrix Cloud.
  • Navigate to the Connectors page for the affected resource location
  • Click on the outdated Cloud Connector
  • Select Delete
• Uninstall the old Cloud Connector components from the machine (if the machine still exists).
  • Browse to Control Panel > Uninstall a Program
  • Click on the Citrix Cloud Connector application
  • Select Uninstall
• Install the latest Cloud Connector components on the existing machine or a new machine.
  • Log on to Citrix Cloud
  • Browse to the resource location page
  • Add a Cloud Connector
  • Run the Cloud Connector installer on the machine


Lesson Objective Review

Which ports must be opened in the firewall to allow the Cloud Connector to communicate with Citrix Cloud?

Port 443 open outbound.


Citrix Virtual Apps and Desktops with an On-Premises Resource Location


Citrix Cloud Ownership Summary

Citrix Cloud Control Plane Ownership
Citrix owns and maintains the Control Plane, including:
• Controllers
• Databases and SQL servers
• Studio
• Director
• Workspace
• Citrix Gateway as a Service

Citrix Cloud Infrastructure Ownership
Depending on the deployment model selected, the physical location of the resource location may vary, including:
• On-premises (Citrix Hypervisor, VMware, SCVMM)
• Azure
• AWS
• Third party cloud vendor (CloudPlatform)
Resource locations are always owned and maintained by the customer or a partner.

Citrix Cloud VDA Ownership
The VDAs are owned and maintained by either the end customer or a Service Provider.
Citrix only hosts and maintains VDAs in the Secure Browser cloud offering.

Key Notes:
• Citrix Cloud Control Plane Ownership:
  • The Control Plane includes the components that are set up, maintained and backed up by Citrix.
  • It includes: Delivery Controllers, Databases, Citrix Studio, and Citrix Director.
  • Citrix also provides a preconfigured Workspace Store to access the published resources, but the choice to use cloud-hosted Workspace or an on-premises StoreFront is left with the customer.
  • Similarly, to provide remote access, customers can either use the cloud hosted Citrix Gateway as a Service acting as an ICA proxy only or use an on-premises Citrix ADC.
• Citrix Cloud Infrastructure Ownership:
  • Citrix provides 99.9% uptime on its Cloud Services.
  • The status of the Citrix Cloud Services can be monitored from http://status.cloud.com/.
  • The control plane of Citrix Cloud Services resides in public clouds with multiple datacenters across the globe.
  • The backend architecture details of Citrix Cloud are not disclosed to maintain security and integrity of the cloud services.
  • Google Cloud is not supported from an MCS or hosting integration perspective.
  • However, VDAs can be deployed without image and power management.
• Citrix Cloud VDA Ownership:
  • VDAs are workloads where customers install their business specific applications.
  • These workloads are managed by the customers in on-premises datacenters or public cloud solutions.
  • If customers subscribe to the Secure Browser service that provides simple and secure remote access to web applications, then the VDAs are also maintained by Citrix.


Access Layer Ownership
Three Scenarios

• Access Layer Scenario 1: Workspace and Citrix ADC hosted, maintained, and owned by Citrix.
• Access Layer Scenario 2: Workspace hosted in Citrix Cloud, Citrix ADC hosted on-premises.
• Access Layer Scenario 3: StoreFront and Citrix ADC hosted on-premises or in the public cloud.

[Diagram: the three scenarios side by side, each split into a Citrix Cloud zone and a Customer Managed zone containing the user, Cloud Connector and VDA; components shown across the scenarios are Citrix Gateway Service, Workspace, StoreFront and Citrix Gateway.]

Key Notes:
• Customers can either use the cloud hosted Workspace and Citrix ADC or on-premises StoreFront and Citrix ADC.
• Cloud hosted Workspace and Citrix ADC can be customized to some extent, but their high availability and ongoing maintenance are managed by Citrix.
• Workspace can be hosted in Citrix Cloud and Citrix ADC on-premises, allowing users to aggregate resources in the Cloud, but launch them using a local Citrix Gateway.
• On-premises StoreFront and Citrix ADC can be customized significantly to allow trusted domains, logon page branding, etc.
• However, these have to be managed and maintained by the customer.

Additional Resources:
• Citrix ADC 12.x Essentials and Citrix Gateway Course Catalog: http://training.citrix.com/mod/ctxcatalog/course.php?id=1527


VDA Registration
The Remote Brokering Provider is the Citrix Brokering Protocol.

• This protocol is used between the machines running the VDA and the Delivery Controllers.
• During the VDA install, the ListOfDDCs addresses are configured.
• Here, however, configure the Citrix Cloud Connector addresses.
• The VDAs talk to the connector, which proxies all of the traffic up to the Delivery Controllers that are managed in Citrix Cloud for you.

[Diagram: Cloud Connector services (Remote Broker & Authorization (STA), AD Provider, Remote HCL) shown with Citrix ADC, Citrix Gateway, Hypervisors, Active Directory Server, Server OS VDAs and Desktop OS VDAs.]
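The following PowerShell check is an added example, not part of the Citrix course material: run on a VDA, it reads the ListOfDDCs value described above and reports whether every address is one of the expected Cloud Connectors and answers on the registration port. The connector FQDNs are placeholders, and the two registry locations and TCP port 80 are assumptions about a default VDA installation.

```powershell
# Added example (not from the course material). Run in PowerShell on a VDA.

# Assumption: placeholder FQDNs. Replace with the Cloud Connectors of this VDA's resource location.
$ExpectedConnectors = @('cc01.corp.example', 'cc02.corp.example')

# Assumption: TCP 80 is the default VDA registration port; change it if the deployment uses another.
$RegistrationPort = 80

# Assumption: ListOfDDCs locations, checked in this order (Group Policy value first,
# then the value written at VDA install time). The value is a space-separated list of FQDNs.
$ListOfDdcsKeys = [ordered]@{
    'Policy'    = 'HKLM:\SOFTWARE\Policies\Citrix\VirtualDesktopAgent'
    'Installer' = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
}

function Get-ListOfDdcs {
    # Return the first non-empty ListOfDDCs value together with the key it came from.
    foreach ($source in $ListOfDdcsKeys.Keys) {
        $item = Get-ItemProperty -Path $ListOfDdcsKeys[$source] -Name 'ListOfDDCs' -ErrorAction SilentlyContinue
        if ($item -and -not [string]::IsNullOrWhiteSpace($item.ListOfDDCs)) {
            $addresses = $item.ListOfDDCs -split '\s+' |
                Where-Object { $_ } |
                ForEach-Object { $_.ToLowerInvariant() }
            return [pscustomobject]@{ Source = $source; Addresses = @($addresses) }
        }
    }
}

function Test-VdaRegistrationTargets {
    $expected   = @($ExpectedConnectors | ForEach-Object { $_.ToLowerInvariant() })
    $configured = Get-ListOfDdcs
    if (-not $configured) {
        Write-Warning 'No ListOfDDCs value found in the checked registry keys.'
        return
    }

    # One row per configured address: is it an expected connector, and does it answer on the port?
    foreach ($name in $configured.Addresses) {
        $probe = Test-NetConnection -ComputerName $name -Port $RegistrationPort -WarningAction SilentlyContinue
        [pscustomobject]@{
            Address   = $name
            Source    = $configured.Source
            Expected  = $name -in $expected
            Reachable = [bool]$probe.TcpTestSucceeded
        }
    }

    # Expected connectors that the VDA does not list at all.
    $missing = @($expected | Where-Object { $_ -notin $configured.Addresses })
    foreach ($name in $missing) {
        [pscustomobject]@{
            Address   = $name
            Source    = 'missing from ListOfDDCs'
            Expected  = $true
            Reachable = $null
        }
    }
}

Test-VdaRegistrationTargets | Format-Table -AutoSize
```

A row with Expected set to False means the VDA still lists an address that is not one of the Cloud Connectors, for example an on-premises Delivery Controller that is due to be decommissioned.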


Provisioning and Power Management
Remote Host Control Layer (HCL) communicates with hypervisors for power management and provisioning.

• Citrix Cloud supports on-premises hypervisors.
  • All communication to the hypervisors is proxied by the Remote HCL, enabling VM provisioning from the Citrix Cloud service.
• Citrix Cloud supports public cloud vendors.
  • When creating hosting connections to public clouds, the Remote HCL service is bypassed and communication with the public cloud vendor's API takes place directly from the Citrix Cloud service.

[Diagram: Cloud Connector services (Remote Broker & Authorization (STA), AD Provider, Remote HCL) shown with Citrix ADC, Citrix Gateway, Hypervisors, Active Directory Server, Server OS VDAs and Desktop OS VDAs.]

Key Notes:
• Citrix Virtual Apps and Desktops Hypervisor supported platforms:
  • Citrix Hypervisor (formerly known as Citrix XenServer)
  • Microsoft Azure Resource Manager
  • Microsoft System Center Virtual Machine Manager
  • VMware vSphere (vCenter + ESXi)
  • Amazon Web Services (AWS)
  • Nutanix Acropolis
• Citrix Virtual Apps and Desktops Service supported platforms:
  • Citrix Hypervisor (formerly known as Citrix XenServer)
  • Microsoft Azure Resource Manager
  • Microsoft System Center Virtual Machine Manager
  • VMware vSphere (vCenter + ESXi)
  • Amazon Web Services (AWS)
  • Nutanix Acropolis
  • Oracle Cloud Infrastructure (OCI)
• The same requirements apply to Cloud Connectors as Delivery Controllers when connecting to hypervisors:
  • VMware: You need the vCenter certificate installed on your Cloud Connectors
  • Hyper-V/SCVMM: The SCVMM console must be installed on your Cloud Connectors
  • Citrix Hypervisor: Port 80 communication will work by default, but customers may want to install a certificate on the Citrix Hypervisors to secure the communication.


XML Broker
The Remote Broker Service performs the XML Broker Functionality

• StoreFront talks to the XML Broker:
  • To enumerate the published resources from a Citrix Virtual Apps and Desktops site.
  • To determine the least loaded server upon receiving a launch request from the user.
• This XML broker service on Cloud Connector acts as a proxy to provide user load index information to the Delivery Controller server in Citrix Cloud.

[Diagram: Cloud Connector services (Remote Broker & Authorization (STA), AD Provider, Remote HCL) shown with Citrix ADC, Citrix Gateway, Hypervisors, Active Directory Server, Server OS VDAs and Desktop OS VDAs.]


Active Directory Authentication

• When resources in the cloud need to communicate with Active Directory, the communication and requests will be handled by the AD provider service.
• Usage examples:
  • Authentication to Cloud Hosted StoreFront or Citrix ADC
  • Adding users to Delivery Groups
  • Creating Machine Catalogs or adding machines.

[Diagram: Cloud Connector services (Remote Broker & Authorization (STA), AD Provider, Remote HCL) shown with Citrix ADC, Citrix Gateway, Hypervisors, Active Directory Server, Server OS VDAs and Desktop OS VDAs.]


Local Host Cache (LHC)
During an outage, one of the Cloud Connectors is elected to be the primary broker for the resource location.

• During normal operations:
  • The Brokering Principal (Citrix Remote Broker Provider Service) on a Cloud Connector accepts connection requests from StoreFront, and communicates with Citrix Cloud to connect users with VDAs that are registered with the Cloud Connector.
  • The Citrix Config Synchronizer Service (CSS) checks with the broker in Citrix Cloud approximately every two minutes to see if any configuration changes have been made.
  • If a configuration change has occurred since the previous check, the CSS synchronizes (copies) information to a secondary broker (the Citrix High Availability Service) on the Cloud Connector.

[Diagram: Cloud Connector containing the High Availability Service, Config Sync Service, Remote Broker Provider and a DB, shown with StoreFront, Citrix Gateway, Hypervisors, Active Directory Server, Server OS VDAs and Desktop OS VDAs.]

Key Notes:
• Local Host Cache only works with an on-premises StoreFront deployment. It does not complement Workspace Experience.
• During an outage, one of the Cloud Connectors is elected to be the primary broker for the resource location.
• This means that capacity might be diminished during an outage, because LHC will only run on one of the Cloud Connectors at a time.
• Normal operations:
  • The Brokering Principal (Citrix Remote Broker Provider Service) on a Cloud Connector accepts connection requests from StoreFront, and communicates with Citrix Cloud to connect users with VDAs that are registered with the Cloud Connector.
  • The Citrix Config Synchronizer Service (CSS) checks with the broker in Citrix Cloud approximately every two minutes to see if any configuration changes have been made. Those changes could be administrator-initiated (such as changing a Delivery Group property) or system actions (such as machine assignments).
  • If a configuration change has occurred since the previous check, the CSS synchronizes (copies) information to a secondary broker (Citrix High Availability Service, HA broker in the figure above) on the Cloud Connector. All configuration data is copied, not just items that have changed since the previous check. The secondary broker imports the data into a Microsoft SQL Server Express LocalDB database on the Cloud Connector. The CSS ensures that the information in the secondary broker's LocalDB database matches the information in the site database in Citrix Cloud. The LocalDB database is re-created each time synchronization occurs.
• When an outage happens:
  • The secondary broker starts listening for and processing connection requests.
  • When the outage begins, the secondary broker does not have current VDA registration data, but as soon as a VDA communicates with it, a registration process is triggered. During that process, the secondary broker also gets current session information about that VDA.
  • While the secondary broker is handling connections, the Brokering Principal continues to monitor the connection to Citrix Cloud. When the connection is restored, the Brokering Principal instructs the secondary broker to stop listening for connection information, and the Brokering Principal resumes brokering operations. The next time a VDA communicates with the Brokering Principal, a registration process is triggered. The secondary broker removes any remaining VDA registrations from the previous outage. The CSS resumes synchronizing information when it learns that configuration changes have occurred in Citrix Cloud.

Additional Resources:
• Local Host Cache 1912 LTSR - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/local-host-cache.html


Lesson Objective Review

What is the name of the Citrix service running on the Citrix Cloud Connector that is responsible for communicating with the on-premises hypervisor during virtual machine power management and provisioning processes?

Citrix Remote HCL


Lab Exercise Prep

Please Take a Moment and Provision Your Lab
For Module 14

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


The Migration Process


Move Citrix Virtual Apps and Desktops to Citrix Cloud
There are many different scenarios to Move to Citrix Cloud

Example Scenarios (to move to Citrix Cloud):

• Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location (This scenario matches our lab environment)
• Move Citrix Virtual Apps and Desktops Legacy on-premises deployment to Citrix Cloud with an on-premises 7 resource location
• Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with public cloud resource location
• Move Citrix Virtual Apps and Desktops 7 on-premises deployment, multi-datacenter, multi zone to Citrix Cloud with multiple resource locations
  • Includes on-premises and public cloud resource locations, all of one type or a hybrid of both
• Move Citrix Virtual Apps and Desktops Legacy on-premises deployment, multi-datacenter, multi zone to Citrix Cloud with multiple resource locations
  • Includes on-premises and public cloud resource locations, all of one type or a hybrid of both
Key Notes:
• Legacy could be a non-current build of Citrix Virtual Apps and Desktops 7, or it could be an older-versioned, no longer supported product, such as XenApp 6.5.
• The next set of pages cover the highlighted scenario on this page. For additional value, see below for two other classic migration example scenarios in more depth:
  • [Point 2 Above] Move Citrix Virtual Apps and Desktops Legacy (specifically XenApp 6.5) on-premises deployment to Citrix Cloud with an on-premises 7 resource location
    1. Create a Citrix Cloud account and purchase the Virtual Apps and Desktops product.
    2. Install 2 Cloud Connectors.
    3. Add the Connectors as XML servers to the existing StoreFront.
    4. In phases, convert the XenApp 6.5 workers to Server OS VDA machines by uninstalling XenApp 6.5 and installing the latest 7 build VDA. Copy config to cloud.
    5. Before decommissioning the XenApp Controllers, change the STA to point to the connectors.
    6. Remove the XenApp 6.5 infrastructure.
  • [Point 3 Above] Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with public cloud resource location
    1. Create a Citrix Cloud account and an account with a public cloud provider.
    2. Establish VPN or ExpressRoute connectivity and connect AD.
    3. Install Cloud Connectors.
    4. Add the Connectors as XML servers to the existing StoreFront.
    5. Install a pair of Citrix ADC VPXs.
    6. Configure StoreFront Optimal Gateway Routing.
    7. Use MCS to provision new VDAs in the cloud. (Make sure the VDA version is compatible with the latest Citrix Cloud versions)
    8. Redirect StoreFront URL to http://customer.xendesktop.net.
    9. Decommission old infrastructure, including on-premises connectors (if any).
    10. Application data may be moved to the cloud or connect over VPN.
• Remember, Citrix Cloud and Public Clouds are a moving target, subject to frequent changes. Consult the Citrix product documentation prior to performing a migration.
• Moving Citrix Virtual Apps and Desktops 7 to Citrix Cloud with On-premises
  • In this case we are not moving the VDAs out of the on-premises resource location.
  • First you will create a Citrix Cloud account and subscribe to the Citrix Virtual Apps and Desktops Service.
  • Next, install a minimum of two Cloud Connectors within your on-premises datacenter.
  • These two Cloud Connectors would then be defined as Delivery Controllers within the existing StoreFront deployment, allowing StoreFront to aggregate cloud resources as well as their current resource set.
  • If you have an on-premises Citrix ADC, define the two Cloud Connectors as STA servers in both Citrix ADC and StoreFront.
  • The next step is to start defining the resources in the Citrix Cloud.
  • First you will need to create one or more Machine Catalogs to match your design.
  • These Machine Catalogs can be created using MCS or PVS, or they can be based on existing VDAs in your environment; however, the VDAs will need to be configured to register with the Cloud Connectors instead of the on-premises Delivery Controller.
  • Next, create Delivery Groups in Citrix Cloud and manually publish your applications, including migrating any Delivery Group or application specific settings you may have configured.
  • Another manual task is to convert Citrix policies into the cloud. If they are AD based, it is an easy process where you can just link them to a new OU; if they are hosted in the on-premises Studio, you can convert them to AD based policies using the template function (this will be done in an exercise).
  • After testing that the users are successfully able to broker using Citrix Cloud, decommission Delivery Controllers, Director servers and the Citrix Databases.
  • On-premises PVS cannot obtain licenses from Citrix Cloud at the time of writing this content, so verify this functionality before decommissioning the Citrix License server.
• Moving XenApp 6.5 to Citrix Cloud
  • After creating the Citrix Cloud account, install the Cloud Connectors.
  • Install two connectors and point them to the Virtual Apps and Desktops service, which will connect your AD to the cloud.
  • Next, add the connectors as XML servers to the existing StoreFront.
  • To StoreFront, the connectors will look just like a Virtual Apps or Virtual Desktops farm.
  • StoreFront can aggregate the resources from the Virtual Apps and Desktops service and your XenApp 6.x environment.
  • Some apps can come from one, some apps can come from the other. Users don't have to know.
  • Next, start migrating the Citrix Virtual Apps workers to VDAs in the cloud service.
  • One of the great things about the cloud service is that Citrix supports VDAs going back to Server 2008 R2, which allows the same application images in use with XenApp 6.x to be reused as a VDA if needed.
  • Just uninstall the XenApp 6.x worker software and install the latest 7 build VDA, and then point it to the Citrix Cloud.
  • Once you've moved all of your VDAs over, check the STA.
  • That's going to be the STA address on your StoreFront and the STA address on your Citrix ADC.
  • If it's pointing to your XenApp 6.x controllers, change that to the Cloud Connectors before you decommission any XenApp 6.x infrastructure.
  • Now that the VDAs are in place, XenApp 6.x can be removed, leaving a fully functional environment on FMA.
  • While an in-place upgrade of existing XenApp 6.5 servers is possible, Citrix leading practice is to recommend building a new environment parallel to the existing one; this ensures a smoother transition and has fewer roll-back complications.
• Moving On-Premises to the Citrix Cloud and Public Cloud
  • If already on Citrix Virtual Apps and Desktops 7 with an on-premises deployment, it may fit the current design to migrate the on-prem environment to the cloud.
  • Create a Citrix Cloud account. Go to a public cloud vendor, and create a subscription.
  • Connect that subscription from the public cloud vendor with your on-premises environment.
  • This can be done with a VPN like CloudBridge or ExpressRoute.
  • Next, connect to AD. There are a couple of options for Active Directory.
  • Generally, stand up two domain controllers in the region in the cloud; optionally, this deployment could be another site within the existing AD environment.
  • Some customers want to create a completely separate forest for the cloud, which is doable.
  • Create a forest in the cloud, create a one-way trust from that forest in the cloud for the resource location back to the on-prem AD for the user accounts, and that will work with Citrix Virtual Apps and Desktops.
  • Next, install the Cloud Connectors. In this scenario, though, instead of just installing one pair of Cloud Connectors, install two pairs.
  • Install one pair in the resource location in the cloud and another pair on-premises.
  • The reason to install this additional pair on-premises is to help do a phased migration.
  • This pair is just temporary, and can be uninstalled later.
  • Add the connectors to StoreFront to expose the apps coming from both, through one StoreFront, to the end users.
  • Next, move the gateway and install a pair of Citrix Gateway VPXs in the cloud.
  • StoreFront has a feature called "optimal gateway routing."
  • This is really useful in these hybrid scenarios where some apps are on-premises and some apps are in the cloud.
  • When configuring optimal gateway routing, configure multiple gateway addresses in StoreFront.
  • Depending on where the VDA is, StoreFront's either going to send it to the Citrix ADC on-prem, if the VDA is on-prem; or it's going to send it to the Citrix ADC in the cloud, if the workload's actually in the cloud.
  • Both Citrix ADCs can be used at the same time from one StoreFront.
  • Next, use Machine Creation Services (MCS) with either AWS or Azure provisioning to create these VMs. If the VDAs today are on 7.6 or greater, these same images may be reused.
  • Citrix Virtual Apps and Desktops Service 7.6 VDAs and up are supported with the cloud service.
  • Once all the VDAs are moved over, redirect the StoreFront URL, from the existing URL that users are used to typing in, to the URL of the StoreFront that's hosted in the cloud service.
  • Now decommission all of the on-premises infrastructure.
  • Now, the application data is still left on-premises.
  • It's going to be very application-specific on whether the application data needs to move to the cloud also.
  • For some workloads, it needs to be next to the applications themselves because it's latency sensitive.
  • This will also depend on your latency between the region picked in the cloud and the on-premises environment.

Additional Resources:
• Citrix Virtual Apps and Desktops Service Citrix Cloud Online Documentation: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service.html


Example Scenario Moving to Citrix Cloud (Step 1 of 8)
Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location

[Diagram: Access Layer, Control Layer and Resource Layer, split between On-Premises and the Citrix Cloud Control Plane; labels include StoreFront, Citrix ADC, Delivery Controller, Cloud Connector, Site Database, Citrix Studio, Studio Policies, MS GPMC, GPOs, VDAs in an On-Premises MCS Created Catalog and a Citrix Cloud MCS Created Catalog, Citrix Cloud Account, Citrix Cloud Studio, Citrix Cloud Studio Policies and MCS. The diagram carries callout 1.]

1. Create a Citrix Cloud account
2. Install Cloud Connectors
3. Add the Connectors as XML servers to the existing StoreFront
4. Add connectors as STA on Citrix ADC and StoreFront
5. Use MCS to provision new VDAs on-prem or reuse existing manual VDAs
6. Create Delivery Group and manually migrate settings to Cloud
7. Convert Studio policies to (7a) GPO or recreate in (7b) cloud Studio
8. Decommission old Controllers and Databases


Example Scenario Moving to Citrix Cloud (Step 2 of 8)
Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location

[Diagram: Access Layer, Control Layer and Resource Layer, split between On-Premises and the Citrix Cloud Control Plane; labels include StoreFront, Citrix ADC, Delivery Controller, Cloud Connector, Site Database, Citrix Studio, Studio Policies, MS GPMC, GPOs, VDAs in an On-Premises MCS Created Catalog and a Citrix Cloud MCS Created Catalog, Citrix Cloud Account, Citrix Cloud Studio, Citrix Cloud Studio Policies and MCS. The diagram carries callout 2.]

1. Create a Citrix Cloud account
2. Install Cloud Connectors
3. Add the Connectors as XML servers to the existing StoreFront
4. Add connectors as STA on Citrix ADC and StoreFront
5. Use MCS to provision new VDAs on-prem or reuse existing manual VDAs
6. Create Delivery Group and manually migrate settings to Cloud
7. Convert Studio policies to (7a) GPO or recreate in (7b) cloud Studio
8. Decommission old Controllers and Databases


Example Scenario Moving to Citrix Cloud (Step 3 of 8)
Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location

[Diagram: Access Layer, Control Layer and Resource Layer, split between On-Premises and the Citrix Cloud Control Plane; labels include StoreFront, Citrix ADC, Delivery Controller, Cloud Connector, Site Database, Citrix Studio, Studio Policies, MS GPMC, GPOs, VDAs in an On-Premises MCS Created Catalog and a Citrix Cloud MCS Created Catalog, Citrix Cloud Account, Citrix Cloud Studio, Citrix Cloud Studio Policies and MCS. The diagram carries callout 3.]

1. Create a Citrix Cloud account
2. Install Cloud Connectors
3. Add the Connectors as XML servers to the existing StoreFront
4. Add connectors as STA on Citrix ADC and StoreFront
5. Use MCS to provision new VDAs on-prem or reuse existing manual VDAs
6. Create Delivery Group and manually migrate settings to Cloud
7. Convert Studio policies to (7a) GPO or recreate in (7b) cloud Studio
8. Decommission old Controllers and Databases


Example Scenario Moving to Citrix Cloud (Step 4 of 8)
Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location

[Diagram: Access Layer, Control Layer and Resource Layer, split between On-Premises and the Citrix Cloud Control Plane; labels include StoreFront, Citrix ADC, Delivery Controller, Cloud Connector, Site Database, Citrix Studio, Studio Policies, MS GPMC, GPOs, VDAs in an On-Premises MCS Created Catalog and a Citrix Cloud MCS Created Catalog, Citrix Cloud Account, Citrix Cloud Studio, Citrix Cloud Studio Policies and MCS. The diagram carries callout 4.]

1. Create a Citrix Cloud account
2. Install Cloud Connectors
3. Add the Connectors as XML servers to the existing StoreFront
4. Add connectors as STA on Citrix ADC and StoreFront
5. Use MCS to provision new VDAs on-prem or reuse existing manual VDAs
6. Create Delivery Group and manually migrate settings to Cloud
7. Convert Studio policies to (7a) GPO or recreate in (7b) cloud Studio
8. Decommission old Controllers and Databases


Example Scenario Moving to Citrix Cloud (Step 5 of 8)
Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location

[Diagram: Access Layer, Control Layer and Resource Layer, split between On-Premises and the Citrix Cloud Control Plane; labels include StoreFront, Citrix ADC, Delivery Controller, Cloud Connector, Site Database, Citrix Studio, Studio Policies, MS GPMC, GPOs, VDAs in an On-Premises MCS Created Catalog and a Citrix Cloud MCS Created Catalog, Citrix Cloud Account, Citrix Cloud Studio, Citrix Cloud Studio Policies and MCS. The diagram carries callout 5.]

1. Create a Citrix Cloud account
2. Install Cloud Connectors
3. Add the Connectors as XML servers to the existing StoreFront
4. Add connectors as STA on Citrix ADC and StoreFront
5. Use MCS to provision new VDAs on-prem or reuse existing manual VDAs
6. Create Delivery Group and manually migrate settings to Cloud
7. Convert Studio policies to (7a) GPO or recreate in (7b) cloud Studio
8. Decommission old Controllers and Databases


Example Scenario Moving to Citrix Cloud (Step 6 of 8)
Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location

1. Create a Citrix Cloud account
2. Install Cloud Connectors
3. Add the Connectors as XML servers to the existing StoreFront
4. Add connectors as STA on Citrix ADC and StoreFront
5. Use MCS to provision new VDAs on-prem or reuse existing manual VDAs
6. Create Delivery Group and manually migrate settings to Cloud
7. Convert Studio policies to (7a) GPO or recreate in (7b) cloud Studio
8. Decommission old Controllers and Databases

[Diagram: Access Layer, Control Layer and Resource Layer. On-premises: StoreFront, Citrix ADC, Delivery Controllers, Cloud Connectors, Citrix Studio, Studio policies, Site Database, MS GPMC GPOs and VDAs (MCS-created catalogs). Citrix Cloud control plane: Citrix Cloud account, Citrix Cloud Studio, Delivery Controller, MCS and Studio policies.]


Example Scenario Moving to Citrix Cloud (Step 7 of 8)
Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location

1. Create a Citrix Cloud account
2. Install Cloud Connectors
3. Add the Connectors as XML servers to the existing StoreFront
4. Add connectors as STA on Citrix ADC and StoreFront
5. Use MCS to provision new VDAs on-prem or reuse existing manual VDAs
6. Create Delivery Group and manually migrate settings to Cloud
7. Convert Studio policies to (7a) GPO or recreate in (7b) cloud Studio
8. Decommission old Controllers and Databases

[Diagram: Access Layer, Control Layer and Resource Layer. On-premises: StoreFront, Citrix ADC, Delivery Controllers, Cloud Connectors, Citrix Studio, Studio policies, Site Database, MS GPMC GPOs (7a) and VDAs (MCS-created catalogs). Citrix Cloud control plane: Citrix Cloud account, Citrix Cloud Studio, Delivery Controller, MCS and Studio policies (7b).]


Example Scenario Moving to Citrix Cloud (Step 8 of 8)
Move Citrix Virtual Apps and Desktops 7 on-premises deployment to Citrix Cloud with an on-premises resource location

1. Create a Citrix Cloud account
2. Install Cloud Connectors
3. Add the Connectors as XML servers to the existing StoreFront
4. Add connectors as STA on Citrix ADC and StoreFront
5. Use MCS to provision new VDAs on-prem or reuse existing manual VDAs
6. Create Delivery Group and manually migrate settings to Cloud
7. Convert Studio policies to (7a) GPO or recreate in (7b) cloud Studio
8. Decommission old Controllers and Databases

[Diagram: Access Layer, Control Layer and Resource Layer. On-premises: StoreFront, Citrix ADC, Delivery Controllers, Cloud Connectors, Citrix Studio, Studio policies, Site Database, MS GPMC GPOs and VDAs (MCS-created catalogs). Citrix Cloud control plane: Citrix Cloud account, Citrix Cloud Studio, Delivery Controller, MCS and Studio policies.]

Key Notes:
• Don’t forget that the Secure Ticket Authority (STA) for on-premises Citrix Virtual Apps and Desktops deployments runs
on the Delivery Controllers.
• When migrating to Citrix Cloud and Cloud Connectors, the STA must be reconfigured to use the Cloud Connectors
instead of the Delivery Controllers, prior to decommissioning the old Delivery Controllers.
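
A pre-decommission check for the key note above, as an added example that is not part of the course material: it parses Citrix ADC configuration lines for `-staServer` bindings and reports any Gateway virtual server that still points at an old Delivery Controller. The hostnames, the sample configuration and the function names are constructed for illustration; the STA list configured in StoreFront has to be reviewed separately.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample of Citrix ADC configuration lines (not from the course lab).
SAMPLE_NS_CONF = '''
add vpn vserver gw_vs SSL 192.0.2.10 443
bind vpn vserver gw_vs -staServer "http://ddc01.example.local"
bind vpn vserver gw_vs -staServer "https://cc01.example.local"
bind vpn vserver gw_vs -staServer "https://cc02.example.local:443"
bind vpn vserver gw_internal -staServer "http://DDC02.example.local/scripts/ctxsta.dll"
bind vpn vserver gw_vs -policy pol_session -priority 100
'''


def sta_bindings(config_text):
    """Return [(gateway, sta_host)] for every -staServer binding in the config."""
    found = []
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:
            continue  # unbalanced quotes: not a line this check can interpret
        if tokens[:2] != ["bind", "vpn"] or "-staServer" not in tokens:
            continue
        idx = tokens.index("-staServer")
        if idx + 1 >= len(tokens) or len(tokens) < 4:
            continue
        # "bind vpn vserver <name> ..." or "bind vpn global ..."
        gateway = tokens[3] if tokens[2] == "vserver" else "global"
        url = tokens[idx + 1]
        if "://" not in url:
            url = "//" + url  # let urlsplit treat a bare host as the network location
        host = urlsplit(url).hostname  # hostname is returned lower-cased
        if host:
            found.append((gateway, host))
    return found


def decommission_readiness(config_text, old_controllers, cloud_connectors):
    """Classify each gateway's STA hosts and decide whether it is ready.

    A gateway is ready only when no old Delivery Controller and no
    unrecognised host remains, and at least one Cloud Connector is bound.
    """
    old = {h.lower() for h in old_controllers}
    new = {h.lower() for h in cloud_connectors}
    report = {}
    for gateway, host in sta_bindings(config_text):
        entry = report.setdefault(
            gateway, {"old": [], "connectors": [], "unknown": []}
        )
        key = "old" if host in old else "connectors" if host in new else "unknown"
        entry[key].append(host)
    for entry in report.values():
        entry["ready"] = (
            not entry["old"] and not entry["unknown"] and bool(entry["connectors"])
        )
    return report


if __name__ == "__main__":
    result = decommission_readiness(
        SAMPLE_NS_CONF,
        old_controllers=["ddc01.example.local", "ddc02.example.local"],
        cloud_connectors=["cc01.example.local", "cc02.example.local"],
    )
    for gateway, entry in sorted(result.items()):
        state = "ready" if entry["ready"] else "NOT ready"
        print(f"{gateway}: {state}; still on old controllers: {entry['old']}")
```
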



Lesson Objective Review

Before decommissioning the Citrix Virtual Apps and Desktops on-premises deployed Delivery Controllers, which changes must be implemented on the Citrix ADC configuration?

The Secure Ticket Authority (STA) should be configured to point to the Cloud Connectors.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 14

Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Lab Exercise

• 14-1: Log in to a Citrix Cloud Account
• 14-2: Verify Identity and Access Management
• 14-3: Install Citrix Cloud Connector
• 14-4: Test the Cloud Connector
• 14-5: Secure XML Traffic on Citrix Cloud Connector
• 14-6: Add the Cloud Connector to StoreFront as the XML Server
• 14-7: Use Citrix Cloud Studio to Create a Host Connection
• 14-8: Use Citrix Cloud Studio to Re-Create the Server OS Machine Catalog
• 14-9: Launch On-Premises Resources using Citrix Workspace Experience
• 14-10: Use Citrix Cloud Studio to Re-Create the Server OS Delivery Group
• 14-11: Power Down the Old On-Premises Site
• 14-12: Verify Which Policies Apply to the New Resources Provisioned in Citrix Cloud


Key Takeaways

• The tasks to migrate to Citrix Cloud depend on how the settings and configuration of the existing Site were deployed.
• Each Citrix Cloud defined resource location must have Citrix Cloud connectors.
• Citrix Cloud does not own the resource locations.
• The migration process is not the same for different scenarios and in all cases, Citrix leading practice is to check with online Citrix Documentation prior to performing the migration.


Citrix Virtual Apps and Desktops 7 Administration On-Premise and In Citrix Cloud

Citrix Analytics

Module 15


Learning Objectives

• Introduce Citrix Analytics
• Identify how to set up Citrix Analytics
• Present the dashboards and use of Citrix Analytics


Citrix Analytics Introduction


What is Citrix Analytics?
Product Introduction

• Citrix Analytics is a data collection and data profiling product used to enable Citrix Administrators to support Citrix product deployments through proactive response to threats and performance improvements.
• This data is collected from the following Citrix Products:
  • Citrix Access Control
  • Citrix Content Collaboration
  • Citrix Endpoint Management
  • Citrix Gateway
  • Citrix Virtual Apps and Desktops

Key Notes:
• Citrix Analytics is a growing Citrix Cloud based feature.
• With the release of this course, the products currently supported are:
  • Citrix Access Control
  • Citrix Content Collaboration
  • Citrix Endpoint Management
  • Citrix Gateway
  • Citrix Virtual Apps and Desktops


How Does Citrix Analytics Operate?

• Citrix Analytics uses Machine Learning (ML) algorithms to detect elements within deployed Citrix products:
  • User behavior
  • User session troubleshooting
  • Operational metrics
• After these ML algorithms identify these data sets, Citrix Analytics aggregates the data and creates a profile.
• These profiles provide visibility into user behavior and context, so that Citrix Administrators can more accurately focus their efforts on the Citrix product deployment to mitigate threats in the network.

Key Notes:
• Citrix Analytics Profiles contain information about the users connecting to, using or traversing the supported Citrix products.
• Some examples of the information inside a profile include:
  • Devices
  • Files
  • Locations
• This data can be used to give Citrix Administrators visibility into a user’s logon session to proactively monitor and troubleshoot any issues that arise.
• As a result of this gained visibility, Citrix Administrators can now retune or restructure a deployment to address these issues.


Citrix Analytics Gathered Data Insights
The data gathered by Citrix Analytics provides insights to assist the Citrix Administrator in identifying and proactively managing the deployed Citrix products.

• Security Analytics Insight
  • Provides visibility into user and entity behavior.
  • Allows the Citrix Administrator to distinguish between normal user behavior and that of a malicious attacker.

• Performance Analytics Insight
  • Provides visibility into user session details.
  • Allows the Citrix Administrator to proactively monitor and troubleshoot issues during a session.
  • Gives visibility into logon duration and network latency.

• Operations Analytics Insight
  • Provides visibility into user activities, such as websites visited and bandwidth spent.
  • Allows the Citrix Administrator to proactively monitor bandwidth use, and detect threats such as malware or phishing sites.


Citrix Analytics Data Logs

• Citrix product logs are transmitted securely to Citrix Analytics.
• Citrix Analytics analyzes the logs and stores them on a customer’s database.
• These logs are retained for a maximum of 396 days, including:
  • User risk profiles
  • User risk score details
  • User risk event details
  • User watch list
  • User actions
  • User profiles
• Citrix Analytics deletes the entire customer database after 90 days of expiration of a Citrix Analytics subscription or trial period.


Citrix Analytics Integration

• Citrix Analytics is a Citrix Cloud based product.
• Citrix Analytics can be used with both:
  • Citrix Virtual Apps and Desktops On-Premise/Public cloud deployments
  • Citrix Cloud Citrix Virtual Apps and Desktops Service subscription.
• On-Premise/Public cloud deployments require a subscription to Citrix Workspace, in order to enable Citrix Analytics


Lesson Objective Review

What Citrix Cloud pre-requisite must be met to enable Citrix Analytics with an on-premises Citrix Virtual Apps and Desktops deployment?

A Citrix Workspace subscription in Citrix Cloud.


Prepare to Use Citrix Analytics


System Requirements
Citrix Analytics Management Console Access, Integration with Citrix Virtual Apps and Desktops

• Management Console Access
  • Requires one of the supported web browsers:
    • Google Chrome (latest version)
    • Mozilla Firefox (latest version)
    • Microsoft Edge (latest version)
    • Internet Explorer (version 11)
    • Apple Safari (latest version)

• Citrix Virtual Apps and Desktops Service in Citrix Cloud
  • Requires subscription to Citrix Virtual Apps and Desktops service
  • Receiver or Citrix Workspace App

• Citrix Virtual Apps and Desktops On-Premises or in Public Cloud
  • Requires Citrix Virtual Apps and Desktops 7.16 (or later) deployment
  • Receiver or Citrix Workspace App
  • Subscription to Citrix Workspace
  • Adding the above deployed Site to Workspace

Key Notes:
• Consult Citrix online documentation for the latest requirements in versions for Receiver and Citrix Workspace App.
• At the time of this course release, the versions for HTML5, Chrome, Android, Mac, Windows, etc. are all listed in the online documentation with the notes for specific supported features.

Additional Resources:
• System Requirements Online Documentation: https://docs.citrix.com/en-us/citrix-analytics/system-requirements.html


How to Enable Citrix Analytics?

1. Sign in to Citrix Cloud (https://citrix.cloud.com).
2. Get access to Citrix Analytics.
  • Workspace Premium subscription
  or
  • Subscribe to Citrix Analytics
3. Log On to Analytics.
4. Set up a Data Source.

[Diagram: the Citrix Administrator signs in to Citrix Cloud (1), obtains access through a Workspace Premium subscription or a Citrix Analytics subscription (2), logs on to Citrix Analytics Management (3) and adds Citrix Virtual Apps and Desktops as a data source (4)]

Key Notes:
• Citrix Analytics requires a Citrix Cloud account.
• There are three ways to get access:
  • Use an existing Workspace Premium subscription
  • Subscribe to Citrix Analytics
  • Request a Citrix Analytics trial
• After accessing Citrix Analytics, it must be enabled on the supported deployed Citrix products by adding Data Sources.

Additional Resources:
• Sign in to Citrix Analytics: https://docs.citrix.com/en-us/citrix-analytics/getting-started/sign-in-to-analytics.html


Data Sources
Introduction and Examples

Citrix Analytics Data Source Introduction
• A Citrix Analytics Data Source is any supported Citrix product that is associated with a Citrix Cloud account.
• After associating a Data Source with Citrix Analytics, the Analytics feature must explicitly be enabled in order for Citrix Analytics to process any data.

Data Source Examples
• Citrix Cloud Data Sources include:
  • Citrix Access Control
  • Citrix Content Collaboration
  • Citrix Endpoint Management
  • Citrix Gateway
  • Citrix Virtual Apps and Desktops
• On-Premises Data Sources include:
  • Citrix Gateway
  • Citrix Virtual Apps and Desktops


Enable the Citrix Virtual Apps and Desktops Data Source

• Citrix Analytics automatically discovers a Citrix Virtual Apps and Desktops Service Subscription.
• This discovery presents itself to the Citrix Administrator as a Site card within the Citrix Analytics UI page, under Get Started > Settings > Data Sources.
• To enable Citrix Analytics, use the Site card and click on the Turn On Data Processing button.
• For Citrix Virtual Apps and Desktops on premise or public cloud deployments, subscribe first to either Citrix Workspace Premium or directly to Citrix Analytics.
• Any on premise or public cloud deployed Sites that are added to Workspace are automatically discovered by Citrix Analytics just as above.
• The process to enable is the same, once the Data Source has been added.

Additional Resources:
• Add the Citrix Virtual Apps and Desktops Data Source: https://docs.citrix.com/en-us/citrix-analytics/getting-started/virtual-apps-desktops-data-source.html


Citrix Analytics UI
Quick Navigation Tips

• Top Bar
  • Security: user behavior analytics visibility
  • Performance: app performance data visibility
  • Operations: network operations data visibility
• Settings Menu
  • Access Rules
  • Access Data Sources
  • Audit Log
    • Will list all events generated on Citrix Analytics


Lesson Objective Review

Which menu option in the Citrix Analytics UI allows Citrix Administrators to add a data source?

Settings menu, under Data Sources.


Types of Analytics


Three Types of Analytics

Introduction
• There are three types of analytics.
• Each is accessible within the top bar of the Analytics UI.
  • Security
  • Performance
  • Operations

Key Notes:
• Citrix Analytics is a growing Citrix Cloud based feature.
• With the release of this course, the products currently supported are:
  • Citrix Access Control
  • Citrix Content Collaboration
  • Citrix Endpoint Management
  • Citrix Gateway
  • Citrix Virtual Apps and Desktops


Security Analytics
Threats From Within

• Security officers no longer look to the outside, because users within the network may have internet access and could be a threat to the company from within.
• Security analytics has three dashboards that provide security officers with visibility into user behavior based on indicators identified across users, endpoints, network traffic and files.
  • User dashboard
  • User access dashboard
  • App access dashboard
• Security officers must monitor and identify events that are potentially suspicious.


Security Analytics Terminology

Term: Definition
• Discovered Users: Users in the company that have been discovered by Citrix Analytics.
• Risk Score: A value on a scale of 1 – 100 that Citrix Analytics uses to indicate the level of risk a user poses to the network over a specific period of time.
• Risky Users: Users determined by behavior such as the sites they visit, ranked as High, Medium and Low risk.
• Risk Indicators: Help to determine the user’s risk score by spanning all data sources; an indicator is triggered when user behavior is identified as deviating from normal.
• Watchlist: A list of users chosen to be watched for potential threats.
• Rules: Allow the Citrix Administrator to customize and automate the process of applying an action, such as disabling a user.
• Actions: Enable the Citrix Administrator to respond to suspicious events to prevent them from happening again.


Security Analytics Dashboards
Three Dashboards

• User Dashboard
  • The launching point into user behavior analysis and threat prevention.
  • Gives visibility into user-behavior patterns across an organization.
  • Allows proactive monitoring, detection and flagging of not-normal behavior.

• User Access Dashboard
  • Summarizes the number of risky domains accessed.
  • Summarizes the volume of data uploaded and downloaded by users.

• App Access Dashboard
  • Summarizes the details of domains, URLs and apps accessed by users.


Self-Service Search for Access Data

• Citrix Administrators can use the Self-service Search by clicking on the Event Search button.
• Self-service search gives insight into access details of the users in the organization that have access to the Citrix Access Control Service.
• The self-service search page features include:
  • Facets
  • Search box
  • Time Selector
  • Timeline details
  • Event data

Key Notes:
• Use Facets to filter user data.
• Use the search box to enter user queries and filter data.
• Use Time selector to select the time period.
• Use Timeline details to view the event graphs.
• Use Event data to view the events.

Additional Resources:
• Self-service Search for Access Data: https://docs.citrix.com/en-us/citrix-analytics/security-analytics/self-service-search.html


Operations Analytics
Provides Citrix Administrators with an overview of the number of domains

• Operations Analytics provides an overview of the total number of domains accessed by users in the network.
• Gives visibility into the amount of data uploaded or downloaded from each domain.
• Operations Analytics has two dashboards:

User Operations Dashboard
Provides Visibility via:
• Top users by transactions
• Top users by data download volume

App Operations Dashboard
Provides Visibility via:
• Top domains by access
• Top domains by data download volume
• Top categories by access
• Top categories by data download volume


Audit Logs

Audit Logs Use
• Audit Logs describe audit information for events generated on Citrix Analytics.
• Audit Logs are retained for the last three months.
• Audit logs are refreshed every time a new event is generated.

Activities that Trigger Audit Events
• When a configuration is added, deleted or updated, the event is written to an audit log.
• Activities that trigger audit events:
  • Errors generated
  • Transmission turned on or off
  • Data source added or removed
  • Rules created
  • Rules updated
  • Rules deleted

Key Notes:
• Audit Logs give Citrix Administrators visibility to review any event on Citrix Analytics.
• Using the Audit log page, data can be filtered using one of the following filters:
  • Events
    • Events are either system generated or configurations applied by a Citrix Administrator.
    • Events can represent errors such as a failed attempt to apply an action or a failed data source.
    • By default log viewing displays all events, but the view can be filtered on the type of event targeted.
  • Date and Time
    • Provides the context for when an event occurs.
    • Can be filtered for a specific period.
    • Events can be viewed for the current day, last seven days, last fifteen days, last month and last three months.
  • Product
    • Gives visibility into the aggregated Analytics by product.
  • Data Source
    • The name of the product added as the data source.
  • By Admin
    • Gives visibility into the Citrix Analytics administrator who performed admin activities.

Additional Resources:
• Audit Logs: https://docs.citrix.com/en-us/citrix-analytics/managing-citrix-analytics/audit-logs.html


Lesson Objective Review

What is the retention period of Citrix Analytics Audit Logs?

3 Months


Key Takeaways

• Citrix Analytics provides insight on actionable user driven behavior across the network using Key Citrix Product Systems.
• Citrix Analytics for Citrix Virtual Apps and Desktops supports both the Citrix Cloud Service and the on premise/public cloud deployments, provided prerequisites are met.
• The Citrix Analytics UI has multiple dashboards for giving Citrix Administrators visibility into user network behavior and how to action defense to comply with security practices.

