WHITE PAPER | XenApp 6

www.citrix.com

Smart Auditor 1.3 Installation
and Configuration
XenApp6
2

Table of Contents
Smart Auditor Overview..............................................................................................................................................3
Components ...........................................................................................................................................................3
Communication ......................................................................................................................................................3
Deployment Notes ..................................................................................................................................................3
Provisioning and Cloning .........................................................................................................................................3
Installation .................................................................................................................................................................4
System Requirements .............................................................................................................................................4
SmartAuditor Database .......................................................................................................................................4
SmartAuditor Server ............................................................................................................................................4
SmartAuditor Policy Console ................................................................................................................................4
SmartAuditor Agent.............................................................................................................................................4
SmartAuditor Player ............................................................................................................................................5
Installation Components .........................................................................................................................................5
Database Installation ...........................................................................................................................................5
SmartAuditor Server Installation ..........................................................................................................................7
SmartAuditor Agent........................................................................................................................................... 11
SmartAuditor Player .......................................................................................................................................... 12
Configuration ........................................................................................................................................................... 14
Appendix A Securing with SSL/HTTPS ...................................................................................................................... 15
Appendix B Smart Auditor Player Error .................................................................................................................... 19
Appendix C Creating Policies................................................................................................................................... 20


3

Smart Auditor Overview
This guide is to assist in setting up a Smart Auditor 1.3 deployment with XenApp 6. It is assumed you have a running SQL
2008 Server and XenApp 6 server already running. Four servers and one workstation are used in this guide.
1. DC1.jc.lab Domain Controller and Certificate Authority
2. SQL.jc.lab 2008 SQL Server SP2
3. XA6.jc.lab XA6
4. SA.jc.lab Smart Auditor Server
5. W7.jc.lab Windows 7 Workstation running Online Plugin and Smart Auditor Player
All servers in this guide are running Windows Server 2008 R2.
Components
SmartAuditor Agent A component installed on each XenApp server to enable recording. Responsible for recording
session data
SmartAuditor Server A server that hosts
o The broker An IIS hosted Web Application that handles the search queries and file download requests from
the SmartAuditor player, handles policy administration requests from the SmartAuditor Policy Console, and
evaluates recording policies
o The Storage Manager A windows service that manages the recorded session files received from each
SmartAuditor-enabled computer running XenApp.
Communication
Communication between SmartAuditor components is achieved through IIS and Microsoft Message Queuing (MSMQ).
IIS provides the web services communication link between each SmartAuditor component. MSMQ provides a reliable
data transport mechanism for sending recorded session data from the SmartAuditor Agent to the SmartAuditor server.
Deployment Notes
Configure server certificates for SSL/HTTPS
SQL server requires TCP/IP to be enabled and SQL Server Browser service to be running and Windows
Authentication.
It is recommended to disable session sharing when using SmartAuditor because session sharing for published
applications can conflict with active policies. SmartAuditor matches the active policy with the first published
application that a user opens.
Provisioning and Cloning
If you are planning to use provisioning services with XenApp you must prepare the server with the XenApp Server
Configuration Tool. This tool is included with the installation media, but there is an updated version of the tool that can
be downloaded from http://support.citrix.com/article/ctx124981. This tool will prepare MSMQ to be unique for each
XenApp server so there are no problems with the Message Queuing service.
XenApp 5 can use the XenApp prep tool to configure the server for provisioning and cloning.
Note: Failure to do this step could result in recordings being lost.
4

Installation
SmartAuditor supports multiple configurations. All administration components can be instal led on one server if desired.
This guide will use four servers and one workstation consisting of a SQL server, SmartAuditor Admin server, a XenApp 6
server and a Windows 7 workstation.
System Requirements
SmartAuditor Database
Supported Operating Systems:
Mi crosoft Wi ndows Server 2008 R2
Mi crosoft Wi ndows Server 2003 wi th Servi ce Pack 2
Mi crosoft Wi ndows 2000 wi th Servi ce Pack 4
Requirements:
Mi crosoft SQL Server 2008 (Enterpri se and Express)
Mi crosoft SQL Server 2005 (Enterpri se and Express wi th Servi ce Pack 2)
.NET Framework 3.5
SmartAuditor Server
Supported Operating Systems:
Mi crosoft Wi ndows Server 2008 R2
Requirements:
.NET Framework Versi on 3.5
Mi crosoft Message Queui ng (MSMQ), wi th Acti ve Di rectory i ntegrati on di sabl ed, and MSMQ HTTP support enabl ed
SmartAuditor Policy Console
Supported Operating Systems:
Mi crosoft Wi ndows Server 2008 R2
Mi crosoft Wi ndows 7
Mi crosoft Wi ndows Vi sta
Requirements:
Instal l the Mi crosoft IIS Management Consol e manual l y before i nstal ling the Smart Audi tor Pol i cy Consol e
Mi crosoft IIS Management Consol e
SmartAuditor Agent
Supported Operating Systems
Wi ndows Server 2008 R2 XenApp Server
Requirements:
XenApp 6 Pl ati num
.NET Framework 3.5
5

Mi crosoft Message Queui ng (MSMQ), wi th Acti ve Di rectory i ntegrati on di sabl ed, and MSMQ HTTP support enabl ed.
SmartAuditor Player
Supported Operating Systems
Mi crosoft Wi ndows XP
Mi crosoft Wi ndows Vi sta
Mi crosoft Wi ndows 7
Installation Components
1. SmartAuditor Administration The SmartAuditor administration components are the SmartAuditor Database,
SmartAuditor Server, and SmartAuditor Policy Console.
2. SmartAuditor Agent for Citrix XenApp The SmartAuditor Agent must be installed on a server running XenApp
3. SmartAuditor Player The SmartAuditor Player is installed on one or more workstations for users who view
session recordings.
Database Installation
In this case the database installation will be installed on a 2008 SQL Server SP2 running on Windows Server 2008 R2.
Launch the SmartAuditor Administration setup. On the Select Features screen deselect Citrix SmartAuditor Policy
Console and Citrix SmartAuditor Server. The only component needed is Citrix SmartAuditor Database.

On the Database Configuration screen you must enter the account that will access the database and the Database
Instance.
6


The accessing user account is the name of the SmartAuditor server. This should be in the format as shown in the
installer window domain\<machine-name>$. In this case, the SmartAuditor server will be SA$ and the database is the
hostname of the SQL Server. You could also enter localhost. If a named instance is used, the Database instance should
be in the format hostname\instance-name.
The installation will create the new SmartAuditor database and add the machine account as DB_OWNER.
Domain\machine$ of
Smart Auditor Broker
SQL Server Hostname
7



SmartAuditor Server Installation
Roles - IIS
There are a few prerequisites that must first be installed before running the SmartAuditor Server installation. Open
Server Manager and add the IIS Role. Select the following options:
8


Application Development:
ASP.NET (more components wi l l be automati cal l y sel ect, cl ick add requi red rol es to accept)
Security:
Wi ndows Authenti cati on
Management Tools:
IIS 6 Management Compati bi l ity
o IIS 6 Metabase Compati bi l i ty
o IIS 6 WMI Compati bi l i ty
o IIS 6 Scri pti ng Tool s
o IIS 6 Management Consol e
Roles Application Server
Application server is needed to install the .NET Framework. Select .NET Framework 3.5.1
Features MSMQ
In addition to the IIS role you must install the Message Queuing Feature. Using Server Manager you must add the MSMQ
Feature with the following options:
9


Message Queuing
Message Queuing Server
HTTP Support
You will once again be prompted for additional requirements, accept additional requirements to continue.
Once the prerequisites are installed you can launch the SmartAuditor installation. In this case you will deselect Citrix
SmartAuditor Database from the installation wizard.
10


On the next screen the database instance is the name of your SQL server. If you are using a named instance you must
enter hostname\instance-name.

SQL Server Hostname
11

SmartAuditor Agent
The SmartAuditor Agent should be installed on XenApp servers that you wish to record sessions. You must first install
.NET Framework 3.5 and MSMQ on the XenApp Server. Use the Server Manager to add MSMQ. .NET Framework should
already be installed from the XenApp installation. The agent will be installed on XA6.
Launch the installation wizard and enter the host name of the Smart Auditor server.
Note: You must launch the agent install from the XA6 install wizard rather than browsing for the MSI file direct .

The default installation of SmartAuditor uses HTTPS/SSL to secure communications. At this point SSL is not configured.
To use HTTP, you must deselect SSL in the IIS Management Console.
Open the IIS Management Console and navigate to the SmartAuditorBroker site. Open the SSL settings and uncheck the
box for Require SSL
Later in this guide a Server Certificate will be created to secure traffic is SSL.
12


Open the SmartAuditor Agent properties from the Start Menu and click the Connections tab. Verify the SmartAuditor
Server name is correct and change the SmartAuditor Broker Protocol to HTTP.
SmartAuditor Player
The SmartAuditor Player can be installed on the SmartAuditor server or another workstation in the domain. In this case
the player will be installed on a Windows 7 workstation.
There are no special configurations to install the SmartAuditor player. Click through the wizard until the installation
completes. Once the installation is complete, configure the player to point to the SmartAuditor Server.
Launch the SmartAuditor Player. Select Tools > Options. On the connections tab, enter the hostname for the
SmartAuditor Server and the desired protocol. By default SmartAuditor is configured to use HTTPS/SSL to secure
communications. At this point there is no Certificate so you must select HTTP. The site should already be configured for
HTTP at this point. Later in the guide we will configure server certificates.

Click on the Binoculars to search for recorded and/or live sessions.
13


If you receive the following error it is because you did not grant access rights to view recordings:

Open the SmartAuditor Authorization Console on the SmartAuditor Server. Right click on the Player under Role
Assignments and add your Active Directory Account.

Once added you should see your users/groups populated.

Connect back to your SmartAuditor Player and click the binoculars again. You will now be able to view session
recordings.
14

Configuration
To start using SmartAuditor you have to configure a policy. SmartAuditor uses one active policy. Open the SmartAuditor
Policy Console on the SmartAuditor Server. Enter the Hostname and Protocol for the SmartAuditor Server. At this point
we are still using HTTP for the protocol.

Right click the policy Record everyone with notification to active this policy.

Launch a published application to the XenApp server. You should receive the following notification:

You will now see a live session in the SmartAuditor Player.

15

Appendix A Securing with SSL/HTTPS
In most cases it will be desired to secure the IIS and MSMQ traffic for security reasons. This example will use IIS to
generate a server certificate that will be sent to the domain controller/certificate authority for signing.
Generate the Server Certificate Request
To generate the Server Certificate open the IIS Management Console on the Smart Auditor Server. Click the server name
in the left column.

Double click on Server Certificates.

Under Actions select Create Certificate Request

Use the wizard to create the signing request. The common name should be the FQDN of the Smart Auditor server.
16


Click next and use the defaults and then save the certrequest.txt to the local file system. Open the cert request with
notepad and copy the text.
Open your browser and point to your Certificate Authority. In this case it is http://dc1/certsrv.
1. Click Request a Certificate
2. Click Advanced Certificate Request
3. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request
by using a base-64-encoded PKCS #7 file
4. Paste the certificate request data into the text field
5. Set Certificate Template to Web Server and submi t
6. Download the certificate
Go back to the IIS Management Console and select Complete Certificate Request. Use the certificate that was just
downloaded to the local file system. Enter whatever you wish for the friendly name.
Now that the cert is installed, the binding must be created in the IIS Management Console. Click on the Default Web
Site and then click on Bindings in the Actions column.
Click on Add and select https. Select the certificate that was just created by looking at the friendly name.
17


There should now be two bindings present.

You can now re-enable the setting to require SSL on the Default Website or the Smart Auditor Website.

Launch the Smart Auditor Policy Console again and select HTTPS this time.
18


Go back to the XenApp server and open the Smart Auditor Agent properties. Change the Smart Auditor Broker protocol
and Message Queuing to HTTPS. Be sure to use the FQDN of the Smart Auditor Broker.

The service will restart after making the change.
The Smart Auditor Player should also be configured to use HTTPS at this point. Start a new session and open the Smart
Auditor Player to verify that the recordings are working.

19

Appendix B Smart Auditor Player Error
If you attempt to play a recording from the Smart Auditor Player and get the following error:

You must configure the Smart Auditor Player to accept new client versions. This can be done by editing the following
configuration file.
C:\Program Files\Citrix\Smart Auditor\Player\bin\SmartAudPlayer.exe.config.
There are settings for different client. In this case, just change the windows client to a higher version.
<add key = Windows value=12.1 />
This will allow sessions recorded from the 12.1 plugin to be played. You can increase this value to whatever you like.

20

Appendix C Creating Policies
You may decide that the generic policy to record everything does not fit your organization or requirements well. Polices
can be configured based on users, servers, and applications.
To create a new recording policy, open the Smart Auditor Policy Console.
1. Right click on Recording Policies and select Add New Policy


2. Right click on New policy and click on Add New Rule
3. Select Enable Session Recording with Notification and click Next



4. Check the box for Published Applications and then click the hyperlink for Select Published Applications

21



5. Click on Farms and the click on Add Farms
6. Enter the server name of any XenApp 6 server, in this case (XA6)
7. Click on Connect. The farm should be enumerated
8. Click close and then you should see a list of published applications
9. Add Notepad from the list of applications

22



10. Click OK and then click Finish
11. Right click on the policy and select Activate. You can also rename the policy if desired.
12. Test again by launching a published notepad
Note: A policy can contain many rules, but there can only be one active policy running at a time.