XD7 Document

Citrix XenDesktop 7
Citrix XenDesktop 7
1
Citrix XenDesktop 7
2
Citrix XenDesktop 7
3
Citrix XenDesktop 7
1. Overview
The Citrix XenDesktop 7 provides a unified framework for

developing a virtual desktop and application solution. The
framework provides a foundation to understand the technical
architecture for the most common virtual desktop/application
deployment scenarios.
At a high-level, a virtual desktop solution is based on a unified and

standardized 5-layer model.
1. User Layer Defines the unique user groups and overall
requirements
2. Access Layer Defines how a user group will gain access to their
resources. Focus on secure access policies and desktop/application
stores.
3. Resource Layer Defines the virtual desktops and applications
assigned to each user group
4. Control Layer Defines the underlying infrastructure required to
support the users accessing their resources
5. Hardware Layer Defines the physical implementation of the
overall solution
The XenDesktop 7 details the recommended architecture for the

4
Citrix XenDesktop 7
three most common scenarios:
1. A standardized desktop environment
2. A fully customizable desktop environment
3. Applications
Even though focus is also on these three common scenarios,

XenDesktop 7 supports additional models, including:
1. Remote access to a users physical desktop, explained in
Appendix: Remote PC
2. Improved management of traditional desktops, explained in
Appendix: XenClient
5
Citrix XenDesktop 7
1.1 Conceptual Architecture
When put into practice, the 5-layer virtual desktop model results in a
conceptual architecture like the following:
Based on the conceptual architecture, the following can be

discerned:
o Factory Line users utilize thin clients and directly access the
desktop and app store where they receive a shared desktop based on
Windows 2012, delivered with Machine Creation Services having a
set of pre-installed applications appropriate for their role.
o Engineers, using corporate owned dev ices, directly access a
Windows 7 personal desktop with a standard set of applications and
the ability to install their own applications.
o Executives use multi-form factor devices (smartphones,
tablets, etc) to access the environment remotely through NetScaler
6
Citrix XenDesktop 7
Gateway, which delivers their resources via the store, which are on-
demand apps.
As can be seen, each user group has a specific set of requirements

that XenDesktop 7 delivers, some that goes beyond the traditional
VDI solution, but all integrated into a single architecture.
Note: The three virtual desktop models identified within the

conceptual architecture do not constitute the complete scope of
XenDesktop. Additional virtual desktop models are defined within
the Appendix.
7
Citrix XenDesktop 7
Detailed Architecture
1.2 Assign FlexCast Models
As with physical desktops, it is not possible to meet every user requirement with a single virtual
desktop type. Different types of user need different types of desktop. Some users may require
simplicity and standardization, while others may require high levels of performance and
personalization. Implementing a single desktop virtualization model across an entire organization will
inevitably lead to user frustration and reduced productivity.
Citrix FlexCast offers a complete set of application and desktop virtualization technologies that have
been combined into a single integrated solution. Because each FlexCast model has different
advantages and disadvantages, it is important that the right model is chosen for each user group within
the organization.
There are five FlexCast models available, the advantages and disadvantages of each model are
described below:
Hosted shared With the hosted shared FlexCast model, multiple user desktops are hosted on
a single server-based operating system and provisioned using Machine Creation Services or
Provisioning Services. The hosted shared desktop model provides a low-cost, high-density
solution, however applications must be compatible with a multi-user server based operating
system. In addition, because multiple users are sharing a single operating system, users are
restricted from performing actions that negatively affect other users, for example installing
applications, changing system settings and restarting the operating system. There is also the
potential that a single user could consume an unfair share of resources, which may negatively
affect other users. The hosted shared FlexCast model is provided by Citrix XenDesktop in
combination with Microsoft Remote Desktop Services (RDS).
Hosted VDI The hosted VDI FlexCast model provides each user with a desktop operating
system. Hosted VDI desktops are less scalable than hosted shared desktops because each user
requires their own operating system. However, hosted VDI desktops remove the requirement that
applications must be multi-user aware and support server based operating systems. In addition,
the hosted VDI model provides administrators with a granular level of control over the number
of virtual processors and memory assigned to each desktop. The hosted VDI model is provided
by Citrix XenDesktop, and offers the following sub categories:
Random / Non-Persistent Desktops are based on a single master image and provisioned
using Machine Creation Services or Provisioning Services. Users are dynamically connected to
one of the desktops in the pool each time they logon. Changes to the desktop image are lost upon
reboot.
Static / Non-Persistent Desktops are based on a single master image and provisioned using
Machine Creation Services or Provisioning Services. Users are allocated a virtual desktop on
first access. Once assigned, users will always be connected to the same virtual desktop. Changes
to the desktop image are lost upon reboot.
Static Persistent Desktops are based on a single master image and provisioned using
Machine Creation Services or Provisioning Services. Users are allocated a virtual desktop on
first access. Once assigned, users will always be connected to the same virtual desktop. Changes
to the desktop are stored in a personal vDisk and retained between reboots. Desktops with a
8
Citrix XenDesktop 7
personal vDisk cannot be shared between multiple users; each user requires their own desktop. If
high availability is required, the personal vDisk must be stored on shared storage.
Remote PC Physical desktops that have already been deployed. These desktops must be
managed manually or with 3rd party desktop management tools.
Streamed VHD Desktops are based on a single master image and provisioned using
Provisioning Services. The streamed VHD FlexCast model allows Windows XP, 7 and 8
desktops to be run locally on the users desktop computer. Streamed VHD is a great solution for
high-end workstations because it allows them to leverage local processing power. Streamed
VHD requires a LAN connection to be in place between the desktop and the provisioning servers
and changes to the desktops are lost upon reboot.
Local VM Windows XP, 7, and 8 desktops running locally within a hypervisor. The virtual
desktop image is completely delivered to the hypervisor to allow for offline connectivity. Citrix
XenClient is used to provide the Local VM FlexCast model.
On demand apps The On-Demand Apps FlexCast model does not provide users with a
virtual desktop; instead Windows applications are centralized in the datacenter, and instantly
delivered via a high-speed protocol (requires connection) or streamed (offline support) via
Microsoft App-V.
User Image
Virtual / Desktop to User
FlexCast Model Installed Delivery Access
Physical Ratio
Apps Technology
Hosted shared: Non- Physical /
No MCS / PVS HDX 1 : Many
Persistent Virtual
Random /
Non- No MCS / PVS Virtual HDX 1 : Many
Persistent
Hosted
Static /
VDI:
Non- No MCS / PVS Virtual HDX 1:1
Persistent
Static /
Yes MCS / PVS Virtual HDX 1:1
Persistent
Remote PC Yes Installed Physical HDX 1:1
Streamed VHD No PVS Physical Local 1:1
Virtual
Local VM Yes XC Local 1:1
(XenClient)
Physical /
On demand apps No MCS / PVS HDX 1 : Many
Virtual
The high-level design for a standard virtual desktop solution is fairly straightforward by following
the 5- layer model, which guides an organization to define the user groups before determining how
they will access their resources. Once these aspects are defined, the design is finalized by detailing
how the solution is controlled and managed and how the hardware will support the defined
solution.
9
Citrix XenDesktop 7
2. User Layer
Aligning the user requirements with an appropriate virtual desktop is the initial step in creating a
virtual desk top solution.
Most environments typically have more than one type of user group with different requirements
that must be met. However, even though there are many user groups within an organization, a large
majority often fit into one of the three distinct scenarios, which are identified in the following table:
Users need Users Endpoints Common IT

access to include include location(s) Delivers
include
A Factory line Thin clients Local, trusted Hosted
standardized workers PCs (new and network Shared
desktop Retail clerks old) desktops
Bank tellers Kiosks
environment
Nurses station
users
Call centres
A fully Office Workers Thin clients Local, trusted Personal
customizable Consultants PCs (new and network or VDI
desktop Engineers old) Remote, un- desktop
Laptops trusted network
environment
Applications Road Warriors Tablets Local, trusted On
Executives Smartphone network or Demand
Laptops Remote, un-trusted Apps
network
Most organizations will likely deploy a mixture of fully featured clients as well as thin clients. It is
important to focus on multiple user group attributed in order to best determine the type of endpoint
that should be deployed:
Business
Endpoint Mobility FlexCast Security
Drivers
Agility
Hosted
Better
Local shared
desktop
Thin clients Roaming Hosted VDI High
management
local On demand
Increased
apps
security
Desktop PCs Medium

Local Hosted
10
Citrix XenDesktop 7
shared
Hosted VDI
Remote PC
Roaming
Streamed
local N/A existing
VHD
state
On demand
apps
Better
Local
desktop
Desktop PCs Roaming
Local VM management High
with XenClient local
Increased
Mobile
security
Hosted
Local shared
BYOD
Roaming Hosted VDI
Laptops Work from Low
local Remote PC
anywhere
Remote On demand
apps
Better
Local desktop
Roaming management
Laptops with
local Local VM Increased High
XenClient
Remote security
Mobile Work from
anywhere
Hosted
Local
shared BYOD
Roaming
Tablets Hosted VDI Work from Low
local
On demand anywhere
Remote
apps
11
Citrix XenDesktop 7
3. Access Layer
12
Citrix XenDesktop 7
Providing access to the environment includes more than simply making a connection to a resource.
Providing the proper level of access is based on where the user is located as well as the security
policies defined by the organization.
In most environments, tougher security policies are put into place when users access the
environment from a remote, un-trusted network as compared to a local, trusted network. This often
includes tougher authentication policies (like multi-factor authentication) and greater protocol
protection with encryption and encapsulation.
It is important to note that users might access the environment from different locations, requiring
policies to be intelligent enough to detect and respond appropriately. Based on the locations defined
for each user group, the following are the most common access layer recommendations.
Users connecting from Local, trusted Remote, un-trusted

network network
Authentication Point StoreFront NetScaler Gateway
Multi-factor
Authentication Policy Simple authentication authentication
(username and (username, password
password) and token)
Not applicable
Session Policy Mobile and Non-
Mobile
Session Protocol (Profile) ICA ICA Proxy
Authentication for user groups with a mobility requirement of remote or mobile may occur directly on
StoreFront where required. For example, DMZ security policies may prohibit access from the
NetScaler Gateway to the domain, which is required to support SmartCard client certificate
authentication. Access to StoreFront for authentication may then be delivered via a NetScaler
SSL_BRIDGE virtual server, which provides a conduit for https traffic. Typically, the virtual server
would be hosted alongside a NetScaler Gateway on the same NetScaler configured to provide HDX
Proxy access to the virtual desktop environment. Although such a use case may sometimes be
necessary, the recommended best practice is to authenticate external users via a NetScaler Gateway.
13
Citrix XenDesktop 7
3.1 Pre-Authentication Policy
An optional pre-authentication policy may be applied to user groups with NetScaler Gateway as their
authentication point (this design decision is not applicable for non-NetScaler Gateway authentication
points). Pre-authentication policies limit access to the environment based on whether the endpoint
meets certain criteria through Endpoint Analysis (EPA) Scans.
Pre-authentication access policies can be configured to test antivirus, firewall, operating system, or
even registry settings. These policies are used by XenDesktop to control features such as clipboard
mapping, printer mapping and even the availability of specific applications and desktops. For
example, if a user device does not have antivirus installed, a filter can be set to hide sensitive
applications.
The following figure provides an overview of how multiple policies can be used to customize the
features of a virtualization resource:
14
Citrix XenDesktop 7
3.2 Authentication Policy
Once the authentication point has been identified, the type of authentication must be determined. The
following options are the primary methods available:
3.2.1 StoreFront Supports a number of different authentication methods, although not all are
recommended depending on the user access method, security requirements and network location.
User name and password Requires users to logon directly to the site by entering a user name
and password.
Domain pass-through Allows pass-through of domain credentials from users' devices. Users
authenticate to their domain-joined Windows computers and are automatically logged on when
they access their stores.
NetScaler Gateway pass-through Allows pass-through authentication from NetScaler
Gateway. Users authenticate to NetScaler Gateway and are automatically logged on when they
access their stores.
Smart card Allows users to authenticate using smart cards and PINs through Citrix Receiver
for Windows and NetScaler Gateway. To enable smart card authentication, user accounts must
be configured either within the Microsoft Active Directory domain containing the StoreFront
servers or within a domain that has a direct two-way trust relationship with the StoreFront server
domain. Multi-forest deployments involving one-way trust or trust relationships of different
types are not supported.
3.2.2 NetScaler Gateway The NetScaler Gateway supports several authentication methods. The list
below includes those primarily used in virtual desktop environments. Each may be used individually,
but are often combined to provide multi-factor authentication.
LDAP The lightweight directory access protocol (LDAP) is used to access directory
information services such Microsoft Active Directory. NetScaler Gateway uses LDAP to
authenticate users and extract their group membership information.
RADIUS (token) Remote authentication dial in user service (RADIUS) is a UDP based
network security protocol that provides authentication, authorization and accounting. A network
access server (NetScaler Gateway in this case) forwards credentials to a RADIUS server that
can either check the credentials locally, or check them against a directory service. The RADIUS
server could then accept the connection, reject the connection, or challenge and request a second
form of authentication such as a token.
Client certificate Users logging on to a NetScaler Gateway virtual server can also be
authenticated based on the attributes of a client certificate presented to the virtual server. Client
certificates are usually disseminated to users in the form of smartcards or common access cards
15
Citrix XenDesktop 7
(CACs) that are read by a reader attach to each users device.
The authentication type for a user group is often determined based on security requirements as well as
the authentication point used. The following table helps define the appropriate solution for each user
group based on the level of security required:
Initial Mobility LDAP User Pass- LDAP + LDAP + Token +

Authentication Name and through Token Smartcard Smartcard
Point Password
StoreFront Local &
Roaming Medium Medium High High High
Local
NetScaler
Remote Low N/A High High High
Gateway
3.3 Best Practices:
When not required to adhere to security regulations such as Sarbanes Oxley and users
have to non-sensitive data such as marketing catalogues and email Therefore, LDAP
authentication has to be implemented based on user name and password.
Users need to access the confidential data such as banking transaction records. They
are governed by security regulations such as the Statement on Accounting Standards (SAS) 70
and are required to utilize multi-factor authentication for remote access users. LDAP
authentication has to be implemented based on user name and password along with RADIUS
authentication using tokens.
Users need to access the highly confidential data such as private citizens personal
records. They are subject to regulation by Department of Defense (DOD) security standards.
LDAP authentication has to be implemented based on user name and password, along with
Client Certificate authentication using CAC cards.
3.4 Session Policy

Create sessions policies based on the type of Citrix Receiver used
To identify devices session policies, include expressions such as:
Mobile devices The expression is set to REQ.HTTP.HEADER User-Agent
CONTAINS CitrixReceiver which is given a higher priority than the non-mobile device
policy to ensure mobile devices are matched while non-mobile devices are not.
Non-mobile devices The expression is set to ns_true which signifies that it
should apply to all traffic that is sent to it.
16
Citrix XenDesktop 7
3.5 Session Profile

Each session policy must have a corresponding session profile defined (this design decision is not
applicable for non-NetScaler Gateway authentication points). The session profile defines details
required for the user group to gain access to the environment
4.0 Resource Layer

Users need access to their resources, whether those resources are desk tops or applications. The
configuration of the resources must align with the overall needs of the user groups. In order to align
each resource with each user group, the resource is defined across three separate but integrated layers:
4.1 Image
The first part of the image definition is selecting the right operating system, which is based on the
type of desktop IT delivers to the user as well as the standards for the organization.
Shared Remote Desktop Services: Windows 2012 or Windows 2008R2
Virtual Desktop Infrastructure: Windows 8 or Windows 7
Apps on Demand: Windows 2012 or Windows 2008R2
The second aspect of the image definition is the delivery fabric, which is independent of the
selected operating system. XenDesktop 7 includes two integrated solutions focused on providing
different benefits to an organization. These options are:
Machine Creation Services (MCS): Utilizes the hypervisor and storage
infrastructure (local or shared storage) to create unique, thin provisioned clones of a
master image, which can either be a desktop-based OS or a server-based OS. Due to the
focus on simplicity, MCS requires no extra hardware and utilizes functions within the
hypervisor. Due to the simplicity of MCS, it is the recommended option for
deployments that do not require desktop delivery to physical targets.
Provisioning Services (PVS): Utilizes the network infrastructure to deliver
required portions of an image, just-in-time, to a physical or virtual machine with either a
desktop-based OS or a server-based OS. Although PVS does require additional virtual
servers to host the PVS technology, it can save on storage costs reducing read IOPS
across any hypervisor.
4.2 Application Rationalization
17
Citrix XenDesktop 7
To help reduce complexity as well as overall time required, its important to take the time to
consolidate the list of applications. Start by doing an application assessment.
Consolidated applications should be identified within the application assessment.
The following guidelines will help to ensure that your application list is consolidated appropriately:
Multiple versions Different versions of the same application may have been
identified during the inventory. There are various reasons for this, including an inconsistent
patching or upgrade process, decentralized application management, limited licenses and
situations where users require specific application versions for compatibility with other
applications, macros and document formats. Where possible, work with the application owners
to reduce the number of versions required. The best practice is to standardize on a single
version of each application, typically the latest.
Business applications Applications, which are not required by the business, should be
removed from the application inventory to reduce resource requirements and to help simplify
the overall project. Non-business related applications are typically found in an application
inventory when users have been provided with the ability to install their own applications and
typically include games, communication clients, screen savers, peripheral software and media
players.
Legacy applications The inventory may identify legacy applications that have since
been retired or that are no longer required within the business. These applications may not
have been removed from the desktops because there is no established process to do so or
because there are always more high-priority activities to complete. These applications should
be consolidated during the rationalization stage of the application assessment.
Management applications The antivirus, application delivery, monitoring, inventory,
maintenance and backup applications will be completely re-designed across the organization
during the desktop virtualization project. These applications should also be consolidated during
this stage.
4.3 Applications
The most important aspect of the resource layer is the applications, which is what the users are
trying to access. In order to have a successful application delivery solution, the appropriate
applications must be
Installed: The applications are installed in the master image. Even though this
option can result in a greater number of master images if the application sets between
user groups greatly differ, it is the recommended approach due to its simplicity and
familiarity.
Streamed: The applications are dynamically delivered to the virtual/physical
18
Citrix XenDesktop 7
desktop/server when requested, with a solution like Microsoft App-V. This solution
requires new technology and additional infrastructure, but is the most dynamic option
resulting in the fewest number of master images.
User-based: Many applications are not managed or maintained by IT, and are
considered user-based applications. Due to the small percentage of users who use these
applications, it is not justified to make these applications IT-managed applications.
Users who require user-based applications can either
Receive a personal desktop where they can install and maintain their
own set of applications through XenDesktop Personal vDisk technology.
Seamlessly access applications installed on their physical endpoint
within their virtualized desktop session with the use of Local App Access
policy.
4.4 Application Delivery Method

It is unlikely that a single delivery method will meet all requirements; multiple methods will likely be
required to meet the needs of users within the environment. Furthermore, the methods described above
are viable for application delivery, but they create different effects on the virtual desktop in terms of
operation, resource impact and user experience as shown in the following table:
Installed Installed Streamed Hosted VM Hosted

with PVD App
Description Application Applications Executed RDS-based Non-RDS-
s are are installed locally, but applications based
installed on personal not are installed applications
directly on vDisk (hosted installed. on a server are installed
the OS Disk VDI only) streamed on or desktop on a virtual
first use and machine and
executed executed
remotely remotely
User access Every user Individual Only Only Only
authorized users who authorized authorized authorized
to access have installed users users users
the desktop the
image application
Updates Update to Update to Update to Update to Update to
base OS individual application application application on
image applications profile on hosted virtual
desktop or machine
server
Limitations Operating Applications Application Compatibili Only one
System that start s with ty with HDX
dependencie early in the device multi-user connection to
19
Citrix XenDesktop 7
s (Windows Windows driver or windows, each VM host

8 vs. boot phase those that Windows
Windows 7) (for example, start Server
antivirus) services at Operating
boot System
Resource usage Desktop Desktop Desktop Hosting Hosting
servers or desktop
desktops
The following table provides high-level options for application delivery in a virtual desktop
environment:
Base Wide Use Individual/ Resource Technically

Applications Applications Departmental Intensive Challenging
Description Common Applications Applications Heavy system Complex,
apps/utilities used by large installed by requirements extensive
used by all users groups of users individuals or dependencies, or
department requires
managed specialized
configuration
Example Microsoft Corporate Call Centre, CAD/CAM, Healthcare
Office, Adobe developed Sales developer suite management,
Acrobat, applications. applications business
antivirus management
applications
Preferred delivery Installed on Installed or Installed on Installed or Hosted RDS-
model desktop streamed to Personal vDisk streamed to based application
desktop desktop
4.5 Compatibility
Desktop virtualization typically requires significant changes to be made to an organizations

application delivery strategy. For example, many organizations will take the opportunity to upgrade
their desktop operating system and to simplify management by reducing the number of applications
installed into the base image using techniques such as application streaming and seamless
applications. These are significant changes that require comprehensive compatibility testing.
Important compatibility requirements that may need to be verified include:
Desktop operating system If the application is to be streamed or installed into
a hosted VDI desktop, the application must be compatible with the preferred desktop
operating system.
Server operating system Some applications may be more appropriate for
delivery via a hosted shared desktop or published application. In these situations, the
compatibility of the application must be verified against the chosen server operating
system, for example Microsoft Windows Server 2012 R2.
Application architecture It is important to understand whether the application
includes 16-bit, 32-bit or 64-bit code so that an appropriate operating system can be
20
Citrix XenDesktop 7
selected. 16-bit code cannot be executed on a 64-bit operating system.

Interoperability Some applications may experience complications if they
coexist on the same operating system. Possible causes include shared registry hives, dll
files or INI files as well as incompatible dependencies. Application interoperability
issues should be identified so that appropriate remediation steps can be taken or an
alternative delivery model selected.
Application streaming The use of application streaming helps to simplify
image management by reducing the number of applications installed into the base
image. However, not all applications are suitable for streaming because they may install
device drivers, use COM+ or form part of the operating system. Microsoft App-V
limitations will be covered in greater detail in the next section Decision: Application
Streaming.
Note: Citrix Application Streaming is not supported on operating systems running Windows Server
2012 and higher, or Windows 8 and higher. Microsoft App-V is the preferred technology for
streaming applications. If Citrix Application Streaming is currently being used to stream
applications in XenApp 6.x deployments, it will continue to be supported for those environments.
There are three main techniques that can be used to perform the application compatibility testing
component of the application assessment. The advantages and disadvantages of each approach for
compatibility testing the following table:
Approach Time Cost Complexity Interoperabilit Accuracy

Required y
Manual High Low High Limited Low
Pre- Medium Low Medium Limited Medium
verified
Automated Low Medium Low Yes High
tool
Regardless of the approach used, the compatibility testing results should be captured
Pre-requisites Many applications will depend on certain pre-requisites to

function correctly, for example, the Java Runtime Environment, .Net Framework or a
database driver. All essential pre-requisites should be captured during the application
assessment so that an appropriate image design can be created.
21
Citrix XenDesktop 7
Dependent apps Applications may need to interact with each other to provide
the users with a seamless experience. For example, applications that present
information in a PDF format require a suitable PDF viewer to be available. Capturing
application dependencies will help to ensure that an appropriate image design can be
created.
16-bit code The application assessment should determine whether the
applications include any 16-bit code because they cannot be supported on a 64-bit
operating system. There are three classifications available for 16-bit code in the
application assessment worksheet: yes, no and unknown.
Windows 8 Specify whether the application passed compatibility testing for
Microsoft Windows 8. There are six classifications available for Windows 8 in the
application assessment worksheet: yes no remediation, yes low remediation, yes
medium remediation, yes high remediation, no or unknown.
Windows 7 Specify whether the application passed compatibility testing for
Microsoft Windows 7. There are six classifications available for Windows 7 in the
Windows XP Specify whether the application passed compatibility testing for
Microsoft Windows XP. There are six classifications available for Windows XP in the
Hosted shared desktop supported Specify whether the application passed
compatibility testing for running on RDS-enabled server environments. There are six
classifications available for hosted shared desktop supported in the application
assessment worksheet: yes no remediation, yes low remediation, yes medium
remediation, yes high remediation, no or unknown.
Application streaming Specify whether the application passed compatibility
testing for application streaming. There are three classifications available for
application streaming in the application assessment worksheet: App-V, no, or
Unknown.
It is unlikely that all users require all applications. Certain applications may be required by
departments or a small numbers of users within / across departments. Architects need to determine
the optimal way to deliver applications to users, considering the delivery methods available and the
management requirements for various applications. If a large number of applications will be
delivered to a subset of users, a separate image may be required. If a small number of users require
an application, it can be delivered using an alternative delivery method such as installed on a
personal vDisk or streamed.
22
Citrix XenDesktop 7
4.6 Application Streaming
In some circumstances it may be necessary to stream applications which require isolation due to
compatibility issues with the operating system or other technical issues with the application.
XenDesktop 7 supports Microsoft App-V 5.0 as the preferred technology for streaming applications
to user devices.
Not every application is capable of being of being streamed. Microsoft App-V does not support
application streaming for the following type of applications:
Experience from the Field

Communications A large telephone company delivers the majority of its applications using the
installed on desktop model, with images focused on user segmentation. Applications that are used
by only a few users are installed on personal vDisk to allow customization. Applications that are
used by all users, but need isolation from the pooled desktop image are delivered through Microsoft
App-V.
Energy An energy company installs applications on the base image for the majority of users and
streams departmental applications as required.
Limitation Description
Applications that start services App-V requires a logged in user to initiate the
at boot time launch of an application.
Applications that require device App-V cannot virtualize drivers. It is possible to
drivers bypass the issue and install driver locally on the
target computer.
Some user mode device drivers can be virtualized.
Applications that are required by For example, a program that will initiate a
several applications for command and launch another program. Normally
information or access both programs would be included in the same
suite. However, if this application launches or
initiates commands in several applications it may
not be feasible to include all of the applications in
the same suite.
Applications that are a part of Such as Internet Explorer
the OS
Applications that use COM+ Because COM+ is dynamic and happens at
runtime, the App-V Sequencer is not able to
capture this information.
COM DLL surrogate For example, DLLs that run in DLLhost.exe.
virtualization
23
Citrix XenDesktop 7
4.7 16-bit Legacy Application Delivery

There are three options available for delivering 16-bit applications in a XenDesktop environment:
Deploy a 32-bit desktop operating system A 32-bit desktop operating system
is limited to 4GB of RAM, but that is sufficient to support many of the standard
business applications in use today, as well as support the legacy 16-bit applications.
VM hosted app This is the preferred method for delivering legacy
applications that cannot run in a 64-bit operating system, or run in a RDS-enabled
environment. The 16-bit application is installed on a VM running a 32-bit Windows
operating system and made available as a published application. This solution only
allows one HDX connection to the VM at a time, so it is intended for applications
accessed by few users.
XenApp 5 for Windows Server 2008 (x86) The 16-bit application is installed
on a 32-bit XenApp 5 farm running in parallel with XenDesktop 7. This is a common
configuration for organizations migrating away from older versions of XenApp but
having to support legacy applications during the transitioning period.
4.8 Images
When selecting an operating system for each user group, architects need to consider the needs of
the users and their applications as well as the imaging solution selected. Considerations will include
operating system version, architecture, delivery strategy, appropriate policies and how the users and
images are aligned into different sets of delivery groups and machine catalogs.
Operating System for Images
FlexCast Model Windows 7 Windows Windows Windows

8 Server Server
2008 R2 2012
Hosted shared
VDI: pooled-random
VDI: pooled-static
VDI: pooled with PvD
VDI: dedicated
VDI: existing
24
Citrix XenDesktop 7
VDI: physical / remote PC

VDI: streamed
VDI: streamed with PvD
Streamed VHD

Local VM

On demand apps
VM local apps
4.8.1 Operating System Architecture for Images
A key decision during the XenDesktop design is whether to use a 32-bit (x86) or 64-bit (x64)
version of Windows 7 or Windows 8/8.1. Windows Server 2008 R2 and Windows Server 2012/R2
are 64-bit only.
The primary benefit of a 64-bit operating system is that significantly more physical memory can be
assigned to each desktop - 128GB for Windows XP, 192GB for Windows 7 Professional and
512GB for Windows 8. In contrast, 32-bit operating systems are restricted to 4GB of physical
memory.
One disadvantage from choosing a 64-bit desktop operating system is that 64-bit drivers will be
required. Finding 64-bit drivers can be difficult, especially for older peripherals and software.
However the main disadvantage is that 64-bit operating systems cant support 16-bit applications
and most companies still have some 16-bit applications in use. Even 32-bit applications often
include elements of 16-bit code.
If 16-bit applications are required, consider one of the following approaches:
1. Deploy a 32-bit operating system limited to 4GB of RAM for the majority of users. Provide
power users with a 64-bit operating system so that they can be assigned more than 4GB of RAM.
Note: Windows 8 is available in both 32-bit and 64-bit versions.
2. Deploy a 64-bit operating system for everyone and use Microsoft Windows 2008 x86 with Citrix
XenApp 5.0 to deliver 16-bit applications.
Note: XenApp 5.0 will be the last version of XenApp that supports 32-bit Microsoft Server
(Microsoft Server 2008). Windows 2008 R2 or Windows Server 2012 is required for XenDesktop 7
and are 64-bit only. Mainstream support for Microsoft Server 2008 ends on January 13th, 2015.
Extended support ends on January 14th, 2020. End of life (EoL) for XenApp 5 is also January 13th,
2015. Extended support ends on January 14th, 2020.
3. Deploy a 64-bit operating system and use VM Hosted Apps to deliver 16-bit applications from
32-bit desktop operating systems.
4. Deploy a 64-bit operating system and replace or re-engineer all applications to be 32-bit or 64-
25
Citrix XenDesktop 7
bit.
4.9 Personalization
4.9.1 User Profiles

A users profile plays a critical role in determining how successful the user experience is within a
virtual desktop or virtual application scenario. Even a well-designed virtual desktop solution can
fail if users are frustrated due to lengthy logon times or lost settings.
The user profile solution chosen must align with the personalization characteristics of the user
The following
table compares
the key features Local Roaming Mandatory Hybrid
of each profile
type: Feature
Central Functionality Not Functionality Only When Functionality
management / Available Available configured as Available
roams with user Mandatory
Roaming
User settings are Functionality Functionality Functionality Not Functionality
stored Available Available Available Available
persistently
Granular Functionality Not Functionality Not Functionality Not Functionality
configuration Available Available Available Available
Logon Functionality Not Functionality Not Functionality Not Functionality
performance and Available Available Available Available
stability
enhancements
In order to select the optimal profile type for each user group it is important to understand their
personalization requirements in addition to the FlexCast model assigned.
The following table provides guidance on selecting the optimal user profile type:
Local Roaming Mandatory Hybrid

User setting persistence required (personalization characteristic: basic / complete)
Hosted VDI - Not Viable Not Recommended
random Recommended Recommended
Hosted VDI Recommended Viable Not Recommended
Dedicated / for users who use Recommended for users who use
Static with a single virtual more than one
PVD desktop only virtual desktop
Hosted Not Viable Not Recommended
Shared Recommended Recommended
26
Citrix XenDesktop 7
XenClient Recommended Viable Not Viable

Recommended
User setting persistence not required or not desired (personalization characteristic: none)
Hosted VDI - Recommended Not Viable Not
random Recommended Recommended
Hosted VDI Not Not Recommended Not
Dedicated / Recommended Recommended Recommended
Static with
PVD
Hosted Not Not Recommended Not
Shared Recommended Recommended Recommended
XenClient Not Not Recommended Not
Recommended Recommended Recommended
4.9.2 Folder Redirection

While redirecting profile folders, such as user documents and favorites, to a network share is a
good practice to minimize profile size, architects need to be aware that applications may frequently
read and write data to profile folders such as AppData, causing potential issues with file server
utilization and responsiveness. It is important to thoroughly test profile redirection before
implementation in production to avoid these issues. Therefore, it is important to research profile
read / write activities and to perform a pilot before moving to production. Microsoft Outlook is an
example of one application that regularly performs profile read activities as the user signature is
read from the user profile every time an email is created.
The following table provides general recommendations to help identify the appropriate folders to
redirect:
Folder Local Roaming Mandatory Hybrid

Not Not Not Not
Application Data
Recommended Recommended Recommended Recommended
Not Not
Contacts Recommended Optional
Recommended Recommended
Not Not
Desktop Recommended Optional
27
Citrix XenDesktop 7
Not Not
Downloads Recommended Optional
Recommended
for simplified
Recommende backup /
Favorites d for backup Recommended Optional restore and
purposes data sharing
between
profiles
Not Not
Links Recommended Optional
Recommended
for simplified
Recommende backup /
My Documents d for backup Recommended Optional restore and
purposes data sharing
between
profiles
Recommende
My Music d for backup Recommended Optional Optional
purposes
Recommende
My Pictures d for backup Recommended Optional Optional
purposes
Recommende
My Videos d for backup Recommended Optional Optional
purposes
Not Not
Saved Games Recommended Optional
Not Not
Searches Recommended Optional
Not Not
Start Menu Recommended Optional
4.9.3 Folder Exclusion
Excluding folders from being persistently stored as part of a roaming of hybrid profile can help to
reduce profile size and logon times. By default Windows excludes the Appdata\Local and
Appdata\LocalLow folders, including all subfolders, such as History, Temp and Temporary Internet
Files. In addition, the downloads and saved games folders should also be excluded.
4.9.4 Profile Caching

28
Citrix XenDesktop 7
Local caching of roaming or hybrid user profiles on a server or virtual desktop is default Windows
behavior and can reduce login times and file server utilization / network traffic. With profile
caching, the system only has to download changes made to the profile. The downside of profile
caching is that it can consume significant amounts of local disk storage on multi-user systems, such
as a hosted shared desktop server.
Citrix recommends not deleting locally cached profiles for the following scenarios:
For optimizing logon times
Hosted VDI Dedicated / Existing / Physical
Hosted VDI Static with PVD
Hosted VDI Remote PC
Local VM
For optimizing logoff times
Non-persistent virtual desktops and Hosted Shared Desktop servers, with
reboot on logoff or daily reboot.
Citrix recommends deleting locally cached profiles on logoff for the following scenarios to avoid
the proliferation of stale profiles:
Hosted shared provided by persistent hosted shared desktop servers.
Hosted VDI pooled without immediate reboot on logoff.
Configuring the Delay before deleting cached profiles Citrix policy sets an optional extension to
the delay before locally cached profiles are deleted at logoff. Extending the delay is useful if a
process keeps files or the user registry hive open during logoff. This can also reduce logoff times
for large profiles.
4.9.5 Profile Permissions

For security reasons, administrators, by default, cannot access user profiles. While this level of
security may be required for organizations that deal with very sensitive data, it is unnecessary for
most environments and can complicate operations and maintenance. Therefore, consider enabling
the Add the Administrators security group to roaming user profiles policy setting. The
configuration of this policy should be aligned with the security characteristics of the user groups
captured during the assess phase
4.9.6 Profile Path

Determining the network path for the user profiles is one of the most significant decisions during a
user profile design process. In general it is strongly recommended to leverage a redundant and high
performance file server or NAS device.
There are three topics that must be considered for the profile share:
Performance File server performance will effect logon times. For large virtual
desktop infrastructures, a single file server cluster may not be sufficient to handle periods of
peak activity. In order to distribute the load across multiple file servers, the file server address
and share name will need to be adjusted.
29
Citrix XenDesktop 7
Location User profiles are transferred over the network by means of the SMB
protocol, which does not perform well on high-latency network connections. Furthermore,
WAN connections are typically bandwidth constrained, which can add additional delay to the
profile load process. Therefore, the file server should be located in close proximity to the
servers and virtual desktops to minimize logon times.
Operating system platforms User profiles have a tight integration with the underlying
operating system and it is not supported to reuse a single user profile on different operating
systems or different platforms like 64-Bit (x64) and 32-Bit (x86). Windows 2008 and Windows
Vista introduced a new user profile structure, which can be identified by .V2 profile directory
suffix, which makes older user profiles incompatible with newer operating systems such as
Windows 2012, 7 and 8. In order to ensure that a separate profile is used per platform, the
profile directory has to be adapted.
There are two methods that can be used to address these challenges that are based on Windows
built-in technology:
User object For every user object in Active Directory, an individual profile path, which
contains file server name and profile directory, can be specified. Since only a single profile path
can be specified per user object, it is not possible to ensure that a separate profile is loaded for
each operating system platform.
Computer group policy or system variables The user profile path can also be
configured by means of computer specific group policies or system variables. This enables
administrators to ensure that a user profile is dedicated to the platform. Since computer specific
configurations affect all users of a system, all user profiles will be written to the same file server.
To load balance user profiles across multiple servers dedicated XenDesktop delivery groups
have to be created per file server.
Note: Microsoft does not support DFS-N combined with DFS-R for actively used user profiles. For
more information, please refer to the Microsoft articles:
Information about Microsoft support policy for a DFS-R and DFS-N
deployment scenario
Microsofts Support Statement Around Replicated User Profile Data
When using Citrix Profile Management, a third option is available to address these challenges:
4.9.6.1 User object attributes and variables Citrix Profile Management enables the
administrator to configure the profile path by means of a computer group policy using attributes of
the user object in Active Directory to specify the file server dynamically. In order to achieve this,
three steps are required:
1. Create a DNS alias (for example, fileserver1) which refers to the actual file server
2. Populate an empty LDAP attribute of the user object (for example, l or UID) with the DNS Alias
3. Configure Citrix Profile Management by means of GPO to use a profile path which refers to the
LDAP attribute (for example, If attribute UID is used the profile path becomes
\\#UlD#\Profiles\profiledirectory)
30
Citrix XenDesktop 7
In addition, Citrix Profile Management automatically populates variables to specify the profile path
dynamically based on the operating system platform. Valid profile management variables are:
!CTX_PROFILEVER! Expands to v1 or v2 depending on the profile version.
!CTX_OSBITNESS! Expands to x86 or x64 depending on the bit-level of the
operating system.
!CTX_OSNAME! Expands to the short name of the operating system, for
example Win7
By combining both capabilities of Citrix Profile Management, a fully dynamic user profile path can
be created, which can be load balanced across multiple file servers and ensure profiles of different
operating system platforms are not mixed. An example of a fully dynamic user profile path is
shown below:
\\#UlD#\profiles$\%USERNAME%.%USERDOMAIN%\!CTX_OSNAME!!CTX_OSBITNESS!
4.9.6.2 Citrix Profile Management
4.9.6.2.1 Profile Streaming
With user profile streaming, files and folders contained in a profile are fetched from the user store
(file server) to the local computer when a user accesses them. During the logon process, Citrix
Profile Management immediately reports that the profile load process has completed reducing
profile load time to almost zero.
Citrix recommends enabling profile streaming for all scenarios. If it is desired to keep a local
cached copy of the user profile, it is recommended to enable the Always Cache setting and
configure a size of 0. This ensures that the user profile is downloaded in the background and
enables the system to use this cached copy going forward.
Note: Profile streaming is not required and does not work with the personal vDisk feature of Citrix
XenDesktop. Even if explicitly enabled by means of Group Policy, the profile streaming setting is
automatically disabled
4.9.6.2.2 Active Write Back
By enabling the active write back feature, Citrix Profile Manager detects when an application has
written and closed a file and copies the file back to the network copy of the profile during idle
periods. In scenarios where a single user leverages multiple virtual desktops or hosted shared
desktops simultaneously, this feature can be tremendously beneficial. However, Citrix Profile
Management does not copy any registry changes back to the network, except during an ordered
logoff. As such, there is a risk that the registry and files may get out of alignment on provisioned
systems, where locally cached profile information is wiped upon reboot. Therefore, it is
recommended to disable active write back functionality for non-persistent Provisioning Services or
Machine Creation Services scenarios.
31
Citrix XenDesktop 7
4.9.6.2.3 Configuration Approach
Citrix Profile Management can be configured by means of an .ini file, Microsoft Group Policy
and Citrix Policy (Citrix Profile Management 5.0 only). While each option offers the same
configuration settings, Group Policy is recommended because it allows administrators to perform
Windows and Citrix profile configurations from a single point, minimizing the tools necessary for
profile management.
Note: With Citrix Profile Management 5.0, the desktop type is automatically detected and Citrix
Profile Management policies set accordingly. For more information, please refer to Citrix eDocs -
How automatic configuration works.
4.10 User Policies
Citrix policies provide the basis to configure and fine tune XenDesktop environments, allowing
organizations to control connection, security and bandwidth settings based on various combinations
of users, devices or connection types.
When making policy decisions it is important to consider both Microsoft and Citrix policies to
ensure that all user experience, security and optimization settings are considered. For more
information on specific Windows related policies, please refer to the Microsoft white paper - Group
Policy Settings Reference for Windows and Windows Server, specifically settings related to
Windows Server 2008 R2, Windows 7, Windows Server 2012 and Windows 8. For a list of all
Citrix-related policies, please refer to the Citrix Policy Reference spreadsheet.
4.11 Preferred Policy Engine
With XenDesktop 7 organizations have the option to configure Citrix policies via Citrix Studio or
through Active Directory group policy using Citrix ADMX files, which extend group policy and
provide advanced filtering mechanisms.
Using Active Directory group policy allows organizations to manage both Windows policies and
Citrix policies in the same location, and minimizes the administrative tools required for policy
management. Group policies are automatically replicated across domain controllers, protecting the
information and simplifying policy application.
Citrix administrative consoles should be used if Citrix administrators do not have access to Active
Directory policies. Architects should select one of the above two methods as appropriate for their
organizations needs and use that method consistently to avoid confusion with multiple Citrix
policy locations.
4.12 Policy Integration
32
Citrix XenDesktop 7
When configuring policies, organizations often require both Active Directory policies and Citrix
policies to create a completely configured environment. With the use of both policy sets, the
resultant set of policies can become confusing to determine. In some cases, particularly with
respect to Windows Remote Desktop Services (RDS) and Citrix policies, similar functionality can
be configured in two different locations. For example, it is possible to enable client drive mapping
in a Citrix policy and disable client drive mapping in a RDS policy. The ability to use the desired
feature may be dependent upon the combination of RDS and Citrix policy. It is important to
understand that Citrix policies build upon functionality available in Remote Desktop Services. If
the required feature is explicitly disabled in RDS policy, Citrix policy will not be able to affect a
configuration as the underlying functionality has been disabled.
In order to avoid this confusion, it is recommended that RDS policies only be configured where
required and there is no corresponding policy in the XenDesktop configuration, or the
configuration is specifically needed for RDS use within the organization. Configuring policies at
the highest common denominator will simplify the process of understanding resultant set of
policies and troubleshooting policy configurations.
4.13 Policy Filtering
Once policies have been created, they need to be applied to groups of users and/or computers based
on the required outcome. Policy filtering provides the ability to apply policies against the requisite
user or computer groups. With Active Directory based policies, a key decision is whether to apply a
policy to computers or users within site, domain or organizational unit (OU) objects. Active
Directory policies are broken down into user configuration and computer configuration. By default,
the settings within the user configuration apply to users who reside within the OU at logon, and
settings within the computer configuration are applied to the computer at system startup, and will
affect all users who logon to the system. One challenge of policy association with Active Directory
and Citrix deployments revolves around three core areas:
Citrix specific computer policies Citrix servers and virtual desktops often have computer
policies that are created and deployed specifically for the XenDesktop environment. Applying
these policies is easily accomplished by creating separate OU structures for the servers and the
virtual desktops. Specific policies can then be created and confidently applied to only the
computers within the OU and below and nothing else. Based upon requirements, virtual
desktops and servers may be further subdivided within the OU structure based on server roles,
geographical locations or business units.
Citrix specific user policies When creating policies for XenDesktop there are a number of
policies specific to user experience and security that are applied based on the users connection
to the Citrix environment. However, the users account could be located anywhere within the
Active Directory structure, creating difficulty with simply applying user configuration based
policies. It is not desirable to apply the Citrix specific configurations at the domain level as the
settings would be applied to every system any user logs on to. Simply applying the user
configuration settings at the OU where the Citrix servers or virtual desktops are located will also
33
Citrix XenDesktop 7
not work, as the user accounts are not located within that OU. The solution is to apply a
loopback policy, which is a computer configuration policy that forces the computer to apply the
assigned user configuration policy of the OU to any user who logs onto the server or virtual
desktop, regardless of the users location within Active Directory. Loopback processing can be
applied with either merge or replace settings. Using replace overwrites the entire user GPO with
the policy from the Citrix server or virtual desktop OU. Merge will combine the user GPO with
the GPO from the Citrix server or desktop OU. As the computer GPOs are processed after the
user GPOs when merge is used, the Citrix related OU settings will have precedence and be
applied in the event of a conflict. For more information, please refer to the Microsoft TechNet
article - Understand User Group Policy Loopback Mode.
Active Directory policy filtering In more advanced cases, there may be a need to apply a
policy setting to a small subset of users such as Citrix administrators. In this case, loopback
processing will not work, as the policy should only be applied to a subset of users, not all users
who logon to the system. Active Directory policy filtering can be used to specify specific users
or groups of users to which the policy is applied. A policy can be created for a specific function,
and then a policy filter can be set to apply that policy only to a group of users such as Citrix
administrators. Policy filtering is accomplished using the security properties of each target
policy.
Citrix policies created using Citrix Studio have specific filter settings available, which may be used
to address policy-filtering situations that cannot be handled using group policy. Citrix policies may
be applied using any combination of the following filters:
Filter Name Filter Description Scope

Access control Applies a policy based on access control User settings
conditions through which a client is
connecting. For example, users connecting
through a Citrix NetScaler Gateway can
have specific policies applied.
Citrix CloudBridge Applies a policy based on whether or not a User settings
user session was launched through Citrix
CloudBridge.
Client IP address Applies a policy based on the IPv4 or IPv6 User settings
address of the user device used to connect
the session. Care must be taken with this
filter if IPv4 address ranges are used in
order to avoid unexpected results.
Client name Applies a policy based on the name of the User settings
user device used to connect the session.
Delivery group Applies a policy based on the delivery group User and
membership of the desktop running the computer
session settings
34
Citrix XenDesktop 7
Delivery group type Applies a policy based on the type of User and
machine running the session. For example, computer
different policies can be set depending upon settings
whether a desktop is pooled, dedicated or
streamed.
Organizational unit Applies a policy based on the OU of the User and
desktop running the session. computer
settings
Tag Applies a policy based on any tags applying User and
to the desktop running the session. Tags are computer
strings that can be added to virtual desktops settings
in XenDesktop environments that can be
used to search for or limit access to
desktops.
User or group Applies a policy based on the Active User settings
Directory group membership of the user
connecting to the session.
With the tree-based structure of Active Directory, policies can be created and enforced at any level
in the tree structure. As such, it is important to understand how the aggregation of policies, known
as policy precedence flows in order to understand how a resultant set of policies is created. With
Active Directory and Citrix policies, the precedence is as follows:
Policy Precedence Policy Type

Processed first Local server policies
(lowest precedence)
Processed second Citrix policies created
using the Citrix
administrative consoles
Processed third Site level AD policies
Processed fourth Domain level AD policies
Processed fifth Highest level OU in
domain
Processed sixth and subsequent Next level OU in domain
Processed last (highest precedence) Lowest level OU
containing object
Policies from each level are aggregated into a final policy that is applied to the user or computer. In
most enterprise deployments, Citrix administrators do not have rights to change policies outside
their specific OUs, which will typically be the highest level for precedence. In cases where
exceptions are required, the application of policy settings from higher up the OU tree can be
managed using block inheritance and no override settings. Block inheritance stops settings
35
Citrix XenDesktop 7
from higher-level OUs (lower precedence) from being incorporated into the policy. However, if a
higher-level OU policy is configured with no override, the block inheritance setting will not be
applied. Given this, care must be taken in policy planning, and available tools such as the Active
Directory Resultant Set of Policy tool or the Citrix Group Policy Modeling wizard should be
used to validate the observed outcomes with the expected outcomes.
4.14 Baseline Policy

A baseline policy should contain all common elements required to deliver a high-definition experience
to the majority of users within the organization. A baseline policy creates the foundation for user access,
and any exceptions that may need to be created to address specific access requirements for groups of
users. It should be comprehensive to cover as many use cases as possible and should have the lowest
priority, for example 99 (a priority number of 1 is the highest priority), in order to create the simplest
policy structure possible and avoid difficulties in determining the resultant set of policies. The unfiltered
policy set provided by Citrix as the default policy may be used to create the baseline policy as it is
applied to all users and connections. In the baseline configuration, Citrix policies should be enabled
with default settings in order to clearly identify the policies applied, and to avoid confusion should
default settings change over time.
Citrix Policy templates can be used to configure Citrix policies to effectively manage the end-user
experience within an environment and can serve as an initial starting point for a baseline policy.
Templates consist of pre-configured settings that optimize performance for specific environments or
network conditions. The built-in templates included in XenDesktop are shown below:
Built-in Templates
High definition user experience Includes settings for providin
quality audio, graphics, and v
users.
High server scalability Includes settings for providin
optimized user experience w
hosting more users on a sing
Optimized bandwidth for WAN Includes settings for providin
optimized experience to user
low bandwidth or high latenc
connections.
Security and control Includes settings for disablin
to peripheral devices, drive m
port redirection, and Flash
acceleration on user devices.
For more information on Citrix policy templates, please refer to Citrix eDocs - Manage Citrix Policy Templates.
A baseline policy configuration should also include Windows policies. Windows policies reflect user
specific settings that optimize the user experience and remove features that are not required or desired
in a XenDesktop environment. For example, one common feature turned off in these environments is
Windows update. In virtualized environments, particularly where desktops and servers may be streamed
and non-persistent, Windows update creates processing and network overhead, and changes made by
the update process will not persist a restart of the virtual desktop or application server. Also in many
cases, organizations use Windows software update service (WSUS) to control Windows updates. In
36
Citrix XenDesktop 7
these cases, updates are applied to the master disk and made available by the IT department on a
scheduled basis.
In addition to the above considerations, an organizations final baseline policy may include settings
specifically created to address security requirements, common network conditions, or to manage user
device or user profile requirements:
Security policies Security policies address policy decisions made to enforce corporate
security requirements on the XenDesktop environment. Requirements pertaining to data security
and access can be controlled by the correct application of security policy. Users can be allowed to
read and write to local or removable media, connect USB devices such as storage devices, smart
phones, or TWAIN compliant devices, or cut and paste from the local system based on security
requirements. Organizations can also enforce encryption and authentication requirements through
security related Citrix policies. Architects should consider the most appropriate level of security
and add the policy settings to the baseline policy set, and then address security exceptions through
additional policy sets.
Connection-based policies Connection based policy considerations are used to develop a
policy solution that creates the best user experience based on the network environment through
which end-users access the network infrastructure. Latency and available bandwidth will
determine how to best provide access to audio and video over the HDX connection, providing the
best quality experience based on the available resources. Image quality and compression, audio
quality and video frame rates can be adjusted based on the connection quality to utilize the
bandwidth and network performance appropriately. Multi-stream ICA features can be utilized in
concert with network Quality of Service (QoS) to provide an optimized experience for
multimedia, input and display and printing requirements. As with security policies, architects
should consider the appropriate base network configuration and add the settings to the initial
baseline configuration. Additional network requirements can be dealt with by creating additional
higher-level policies to override baseline configurations.
Device-based policies Device based policy configuration deals with the management of
specific device requirements such as tablets and smart phones within an organization. Citrix has
created a set of policies to optimize the experience of tablets and smart phones when connecting
to XenDesktop environments, allowing these devices to use location services and to customize the
user interface where appropriate.
Multimedia specific features, such as Windows media and Flash redirection will automatically drop
back from client side redirection to server side rendering of media content if the device does not
support it; therefore no specific configuration is required to address these features with tablets, or
with other devices such as thin clients that may not support these features. Another consideration
for device based policy configuration revolves around the security requirements for bring your
own devices (BYOD). These elements, such as the need to allow or prohibit local access to hard
drives or removable devices, should be addressed through security policy settings.
Profile-based policies User profiles play a critical role in determining how successful the user
experience is within a virtual desktop or virtual application scenario. User profile management
can be a key player in mitigating the risks of lengthy logon times or lost settings, providing a
consistent user experience across multiple devices, and providing users with their specific data
and settings in a virtualized environment. With Citrix Profile Management, policies control two
important aspects of user profiles; folder redirection, handled through AD group policy, and Citrix
Profile Management settings through Citrix policy. There is more to configuring Citrix Profile
Management than simply turning the features on via Citrix policy. Architects must consider the
correct folder redirection configuration for their environment, as well as configuring Citrix policy
settings for folder exclusions. Settings for profile streaming and active write back must also be
carefully considered based on the size of the profile and whether the operating system is persistent
37
Citrix XenDesktop 7
or non-persistent. Profile management policies should be included in the baseline policy if they
are to be applied across all users in an organization.
These areas need to be addressed both in the default baseline policy configuration, as well as in any additional policy sets created to
address exceptions or additional needs.
4.15 Profile Management Policy
Ideally, each user group should have the same policy in order to make management and
troubleshooting easier, but different policies can be used if required. The recommended base profile
policy is as follows:
Profile Management Policy Setting

Basic Settings: Enable Profile Management Enabled
Basic Settings: Path to User Store Select path (organization
specific)
Basic Settings: Process logons of local Enabled
administrators
File System: Exclusion list directories See Profile Policy Details
File System: Directories to Synchronize See Profile Policy Details
File System: Files to Synchronize See Profile Policy Details
File System: Folders to Mirror See Profile Policy Details
Profile Handling: Local profile conflict Delete local profile
handling
Streamed User Profiles: Profile streaming Enabled
Folder Redirection: AppData(Roaming) Path
Folder Redirection: Contacts
Folder Redirection: Desktop
Folder Redirection: Documents
Folder Redirection: Downloads
Folder Redirection: Favorites
Folder Redirection: Music
Folder Redirection: Pictures
Folder Redirection: Videos
The final portion of the personalization definition is the assignment of user/computer policies. The
user/computer policy helps define how the session is configured based on the users end point
device, location or accessed resource. Recommended policies are as follows:
Unfiltered: The unfiltered policy is the system-created default policy providing a

baseline configuration for an optimal experience. Each user group receives this policy with
38
Citrix XenDesktop 7
additional policies incorporated to customize the experience based on use case or access
scenario.
Remote access policy - Optimized for WAN: The remote access policy includes
settings to better protect the resources as they will be accessed from remote and potentially
unsecure locations. Applied to all sessions coming through NetScaler Gateway.
Local access policy - High Definition User Experience: The local access policy focuses
on a high quality user experience at the expense of bandwidth, which should be plentiful on a
local connection scenario.
Mobile device policy: The mobile device policy helps improve the user experience for
any user who utilizes a tablet, Smartphone or other small form factor device.
Once defined, each policy must be properly applied to the right set of objects and scenarios.
These policies are applied as follows:
Policy Name Settings or Template Assigned to

Unfiltered Not applicable Not applicable
Remote access Template: Access Control With
policy Optimized for WAN NetScaler Gateway
Local access Template: Access Control Without
policy High Definition User NetScaler Gateway
Experience
Mobile device Mobile Experience User group name
policy Automatic keyboard
display: Allowed
Launch touch-optimized
desktop: Allowed
Remote the combo box:
Allowed
4.16 Profile Policy Details
User Policy Setting

ICA\Printing\Client Printers
Printer properties retention Retained in profile only
Profile Management
Enable Profile Management Enabled
Process Groups Configure groups
Path to User Store UNC Path
Active Write Back Enabled (Persistent desktops)
Process logons of local Enabled
39
Citrix XenDesktop 7
administrators
Profile Management\ Advanced Settings
Delete Redirected Folders Enabled
Directory of MFT Cache Files Local or persistent location
Process Internet cookie files on Enabled
logoff
Profile Management\ File System
Exclusion list directories AppData\Local
AppData\LocalLow
AppData\Roaming\Citrix\PNAgent\AppCache
AppData\Roaming\Citrix\PNAgent\Icon Cache
AppData\Roaming\Citrix\PNAgent\ResourceCache
AppData\Roaming\ICAClient\Cache
AppData\Roaming\Microsoft\Windows\Start Menu
AppData\Roaming\Sun\Java\Deployment\cache
AppData\Roaming\Sun\Java\Deployment\log
AppData\Roaming\Sun\Java\Deployment\tmp
Application Data
Java
Links
Local Settings
Music
My Documents
My Pictures
My Videos
Pictures
UserData
Videos
AppData\Roaming\Macromedia\Flash
Player\macromedia.com\support\flashplayer\sys
AppData\Roaming\Macromedia\Flash Player\#SharedObject
AppData\Roaming
Downloads
Saved Games
Searches
Profile Management\ File System\ Synchronization
Directories to Synchronize AppData\Roaming\Microsoft\Credentials
AppData\Roaming\Microsoft\Crypto
AppData\Roaming\Microsoft\Protect
AppData\Roaming\Microsoft\SystemCertificates
AppData\Local\Microsoft\Credentials
Files to Synchronize (Example Synchronized Files for Microsoft Outlook and
Google Earth)
AppData\Local\Microsoft\Office\*.qat
AppData\Local\Microsoft\Office\*.officeUI
AppData\LocalLow\Google\GoogleEarth\*.kml
Folders to Mirror AppData\Roaming\Microsoft\Windows\Cookies
Profile Management\ Profile handling
40
Citrix XenDesktop 7
Local profile conflict handling Delete local profile

Migration of existing profiles Disabled
Profile Management\ Profile Streamed user profiles
Profile Streaming Enabled (If large profile)
4.17 Microsoft Windows Policy
User Policy
Policy Path Setting Description Applies to
Control Panel\ Enable Disables all control panel programs Server OS,
Prohibit Access to the Desktop OS
Control Panel
Control Panel\ Enable Enables the use of a Screen Saver Server OS,
Personalization\ Desktop OS
Enable screen saver
Control Panel\ Enable Forces the use of the blank Server OS,
Personalization\ Force scrnsave.scr screen saver in Windows Desktop OS
specific screen saver
Control Panel\ Enabled Forces password protection on the Server OS,
Personalization\ screen saver Desktop OS
Password protect the
screen saver
Control Panel\ Enabled X Sets the amount of time in minutes Server OS,
Personalization\ Minutes (default that elapse before the screen saver Desktop OS
Screen saver timeout 15) is activated
Desktop\ Dont save Enabled Prevents users from changing some Server OS
settings on exit desktop configurations such as the
size of the taskbar or the position
of open windows on exit
Desktop\ Hide Enabled Removes the Network Locations Server OS
Network Locations icon from the desktop
icon on desktop
Desktop\ Prohibit user Enabled Prevents users from manually Server OS,
from manually changing the path to their profile Desktop OS
redirecting Profile folders
Folders
Desktop\ Remove Enabled Removes most occurrences of the Server OS,
Recycle Bin icon from Recycle Bin icon Desktop OS
desktop
Start Menu and Enabled Log Off Set Start Menu power button Server OS,
Taskbar\ Change Start functionality to Log Off user Desktop OS
Menu power button
41
Citrix XenDesktop 7
Start Menu and Enabled Removes the Taskbar and Start Server OS
Taskbar\ Prevent Menu settings from Settings on the
changes to Taskbar Start Menu
and Start Menu
settings
Start Menu and Enabled Prevents user from performing Server OS
Taskbar\ Remove and these commands from the Start
prevent access to the Menu or the Windows Security
Shut Down, Restart, screen
Sleep and Hibernate
commands
Start Menu and Enabled Prevents users from connecting to Server OS,
Taskbar\ Remove the Windows Update website. Desktop OS
links and access to
Windows Update
Start Menu and Enabled Removes the network icon from Server OS,
Taskbar\ Remove the Start Menu Desktop OS
network icon from the
Start Menu
Start Menu and Enabled Removes the Run command from Server OS
Taskbar\ Remove Run the Start Menu, Internet Explorer,
menu from the Start and Task Manager
Menu
System\ Prevent Enabled Disables the Windows Registry Server OS,
access to registry Editor Desktop OS
editing tools
System\ Prevent Enabled Prevents users from running the Server OS
access to the interactive command prompt
Command Prompt cmd.exe
System\ Ctrl+Alt+Del Enabled Prevents users from starting Task Server OS

Options\ Remove Task Manager
Manager
System\ Folder Enabled Prohibits redirected shell folders Server OS,
Redirection\ Do not Contacts, Documents, Desktop, Desktop OS
automatically make Favorites, Music, Pictures, Videos,
redirected folders Start Menu and AppData\Roaming
available offline from being available offline
System\ User Profiles\ Citrix, Contacts, Excludes the specified directories Server OS,
Exclude Directories in Desktop, from the Roaming Profile Desktop OS
Roaming Profile Downloads,
Favorites, Links,
Documents,
Pictures, Videos,
Music, Saved
Games, Searches
Windows Enabled Removes all Windows Update Server OS,
Components\ functions Desktop OS
Windows Update\
42
Citrix XenDesktop 7
Remove access to use

all Windows Update
features
Windows Explorer\ Enabled Prohibits deleted files from being Server OS,
Do not move deleted placed in the Recycle Bin. All files Desktop OS
files to the Recycle are permanently deleted.
Bin
Windows Explorer\ Enabled Local Hides local hard drives from My Server OS
Hide these specified hard drives Computer
drives in My
Computer
Windows Explorer\ Enabled Local Prevents access to local hard drives Server OS
Prevent access to hard drives from My Computer
drives from My
Computer
Machine Policy
Policy Path Setting Description Applies to
Internet Communication Enabled Turns off the Windows Server OS,
settings\ Turn off Customer Improvement Desktop OS
Windows Customer Program for all users
Improvement Program
System\ Group Policy\ Merge or Replace Applies alternate user settings Server OS,
User Group Policy when a user logs on to a Desktop OS
loopback processing computer affected by this
mode setting
System\ Power High Performance Specifies a power plan from a Server OS,
Management\ Select an list of available plans. Desktop OS
active power plan
System\ System Restore\ Enabled Turns off Windows System Server OS,
Turn off System Restore Restore features Desktop OS
System\ User Enabled Adds the Administrator Server OS,
Profiles\Add the security group to the users Desktop OS
Administrators security roaming profile path when it is
group to the roaming first created.
users profiles
System\ User Profiles\ Enabled Disables security check for Server OS,
Do not check for user roaming profile folders Desktop OS
ownership of Roaming
Profile folders
Windows Components\ Enabled Turns off AutoPlay for Server OS
AutoPlay Policies\ Turn removable devices.
off AutoPlay
Windows Components\ Enabled Disables ability to reopen the Server OS
Internet Explorer\ Turn users last browsing session
off reopen last browsing
43
Citrix XenDesktop 7
session
Windows Components\ XenApp server Specifies the servers to which Server OS
Remote Desktop security groups RDS will provide licenses
Services\ RD Licensing\
License server security
group
Windows Components\ Per User or Per Specifies the licensing mode Server OS
Remote Desktop Device used by Remote Desktop
Services\ Remote Server
Desktop Session Host\
Licensing\ Set the
Remote Desktop
licensing mode
Windows Components\ Specified servers Specifies the preferred license Server OS
Remote Desktop servers for Remote Desktop
Services\ Remote Services
Desktop Session Host\
Licensing\ Use the
specified Remote
Desktop license servers
Windows Components\ Disabled Specifies whether the Server OS,
Windows Update\ computer system will receive Desktop OS
Configure Automatic automatic updates through the
Updates Windows Update process.
4.18 Folder Redirection Policy
User Policy\Windows Settings\Security Settings\Folder Redirection

Folder Setting Options
AppData (Roaming) Basic Grant User Exclusive Rights: Disabled Move
Contents to new location: Enabled Apply Policy to
Windows 2000, Windows XP, Windows 2003:
Disabled Policy Removal Behavior: Leave
Contents
Contacts Basic Grant User Exclusive Rights: Disabled Move
Contents
Desktop Basic Grant User Exclusive Rights: Disabled Move
44
Citrix XenDesktop 7

Contents
Documents Basic Grant User Exclusive Rights: Disabled Move
Contents to new location: Disabled Apply Policy
to Windows 2000, Windows XP, Windows 2003:
Contents
Downloads Basic Grant User Exclusive Rights: Disabled Move
Contents
Favorites Basic Grant User Exclusive Rights: Disabled Move
Contents
Links Basic Grant User Exclusive Rights: Disabled Move
Contents
Music Follow the
Documents Folder
Pictures Follow the
Documents Folder
Saved Games Basic Grant User Exclusive Rights: Disabled Move
Contents
Searches Basic Grant User Exclusive Rights: Disabled Move
Contents
Start Menu Basic Grant User Exclusive Rights: Disabled Move
Contents
Videos Follow the
Documents Folder
4.19 Machine Catalogs
Machine catalogs are a collection of virtual or physical machines managed as a single entity.
Machine catalogs specify:
45
Citrix XenDesktop 7
The virtual or physical machines available to host applications or desktops or

both
The Active Directory computer accounts assigned to those virtual machines or
computers
The type of virtual machine being allocated (static or random)
The provisioning method used to generate the virtual machine
The operating system installed on the machine
In some cases, the master image that is copied to create the virtual machines
As a catalog is simply a definition of the virtual desktop resources, a single catalog can span across
multiple hosts or hypervisor pools and associated resources such as storage. If a catalog spans
across multiple hosts, it is important to ensure that the hosts have access to the appropriate
templates for cloning and imaging, depending upon the FlexCast model of the desktop being
delivered. Architects will also need to consider the methods used to ensure that the base desktop
image is updated across all hosts within the catalog, as required.
4.20 Delivery Groups

Delivery Groups are collections of machines that specify which user groups can access desktops or
applications. To deliver applications and desktops, Active Directory users or user groups are
assigned to delivery groups. Assigning delivery groups to users can be performed 1:1 or 1 to many,
and delivery groups can span multiple catalogs. This process allows architects to better align their
desktop allocations with unique user requirements. For example, if a developer user group requires
both a corporate desktop for day-to-day operations, and a set of dedicated desktops for
development and testing, these desktops can be assigned from a single delivery group. It is
important that the following items are considered when defining user groups:
Machine catalogs can span multiple hypervisor pools
Users can be assigned to multiple machine catalogs
A machine catalog can be associated with one or more delivery groups
Multiple machine catalogs can reference the same delivery group
A machine cannot be used in more than one delivery group
Delivery groups can be created from multiple machine catalogs with the same
machine characteristics
Mixed delivery groups cannot be created from machine catalogs with multiple
machine types
Delivery groups also allow an organization to setup delegated administration allowing specific
administrators to manage a group of virtual desktops. For example, a delivery group can be setup
for executive use, with a defined set of delegated administrators providing VIP support.
4.21 StoreFront Integration

StoreFront is used to facilitate the delivery of applications and desktops to end user devices. It is an
integral component of XenDesktop that provides a single portal to access desktops and applications
46
Citrix XenDesktop 7
from any device. When creating or editing a delivery group in XenDesktop, StoreFront URLs can
be pushed to the Citrix Receiver on the virtual desktop so that Citrix Receiver can connect to the
store without requiring any user intervention. This is useful when the virtual desktops need access
to XenDesktop server-hosted applications.
When creating or editing a Delivery Group in XenDesktop, there are two options available for
integrating StoreFront:
Automatic StoreFront URLs are pre-configured in XenDesktop. This is the
preferred method since it doesnt require the end user to enter the address of the
StoreFront servers in the environment.
Manually The StoreFront URL is entered manually when Receiver is
launched on the virtual desktop. Administrators may opt for this choice for advanced
users, or those that require access to multiple StoreFront stores, like production and test
& development environments.
Note: This feature is not available to application-only delivery groups.
47
Citrix XenDesktop 7
5.0 Control Layer
Every major design decision made for all user groups in the User, Access and Resource
layers are used as a whole to help design the control components of the overall solution.
The design decisions for each user group are met by incorporating the correct control layer
components, which includes access controllers, delivery controllers and infrastructure
controllers.
5.1 Access Controllers

Access controllers are responsible for providing the connectivity to the resources as
defined by the Access Layer. In order to provide access to the environment for users
who are internal and external, two components are required:
StoreFront: Internal users access a StoreFront store either directly through

Citrix Receiver or via the StoreFront web page. StoreFront not only provides a
complete list of available resources for each user, but it also allows users to favorite
certain applications, which makes them appear prominently. The subscriptions are
synchronized to the other StoreFront servers automatically. Upon successful
authentication, StoreFront contacts the Delivery Controller to receive a list of
available resources (desk tops and/or applications) for the user to select. Redundant
StoreFront servers should be deployed to provide N+1 redundancy where in the event
of a failure; the remaining servers have enough spare capacity to fulfill any user
access requests.
NetScaler Gateway: Remote users access and authenticate to the NetScaler

Gateway, which is located within the networks DMZ. Upon successful validation
against Active Directory, NetScaler Gateway forwards the user request onto
StoreFront, which generates a list of available resources. This information is passed
back to the user through NetScaler Gateway. When a user launches a resource, all
traffic between the user and NetScaler Gateway is encapsulated within SSL en-route
to the virtual resource. Redundant NetScaler Gateway devices should be deployed to
provide N+1 redundancy.
Load Balancers: Based on the N+1 recommendations for many of the control
layer components, it is advisable to have an intelligent load balancing solution in
place, which is capable of not only identifying if the server is available, but also that
the respective services and functioning and responding correctly. Implementing an
internal pair of NetScaler VPX virtual servers can easily accommodate the load
balancing requirements for the solution.
48
Citrix XenDesktop 7
5.2 StoreFront
5.2.1 Web Interface or StoreFront

Web Interface and StoreFront are two different solutions, whose feature sets overlap in many
areas, but also offer a variety of distinct features. Therefore it is very important for
organizations to review the capabilities of each product against their requirements. In
general, it is strongly recommended to build new solutions based on StoreFront, since new
features will not be added to Web Interface and end of life has been announced for Web
Interface. Furthermore it is important to understand that Web Interface does not support
XenDesktop 7 or later.
While StoreFront goes beyond Web Interface in many areas, StoreFront 2.0 does not support
all features of Web Interface. The following tables outline the Web Interface features that are
not currently available in StoreFront:
Area Feature
Deployment options Web Interface on NetScaler (StoreFront
is deployable as an application behind
NetScaler but runs on separate servers)
Authentication Delegated Kerberos authentication
Active Directory Federation Services
(ADFS) 1.0 integration
Account self-service (SSPR)
(reset/unlock with security questions)
Smart card authentication via browser
(native Citrix Receiver required)
Domain pass through authentication via
browser (native Citrix Receiver for
Windows required)
Support for Novell NDS
Anonymous authentication
Other Messaging (user notifications)
Settings per location (IP subnet)
Client proxy settings configuration
Offline Apps (users cannot access offline
applications or App-V sequences through
Citrix Receiver for Web sites. Native
Citrix Receiver is required)
Compact/low graphics mode and
embedding
49
Citrix XenDesktop 7
5.2.2 High Availability of Storefront Servers
If the server hosting StoreFront or the respective web service is unavailable, users will not be
able to launch new virtual desktops, published applications or manage their subscriptions.
Therefore at least two StoreFront servers should be deployed to prevent this component from
becoming a single point of failure. Options include:
DNS round robin Provides rudimentary load balancing across
multiple servers without performing any checks on availability. If one
server fails, only a portion of user requests will be affected.
Windows NLB A Windows service capable of performing
rudimentary checks to verify the server is available but cannot determine
the status of individual services. This can cause users to be forwarded to
StoreFront servers which are not able to process new requests
Citrix NetScaler An intelligent appliance, which is capable of
verifying the availability of the StoreFront service and actively load
balance user requests appropriately.
5.2.3 Security Inbound Traffic

Communications from the web browser or Receiver and StoreFront server include user
credentials, resource sets and session initialization files. This traffic is typically routed over
networks outside the datacenter boundaries or on completely untrusted connections (such as
the Internet). Therefore Citrix strongly recommends that this traffic is encrypted using SSL.
Page 85
Note: By default, Citrix Receiver requires SSL to connect to StoreFront. This means email-
based account discovery or the manual configuration of a StoreFront store in Citrix Receiver
will fail unless a valid and trusted SSL certificate has been imported on to the StoreFront
server and external load balancer (if applicable).
5.2.4 Security Backend Traffic

User credentials are sent between StoreFront and the XenApp Controllers, XenDesktop
Controllers and the App Controller virtual appliance. For example, in a typical session with a
XenDesktop Controller, the StoreFront server passes user credentials to the Citrix XML
Service for user authentication and the Citrix XML Service returns resource set information.
A TCP/IP connection and the Citrix XML protocol are used to pass the information between
50
Citrix XenDesktop 7
the StoreFront server and the XenDesktop site. The XML protocol uses clear text to
exchange all data, with the exception of passwords, which are transmitted using obfuscation.
Recommendation: For Citrix environments with high security requirements, encrypt
StoreFront to XenApp, XenDesktop and App Controller communications. For more
information, please refer to Citrix eDocs
Delivery Controllers
To provide users with desktops and applications, StoreFront must be configured with the IP
address or DNS name of at least one Controller in each XenDesktop site and XenApp farm.
For fault tolerance, multiple controllers should be entered for each site and/or farm specified.
StoreFront will automatically failover to the second server in the list if the first server
becomes unavailable (active/passive). For large infrastructures or environments with a high
logon load an active distribution of the user load (active/active) is recommended. This can be
achieved by means of an industry proven load balancer with built-in XML monitors and
session persistency, such as Citrix NetScaler.
5.2.5 Beacons
Citrix Receiver uses beacon points (websites) to identify whether a user is connected to an
internal or external network. Internal users are connected directly to resources while external
users are connected via Citrix NetScaler Gateway. Citrix Receiver continuously monitors the
status of network connections (for example, link up, link down or change of the default
gateway). When a status change is detected, Citrix Receiver will first check that the internal
beacon points can be accessed before moving on to check the accessibility of external beacon
points. StoreFront provides Citrix Receiver with the http(s) addresses of the beacon points
during the initial connection process and provides updates as necessary.
Specifying at least two highly available external beacons that can be resolved from public
networks so that Citrix Receiver can determine whether users are located behind an Internet
such as in a hotel or Internet caf.
5.2.6 Auto Provisioned Apps (Keywords)

StoreFront displays applications differently to Web Interface. Instead of having all accessible
applications appear on the home screen, first time users are invited to choose (subscribe) to
the applications they want to regularly use after they logon. Before a user can launch an
application, they must first choose which applications should be placed on their home screen.
This approach, deemed Self-Service apps, allows users to restrict the applications that they
see on their home screen to the ones that they use on a regular basis. The applications chosen
by every user for each store are recorded by the subscription store service so that they can be
displayed on the Citrix Receiver home screen from any device that the user connects from
(follow me apps).
51
Citrix XenDesktop 7
6 XenDesktop
A Citrix XenDesktop site groups desktops and applications together to form a single
architectural and management entity. All persistent and dynamic data for the site, including
site configuration, desktop assignments, and session state, is stored in a central site database.
Site-wide functions are spread equally across all XenDesktop Controllers within a site. While
it is possible to assign certain functions to specific controllers, it is not recommended as
XenDesktop is self-optimizing and manual configurations can interfere with the automatic
load balancing and failover mechanisms of XenDesktop.
6.1 Desktop Controllers

The desktop controller sub-layer is responsible for providing the infrastructure components
to support the desktop layer requirements for each user group. Desktop controllers often
include some combination of XenDesktop controllers, Provisioning Services servers and
XenClient Synchronizers.
The controllers manage and maintain the virtualized resources for the environment. The
delivery controllers receive the authentication information from the access controllers and
enumerate a list of resources granted to the user. As users make requests to a resource, the
delivery controller brokers the connection between the user and resource. The
authentication, enumeration and launching process is as follows:
52
Citrix XenDesktop 7
6.2 Number of Sites
There are several factors that must be considered when determining the number of
XenDesktop sites required:
Network XenDesktop Controllers constantly access the site database and regularly
communicate with desktops and servers hosting applications. XenDesktop may exhibit
unexpected behavior if significant levels of latency exist between the XenDesktop
controllers, SQL database, desktop operating systems and server operating systems or when
site communications are interrupted. Therefore, all site components - controllers, desktops,
servers, virtualization hosts and database servers, should be connected by a redundant and
high-speed network.
The following two scenarios demonstrate how the network can affect XenDesktop site
design:
1. Three datacenters connected by a redundant but high-latency network - three
sites:
53
Citrix XenDesktop 7
2. Two datacenters connected by a fast, redundant network and a third datacenter

connected by a high-latency, redundant network two sites:
Implementing a single XenDesktop site spanning multiple datacenters connected by fast,

redundant links helps to reduce management overhead and supporting infrastructure.
However, creating separate sites per datacenter is a safer alternative.
Risk Tolerance Multiple XenDesktop sites can be created to minimize

the impact from a site-wide outage. For example, corruption of the
XenDesktop site database could affect site-wide availability. For many
organizations, the decreased risk from implementing multiple sites outweighs
the additional management overhead and supporting infrastructure required.
Security Although delegated administration is available, high-security

54
Citrix XenDesktop 7
organizations may require complete separation between environments to
demonstrate compliance with specific service level agreements.
6.3 Host Connection Configuration
Host connections allow controllers within a site to access the hypervisor(s) hosting the virtual
desktops or applications. Separate host connections will be required for each XenServer pool,
Hyper-V SCVMM server or VMware vCenter server. For redundancy, XenServer host
connections should have at least one HA server configured and SCVMM servers and vCenter
servers should be highly available.
Host connections define the storage repositories and guest networks that will be used by the
virtual machines. Both Provisioning Services and Machine Creation Services use these
parameters during the desktop creation process to determine which guest network and
storage location should be used. Each host connection can define multiple storage
repositories and a single guest network. Therefore, separate host connections are necessary
for each guest network required.
6.4 XML Service Encryption

In a typical session, the StoreFront server passes credentials to the Citrix XML Service on a
XenDesktop Controller. The Citrix XML protocol uses clear text to exchange all data, with
the exception of passwords, which are transmitted using obfuscation.
If the traffic between the Storefront servers and the XenDesktop Controllers can be
intercepted it will be vulnerable to the following attacks:
Attackers can intercept the XML traffic and steal resource set information
and tickets.
Attackers with the ability to crack the obfuscation can obtain user
credentials.
Attackers can impersonate the XenDesktop Controller and intercept
authentication requests.
For most organizations, the Citrix XML traffic will be isolated on a dedicated physical or
virtual datacenter network making interception unlikely. However, for safety consider using
SSL encryption to send StoreFront data over a secure HTTP connection.
55
Citrix XenDesktop 7
7.0 The process functions as follows:
Step Local Users Remote Users

A user initiates a connection to the StoreFront URL A user initiates a connection to
(443), which can be a virtual address hosted by a load the NetScaler Gateway URL
balancer, and provides logon credentials. This can (443) and provides logon
1
either be done by using a browser or Citrix Receiver. credentials. This can either be
done by using a browser or
Citrix Receiver.
The credentials are validated
2 against Active Directory (389).
NetScaler Gateway forwards

the validated user credentials to
StoreFront, which can be a
3
virtual address hosted by a load
balancer (443).
StoreFront authenticates the user to Active Directory domain (389) it is a member of.
4 Upon successful authentication, StoreFront checks the data store for existing user
subscriptions and stores them in memory.
StoreFront forwards the user credentials to the Delivery Controllers (80 or 443), which
5
could be a virtual address hosted by a load balancer.
6 The Delivery Controller validates the credentials against Active Directory (389).
Once validated, the XenDesktop Delivery Controller identifies a list of available
7
resources by querying the SQL Database (1433).
The list of available resources is sent to StoreFront The list of available resources
(443), which populates the users Citrix Receiver or is sent to StoreFront (443),
browser (80 or 443). which populates the users
8
Citrix Receiver or browser after
passing through NetScaler
Gateway (80 or 443).
A resource is selected from the available list within A resource is selected from the
Citrix Receiver or browser. The request is sent to available list within Citrix
StoreFront (443). Receiver or browser. The
9 request is sent to StoreFront
through NetScaler Gateway
(443).
56
Citrix XenDesktop 7
10 StoreFront forwards the resource request to the Delivery Controller (80 or 443).
The Delivery Controller queries the SQL Database to determine an appropriate host to
11 fulfil the request (1433).
The Delivery controller sends the host and connection information to StoreFront (443).
12
StoreFront creates a launch file, which is sent to the StoreFront requests a ticket
user (443). by contacting the Secure
Ticket Authority (80 or 443),
which is hosted on the
Delivery Controller. The STA
generates a unique ticket for
the user, which is only valid
for 100 seconds. The ticket
identifies the requested
13 resource, server address and
port number thereby
preventing this sensitive
information from crossing
public network links.
StoreFront generates a
launch file, including the
ticket information, which is
sent to the user through
NetScaler Gateway (443).
Citrix Receiver uses the launch file and makes a Citrix Receiver uses the launch
14 connection to the resource (1494 or 2598). file and makes a connection to
the NetScaler Gateway (443).
NetScaler Gateway validates
15 the ticket with the STA (80 or
443)
NetScaler Gateway initiates a
connection to the resource
16
(1494 or 2598) on the users
behalf.
In addition to the authentication, enumeration and launching process, the delivery controllers
manage and maintain the state of the XenDesktop site to help control desktop startups,
shutdowns and registrations. The controllers constantly query and update the Microsoft SQL
Server database with site status, allowing controllers to go offline without impacting user
activities.
Redundant delivery controllers should be configured to ensure availability of the site should a
single controller fail.
57
Citrix XenDesktop 7
7.1 Infrastructure Controllers

In order to have a fully functioning virtual desktop environment, a set of standard
infrastructure components are required. These components include:
Network Services, like DNS and DHCP, for name resolution and IP
address assignment.
Active Directory for user authentication
SQL Server databases for storing all configurations, desktop and current
utilization information. The SQL Server instance should be highly
available to ensure continuous operation.
Citrix licensing server to provide rights to access the environment. A
license server is required for all components within the XenDesktop
architecture, except for NetScaler Gateway, which is manually configured
with a local license file. Because of a 30-day grace period built into the
licensing model, a single license server can be implemented as a VM or
virtual appliance configured for VM-level high availability. A failed license
server can easily be rebuilt and restored from backup within the allotted
30-days without impacting operations of the overall environment.
7.2 Hardware Layer
The hardware layer is the physical implementation of the virtual desktop solution. It includes
decisions on the storage fabric and server footprint, which are often decisions made based on
relationships organizations have with different vendors.
The selection of a type of storage directly impacts the recommend type of server just like the
type of server selected directly impacts the recommended storage.
7.3 Storage Fabric

Storage is often considered one of the most important and complex decisions in a virtual
desktop solution. In addition to impacting the cost of the solution, the selected storage fabric
also impacts the available options for physical server footprint, which is why selecting a
storage solution is the first step in the hardware layer design.
Storage Type Benefits Concerns Appropriate

for
Local Inexpensive Virtual machines are Rack servers
Storage Simple to deploy inaccessible if physical server is
offline
58
Citrix XenDesktop 7
Limited number of disk spindles
(based on server design)
Longer operational processes as
each local store must be
updated
Direct Moderate Failure on DAS array can impact Rack servers
Attached expense multiple physical servers
Storage Virtual machine DAS interconnects consume
migration when valuable space in a blade
physical server is chassis
offline Limited number of connections
to a DAS array
Centralized Shared master Expensive Blade servers
Storage image across Complex
physical servers Often requires storage tiers to
Virtual machine control costs
migration when
physical server is
offline
Simple expansion
Advanced
features to help
offset costs
Regardless of the storage fabric selected, an appropriate amount of storage resources (space
and IOPS) must be available in order to provide an acceptable user experience.
7.4 Server Footprint

At the hardware layer of the virtual desktop design, organizations must decide on the
hardware footprint, which generally is a decision between blade servers and rack servers.
Server Type Benefits Concerns Appropriate

for
Blade Servers Higher density within same Upfront Large
amount of rack space costs are deployments
Consolidated network generally with shared
cabling requiring fewer higher storage
core switch ports Limited
amount of
internal
storage
Rack Servers Large amount of local Greater Large or small
storage power deployments
Adding network capacity requirement with local
simply requires new s storage
network card Uses more
59
Citrix XenDesktop 7
switch ports
Less density
within a rack
8.0 REQUIREMENTS
8.1 Delivery Controller
Supported operating systems:
Windows Server 2012 R2, Standard and Datacenter Editions.

Windows Server 2012, Standard and Datacenter Editions.
Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions.
Requirements:
Minimum 4 Core, 8GB RAM (Recommended)
Disk Space: 60GB (including Pagefile).
Microsoft .NET Framework 3.5 SP1 (required on Windows Server 2008 R2
only).
Microsoft .NET 4.0.
Windows PowerShell 2.0 (included with Windows Server 2008 R2) or 3.0
(included with Windows Server 2012 R2 and Windows Server 2012).
Visual C++ 2005, 2008 SP1, and 2010 Redistributable packages. The installer
deploys these automatically. They are also available on the Citrix installation media in
the Support folder.
8.2 Database
60
Citrix XenDesktop 7
Supported Microsoft SQL Server versions for the Site Configuration Database (which initially
includes the Configuration Logging Database and the Monitoring Database):
SQL Server 2012 SP1, Express, Standard, and Enterprise Editions. By default, the
Express edition is installed when installing the Controller.
SQL Server 2008 R2 SP2, Express, Standard, Enterprise, and Datacenter
Editions.
The following database features are supported (except on SQL Server Express Edition, which
supports only standalone mode).
SQL Server Clustered Instances.
SQL Server Mirroring.
SQL Server 2012 AlwaysOn Availability Groups.
Windows authentication is required for connections between the Controller and the SQL Server
database.
8.2.1 CPU 2 Core 8 GB RAM
8.3 Studio
Windows 8.1, Professional and Enterprise Editions.

Windows 8, Professional and Enterprise Editions.
Windows 7 Professional, Enterprise, and Ultimate Editions.
Requirements:
Disk space: 75 MB.
Microsoft .NET Framework 3.5 SP1 (required on Windows Server 2008 R2
only).
Microsoft Management Console 3.0 (included with all supported operating
systems).
Windows PowerShell 2.0 (included with Windows 7 and Windows Server 2008
R2) or 3.0 (included with Windows 8.1, Windows 8, Windows Server 2012 R2, and
Windows Server 2012).
8.4 Director
61
Citrix XenDesktop 7

Requirements:
Disk space: 50 MB.
Microsoft .NET Framework 4.0. The installer deploys this automatically. It is also
available on the Citrix installation media in the Support\DotNet4 folder.
Microsoft Internet Information Services (IIS) 7.0 and ASP.NET 2.0. If these are
not already installed, you are prompted for the Windows Server installation media, then
they are installed for you.
Supported browsers for viewing Director:
o Internet Explorer 11, 10, and 9 (compatibility mode in Internet Explorer
10 is not supported)
For Internet Explorer 10, compatibility mode is not supported. You must use the
recommended browser settings; otherwise, you cannot access Director. When you
install Internet Explorer 10, accept the default to use the recommended security
and compatibility settings. If you already installed the browser and chose not to
use the recommended settings, go to Tools > Internet Options > Advanced >
Reset and follow the instructions.
o Firefox
o Chrome
8.5 Virtual Delivery Agent (VDA) for Windows Desktop OS
Windows 8.1, Professional and Enterprise Editions.

Windows 8, Professional and Enterprise Editions.
Windows 7 SP1, Professional, Enterprise, and Ultimate Editions.
The installer automatically deploys the following requirements, which are also available on the
Citrix installation media in the Support folders:
(For Windows 7 SP1 systems only.) Microsoft .NET Framework 3.5 SP1 - if
using the command-line interface, you must install this manually before installing the
VDA.
Microsoft .NET Framework 4.0.
62
Citrix XenDesktop 7
Microsoft Visual C++ 2010 Runtime (32-bit or 64-bit, depending on platform).
Remote PC Access uses this VDA, which you install on physical office PCs.
You cannot install a XenDesktop 7.1 VDA on a machine running Windows XP or Windows
Vista; however, you can install an earlier Virtual Desktop Agent version on those operating
systems, if needed
8.6 Virtual Delivery Agent (VDA) for Windows Server OS

The installer automatically deploys the following requirements, which are also available on the
Citrix installation media in the Support folders:
(For Windows 2008 R2 SP1 systems only.) Microsoft .NET Framework 3.5 SP1 -
if using the command-line interface, you must install this manually before installing the
VDA.
Microsoft .NET Framework 4.0.
Microsoft Visual C++ 2005, 2008, and 2010 Runtimes (32-bit and 64-bit).
The installer automatically installs and enables Remote Desktop Services role services, if they
are not already installed and enabled.
Microsoft Media Foundation be installed on the machine where you install the VDA. If the
machine does not have Media Foundation installed, the multimedia acceleration features will not
be installed and will not work.
The Print Spooler Service is enabled by default on the Windows server. If you disable this
service, you cannot successfully install a VDA for Windows Server OS. Therefore, ensure that
this service is enabled before installing a VDA.
8.9 Host
Supported platforms:
XenServer.
o XenServer 6.2
o XenServer 6.1
63
Citrix XenDesktop 7
o XenServer 6.0.2
VMware vSphere. No support is provided for vSphere vCenter Linked Mode
operation.
o VMware vSphere 5.1 Update 1
o VMware vSphere 5.0 Update 2
System Center Virtual Machine Manager - Includes any version of Hyper-V that
can register with the supported System Center Virtual Machine Manager versions.
o System Center Virtual Machine Manager 2012 R2
o System Center Virtual Machine Manager 2012 SP1
o System Center Virtual Machine Manager 2012
The following Host and storage technology combinations are supported for Machine Creation
Services and runtime Active Directory account injection into VMs. Combinations marked with
an asterisk (*) are recommended.
Host Local Disks NFS Block Storage Storage

Link
XenServer Yes Yes * Yes No
VMware ESX Yes (no vMotion or Yes * Yes No

dynamic placement)
Hyper-V Yes No Yes * (requires No

Cluster Shared
Volumes)
8.10 Other
StoreFront requires 2 GB of memory and Recommended to have 100GB of Hard

disk space. StoreFront 2.0 is the minimum version supported with this version of
XenDesktop.
This XenDesktop version requires Citrix License Server 11.11. The Citrix
License Server requires 40 MB of disk space. See the licensing documentation for full
system requirements.
Universal Print Server - Supported operating systems (the Controller includes the
Universal Print Server functionality; you need only install the Universal Print Server on
your print servers):
64
Citrix XenDesktop 7
o Windows Server 2008 R2 SP1
o Windows Server 2008 32-bit
The Microsoft Group Policy Management Console (GPMC) is required if you
store Citrix policy information in Active Directory rather than the Site Configuration
Database. For more information, see the Microsoft documentation.
You can install the Receiver for Windows when installing a VDA provided on the
XenDesktop installation media. For system requirements information on other platforms,
see the Receiver for Windows documentation.
The Receiver for Linux and the Receiver for Mac are provided on the
XenDesktop installation media. See their documentation for system requirements.
When using Provisioning Services with this version of XenDesktop, the
minimum supported Provisioning Services version is 7.0.
When using Access Gateway versions earlier than 10.0 with this version of
XenDesktop, Windows 8.1 and Windows 8 clients are not supported.
65
Citrix XenDesktop 7
9.0 Remote PC
Citrix Remote PC provides the flexibility associated with VDI, where users can work from
any location or on any device, without the upfront hardware, storage and licensing costs.
Remote PC utilizes the same underlying infrastructure required to support XenDesktop 7,
except that no additional hardware is required to support the desk tops because the desk top
still exists on the users physical endpoint, which is depicted in the following diagram.
9.1 Architecture
Remote PC essentially provides a secure, remote access solution to the users physical
desktop, whether that location is a meeting room within the same building, a home office or
at a conference halfway around the world.
Users need access Users include Endpoints Common IT

to include location(s) Delivers
include
Their physical Office Managers Tablets Local, trusted Remote PC
desktop Office Workers Smartphones network or
Laptops Remote, untrusted
Home PC network
Remote PC utilizes the following components:

NetScaler Gateway to provide secure, remote access to the users phys
ical desk top
66
Citrix XenDesktop 7
StoreFront to provide the users with a list of resources, which includes
their physical desktop
Desktop Delivery Controller to enumerate and connect users to the
appropriate desktop
Database server to store the configuration and connec tion information
for the user and desk top
License server to provide the necessary access license to the users
desktop
67
Citrix XenDesktop 7
10.0 XenClient
Citrix XenClient extends the benefits of desktop virtualization to corporate laptops so users
can work from anywhere and at any time, whether they have slow, intermittent or no network
access. In addition, with Citrix XenClient, IT is better able to manage and secure the
distributed desktop environment while continuing to use a traditional endpoint device, like
corporate laptops or desktops.
As XenClient requires a minimal infrastructure, the costs associated with a XenClient
solution are significantly lower than traditional VDI solutions.
XenClient provides a solution for IT to better manage desktops that cannot be centralized due
to connectivity limitations or datacenter server and storage costs. Based on the user
requirements and configuration, a user can either receive a standard desktop with limited
personalization or a completely personal desktop experience utilizing Personal vDisk
technology.
Users need access Users include Endpoints Common IT Delivers

to include location(s)
include
A personalized Road Warriors Laptops Remote locations XenClient
local desktop with limited
connectivity
A standard local Retail clerks Desktops Training centers XenClient
desktop Bank Tellers Distributed offices
68
Citrix XenDesktop 7
Lab students
XenClient utilizes the following components:

NetScaler Gateway to provide secure, remote acc ess to Synchronizer
Synchronizer to deliver and manage the distributed local virtual machines
Database server to store the configuration and delivery information for
the user and desk top
license to the users desktop License server to provide the necessary
69
Citrix XenDesktop 7
Glossary
1. www.citrix.com
2. http://support.citrix.com/proddocs/topic/xendesktop/cds-xendesktop-71-
landing-page.html
3. http://support.citrix.com/product/xd/v7.1/
4. http://support.citrix.com/article/CTX139331
5. http://support.citrix.com/article/CTX136547
70

XD7 Document

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

XD7 Document

Uploaded by

Copyright:

Available Formats

Citrix XenDesktop 7

The Citrix XenDesktop 7 provides a unified framework for

At a high-level, a virtual desktop solution is based on a unified and

The XenDesktop 7 details the recommended architecture for the

Even though focus is also on these three common scenarios,

1.1 Conceptual Architecture

Based on the conceptual architecture, the following can be

As can be seen, each user group has a specific set of requirements

Note: The three virtual desktop models identified within the

1.2 Assign FlexCast Models

Users need Users Endpoints Common IT

Desktop PCs Medium

Users connecting from Local, trusted Remote, un-trusted

Session Protocol (Profile) ICA ICA Proxy

3.1 Pre-Authentication Policy

3.2 Authentication Policy

(CACs) that are read by a reader attach to each users device.

Initial Mobility LDAP User Pass- LDAP + LDAP + Token +

3.3 Best Practices:

3.4 Session Policy

3.5 Session Profile

4.0 Resource Layer

4.2 Application Rationalization

Consolidated applications should be identified within the application assessment.

Streamed: The applications are dynamically delivered to the virtual/physical

4.4 Application Delivery Method

Installed Installed Streamed Hosted VM Hosted

s (Windows Windows driver or windows, each VM host

Base Wide Use Individual/ Resource Technically

Desktop virtualization typically requires significant changes to be made to an organizations

selected. 16-bit code cannot be executed on a 64-bit operating system.

Approach Time Cost Complexity Interoperabilit Accuracy

Pre-requisites Many applications will depend on certain pre-requisites to

4.6 Application Streaming

Experience from the Field

4.7 16-bit Legacy Application Delivery

Operating System for Images

FlexCast Model Windows 7 Windows Windows Windows

VDI: physical / remote PC

4.8.1 Operating System Architecture for Images

If 16-bit applications are required, consider one of the following approaches:

Note: Windows 8 is available in both 32-bit and 64-bit versions.

4.9.1 User Profiles

Local Roaming Mandatory Hybrid

XenClient Recommended Viable Not Viable

4.9.2 Folder Redirection

Folder Local Roaming Mandatory Hybrid

4.9.3 Folder Exclusion

4.9.4 Profile Caching

4.9.5 Profile Permissions

4.9.6 Profile Path

4.9.6.2 Citrix Profile Management

4.9.6.2.1 Profile Streaming

4.9.6.2.2 Active Write Back

4.9.6.2.3 Configuration Approach

4.10 User Policies

4.11 Preferred Policy Engine

4.12 Policy Integration

4.13 Policy Filtering

Filter Name Filter Description Scope

Policy Precedence Policy Type

4.14 Baseline Policy

4.15 Profile Management Policy

Profile Management Policy Setting