Deploy and Manage Citrix

XenApp/XenDesktop 7.15

Citrix Course CMB-300-2I


April 2018
Version 3.0
Table of Contents
Module 1: Understanding the XenApp and XenDesktop 7.6 Architecture
Understanding the Architecture of XenApp and XenDesktop
Overview
XenApp vs XenDesktop
XenApp and XenDesktop Architecture Overview
User Layer
Citrix Receiver
Access Layer
Citrix NetScaler
Citrix StoreFront
Discussion Question
Control Layer
Delivery Controller
Machine Creation Services
Citrix Provisioning Services
Resource Layer
XenApp and XenDesktop Virtualization Technologies
Virtual Delivery Agent
Applications
Hosted Applications
Discussion Question
Local Application Access
Discussion Question
Server OS Machines
Discussion Question
Desktop OS Machines
Discussion Question
Remote PC Access
Discussion Question
Streamed VHD
Discussion Question
Citrix Profile Management
Policies
Personal vDisk
Management Layer
Citrix Studio
Citrix Director
Discussion Question
Hardware Layer
Hypervisor
Discussion Question
XenApp and XenDesktop Sites
Ports
Infrastructure Components
Discussion Question
Reinforcement Exercise: XenApp and XenDesktop Components
Definition Matching
Reinforcement Exercise: Identifying Components

Module 2: Hypervisor Considerations and Setup
Hypervisor Considerations and Setup
Overview
Lab Environment Overview
Installing the Hypervisor
To Install XenServer
Discussion Question
Installing the Hypervisor Management Console
To Install XenCenter
Discussion Question
Connecting the Management Console to the Hypervisor
To Connect XenCenter to the XenServer Host
Discussion Question
Configuring the Hypervisor
Configuring the Virtual Networks
To Configure an External Network
Discussion Question
Creating a Resource Pool
To Create a New Resource Pool in XenServer
Discussion Question
Configuring an ISO Library
To Configure an ISO Library for XenServer
Discussion Question
Configuring Virtual Disk Storage
To Configure Virtual Disk Storage
Discussion Question
Applying Updates and Hotfixes
To Upload and Apply a XenServer Hotfix
Discussion Question
Creating Templates
Discussion Question
Creating the Virtual Machine
Troubleshooting Hypervisor Setup Issues
Troubleshooting: Managing and Monitoring Hypervisors

Module 3: Setting Up Infrastructure Components
Setting Up the Infrastructure Components
Overview
Lab Environment Overview
Setting Up the Domain Controller
Discussion Question
Configuring Active Directory Domain Services
Discussion Question
Troubleshooting AD DS Installation Issues
Creating Organizational Units
Discussion Question
Adding Users and Groups
Discussion Question
Configuring Policies Using Group Policy
Discussion Question
Securing Service Accounts
Discussion Question
Setting Up the Dynamic Host Configuration Protocol
Configuring DHCP
Troubleshooting DHCP Installation Issues
Setting Up A Certificate Authority
Discussion Question
Setting Up the File Server
Discussion Question
Configuring Folder Redirection
Discussion Question
Setting Up the Microsoft KMS License Server
Setting Up SQL Server 2012
Creating the Computer and Service Accounts for SQL Server 2012
To Create Computer and Service Accounts for SQL Server 2012
Installing SQL Server 2012
To Install SQL Server 2012
Discussion Question
Configuring SQL Server and the Windows Firewall
To Configure SQL Server and the Windows Firewall to Accept Inbound Connections
Discussion Question
Setting Up SQL Server Mirroring
Installing the SQL Server Witness
Discussion Question
Configuring SQL Server Mirroring
To Configure SQL Server Mirroring
Discussion Question
Troubleshooting SQL Server Issues
Installing Anti-Virus Software
Discussion Question
Setting up the DMZ
Discussion Question

Module 4: Setting Up Citrix Components
Setting Up Citrix Components
Overview
Lab Environment Overview
Architecture
Discussion Question
Setting Up the Citrix License Server
Installing the Citrix License Server
To Install the Citrix License Server
Troubleshooting License Server Issues
Allocating, Downloading, and Adding a License File
To Allocate, Download, and Import a License File
Discussion Question
Adding License Administrators
To Add a License Administrator
Discussion Question
Configuring Licensing Alerts
To Configure Licensing Alerts
Moving from XenApp 7.6 to XenDesktop 7.6
Setting Up the Delivery Controller
Installing the First Controller
To Install the First Controller
Discussion Question
Configuring a Site
To Configure a Site
Editing Connection and Resource Settings
To Edit Connection and Resource Settings
Connecting to Resources
Discussion Question
Troubleshooting Studio
Adding Delegated Administrators
Administrators
Roles
Scopes
To Add a Delegated Administrator
Discussion Question
Setting Up a Second Controller
To Install a Second Controller
Joining a Controller to a Site
To Join a Controller to an Existing Site
Discussion Question
Setting Up the Citrix Universal Print Server
Installing the Universal Print Server
To Install the Universal Print Server
Discussion Question
Configuring the Universal Print Server
To Configure the Universal Print Server
Discussion Question
Creating Printers
To Create Printers
Discussion Question
Setting Up StoreFront
StoreFront Components
StoreFront Communication
Discussion Question
Installing Citrix StoreFront
To Install StoreFront
Discussion Question
Requesting and Installing a Certificate on StoreFront
To Create and Install a Certificate on StoreFront
Discussion Question
Creating and Configuring a Store
To Configure a Store
Discussion Question
To Configure Authentication Methods
Enabling End Users to Change Their Passwords
To Enable End Users to Change Their Passwords
Creating a Store for Unauthenticated (Anonymous) Users
To Create a Store for Anonymous User Access
Discussion Question
Managing Delivery Controllers
Setting Up a Second StoreFront Server
To Install a Second StoreFront Server
Discussion Question
StoreFront Management Console
Setting Up Receiver
Configuring DNS for Email-Based Account Discovery
To Configure a Service Location Locator Record for Email-based Account Discovery
Installing and Configuring Receiver
To Install and Configure Receiver .......................................................................................................................... 114
Discussion Question .............................................................................................................................................. 115
Troubleshooting Receiver ...................................................................................................................................... 115
Troubleshooting: Managing StoreFront .................................................................................................................. 115
Reinforcement Exercise: Using the Receiver for Web Site ...................................................................................... 116

Module 5: Setting Up XenApp and XenDesktop Resources ........................................................ 117


Setting Up XenApp and XenDesktop Resources ....................................................................................................... 119
Overview ................................................................................................................................................................ 119
Architecture Overview ............................................................................................................................................ 119
Resources ............................................................................................................................................................. 120
Discussion Question .............................................................................................................................................. 121
Preparing the Master Image Virtual Machine .......................................................................................................... 121
Creating the Master Image .................................................................................................................................... 122
Discussion Question .............................................................................................................................................. 122
Setting Up a Server OS Master Image ................................................................................................................... 122
Using a Virtual IP Address ..................................................................................................................................... 122
Installing and Configuring the Virtual Delivery Agent ............................................................................................... 122
To Install and Configure the VDA on a Server OS Master Image ............................................................................ 123
Installing and Configuring Third-Party Applications ................................................................................................ 125
To Install Third-Party Applications .......................................................................................................................... 125
Installing Anti-Virus Software .................................................................................................................................. 126
Discussion Question .............................................................................................................................................. 126
Troubleshooting Virtual Delivery Agent Issues ........................................................................................................ 126
Setting Up a Desktop OS Master Image ................................................................................................................ 126
Installing and Configuring the Virtual Delivery Agent ............................................................................................... 126
To Install and Configure the VDA on a Desktop OS Master Image ......................................................................... 127
Discussion Question .............................................................................................................................................. 128
Creating a Machine Catalog .................................................................................................................................. 129
Using Machine Creation Services .......................................................................................................................... 129
Creating a Machine Catalog for Server OS and Hosted Applications ..................................................................... 130
To Create a Machine Catalog for Server OS and Hosted Applications ................................................................... 130
Creating a Machine Catalog for Desktop OS Machines ......................................................................................... 132
To Create a Desktop OS Machine Catalog ............................................................................................................ 132
Discussion Question .............................................................................................................................................. 134
Creating a Delivery Group ...................................................................................................................................... 134

Securing Connections ........................................................................................................................................... 135
To Create a Delivery Group to Provide Hosted Applications .................................................................................. 136
Creating a Delivery Group for Anonymous User Access ........................................................................................ 137
To Create a Delivery Group for Anonymous User Access ...................................................................................... 138
Organizing Applications in Folders ......................................................................................................................... 138
To Organize Applications in Folders ....................................................................................................................... 139
To Create a Delivery Group to Provide Desktops ................................................................................................... 139
Discussion Question .............................................................................................................................................. 140
Troubleshooting XenApp and XenDesktop Resource Issues .................................................................................. 141
Troubleshooting: Managing Desktops and Applications ......................................................................................... 141
Reinforcement Exercise: Adding Machines and Delivery Groups ........................................................................... 142

Module 6: Setting Up and Managing Policies and Profiles .......................................................... 143


Setting Up and Managing Policies and Profiles .......................................................................................................... 145
Overview ................................................................................................................................................................ 145
Policy Precedence (Studio vs. Group Policy Objects) ............................................................................................. 146
Installing the Group Policy Management Feature ................................................................................................... 146
Creating Policies Using Studio ............................................................................................................................... 147
Unfiltered Policy ..................................................................................................................................................... 147
Using a Policy Template in Studio .......................................................................................................................... 147
Citrix Policy Extensions .......................................................................................................................................... 147
To Create a Policy from a Template ....................................................................................................................... 148
To Create a Policy Using Studio ............................................................................................................................ 148
Applying a Policy Using Studio .............................................................................................................................. 149
To Apply a Policy ................................................................................................................................................... 149
Editing a Policy Using Studio ................................................................................................................................. 149
To Edit a Policy ...................................................................................................................................................... 150
Prioritizing Policies Using Studio ............................................................................................................................ 150
To Prioritize a Policy .............................................................................................................................................. 150
Discussion Question .............................................................................................................................................. 150
To Create a Computer Template in Studio ............................................................................................................ 151
Exporting a Policy Template Using Studio ............................................................................................................. 151
To Export a Policy Template .................................................................................................................................. 151
Importing a Policy Template Using Studio ............................................................................................................. 151
To Import a Policy Template .................................................................................................................................. 152
Creating Policies Using Group Policy ..................................................................................................................... 152
Discussion Question .............................................................................................................................................. 153
Creating and Applying a Group Policy Object ........................................................................................................ 153
To Create a GPO ................................................................................................................................................... 153
Editing a Group Policy Object ................................................................................................................................ 153
To Edit a Policy ...................................................................................................................................................... 153
Running the Resultant Set of Policy ....................................................................................................................... 154
To Create a Resultant Set of Policy Using the Group Policy Management Console ............................................... 154
Using a User Template with Group Policy .............................................................................................................. 155
To Use a User Template ........................................................................................................................................ 155
Discussion Question .............................................................................................................................................. 156
Importing a Policy Template with Group Policy ...................................................................................................... 156
To Import a Policy Template .................................................................................................................................. 156
Exporting a Policy Template with Group Policy ...................................................................................................... 157
To Export a Policy Template .................................................................................................................................. 157
Prioritizing a Policy Using Group Policy .................................................................................................................. 157
To Change the Priority of a Policy .......................................................................................................................... 157
Discussion Question .............................................................................................................................................. 158
Configuring Remote Assistance ............................................................................................................................. 158
To Configure Remote Assistance Permissions ....................................................................................................... 158
Discussion Question .............................................................................................................................................. 159
Troubleshooting: Managing Policies ....................................................................................................................... 159
Setting Up Citrix Profile Management .................................................................................................................... 160
Managing End-User Profiles ................................................................................................................................. 160
To Configure the Profile Management Settings ...................................................................................................... 161
Discussion Question .............................................................................................................................................. 163
Reinforcement Exercise: Working with Policies ...................................................................................................... 163

Module 7: Managing Printing Through Policies ........................................................................... 165
Managing Printing ...................................................................................................................................................... 167
Overview ................................................................................................................................................................ 167
Print Management Process ................................................................................................................................... 167
Default Printing Behavior ........................................................................................................................................ 167
Configuring Client Printing ..................................................................................................................................... 168
Modifying Client Printer Auto-Creation ................................................................................................................... 168
To Modify Client Printer Auto-Creation Behavior .................................................................................................... 169
Discussion Question .............................................................................................................................................. 170
Adding Session Printers ......................................................................................................................................... 170
To Add Session Printers ........................................................................................................................................ 170
Managing Printer Drivers ........................................................................................................................................ 171
Automatic Installation of In-Box Printer Drivers ...................................................................................................... 171
To Configure the Automatic Installation of Printer Drivers ....................................................................................... 172
Configuring Printer Driver Mapping and Compatibility ............................................................................................ 172
To Configure Printer Driver Mapping and Compatibility ......................................................................................... 173
Universal Printer Driver ........................................................................................................................................... 173
Controlling Universal Printing Behavior ................................................................................................................... 174
Optimizing Print Job Routing ................................................................................................................................. 174
Optimizing Printing Performance ............................................................................................................................ 175
To Configure Printing Optimization ........................................................................................................................ 176
Discussion Question .............................................................................................................................................. 177
Setting Up and Managing the Universal Print Server .............................................................................................. 177
To Set Up and Manage the Universal Print Server ................................................................................................. 177
Troubleshooting: Managing Printing ....................................................................................................................... 178
Reinforcement Exercise: Managing Printing ........................................................................................................... 178

Module 8: Setting Up and Managing Provisioning Services ........................................................ 181


Setting Up and Managing Provisioning Services ........................................................................................................ 183
Overview ................................................................................................................................................................ 183
MCS versus PVS ................................................................................................................................................... 183
Provisioning Services Architecture ......................................................................................................................... 184
Discussion Question .............................................................................................................................................. 185
Setting Up a Provisioning Services Server ............................................................................................................. 185
Creating a Service Account for Provisioning Services ............................................................................................ 185
Creating a Share for the Store ............................................................................................................................... 185
To Create the Share for the Store .......................................................................................................................... 186
Write Cache Considerations .................................................................................................................................. 187
Discussion Question .............................................................................................................................................. 188
Creating Windows Firewall Exceptions ................................................................................................................... 188
Discussion Question .............................................................................................................................................. 189
Installing Provisioning Services .............................................................................................................................. 189
To Install Provisioning Services .............................................................................................................................. 189
Discussion Question .............................................................................................................................................. 191
Granting Database Permissions ............................................................................................................................. 192
To Grant Database Permissions to the Service Account ........................................................................................ 192
Installing the Provisioning Services Console ........................................................................................................... 193
To Install the Provisioning Services Console .......................................................................................................... 193
Discussion Question .............................................................................................................................................. 193
Configuring Boot from Network ............................................................................................................................. 194
To Configure DHCP (Options 66 and 67) for PXE Booting ..................................................................................... 194
Discussion Question .............................................................................................................................................. 195
Setting Up a Second Provisioning Services Server ................................................................................................ 195
To Configure a Second Provisioning Services Server ............................................................................................. 195
Discussion Question .............................................................................................................................................. 197
Configuring the Bootstrap File for High Availability ................................................................................................. 198
To Configure the Bootstrap File for High Availability ............................................................................................... 198
Discussion Question .............................................................................................................................................. 198
Configuring the Master Target Device .................................................................................................................... 199
Creating the Master Target Device ........................................................................................................................ 199
Installing the Virtual Delivery Agent ......................................................................................................................... 200
Creating the vDisk ................................................................................................................................................. 200

To Convert the Hard Drive of the Master Target Device to a vDisk ........................................................................ 200
Discussion Question .............................................................................................................................................. 202
To Create the Target Device Template .................................................................................................................. 202
Setting the vDisk Mode ......................................................................................................................................... 203
To Set the vDisk Mode .......................................................................................................................................... 204
Discussion Question .............................................................................................................................................. 204
Assigning a vDisk to a Target Device ..................................................................................................................... 204
To Assign a vDisk to a Target Device .................................................................................................................... 204
Creating the Machine Catalog ............................................................................................................................... 205
To Create the Machine Catalog ............................................................................................................................. 205
Discussion Question .............................................................................................................................................. 206
Creating the Delivery Group ................................................................................................................................... 206
To Create the Delivery Group ................................................................................................................................ 207
Discussion Question .............................................................................................................................................. 208
To Update a vDisk ................................................................................................................................................. 208
Promoting Updated Versions ................................................................................................................................. 209
To Promote Updated vDisk Versions ..................................................................................................................... 209
Discussion Question .............................................................................................................................................. 210
VHD Chain of Differencing Disks ............................................................................................................................ 210
Merging VHD Differencing Disks ............................................................................................................................ 210
To Merge VHD Differencing Disks .......................................................................................................................... 211
Troubleshooting: Provisioning Services .................................................................................................................. 211
Reinforcement Exercise: Creating BDM Target Devices ......................................................................................... 211

Module 9: Managing and Monitoring Sessions, Sites and End Users with Director ..................... 213
Managing and Monitoring Sessions, Sites, and End Users with Director ................................................................... 215
Overview ................................................................................................................................................................ 215
Director Overview .................................................................................................................................................. 215
To Monitor an End-User Session ........................................................................................................................... 216
To Access Director ................................................................................................................................................ 216
Monitoring within the Director Dashboard .............................................................................................................. 216
Monitoring Infrastructure ........................................................................................................................................ 217
To Monitor the Infrastructure ................................................................................................................................. 217
Monitoring Connected Sessions ............................................................................................................................ 217
To Monitor Connected Sessions ............................................................................................................................ 217
Monitoring Logon Duration Averages ..................................................................................................................... 218
To Monitor Logon Duration Averages .................................................................................................................... 218
Monitoring Machine and End-User Connection Failures ......................................................................................... 218
Monitoring and Managing End-User Sessions ....................................................................................................... 219
Viewing End-User Sessions ................................................................................................................................... 219
To View End-User Sessions ................................................................................................................................... 219
Searching for an End User ..................................................................................................................................... 219
To Search for an End User .................................................................................................................................... 220
Monitoring End-User Applications .......................................................................................................................... 220
To Monitor End-User Applications ......................................................................................................................... 220
Monitoring End-User Machine Processes .............................................................................................................. 221
To Monitor End-User Machine Processes .............................................................................................................. 221
Managing an End User's Machine Power Status ................................................................................................... 221
To Manage an End User's Machine Power Status ................................................................................................. 221
Enabling or Disabling Maintenance Mode .............................................................................................................. 222
To Enable or Disable Maintenance Mode ............................................................................................................... 222
Resetting an End-User Profile ................................................................................................................................ 222
To Reset an End-User Profile ................................................................................................................................ 223
Discussion Question .............................................................................................................................................. 223
Monitoring HDX Channels ...................................................................................................................................... 223
To Monitor HDX Channels ..................................................................................................................................... 223
Sending a Message to an End User ...................................................................................................................... 224
To Send a Message to an End User ...................................................................................................................... 224
Shadowing an End-User Session .......................................................................................................................... 225
To Shadow an End-User Session .......................................................................................................................... 225
Disconnecting an End-User Session ...................................................................................................................... 226
To Disconnect an End-User Session ..................................................................................................................... 226
Logging an End User Off ....................................................................................................................................... 227

To Log an End User Off ......................................................................................................................................... 227
Discussion Question .............................................................................................................................................. 227
Monitoring Historical Trends .................................................................................................................................. 228
To Monitor Historical Trends .................................................................................................................................. 228
Troubleshooting: Managing Sites, Sessions, and End Users with Director ............................................................. 228
Reinforcement Exercise: Using Director ................................................................................................................. 229

Module 10: Setting Up NetScaler ................................................................................................ 231


Setting Up NetScaler ................................................................................................................................................. 233
Overview ................................................................................................................................................................ 233
To Import the NetScaler Gateway VPX .................................................................................................................. 234
Discussion Question .............................................................................................................................................. 235
Creating the NetScaler VM .................................................................................................................................... 235
Discussion Question .............................................................................................................................................. 235
Performing the Initial NetScaler Configuration ........................................................................................................ 235
To Perform the Initial Configuration of the First NetScaler ...................................................................................... 235
Discussion Question .............................................................................................................................................. 237
Configuring NTP .................................................................................................................................................... 237
To Synchronize the Time on the NetScaler ............................................................................................................ 237
Discussion Question .............................................................................................................................................. 237
Configuring NetScaler High Availability ................................................................................................................... 238
Setting Up DNS ..................................................................................................................................................... 238
To Configure DNS A Records for the NetScaler .................................................................................................... 239
Discussion Question .............................................................................................................................................. 239
Creating Certificates for NetScaler ......................................................................................................................... 239
Creating a Wildcard Certificate for Internal Resource Access ................................................................................. 240
To Create a Wildcard Certificate for the Domain .................................................................................................... 240
Discussion Question .............................................................................................................................................. 242
Creating a Certificate Signed by a Third-Party Certificate Authority ........................................................................ 242
To Create a Public Certificate for the NetScaler ..................................................................................................... 243
Load Balancing StoreFront Servers ....................................................................................................................... 244
To Load Balance StoreFront Servers ..................................................................................................................... 245
Configuring NetScaler for Remote Access ............................................................................................................. 247
To Create a Service Account for LDAP Authentication and the Security Group for Remote Access ...................... 247
Configuring Active Directory Integration ................................................................................................................. 249
To Configure Active Directory Integration with NetScaler ....................................................................................... 249
Modifying StoreFront to Integrate with NetScaler ................................................................................................... 250
To Modify StoreFront to Work with NetScaler ........................................................................................................ 251
Discussion Question .............................................................................................................................................. 252
Creating Beacons .................................................................................................................................................. 252
To Create a Beacon Point ..................................................................................................................................... 252
Enabling Remote Access to the Store ................................................................................................................... 253
To Enable Remote Access to the Store ................................................................................................................. 253
Propagating Settings to the StoreFront Server Group ............................................................................................ 253
To Propagate the StoreFront Settings ................................................................................................................... 254
Discussion Question .............................................................................................................................................. 254
Configuring ICA Proxy ........................................................................................................................................... 254
To Configure the NetScaler for ICA Proxy .............................................................................................................. 255
Discussion Question .............................................................................................................................................. 256
Configuring Pre-Authentication Policies ................................................................................................................. 256
Enabling XML Service Trust ................................................................................................................................... 256
Configuring NetScaler for Email-Based Account Discovery .................................................................................... 256
To Configure NetScaler for Email-Based Account Discovery ................................................................................. 256
Testing Access through NetScaler ......................................................................................................................... 257
To Test External Access to the Environment .......................................................................................................... 257

Citrix Hands-on Labs
What are Hands-on Labs?
Hands-on Labs from Citrix Education allows you to revisit, relearn, and master the lab exercises covered during the course.
This offer gives you 25 days of unlimited lab access to continue your learning experience outside of the classroom.

Claim introductory pricing of $500 for 25 days of access. Contact your Citrix Education representative or
purchase online here.

Why Hands-on Labs?

Practice outside of the classroom: You'll receive a fresh set of labs, giving you the opportunity to recreate and master
each step in the lab exercises.

Test before implementing: Whether you're migrating to a new version of a product or discovered a product
feature you previously didn't know about, you can test it out in a safe sandbox
environment before putting it into live production.

25 days of access: Get unlimited access to the labs for 25 days after you launch, giving you plenty of time
to sharpen your skills.

Certification exam preparation: Get ready for your Citrix certification exam by practicing test materials covered by lab
exercises.

Mark: Owner

Secure Computing®, SafeWord®: Secure Computing Corporation

SecurID®: Security Dynamics Technologies, Inc.

Java®, JavaScript®: Sun Microsystems, Inc.

Toolwire®: Toolwire

VMWare®, ESX Server®: VMware, Inc.

Other product and company names mentioned herein might be the service marks, trademarks or registered trademarks of
their respective owners in the United States and other countries.
Credits
Instructional Designer: John Spina, Karla Stagray, Neetu Arora

Product Specialist: Evin Safdia

Graphic Artist: Tyler Fromma, Andres Mungarrieta, Veronica Fuentes

Product Managers: Amit Ben-Chanoch

Editor: Kathryn Morris

Translation Project Manager: Tanya Brice

Publication Services: Dustin Clark, Adrianna Cournoyer

CCI Enablement: Christy Vega

Subject Matter Expert: Jeff Apsley, Justin Apsley, Allen Furmanski, Dave Gunn,
James Hsu, David Jimenez, Arnd Kagelmacher, Christopher
Rudolph, Stacy Scott, Mark Simmons, Elisabeth Teixeira
Module 1

Understanding the XenApp and XenDesktop 7.6 Architecture

Understanding the Architecture of XenApp and XenDesktop
Overview
Citrix XenApp and XenDesktop deliver Windows applications and desktops as secure mobile services. With XenApp and
XenDesktop, IT can mobilize the business, while reducing costs by centralizing control and security for intellectual property.
Users can self-select applications from an easy-to-use application store that is accessible from tablets, smartphones, PCs, Macs,
and thin clients.
HDX technologies enable XenApp and XenDesktop to deliver a user experience that is optimized for different user devices, as
well as network conditions. XenApp and XenDesktop are built on an architecture that offers simple yet powerful
configuration options, along with operations management and cloud-style automation and scalability.
At the end of this module you will be able to:
• Identify the architecture and components of a XenApp and XenDesktop solution
• Explain the role of:
• Citrix Receiver
• Citrix NetScaler
• Citrix StoreFront
• Delivery Controller
• Machine Creation Services (MCS)
• Provisioning Services (PVS)
• Virtual Delivery Agent (VDA)
• Citrix Profile Management
• Hypervisor
• Discuss the responsibilities of the different XenApp and XenDesktop components.
Module timing: Approximately 2 hours

XenApp vs XenDesktop
XenApp and XenDesktop share a common architecture in which one or more Delivery Controllers broker user
connections to sessions. Users connect to XenApp and XenDesktop sessions using the Citrix HDX protocol (formerly known
as ICA).
Sessions are hosted on physical or virtual machines running the Citrix Virtual Delivery Agent (VDA). The VDA can be
installed on both Server OS and Desktop OS machines. The operating systems on which you can run the VDA and the types of
sessions supported depend on whether you bought XenApp or XenDesktop. The following tables identify the types of
machines and sessions available per product edition.

VDA Chart (columns): XenApp Advanced, XenApp Enterprise, XenApp Platinum, XenDesktop VDI, XenDesktop Enterprise, XenDesktop Platinum
Server OS Machines: X X X X X
Desktop OS Machines: X X X

Module 1: Understanding the XenApp and XenDesktop 7.6 Architecture 19


Session Chart (columns): XenApp Advanced, XenApp Enterprise, XenApp Platinum, XenDesktop VDI, XenDesktop Enterprise, XenDesktop Platinum
Server OS Hosted Desktop: X X X X X
Server OS Hosted Applications: X X X X X
Desktop OS Desktop: X X X
Desktop OS Applications: X X X X

*XenDesktop VDI does not support the use of physical machines.


Additional features and FlexCast models become available in the editions as you move from left to right in the table. For a
complete list of features, see the XenDesktop 7.6 and XenApp 7.6 Features and Entitlement document at
http://www.citrix.com/go/products/xendesktop/feature-matrix.html.

XenApp and XenDesktop Architecture Overview


During this module we will explore the components that comprise a XenApp and XenDesktop solution. The following
diagram depicts a XenApp and XenDesktop solution and the associated components. Customers who
purchase only XenApp will not have all of the features presented in this course, for example the VDI
Hosts shown in this graphic.

User Layer
The user layer contains Citrix Receiver, regardless of whether the end user is connecting from an internal or external device.

Citrix Receiver
Citrix Receiver is installed on end-user devices to provide end users with quick, secure, self-service access to documents,
applications, and desktops from any end-user device, including smartphones, tablets, and PCs. Receiver provides on-demand
access to Windows, Web, and Software as a Service (SaaS) applications.

Access Layer
The access layer contains the components that provide end-user access to the environment: Citrix NetScaler and StoreFront.
NetScaler provides secure access and intelligent load balancing for StoreFront, Delivery Controller, and other infrastructure
components.
Internal end-user devices connect from the user layer to the access layer using Citrix StoreFront.
In a Citrix-recommended implementation, external end-user devices connect first through Citrix NetScaler - and often a
firewall and perimeter network - and then through StoreFront to access resources.

Citrix NetScaler
NetScaler is an integrated Web application delivery controller that slashes server and bandwidth requirements, while cutting
the cost of delivering enterprise applications. NetScaler functions as an application accelerator through caching and HTTP
compression. It also provides advanced management using layer-4 through layer-7 load balancing and content switching
functions. NetScaler also includes application security using a Web application firewall. NetScaler offloads applications and
Web servers to ensure application availability, increased security through SSL, and server consolidation. It reduces the cost of
ownership of Web application delivery and optimizes the end-user experience.

Citrix StoreFront
Citrix StoreFront delivers a powerful, self-service Windows applications store to provide a single, simple, and consistent
aggregation point for all IT user services. Users may subscribe to applications, desktops, or data services from multiple devices
and have access to those services from all devices for a seamless and simple experience.

StoreFront requires 2 GB of memory. StoreFront 2.0 is the minimum version supported by XenApp and
XenDesktop. For more information about StoreFront requirements, see Citrix Support at
http://www.citrix.com/support.

Discussion Question
What type of solution are you using for external access?

Control Layer
The Control Layer is home for the various controllers and infrastructure components required for managing and delivering
virtual desktops and hosted applications. Within the control layer, decisions surrounding the management and maintenance
of the overall solution are addressed. The control layer is comprised of access controllers, delivery controllers, and
infrastructure controllers. Once an end-user connection moves past the access layer, Citrix StoreFront communicates with the
Delivery Controller in the control layer.

Delivery Controller
Installed on servers in the datacenter, the Delivery Controller consists of services that communicate with the hypervisor to
distribute applications and desktops, authenticate and manage end-user access, and broker connections between end users and
their virtual desktops and applications. The Controller manages the state of the desktops, starting and stopping them based on
demand and administrative configuration. Each site has one or more delivery controllers.
Supported operating systems for the Delivery Controller include:

• Windows Server 2012 R2, Standard, and Datacenter Editions.
• Windows Server 2012, Standard, and Datacenter Editions.
• Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions.
Requirements for the Delivery Controller include:
• 100 MB of disk space.
• Microsoft .NET Framework 3.5 SP1 (required on Windows Server 2008 R2 only).
• Microsoft .NET 4.0.
• Windows PowerShell 2.0 or 3.0.
• Visual C++ 2005, 2008 SP1, and 2010 Redistributable packages. The installer deploys these automatically.

Machine Creation Services


Machine Creation Services (MCS) is a collection of services that run on the Delivery Controller to generate multiple clone-like
machines from a single virtual machine serving as the primary image. The Machine Creation Service communicates with the
hypervisor and creates the desired number of machines using storage-based snapshot technologies, while the Citrix AD
Identity Service generates the computer accounts within Active Directory.
MCS can create machines based on a Server OS and Desktop OS.

Citrix Provisioning Services


Citrix Provisioning Services (PVS) uses network-based streaming technology to deliver the operating system for both single-
user virtual-desktops and multi-user, server-based resources. Citrix Provisioning Services allows a single vDisk to be used to
deliver a consistent virtual desktop across the environment and to simplify image management and maintenance.

XenApp and XenDesktop require PVS version 7.0 or later. Provisioning Services for Server OS is included with
XenApp and XenDesktop Enterprise and Platinum editions. Provisioning Services for Desktop OS is included with
XenDesktop VDI (not including physical desktops), Enterprise and Platinum editions.

Resource Layer
The resource layer contains the end user's virtual desktop and applications and is subdivided into three components:
applications, operating system image, and personalization. The personalization component contains the user profile, policies,
and personal vDisk.

XenApp and XenDesktop Virtualization Technologies
Different types of end users need different types of processing environments. Some end users may require simplicity and
standardization, while others may require high levels of performance and personalization. Implementing a single virtualization
model across an entire organization may lead to end-user frustration and reduced productivity. Instead, organizations need to
identify the functionality that is required and understand the technical differences between the various processing
environments and the virtualization components that provide that environment.

Virtual Delivery Agent


The Virtual Delivery Agent (VDA) must be installed on any server or desktop-based operating system that will be used to
deliver applications or desktops to the user. The VDA enables end user connections to the desktops and applications, installs
software for profile management and printing services, and extends the applicable group policy settings.
The VDA for Windows Desktop OS supports Windows 8, Windows 8.1, and Windows 7 SP1 machines.
The VDA for Windows Server OS supports Windows 2012, Windows 2012 R2 and Windows 2008 R2 SP1 machines.

Applications
You can install applications on Server OS or Desktop OS machines in your XenApp and XenDesktop environment. Once
installed, these applications can be made available and delivered to end users.

Hosted Applications

With the Hosted Applications model, end users may not be provided with a virtual desktop; instead Windows applications are
centralized in the datacenter and instantly delivered through a multi-channel protocol. Hosted applications can be provided to
connected end users or configured to use Microsoft App-V technology to stream to end users for offline use. The Citrix
version of application streaming is not supported in XenDesktop 7.6.

Hosted applications on a Desktop OS were formerly known as VM Hosted Apps. Hosted applications on a Server
OS were formerly known as published applications.

Discussion Question
How can end users access hosted applications?

Local Application Access

With the Local Application Access model, end users are provided with a Server OS machine or Desktop OS machine
delivered full screen. The end user has locally installed applications on the endpoint that they want to use within their virtual
desktop. Local Application Access allows you to make those locally installed applications available on the virtual desktop and
in the Start menu even when the desktop is running in locked-down full-screen mode. When the end user launches a local
application in the virtual desktop, the application window appears in the desktop session window even though it is actually
running on the endpoint. This is ideal for use-cases where desktops are being delivered full-screen and end users want to
simultaneously work with local applications like iTunes, CD burning software, video conferencing software, games, and more.
To use Local Application Access, Citrix Receiver must be installed. Local Application Access is enabled by default in Citrix
Receiver. In addition, you must enable Local Application Access using the Allow Local App Access (HDX) policy and apply it
to the Server OS and Desktop OS machines. Local Application Access is disabled by default in XenApp and XenDesktop.
Once enabled, you must deliver the local applications using a Delivery Group in Studio.

Discussion Question
What is an advantage of providing Local Application Access to end users rather than installing the applications on the virtual
desktop?

Server OS Machines

A Server OS machine was formerly known as a published desktop in Citrix XenApp 6.5. With the Server OS machine model,
multiple desktop sessions are hosted on a single server-based operating system. The Server OS machine model provides a low-
cost, high-density solution. Applications must be compatible with a server-based operating system. In addition, because
multiple users are sharing a single operating system, end users are restricted from performing actions that may negatively
affect other end users, for example installing applications, changing system settings, and restarting the operating system.

Discussion Question
How can end users access Server OS machines?

Desktop OS Machines

With the Desktop OS machine model, each end user is provided with a full desktop operating system, which provides
administrators with a granular level of control over the number of virtual processors and memory assigned to each desktop.
Desktop OS machines can be delivered as:
• Random Desktops, which are based on a single master image and provisioned using Citrix Machine Creation Services or
Citrix Provisioning Services. End users are dynamically connected to one of the desktops in the pool each time they log
on. Changes to the desktop image are lost when the machine is restarted.

Desktop OS machines are delivered on a first-come, first-served basis. An end user may get a different desktop
each time they log on.

• Static Desktops, which are based on a single master image and provisioned using Citrix Machine Creation Services or
Citrix Provisioning Services. End users are administratively assigned a virtual desktop or are allocated a virtual desktop
on first access. Once assigned, end users will always be connected to the same virtual desktop. Changes to the desktop
image are lost when the machine is restarted unless persistent write cache or Personal vDisk is implemented. If high
availability/persistence of the end user's desktop personalization settings is required, use Static with Personal vDisk
Desktops.
• Static with Personal vDisk Desktops, which are based on a single master image and provisioned using Citrix Machine Creation
Services (MCS) or Provisioning Services (PVS). End users are administratively assigned a virtual desktop or are allocated
a virtual desktop on first access. Once assigned, end users will always be connected to the same virtual desktop. Changes
to the desktop are stored on a Personal vDisk and retained between restarts. Desktops with a Personal vDisk cannot be
shared between multiple end users; each end user requires their own desktop. If high availability/persistence of the end
user's desktop personalization settings is required, the Personal vDisk must be stored on shared storage.
• Existing, which refers to virtual desktops created from a manual build, a hypervisor template, cloning, or third-party tools. They
are not created using Citrix Machine Creation Services (MCS) or Citrix Provisioning Services (PVS). These desktops must
be managed manually with third-party desktop management tools.
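
The delivery models in this module differ mainly in whether changes to a machine survive a restart, which determines which machines reset to the master image and which must be patched and monitored individually. The following PowerShell is an added example, not part of the original course material: it classifies machine catalog objects into the module's model names. It assumes the property names exposed on catalog objects by `Get-BrokerCatalog` in the Citrix Broker PowerShell SDK; the function name, the mapping to model names, and the sample catalogs are constructed for illustration.

```powershell
# Added example. Classifies machine catalogs into the delivery models named in
# this module and reports whether changes on the machines survive a restart.
# Assumption: input objects carry the catalog properties SessionSupport,
# AllocationType, PersistUserChanges, ProvisioningType and IsRemotePC.
# The mapping to the course's model names is this example's reading.

function Get-CatalogDeliveryModel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Catalog
    )
    process {
        $model = if ($Catalog.SessionSupport -eq 'MultiSession') {
            'Server OS machine'
        } elseif ($Catalog.IsRemotePC) {
            'Remote PC Access'
        } elseif ($Catalog.ProvisioningType -eq 'Manual') {
            # Not created by MCS or PVS, so managed with other tools
            'Existing'
        } elseif ($Catalog.AllocationType -eq 'Random') {
            'Random'
        } elseif ($Catalog.PersistUserChanges -eq 'OnPvd') {
            'Static with Personal vDisk'
        } elseif ($Catalog.PersistUserChanges -eq 'Discard') {
            'Static'
        } else {
            # Static assignment with changes kept on the machine's own disk;
            # this variant is not named in the module text
            'Static (changes kept on local disk)'
        }

        New-Object psobject -Property @{
            Name                  = $Catalog.Name
            Model                 = $model
            Provisioning          = [string]$Catalog.ProvisioningType
            ChangesSurviveRestart = ($Catalog.PersistUserChanges -ne 'Discard')
        } | Select-Object Name, Model, Provisioning, ChangesSurviveRestart
    }
}

# Constructed sample catalogs (not from a real site), one per model.
$sampleCatalogs = @(
    New-Object psobject -Property @{
        Name = 'Hosted-Shared'; SessionSupport = 'MultiSession'
        AllocationType = 'Random'; PersistUserChanges = 'Discard'
        ProvisioningType = 'PVS'; IsRemotePC = $false }
    New-Object psobject -Property @{
        Name = 'Pooled-Win7'; SessionSupport = 'SingleSession'
        AllocationType = 'Random'; PersistUserChanges = 'Discard'
        ProvisioningType = 'MCS'; IsRemotePC = $false }
    New-Object psobject -Property @{
        Name = 'Assigned-Win8'; SessionSupport = 'SingleSession'
        AllocationType = 'Static'; PersistUserChanges = 'Discard'
        ProvisioningType = 'MCS'; IsRemotePC = $false }
    New-Object psobject -Property @{
        Name = 'Assigned-PvD'; SessionSupport = 'SingleSession'
        AllocationType = 'Static'; PersistUserChanges = 'OnPvd'
        ProvisioningType = 'MCS'; IsRemotePC = $false }
    New-Object psobject -Property @{
        Name = 'Cloned-Manual'; SessionSupport = 'SingleSession'
        AllocationType = 'Permanent'; PersistUserChanges = 'OnLocal'
        ProvisioningType = 'Manual'; IsRemotePC = $false }
    New-Object psobject -Property @{
        Name = 'Office-PCs'; SessionSupport = 'SingleSession'
        AllocationType = 'Permanent'; PersistUserChanges = 'OnLocal'
        ProvisioningType = 'Manual'; IsRemotePC = $true }
)

$report = $sampleCatalogs | Get-CatalogDeliveryModel
$report | Format-Table -AutoSize

# Catalogs whose machines keep changes across restarts: these do not reset
# to the master image and need per-machine patching and monitoring.
$report | Where-Object { $_.ChangesSurviveRestart } |
    Select-Object -ExpandProperty Name

# Against a live site, run on a Delivery Controller:
#   Add-PSSnapin Citrix.Broker.Admin.V2
#   Get-BrokerCatalog | Get-CatalogDeliveryModel
```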

Discussion Question
How can end users access Desktop OS machines?

Remote PC Access

With Remote PC Access, end users are provided access to their physical workplace computers or laptops remotely using the
Citrix HDX protocol. This allows businesses to quickly benefit from a flexible work style without implementing virtual
desktops. Remote PC Access can be used as a stepping stone towards a full XenDesktop virtualization implementation. When
a company is ready, an established Remote PC Access environment can be converted to a full XenDesktop virtualization
infrastructure. Specialized physical computers such as CAD workstations, video editors, and high-security devices that need
physical FOBs for licensing and classified content are perfect candidates for Remote PC Access.

Discussion Question
What do you need to install on the endpoint to enable Remote PC Access?
What do you need to install on the office PC to enable Remote PC Access?
What do you need to configure for the Delivery Controller to enable Remote PC Access?



Streamed VHD

With the Streamed VHD model, Provisioning Services provides desktop workloads based on a master image (either shared or
private) for each hardware type. In shared mode, changes to desktops are lost upon startup.
The Streamed VHD model allows any desktop workload to be run locally on the endpoint hardware. Streamed VHD is a
great solution for high-end hardware because it allows an existing corporate investment in high-end hardware to be used as
an asset in the XenDesktop environment. Streamed VHD requires a LAN connection between the desktop and the server
running Provisioning Services. The Provisioning Services server can be physical or virtual. If you only have one Provisioning
Services server, make it a physical Provisioning Services server. If all end user hardware is similar, then you can use a
common VHD. Each VHD must be customized to match the hardware of the endpoint.

Discussion Question
The Streamed VHD model allows you to use the computing power of the endpoint while still using desktop virtualization. In
order to use this computing power, what must the desktop image contain?

Citrix Profile Management


Citrix Profile management provides an easy, reliable, and high-performance way to manage end-user personalization settings
in virtualized or physical Windows environments. Citrix Profile management allows end users to customize and retain their
virtual and physical desktops, applications, and server settings. Managed through Citrix policies or GPOs, Profile management
can provide a central point of configuration and control to give a consistent experience regardless of which machine hosts the
end-user session.



Policies
Citrix policies are the most efficient method of controlling connection, security, and bandwidth settings. You can create
policies for specific groups of end users, devices, or connection types. Each policy can contain multiple settings and different
settings from policies can be merged. Any conflicts between settings are resolved using a system of priorities.

Personal vDisk
With the personal vDisk feature, you can manage pooled and streamed desktops from a single image while offering end users
the flexibility to install applications and change personal settings. This feature is available on XenDesktop only.
Unlike traditional Virtual Desktop Infrastructure (VDI) deployments involving pooled desktops, where end users lose their
customizations and personal applications when the administrator alters the base virtual machine, deployments using personal
vDisks retain those changes. This means administrators can easily and centrally manage their base virtual machines while
providing end users with a customized and personalized desktop experience.
Personal vDisks provide this separation by redirecting all changes made on the end user's virtual machine to a separate disk -
the personal vDisk - attached to the end user's virtual machine. The content of the personal vDisk is blended at runtime with
the content from the base virtual machine to provide a unified experience. In this way, end users can still access applications
provisioned by their administrator in the base virtual machine.
Personal vDisks have two parts, which use different drive letters and are by default equally sized. The first part comprises
C:\Users, which contains the end user's data, documents, and profile. By default this uses drive P: but you can choose a
different drive letter when you use Studio to create a catalog with personal vDisks. The second part is comprised of a Virtual
Hard Disk (.vhd) file, which contains all other user items, for example applications that are installed in C:\Program Files.

Management Layer
The management layer contains all of the consoles and utilities used to configure and manage the XenApp and XenDesktop
components.
• Studio
• Director
• StoreFront Console
• Provisioning Services Console
• Hypervisor console
• License Administration Console
• Optional third-party consoles



Citrix Studio
Citrix Studio is the management console that enables you to configure and manage your deployment, eliminating the need for
separate management consoles for managing delivery of applications and desktops. Studio provides various wizards to guide
you through the process of setting up your environment, creating your workloads to host applications and desktops, and
assigning applications and desktops to end users.
Supported operating systems for Studio include:
• Windows 8.1 Professional and Enterprise Editions.
• Windows 8 Professional and Enterprise Editions.
• Windows 7 Professional, Enterprise, and Ultimate Editions.
• Windows Server 2012 R2, Standard and Datacenter Editions.
• Windows Server 2012, Standard and Datacenter Editions.
• Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions.
Requirements for Studio include:
• 75 MB of disk space.
• Microsoft .NET Framework 3.5 SP1 (required on Windows Server 2008 R2 only).
• Microsoft Management Console 3.0.
• Windows PowerShell 2.0 or 3.0.

Citrix Director
Citrix Director is a web-based tool that enables IT support and Help Desk teams to monitor a XenApp and XenDesktop
environment, troubleshoot issues before they become system critical, and perform support tasks for end users.
Supported operating systems for Director include:
• Windows Server 2012 R2, Standard and Datacenter Editions.
• Windows Server 2012, Standard and Datacenter Editions.
• Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions.
Requirements for Director include:
• 50 MB of disk space.
• Microsoft .NET Framework 4.0.
• Microsoft Internet Information Services (IIS) 7.0 and ASP.NET 2.0. If these are not already installed, you are prompted
for the Windows Server installation media, then they are installed for you.
Supported browsers for viewing Director include:
• Internet Explorer 9 and 10

Compatibility mode in Internet Explorer 10 is not supported.

• Firefox
• Chrome

Discussion Question
The Delivery Controller, Studio, and Director can be installed on which operating systems?
Which tools does your organization use (or plan to use) for monitoring your XenApp and XenDesktop environment?

Hardware Layer
The Hardware Layer is responsible for the physical devices required to support the entire solution, including servers and
storage devices. A key component of the Hardware Layer is the hypervisor.



Hypervisor
A hypervisor is a thin layer of software that allows you to share physical resources of a device amongst multiple virtual
machines. XenApp and XenDesktop support several hypervisors, including:
• Citrix XenServer using Citrix XenCenter
• Microsoft Hyper-V using Microsoft System Center Virtual Machine Manager (SCVMM)
• VMware ESX using VMware vCenter
After the authentication process is completed, the Delivery Controller contacts the Microsoft SQL database to discover the
machines and applications available to the user.
The available machines and applications can be hosted on either physical or virtual machines. If the machines are virtual, then
they reside within the hypervisor. Every machine -- physical or virtual -- must have the Virtual Delivery Agent installed.

Discussion Question
What are the benefits of hosting virtual machines within a hypervisor as opposed to physical machines? What hypervisor does
your organization use?

XenApp and XenDesktop Sites


In XenApp and XenDesktop, the Delivery Site is the highest level item in the configuration. The Delivery Site is comprised of
the Controller and other core management components, the virtual delivery agents, host connections (if used), plus the
machine catalogs and any Delivery Catalogs you create and manage. Sites make applications and desktops available to groups
of users. A Site does not necessarily correspond to geographical location, although it can. The Site is defined in a SQL
database that needs to be available at all times to each Delivery Controller within the deployment.

Ports
The following is a summary of the ports used by the components we have discussed throughout this module.



For more information about the ports used in a XenApp and XenDesktop environment, see Citrix article
CTX101810 at http://support.citrix.com.

Infrastructure Components
A XenApp and XenDesktop implementation is only as good as the configuration of the infrastructure components on which
it is built. It is important that anyone tasked with deploying XenApp and XenDesktop in an environment understand the
purpose of each component in that infrastructure as it relates to XenApp and XenDesktop, and understand how the
configuration of the infrastructure components affects the XenApp and XenDesktop implementation.

During this course, you will build an environment, similar to that shown in the following graphic, to produce a
pilot implementation of XenApp and XenDesktop for the Children's Charitable Hospital (Training). The pilot
implementation will configure hosted applications, Server OS machines, and Desktop OS machines for the
Accounting, Human Resources, and IT departments at the hospital. To accomplish this, you must set up not only
the Citrix components and resources, but configure the infrastructure that will support the deployment.

The following infrastructure components play a key role in the XenApp or XenDesktop solution:



Component: Explanation

Domain Controller: The domain controller is a Windows server on which the Active Directory Domain Services role is
installed. Its role in a XenApp and XenDesktop solution is to maintain information about the objects (OUs, servers,
groups, policies, and end users) in the domain and authorize and authenticate access to the domain. To ensure that the
domain controller service is highly available in your XenApp or XenDesktop solution, you should configure at least two
servers to serve as domain controllers and both servers should be configured with static IP addresses.

DNS: The DNS server role can be installed on the domain controller in a domain. Its role in a XenApp and XenDesktop
solution is to resolve computer names to the IP addresses assigned to the computers. This allows communications to be
sent to the IP address of the computer when the computer name is entered. To ensure DNS is highly available in your
XenApp or XenDesktop solution, you should configure at least two servers with the DNS server role.

DHCP: The DHCP server role can be installed on a Linux or Windows server. Its role in a XenDesktop solution is to
manage the IP addresses and provide them automatically to the computers in the environment that do not have them
statically assigned. DHCP can also be used by the Provisioning Server component used by XenDesktop. To ensure that the
DHCP service is highly available in your XenApp and XenDesktop solution, you should configure at least two servers with
the DHCP server role.

Certificate Authority: The Certificate Authority role can be installed on a Windows server. Its role in a XenApp and
XenDesktop solution is to issue digital certificates that validate the identity of a computer. In a XenApp and
XenDesktop solution, an internal Certificate Authority can be used to issue digital certificates to components behind
the firewall. Components located in the DMZ and outside the domain should use digital certificates provided by an
external Certificate Authority. To ensure that the Certificate Authority is highly available, you should configure your
Certificate Authority as a cluster.

Deploying multiple Certificate Authorities instead of clustering the Certificate Authorities only provides redundant
enrollment services. It does not allow for recovery of the certificates in the event of a single node failure.

File Server: A file server is a network accessible server that provides a centralized location for storing data files.
Its role in a XenApp and XenDesktop solution is to host end-user profiles and the redirected folders for end-users' data
in the environment. To ensure that your end users' profiles, data files, and redirected folders are highly available,
you should configure at least two servers to serve in the file server role through a DFS share or optimally through a
file server cluster.

SQL Server: The SQL Server is a relational database and management system that can be installed on a Windows server.
Its role in a XenApp and XenDesktop solution is to store the Site, configuration logging, and monitoring data for the
implementation. By default, XenApp and XenDesktop create the required database on the SQL Server.

SQL Server Express cannot be configured for high availability, so you should install and configure a full SQL Server
edition for use with XenApp and XenDesktop.

To ensure that the XenApp and XenDesktop database is highly available, two SQL Servers and a witness should be
configured for mirroring, or two or more SQL Server 2012 R2 servers should be configured to use the Always On
functionality.

Storage: Storage is required to store the VMs, ISOs, vDisks, Personal vDisks, and write cache in your XenApp and
XenDesktop implementation. Types of storage include:
• Local: Storage on the hard drive of a system
• Shared: Storage that is network accessible
Both types of storage are required to implement XenApp and XenDesktop. Storage is made available to the implementation
through the hypervisor. To ensure that storage is highly available, use the best practices for the hypervisor and
storage vendors to implement and manage the storage.

Hypervisor: A hypervisor is responsible for low-level tasks such as CPU scheduling and memory isolation for VMs. The
hypervisor abstracts the hardware from the VMs. XenApp and XenDesktop can run on a Citrix XenServer, Microsoft Hyper-V
(through System Center Virtual Machine Manager), or VMware hypervisor platform. To ensure that your XenApp and
XenDesktop implementation is highly available, you should configure the selected hypervisor on more than one server and
configure your VMs to be agile.

Agile means that VMs can be moved from host to host.

(Optional) Key Management Services (KMS) License Server: The KMS License Server provides a way to automatically activate
volume license editions of Microsoft products, removing the need for end users to provide licensing information or to
connect to a Microsoft activation server. This is important in a XenApp and XenDesktop environment because desktops are
provisioned on demand. A KMS Client License is embedded in Microsoft products.

Installing individual licenses on VMs and Multiple Activation Key (MAK) is another way to activate Microsoft product
licenses. With MAK licensing, computers running Microsoft software are required to connect to a Microsoft activation
server at least once. MAK licensing is not supported by XenApp and XenDesktop 7.5 when using MCS. The KMS License Server
service can be placed on a server that provides other services in the environment.

Endpoints: An endpoint is any device that the end user touches and can support the use of the Citrix Receiver or the
Receiver for Web site to access XenApp and XenDesktop resources. This includes PCs, Macs, laptops, servers, and mobile
devices running a variety of operating systems. Endpoints can be located inside the network or be external to the
network.

Print Server: A print server is a server that accepts print jobs from networked computers for one or more printers. In
addition, it queues the print job and sends it to the correct print device in the network. This enables multiple
computers to use a printer and eliminates the need for each computer to have a printer physically attached to it. To
ensure that the print server function is highly available in your XenApp and XenDesktop solution, you should configure
at least two print servers in a cluster.

A print server may need to be restarted in order to restart the Print Spooler. Therefore, the Windows Print Services
role should not be installed on a server that must be always available.

Demilitarized Zone (DMZ) or Perimeter Network: The DMZ is an area between two firewalls: one firewall protects the
internal network and the other firewall protects the DMZ from the external network. Some XenApp and XenDesktop
components are located in the DMZ and others are located in the internal network.

StoreFront can be deployed in either the internal network or the DMZ.

To ensure the security of your internal network, you should consult with a security expert when configuring your DMZ.

This course will take you through the steps required to set up a basic infrastructure to host a XenApp and
XenDesktop implementation. To ensure the security and the performance of your implementation, follow
Microsoft guidelines, your corporate guidelines, your customized XenApp and XenDesktop Design document, and
the advice of a security professional before rolling your implementation out to a production environment.

Discussion Question
In the lab environment, you will use a single firewall that places the internal, DMZ, and external networks on different
network interfaces. This configuration is not optimal for a production environment. What are some weaknesses of this
solution and how might you improve the security?

Reinforcement Exercise: XenApp and XenDesktop Components


In this module, you learned how to:
• Identify the architecture and components of a XenApp and XenDesktop solution
• Explain the role of:
• Citrix Receiver
• Citrix NetScaler
• Citrix StoreFront
• Delivery Controller
• Machine Creation Services (MCS)



• Provisioning Services (PVS)
• Virtual Delivery Agent (VDA)
• Citrix Profile management
• Hypervisor
• Discuss the responsibilities of the different XenApp and XenDesktop components

Definition Matching
Match each of the following terms with its correct description.
Time to complete: Approximately 5 minutes
• Citrix Receiver
• Citrix NetScaler
• Hypervisor
• Personal vDisk
• Citrix StoreFront
• Delivery Controller

Term Description

Provides end users with quick, secure, self-service access to documents, applications, and desktops from any end-user
device.

Functions as an application accelerator and also provides advanced management using load balancing, content switching,
and application security.

A thin layer of software that allows you to share physical resources of a device amongst several virtual machines.

A feature in XenDesktop that allows end users to install applications and change their desktop settings, while
retaining the single image management of pooled and streamed desktops.

A self-service, Windows application store that provides a single aggregation point for all IT user services.

Communicates with the hypervisor to distribute applications and desktops, authenticates and manages end-user access,
and brokers connections between end users and their virtual desktops and applications.

• Citrix Director
• Citrix Profile management
• Machine Creation Services
• Citrix Provisioning Services
• Citrix Studio
• Virtual Delivery Agent

Term Description

A Web-based tool that enables IT support to monitor a XenApp and XenDesktop environment, troubleshoot issues, and
perform support tasks for end users.

Allows you to manage end-user personalization settings in a virtualized or physical Windows environment.

A collection of services that run on the Delivery Controller to generate clone-like machines from a single virtual
machine serving as the primary image.

Uses a vDisk image to provision virtual machines.

A management console that enables you to configure and manage your XenApp and XenDesktop implementation.

Enables virtual machines to register with a Delivery Controller.

Reinforcement Exercise: Identifying Components


Match each of the following terms with its correct description.
• Desktop OS machines
• Server OS machines
• Hosted Applications
• File Server
• SQL Server
• Demilitarized Zone
• Citrix Delivery Controller
• Citrix Director

Term Description

Supports the use of static desktops with a Personal vDisk.

Provides desktop sessions to multiple end users from a single server.

Uses the processing power of Server OS and Desktop OS machines to run.

Stores redirected folders and end-user profiles.

Stores the Site, Configuration, and Monitoring data for XenApp and XenDesktop.

Contains the NetScaler appliances.

Starts and stops desktops based on demand and administrative controls.

Provides monitoring and support capabilities for XenApp and XenDesktop.

• Citrix Studio
• Citrix Receiver
• Citrix Provisioning Services
• Machine Creation Services
• Personal vDisk
• Virtual Delivery Agent
• Hypervisor

Term Description

Provides the management interface for XenApp and XenDesktop.

Delivers virtual desktops and applications to end users.

Uses a vDisk image to provision virtual machines.

Uses a master desktop image to create virtual machines.

Stores an end-user's customizations and installed applications and is associated with a virtual machine.

Enables virtual machines to register with the Delivery Controllers.

Abstracts the hardware from the virtual machines.

Module 2: Hypervisor Considerations and Setup

Hypervisor Considerations and Setup
Overview
A hypervisor allows multiple operating systems to run as virtual machines (VMs) on a single physical host. A hypervisor is
installed on a host computer that is dedicated entirely to the task of running the hypervisor and hosting VMs. It works by
allocating the resources of the host computer to the VMs running on it. The management console used to manage the
hypervisor can be installed on any system with a supported operating system. The management console allows you to create
VMs, take VM disk snapshots, and manage VM workloads.
Using a hypervisor rather than installing XenApp and XenDesktop components directly on physical hardware limits your
exposure to hardware failure and reduces the cost of deploying the solution. This cost reduction is the result of reduced
power consumption, increased utilization of existing hardware, fewer required servers, and decreased space and cooling
requirements. In addition, management becomes streamlined and efficient because you are managing the pool as a single unit
rather than managing each system separately.
The hypervisor should be the first component configured in the environment so that most or all of the components in the
environment can be virtualized.

XenApp and XenDesktop can be used with Microsoft Hyper-V, Citrix XenServer, or VMware vSphere. Citrix
XenServer will be the virtualization platform used during this course, but any of the supported hypervisors could
have been used.

After completing this module, you will be able to:


• Install XenServer.
• Install and configure the XenCenter management console.
• Configure XenServer.
• Create a virtual machine template.
Module timing: 1.5 hours

Lab Environment Overview


The lab environment virtual machines are running Windows Server 2012R2 and Windows 8.1. As a class prerequisite,
students are expected to have experience installing and configuring these operating systems.
Many of the labs performed in this class require you to use XenCenter, the management console for XenServer, to create and
manage XenApp and XenDesktop virtual desktop machines.
This module contains 8 simulations that walk you through installation and management tasks on XenServer. Your instructor
will demonstrate and explain how to access these simulations. As you scroll within the courseware to a section that has a
simulation, it will begin with a hyperlink to the simulation.
Some labs rely on a WinServer2012R2_template that can be used to create a sysprepped Windows Server 2012R2 VM.
Before you begin, you must access the Citrix lab environment and start the following VMs:
• DomainController-1 = On
• All other machines = Off

Installing the Hypervisor


When you install a hypervisor on a bare-metal box, the hypervisor software installs a kernel. It installs a Linux kernel for
vSphere and XenServer and a Windows kernel for Hyper-V. The appropriate hypervisor tools (XenServer Tools and VMware
Tools) need to be installed on the virtual machines to allow them to communicate optimally with the hardware and the
control domain. Hyper-V has its hypervisor tools (Integration Services) built into Microsoft Windows. The following graphic
illustrates this point.



• Hardware-assist virtualization technologies are built into many central processing unit (CPU) chips
manufactured by both Intel and AMD. With hardware-assist virtualization, the guest operating system on the
virtual machine does not require modifications in order to have direct access to the server resources.
Hardware assist must be enabled through the BIOS on the host for XenServer.
• Paravirtualization allows a guest operating system, such as Windows, to communicate with the hypervisor.
This direct communication improves performance and is enabled by installing paravirtualization tools such as
XenServer Tools or VMware Tools on the virtual machines.
Regardless of the hypervisor selected to support your XenApp and XenDesktop implementation, the installation basics are the
same. First, verify that the hardware and software requirements are met by the system on which you plan to install the
hypervisor. Second, make sure that you carefully follow the instructions to properly install and configure the hypervisor.
All hypervisors are composed of the following components:
• Hardware Layer contains the physical server components, including memory, CPU, and disk drives.
• Hypervisor is a thin layer of software that runs on top of the hardware. The hypervisor provides an abstraction layer that
allows each physical server to run one or more virtual machines, effectively decoupling the operating system and its
applications from the underlying hardware.
• Control Domain manages the network I/O and storage I/O of all virtual machines. The control domain is a Linux virtual
machine for vSphere and XenServer, with higher priority to the hardware than other guest operating systems. In Hyper-
V, the control domain is embedded in the hypervisor and is provided by the base installation of the server operating
system when the Hypervisor role is added to the base operating system.
• Guest Operating System is the operating system that is installed on the virtual machines hosted by the hypervisor.
• Linux Virtual Machines are accessed through the control domain, while CPU and memory are accessed through the
hypervisor directly to the hardware.
• Windows Virtual Machines use paravirtualized drivers to access storage and network resources through the control
domain. XenServer is designed to use the hardware virtualization of Intel VT- or AMD-V-enabled CPUs.

To Install XenServer
XenServer is pre-installed in the lab environment. To experience installing XenServer to support a XenApp and
XenDesktop implementation, we have provided an Installing XenServer exercise below. Click the following link
and use the steps in this course to complete the exercise:
• Installing XenServer Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Insert the XenServer installation media in the drive of the computer and start the installation program.



During the XenServer installation, you will not be able to use a mouse to navigate.

Proceed to the next step since this has been completed within the simulation.

2. Select the Keymap layout for the installation and then press Enter.
Verify that [qwerty] us is highlighted, press the spacebar, and then press Enter twice.

3. Determine if a device driver needs to be loaded.


Press Enter on the Welcome to XenServer Setup screen to continue to install XenServer without loading additional
device drivers.

4. Read and respond to the End User License Agreement (EULA).


Press the Left arrow key to select Accept EULA and then press Enter.

If the server does not have Hardware Assist enabled in the BIOS, an error message will appear after you accept
the EULA. You can continue with the installation, but XenServer will have limited functionality until
Hardware Assist is enabled.

5. Specify the storage to use, whether the storage should be optimized for XenApp and XenDesktop, and then press Enter.

a. Verify that sda-20 GB [ATA VBOX HARDDISK] is selected.


b. Press the Down arrow key to highlight Enable thin provisioning (Optimized storage for XenApp and
XenDesktop).
c. Press the spacebar to select Enable thin provisioning (Optimized storage for XenApp and XenDesktop).
d. Press Enter twice.

Thin Provisioning optimizes the utilization of available storage for XenApp and XenDesktop end users and
enables local caching to work properly.

6. Select the installation media source and then press Enter.


Press the spacebar to select Local media as the installation source and then press Enter twice.

Select Local media if you are installing XenServer from a CD. Select HTTP, FTP, or NFS if you are installing
XenServer using PXE. When Local media is selected, the installer will check the repository.

7. Determine if Supplemental Packs will be installed and then press Enter.


Press the Right arrow key to select No and then press Enter.

This step is only displayed if you selected Local media during the previous step. If you selected HTTP, FTP, or
NFS, you must configure networking so that the installer can connect to the XenServer installation media files
on the network.

8. Determine if the integrity of the installation media should be verified before beginning the installation and then press
Enter.
Press the Up arrow key to select Skip verification and then press Enter twice.

If you select Verify installation source, the MD5 checksum of the package is calculated and checked against the
known value. Verification may take a few minutes.



9. Specify the password to set for the root account on the XenServer and then press Enter.

a. Type Password1 in the Password field and then press Enter.


b. Type Password1 in the Confirm field and then press Enter.
c. Press the Down arrow key and then press Enter.

10. Specify how networking should be configured, set up the primary management interface, and then press Enter.

You can get an IP address automatically using Automatic configuration (DHCP) or specify it yourself using
Static configuration.

a. Press the Down arrow key to highlight Static configuration and then press the spacebar.
b. Press the Down arrow key to move to the IP Address field, type 192.168.10.24, and then press Enter.
c. Type 255.255.255.0 in the Subnet mask field and then press Enter.
d. Type 192.168.10.1 in the Gateway field and then press Enter.
e. Press the Down arrow key and then press Enter.

11. Specify the host name and DNS configuration and then press Enter.

a. Type xs1 in the Hostname field and then press Enter.


b. Type 192.168.10.3 in the DNS Server 1 field and then press Enter.
c. Press the Down arrow key twice and then press Enter.

To be part of a pool, XenServer hosts must have static IP addresses or be DNS addressable. When using
DHCP, ensure that a static DHCP reservation policy is in place. If you want to manually specify the host
name, use a short host name and not the fully qualified domain name (FQDN). Typing an FQDN may cause
external authentication to fail. At least one DNS server address must be specified. Adding a second and third
DNS address will ensure that XenServer can find other machines on the network based on their names if the
first DNS server is unavailable.
12. Select the geographical area and then press Enter.
Press the Down arrow key to select America for the time zone and then press Enter twice.

13. Select the city and then press Enter.


Type L, press the Down arrow key to select Los Angeles, and then press Enter twice.

14. Specify how you would like the server to determine local time and then press Enter.
Press the Down arrow key to select Manual time entry for the system time and then press Enter twice.

NTP (Network Time Protocol) requires an NTP server on the network. If you select Using NTP, you must
provide the address of the NTP server in your network. If your network does not have an NTP server, you
should select Manual time entry.

15. Press the Left arrow key to select Install XenServer and then press Enter.
16. Set the local time and date and then press Enter.
Press the Down arrow key to select OK and then press Enter to accept the default settings for the local time and date.

17. Press Enter when the installation completes to restart the server.

The XenServer Configuration screen appears once the server restarts.

Discussion Question
What is the minimum number of physical computers required for a redundant XenServer implementation?



Installing the Hypervisor Management Console
Hyper-V, XenServer, and vSphere hypervisors are command-line based software programs. Each of these hypervisors has a
management console that can be installed on a separate system to configure the hypervisor, create and configure virtual
machines, and monitor the resources available to the hypervisor.

The management console is a GUI that allows you to see multiple settings at once. It should be used for daily maintenance
tasks and for tasks that are performed on an as-needed basis. Tasks that must be repeated on a regular basis should be
scripted to use the command-line interface instead of the management console for the hypervisor. For example, you can
create a script that takes a snapshot of a live running machine and then exports it as a backup. You can then run the script as
a scheduled task to create regular backups of a machine without shutting it down. Scripting is enabled by the XE command-line
interpreter, which is installed wherever you install the XenCenter management console. For a comprehensive list of
commands that can be used for scripting, see Appendix A in the XenServer Administrator's Guide, which is available from
http://docs.citrix.com.
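
The snapshot-and-export backup described above, as an added example that is not part of the course material. It uses the xe commands vm-snapshot, template-param-set, vm-export and vm-uninstall; the function name, the file naming scheme and running it in the XenServer host's control domain are assumptions.

```shell
#!/bin/sh
# Added example: back up a running VM by snapshot + export with the xe CLI.
# Assumed, not from the course text: the function name, the file naming
# scheme and that this runs in the XenServer host's control domain.

# backup_vm <vm-uuid> <backup-dir>
# Prints the path of the exported .xva file; non-zero status on failure.
# The body runs in a subshell ( ... ) so the umask change stays local.
backup_vm() (
    vm_uuid=$1
    dest_dir=$2
    if [ -z "$vm_uuid" ] || [ ! -d "$dest_dir" ]; then
        echo "usage: backup_vm <vm-uuid> <existing-backup-dir>" >&2
        exit 2
    fi

    stamp=$(date +%Y%m%d-%H%M%S)
    out="${dest_dir}/${vm_uuid}-${stamp}.xva"

    # An export contains the VM's complete disks, so create it owner-only.
    umask 077

    # 1. Snapshot the live VM; xe prints the UUID of the new snapshot.
    if ! snap_uuid=$(xe vm-snapshot uuid="$vm_uuid" new-name-label="backup-${stamp}") ||
       [ -z "$snap_uuid" ]; then
        echo "snapshot of $vm_uuid failed" >&2
        exit 1
    fi

    rc=0
    # 2. A snapshot is stored as a template; clear the flag so it can be
    #    exported like a VM.
    # 3. Export it. xe output is discarded so stdout carries only the path.
    if ! { xe template-param-set is-a-template=false ha-always-run=false \
               uuid="$snap_uuid" >/dev/null &&
           xe vm-export vm="$snap_uuid" filename="$out" >/dev/null; }; then
        echo "export of snapshot $snap_uuid failed" >&2
        rm -f "$out"        # do not leave a partial export behind
        rc=1
    fi

    # 4. Remove the temporary snapshot whether or not the export worked.
    if ! xe vm-uninstall uuid="$snap_uuid" force=true >/dev/null; then
        echo "could not remove snapshot $snap_uuid" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "$out"
    exit "$rc"
)

# Stand-alone use: sh backup_vm.sh <vm-uuid> <backup-dir>
if [ "$#" -eq 2 ]; then
    backup_vm "$1" "$2"
fi
```

Run from a scheduled task, the exported .xva files are complete copies of the VM, so the backup directory needs the same access control as the VM's own storage.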

To Install XenCenter
You can install XenCenter on any computer that has access to the servers running the XenServer hypervisor and has
Microsoft .NET Framework 3.5.1 installed on it. In this exercise, you will install XenCenter on a Windows 8.1 system called
MyLaptop.

XenCenter is pre-installed in the lab environment. To experience installing XenCenter to support a XenApp and
XenDesktop implementation, we have provided an Installing XenCenter exercise below. Click the following link
and use the steps in this course to complete the exercise:
• Installing XenCenter Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.
1. Insert the XenServer installation media in the drive of the computer that has Microsoft .NET 3.5.1 installed on it and
start the installation program.
Proceed to the next step.

2. Click the File Explorer (folder icon) on the taskbar.


3. Select the drive containing the XenServer installation media.
Click CD Drive (G:) XenServer-6.1.0.

4. Double-click the client_install folder.


5. Double-click the XenCenter Windows Installer file.
6. Click Next in the Welcome to Citrix XenCenter Setup Wizard screen.



7. Specify the folder where you want to install XenCenter, determine if XenCenter should be installed for all users of the
system or just the currently logged on user, and then click Next.
Click AllUsers and then click Next to accept the default installation location.

8. Click Install to begin the installation.


9. Click Finish to close the Citrix XenCenter Setup Wizard after the installation completes.

Discussion Question
Why should you secure the XenCenter management console for your hypervisor? How can you secure the management
console?

Connecting the Management Console to the Hypervisor


Before you can begin using the console, you must first configure it to communicate with the hypervisor that you will be
managing and add a license for the hypervisor. Every time you launch the console, you must reconnect the console to the
hypervisor unless you choose to save the settings. The settings can be saved with or without a password.

To Connect XenCenter to the XenServer Host


XenCenter is pre-configured in the lab environment. To experience configuring XenCenter to connect to a
XenServer, we have provided a Connecting to XenServer exercise below. Click the following link and use the steps
in this course to complete the exercise:
• Connecting to XenServer Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.
1. Log on to the Student Management Console and launch XenCenter.
Proceed to the next step.

2. Open Citrix XenCenter.

a. Click Start on the lower-left corner of the screen.


b. Click Citrix XenCenter.

3. Click Add New Server.


4. Type the host name or IP address of the XenServer host in the Server field.
Type 192.168.10.24 in the Server field and then press Enter.

5. Press Tab and then type the user name for the administrator account on the server.
Proceed to the next step to accept the default user name.

6. Press Tab and then type the password for the administrator account.
Type Password1 in the Password field and then press Enter.

7. Click Add.

The XenServer environment will appear in the console and storage is automatically configured on the local
disk of the host. If XenServer is installed on additional servers, you can add them to the XenCenter console
using these steps.

8. Close the XenCenter window.


Click the X in the upper-right corner of the XenCenter window.



Discussion Question
The management console for your hypervisor and the computer it was installed on are not available to you. What other
options are available to you to manage the hypervisor environment?

Configuring the Hypervisor


Hyper-V, XenServer, and vSphere hypervisors are highly customizable. For example, you can configure:
• The network interfaces used by the hypervisor.
• A library to host the ISO resources available to the VMs.
• The virtual disk storage used by the VMs.
• Templates for virtual machines.

Configuring the Virtual Networks


A virtual network provides flexibility to satisfy changes in security and application requirements quickly and efficiently. For
example, when someone needs a new virtual machine (VM) or application, you can add a new virtual network that can isolate
the VM from other VMs in the environment.
A virtual network consists of three pieces:
• Physical interface (PIF) is the physical network interface card for each host.
• Virtual interface (VIF) is a server-side software object that is a virtual representation of a computer network interface. A
virtual machine connects to a virtual interface to provide network connectivity to other virtual machines and the physical
network.
• Network: the control domain (DOM0) is used to bridge multiple virtual interfaces to a physical interface. Some
hypervisors refer to this as a virtual switch.
Each of these three pieces has its own universally unique identifier (UUID). The UUID allows you to refer to the specific
object you want to act upon. For example, you can take a VIF and attach or unattach it using a script that references its
UUID. When typing the UUID in XenServer, you can type the first few characters and then press the Tab key to complete it.
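
A script of the kind mentioned above, as an added example that is not part of the course material: it detaches every attached VIF of one VM by UUID (for instance to cut a VM off from the network while it is examined) and records the UUIDs so the same VIFs can be attached again. It uses the xe commands vif-list, vif-unplug and vif-plug; the function names, the state file and running it in the XenServer host's control domain are assumptions.

```shell
#!/bin/sh
# Added example: detach and re-attach a VM's virtual interfaces by UUID.
# Assumed, not from the course text: the function names, the state file and
# that this runs in the XenServer host's control domain.

# is_uuid_like <string>: accept only hex digits and hyphens before a value
# is handed to xe.
is_uuid_like() {
    case "$1" in
        ''|*[!0-9a-fA-F-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# detach_vifs <vm-uuid> <state-file>
# Unplugs every attached VIF of the VM and writes the UUIDs that were
# unplugged to the state file, one per line.
detach_vifs() (
    vm_uuid=$1
    state=$2
    if ! is_uuid_like "$vm_uuid" || [ -z "$state" ]; then
        echo "usage: detach_vifs <vm-uuid> <state-file>" >&2
        exit 2
    fi
    umask 077
    : > "$state" || exit 1

    # --minimal prints the selected field as one comma-separated line.
    if ! vifs=$(xe vif-list vm-uuid="$vm_uuid" currently-attached=true \
                    params=uuid --minimal); then
        echo "could not list VIFs of $vm_uuid" >&2
        exit 1
    fi

    rc=0
    for vif in $(printf '%s' "$vifs" | tr ',' ' '); do
        if is_uuid_like "$vif" && xe vif-unplug uuid="$vif"; then
            echo "$vif" >> "$state"
        else
            echo "could not unplug VIF $vif" >&2
            rc=1
        fi
    done
    exit "$rc"
)

# attach_vifs <state-file>
# Plugs back exactly the VIFs recorded by detach_vifs.
attach_vifs() (
    state=$1
    if [ ! -r "$state" ]; then
        echo "usage: attach_vifs <state-file>" >&2
        exit 2
    fi
    rc=0
    while IFS= read -r vif; do
        is_uuid_like "$vif" || continue
        # </dev/null keeps xe from consuming the rest of the state file.
        if ! xe vif-plug uuid="$vif" </dev/null; then
            echo "could not plug VIF $vif" >&2
            rc=1
        fi
    done < "$state"
    exit "$rc"
)

# Stand-alone use: sh vifs.sh detach <vm-uuid> <state-file>
#                  sh vifs.sh attach <state-file>
case "${1:-}" in
    detach) detach_vifs "$2" "$3" ;;
    attach) attach_vifs "$2" ;;
esac
```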

NIC bonding is another network task that can be performed at the physical layer of the network. It combines one or more
NICs connected to the same physical network.



When you bond multiple NICs, a new virtual NIC is created. This is the bond master, and the bonded NICs are known as the
NIC subordinates. The NIC bond can then be connected to a network to allow virtual machine traffic and server management
functions to take place across that bond.
There are two NIC bonding modes:
• Active-active mode provides load balancing of virtual machine traffic across the physical NICs in the bond. If one NIC
within the bond fails, all of the network traffic on the host is automatically routed over the second NIC.
• Active-passive (active-backup) mode provides hot-standby capability. Only one NIC in the bond is active; the inactive
NIC becomes active if and only if the active NIC fails.
A XenServer with its management interface on a bonded network will have limited pool functionality. For example, the
"create a pool" and "join a pool" tasks will not be permitted. To get past this issue, you can temporarily attach the
management interface to a non-bonded network. Perform the management tasks and then reconnect the management
interface to the bonded network. This restriction also applies to management interfaces attached to tagged VLANs.

To Configure an External Network


XenServer is pre-configured in the lab environment. To experience configuring virtual networks for XenServer, we
have provided an Adding a New Network exercise below. Click the following link and use the steps in this course
to complete the exercise:
• Adding a New Network Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Log on to the system hosting XenCenter.


Proceed to the next step.

2. Open Citrix XenCenter.

a. Click Start on the lower-left corner of the screen.


b. Click Citrix XenCenter.

3. Select the XenServer host in XenCenter to which you want to add a network.
Verify that xs1 is highlighted in the left column under XenCenter.

4. Click the Networking tab.

XenServer automatically manages NICs as needed based on the related network, virtual interface, server
network, and bond configuration. You can view the available NICs, configure NIC bonds, and dedicate NICs
to a specific function from the NICs tab.

5. Click Add Network.


6. Select the type of network to add and then click Next.
Verify that External Network is selected and then click Next.

7. Specify the name of the new network and then click Next.
Type Network2 in the Name field, press Enter, and then click Next.

8. Select the network interface to be used by the new network.


Select NIC 1 from the NIC field.

9. Select a number to use for the VLAN on the network.


Accept the default value of 1 in the VLAN field.

10. Select the appropriate MTU value for your network.


Accept the default value of 1500 for the MTU.



Maximum transmission unit (MTU) identifies the maximum number of bytes of data the protocol can pass in
a packet. The larger the MTU the more efficient the throughput. The default MTU size for Ethernet is 1500.

11. Select Automatically add this network to new virtual machines.


12. Click Finish and then verify that the new network on VLAN 1 appears in the list.
13. Close the XenCenter window.
Click the X in the upper-right corner of the XenCenter window.

Discussion Question
A database application has recently emerged from the pilot phase. After the rollout to the production environment, end users
began complaining about slow access to the database. What should the administrator do to address this issue?

Creating a Resource Pool


A resource pool is a group of hosts (also known as a cluster in vSphere and a cloud in Hyper-V). When combined with shared storage or
local storage, a pool or cluster enables VMs to be created or started on one host and then dynamically moved to another host
in the pool or cluster, if the original host fails. This functionality in XenServer and vSphere is called High Availability (HA).
In Hyper-V this functionality is called HA Protection.

To Create a New Resource Pool in XenServer


XenServer is pre-configured in the lab environment. To experience configuring a new pool for XenServer, we have
provided a Creating a XenServer Pool exercise below. Click the following link and use the steps in this course to
complete the exercise:
• Creating a XenServer Pool Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Log on to the system hosting XenCenter.


Proceed to the next step.

2. Open Citrix XenCenter.

a. Click Start on the lower-left corner of the screen.


b. Click Citrix XenCenter.

There are two XenServer hosts available in XenCenter. You are going to create a pool so VMs running on
these hosts can be dynamically moved from one host to the other.

3. Click New Pool in the XenCenter toolbar.


4. Type a name for the new pool.
Type Pool1 in the Name field and then press Enter.

5. Select a server in the Master field.


Verify that xs1 is selected as the Master.

6. Select one or more servers to place in the new pool from the Additional members list.

All available XenServer hosts are listed. If a host is not listed, it may be because it does not satisfy one or more
of the pool joining requirements.



Select xs2 as a member.

7. Click Create Pool to create the new pool.


8. Double-click the newly added pool to view the pool members.
Double-click Pool1.

9. Close the XenCenter window.


Click the X in the upper-right corner of the XenCenter window.

Discussion Question
What is required to implement a pool or cluster of hosts for a hypervisor environment?

Configuring an ISO Library


An ISO is a disk image of a CD or DVD. An ISO library is a type of storage repository. It is used to store CD/DVD images in
the ISO format. Storing ISOs in a library makes them administratively accessible to any VM. An ISO library can be added
anytime to create a virtual collection of installation media. CD/DVD images in the ISO library can be shared and accessed by
VMs hosted by the hypervisor. An ISO library can be created as a:
• Network File System (NFS) share, which uses the Linux/Unix NFS protocol to share files and folders on the network.
• Common Internet File System (CIFS) share, which uses the Windows CIFS protocol to share files and folders on the
network. A CIFS share is only available to Hyper-V and XenServer hypervisors.
The share must be pre-created prior to creating the storage repository and all .ISO files must be at the root of the share. ISOs
stored in subfolders will not be enumerated and therefore cannot be seen.

To Configure an ISO Library for XenServer


XenServer is pre-configured in the lab environment. To experience configuring an ISO library for XenServer, we
have provided a Creating an ISO library exercise below. Click the following link and use the steps in this course to
complete the exercise:
• Creating an ISO Library Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Log on to the system hosting XenCenter.


Proceed to the next step.

2. Open Citrix XenCenter.

a. Click Start on the lower-left corner of the screen.


b. Click Citrix XenCenter.

3. Select the XenServer host to which you want to attach the new storage repository.
Verify that xs1 is selected.

4. Click New Storage in the XenCenter toolbar to open the New Storage Repository wizard.
5. Select the type of ISO library you want to create and then click Next.
Select Windows File Sharing (CIFS) and then click Next.

6. Type a name for the new storage repository in the Name field.
Type My-ISOs in the Name field and then press Enter.



7. Type a description or allow XenCenter to automatically generate the description for the storage repository and then click
Next.
Click Next to allow XenCenter to automatically generate the description.

8. Type the location of the share in the Share Name field.


Type \\WIN-V06KOCR56GO\ISO_Library in the Share Name field and then press Enter.

9. Determine if different credentials should be used to connect to the share.

Different credentials may be necessary if the host instance does not have the necessary rights to the network
share.

a. Select Use different user name.


b. Type Administrator in the User name field and then press Enter.
c. Type Password1 in the Password field and then press Enter.

10. Click Finish to create the ISO storage repository.


11. Click the My-ISOs storage repository in the left pane of the XenCenter window.
12. Click the Storage tab to view the ISO files stored in the share addressed by the storage repository.
13. Close the XenCenter window.
Click the X in the upper-right corner of the XenCenter window.

Discussion Question
You can perform Detach, Forget, and Destroy operations on a storage repository. What does each of these operations do and
when might you use each?

Configuring Virtual Disk Storage


Virtual disk storage is used to store the virtual disks used by the VMs. You can create additional virtual disk storage if
external storage is available. In Hyper-V virtual disk storage is referred to as a store; in vSphere it is called a data store; in
XenServer it is called a storage repository. You can set virtual disk storage up during the initial installation of the hypervisor
or at any time after the installation. If you create the virtual disk storage after installation, you must shut down the VMs and
move them manually to the storage. If you are using the most current version of a hypervisor, storage motion is available (this
allows a VM to be moved from local to external storage while the VM is active) but this operation can be time consuming.

To Configure Virtual Disk Storage


XenServer is pre-configured in the lab environment. To experience configuring additional virtual disk storage for
XenServer, we have provided an Adding Virtual Storage exercise below. Click the following link and use the steps in this
course to complete the exercise:
• Adding Virtual Storage Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.
1. Log on to the system hosting XenCenter.
Proceed to the next step.

2. Open Citrix XenCenter.

a. Click Start on the lower-left corner of the screen.


b. Click Citrix XenCenter.



3. Select the XenServer host to which you want to attach the new storage repository.
Verify that xs1 is selected.

4. Click New Storage to open the New Storage Repository wizard.


5. Select the type of virtual disk storage you want to attach to your host and then click Next.
Verify that NFS VHD is selected and click Next.

• NFS VHD storage repository stores VM images as thin-provisioned VHD format files on a shared NFS
target. Existing NFS servers that support NFS V3 over TCP/IP can be used as a storage repository for
virtual disks. NFS storage repositories can be shared, allowing any VMs with their virtual disks in an NFS
VHD storage repository to be migrated between servers in the same resource pool. Because virtual disks
on NFS storage repositories are created as sparse, you must ensure that there is enough disk space on the
storage repository for all required virtual disks to grow as they are used.
• Software iSCSI storage repository uses a shared Logical Volume Manager on a SAN attached LUN over
iSCSI. iSCSI is supported using the open-iSCSI software iSCSI initiator or by using a supported iSCSI
Host Bus Adapter (HBA).
• Hardware HBA storage repository connects to Fibre Channel (FC), Fibre Channel over Ethernet (FCoE),
or shared Serial Attached SCSI (SAS) LUNs via an HBA. Prior to configuring a Hardware HBA storage
repository, you need to expose the LUN because the wizard will automatically probe for and display a list
of all available LUNs found.
• StorageLink storage repository uses an existing Network Appliance (NetApp), Dell EqualLogic storage
infrastructure, or Citrix StorageLink Gateway (CSLG) to access a range of different storage systems.
Dynamic multipathing support is available for Software iSCSI and Hardware HBA storage repositories. By
default, multipathing uses round-robin mode load balancing, so traffic will be active on both routes
during normal operation. You can enable and disable storage multipathing in XenCenter using the
Multipathing tab in the Properties of the server.
6. Type a name for the new storage repository in the Name field.
Use the default name provided.

7. Type a description or allow XenCenter to automatically generate the description for the storage repository and then click
Next.
Click Next to allow XenCenter to automatically generate the description.

8. Type the location of the share in the Share Name field or click Scan if you would like to re-attach an existing storage
repository.
Type WIN-V06KOCR56GO:/NFS_Share in the Share name field and then press Enter.

9. Determine if any advanced options should be applied to the storage repository.


Do not specify any advanced options and then proceed to the next step.

The advanced options available are based on the type of virtual disk storage selected.

10. Determine if a new storage repository will be created or an existing storage repository will be reattached and then click
Finish.
Verify that Create a new SR is selected and then click Finish.

11. Verify that the new storage repository is listed in the left pane of the XenCenter window.
Verify that NFS virtual disk storage is listed.

12. Close the XenCenter window.


Click the X in the upper-right corner of the XenCenter window.



Discussion Question
With which types of storage can you use a High Availability (HA) solution? The following is a list of different storage options
and their benefits:
• Local Disk - inexpensive
• Fibre Channel - expensive
• iSCSI Hardware - expensive
• iSCSI Software - inexpensive
• NFS-based - inexpensive, easily managed, preferred for XenServer implementations
• StorageLink - only in XenServer

Applying Updates and Hotfixes


To ensure optimal performance, stability and security, you should keep your operating systems, applications, and Citrix
components up to date. It is important to remember that all updates and hotfixes must be tested in a test environment prior
to rolling them out to a production environment. Once you decide to roll updates out to the production environment, ensure
that you apply them consistently across the components in the environment.
Updates come in many forms: service packs, hotfix rollup packs, security fixes, and general public hotfixes. Read the release
notes for the update to determine the criticality of the update and the applicability of the update to your environment to
determine whether or not to install it.
When applying an update to XenServer, you should:
• Log on as a user with full access permissions.
• Update all hosts in a pool within a short period of time. Begin with the pool master. Running a pool with mixed versions
of XenServer hosts is not supported.
• XenCenter will restart each host automatically before applying the update file, so move all VMs off of the host before
beginning the update. You can do this manually using the command line interface (CLI), or you can use the host-evacuate
command. If you are using the CLI to apply the updates, you will have to restart the hosts manually before the
update.
• Empty the CD/DVD drives of any virtual machine which will be suspended.
• Disable high availability for the resource pool. Be careful if the pool master is offline.

To Upload and Apply a XenServer Hotfix


XenServer is pre-configured in the lab environment. To experience applying a hotfix to XenServer, we have
provided an Applying an Update exercise below. Click the following link and use the steps in this course to
complete the exercise:
• Applying an Update Exercise
Follow these steps to open the Applying an Update exercise in the Student Resource Kit:

1. Log on to the system hosting XenCenter.


Proceed to the next step.

2. Open Citrix XenCenter.

a. Click Start on the lower-left corner of the screen.


b. Click Citrix XenCenter.

3. Click Tools > Check for Updates in the XenCenter menu bar.
4. Select the required update from the list and then click Download & Install to start the download process and perform
pre-checks on the servers.
Select XS61E017 and then click Download & Install.

5. Click Next to continue once all pre-checks have been resolved.



6. Determine if post-update tasks should be performed automatically or manually and then click Install update.
Verify Automatically perform post-update tasks after the update has been applied is selected and then click Install
update.

7. Click Finish when the update process is completed.


8. Click Close to close the Check for Updates window.

Updates that are applied to a XenServer host can be viewed in the General tab of the host. If you opted to
manually perform the post-update tasks, you should complete those tasks at this time.

9. Close the XenCenter window.


Click the X in the upper-right corner of the XenCenter window.

Discussion Question
What is the difference between a hotfix, a rollup/service pack, and a feature pack?

Creating Templates
A virtual machine (VM) is a software container that runs on a host and behaves as if it were a physical computer itself. VMs
consist of a guest operating system, CPU, memory (RAM), networking resources, and software applications. All of the
information about the virtual machine is stored in an image file.
A template is a virtual machine encapsulated into a base image file and makes it possible to rapidly create new VMs. In
XenServer, once a VM is converted to a template, it cannot be reverted. This limitation does not apply to Hyper-V or
vSphere.
The template creation process allows you to pre-create a library of base images from which new virtual machines can be
created very quickly without reinstalling the operating system or other applications. Templates can be created at any time.
When templates are used to create VMs, the VMs have increased consistency and reliability across the environment.
Steps required to create a template include:
1. Create a virtual machine.
2. Install the operating system.
3. Install updates and fixes.
4. Install the hypervisor tools.
5. Run Sysprep on a VM running a Windows operating system.
6. Convert to template.

Control | Function
Send Ctrl+Alt+Del | Sends the Ctrl+Alt+Del sequence to the VM to access the Windows Security screen.
Alt+Shift+U | Undock or redock (separate or join console screen).
Ctrl+Alt | Toggle full-screen mode.
Scale | Scale the VM windows to fit inside the console window.
DVD Drive | Select an ISO image to insert into the DVD drive for the selected VM.
Switch to Remote Desktop/Switch to Default Desktop | Toggle between VNC connection and RDP connection. Using RDP to connect can improve the performance of the user interface.



Discussion Question
Why do you need to Sysprep a VM before converting it into a template? And, why do you need to shut down the VM before
you convert the VM into a template?

Creating the Virtual Machine


A virtual machine (VM) is a software only representation of a computer. It is configured with one or more virtual CPUs,
virtual memory, virtual network interface cards and one or more virtual disks. After the VM is created, an operating system
and applications can be installed on the virtual machine as if it were a physical computer.
In order to gain full support of all the features running a VM on a hypervisor, a set of hypervisor tools must be installed.
Hypervisor tools provide high performance drivers that significantly improve disk and network performance for XenServer
and vSphere VMs.

Without tools installed, graceful lifecycle operations such as shutdown and reboot are unavailable from the
hypervisor consoles.

You can find out if XenServer Tools are installed on a VM by looking at the Virtualization state field on the General tab for
the VM. Valid states include:

State | Definition
Optimized (version x installed) | The most up-to-date version of XenServer Tools is installed.
XenServer tools not installed | XenServer Tools are not currently installed on the VM. You can click the status field to install the latest version from the XenServer Tools ISO.
Tools out of date (version x installed) | The VM has a version of XenServer Tools installed from an earlier XenServer release.

Although it is common for many organizations to compartmentalize XenApp and XenDesktop away from the hypervisor
team, in such cases it is equally common for the XenApp and XenDesktop administrators to be tasked with VM creation for
Citrix using the hypervisor management console.
There are several steps to creating a VM that is ready for production use. It is acceptable to use templates to assist with this
process. A hypervisor template may come in one of three forms: Standard, Complete or Custom. Standard templates are built
in to the hypervisor management console and contain pre-defined parameters to assist with the initial VM configuration.
Complete templates are typically downloaded from a third party and include the fully configured VM settings with the OS
installed and any third party applications. Custom templates are more commonly used because they were once virtual
machines.
For example, if a company needs to create multiple Windows Server 2012 R2 VMs, a common method would be to create a
custom template from a machine which has undergone sysprep. By doing this, each new machine built from the custom
template would have the operating system already installed and the machine prepared for final configuration.

Troubleshooting Hypervisor Setup Issues


The following table provides resolutions for hypervisor setup issues.

Issue: VMs can communicate with each other but not with the hypervisor.
Resolution:
• The VMs have private or cross-private networks. Attach a network to the VM that can communicate with the
hypervisor.
• The DHCP service is offline and the VMs are configured for DHCP. Turn the DHCP service on.

Issue: The management console does not connect to the host.
Resolution:
• Use ping to test the connectivity between the XenCenter computer and the XenServer host. If the ping fails,
correct the network settings.
• Ensure that:
  • The host name or IP address of the XenServer host is correctly specified.
  • The administrator credentials for the XenServer host are correctly specified.

Issue: The option to install XenServer Tools on a virtual machine is unavailable.
Resolution: XenServer Tools are already installed on the virtual machine.

Issue: You receive a fatal error message when attempting to run the Sysprep tool.
Resolution: The VM is corrupted. This error message is designed to prevent the deployment of a corrupted VM. You cannot
correct the problem within the VM; you must recreate the VM.

Troubleshooting: Managing and Monitoring Hypervisors

Issue: Memory statistics are not displayed for a virtual machine.
Resolution: Confirm that the necessary hypervisor tools are installed on the virtual machine.

Issue: XenServer - Disk space is not reclaimed after deleting a snapshot.
Resolution (XenServer 5.5 Update 1 and later):
1. Retrieve the UUID of the VM (virtual machine).
2. Run coalesce-leaf -u <UUID of virtual machine>. This command suspends the virtual machine, initiates the
reclamation process, and resumes the virtual machine.
For more information about how to reclaim disk space from deleted XenServer snapshots, see Citrix article
CTX123400 at http://support.citrix.com.

Issue: Hyper-V - Virtual machines are missing from the Hyper-V Management Console.
Resolution: Configure real-time scanning within anti-virus software to exclude:
• Default and custom virtual machine configuration directories
• Default and custom virtual hard disk drive directories
• Snapshot directories
• Vmms.exe and Vmwp.exe files



Module 3
Setting Up Infrastructure Components
Setting Up the Infrastructure Components
Overview
The infrastructure on which Citrix components will be installed plays a key role in the success of a XenApp and XenDesktop
implementation. At a minimum, the infrastructure components required are:
• Domain Controller
• Domain Name Services (DNS) server
• Dynamic Host Configuration Protocol (DHCP) server
• Certificate Authority (CA)
• File Server
• SQL Server
• Microsoft Licensing (RDS/KMS/MAK)
You may need to install and configure additional components to support your specific organizational needs.
After completing this module, you will be able to:
• Understand the role of Active Directory and DNS to support a XenApp and XenDesktop environment.
• Understand how Dynamic Host Configuration Protocol (DHCP) plays a role in a XenApp and XenDesktop environment.
• Understand the role of a Certificate Authority to secure a XenApp and XenDesktop environment.
• Understand how file servers can be leveraged in a XenApp and XenDesktop environment.
• Set up and configure SQL Server mirroring.
Module timing: 1.5 hours

Lab Environment Overview


Before you begin, to access the Citrix lab environment these machines must be in the following state:
• DomainController-1 = On
  • Roles: AD, DNS, DHCP, CA, FS
  • Notes: Active Directory domain is Training.lab. DHCP, DNS, and CA are configured. The file server is
    used to contain some lab resources such as licenses or ISOs.
• SQL Server-1 = On
  • Notes: SQL Server 2012 is installed.
• SQL Server-2 = On
  • Notes: SQL Server 2012 is installed.
• SQL Server-Witness = On
  • Notes: SQL Server 2012 is installed.
• All other machines = Off


Setting Up the Domain Controller
At least one domain controller must exist in an environment before XenApp and XenDesktop can be configured. Domain
controllers are used to store and manage settings that enforce authentication, authorization, auditing and accounting. All
infrastructure servers should be joined to a domain.
A server running Active Directory functions as a domain controller and relies on a properly configured DNS. With DNS
installed, the domain controller provides both domain name resolution services and directory services.

A domain controller should be a dedicated server. Do not install any XenApp and XenDesktop component or SQL
Server on a domain controller.

You should install and configure multiple domain controllers in a XenApp and XenDesktop environment. When multiple
domain controllers exist, they synchronize their information and provide high availability to optimize Active Directory
functionality.

Discussion Question
XenApp and XenDesktop can be used with domain controllers running which versions of Windows Server?

Configuring Active Directory Domain Services


Administrators can use Active Directory Domain Services (AD DS) to organize elements of a network such as end users,
computers, and other devices into a hierarchical containment structure. This structure includes: the Active Directory forest,
domains in the forest, and organizational units (OUs) in each domain. When you want to create a new forest, domain, or
additional domain controller in an existing domain, install AD DS on the server.
The AD DS role should be added before any XenApp and XenDesktop components are installed in the environment. As part
of the AD DS role installation, you should configure DNS. DNS is a service that translates domain names into IP addresses in
an environment.

Once the AD DS role is installed, the name of the server should not be changed. Doing so could be problematic
and could impact the performance of the domain controller for up to 24 hours.

Discussion Question
Why should you use Active Directory Domain Services with XenApp and XenDesktop?



Troubleshooting AD DS Installation Issues
The following table identifies common AD DS installation issues and resolutions.

Issue: After installing the domain controller VM, you do not see the Promote this server to domain controller link in Server
Manager.
Resolution: There may be critical alerts that need to be attended to before the link appears. Click the red flag in Server
Manager to view the alerts and get additional information.

Issue: The installation of roles and features fails.
Resolution:
• Click the red flag in the Server Manager window to view messages. Reinstall the roles and features using
Server Manager after all critical alerts have been addressed.
• Ensure that all the required source files are on the server.

Issue: You cannot add servers to the domain.
Resolution:
• The installation of the AD role has not completed.
• The administrator account being used to add the servers to the domain does not have domain administrator rights.

Creating Organizational Units

Organizational units are Active Directory containers into which you can organize end user accounts, groups, computers, and
other organizational units. An organizational unit cannot contain objects from other domains. OUs are the smallest unit to
which you can assign Group Policy settings. All required OUs have been pre-created in our lab environment.
This graphic shows the organizational units configured for use in the lab environment.
A well-designed organizational unit (OU) structure is an important part of a XenApp and XenDesktop environment.

Discussion Question
What are some benefits of using OUs?



Adding Users and Groups
A group is a collection of end user and computer accounts, contacts and other groups that can be managed as a single unit.
End user accounts and computers that belong to a particular group are referred to as group members. Once end user
accounts and groups are created in Active Directory, they can be granted or denied access to services, desktops, and
applications. When assigning permissions to resources, assign them to groups rather than individual end-user accounts. If you
assign permissions to groups, assignments are updated automatically when you add or remove end-user accounts from the
group. When permissions are assigned to groups, enumeration is more efficient than when they are assigned to individual
end-user accounts and objects.

Discussion Question
When providing end users with access to resources, why is it better to specify groups rather than individual end-user
accounts?

Configuring Policies Using Group Policy


Policies can be set and applied using the Microsoft Group Policy Management Console. Group Policy Objects (GPOs) are
created to hold policies and settings which will be applied to end users or computers. The GPOs are then linked to either the
domain, organizational unit (OU) or site.

You should use GPOs linked to the domain mainly for policies that must be applied to all end users and
computers in order to comply with corporate security policies, industry-specific best practices, or general security
best practices.

The majority of GPOs will be linked to OUs rather than directly to the domain. The policy then will apply only to the end
users or computers within that OU or any child OUs. Policies are inherited from the parent of an object. All OUs, by default,
inherit GPOs linked to the domain as the domain is the parent of all OUs.
GPOs are the most efficient and consistent method of controlling connection, security, and bandwidth settings. You can
create them for specific groups of end users, devices, or connection types. Each GPO can contain multiple settings.
Citrix HDX policies can be managed through both Group Policy Objects in Microsoft Windows or within the Citrix Studio
console in XenApp and XenDesktop. The console or tool you use depends on whether you have the appropriate permissions
to manage GPOs, where policies will be stored, and how policies will be maintained. Using Group Policy Objects is usually
preferred over creating policies in Citrix Studio when it is organizationally possible to do so.



Discussion Question
By default, how often does Active Directory refresh Group Policies for computers and end users?

Securing Service Accounts


A service account is a machine account used by a server, service, or program. Once a service account is created, it should be
secured, both to prevent service outages caused by security policies being applied to it inappropriately and to keep it from
creating a larger attack surface for your network. Your organization can set a password change policy for service accounts, but
procedures should be put in place to change passwords in a way that does not cause service outages.

The Training Service Accounts group that the following policy will be applied to has already been created in the
lab environment.

Discussion Question
John configured a GPO to "Allow log on locally" and then applied it to the Everyone group. Kelly configured a GPO to "Deny
log on locally" and then set it for the Service Accounts group. What effect will these group policies have on the Everyone and
Service Accounts groups?

Setting Up the Dynamic Host Configuration Protocol


All devices in the XenApp and XenDesktop environment require an IP address in order to communicate with other resources
in the environment. You can manually configure each device with an IP address, but the task quickly becomes unmanageable
as devices enter and leave the environment. To facilitate the distribution of IP addresses to new devices in the environment
and to reclaim IP addresses from devices no longer in the environment, you can configure the Dynamic Host Configuration
Protocol (DHCP).
DHCP automatically provides a unique IP address to each device in the network from a pool of IP addresses. Each IP address
distributed by DHCP is leased for a period of time to that device. When the lease period expires, the IP address is
automatically returned to the pool. In our lab environment, you are assigning all infrastructure components a static IP
address. DHCP will be used to provide internal endpoints and virtual desktops with IP addresses.
DHCP can be implemented as a Linux appliance or added as a role on a Windows server. With the exception of the DNS
role, domain controllers should not host other roles.

Configuring DHCP
After the DHCP service is installed, you must configure it. Configurations can include setting up one or more scopes and
scope or server options. The range of IP addresses that are available to be leased is called a scope. One scope should be set up
for each subnet in the environment.

Troubleshooting DHCP Installation Issues


The following table identifies DHCP installation issues and resolutions.

Issue: All end users are experiencing slow start times.
Resolution: Check the DNS entries for errors.

Issue: IP address conflicts appear.
Resolution: Determine if a statically assigned IP address is not properly excluded from the scope or if someone has statically
assigned an IP address that has already been assigned to another server.


Setting Up A Certificate Authority
You can use certificates from a public or private Certificate Authority (CA) to secure the communications in your XenApp
and XenDesktop deployment.
You should use a:
• Public Certificate Authority:
When communications need to be secured between the internal network and an external network, a public certificate
must be requested and purchased from a public CA such as VeriSign. An external or public certificate should be acquired
before remote access to the environment is configured. When a public certificate is used, the following occurs:
• The public CA issues the certificate.
• The certificate is installed on an externally-accessible service or Web server.
• The certificate is used by the externally-accessible service or Web server to secure its communications.
• The client makes sure the certificate is authentic by verifying it was legitimately issued by a CA it trusts.
• Private Certificate Authority:
When communications need to be secured within the internal network, a private CA can be implemented by installing
the Certificate Authority role on a server in the environment.
Installing the Active Directory Certificate Services role allows you to add the Certification Authority and the Certification
Authority Web Enrollment features that are part of your public key infrastructure (PKI) and bind the public key with the user
identity for the digital certificate.

Discussion Question
What two components are required for SSL encryption?
How does the client determine whether to trust the server certificate?
Which kind of certificate would need to be installed to allow for communication between an internal endpoint and
StoreFront?

Setting Up the File Server


A file server provides a central location on your network where you can store your end-users’ intellectual property. Shares can
be created to allow end users to share files with other end users across your network. When end users require an important
file such as a project plan, they can access the file stored on the file server from a XenApp and XenDesktop resource.
In a XenApp and XenDesktop environment, file servers are often used to store user data and profiles. File servers may also be
used to store PVS vDisks when using PVS as an image management solution.

Discussion Question
What tools can you use to centrally manage the file servers in your environment?

Configuring Folder Redirection


Active Directory allows folders, such as the Application Data or Documents folder to be saved (redirected) to a network
location. Folder redirection is not a default setting. It must be configured in a policy prior to managing the end users’ profiles.
End user files are typically stored in the end user profile. Folder redirection allows administrators to redirect the path of
specific user data to a new location. The location can be a folder on the local endpoint or on a network file share. Thus the
contents of those folders are stored in the designated location and not included within the end user profile, which reduces its
size. Depending on the version of Active Directory in use, the specific folders that can be redirected vary.

Citrix leading practice is to use folder redirection in conjunction with Citrix profile management to deliver
optimally sized user profiles and provide access to all user data.



Discussion Question
What must the administrator consider when setting up folder redirection?
What does the $ do when added to the folder redirection path?

Setting Up the Microsoft KMS License Server


A Key Management Server (KMS) is used to centralize the activation of licenses for Microsoft products in a local network.
This makes it easier to manage licenses by connecting to one license server versus connecting each computer in the network
to Microsoft. A single KMS host can support an unlimited number of KMS clients; however, Microsoft recommends
deploying a minimum of two KMS hosts for failover.

In this class, the lab machines point to a central and hidden preconfigured KMS License Server.

Setting Up SQL Server 2012


SQL Server is a relational database engine. The primary function of a SQL Server is to store and retrieve structured data as
requested. A SQL Server can manage multiple databases. XenApp and XenDesktop stores Site, configuration logging, and
monitoring data in a dedicated SQL Server database, by default. The XenApp and XenDesktop configuration logging and
monitoring information can be moved to separate databases after the initial configuration is completed.
SQL Server Express can be installed during the XenApp and XenDesktop installation for use with pilot implementations of
XenApp and XenDesktop. However, a full edition of SQL Server should be installed for use in a production environment.
Regardless of the edition selected for use, you cannot configure XenApp and XenDesktop (create a Site) until SQL Server is
installed.

Creating the Computer and Service Accounts for SQL Server 2012
You can create the computer accounts required by the Primary, Mirror, and Witness SQL Servers prior to joining them to the
domain. This removes the need to move the computers into the correct OU at a later time. In addition, during the installation
of SQL Server 2012, you will be asked to provide the name of the account that will be used to access the database engine. If
you create the service account prior to the installation, you will not need to change the account after the installation is
completed.

To Create Computer and Service Accounts for SQL Server 2012


The following steps are provided for informational purposes only and are not to be performed in the lab
environment.

1. Log on to a domain controller with domain administrator credentials to create the computer and service accounts that
will be used with SQL Server.
2. Click Tools in Server Manager and then click Active Directory Users and Computers.
3. Browse to the OU hosting the SQL Servers.
4. Right-click the OU and then select New > Computer to create a new computer account within the OU.
5. Name the computer account and then click OK.

Doing this now will prevent you from having to go back to the domain controller after joining the SQL Server
to the domain in order to move the computer account into the proper OU.

6. Browse to the OU hosting the service accounts.
7. Repeat Steps 4 through 6 to create computer accounts for the other SQL Servers.
8. Right-click the OU and then click New > Group to create a SQL security group.
9. Name the group and then click OK.
10. Right-click the newly created OU.
11. Click New > User to create a new account.
12. Type the account name and user logon name and then click Next.
13. Type the password in the Password and Confirm password fields.
14. Set the password requirements and then click Next.
15. Click Finish.

The password you set should be a strong and relatively randomized password. You should not allow accounts
with non-expiring passwords to log on locally. Windows Server 2008 R2 and 2012 R2 can be used to create
managed service accounts where the passwords are automatically changed. For further information, see
http://technet.microsoft.com/en-us/library/jj128431.aspx. In addition, Windows Server 2012 R2 added the ability
to create group managed service accounts. For more information, see
http://technet.microsoft.com/en-us/library/hh831782.aspx.

16. Right-click the newly created service account and then click Add to a group.
17. Type the group names to which this account will be a member and then click Check Names.
18. Click OK.

Adding the account to the service accounts group is what will prevent the service account from being used to
log on locally because you created a Group Policy Object that disallows log on locally to that group.
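
The account procedure above can also be scripted with the ActiveDirectory PowerShell module. The following is an added example, not part of the course material: the service account OU path, the SQL-W computer name, the SQL Servers group name, and the svc-sql account name are assumptions, while Training.lab, the SQL OU, SQL-1, SQL-2, and the Training Service Accounts group come from the lab description. Its last function audits for the condition the note warns about, namely enabled accounts with non-expiring passwords that are outside the group covered by the Deny log on locally policy.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not course material). Assumed values: $ServiceOu, the SQL-W
# computer name, the 'SQL Servers' group name and the 'svc-sql' account name.
# Taken from the lab description: Training.lab, the SQL OU path, SQL-1, SQL-2
# and the 'Training Service Accounts' group.

$SqlOu        = 'OU=SQL,OU=Training Servers,DC=Training,DC=lab'
$ServiceOu    = 'OU=Service Accounts,DC=Training,DC=lab'    # assumed OU
$DenyLogonGrp = 'Training Service Accounts'                 # targeted by the deny-logon GPO
$SqlComputers = 'SQL-1', 'SQL-2', 'SQL-W'                   # SQL-W is an assumed name
$SqlGroup     = 'SQL Servers'                               # assumed name
$SvcAccount   = 'svc-sql'                                   # assumed name

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, Base64-encoded to 32 characters.
    param([int]$ByteCount = 24)
    $bytes = New-Object byte[] $ByteCount
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($bytes) }
    finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

function New-SqlDirectoryObjects {
    # Pre-stage the computer accounts so the servers land in the SQL OU
    # (and under its GPOs) the moment they join the domain.
    foreach ($name in $SqlComputers) {
        if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
            New-ADComputer -Name $name -SamAccountName $name -Path $SqlOu
        }
    }

    # Security group for the SQL Servers.
    if (-not (Get-ADGroup -Filter "Name -eq '$SqlGroup'")) {
        New-ADGroup -Name $SqlGroup -GroupScope Global -GroupCategory Security -Path $ServiceOu
    }

    # Service account with a random password, added to the group that the
    # "Deny log on locally" policy applies to.
    if (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'") {
        Write-Warning "$SvcAccount already exists; nothing changed."
        return
    }
    $plain = New-RandomPassword
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
               -UserPrincipalName "$SvcAccount@Training.lab" -Path $ServiceOu `
               -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
               -Enabled $true
    Add-ADGroupMember -Identity $DenyLogonGrp -Members $SvcAccount

    # Emitted once so it can go straight into a password vault; SQL Server
    # setup asks for it when the Database Engine service account is set.
    [pscustomobject]@{ Account = $SvcAccount; Password = $plain }
}

function Get-UnprotectedNonExpiringAccount {
    # Enabled users whose password never expires and who are not, directly or
    # through nested groups, in the group the deny-logon policy targets.
    $protected = @(Get-ADGroupMember -Identity $DenyLogonGrp -Recursive |
                   ForEach-Object { $_.SID.Value })
    Search-ADAccount -PasswordNeverExpires -UsersOnly |
        Where-Object { $_.Enabled -and ($protected -notcontains $_.SID.Value) } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Creating the objects changes the directory, so it is left as an explicit call:
#   New-SqlDirectoryObjects
# The audit is read-only and safe to run at any time.
Get-UnprotectedNonExpiringAccount | Format-Table -AutoSize
```

Any account the audit lists can log on interactively with a password that never rotates; either add it to the service accounts group or give it an expiring password.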

Installing SQL Server 2012


You can install SQL Server 2012 using the Installation Wizard or the command line on a dedicated server. A SQL Server
should be configured to be highly available because no new users can connect to the environment if connectivity to the
database is lost. This configuration requires that multiple SQL Servers be installed in the environment. You can configure SQL
Server 2012 to use mirroring, clustering, or Always On. In our lab environment, you will configure SQL Server 2012 to use
mirroring.

To Install SQL Server 2012


The following steps are provided for informational purposes only and are not to be performed in the lab
environment.

1. Create a Windows Server 2012 R2 virtual machine using the Creating a VM steps covered previously.
2. Insert the ISO file for Microsoft SQL Server 2012 into the DVD drive.
3. Click the File Explorer (file folder) icon in the taskbar.
4. Click Computer.
5. Double-click the CD Drive containing the installation media and then click Yes in the User Account Control message.
6. Click Installation in the left column of the window and then click New SQL Server stand-alone installation or add
features to an existing installation.
7. Ensure that the Setup Support Rules run successfully and then click OK.

Verify that the bar is green with a message: Operation completed - 0 Failed.

8. Type the product key and then click Next.

The customer must purchase a product license.

9. Read and respond to the license agreement.
10. Ignore the warning in the Product Updates page and then click Next.

This message appears if you do not have Internet access.

11. Wait for the setup files to be installed, review the Setup Support Rules page, and then click Next.
12. Verify that SQL Server Feature Installation is selected and then click Next.
13. Select Database Engine Services > SQL Server Replication > Management Tools - Basic, and then click Next.
14. Click Next on the Installation Rules page.
15. Click Next on the Instance Configuration page.
16. Click Next on the Disk Space Requirements page.
17. Click the entry under Account Name for SQL Server Database Engine service and then select Browse to change the SQL
Server Database server to use the new SQL Server service account.
18. Type the name associated with the newly created service account, click Check Names, and then click OK.
19. Type the appropriate password for the SQL Server service account in the Password column for the SQL Server Database
Engine and then click Next.
20. Click Add and then type the names of the SQL Server administrators.
21. Click Check Names and then click OK.
22. Click Next in the Database Engine Configuration page.
23. Click Next in the Error Reporting page.
24. Click Next in the Installation Configuration Rules page.
25. Click Install to begin the installation.
26. Wait for the installation to finish and then click Close.

This may take several minutes.

27. Close the SQL Server Installation Center.
28. Click Eject to eject the installation media.
29. Repeat these steps to configure the Mirror and Witness SQL Servers.

Discussion Question
Does SQL Server need to be installed before you install XenApp and XenDesktop?

Configuring SQL Server and the Windows Firewall


Firewalls help prevent unauthorized access to computer resources. However, if a firewall is turned on but configured
incorrectly, attempts to connect to the SQL Server might be blocked. To allow communications with the SQL Server through
a firewall, you must configure the firewall for each server that is running SQL Server. The easiest way to do this is to apply a
GPO to the OU hosting the SQL Servers in the environment. This eliminates the need to open the inbound ports on each
SQL Server.

To Configure SQL Server and the Windows Firewall to Accept Inbound Connections

The following steps are provided for informational purposes only and do not need to be performed in the lab
environment, because the firewalls are already turned off. However, students without this experience are
encouraged to perform this exercise.

1. Start the primary SQL Server.
Right-click SQLServer-1 and then click Start.

2. Log on to the SQL Server using domain administrator credentials.
Log on to SQLServer-1 using the Training\Administrator and Password1 credentials.

3. Click the Windows Start button.
4. Type SQL Server Configuration Manager.
5. Click SQL Server Configuration Manager.
6. Click the arrow to the left of the SQL Server Network Configuration node and then click Protocols for MSSQLSERVER.
7. Verify that TCP/IP is enabled and then double-click TCP/IP.
8. Click the IP Addresses tab, note the TCP Port that is set, click Cancel, and then close the SQL Server Configuration
Manager.
9. Log on to the domain controller using domain administrator credentials.
Log on to DomainController-1 using the Training\Administrator and Password1 credentials, if not already logged
on.

10. Click Tools in the Server Manager and then click Group Policy Management.
11. Browse to the OU hosting the SQL Servers.
Double-click Forest: Training.lab > Domains > Training.lab > Training Servers > SQL.

12. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click the SQL OU and then click Create a GPO in this domain, and Link it here.

13. Type a name for the GPO and then click OK.
Type Windows Firewall - SQL Rules in the Name field and then click OK.

14. Right-click the newly created policy and then select Edit.
Right-click Windows Firewall - SQL Rules and then click Edit.

15. Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with
Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
16. Right-click Inbound Rules and then click New Rule.
17. Click Port and then click Next.
18. Specify the ports that will be used to communicate with the SQL Server and then click Next.
Verify that TCP is selected, type 1433, 5022 in the Specific local ports field, and then click Next.

Port 1433 is for regular SQL Server communications and Port 5022 is for mirroring.

19. Verify that Allow the connection is selected and then click Next.
20. Click Next in the Profile page to apply this rule to the Domain, Private, and Public firewall profiles.
21. Type SQL in the Name field and then click Finish.
22. Right-click Inbound Rules and then click New Rule to configure a rule that allows inbound Windows file sharing.

This inbound rule will be useful when you set up SQL Server Mirroring later on.

23. Click Predefined, click File and Printer Sharing in the Predefined field and then click Next.
24. Click Next on the Predefined Rules page.
25. Click Finish.
26. Close the Group Policy Management Editor and the Group Policy Management Console.
27. Log on to the first SQL Server using domain administrator credentials.
Log on to SQLServer-1 using the Training\Administrator and Password1 credentials, if not already logged on.



28. Move the mouse pointer to the bottom-right corner of the taskbar to display the Charms bar.
29. Select Search, type cmd, and then press Enter to open a command prompt window.

You can also open a command prompt window by selecting the Start icon, typing cmd or command, and then
pressing Enter.

30. Type gpupdate /force and then press Enter to force an update.
31. Type exit and then press Enter to close the command prompt window.
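
The GPO steps above can also be scripted with the GroupPolicy and NetSecurity modules. This is an added example, not part of the course material; it goes slightly beyond the steps by exposing the firewall profile and remote address as parameters so the rule can be scoped more narrowly than all three profiles, and the 10.0.0.0/24 subnet in the usage comment is a constructed value. The predefined File and Printer Sharing rule from steps 22 through 25 is not scripted here.

```powershell
#Requires -Modules GroupPolicy, NetSecurity
# Added example (not course material). The domain, OU path, GPO name, rule
# name and ports are the ones used in the steps above.

$Domain   = 'Training.lab'
$GpoName  = 'Windows Firewall - SQL Rules'
$SqlOu    = 'OU=SQL,OU=Training Servers,DC=Training,DC=lab'
$RuleName = 'SQL'
$SqlPorts = '1433', '5022'    # 1433 = SQL Server, 5022 = mirroring

function New-SqlFirewallGpo {
    param(
        # The wizard default applies the rule to all three profiles.
        [string]  $FirewallProfile = 'Domain, Private, Public',
        # 'Any' matches the wizard; pass subnets to restrict who may connect.
        [string[]]$RemoteAddress   = 'Any'
    )

    # Steps 10-13: create the GPO and link it to the SQL OU.
    $gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        New-GPO    -Name $GpoName -Domain $Domain | Out-Null
        New-GPLink -Name $GpoName -Domain $Domain -Target $SqlOu | Out-Null
    }

    # Steps 14-21: add the inbound port rule inside the GPO. Changes made in
    # a GPO session are cached locally and written back by Save-NetGPO.
    $session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
    $existing = Get-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
                                    -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort $SqlPorts `
            -Action Allow -Profile $FirewallProfile `
            -RemoteAddress $RemoteAddress | Out-Null
    }
    Save-NetGPO -GPOSession $session
}

function Test-SqlFirewallRuleApplied {
    # Run on a SQL Server after 'gpupdate /force' (step 30). Returns $true
    # only if the rule in effect came from Group Policy and covers every
    # port in $SqlPorts.
    $rule = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $RuleName `
                                -ErrorAction SilentlyContinue |
            Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' }
    if (-not $rule) { return $false }

    $effective = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    $missing   = @($SqlPorts | Where-Object { $effective -notcontains $_ })
    $missing.Count -eq 0
}

# On the domain controller, as written in the steps:
#   New-SqlFirewallGpo
# Narrower variant (constructed subnet): domain profile only, one source range:
#   New-SqlFirewallGpo -FirewallProfile 'Domain' -RemoteAddress '10.0.0.0/24'
# On each SQL Server after the policy refresh:
#   Test-SqlFirewallRuleApplied
```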

Discussion Question
Is it a good practice to disable the Windows firewall on a SQL Server?

Setting Up SQL Server Mirroring


Mirroring the SQL Server database is a solution for creating redundancy of XenApp and XenDesktop settings. By mirroring
the database, you are ensured that, if the active database server fails, the mirrored SQL Server will be available to replace it.
This automatic failover process happens in a matter of seconds, so that end users are generally unaffected.

Mirroring requires a primary SQL Server, a secondary SQL Server, and a SQL Server witness. Mirroring is an active/passive
arrangement. All activity takes place on the primary SQL Server. In the event of a primary failure, the secondary SQL Server
assumes the primary role. The witness determines when a failure occurs. Mirroring does not protect data integrity - only the
database engine is protected. If data corruption occurs, the preferred method of recovery is rollback. Therefore, it is
imperative to follow appropriate backup procedures for the SQL Server database.

Installing the SQL Server Witness


To support the mirroring of a SQL Server database, three SQL Servers are required. Two of the servers contain a copy of the
XenApp and XenDesktop database. The third server is known as the witness and does not contain the XenApp and
XenDesktop database. The sole purpose of the witness is to monitor the health of the primary and secondary SQL Servers.
The witness determines when to initiate an automatic failover. Microsoft calls this configuration mirrored with high-safety.
The primary and secondary SQL Servers rely on the witness to determine which is the primary and which is the secondary
(mirror).



A SQL Server Witness can be installed using the procedure for installing SQL Server 2012. A SQL Server Witness
is already installed in the lab environment.

Discussion Question
Does the SQL Server Witness need to use the same version and edition of SQL Server as the mirroring partners?

Configuring SQL Server Mirroring


In order for SQL Server mirroring to work, you must first make a backup of the primary database and restore it on the
secondary SQL Server. This ensures that both SQL Servers contain the same database structure. Once they are configured,
they will synchronize the database. This synchronization takes place in a transactional manner. Any change made to the
primary database is synchronized to the secondary database immediately.
To configure database mirroring:
• The principal and mirror server instances must exist and be running the same edition of SQL Server.
• A recent backup of the principal database must be available to restore to the mirror database.
• The same domain user account must exist for all server instances.

You can choose to use a database on a separate server. If you intend to use an external database created manually,
that is, one that is not created using Studio, ensure that the database administrator uses the following collation
setting when creating the database: Latin1_General_100_CI_AS_KS (where Latin1_General varies depending on
the country; for example Japanese_100_CI_AS_KS). If this collation setting is not specified during database
creation, subsequent creation of the XenApp and XenDesktop service schemas within the database will fail, and an
error similar to "<service>: schema requires a case-insensitive database" appears (where <service> is the name of
the service whose schema is being created).

To Configure SQL Server Mirroring


1. Start the primary SQL Server if it is not already running.
2. Start the secondary SQL Server if it is not already running.
3. Start the SQL Server Witness.
4. Switch to the primary SQL Server.
5. Log on to the primary SQL Server using domain administrator credentials.
Log on to the SQL Server-1 VM using the Training\Administrator and Password1 credentials, if you are not already
logged on.

6. Click the Windows Start button.
7. Type SQL Server Management Studio.
8. Right-click SQL Server Management Studio and then click Run as administrator.
9. Specify the name of the SQL Server in the Server name field and then click Connect.
Verify that SQL-1 is in the Server name field and then click Connect to connect to the local database instance. If the
connection to SQL-1 fails, verify that the SQL Server Management Studio was launched as an administrator. If the
connection continues to fail, reboot the SQL-1 server.

10. Right-click the Databases node and then click New Database.
11. Type a name for the database in the Database name field.

Ensure there are no spaces in the database name, as spaces may cause issues with Citrix Director.

Type CitrixMainSite in the Database name field.



12. Click Options in the left pane.
13. Select the Latin1_General_100_CI_AS_KS for the Collation and then click OK.

Ensure that you select the correct Collation option. Many of the options are very similar. If you accidentally
choose the wrong collation for the lab environment, the Delivery Controller Site will not be able to use the
database. You will need to go through this procedure again, because the database will be mirrored but may be
unusable.

14. Expand the Databases node.


15. Right-click the database and then click Tasks > Back Up.
Right-click CitrixMainSite and then click Tasks > Back Up.

Click View > Refresh if the database does not appear.

16. Verify that Full appears in the Backup type field and then click OK.
17. Wait for the backup process to complete and then click OK.
18. Copy the SQL backup file from the Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup
folder on the first SQL Server (Primary) to the backup SQL Server (Mirror).

If the Windows Firewall is enabled, firewall exceptions need to be added to the SQL Servers either manually or
through a GPO to grant this access. This has already been done for the lab environment. Ensure that the
SQLServer-2 VM is running before continuing with this exercise.

a. Click the File Explorer icon in the taskbar of SQLServer-1.


b. Browse to C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup.
c. Right-click the CitrixMainSite.bak file and then click Copy.
d. Click the right side of the Address field at the top of the window, replace C:\ with \\SQL-2\C$\ and then press
Enter.
e. Right-click and then click Paste.
f. Close the window.

19. Click the Connect menu in the Object Explorer of the Microsoft SQL Server Management Studio and then click
Database Engine.
20. Type the name of the backup SQL Server in the Server name field and then click Connect.
Type SQL-2 and then click Connect.

21. Right-click Databases under the backup SQL Server instance and then click Restore Database.
Right-click Databases under the SQL-2 instance and then click Restore Database.

22. Select Device and then click the ... button to the right of the Device field.
23. Click Add, browse to the backup file, and then click OK.
Click Add, click CitrixMainSite.bak, and then click OK.

24. Click OK in the Select backup devices window.


25. Verify that the check box in the Restore column is selected.
26. Click Options in the left pane, select RESTORE WITH NORECOVERY in the Recovery state field and then click OK.

Ensure that you select RESTORE WITH NORECOVERY before you click OK. Failure to do so will result in
errors later in the procedure in the lab environment.

27. Click OK in the message when the restore successfully completes.


28. Right-click the database you want to mirror on the primary SQL Server and then select Tasks > Mirror.
Right-click CitrixMainSite under the SQL-1 instance and then click Tasks > Mirror.



29. Click Configure Security.
30. Click Next on the first screen.
31. Verify that Yes is selected and then click Next on the Include Witness Server screen.
32. Verify that Witness server instance is selected and then click Next on the Choose Servers to Configure screen.
33. Click Next on the Principal Server Instance screen to accept the defaults for the primary (principal) SQL Server.

SQL-1 is the principal SQL Server.

34. Click Connect to the right of the Mirror server instance field to connect to the SQL Server that will be the mirror.

SQL-2 is the mirror SQL Server.

35. Click Connect on the Connect to Server dialog and then click Next in the Configure Database Mirroring Security wizard
to proceed.

An error will appear at the bottom of the wizard. This is normal.

36. Click the Witness server instance drop-down and then click Browse for more.

Ensure that SQLServer-Witness is running before continuing with the next step in this exercise.

37. Type the name of the SQL Server that will be the witness and then click Connect.
Type SQL-W and then click Connect in the Connect to Server window.

38. Click Next in the Configure Database Mirroring Security wizard.


39. Type the name of the SQL service account in the Principal, Witness, and Mirror fields in the Service Accounts screen and
then click Next.
Type Training\SQLAcct1 in each of the fields and then click Next.

This service account was pre-created for you in the lab environment.

40. Review the settings and then click Finish.


41. Click Close when the configuration of the endpoints is completed.
42. Click Start Mirroring in the Database Properties message and then click OK.

If you receive an error stating that SQL-1 cannot be reached on port 5022, delete the database for SQL-1 and
SQL-2 and start again with Step 10 in this procedure.

The SQL Server witness must remain running after mirroring is configured. The databases may become
inaccessible if the server is shut down.
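
The same configuration can be scripted. The following T-SQL is an added example, not part of the course material, that mirrors the wizard steps above and requires encryption on the mirroring endpoints. The server names, database name, service account and port 5022 come from the procedure; the endpoint name Mirroring, the training.lab suffix on the SQL host names, and the backup location C:\CitrixMainSite.bak on SQL-2 are assumptions.

```sql
-- Added example: T-SQL equivalent of the wizard steps. Run from SSMS with
-- Query > SQLCMD Mode enabled, as a sysadmin on all three instances.
-- From the lab: SQL-1, SQL-2, SQL-W, CitrixMainSite, Training\SQLAcct1, port 5022.
-- Assumed: endpoint name Mirroring, DNS suffix training.lab for the SQL hosts,
-- backup copied to C:\CitrixMainSite.bak on SQL-2, no mirroring endpoint exists yet.
:ON ERROR EXIT

-- Part 1: principal (steps 10-17) --------------------------------------------
:CONNECT SQL-1
CREATE DATABASE CitrixMainSite COLLATE Latin1_General_100_CI_AS_KS;
GO
ALTER DATABASE CitrixMainSite SET RECOVERY FULL;  -- mirroring requires FULL recovery
GO
-- Stop here if the collation is wrong, before an unusable database gets mirrored.
IF CONVERT(sysname, DATABASEPROPERTYEX(N'CitrixMainSite', 'Collation'))
       <> N'Latin1_General_100_CI_AS_KS'
    RAISERROR(N'CitrixMainSite collation is wrong; drop and recreate it.', 16, 1);
GO
-- A relative file name is written to the instance's default backup directory.
BACKUP DATABASE CitrixMainSite TO DISK = N'CitrixMainSite.bak' WITH INIT, CHECKSUM;
GO

-- Copy CitrixMainSite.bak to \\SQL-2\C$\ (step 18), then run Part 2 onward.

-- Part 2: mirror (steps 19-27) -----------------------------------------------
:CONNECT SQL-2
RESTORE DATABASE CitrixMainSite FROM DISK = N'C:\CitrixMainSite.bak'
    WITH NORECOVERY, CHECKSUM;   -- NORECOVERY keeps the copy ready for mirroring
GO

-- Part 3: endpoints (steps 29-41) ---------------------------------------------
-- One mirroring endpoint per instance. Only the service account is granted
-- CONNECT, and traffic between the instances must be encrypted.
:CONNECT SQL-1
CREATE ENDPOINT Mirroring STATE = STARTED AS TCP (LISTENER_PORT = 5022)
    FOR DATABASE_MIRRORING (ROLE = PARTNER, AUTHENTICATION = WINDOWS NEGOTIATE,
                            ENCRYPTION = REQUIRED ALGORITHM AES);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'Training\SQLAcct1')
    CREATE LOGIN [Training\SQLAcct1] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::Mirroring TO [Training\SQLAcct1];
GO

:CONNECT SQL-2
CREATE ENDPOINT Mirroring STATE = STARTED AS TCP (LISTENER_PORT = 5022)
    FOR DATABASE_MIRRORING (ROLE = PARTNER, AUTHENTICATION = WINDOWS NEGOTIATE,
                            ENCRYPTION = REQUIRED ALGORITHM AES);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'Training\SQLAcct1')
    CREATE LOGIN [Training\SQLAcct1] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::Mirroring TO [Training\SQLAcct1];
GO

:CONNECT SQL-W
CREATE ENDPOINT Mirroring STATE = STARTED AS TCP (LISTENER_PORT = 5022)
    FOR DATABASE_MIRRORING (ROLE = WITNESS, AUTHENTICATION = WINDOWS NEGOTIATE,
                            ENCRYPTION = REQUIRED ALGORITHM AES);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'Training\SQLAcct1')
    CREATE LOGIN [Training\SQLAcct1] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::Mirroring TO [Training\SQLAcct1];
GO

-- Part 4: start mirroring (step 42) -------------------------------------------
-- The partner is set on the mirror first, then on the principal.
:CONNECT SQL-2
ALTER DATABASE CitrixMainSite SET PARTNER = N'TCP://SQL-1.training.lab:5022';
GO

:CONNECT SQL-1
ALTER DATABASE CitrixMainSite SET PARTNER = N'TCP://SQL-2.training.lab:5022';
GO
ALTER DATABASE CitrixMainSite SET WITNESS = N'TCP://SQL-W.training.lab:5022';
GO
```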

Discussion Question
Why is SQL Server mirroring a better high-availability solution for the Site database than using the high-availability feature of
the hypervisor?



Troubleshooting SQL Server Issues
The following table identifies SQL Server issues and resolutions.

Issue: You cannot connect to the database engine.
Resolution: Verify that the SQL database is configured to accept remote connections. To correct this issue:
• Use SQL Server Management Studio, open the properties for the local server, click Connections and then verify
that TCP Port 1433 is open for SQL traffic on the firewall.
• Open Windows Firewall Advanced Security to verify or create an Inbound rule for the SQL Server ports.
• Verify that the settings contained in the DSN file are appropriate and that the DSN file is not corrupted. If the
file is corrupted, recreate the DSN file or copy the DSN file from a server that can connect to the database.

Issue: You receive an error stating that the primary SQL Server cannot be reached on port 5022.
Resolution: Delete the SQL Server mirror database and start again by right-clicking Databases under the mirror SQL
Server instance and then clicking Restore Database. Continue to follow the steps to configure the mirror database.
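
When the port 5022 error appears, the catalog views on each instance show the endpoint and session state that the error depends on. The queries below are an added example, not part of the course material; the database name CitrixMainSite and port 5022 come from the procedure above.

```sql
-- Added example: run on each of SQL-1, SQL-2 and SQL-W as a sysadmin.

-- 1. Is a mirroring endpoint present, started, on the expected port, and encrypted?
--    No rows means no mirroring endpoint was created on this instance.
SELECT e.name,
       e.state_desc,
       e.role_desc,
       t.port,
       e.connection_auth_desc,
       e.is_encryption_enabled,
       e.encryption_algorithm_desc,
       CASE WHEN e.state_desc <> 'STARTED'   THEN 'endpoint is not started'
            WHEN t.port <> 5022              THEN 'endpoint is not listening on 5022'
            WHEN e.is_encryption_enabled = 0 THEN 'endpoint traffic is not encrypted'
            ELSE 'ok'
       END AS finding
FROM sys.database_mirroring_endpoints AS e
JOIN sys.tcp_endpoints AS t
  ON t.endpoint_id = e.endpoint_id;

-- 2. Which logins hold permissions on the mirroring endpoint?
--    The service account used by the partner instances needs CONNECT here.
SELECT e.name  AS endpoint_name,
       p.name  AS grantee,
       sp.permission_name,
       sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.endpoints AS e
  ON sp.class_desc = 'ENDPOINT' AND sp.major_id = e.endpoint_id
JOIN sys.server_principals AS p
  ON p.principal_id = sp.grantee_principal_id
WHERE e.type_desc = 'DATABASE_MIRRORING';

-- 3. State of every mirroring session on this instance.
--    The witness instance returns no rows because it hosts no mirrored database.
SELECT DB_NAME(m.database_id) AS database_name,
       m.mirroring_role_desc,
       m.mirroring_state_desc,
       m.mirroring_safety_level_desc,
       m.mirroring_partner_name,
       m.mirroring_witness_name,
       m.mirroring_witness_state_desc
FROM sys.database_mirroring AS m
WHERE m.mirroring_guid IS NOT NULL;

-- 4. Collation and state of the Site database. On the mirror the state is
--    RESTORING, which is expected after RESTORE WITH NORECOVERY.
SELECT name, collation_name, state_desc
FROM sys.databases
WHERE name = N'CitrixMainSite';
```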

Installing Anti-Virus Software


You should install anti-virus software to detect and remove computer viruses from your corporate environment. Computing
resources are often subjected to malicious code that can negatively impact normal operations. Anti-virus should be installed
where appropriate and the anti-virus signatures should be updated regularly. You should select an anti-virus software
application that is appropriate for the computing resource. In addition, you should configure the anti-virus software for
appropriate inclusions and exclusions in anti-virus scans. The configuration of an anti-virus software solution is beyond the
scope of this course. Refer to a security specialist to ensure that your environment is properly protected.

Discussion Question
You installed anti-virus software on all of the infrastructure servers in your environment and now performance is slow and
the operating systems on the servers are having reliability problems. What can you do to correct the problem?

Setting up the DMZ


A Demilitarized Zone (DMZ) is a buffer between the trusted (internal) environment and the untrusted (external)
environment. Its primary purpose is to protect the production environment from outside threats. The DMZ typically consists
of two firewalls separated by a private subnet. The objects placed in the DMZ, such as NetScaler, need to be hardened and
they must not contain any corporate intellectual property.
The configuration of the DMZ is beyond the scope of this course. Refer to a security specialist to ensure that your
implementation is properly protected.

Discussion Question
Which services might be appropriate for deployment in the DMZ?



Module 4
Setting Up Citrix Components

Overview
Once the non-Citrix infrastructure components required by XenApp and XenDesktop are in place, you can begin to
implement the Citrix components.
By the end of this module, you will be able to:
• Install and configure the Citrix License Server.
• Install and configure Citrix Delivery Controller, Citrix Studio, and Citrix Director.
• Install and configure the Citrix Universal Print Server.
• Install and configure Citrix StoreFront.
• Install and configure Citrix Receiver.
Module timing: 4.5 hours

Lab Environment Overview


Before you begin this module, the VMs in the Citrix lab environment must be in the following states:
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-2 = On
• SQLServer-Witness = On
• All other VMs = Off

Architecture
XenApp and XenDesktop relies on the following Citrix components to provide server-hosted desktops and applications, and
desktop-hosted desktops and applications to end users.

• Citrix License Server stores and manages the license files for all components within the XenApp and XenDesktop
architecture with the exception of NetScaler components, which require the license files to be installed directly on them.
• Delivery Controller consists of services that communicate with the hypervisor to distribute applications and desktops,
authenticate and manage user access, and broker connections between end users and their virtual desktops and
applications.
• Studio is the management console used to set up and administer a XenApp and XenDesktop implementation.
• Director is a Web-based tool that enables IT support and Help Desk teams to monitor an environment, troubleshoot
issues before they become critical, and perform support tasks for end users.



• Universal Print Server extends universal printing support to network printers.
• StoreFront provides authentication and resource delivery services for users of Citrix Receiver. StoreFront uses a local
configuration data file to keep track of end users' application subscriptions, shortcut names, and locations so end users
have a consistent experience from all of their endpoints.
• Receiver provides end users with access to hosted applications and virtual desktops.
The Citrix components rely on the following infrastructure components that were installed during the last module:
• SQL Server stores the configuration data for the XenApp and XenDesktop Site and its resources.
• Hypervisor hosts all virtual machines in the environment as well as the resources provided to end users.
• Active Directory provides authentication, authorization, and auditing for all components within the environment.
The following components and resources will be configured in future modules:
• Provisioning Services (PVS) creates virtual disks (vDisks) from a Master Target Device. PVS uses PXE, DHCP, BDM and
the Stream Service to provide vDisks to target devices. PVS supports both virtual target devices and physical target
devices.
• Machine Creation Services (MCS) is a collection of services that work together to create virtual desktops from a master
image. MCS provides many of the same single-image management benefits as Provisioning Services, but works directly
on the storage managed by the hypervisor, without the need to use PXE or BDM to start a target device.
• Hosted applications are the applications that are installed on a Server OS machine or Desktop OS machine and made
available to users of Citrix Receiver.
• Server OS machines are virtual desktops running a Windows Server operating system.
• Desktop OS machines are virtual desktops running a Windows workstation operating system.
• NetScaler is an appliance that provides a wide range of functions including: load balancing, proxy service, and endpoint
analysis.

Discussion Question
The network onto which XenApp and XenDesktop is placed must be resilient, robust, and reliable. You can configure all
components perfectly and still have a failed implementation if the network doesn't meet the needs of the environment. What
constitutes a resilient, robust and reliable network?

Setting Up the Citrix License Server


The Citrix License Server manages the Citrix licenses for Citrix products, except for Citrix NetScaler. Each time a Citrix
product starts up, it opens a connection to the license server and checks out a startup license. The license server can be
installed on a physical server or a virtual server. A Citrix License Server can reside on a server that hosts other roles or on a
server completely dedicated to storing and managing Citrix licenses.

At this time, the Citrix License Server VPX is not supported for use with XenApp and XenDesktop. This may
change in the future. Refer to www.citrix.com for further information.

Citrix licenses are stored in a file that must be added to the license server. The license file is initially acquired from My
Account on the www.citrix.com Web site or by using Citrix Studio.
All components must be configured to communicate with the license server. This communication is configured from the
Citrix product. The default port for communication is 27000. The license server then uses the vendor daemon with a default
port of 7279 to deliver the license. The License Administration Console communicates with the Citrix License Server on port
8082. All ports can be configured from within the License Administration Console. After a license is installed for use with
XenApp and XenDesktop, all license management is done through the Web-based License Administration Console or Citrix
Studio.
The License Administration Console lets you manage and monitor your Citrix licenses. The availability of a license is
determined by the number of available licenses on the license server when a session is requested. If a license is not available,
the session is denied.



You can track license usage using the Licensing node in Citrix Studio or the EdgeSight License Server Monitoring
tool which provides license reporting and is a free download from the
www.citrix.com/downloads/licensing/components Web site. This tool works for all products regardless of the
product edition.
Citrix licensing can be configured in the License Administration Console or Citrix Studio to use a license that supports:
• Concurrent licensing: Checks a license out when an end user requests a session and checks the license back in when the
end user logs off or disconnects from the session. A concurrent license is not tied to a specific end user. License
consumption is based on:
• If a single end user is running multiple sessions on a single endpoint, a single license is consumed.
• If a single end user is running sessions on multiple endpoints, multiple licenses are consumed.
• User/Device licensing: Checks a license out for a device when an end user makes a connection and keeps the license for
90 days after the end user ends the session on the device. License consumption is based on:
• If a single end user is running multiple sessions on a single endpoint, a single license is consumed (User licensing
model).
• If a single end user is running multiple sessions on multiple endpoints, a single license is consumed (User licensing
model). A licensed end user requires a unique user ID, such as an Active Directory entry. When assigned to an end
user, the license allows the end user to connect to the desktops and applications with multiple endpoints, such as a
desktop computer, laptop, netbook, smartphone, or thin client concurrently.
• If multiple end users are running multiple sessions from a single endpoint, a single license is used (Device licensing
model). A licensed device requires a unique device ID and is authorized for use by any end user to access desktops
and hosted applications. This licensing model can be used for shared devices, such as in a classroom or hospital
because it allows an unlimited number of end users per device.

The license server determines how to minimize license consumption based on whether the licenses installed are
User/Device or Concurrent and how the environment is configured. For example, with concurrent licensing, load
balancing of the license server can affect license consumption, as can multiple product editions in the
environment. For a detailed description of how the various license models work, see the "Types" topic under
Licensing Your Product on the http://docs.citrix.com Web site.

Installing the Citrix License Server


The Citrix License Server can be installed using the software on the XenApp and XenDesktop installation media or
downloaded from www.citrix.com. The license server software should be installed before any other XenApp and XenDesktop
component. This allows you to point the Delivery Controller to the license server during the installation and initial
configuration. If the license server software is not installed prior to the installation of XenApp and XenDesktop, a trial license
can be selected and used for up to 30 days.
Citrix products store a replica of the licensing information from the license server, including the number and type of licenses.
Citrix products and the license server exchange "heartbeat" messages every five minutes to indicate to each other that they are
still up and running. If the product and the license server fail to send or receive heartbeats, the product lapses into the
licensing grace period and the product licenses itself through cached information. The Citrix products continue operations as
if they were still in communication with the license server. Citrix products update their grace period information every hour.
High availability of the license server can be accomplished with clustering. Clustering the license server allows users to
continue working during failure situations without interrupting access to critical applications. When the active node in a
cluster-enabled license server suffers from hardware failure, failover occurs automatically. Resources are available again in a
few seconds to a few minutes. If clustering will be used, you should register the name of the cluster, not the individual names
of the servers when allocating the license on the My Account site or in Citrix Studio. Another way to provide high availability
for the license server is at the hypervisor layer. For more information about clustering license servers, see the "Clustered
license servers" topic on the http://docs.citrix.com Web site.

To Install the Citrix License Server


1. Start the license server VM.
Right-click CitrixLicenseServer-1 in XenCenter, click Start, and then click the Console tab.



2. Log on to the license server with domain administrator credentials.
Log on to CitrixLicenseServer-1 using the TRAINING\Administrator and Password1 credentials.

3. Insert the XenApp and XenDesktop media in the DVD drive.


Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click AutoSelect.

6. Click Start next to XenDesktop.


7. Click Citrix License Server under Extend Deployment on the right.
8. Read and respond to the license agreement.
Select I have read, understand, and accept the terms of the license agreement and then click Next.

9. Click Next on the Core Components screen to accept the default installation location setting.
10. Select the method to use for port configuration.
Verify that Automatically is selected on the Firewall page and then click Next.

You should select Automatically, if you are using the default ports for communication with your license server.
If you are using custom ports, select Manually. Changing the licensing port after licenses are installed might
cause the "No such product or vendor exists: CITRIX" message to appear on the License Administration
Console dashboard instead of the installed licenses.
11. Click Install and wait for the installation to complete.
12. Click Finish.
13. Eject the XenApp and XenDesktop media from the DVD drive.

Troubleshooting License Server Issues


The following table provides resolutions for Citrix License Server issues.

Issue: The license server will not start or an upgrade of the license server fails.
Resolution: Run the License Server Configuration tool from
C:\Program Files\Citrix\Licensing\LS\resource\LSPostConfigTool.exe. If the License Server Configuration tool fails
for any reason, uninstall and reinstall the license server.

Issue: The installation fails when localized characters are used in the installation path.
Resolution: Accept the default installation path or use only ASCII alphabetic characters for the installation path.

Issue: The 30-day free trial license is the only license available.
Resolution: Verify that a license for the product edition has been added to the license server. Accept the trial
license and then use Studio to change the license information after installation.

Issue: A read-only administrator receives the following message in Studio after the Citrix License Server software is
uninstalled and then reinstalled: "You do not have permissions to perform this operation."
Resolution: Have a full license administrator log on and access the License node in Studio to initiate a trust with
the new license server.

Issue: Newly added licenses are not appearing in the License Administration Console.
Resolution: Do one of the following:
• Re-read the license file using the Vendor Daemon Configuration tab in the License Administration Console.
• Restart the Citrix Licensing Service on the license server.
• Restart the license server.

Allocating, Downloading, and Adding a License File


After you install the licensing components, you are ready to obtain your Citrix license files from My Account on the
www.citrix.com Web site or Citrix Studio. You can generate a license file, download it to the license server, and then import
the license file using the License Administration Console, Citrix Studio, or a web browser.
Before allocating a license, you need the following information:
• The license code. You can find this code on the XenApp and XenDesktop installation media pack, in an email you
receive from Citrix, or from the Subscription Advantage Management-Renewal-Information system (SAMRI).
• Your user ID and password for My Account on the www.citrix.com Web site. You can register for this password on the
Web site.
• The name of the server on which you installed the licensing software. The entry field for this name is case-sensitive, so
ensure that you copy the name exactly as it appears on the server. You can find the license server host name and Ethernet
address in the License Administration Console in the Administration area on the System Information tab. You can also
run the hostname command at a command prompt on the license server.
• The number of licenses you want to include in the license file. You do not have to download all of the licenses you are
entitled to at once, if you are using My Account from the www.citrix.com Web site. If you are using Citrix Studio to
allocate the licenses, you must allocate all licenses in the file at one time in this version of XenApp and XenDesktop. For
example, if your company purchases 100 licenses, you can choose to allocate and download only 50 at this time if you are
using My Account. At a later date or time, you can allocate the rest in another license file. You can have more than one
license file. This cannot be done from Citrix Studio.

To Allocate, Download, and Import a License File


A Citrix License Server is preconfigured for use in the lab environment with licenses already allocated to it. To
experience allocating, downloading and adding a license file from My Account, we have provided a Downloading,
Allocating, and Importing License Files exercise below. Click the following link and use the steps in this course to
complete the exercise:
• Downloading, Allocating, and Importing License Files Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.
1. Click My Account (Log in) in the upper-right corner of the www.citrix.com Web site page.
2. Click Create Account.

Use the mouse to move between fields in this exercise.

3. Click Create Customer Account.

If your company already has an account, you would use the existing account rather than create a new one.

4. Complete the form to create an account and then click Continue.


The form has been completed with generic information. Click Continue.



5. Create a new Login ID and password and then click Continue.
Verify that CitrixStudent is in the Login ID field, type Password1 in the New Password and Confirm Password fields,
and then click Continue.

6. Click Activate and Allocate Licenses under the Licensing heading on the page.
7. Click the Single Allocation tab.

If you currently have available licenses, they will appear within the Activate and Allocate Licenses tab.

8. Type the license code into the Enter license code field and then click Continue.
Type CTXLF-12345-67890-12345-67890 and then click Continue.

9. Click Continue on the Host Name Warning Page.

Not all licenses for Citrix products are allocated based on the host name of the license server.

10. Type the case-sensitive name of the Citrix License Server that will host the license in the Host ID field.
Type LS-1 into the Host ID field.

Make sure that students do not type CLS-1 as the host name. CLS-1 is the host name of the Citrix License
Server that the students created in the lab environment, but is not the host name used in this exercise.

11. Click the Quantity/Available field, type the license quantity, and then click Continue.
Click the Quantity/Available field, type 5, and then click Continue.

You can always come back to reallocate and re-download your licenses should they become corrupt, lost, or
you need to specify a different allocation of your licenses using the Reallocate and Redownload tabs from My
Account on the www.citrix.com Web site.

12. Verify that the information is correct and then click Confirm.
13. Click OK in the message stating that the allocation was successful.
14. Click Download.
15. Click the down arrow next to Save and then click Save as.

The name of the license file can be changed, but the contents within the file cannot be changed without
corrupting the license file.

16. Click Save in the Save As window to download the license file to the Downloads folder.
17. Click Log Out in the upper-right corner of the window.
18. Close the browser window.
19. Click the Start button on the bottom-left corner of the screen.
20. Type Citrix License and then click the Search icon.
21. Click Citrix License Administration Console.
22. Click Administration in the upper-right corner of the License Administration Console.
23. Log on as a license administrator.
Type TRAINING\Administrator in the User Name field, Password1 in the Password field, and then click Submit.

24. Click Vendor Daemon Configuration in the lower-left corner of the License Administration Console.
25. Click Import License.
26. Click Browse to the right of the License File from Your Local Machine field to browse to the recently downloaded license
file.



27. Select the recently downloaded license file and then click Open.
Select FID_15.lic in the Downloads folder and then click Open.

28. Click Import License.


29. Click OK.

In order to view the active licenses within the dashboard, you must restart the license server or reread the
license file.

30. Verify that the licenses have been allocated.


Click Dashboard and then click Citrix XenDesktop Enterprise\Concurrent.

31. View the allocated licenses and then click X in the upper-right corner of the window to close the dashboard.

Discussion Question
When downloading the license for the first time from My Account on the www.citrix.com Web site, you are asked to allocate
the licenses. What does allocate mean?

Adding License Administrators


A default administrator account is created during the installation of the License Administration Console. To delegate license
administration to other users, you need to configure accounts on the license server using the License Administration Console.
The License Administration Console can use License Administration users, local Windows users and groups, and Active
Directory users and groups. The Simple License Service used by the License Administration Console can use local Windows
users and groups as well as Active Directory users and groups.

Active Directory users and groups are part of an Active Directory/network authentication system. To support
Active Directory users and groups, the license server must be a member of a Microsoft Active Directory domain.

To Add a License Administrator


1. Start the management system VM.
Right-click StudentManagementConsole-1 in XenCenter, click Start, and then click the Console tab.

The StudentManagementConsole-1 (SMC-1) is a system specifically set up in the lab environment for you to
use to administer components in the environment. In the real-world, it is more realistic that administrators
use an endpoint to administer their environments than to log on directly to the servers in the environment.

2. Log on to the management system using domain administrator credentials.


Log on to Student Management Console-1 using the TRAINING\Administrator and Password1 credentials.

3. Double-click the Mozilla Firefox icon on the desktop.


4. Type the FQDN and port number of the License Administration Console into the Address field and then press Enter to
access the License Administration Console.
Type cls-1.training.lab:8082 in the Address field and then press Enter.

5. Click Administration in the upper-right corner of the console.


6. Log on to the License Administration Console using the credentials you used to install the Citrix License Server software.
Log on using the TRAINING\Administrator and Password1 credentials.



If you are in a domain, the account of the end user who installed the license server is automatically added as
the administrator. If you were logged on with a different account when you installed the Citrix License Server,
you must either use that account to log on to the console to create new administrators or any account that is a
member of the BUILTIN\Administrators group (including the Domain Admins Security group).

7. Click User Configuration.


8. Click New User.

You should not include a backslash for a locally managed administrator (for example, tester1\). If you do, you
will be unable to delete that account.

9. Select a role for the new Citrix License administrator.


Select Domain Administrator in the Role field.

10. Type the name of an end user or group in the User name field in the form of domain\username or domain\group and
then click Save.
Type TRAINING\Admin2 and then click Save.

11. Verify that the new account appears on the User Configuration page.
12. Click Log Out on the top right of the License Administration console.

Discussion Question
What steps are required to recover from a catastrophic failure of the license server?

Configuring Licensing Alerts


A licensing alert can be set to notify an administrator when an important event concerning Citrix licensing occurs. There are
two types of alerts: critical and important. All alerts are triggered at one minute intervals except the Vendor Daemon alert
which is triggered immediately. You can set alerts for Subscription Advantage expiration, license expiration, Vendor Daemon
has stopped, and concurrent license usage. For example, an important alert for concurrent license usage can be set to 90%,
and a critical alert can be set to 98% consumption.

Alerts and license usage are displayed on the first page of the License Administration Console. By default, to view
information on the first page of the License Administration Console, you do not need log on credentials. You can
change this behavior and require log on.

To Configure Licensing Alerts


1. Log on to the management system using domain administrator credentials.
Log on to Student Management Console-1 using the TRAINING\Administrator and Password1 credentials, if not
already logged on.

2. Double-click the Mozilla Firefox icon on the desktop.


3. Type the FQDN and port number of the License Administration Console into the Address field and then press Enter to
access the License Administration Console.
Type cls-1.training.lab:8082 in the Address field and then press Enter.

4. Click Administration in the upper-right corner of the console.

If the Log On screen does not appear, click Log Out at the top of the console and then click Administration.

5. Log on to the License Administration Console using Citrix License administrator credentials.
Log on to the License Administration Console using the TRAINING\Admin2 and Password1 credentials.

6. Click Alert Configuration on the left side of the console.


7. Select an alert to display on the Dashboard, determine the threshold you want to set to trigger the alert, and then click
Save.
Select Concurrent threshold exceeded, set the alert to 80%, and then click Save.

8. Deselect an alert to remove it from the Dashboard and then click Save.
Deselect Overdraft license issued and then click Save in the lower-right corner of the console.

9. Click Dashboard in the upper-right corner of the console to view the Dashboard.
10. Click Citrix Start-up License|Server to expand and view the license.

The alerts, if any, will be displayed in the left pane of the console.

11. Click the yellow triangle to view the Important alerts.

There should not be any alerts at this time because you do not have any Citrix products installed.

12. Click the red circle to view the Critical alerts.


13. Click the X in the upper-right corner of the License Administration Console to close the window.

You can shut down the CitrixLicenseServer-1 VM to free up lab environment resources. You will be using a
centralized license server in the classroom.

Moving from XenApp 7.6 to XenDesktop 7.6


XenApp and XenDesktop now share a unified architecture. This makes it possible to simply upload a license to move an
implementation from:
• An edition of XenApp 7.6 to another.
• An edition of XenDesktop 7.6 to another.
• An edition of XenApp 7.6 to an edition of XenDesktop 7.6.
Once the license is uploaded and the edition is selected, all of the features available in the edition become available to the
administrator.

Setting Up the Delivery Controller


The Delivery Controller (Controller) is responsible for managing end user access, load balancing connections, and optimizing
connections. The Delivery Controller relies on Machine Creation Services (MCS) to create multiple VMs from a single virtual
image.

XenApp supports Server OS-based applications and desktops. XenDesktop supports Server OS-based applications
and desktops and Desktop OS-based applications and desktops along with other FlexCast models. The installation
media for XenDesktop contains options for installing XenApp 7.6 or XenDesktop 7.6. The installations are the
same with the exception of branding. The licenses you upload determine the features and functions available to
you. For example, if you choose to install XenApp 7.6 and then upload XenDesktop licenses, your installation will
be XenDesktop.
The Controller:
1. Receives authentication requests from end users and queries Active Directory.
2. Interacts with the database to retrieve the list of resources for the end user.

3. Communicates with StoreFront to make the resources available for selection.
4. Receives requests from the end user to access a resource.
5. Load balances the request for a resource.
6. Prepares the resource to be delivered to the end user via the hypervisor.
7. Sends load balancing information to StoreFront, where a connection file is created.
8. Prepares the VM for connection.
9. Retrieves the client license and issues it to the started resource.
10. Monitors the connection state throughout the duration of the session.
The Controller provides the following services:
• Communicates with the hypervisor to distribute hosted applications and virtual desktops.
• Manages connection options using Delivery Groups.
• Manages virtual desktops, hosted applications, and Remote PC Access through machine catalogs.
• Manages the power state of VMs.
To provide high availability so that end users can continue to access and use their resources in the event of a Controller
failure, you should configure more than one Controller per site.

To add a Controller, you need the securityadmin or db_owner database server role permission for the XenApp
and XenDesktop database.

Installing the First Controller


During the installation of the first Controller, you can point to a database server or install a SQL Server Express instance.
After the Controller is installed, it must be configured using Studio. You will install Studio on this VM later in this module.

The license server should be installed before the Controller is installed. This will simplify the registration of the
Controller with the license server.

To Install the First Controller


1. Right-click the Controller VM, click Start, and then click the Console tab.
Right-click Controller-1, click Start, and then click the Console tab.

2. Log on to the Controller using domain administrator credentials.


Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click AutoSelect.

6. Click Start next to XenDesktop.


7. Click Delivery Controller.
8. Read and respond to the licensing agreement.
Select I have read, understand, and accept the terms of the license agreement and then click Next.

9. Specify the components to install and then click Next.
Deselect License Server and StoreFront and then click Next.

If you are deploying a Proof of Concept or small implementation that will not grow, you can install the
Controller, Studio, and Director on the same server.

10. Specify whether or not to install Microsoft SQL Server 2012 Express or Remote Assistance and then click Next.
Deselect Install Microsoft SQL Server 2012 SP1 Express, verify that Install Windows Remote Assistance is selected,
and then click Next.

Microsoft SQL Server 2012 Express does not need to be installed on the server because we will be using a
mirrored instance of SQL Server 2012. If a SQL Server installation was not available in the environment, SQL
Server Express could be selected and installed automatically from the installation media. Windows Remote
Assistance is selected for installation because you are installing Director on this server. Director can be used by
Help Desk personnel to assist end users, so Windows Remote Assistance is needed.

11. Select the port configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.

If the Controller will use the default ports for communications, select Automatically. If the Controller will use
alternate port assignments, select Manually to configure the ports after the installation.

12. Review the installation summary and then click Install.

Based on the components that are selected for installation in the lab environment and the number of VMs
running, you can expect the installation to take approximately 15 minutes.

13. Wait for the installation to complete, deselect Launch Studio, and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window and then click Internet Information Services (IIS) Manager to
begin the process of requesting and installing a certificate on the first Delivery Controller.
16. Click the name of the Delivery Controller in the left pane.
Click C-1 in the left pane.

17. Respond to the Internet Information Services (IIS) Manager message.


Click No.

18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the Actions pane on the right.
20. Specify the appropriate distinguished name properties and then click Next.

a. Use the following information:


• Common name: c-1.training.lab
• Organization: Training
• Organizational Unit: IT
• City/locality: Ft Lauderdale
• State/province: Florida
• Country/region: US
b. Click Next.

The Common name must match the FQDN that will be used to access the Site.

21. Click Select, select the Certificate Authority, and then click OK.
Click Select, select training-AD-CA, and then click OK.

22. Type a friendly name for the certificate and then click Finish.
Type c-1.training.lab and then click Finish.

23. Double-click Sites > Default Web Site in the left pane.
24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
26. Select the newly created certificate from the SSL certificate field, click OK, and then click Close.
Select c-1.training.lab in the SSL certificate field, click OK, and then click Close.

27. Close the Internet Information Services (IIS) Manager.

Discussion Question
How are Virtual Delivery Agents (VDAs) notified of available Controllers?

Configuring a Site
A Site is the management scope for a XenApp and XenDesktop environment and encompasses all of the components needed
for the deployment of XenApp and XenDesktop. All management is done at the Site level. All administrators are configured
at the Site level. A Site must be named during the configuration phase of the first Controller. Components contained in a Site
must be able to communicate with each other and are managed by the Controller.
Studio is the GUI interface used to manage the Site. During the configuration of the Site, you configure communications
between the Controller, Citrix License Server, database, and the hosting environment. Studio can be installed on the
Controller, on an administrator's desktop, on a Server OS machine, or made available as a hosted application.

To Configure a Site
1. Log on to the VM hosting Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.

2. Open Studio.
Click Start, type Studio and then click Citrix Studio.

Studio will open automatically at the end of the Controller installation by default, if Studio was selected for
installation.

3. Click Deliver applications and desktops to your users.


4. Verify that A fully configured, production-ready Site (recommended for new users) is selected.
5. Type a Site name and then click Next.
Type MainSite in the Name your Site field and then click Next.

Semantically, the Site name should make sense in the context of the overall architecture or be relevant to the
groups or Controller residing on the Site.

6. Type the database server location and the name of the database in the appropriate fields.
Type sql-1.training.lab in the Database server location field and verify that CitrixMainSite appears in the Database
name field.

7. Click Test connection.

An information message will appear at this point because you created the database during the SQL mirroring
exercise and the database is empty. This is the expected behavior and is okay.

8. Click OK in the message.


9. Click Close and then click Next.
10. Type the License Server IP address, host name, or FQDN and then click Connect.
Type Licenses.citrixvirtualclassroom.com in the License server address field and then click Connect.

You are not using the CitrixLicenseServer-1 VM during this class to provide licenses for XenApp and
XenDesktop. Instead, you are connecting to an external license server to provide the licenses.

11. Select Connect me and then click Confirm.


12. Select the proper license and then click Next.
Select Citrix XenDesktop Platinum: User/Device and then click Next.

13. Select the Connection type (hypervisor).


Select Citrix XenServer.

14. Type the Connection address.


Type the IP address of the XenServer management interface in the http://xxx.xxx.xxx.xxx format. To locate this IP
address, navigate to the host in XenCenter and then click the Networking tab. Locate the IP of the Management
interface in the IP Address Configuration table.

It is recommended that HTTPS connections be used to communicate with XenServer. HTTPS prevents the
XenServer password from being transmitted over the network in plain text. Certain tools are able to read plain
text user names and passwords in HTTP (unencrypted) network packets, which creates a security risk for
users. A certificate is not installed on the XenServer host in the lab environment.
15. Type the user name and password for the host connection.
Type the user name and password provided by the instructions at the beginning of the lab.

16. Specify a name for the connection.


Type XenServer in the Connection name field.

17. Determine which provisioning tool will be used to create VMs for XenApp and XenDesktop and then click Next.
Verify that Studio tools (Machine Creation Services) is selected and then click Next.

18. Type a name for the virtualization settings in the Enter a name for the Resources field, select the desired networks for the
VMs to use, and then click Next.
Type XenApp and XenDesktop Network in the Enter a name for the Resources settings field, select Internal, verify
that all other networks are deselected, and then click Next.

19. Select the storage device and type of storage to use.


Select Local from the storage devices drop down list. Verify that Local Storage is selected.

When Shared and NFS virtual disk storage are selected, you can specify whether or not IntelliCache will be
used to reduce the load on the shared storage device. This option is not valid for Local storage. To learn more
about IntelliCache, see http://support.citrix.com/article/CTX129052.

20. Determine where Personal vDisks will be stored and then click Next.
Verify that Use same storage for virtual machines and Personal vDisk is selected and then click Next.

21. Determine if App-V publishing will be used, specify the appropriate information, and then click Next.
Verify that No is selected on the App-V Publishing page and then click Next.

22. Click Finish.

You can expect the Site configuration to take approximately 10 minutes because the primary and mirror
database schemas are being created for the new Site.

23. Verify that a green check mark appears next to Step 1 and then click the Test site configuration button.
24. Click Show report to review the test results.
25. Close the Site Configuration Testing Report and then click Close.

Some warnings may appear. The warnings will not affect the lab environment, but should be addressed in a
real-world implementation. In our database, Read Committed Snapshot is disabled. This means that the
database engine will not modify information in the database while a transaction is reading that information.
When Read Committed Snapshot is enabled, versioning is used to allow reading and writing of the
information at the same time.

Editing Connection and Resource Settings


Resource settings are the connection information used by your XenApp or XenDesktop Delivery site to communicate with the
underlying hypervisor technology.
You can improve the performance of a XenApp or XenDesktop site by further optimizing the Delivery site connection to the
host for XenServer, vSphere, and Hyper-V. After you specify the host connection in Citrix Studio, you can use the properties
to modify the connection settings.
The connection settings allow you to specify the maximum number of simultaneous actions, simultaneous Personal Storage
inventory updates, and the number of actions per minute that can occur on a host connection.

For more information about connection settings and connection throttling, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-connections.html.

To Edit Connection and Resource Settings


1. Log on to the VM hosting Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.

2. Open Studio.
Click Start, type Studio and then click Citrix Studio.

3. Edit the Hosting connection settings.

a. Click Hosting.
b. Verify XenServer is selected.
c. Click Edit Connection in the Actions pane.
4. View the options to improve the performance of the XenApp and XenDesktop Delivery site by enhancing the connection
throttling settings.
Click the Advanced tab.

5. Click Cancel.

Citrix recommends that you only adjust these advanced connection properties under the guidance of a Citrix
Support representative.

Connecting to Resources
Site outages and interruptions in communications between the Delivery Controller and the site database can result in resource
availability issues for users. Connection leasing enables Delivery Controllers to continue to broker users to sessions in the
event the site cannot communicate with the site database. This connection brokering relies on a cache on each Delivery
Controller. User sessions brokered for the last two weeks are cached on the Delivery Controller.
Connection leasing is not a database redundancy solution. Citrix recommends that XenApp and XenDesktop implementations
use SQL mirroring or clustering to protect and provide failover for the site database. Connection leasing is a XenApp and
XenDesktop feature that supplements a SQL Server high availability solution.

In most large deployments, connection leasing will likely never be used because the SQL clustering options will
prevent the loss of connection to the site database.

Example: An end user has accessed Microsoft Word within the last two weeks, but has not accessed Microsoft PowerPoint.
During the site outage, the connection leasing feature allows the Delivery Controllers to broker that user’s request to
Microsoft Word, but not to Microsoft PowerPoint, because Microsoft PowerPoint is not in the cache. Connection leasing is
enabled by default and is limited to user sessions accessing server-hosted applications, server desktops and static (assigned)
desktops; it is not supported for random (pooled) desktops. Connection leasing can be turned on or off using the PowerShell
SDK or the Windows registry.
When the Delivery Controller enters into lease connection mode during a database connection failure:
• Studio, Director and the PowerShell console cannot be used.
• Workspace control is not available, so users will not be automatically reconnected to disconnected sessions.
• If new sessions are created just before the database becomes unavailable, users may not be able to access the resources in
those sessions if the Delivery Controllers did not have a chance to sync with the database.
• Users roaming from an external to internal HDX connection may not be able to reconnect to a session established from a
different network.
• Power managed, powered off static (assigned) desktops remain unavailable until the database connection is restored.
• New sessions will not prelaunch and session lingering timeouts are not used.
• Server-based connections are routed to the most recently used VDA, and all server-based load balancing is ignored.
• Only VDAs at version 7.6 or later are supported.

For more information about connection leasing, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-connection-leasing.html.

Discussion Question
When might you consider adding an additional Controller to the environment?

Troubleshooting Studio
The following table identifies resolutions for issues related to Studio.

Issue: There is a delay when starting Studio.
Resolution: Verify that there is an Internet connection prior to starting Studio. If no connection is available, you
must disable the Authenticode signature checking feature as described in http://support.citrix.com/article/CTX120115.

Issue: Studio sometimes shows completed tasks as "In progress."
Resolution: This issue is cosmetic and can be ignored if you are certain that the task has been completed. You should
not restart Studio if a long-running task is genuinely active because it will cause the task to remain in an
incomplete state.

Adding Delegated Administrators
The default administrator is the account that was used to install the Controller and configure the Site. To avoid configuration
frustration, you should always use a domain account, rather than a local account to install the Controller and configure the
Site. This ensures that the same account can be used with each component in the XenApp and XenDesktop environment,
such as the license server, Provisioning Services, hosting environment, and SQL Server database.
You cannot create an administrator account using Studio. Instead you use Studio to assign administrative privileges to users
and groups created in Active Directory. You should only assign administrative privileges to those users and groups that
require them and you should avoid compromising Site security by providing excessive privileges. This will help to improve
security and reduce incorrect configurations within the environment.
This assignment of administrative privileges provides a delegated administration model to offer the flexibility that matches
how your organization wants to delegate administration activities, using role- and object-based control. Delegated
administration accommodates deployments of all sizes and allows you to configure more permission detail as your
deployment grows in complexity. Delegated administration uses three concepts: administrators, roles and scopes.
You should keep the number of simultaneous administrators using Studio to a minimum to avoid overwriting each other's
configuration changes. The "last write wins" concept applies to changes to the database.
You can remove administrative privileges for one administrator, but that administrator account may also be a member of a
group that was assigned those privileges. As a result, the account still has those privileges.

Administrators
An administrator represents an individual person or a group of people identified by their Active Directory account. Each
administrator is associated with one or more role and scope pairs, which allows organizations to delegate responsibility based
on the administrator's role and function.

Roles

Roles represent a job function with defined permissions. XenApp and XenDesktop have the following built-in roles:

• Full Administrator: Can perform all tasks and operations. A Full Administrator is always combined with the All scope.
• Machine Catalog Administrator: Can create and manage machine catalogs and provision the machines into them. This
role can manage base images and install software, but cannot assign applications or desktops to end users.
• Delivery Group Administrator: Can deliver applications, desktops, and machines; can also manage the associated
sessions and application and desktop configurations such as policies and power management settings.
• Host Administrator: Can manage host connections and their associated resource settings. This role cannot deliver
machines, applications, or desktops to end users.
• Help Desk Administrator: Can view Delivery Groups and manage their sessions and machines. Can see the machine
catalog and host information for the Delivery Groups being monitored, and can also perform session management and
machine power management operations for the machines in those Delivery Groups.
• Read-only Administrator: Can read all objects in specified scopes as well as global information, but cannot change
anything.

Scopes
Scopes represent a collection of objects. Scopes are used to group objects in a way that is relevant to your organization.
Objects can be in more than one scope; you can think of objects being labeled with one or more scopes. There is one built-in
scope: 'All,' which always contains all objects. The Full Administrator role is always paired with the All scope.

To Add a Delegated Administrator


1. Log on to the VM hosting Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.

2. Open Studio.
Click Start, type Studio and then click Citrix Studio.

3. Expand Configuration in the left pane and then click Administrators. If the Delegated Administration welcome screen
appears, click Close to continue.
4. Click Create Administrator in the right pane.
5. Click Browse and then type the name of the user or group to be added in the Enter the object name to select field.
Click Browse and then type HelpDesk into the Enter the object name to select field.

Only one user or group can be added at a time.

6. Click Check Names and then click OK.


7. Select a scope and then click Next.
Select All for the scope and then click Next.

If you create a new scope, refresh the console so new administrators can create a new connection or resource
without encountering an error. If the console is not refreshed, the new connection/hosting scope will not be
available to new administrators.

8. Select the role and then click Next.


Select Help Desk Administrator and then click Next.

9. Verify that Enable Administrator is selected and then click Finish.
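
The following added example (not part of the course material) audits effective delegated administration rights, including the case noted above where an account keeps its privileges through a group after its own entry is removed. It assumes the Citrix Delegated Administration snap-in (Citrix.DelegatedAdmin.Admin.V1) and the RSAT ActiveDirectory module are available; the function names are hypothetical.

```powershell
# Added example, not the course's own code. Run on a machine with Studio installed.
# Assumptions: single domain, and the caller can read the Site's administrator list.
Add-PSSnapin Citrix.DelegatedAdmin.Admin.V1 -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

function Get-EffectiveSiteRight {
    # Expands every enabled administrator entry (user or group) into one row
    # per principal, role and scope, recording which entry granted it.
    param([string]$AdminAddress = 'localhost')

    foreach ($entry in Get-AdminAdministrator -AdminAddress $AdminAddress) {
        if (-not $entry.Enabled) { continue }      # disabled entries grant nothing

        $adObject = Get-ADObject -Filter "objectSid -eq '$($entry.Sid)'" `
                                 -Properties sAMAccountName, objectSid
        if (-not $adObject) {
            Write-Warning "No AD object found for '$($entry.Name)' ($($entry.Sid))"
            continue
        }

        if ($adObject.ObjectClass -eq 'group') {
            # -Recursive returns the leaf members of nested groups as well.
            $principals = Get-ADGroupMember -Identity $entry.Sid -Recursive |
                ForEach-Object {
                    [pscustomobject]@{ Name = $_.SamAccountName; Sid = $_.SID.Value }
                }
            $direct = $false
        }
        else {
            $principals = [pscustomobject]@{
                Name = $adObject.sAMAccountName
                Sid  = $adObject.objectSid.Value
            }
            $direct = $true
        }

        foreach ($right in $entry.Rights) {
            foreach ($p in $principals) {
                [pscustomobject]@{
                    Principal    = $p.Name
                    PrincipalSid = $p.Sid
                    Role         = $right.RoleName
                    Scope        = $right.ScopeName
                    GrantedVia   = $entry.Name
                    Direct       = $direct
                }
            }
        }
    }
}

function Get-MultiPathGrant {
    # Principals that hold the same role and scope through more than one entry.
    # Removing a single entry in Studio does not revoke these rights.
    param([Parameter(Mandatory = $true)][object[]]$EffectiveRights)

    $EffectiveRights |
        Group-Object PrincipalSid, Role, Scope |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Principal  = $_.Group[0].Principal
                Role       = $_.Group[0].Role
                Scope      = $_.Group[0].Scope
                GrantedVia = (($_.Group | ForEach-Object { $_.GrantedVia }) |
                              Sort-Object -Unique) -join ', '
            }
        }
}

$rights = @(Get-EffectiveSiteRight)

# Everyone who is effectively a Full Administrator, directly or through a group.
$rights | Where-Object { $_.Role -eq 'Full Administrator' } |
    Sort-Object Principal, GrantedVia |
    Format-Table Principal, GrantedVia, Direct -AutoSize

# Accounts whose rights would survive the removal of one administrator entry.
Get-MultiPathGrant -EffectiveRights $rights | Format-Table -AutoSize
```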

Discussion Question
The administrator account used to install the Controller and configure the Site has Full Administrator privileges. What
happens if you delete that account from Studio?

Setting Up a Second Controller
A second Controller is required for high availability of the XenApp and XenDesktop environment. Because the second
Controller is joining an existing Site, and is being added to the existing database, database configuration is minimal during
the installation. The second Controller can be installed at any time after the first Controller is configured. Once installed, any
instance of Studio can be used to manage multiple Controllers for a Site.

To Install a Second Controller


1. Right-click the second Controller VM, click Start, and then click Console.
Right-click Controller-2, click Start, and then click Console.

2. Log on to the second Controller using domain administrator credentials.


Log on to Controller-2 using the TRAINING\Administrator and Password1 credentials.

3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click AutoSelect.

6. Click Start next to XenDesktop.


7. Click Delivery Controller.
8. Read and respond to the licensing agreement.
Select I have read, understand, and accept the terms of the license agreement and then click Next.

9. Specify the components to install and then click Next.


Deselect License Server and StoreFront and then click Next.

If you are deploying a Proof of Concept or small implementation that will not grow, you can install the
Controller, Studio, and Director on the same server.

10. Specify whether or not to install Microsoft SQL Server 2012 Express or Windows Remote Assistance and then click Next.
Deselect Install Microsoft SQL Server 2012 SP1 Express, verify that Install Windows Remote Assistance is selected,
and then click Next.

Microsoft SQL Server 2012 Express does not need to be installed on the server because you already have a
mirrored instance of SQL Server 2012. The same database must be used for both the first Controller in the
environment and all subsequent Controllers in the environment. If Windows Remote Assistance was selected
for installation on the first Controller, it must be selected for all subsequent Controllers to ensure that it is
available to Director.

11. Select the port configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.

If the Controller will use the default ports for communications, select Automatically. If the Controller will use
alternate port assignments, select Manually to configure the ports after installation completes.

12. Review the installation summary and then click Install.

Based on the components that are selected for installation in the lab environment and the number of VMs
running, you can expect the installation to take approximately 15 minutes.

13. Wait for the installation to complete, deselect Launch Studio, and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window and then click Internet Information Services (IIS) Manager to
begin the process of requesting and installing a certificate on the second Delivery Controller server.
16. Click the name of the Delivery Controller in the left pane.
Click C-2 in the left pane.

17. Respond to the Internet Information Services (IIS) Manager message.


Click No.

18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the right pane.
20. Specify the appropriate distinguished name properties and then click Next.

a. Use the following information:


• Common name: c-2.training.lab
• Organization: Training
• Organizational Unit: IT
• City/locality: Ft Lauderdale
• State/province: Florida
• Country/region: US
b. Click Next.

The Common name must match the FQDN that will be used to access the Site.

21. Click Select, select the Certificate Authority, and then click OK.
Click Select, select training-AD-CA, and then click OK.

22. Type a friendly name for the certificate and then click Finish.
Type c-2.training.lab and then click Finish.

23. Double-click Sites > Default Web Site in the left pane.
24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
26. Select the newly created certificate in the SSL certificate field, click OK, and then click Close.
Select c-2.training.lab in the SSL certificate field, click OK, and then click Close.

27. Close the Internet Information Services (IIS) Manager.
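
The following added example (not part of the course material) checks the result of the certificate and binding steps performed on each Controller: that the https binding on Default Web Site carries a certificate whose name matches the Controller FQDN, is within its validity period, has a private key, and chains to a trusted root. The function name and the 30-day warning window are assumptions.

```powershell
# Added example, not the course's own code. Run in an elevated session on the Controller.
Import-Module WebAdministration

function Test-ControllerHttpsBinding {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,   # name used to reach the Site
        [string]$SiteName = 'Default Web Site',
        [int]$WarnDays = 30                            # assumption: renewal warning window
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $result   = { [pscustomobject]@{ Fqdn = $Fqdn; Passed = ($findings.Count -eq 0); Findings = $findings } }

    # An https binding must exist on the site and reference a certificate.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) {
        $findings.Add("No https binding on '$SiteName'")
        return & $result
    }

    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        $findings.Add('Binding references a certificate that is not in the machine store')
        return & $result
    }

    # The Common name (or a SAN DNS entry) must match the FQDN. Exact match only;
    # wildcard names are not evaluated here.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $names    = @($cert.GetNameInfo($nameType, $false))
    $names   += @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $Fqdn) {
        $findings.Add("Certificate names ($($names -join ', ')) do not include $Fqdn")
    }

    # Validity window.
    $now = Get-Date
    if ($now -lt $cert.NotBefore) {
        $findings.Add("Certificate is not valid until $($cert.NotBefore)")
    }
    elseif ($now -gt $cert.NotAfter) {
        $findings.Add("Certificate expired on $($cert.NotAfter)")
    }
    elseif (($cert.NotAfter - $now).TotalDays -lt $WarnDays) {
        $findings.Add("Certificate expires in fewer than $WarnDays days ($($cert.NotAfter))")
    }

    # IIS cannot serve TLS without the private key.
    if (-not $cert.HasPrivateKey) {
        $findings.Add('Certificate has no private key on this machine')
    }

    # If EKUs are restricted, Server Authentication must be among them.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings.Add('Certificate EKU list does not include Server Authentication')
    }

    # Chain must build to a root this machine trusts (for example the domain CA).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        foreach ($status in $chain.ChainStatus) {
            $findings.Add("Chain problem: $($status.Status)")
        }
    }

    return & $result
}

# On Controller-1; on Controller-2 pass c-2.training.lab instead.
Test-ControllerHttpsBinding -Fqdn 'c-1.training.lab' | Format-List
```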

Joining a Controller to a Site


By default, the configuration phase of a Controller takes place immediately after the installation of the Controller. In some
instances, you may want to move a Controller from one Site to another, such as from a test Site to a production Site. In this
case, you only need to rerun the Configuration utility (this task), not reinstall the Controller. When you run the
Configuration utility you have the opportunity to create a new Site (new database), or join an existing Site (existing database).

As a best practice, you should locate each Controller VM on a different physical hypervisor host for high
availability purposes.



To Join a Controller to an Existing Site
This procedure assumes that you installed Studio on each Controller in the environment.

1. Log on to the second Controller with domain administrator credentials.


Log on to Controller-2 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type Studio, and then click Citrix Studio.


3. Click Connect this Delivery Controller to an existing Site.
4. Type the FQDN of the first Controller and then click OK.
Type c-1.training.lab and then click OK.

5. Click Yes when prompted to update the database automatically.


6. Select Controllers from the Configuration node in the left pane of Studio.
7. Verify that both Controllers are listed.
Verify that C-1.training.lab and C-2.training.lab are listed.

You can shut down the Controller-2 and SQLServer-2 VMs to free up lab resources.

Discussion Question
You added multiple Controllers to your implementation, but discover that you do not need all of them. You decide to use the
Remove Controller option in Studio to remove the extra Controllers. What impact will this have on the remaining
implementation and on the removed Controllers?

Setting Up the Citrix Universal Print Server


The Citrix Universal Print Server extends XenApp and XenDesktop universal printing support to network printing. The Citrix
Universal Print Server eliminates the need to install numerous non-native printer drivers on the virtual desktops and on the
servers that host desktops and applications.
The Universal Print Server includes a client component and a server component:
• The client component (Universal Print Client) is installed on the resources hosting desktops and applications and on the
objects located in a Machine Catalog that provide network printers that use the Universal Printer Driver. The client
component is installed during the installation of the Virtual Delivery Agent on the resource.
• The server component (Universal Print Server) is installed on each Windows print server that provisions session network
printers and uses the Universal Printer Driver for the session printers (regardless of whether or not the session printers
are centrally provisioned).
To configure the Universal Print Server:
1. Install the Universal Print Client software.
2. Install the Universal Print Server software.
3. Configure a policy to enable the use of the Universal Print Server. The policy can be a local policy or a group policy.



After the Universal Print Server components are installed and policy settings are configured, an end user can add and
enumerate network printers through the Windows Print Provider and Citrix Print Provider interfaces. The Citrix Print
Provider does not support client-side rendering.

Installing the Universal Print Server


The Universal Print Server must be installed on the print servers in the environment. During the installation of the Universal
Print Server, the Print and Document Services role is installed on the server as are runtime libraries and client-side
extensions. The client-side extensions are required to retrieve and configure Universal Print Server policy settings. You should
not attempt to install the Universal Print Server on a server on which XenApp and XenDesktop components are installed
because the components are already installed.

To Install the Universal Print Server


1. Start the Citrix Universal Print Server VM.
Right-click UniversalPrintServer-1 in XenCenter, click Start, and then click Console.

2. Log on to the Citrix Universal Print Server VM using domain administrator credentials.
Log on to Universal Print Server using the TRAINING\Administrator and Password1 credentials.

3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click AutoSelect.

6. Click Start next to XenDesktop.


7. Click Universal Print Server.
8. Read and respond to the licensing agreement.
Select I have read, understand, and accept the terms of the license agreement and then click Next.

9. Determine where the Citrix Universal Print Server will be installed and then click Next.
Click Next to accept the default location.



10. Click Install and then wait for the installation to complete.
11. Click Finish.
12. Eject the XenApp and XenDesktop media from the DVD Drive.
Click Eject to the right of the DVD Drive 1 field to eject the media from the drive.

Discussion Question
What is the maximum number of concurrent print streams allowed when using the Universal Print Server?

Configuring the Universal Print Server


The Universal Print Server provides simplified print management to allow network printing from any device by provisioning
network session printers. If you want to change the values for the Universal Print Server policy settings specified below, you
can add them to a policy. If the settings are not included in a policy, the default settings will be used.
• Universal Print Server enable (default=disabled) (Computer Configuration)
• Universal Print Server data stream (CGP) port (default=Port 7229) (Computer Configuration)
• Universal Print Server web service (HTTP/SOAP) port (default=SOAP port 8080) (Computer Configuration)
• Universal Print Server print stream bandwidth limit (default=0 kilobits per second which means unlimited bandwidth)
(User Configuration)

You must include the Universal Print Server enable setting in a policy to enable the use of the Universal Print
Server.

To Configure the Universal Print Server


1. Log on to a VM that is hosting Studio with domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.

2. Click Tools in Server Manager and then click Group Policy Management.

The Group Policy Management Console may be behind the Server Manager window.

3. Browse to the OU that contains the virtual desktops.


Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.

You can determine which OU contains the virtual desktops using Active Directory Users and Computers on
the domain controller.

4. Right-click the OU containing your virtual desktops and then click Create a GPO in this domain, and Link it here.
Right-click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.

5. Type a descriptive name in the Name field and then click OK.
Type Enable and configure Universal Print Server Service and then click OK.

6. Right-click the newly created GPO and then click Edit.


Right-click Enable and configure Universal Print Server Service and then click Edit.

7. Double-click Computer Configuration > Policies > Citrix Policies.


8. Click Edit and then click the Settings tab to add settings to the unfiltered policy.
9. Select Printing in the Categories field.



10. Click Add to the right of the Universal Print Server enable setting.
11. Select Enabled with fallback to Windows' native remote printing in the Value field and then click OK.

The Universal Print Server is disabled by default. When you enable Universal Print Server, you choose
whether to use the Windows Print Provider if the Universal Print Server is unavailable. After you enable the
Universal Print Server, a user can add and enumerate network printers through the Windows Print Provider
and Citrix Print Provider interfaces.
12. Click OK in the Edit Policy window.
13. Close the Group Policy Management Editor and Group Policy Management windows.

Discussion Question
To which OU must the Universal Print Server policy be applied?

Creating Printers
You can use the Print Management utility to automatically discover and create printers that are on the same subnet as the
Universal Print Server. Once the printers are discovered, you can configure the printers by installing the printer drivers,
setting up the print queues and sharing the printers.

Printers are already created in the lab environment, but will not work because there are no printer devices in the
environment. You can verify which printers exist in the lab environment using the following steps:
1. Log on to Universal Print Server using the TRAINING\Administrator and Password1 credentials.
2. Click Tools > Print Management in the Server Manager.
3. Select Printers in the left pane and then verify that the following network printers exist:
• Accounting (HP Color LaserJet Enterprise cm4549 MFP PCL6 Class Driver)
• Color Laser Printer (HP Color LaserJet 1600 Class Driver PCL6)
• Human Resources (HP Color LaserJet CP4005 PCL6 Class Driver)
• Microsoft XPS Document Writer
4. Close the Print Management window.

To Create Printers
The following steps are provided for informational purposes only and are not to be performed in the lab
environment.

1. Log on to the Citrix Universal Print Server using domain administrator credentials.
2. Click Tools in the Server Manager window and then click Print Management.
3. Expand Print Servers, right-click the Universal Print Server, and then click Add Printer.
4. Select the printer installation method and then click Next.
5. Click Next on the Printer Driver page.
6. Select a printer manufacturer in the left column, a printer in the right column, and then click Next.
7. Type a name for the printer in the Printer Name and Share Name fields and then click Next.
8. Click Next in the Printer Found page.
9. Click Finish.

Discussion Question
You want to automatically add the network printers through discovery, but the Print Management utility is not available.
What must you do to add printers?



Setting Up StoreFront
StoreFront is a front-end web server responsible for authenticating end users and aggregating desktop and application
resources from one or more XenApp and XenDesktop sites through access to a store using any endpoints running Citrix
Receiver on Android, iOS, OS X, Linux, Windows, Windows Mobile, Windows RT or Receiver for Web sites. When an end
user’s credentials have been validated, the authentication service handles all subsequent interactions to ensure that the end user
only needs to log on once.
StoreFront uses centralized enterprise stores to deliver desktops, applications and other resources to end users on any
endpoint. If Citrix Receiver is not installed on the endpoint, end users can download Citrix Receiver using the Receiver for
Web site. By default, the Receiver for Web site attempts to determine whether Citrix Receiver is installed on Windows and
Mac OS X systems. If a suitable client cannot be detected, end users are prompted to download and install Citrix Receiver.
StoreFront records details of end users’ application subscriptions, plus associated shortcut names and locations, in a local
configuration data file on the StoreFront server. When an end user accesses a store, the application synchronization feature
automatically updates the subscribed applications to match the configuration stored in the StoreFront local configuration data
file to ensure that end users have a consistent experience across all their endpoints. When multiple StoreFront servers are
configured, the local configuration data file on each StoreFront server is automatically synchronized to contain the same
information and does not require any administration.
When planning your StoreFront deployment, Citrix recommends the following considerations:
• Host StoreFront on a dedicated instance of IIS. Installing other web applications on the same IIS instance as StoreFront
could have security implications for the overall StoreFront infrastructure.
• Use HTTPS to secure communication between the StoreFront and end user devices.
• StoreFront servers must reside within the same Microsoft Active Directory forest as the XenApp and XenDesktop Servers
hosting end user resources. All the StoreFront servers in a group must reside within the same domain. To enable smart
card and user certificate authentication, end user accounts must be configured within the Active Directory forest
containing the StoreFront Servers.
• Implement multiple StoreFront servers to ensure high availability if the primary server hosting StoreFront fails.
• Configure the external load balancer (such as Citrix NetScaler) to fail over between the servers to ensure end users have
uninterrupted access to their applications and desktops.

StoreFront Components
StoreFront consists of several components, which are described in this section:
• StoreFront Server - The StoreFront server records details of end-user application subscriptions locally along with
associated shortcut names and locations. When an end user accesses a store, the application synchronization feature
automatically updates the subscribed applications on the end-user device to match the configuration stored on the
StoreFront server. The credentials are later retrieved by the Store Service to authenticate to XenApp and XenDesktop,
ensuring that the end user has a consistent experience across all devices.

StoreFront requires a minimum of 2 GB of storage space on the StoreFront server.

• Authentication Service - The StoreFront authentication service authenticates end users to XenApp and XenDesktop sites.
When an end user's credentials have been validated, the authentication service handles all subsequent interactions to
ensure that the user only needs to log on once. The credentials are stored using built-in Windows security features.
• Store - The store retrieves end-user credentials from the authentication service to authenticate end users to the
components providing the resources. The store also enumerates and aggregates the resources currently available from
XenApp and XenDesktop sites and the Delivery Controller (SaaS applications). End users access the store through Citrix
Receiver or a Receiver for Web site.
• Receiver for Web site - This site enables end users to access stores through a Web page. Furthermore, this site can verify
the version of Receiver installed locally on the end-user device and guide the end user through an upgrade or installation
procedure if required. In scenarios where Receiver cannot be locally installed, an HTML 5-based Receiver will be used.



StoreFront Communication

1. An end user enters a username and password into Receiver, which is then sent to the StoreFront server. End users may
skip this step if pass-through authentication is configured.
2. The authentication service of StoreFront retrieves the end-user credentials and validates them with a domain controller.
The StoreFront server must be a member of the same Active Directory forest as the end-user account and the accessed
resources.
3. StoreFront retrieves the end user's application subscriptions locally and loads them into memory.
4. StoreFront forwards the end-user credentials as part of an XML query to the XenApp and XenDesktop Delivery
Controller.
5. The Delivery Controller validates the end-user credentials with a domain controller.
6. After a successful validation, the Delivery Controller checks which resources have been published for this end user within
its SQL Server database.
7. The Delivery Controller sends an XML response to StoreFront, which contains all resources available for the end user
from the XenApp and XenDesktop site.
8. StoreFront sends the list of available resources including the existing subscriptions to Citrix Receiver or displays them in
the Receiver for Web site.

Discussion Question
What advantages does StoreFront offer in place of Web Interface?
Where is the physical location of the StoreFront server on your network?

Installing Citrix StoreFront


StoreFront is typically installed on an IIS server and can be installed using the XenApp and XenDesktop installation media.
StoreFront and its prerequisites can also be installed from a command line. StoreFront should be installed after a Site is
configured but before end users are given access to the environment. StoreFront can be located in the DMZ or the internal
network if NetScaler Gateway (formerly known as Access Gateway) is installed between the end user and the StoreFront.

To Install StoreFront
1. Right-click the Citrix StoreFront VM, click Start, and then click Console.
Right-click StoreFrontServer-1, click Start, and then click Console.

2. Log on to Citrix StoreFront using domain administrator credentials.


Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.

3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click AutoSelect.

6. Click Start next to XenDesktop.


7. Click Citrix StoreFront.
8. Read and respond to the licensing agreement.
Select I have read, understand, and accept the terms of the license agreement and then click Next.

9. Determine where StoreFront will be installed and then click Next.


Click Next to accept the default location.

10. Select the firewall rule configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.

If the StoreFront will use the default ports for communications, select Automatically. If the StoreFront will use
alternate port assignments, select Manually to configure the ports after installation completes.

11. Review the installation summary and then click Install.

Based on the components that are selected for installation in the lab environment and the number of VMs
running, you can expect the installation to take approximately 10 minutes.

12. Wait for the installation to complete.


13. Deselect Open the StoreFront Management Console and then click Finish.

If you decide to open the StoreFront Management Console, and you receive an Add Snap-in error, click
Cancel in the End Snap-in message and the console will open. Do not click End Now because it will close the
console.

14. Eject the XenApp and XenDesktop media from the DVD Drive.
Click Eject to the right of the DVD Drive 1 field to eject the media from the drive.

Discussion Question
Do the StoreFront servers need to be a member of the same domain as the Controllers?



Requesting and Installing a Certificate on StoreFront
You should use HTTPS between the end user device and the StoreFront. This is accomplished using a certificate. The
certificate should be installed on the StoreFront server before any end users are given access to the environment. Server
certificates are used for machine identification and transport security in StoreFront. If you decide to enable ICA file signing,
StoreFront can also use certificates to digitally sign ICA files.
Authentication services and stores each require certificates for token management. StoreFront generates a self-signed
certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront should not be
used for any other purpose.

To Create and Install a Certificate on StoreFront


1. Log on to the StoreFront server using domain administrator credentials.
Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials, if not already logged
on.

2. Click Tools in the Server Manager window and then click Internet Information Services (IIS) Manager.
3. Click the name of the StoreFront server in the left pane.
Click SFS-1 in the left pane.

4. Respond to the Internet Information Services (IIS) Manager message.


Click No.

5. Double-click Server Certificates in the center pane under the IIS heading.
6. Click Create Domain Certificate in the right pane.
7. Specify the appropriate distinguished name properties and then click Next.

a. Use the following information:


• Common name: sfs-1.training.lab
• Organization: Training
• Organizational Unit: IT
• City/locality: Ft Lauderdale
• State/province: Florida
• Country/region: US
b. Click Next.

The Common name must match the FQDN that will be used to access the Site.

8. Click Select, select your Certificate Authority, and then click OK.
Click Select, select training-AD-CA, and then click OK.

9. Type a friendly name for the certificate and then click Finish.
Type sfs-1.training.lab and then click Finish.

10. Double-click Sites > Default Web Site in IIS Manager.


11. Click Bindings in the right pane.
12. Click Add and then select https in the Type field.
13. Select the newly created certificate from the SSL certificate field, click OK, and then click Close.
Select sfs-1.training.lab in the SSL certificate field, click OK, and then click Close.

14. Close the Internet Information Services (IIS) Manager.
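
The following check is an added example and is not part of the Citrix course material: a PowerShell function that confirms the https binding created above presents a CA-issued certificate whose name matches the FQDN used to reach the server. It assumes an elevated Windows PowerShell 4.0 or later session on the StoreFront server with the IIS WebAdministration module available; the function names Test-CertNameMatch and Test-HttpsBindingCertificate are hypothetical.

```powershell
# Added example (not from the course): verify the certificate bound to https
# on an IIS site. Assumes an elevated session and the WebAdministration module.
Import-Module WebAdministration

# Hypothetical helper: exact match, or a wildcard covering exactly one label.
function Test-CertNameMatch {
    param([string] $Pattern, [string] $Fqdn)
    if ($Pattern -ieq $Fqdn) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $null, $parent = $Fqdn -split '\.', 2      # drop the left-most label
        return $Pattern.Substring(2) -ieq $parent
    }
    return $false
}

# Hypothetical function: one result object per https binding on the site.
function Test-HttpsBindingCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $SiteName,
        [Parameter(Mandatory = $true)] [string] $ExpectedFqdn
    )

    $bindings = @(Get-WebBinding -Name $SiteName -Protocol 'https')
    if ($bindings.Count -eq 0) { throw "No https binding on '$SiteName'." }

    foreach ($binding in $bindings) {
        $thumb = $binding.certificateHash
        if (-not $thumb) {
            throw "Binding $($binding.bindingInformation) has no certificate."
        }
        $path = "Cert:\LocalMachine\$($binding.certificateStoreName)\$thumb"
        $cert = Get-Item -Path $path -ErrorAction Stop

        # DNS names PowerShell derives from the subject CN and the SAN entries.
        $names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $nameOk = [bool]($names | Where-Object { Test-CertNameMatch $_ $ExpectedFqdn })

        # Build the trust chain with the default policy (revocation included).
        $chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk     = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        $now = Get-Date
        [pscustomobject]@{
            Binding       = $binding.bindingInformation
            Thumbprint    = $cert.Thumbprint
            Names         = $names -join ', '
            NameMatches   = $nameOk
            InValidity    = ($cert.NotBefore -le $now -and $now -lt $cert.NotAfter)
            HasPrivateKey = $cert.HasPrivateKey
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            ChainBuilds   = $chainOk
            ChainStatus   = $chainStatus
        }
    }
}

# Lab values taken from the procedure above.
Test-HttpsBindingCertificate -SiteName 'Default Web Site' -ExpectedFqdn 'sfs-1.training.lab' |
    Format-List
```

For a certificate issued by the domain CA, NameMatches, InValidity, HasPrivateKey and ChainBuilds should be True and SelfSigned should be False. On the other servers in the lab, pass that server's FQDN as -ExpectedFqdn.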



Discussion Question
XenApp and XenDesktop 7.6 does not support the use of SSL Relay to secure communications between StoreFront servers
and the Controllers. What other option is available to secure those communications?

Creating and Configuring a Store


StoreFront requires that you create a store to provide resources to end users. To create a store, you must identify and
configure communications with the servers providing the resources that you want to make available in the store. You will
then have the option to configure remote access through NetScaler.
When a store is configured, a URL is assigned to it. End users can access the resources in the store using the Receiver for
Web site or by using a Receiver that is installed on the endpoint (not a browser).
StoreFront allows you to create as many stores as needed for a particular group of end users or to group together a specific set
of resources. For example, you can create one store for Engineering and another store for Sales.
StoreFront automatically establishes a trust relationship between each configured store and the authentication service. Each
store that is configured requires its own local configuration data file on the StoreFront Server. When multiple StoreFront
servers are configured for a store, each local configuration data file is replicated among all StoreFront servers.

To Configure a Store
1. Log on to the StoreFront server using domain administrator credentials.
Log on to the StoreFrontServer-1 VM using the TRAINING\Administrator and Password1 credentials, if not
already logged on.

2. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
3. Click Create a new deployment.
4. Verify that the URL for the StoreFront server is correct for your deployment and then click Next.
Verify that https://sfs-1.training.lab appears in the Base URL field and then click Next.

It may take a few minutes for the deployment to be created.

5. Specify a name for the store and then click Next.


Type Store-1 in the Store name field and then click Next.

6. Add the XenDesktop, XenApp, and XenMobile 9.0 Enterprise (AppController) deployments that will provide the
resources that you want to make available in the store and then click Next.

a. Click Add and then type XenApp and XenDesktop in the Display name field.
b. Verify that XenApp 7.5 (or later), or XenDesktop is selected.
c. Click Add, type c-1.training.lab and then click OK.
d. Click Add, type c-2.training.lab, and then click OK.
e. Verify that HTTPS is selected as the Transport type.
f. Click OK and then click Next.

7. Configure the remote access and then click Create.


Verify that None is selected and then click Create.

You have not yet set up the NetScaler component, so at this stage you are not setting up remote access. Based
on the components that are selected for configuration in the lab environment and the number of VMs
running, you can expect the configuration to take approximately 10 minutes.

8. Click Finish.
9. Click Stores in the left pane of the StoreFront console and then verify that the store was successfully created.



Click Cancel if the End Snap-in window appears.

Click Stores and then verify that Store-1 appears in the center pane.

Discussion Question
How do you create a Receiver for Web site?

To Configure Authentication Methods


1. Log on to the StoreFront virtual machine using domain administrator credentials.
Log on to the StoreFrontServer-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type StoreFront, and then click Citrix StoreFront.


3. Select the Authentication node.
4. Click Add/Remove Methods within the Actions pane.
5. Specify the access methods that you want to enable or disable for your end users.
Select the following methods:
• User name and password
• Domain pass-through

6. Click OK.

Enabling End Users to Change Their Passwords


You can perform this task to enable end users accessing stores with explicit domain credentials to reset their expired
passwords when logging on. When this setting is enabled, end users who cannot log on because their passwords have expired
are redirected to the Change Password dialog box. StoreFront then contacts the domain controller to reset the end-user
password.

To Enable End Users to Change Their Passwords


1. Log on to the StoreFront virtual machine using domain administrator credentials.
Log on to the StoreFrontServer-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type StoreFront, and then click Citrix StoreFront.


3. Click Yes on the User Account Control window if it appears.

Click Cancel if the End Snap-in window appears.

4. Select the Authentication node.


5. Click Manage Password Options in the Actions pane.
6. Select the appropriate option.
Select At any time.

7. Click OK.



Creating a Store for Unauthenticated (Anonymous) Users
Delivery Groups can be configured for use with both authenticated and unauthenticated (Anonymous) users. To support both
types of users accessing sessions using XenApp or XenDesktop, you must create separate stores for the authenticated users
and the unauthenticated users in StoreFront.

Stores created for unauthenticated users do not support remote access through NetScaler Gateway.
Unauthenticated user support is specific to certain industries such as education and medical institutes and is not a
feature recommended for general use.

To Create a Store for Anonymous User Access


1. Log on to the primary StoreFront server using domain administrator credentials.
Log on to the StoreFrontServer-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type StoreFront, and then click StoreFront.


3. Click Yes on the User Account Control window, if it appears.
Click Cancel if the End Snap-in window appears.

4. Select the Stores node and then click Create Store for Unauthenticated Users.
5. Click Next in the Information screen.
6. Specify the store name and then click Next.
Type Anonymous Store and then click Next.

7. Click Add on the Delivery Controllers page.


8. Type the name of the Delivery Controller.
Type Delivery Controller as the display name.

9. Select XenApp 7.5 (or later), or XenDesktop.


10. Click Add.
11. Type the server name or IP address of a Delivery Controller in the environment.
Type c-1.training.lab.

12. Click OK and then click Add.


13. Type the server name or IP address of another Delivery Controller in the environment.
Type c-2.training.lab.

14. Click OK.


15. Select the types of connections from the Transport type list that StoreFront will use to communicate with the Delivery
Controllers.
Verify that HTTPS is selected to use a secure connection.

16. Specify the port for StoreFront to use for connections to the XenApp or XenDesktop site.
Verify that 443 is specified in the Port field.

17. Click OK.


18. Click Create. It may take several minutes to create the store.
19. Click Finish.
20. Click Stores in the left pane of the StoreFront console and then verify that the store was successfully created.
Click Stores and then verify Anonymous Store appears in the center pane.



Discussion Question
The Citrix Broker Service runs on each Controller in the environment. You should secure data sent over the connection using
HTTPS or make other arrangements to secure connections to the store. To secure Citrix Broker Service on the Controllers,
what must be configured?

Managing Delivery Controllers


StoreFront has the capability to aggregate several independent infrastructures, like legacy XenApp farms as well as XenApp
and XenDesktop sites, to seamlessly present all available resources to users from any of these infrastructures in a single
unified location for access.
When adding sites and farms to StoreFront, it is best practice to add at least 2 Delivery Controllers or XML Brokers (Legacy
XenApp) for each site and farm. This ensures that no controller is a single point of failure.

Setting Up a Second StoreFront Server


For high availability, you should install more than one StoreFront server in an environment. Multiple StoreFront servers are
members of a single server group. A server group is the management container located and configured in the StoreFront
console. An authorization code is required from the authorizing server in order to add additional StoreFront servers to
existing StoreFront deployments. The authorizing server is the first StoreFront server configured for the Site. The
authorization code can be obtained from the StoreFront console on the first StoreFront server.

To Install a Second StoreFront Server


1. Right-click the second StoreFront VM, click Start, and then click Console.
Right-click StoreFrontServer-2, click Start, and then click Console.

2. Log on to the second StoreFront server using domain administrator credentials.


Log on to StoreFrontServer-2 using the TRAINING\Administrator and Password1 credentials.

3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click AutoSelect.

6. Click Start next to XenDesktop.


7. Click Citrix StoreFront.
8. Read and respond to the licensing agreement.
Select I have read, understand, and accept the terms of the license agreement and then click Next.

9. Determine where StoreFront will be installed and then click Next.


Click Next to accept the default location.

10. Select the firewall rule configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.

If the StoreFront will use the default ports for communications, select Automatically. If the StoreFront will use
alternate port assignments, select Manually to configure the ports after installation completes.

11. Review the installation summary and then click Install.



Based on the components that are selected for installation in the lab environment and the number of VMs
running, you can expect the installation to take approximately 10 minutes.

12. Wait for the installation to complete.


13. Deselect Open the StoreFront Management Console and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window, and then click Internet Information Services (IIS)
Manager to begin the process of requesting and installing a certificate on the second StoreFront server.
16. Click the name of the StoreFront server in the left pane.
Click SFS-2 in the left pane.

17. Respond to the Internet Information Services (IIS) Manager message.


Click No.

18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the right pane.
20. Specify the appropriate distinguished name properties and then click Next.

a. Use the following information:


• Common name: sfs-2.training.lab
• Organization: Training
• Organizational Unit: IT
• City/locality: Ft Lauderdale
• State/province: Florida
• Country/region: US
b. Click Next.

The Common name must match the FQDN that will be used to access the site.

21. Click Select, select the Certificate Authority, and then click OK.
Click Select, select training-AD-CA, and then click OK.

22. Type a friendly name for the certificate and then click Finish.
Type sfs-2.training.lab and then click Finish.

23. Double-click Sites > Default Web Site.


24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
26. Select the newly created certificate from the SSL certificate field, click OK, and then click Close.
Select sfs-2.training.lab in the SSL certificate field, click OK, and then click Close.

27. Close the Internet Information Services (IIS) Manager.


28. Log on to the first Citrix StoreFront VM using domain administrator credentials.
Switch to the StoreFrontServer-1 and log on using the TRAINING\Administrator and Password1 credentials, if not
already logged on.

29. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
30. Right-click Server Group in the left pane and then click Add Server.
31. Record the authorizing server and authorization code.



This code will be typed into the StoreFront console on the second Citrix StoreFront server to join it to the
server group. To assist in entering the code, you can launch Notepad on the desktop of the server that the lab
XenCenter is running on, copy and paste the code into Notepad, and then copy and paste it into the field on
StoreFrontServer-2.

32. Leave the Add Server screen containing the authorizing server and authorization code open until the second server has
successfully joined the server group.

This window will automatically close when the server joins and the propagation of the configuration data is
completed.

33. Return to the second Citrix StoreFront VM.


Switch to the StoreFrontServer-2 VM.

34. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
35. Click Join existing server group in the Welcome to StoreFront screen.
36. Type the authorizing server and authorization code noted earlier into the appropriate fields in the Join Server Group
window and then click Join.
Type SFS-1 in the Authorizing server field, type the code you wrote down into the Authorization code field, and then
click Join.

37. Wait for the "Join Server Group" task to complete.

Based on the number of VMs actively running, you can expect the join task to take approximately 10 minutes.

38. Click OK in the "Joined Successfully" message on the second Citrix StoreFront server.
39. Return to the first Citrix StoreFront server.
Switch to the StoreFrontServer-1 VM.

40. Click OK in the message.

Discussion Question
When you add additional StoreFront servers to a deployment, where should you manage those additional servers?

StoreFront Management Console


After the initial configuration of StoreFront, other tasks that enable you to manage your deployment become available in the
StoreFront management console. This console gives you the following access:
• Stores - Create, configure, and manage stores.
• Receiver for Web - Create and configure a Web-based point of access for end users.
• Citrix NetScaler Gateway - Configure NetScaler connection settings.
• Server Groups - Customize StoreFront server groups.
• Beacons - Manage beacon points for external and internal access.
• Authentication - Configure the authentication process for the StoreFront site.

Setting Up Receiver
Citrix Receiver is a universal software client that provides secure, high-performance delivery of virtual desktops and hosted
applications.
Citrix Receiver provides:
• Simple, self-service access to virtual desktops, hosted applications, and IT services.
• High-definition user experience (HDX) on any network or device.
• Instant updates to end users with IT control and visibility.
• Easier management of enterprise data, applications, desktops, and SaaS applications through secure, centralized
deployment to any endpoint.
In order for users to make use of the HDX (ICA) features at the endpoint, a Receiver must be installed. If Receiver is not
installed, then the HTML 5 proxy can be used and the HDX features will be between the StoreFront and the desktop or
hosted application only. HDX features are enabled in policies. HTML 5 must be enabled in StoreFront for the Receiver for
Web Site in order to use it.
The process for end-user connections is:
1. When end users connect from inside your network or a remote location and install Receiver, they provide their email
address or the StoreFront URL.
2. Receiver then queries the appropriate DNS server, which responds with the StoreFront or NetScaler URL. The URL
depends on whether end users connect from the internal network or a remote location.
3. Users then log on to Receiver with their user name, password, and domain.
4. If end users connect from a remote location, NetScaler provides the StoreFront URL to Receiver.
5. Receiver gets the account information from StoreFront. If end users connect through NetScaler, the appliance performs
single sign-on to StoreFront. If more than one account is available, end users receive a list of accounts from which to
choose.
6. When end users log on to an account, a list of resources appears in Receiver. End users can then select resources to add to
their Receiver or open a resource that was already added to their Receiver.

To enable email-based account discovery for internal end users connecting directly to StoreFront, you must install
a valid server certificate on the StoreFront server. The full chain to the root certificate must also be valid.

Configuring DNS for Email-Based Account Discovery


You can configure email-based account discovery to enable internal end users who install Citrix Receiver on an endpoint to
set up their accounts by providing their email addresses. During the initial configuration process, Citrix Receiver prompts end
users to enter either an email address or a server URL. When an internal end user enters an email address, Citrix Receiver
contacts the DNS server for the domain specified in the email address to obtain a list of available stores from which the end
user can select.
To enable Citrix Receiver to locate available stores on the basis of end users' email addresses, you must configure Service
Location (SRV) locator resource records for StoreFront on your DNS server. As a fallback, you can also deploy StoreFront on
a server named "discoverReceiver.domain," where domain is the domain containing your end users' email accounts. If no SRV
record is found in the specified domain, Citrix Receiver searches for a machine named "discoverReceiver" to identify a
StoreFront server.

To Configure a Service Location Locator Record for Email-based Account Discovery

1. Log on to the domain controller using domain administrator credentials.
Log on to Domain Controller-1 using the TRAINING\Administrator and Password1 credentials.

At this time, email-based account discovery cannot be used by remote end users.

2. Click Tools in Server Manager and then click DNS.


3. Browse to your domain in the Forward Lookup Zones in the left pane of DNS Manager.
Double-click AD > Forward Lookup Zones and then click training.lab.

4. Right-click the forward lookup zone for your domain and then click Other New Records.
Right-click training.lab and then click Other New Records.



5. Select Service Location (SRV) and then click Create Record in the Resource Record Type screen.
6. Type _citrixreceiver in the Service field.
7. Type _tcp in the Protocol field.
8. Type the port number used by StoreFront in the Port number field.
Type 443 in the Port number field.

9. Specify the fully qualified domain name (FQDN) of the StoreFront server (to support end users in the local network
only).
Type sfs-1.training.lab in the Host offering this service field.

You are specifying the FQDN of the first StoreFront server.

10. Click OK.

The StoreFront FQDN must be unique and different from the NetScaler virtual server FQDN. Using the same
FQDN for StoreFront and the NetScaler virtual server is not supported. Citrix Receiver requires that the
StoreFront FQDN is a unique address that is only resolvable from endpoints connected to the internal
network. If this is not the case, Receiver for Windows users cannot use email-based account discovery.

11. Select Service Location (SRV) and then click Create Record in the Resource Record Type dialog box.
12. Type _citrixreceiver in the Service field.
13. Type _tcp in the Protocol field.
14. Type the port number used by StoreFront in the Port number field.
Type 443 in the Port number field.

15. Specify the fully qualified domain name (FQDN) of the StoreFront server (to support end users in the local network
only).
Type sfs-2.training.lab in the Host offering this service field.

16. Click OK.


17. Click Done.
18. Close the DNS Manager window.
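
Email-based account discovery depends on two things configured above: the _citrixreceiver._tcp SRV records (or the discoverReceiver fallback host) and a StoreFront server certificate whose name matches the FQDN and whose chain validates to a trusted root. The following PowerShell check is an added example, not part of the Citrix course material or Citrix code; the function names and the -GatewayFqdn parameter are hypothetical, and port 443 for the fallback host is an assumption taken from this lab.

```powershell
# Added example (not Citrix code). Run from a domain-joined internal endpoint.
# Uses only the built-in DnsClient cmdlet Resolve-DnsName and .NET classes.
# Function and parameter names are hypothetical.

function Get-ReceiverDiscoveryTarget {
    # Follows the lookup order described above: the SRV record first,
    # then the "discoverReceiver.<domain>" fallback host.
    param(
        [Parameter(Mandatory = $true)][string]$EmailDomain
    )
    $srvName = "_citrixreceiver._tcp.$EmailDomain"
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -gt 0) {
        foreach ($r in ($srv | Sort-Object Priority)) {
            [pscustomobject]@{
                Source   = 'SRV'
                HostName = $r.NameTarget.TrimEnd('.')
                Port     = [int]$r.Port
            }
        }
        return
    }
    $fallback = "discoverReceiver.$EmailDomain"
    if (Resolve-DnsName -Name $fallback -ErrorAction SilentlyContinue) {
        # Assumption: the fallback host serves HTTPS on 443, as in this lab.
        [pscustomobject]@{ Source = 'Fallback'; HostName = $fallback; Port = 443 }
    }
}

function Test-StoreFrontCertificate {
    # Opens a TLS connection and lets .NET perform its default validation:
    # the handshake fails unless the chain builds to a trusted root and the
    # certificate name matches the host name that was requested.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [string]$GatewayFqdn    # hypothetical: NetScaler virtual server FQDN, if one exists
    )
    $result = [pscustomobject]@{
        HostName      = $HostName
        Port          = $Port
        Trusted       = $false
        Subject       = $null
        NotAfter      = $null
        SameAsGateway = [bool]($GatewayFqdn -and ($GatewayFqdn -eq $HostName))
        Detail        = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($stream, $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $result.Trusted  = $true
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter
    }
    catch {
        # Connection, name-mismatch and chain errors all end up here.
        $result.Detail = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    $result
}

$domain  = 'training.lab'    # email domain used in this lab
$targets = @(Get-ReceiverDiscoveryTarget -EmailDomain $domain)
if ($targets.Count -eq 0) {
    Write-Warning "No _citrixreceiver._tcp SRV record or discoverReceiver host found for $domain"
}
foreach ($t in $targets) {
    Test-StoreFrontCertificate -HostName $t.HostName -Port $t.Port
}
```

A row with Trusted set to False carries the reason in Detail; SameAsGateway set to True flags the unsupported case where the StoreFront FQDN equals the NetScaler virtual server FQDN.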

Installing and Configuring Receiver


End users who want to access XenApp and XenDesktop resources can use Citrix Receiver to access those resources. During
the installation of the VDA on a desktop machine, you have the option to install Receiver. End users that will not be using a
desktop machine can install Citrix Receiver on their endpoints to access resources such as hosted applications.
Citrix Receiver for Windows can be installed in the following ways:
• By an end user downloading the CitrixReceiver.exe package from Citrix.com or your download site and then running the
package. During the installation, the end user can set up an account using an email address, a server URL, or by
downloading a provisioning file.
• From Receiver for Web site. During the installation, the end user can set up an account using an email address, a server
URL, or by downloading a provisioning file using the Activate option.

This installation method does not provide automatic updates.

• Using an Electronic Software Distribution (ESD) tool. During the installation, the user can set up an account using an
email address, a server URL, or by downloading a provisioning file using the Activate option.
When an email address is specified, Receiver contacts the StoreFront server associated with the email address and then
prompts the end user to log on and continue the installation. When a server URL is specified, Receiver is configured to point
to that server and then prompts the end user to log on and continue the installation. Once the end user provides their
credentials in Receiver, Receiver is configured for use by that end user on the endpoint. If additional end users log on to the
endpoint, they will need to configure Receiver for their use. This can be done using the Receiver for Web site.

To Install and Configure Receiver


The following procedure is being performed on an internal endpoint to demonstrate email-based account discovery. Email-
based account discovery cannot be performed from an external endpoint at this time.
1. Right-click the internal endpoint, click Start, and then click Console.
Right-click Endpoint-Internal in XenCenter, click Start, and then click Console.

2. Log on to the internal endpoint using domain user credentials.


Log on to EndPoint-Internal using the TRAINING\HRUser1 and Password1 credentials.

You do not need administrator credentials to install Citrix Receiver unless Receiver will be configured to use
pass-through authentication. In addition, each end user that logs on to an endpoint must configure Receiver in
order to use it.

3. Insert the XenApp and XenDesktop installation media in the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Right-click CD Drive (D:) and then click Citrix Receiver and Plug-ins > Windows > Receiver.
6. Double-click CitrixReceiver.
7. Click Install on the Welcome screen.
8. Click Add Account in the Installed successfully screen to configure Receiver using an email address.
9. Type the end user's email address or the URL of the StoreFront server in the Enter your work email or server address
field and then click Next.
Type hruser1@training.lab and then click Next.

10. Click Continue in the Add Account message.


11. Determine if you want Receiver to optimize your access.
Click Yes.

12. Click Finish.


13. Eject the XenApp and XenDesktop media from the DVD drive.
14. Log on to Receiver using the end user's account credentials.
Log on to Receiver using the TRAINING\HRUser1 and Password1 credentials.

15. Click the + sign in the left portion of the Receiver window to view the applications that are available in the store.

You will add applications to the store in the next module.

16. Click the down arrow to the right of the user name at the top of the Receiver window and then click Log Off.
17. Close the Receiver window.
Click the X in the corner of the Receiver window to close it.

You can also shut down the EndPoint-Internal VM to save lab resources.



Discussion Question
Can you make a connection from an endpoint to a XenApp and XenDesktop resource without a Receiver installed on the
endpoint?

Troubleshooting Receiver
The following table identifies resolutions for Citrix Receiver issues.

Issue: Receiver for Windows end users cannot log on to stores using pass-through authentication, even though the domain
pass-through authentication method is enabled in the StoreFront authentication service.
Resolution: Open a PowerShell command prompt and run the following command on the Delivery Controller servers:
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True

Issue: Receiver for HTML5 is not available to end users.
Resolution:
• Enable Receiver for HTML5 in StoreFront and propagate the settings to all StoreFront servers in the environment.
• Ensure that a supported browser is being used. Supported browsers include Internet Explorer version 10,
Safari version 6, Chrome version 23, and Firefox version 17.

Troubleshooting: Managing StoreFront

Issue: Receiver for Windows end users cannot log on to stores using pass-through authentication, even though the domain
pass-through authentication method is enabled in the StoreFront authentication service.
Resolution: To resolve this issue, run the command Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a
Windows PowerShell command prompt on the server hosting the XenApp and XenDesktop Delivery Controller.

Issue: Changes to the configuration of the StoreFront server group are not propagating.
Resolution: In multiple server deployments, use only one server at a time to make changes to the configuration of the
server group. Ensure that the StoreFront management console is not running on any of the other StoreFront servers in the
deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the
deployment are updated.

Issue: StoreFront cannot join a server group.
Resolution: Ensure that you are not using Group Policy to prevent the addition of new members to the local administrator
group. When you add a new server to a server group, StoreFront service accounts are added as members of the local
administrator group on the new server. These services require local administrator permissions to join and synchronize
with the server group.

Issue: After upgrading multiple StoreFront servers, the stores, sites, and services have become unusable.
Resolution: Ensure that you upgrade your StoreFront servers sequentially. Upgrading multiple StoreFront servers in
parallel is not supported and can cause configuration mismatches that lead to this issue.

StoreFront supports Windows event logging for the authentication service, stores, and Receiver for Web sites. Any
events that are generated are written to the StoreFront Application log, which can be viewed using the Event
Viewer under either Applications and Services Logs > Citrix Delivery Services or Windows Logs > Application.
For more information about event logging, see Citrix product documentation at http://docs.citrix.com.



Reinforcement Exercise: Using the Receiver for Web Site
During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked
to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge
and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most
instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If
you have a question or get stuck, ask the instructor or a fellow student for assistance.
Now that you know how to:
• Install and configure the Citrix License Server.
• Install and configure Citrix Delivery Controller, Citrix Studio, and Citrix Director.
• Install and configure the Citrix Universal Print Server.
• Install and configure Citrix StoreFront.
• Install and configure Citrix Receiver.
You are ready to try your hand at using the Citrix Receiver for Web Site to install Citrix Receiver.
Approximate time to complete: 20 minutes
You just finished setting up your Citrix infrastructure components in the Training environment. When you configured the
store in StoreFront, it automatically created a Receiver for Web site. You want to test its ease of use and use it to install Citrix
Receiver on another Windows 8.1 system in your environment to determine if it is a better option than using the XenApp
and XenDesktop installation media.
Here is what you need to do:
1. Log on to the domain controller and use Active Directory Users and Computers to identify an Administrator account
and a non-administrator account that you can use for this exercise.

All user accounts use Password1.

2. Log on to the StoreFront-1 server using an administrator account.


3. Open the StoreFront console to discover the URL for the Receiver for Web site.
4. Log on to the StudentManagementConsole-1 VM with an administrator account.
5. Use Internet Explorer to access the Receiver for Web site.
6. Install Citrix Receiver from the Receiver for Web site.
7. Configure Citrix Receiver using the server address (FQDN) of the StoreFront server for the selected user account. Do
not use an email address.

If you receive an SSL error within Internet Explorer, this can be safely ignored.



Module 5: Setting Up XenApp and XenDesktop Resources

Setting Up XenApp and XenDesktop Resources
Overview
XenApp and XenDesktop provide desktops and hosted applications to endpoints in a secure and reliable fashion. To do this,
the XenApp and XenDesktop resources need to be configured appropriately and tested. High availability also needs to be
addressed at the resource level. Good planning minimizes risks associated with a single point of failure and improperly scaled
environments.
After completing this module, you will be able to:
• Configure a master image for Server OS machines and hosted applications.
• Configure a master image for Desktop OS machines and hosted applications.
• Create a machine catalog for hosted applications installed on Server OS machines.
• Create a machine catalog for Desktop OS machines.
• Create a Delivery Group to deliver hosted applications.
• Create a Delivery Group to deliver desktops.

All of these resources will be configured using Machine Creation Services.

Module timing: 4.0 hours

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• StoreFrontServer-2 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off

Architecture Overview
The following diagram depicts the functions and communications of the Delivery Controller within a XenApp and
XenDesktop deployment.



Windows authentication is required for connections between the Controller and the SQL Server database.

The Delivery Controller contacts the hypervisor to confirm availability of the virtual machines and applications that will be
presented to an end user.
The Delivery Controller communicates with Active Directory to validate end-user credentials.
Studio and Director communicate with the Delivery Controller to manage and configure the site.
Once an end user's session has connected to a StoreFront server, the Delivery Controller can present the end user with a list
of resources from the physical network or from a supported hypervisor.

Resources
XenApp and XenDesktop provide a variety of virtualization models that can be used to provide the end-user with access to
virtual desktops and hosted applications. XenApp and XenDesktop virtualization models include:
• Server OS machines and hosted applications are provided via Remote Desktop Services (formerly Terminal Services) on
a Windows Server operating system. Remote Desktop Services allows multiple user sessions to be hosted on a single
system.
• Desktop OS machines and hosted applications are provided on virtual machines running a workstation operating
system.
• Remote PC Access provides direct access to any physical PC located in the environment. Installing the Virtual Delivery
Agent on the office PC enables it to register with the Delivery Controller. In addition, it manages the HDX (ICA)
connection between the machine and endpoints. The Citrix Receiver running on the endpoint provides access to all of the
applications and data on the office PC. An end user can be provided access to more than one physical PC or a
combination of physical PCs and virtual desktops.



This graphic shows that the information from Active Directory is used to create the Delivery Groups, which are
then used to determine which end users will be allowed to use the machines. The Master Images (VMs) contain
the resources (desktops and hosted applications) that will be delivered to end users. These VMs are used by MCS
or PVS to create the machines in a machine catalog. The machine catalog is then used by the Delivery Group to
provide resources to end users.

Discussion Question
You want to provide four applications to over 50 end users, but you do not want to provide those end users with a desktop.
In addition, you want to run and deliver the applications from only two systems. Which XenApp and XenDesktop
virtualization model should you implement to meet these requirements?

Preparing the Master Image Virtual Machine


XenApp and XenDesktop use a master image (in VHD format) to create the machines that will be delivered to end users.
The master image virtual machine contains the operating system and applications (resources) that will be delivered to end
users. The master image can be prepared from a physical or virtual machine. To prepare the master image, you should:
• Optimize the hard drive.
• Delete end-user specific information.
• Update the operating system and applications installed on the master image to the current standard.
• Install all required drivers.
• Install the appropriate XenApp and XenDesktop tools (such as Virtual Delivery Agent, HDX 3D Pro Virtual Desktop
Agent, P2V, or V2V).

You should only install the HDX 3D Pro Virtual Desktop Agent if the master image has a desktop OS
installed on it and the image will have access to a Graphical Processing Unit (GPU). You should install the
P2V (Physical to Virtual) tool if you are converting a physical machine to a virtual machine image. You
should install the V2V (Virtual to Virtual) tool if you are converting a Xen-based virtual machine to a Citrix
XenServer virtual machine.
• Install core applications that are appropriate for general distribution and that the majority of users of the machines
created from the image will need. Examples include anti-virus and alternate browsers.
• Install the Citrix Receiver and plug-ins that are needed such as the Microsoft App-V plug-in if applications will be
streamed to the VDA on the machine.



Creating the Master Image
You should keep the number of master images in the environment to a minimum to reduce administrative overhead. If the
requirements of the end users are different, it may warrant creating separate master images. Application requirements are not
enough of a reason to create a separate master image. Application requirements can be met using hosted applications.

Installing Locales and Language Packs is not the best method for the localization of your master image. It is best
to create a separate master image for each language group. That way, the operating system, applications, and data
match the selected language group.

The operating system in the master image is used to provide:


• A Windows Server environment for Server OS machines, hosted applications, or Server OS machines with hosted
applications. Applications can be tested using AppDNA to determine compatibility with the operating system and the
multi-user nature of the master image.
• A Windows Desktop environment to provide Desktop OS machines, hosted applications, or Desktop OS machines with
hosted applications.

Make sure that you configure the amount of hard disk space in the master image to allow sufficient room for the
operating system, applications, and updates. The amount of hard disk space allocated is difficult to change later.
Remember that the amount of write cache space needed is equal to the amount of empty space on the master
image. Specifying a large empty disk space can cause problems with your storage. For example, in Provisioning
Services, if a master image has 100 GB of free space, and you deploy it to 1000 end users, you will need 1000
multiplied by the free space just for the write cache. Machine Creation Services has a differencing disk and an
identity disk for each end user and also scales using the same formula.

Discussion Question
You created a master image and used it to create a machine catalog consisting of 100 machines. One of your co-workers
deleted the master image from the hypervisor. What will be the effect of this deletion on the XenApp and XenDesktop
environment?

Setting Up a Server OS Master Image


Some of your master images will be based on a Windows Server operating system. These images will be used to deliver Server
OS machines and server-based hosted applications. A master image must exist before a machine catalog can be created.

Using a Virtual IP Address


Virtual IP and virtual loopback allow XenApp and XenDesktop administrators hosting application sessions on Server OS
machines running Server 2008 R2 and later to host IP dependent applications. By default, each application running on a
Server OS machine shares the IP address of that machine.
The virtual IP address feature allows you to provide a unique and unused IP address to an application session running on a
Server OS machine. The virtual loopback feature allows you to assign a session an IP address from the localhost 127.0.0.1
range. These features are implemented using Citrix policies and are independent; you do not have to enable both.

In larger environments, depending upon the class of network and the number of devices and applications
supported, it may be possible to run out of unique IP addresses.

Applications that might require the use of the virtual IP and virtual loopback features for addressing, licensing, and
identification, include CRM and Computer Telephone Integration (CTI). For more information about virtual IPs and virtual
loopback, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-deliver-virtual-ip.html.

Installing and Configuring the Virtual Delivery Agent


The Virtual Delivery Agent (VDA) is required on all Server OS master images. The VDA enables connectivity to the Server
OS machine from any endpoint that has Citrix Receiver installed. The Virtual Delivery Agent enables the Server OS machine
to register with Delivery Controllers and manage the HDX (ICA) connection between the Server OS machine and the
endpoint. HDX (ICA) technology supports the communication and collaboration tools and high-quality multimedia that end
users need to work productively. It examines screen activity and determines how best to display responses, graphics and
media, and whether to render locally or remotely in real-time.
In addition, when the Virtual Delivery Agent is installed on a Server OS machine, the Remote Desktop Services role is
installed and the Remote Desktop Session Host is activated. This allows you to host multiple end-user sessions for desktops
and hosted applications on a single server. The Virtual Delivery Agent should be installed prior to any applications being
installed on the server.

Remote Desktop Services (RDS, formerly known as Terminal Services) is not required on the servers running the
Delivery Controller role, because these servers do not host HDX connections. The Server OS machine in XenApp
and XenDesktop catalogs running the VDA must have RDS installed. Remote Desktop Licenses are required.

The VDA is configured to discover the Delivery Controllers during the installation of the VDA.

The HDX 3D Pro VDA is not available for installation on a Server OS operating system.

To Install and Configure the VDA on a Server OS Master Image


The installation steps for installing a VDA on a Server operating system are different than those used to install the
VDA on a Desktop operating system.

1. Right-click the master Windows 2012 R2 VM, click Start, and then click the Console tab.
Right-click Win2012R2Master, click Start, and then click the Console tab.

2. Log on to the VM on which you want to install the VDA using domain administrator credentials.
Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.

3. Insert the XenApp and XenDesktop installation media in the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

4. Click the File Explorer icon on the taskbar.


5. Click This PC.
6. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click AutoSelect.

7. Click Start next to XenDesktop.


8. Click Virtual Delivery Agent for Windows Server OS.
9. Select Create a Master Image and then click Next.
10. Determine if Citrix Receiver will be installed and then click Next.
Verify that Citrix Receiver is selected and then click Next.

11. Choose your Delivery Controller.


Select Do it manually, type c-1.training.lab, click Test Connection and then click Add. Type c-2.training.lab and
then click Add. Click Next.

12. Select the features you want to install and then click Next.
Verify that all features are selected and then click Next.

Features include:
• Optimize performance: Enables or disables optimization for VDAs running in a VM on a hypervisor.
VM optimization includes disabling offline files, disabling background defragmentation, and reducing the
Event Log size. For more information about the optimization tool, see CTX125874. You should not enable
this option for Remote PC Access.
• Use Windows Remote Assistance: Enables or disables Windows Remote Assistance for use with Director.
When this feature is enabled, Windows automatically opens TCP port 3389 in the firewall (even if you
choose to open firewall ports manually on the next wizard page).
• Use Real-Time Audio Transport for audio: Enables or disables the use of UDP for audio packets.
Enabling this feature can improve audio performance.

13. Determine how the firewall ports will be configured and then click Next.
Verify that Automatically is selected and then click Next.

These are the ports used by the VDA. If the VDA will use alternate port assignments, select Manually to
configure the ports after installation completes.

14. Review the installation settings and then click Install.

You can change the settings by clicking the Back button.

15. Click Close and then wait for the master image to restart.

The machine will restart automatically after a few seconds and the VDA will be configured. Do not eject the
XenApp and XenDesktop media from the DVD drive. Doing so will cause the installation of the VDA to be
incomplete, and desktops created from the image will fail to register.

16. Wait while the VM updates.

This will take approximately 5 minutes.

17. Log on to the VM on which you installed the VDA using domain administrator credentials to complete the configuration
of the VDA.
Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.

18. Wait while the prerequisites and selected core components are installed and initialized.

This will take approximately 5 minutes.

19. Verify that Restart machine is selected and then click Finish.
20. Wait while the VM restarts.
21. Log on to the VM using domain administrator credentials.
Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.

22. Eject the XenApp and XenDesktop media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to remove the XenApp and XenDesktop media.

Installing and Configuring Third-Party Applications
Install any third-party applications or tools that you want to include in the master image. These applications may include:
Windows applications, antivirus software, electronic software distribution agents, configuration services, Windows Update
software, and more.

You should virtualize applications to significantly reduce the number of master images you need to support the
end users in the environment and to reduce the administrative overhead required to support multiple master
images when application updates need to be installed.

When configuring the applications, you should ensure that you use settings appropriate for the end users and the machine
type, as these configurations will be propagated to end users from the master image. Compatibility testing should be
conducted before you install any application on a master image that will be released to the production environment.

To Install Third-Party Applications


1. Log on to the VM that will be used as the master image using domain administrator credentials.
Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.

2. Click Desktop.
3. Insert the ISO image of the third-party application into the DVD drive.
Select Microsoft_Office_2010_Professional_SP1_English.iso in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:).

If the installation wizard does not start, double-click setup.

6. Read and respond to the license agreement.


Select I accept the terms of this agreement and then click Continue.

7. Determine which applications to install on the master image.

Be aware that if you select a Standard install, all Microsoft Office applications will be installed, which requires
additional disk space as well as more time to complete the download and installation.

Click Customize and then do the following:


a. Click the down arrow to the left of Microsoft Access and then click Not Available.
b. Click the down arrow to the left of Microsoft InfoPath and then click Not Available.
c. Click the down arrow to the left of Microsoft OneNote and then click Not Available.
d. Click the down arrow to the left of Microsoft Outlook and then click Not Available.
e. Click the down arrow to the left of Microsoft Publisher and then click Not Available.
f. Click the down arrow to the left of Microsoft SharePoint Workspace and then click Not Available.
g. Click the down arrow to the left of Microsoft Visio Viewer and then click Not Available.
h. Click the down arrow to the left of Office Shared Features and then click Not Available.
i. Click the down arrow to the left of Office Tools and then click Not Available.

Microsoft Excel, Microsoft PowerPoint, and Microsoft Word will be the only applications installed on the
master image.

8. Click Install Now.

You can expect the installation to take approximately 15 minutes.

9. Click Close when the installation is completed.

The operating system and applications installed on the master image should be licensed before the master
image is used to create a machine catalog. Once armed, you do not need to rearm Microsoft Office or
Microsoft Windows if you are using XenServer 6.1, XenServer 6.2, vSphere, or SCVMM with Machine
Creation Services.

10. Click Eject next to the DVD drive field to eject the ISO image.

Installing Anti-Virus Software


Antivirus software is a common-sense, generally accepted requirement in most corporate environments. Once you have
determined which anti-virus platform you will standardize upon, install the anti-virus software on the master image. You
should configure anti-virus software with the appropriate inclusions to and exclusions from anti-virus scans. This topic is
beyond the scope of this class and you should consult with the proper security specialist in your company to ensure machines
are properly protected.

Discussion Question
You are providing desktops to four end-user groups in your environment. Each of the end user groups requires a set of
common applications. In addition each end user group requires that a set of job-specific applications be available to them
from their desktop. How many master images will you need to create to support the four end-user groups?

Troubleshooting Virtual Delivery Agent Issues


The following table identifies VDA configuration issues and resolutions.

Issue: The VDA installation stops responding.
Resolution: Check behind the VDA installation window to see if an error message is halting the installation. If an
error message is present, address the issue in the error message and then click OK in the error message to continue
installing the VDA.

A common error is "Printer - The arguments are invalid". This error message appears when the Print Spooler
Service is not started. The VDA requires the Print Spooler Service to be running. You can manually start the
Print Spooler Service or wait for it to start.
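Two points from the Server OS installation above can be checked on the master image before it is shut down for catalog creation: the Windows Remote Assistance feature opens TCP port 3389 even when firewall ports are configured manually, and the VDA depends on the Print Spooler Service. The PowerShell below is an added example, not part of the course material; the function names are illustrative, and it assumes an elevated session and reads only the local firewall policy store.

```powershell
#Requires -Version 3.0
# Added example (not from the course material): read-only checks to run in an
# elevated PowerShell session on the master image after the VDA installation
# completes. Whatever is found here is inherited by every machine created
# from the image.

# Return $true when a firewall LocalPort specification covers $Port.
# A specification is a list of entries such as 'Any', '3389' or '5000-5010';
# keyword entries such as 'RPC' never match a numeric port here.
function Test-PortCovered {
    param(
        [string[]]$PortSpec,
        [int]$Port
    )
    foreach ($entry in $PortSpec) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# List enabled inbound allow rules that admit TCP traffic to $Port.
# Without -PolicyStore the cmdlets read the local persistent store, so rules
# delivered by Group Policy are not listed.
function Get-InboundAllowRule {
    param([int]$Port)
    Get-NetFirewallPortFilter |
        Where-Object {
            ($_.Protocol -eq 'TCP' -or $_.Protocol -eq 'Any') -and
            (Test-PortCovered -PortSpec $_.LocalPort -Port $Port)
        } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow'
        } |
        Select-Object DisplayName, DisplayGroup, Profile
}

# Report the Print Spooler state and start mode (the VDA requires it to run).
function Get-SpoolerState {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" |
        Select-Object Name, State, StartMode
}

$rdpRules = @(Get-InboundAllowRule -Port 3389)
$spooler  = Get-SpoolerState

# One summary row per image; review the rule names before creating the catalog.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Tcp3389RuleCount = $rdpRules.Count
    Tcp3389Rules     = ($rdpRules.DisplayName -join '; ')
    SpoolerState     = $spooler.State
    SpoolerStartMode = $spooler.StartMode
}

if ($spooler.State -ne 'Running') {
    Write-Warning 'Print Spooler is not running; the VDA requires this service.'
}
```

The same checks apply to the Desktop OS master image, where the wizard offers the same Windows Remote Assistance feature.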

Setting Up a Desktop OS Master Image


Some of your master images will be based on a Windows Desktop operating system and will be used to provide Desktop OS
machines and hosted applications to end users. The steps for Desktop OS master images are similar to the steps used to create
Server OS master images.

Installing and Configuring the Virtual Delivery Agent


The VDA is required on all Desktop OS master images. The VDA enables connectivity to the Desktop OS machine from any
endpoint using Citrix Receiver. The VDA enables the Desktop OS machine to register with the Delivery Controllers and
manage the HDX (ICA) connection between the Desktop OS machine and the endpoint. The VDA is configured to discover
the Delivery Controllers during the installation of the VDA.

You cannot upgrade the Virtual Desktop Agents running on Windows XP or Windows Vista operating systems to
XenDesktop 7 Virtual Delivery Agents. You must upgrade these VDAs to the Windows XP or Windows Vista
version provided by the installer, or upgrade them using XenDesktop Version 5.6 Feature Pack 1.

There are two different VDAs available for installation on a Desktop operating system: Standard VDA and HDX 3D Pro
VDA. The HDX 3D Pro VDA allows the desktop to take advantage of the Graphics Processing Unit (GPU) on the hardware
running the virtual desktop.

To Install and Configure the VDA on a Desktop OS Master Image


1. Right-click the master Windows 8.1 VM, click Start, and then click the Console tab.
Right-click Win8Master, click Start, and then click the Console tab.

2. Log on to the VM on which you want to install the VDA using domain administrator credentials.
Log on to Win8Master using the TRAINING\Administrator and Password1 credentials.

3. Click Desktop on the Start screen and then click the File Explorer icon on the taskbar.

You may need to complete the mini tutorial before you are allowed to click the Desktop icon.

4. Click This PC.


5. Insert the XenApp and XenDesktop installation media into the DVD drive.
Click XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.

6. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click AutoSelect.

7. Click Start next to XenDesktop.


8. Click Virtual Delivery Agent for Windows Desktop OS.
9. Verify that Create a Master Image is selected and then click Next.
10. Determine which version of the Virtual Delivery Agent should be installed and then click Next.
Verify No, install the standard VDA is selected and then click Next.

The HDX 3D Pro VDA should not be installed in the lab environment.

11. Determine if Citrix Receiver will be installed and then click Next.
Verify that Citrix Receiver is selected and then click Next.

12. Choose your Delivery Controller.

a. Select Do it manually, type c-1.training.lab, click Test Connection and then click Add. Type
c-2.training.lab and then click Add. Click Next.

13. Select the features you want to install and then click Next.
Select Personal vDisk, verify that all features are selected, and then click Next.

Features include:
• Optimize performance: Enables or disables optimization for VDAs running in a VM on a hypervisor.
VM optimization includes disabling offline files, disabling background defragmentation, and reducing
Event Log size. For more information about the optimization tool, see CTX125874. You should not enable
this option for Remote PC Access.
• Use Windows Remote Assistance: Enables or disables Windows Remote Assistance for use with Director.
When this feature is enabled, Windows automatically opens TCP port 3389 in the firewall (even if you
choose to open firewall ports manually on the next wizard page).
• Use Real-Time Audio Transport for audio: Enables or disables the use of UDP for audio packets.
Enabling this feature can improve audio performance.
• Personal vDisk: Retains the single image management of static (Machine Creation Services) and streamed
(Provisioning Services) Desktop OS machines while allowing users to install applications and change
desktop settings. If Personal vDisk is selected, the Personal vDisk Update tool must be the last thing run
on the master image before the master image is used to create a machine catalog.

14. Determine how the firewall ports will be configured and then click Next.
Verify that Automatically is selected and then click Next.

These are the ports used by the VDA. If the VDA will use alternate port assignments, select Manually to
configure the ports after installation completes.

15. Review the installation settings and then click Install.


16. Wait while the prerequisites and selected core components are installed and initialized.

This will take approximately 10 minutes.

17. Verify that Restart machine is selected and then click Finish.

The machine will restart automatically after a few seconds and the VDA will be configured. Do not eject the
XenApp and XenDesktop installation media from the DVD drive. Doing so will cause the installation of the
VDA to be incomplete and desktops that are created from the image will fail to register.

18. Wait while the VM starts.


19. Log on to the VM using domain administrator credentials.
Log on to Win8Master using the TRAINING\Administrator and Password1 credentials.

20. Eject the XenApp and XenDesktop media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to remove the XenApp and XenDesktop media.

21. Install the desired applications on the master image.


Do not install any applications in the class.

22. From the Start screen, type Update, and then click Update Personal vDisk. Click the Update Inventory button and be
sure to leave the check box selected while the update runs so that the machine shuts down when it finishes.

This step is only necessary if Personal vDisk was selected in Step 13. Failure to run the Update Personal vDisk
tool when Personal vDisk is selected will result in a desktop that cannot be accessed by end users. It will take
approximately 10 minutes for the Personal vDisk inventory update to complete. If you plan to make additional
changes to the master image, you can wait and run the Update Personal vDisk tool later. If you forgot to select
the Personal vDisk option, you can enable it by running the Update Personal vDisk tool in the VM.

Discussion Question
What is meant by the term registration?

Creating a Machine Catalog
A machine catalog is a collection of virtual machines or physical machines managed as a single entity.
Machine catalogs are used to specify the virtual or physical machines available to host applications, desktops or both. Each
machine in a catalog has a unique machine account in Active Directory. Machine catalogs specify the type of machine
allocated, such as static or random. Each catalog is also categorized by the machine provisioning method. Machine provisioning
methods include Machine Creation Services, Provisioning Services and Existing. All machines in a catalog must run the same
operating system. Depending upon the machine provisioning method, the machine catalog may also specify the master image
used to create the machines.

Citrix leading practice is to use MCS or PVS for centralized image management and resource savings for creating
and managing catalogs.

The first step in creating most machine catalogs is creating the master machine. Each catalog requires its own master
machine. The master machine is the fully configured golden image that is used to create the machine catalog. You can update
a machine catalog and all its virtual machines by updating the master image.
After the machine catalog is created, a Delivery Group is created to organize the desktops or applications or both from a
catalog for a group of end users. The results of the delivery group populate the end user store with icons that reflect the
assigned resources for which the user has permission.

Using Machine Creation Services


Machine Creation Services (MCS) is a collection of services that work together to create virtual desktops from a master
desktop image on demand, optimizing storage utilization and providing a pristine virtual desktop to end users every time they
log on.

MCS creates two disks for every machine that is generated from the master image. The two disks are an Identity Disk and a
Differences Disk.
The Identity Disk contains the virtual machine's presence within Active Directory. It deals with the relationship between the
machine and the Active Directory database. The Differences Disk holds changes made to the base image within the session. As
all machines are spawned from one snapshot, their uniqueness is written into the Differences Disk as opposed to the base
image.

Creating a Machine Catalog for Server OS and Hosted Applications


The machine catalog type defines the hosting infrastructure for desktops and applications, and the level of control that end
users have over their environment. Server OS machines can provide a Windows Server desktop and hosted applications that
are shared by a large number of end users. Machine catalogs based on a Server OS can provide desktops that are:
• Allocated to end users on a per-session, first-come, first-serve basis.
• Deployed on standardized machines.
Machine catalogs based on a Server OS can also be used to provide hosted applications that:
• Are available to end users through Citrix Receiver.
• Run on the Server OS machine.
• Use App-V to stream the application to the VDA on the Server OS machine.

To Create a Machine Catalog for Server OS and Hosted Applications


1. Shut down the master image VM for the Server OS and then click Yes to confirm the shutdown.
Right-click the Win2012R2Master VM, click Shut Down, and then click Yes.

2. Wait for the icon to turn red.


3. Log on to the VM that is hosting Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

You must log on to the VM hosting Studio with a domain administrator account if you plan to use XenApp
and XenDesktop to create the Active Directory computer accounts for the machines in the catalog.

4. Click Start, type Studio, and then click Citrix Studio. Click Cancel if the End Snap-in window appears. Click Close on
the Delegated Administration welcome screen.
5. Select the Machine Catalogs node in the left pane.
6. Click Create Machine Catalog in the right pane.

If this is the first machine catalog you have created, the Machine Catalog node will not be visible until you
have completed one of the initial configuration tasks presented when you first start Studio.

7. Click Next on the Introduction page.

You can avoid seeing this page when creating additional machine catalogs by selecting Don't show this again.

8. Select the type of machine catalog you want to create and then click Next.
Select Windows Server OS and then click Next.

Options include:
• Windows Desktop OS provides individual and customizable desktops based on a workstation operating
system.
• Windows Server OS provides a standardized desktop based on a Server operating system.
• Remote PC Access enables end users to log on remotely to a physical PC from anywhere. The Remote PC
Service must be installed on the Delivery Controller VM in order to place physical PCs in a machine
catalog. Once installed, the VDA on the office PC enables it to register with the Controller and manages
the HDX connections between the machine and the endpoints. The Receiver running on the endpoint
provides the end user with access to all of the applications and data on the office PC.

9. Determine how the infrastructure will be built and managed and then click Next.
Verify that Machines that are power managed and Citrix Machine Creation Services (MCS) are selected and then
click Next.

10. Select a virtual machine to use as the master image and then click Next.
Select Win2012R2Master and then click Next.

11. Specify the number of VMs to create, the number of virtual CPUs and the amount of memory for each VM, and then
click Next.
Verify that 2 is specified in the Number of virtual machines needed field, 2 is specified in the vCPUs field, 2048 is
specified in the Memory (MB) field, and then click Next.

Because of the limited storage in the lab environment, you are only creating two machines. In a real-world
environment, you would create enough machines to satisfy the needs of the end users in the environment.

12. Determine whether to use existing Active Directory accounts or to create new ones.
Verify that Create new Active Directory accounts is selected and then double-click Training Virtual Desktops >
Servers in the Active Directory location for computer accounts section.

If you are creating new accounts, you must specify the OU where they should be created. The Active Directory
organizational units must be created before you complete this step.

13. Create an account-naming scheme, specify the format for the numbering, and then click Next.
Type Server2012R2-## in the Account naming scheme field, verify that 0-9 is selected, and then click Next.

The ## in the naming scheme will be replaced with numbers or letters. If a large number of machines will be
needed, you can add additional # signs to the end of the Account naming scheme.

14. Type a machine catalog name and description and then click Finish.
Type Windows 2012 R2 Servers-Apps in the Machine Catalog name field, Win 2012 R2 Servers with Apps in the
Description field, and then click Finish.

The master image will be copied, then differencing disks and identity disks will be created for each VM. If you
click the Hide progress button during the creation of the machine catalog, the progress bar becomes visible as
a green bar in the name of the machine catalog on the Machine Catalog screen. The green bar will grow in
size as the machine creation progresses. You can expect the configuration to take approximately 15 minutes.
You can continue to use Studio while the machine creation process runs.

Creating a Machine Catalog for Desktop OS Machines


The Desktop OS machine catalog type lets you provide individual desktop environments and hosted applications for each end
user as well as customizable desktops that include Personal vDisks (PvD). The types of machines that can be configured in a
machine catalog for Desktop OS machines include:
• Random machines (formerly known as pooled) provide desktops to end-users on a per-session, first-come, first-serve
basis. They are arbitrarily assigned to end users at each logon and returned to the pool when the end users log off.
• Static machines (formerly known as assigned) provide desktops that are assigned to individual end users that usually
need to install their own applications on their desktops. Machines can be assigned manually or they can be automatically
assigned to the first end user to connect to the machine. Whenever end users request a desktop, they are always
connected to the same machine. This allows end users to personalize their desktops to suit their needs.
• Static machines and streamed machines that use Personal vDisks support end users who need to personalize their
desktops and store their changes on a separate vDisk so the changes are available at the next logon. If Personal vDisks
are used, the Update Personal vDisk tool must be run on the master image to update the Personal vDisk inventory
whenever you make changes to the master image. Failure to update the Personal vDisk inventory can result in machines
that cannot be accessed by end users or the Personal vDisk being unavailable in machines based on the master image.

Streamed machines refer to virtual machines provided by Provisioning Services. Provisioning Services will be
covered later in this course.

To Create a Desktop OS Machine Catalog


1. Shut down the master image VM for the Desktop OS and then click Yes to confirm the shutdown.
Verify that the Win8Master VM is shut down. If the Win8Master VM is not shut down, it is probably still updating the
Personal vDisk. Do not force the shutdown; allow the process to continue and the VM will shut down when it is finished.

2. Wait until the icon turns red.


3. Log on to the VM that is hosting Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

You must log on to the VM hosting Studio with a domain administrator account if you plan to use XenApp
and XenDesktop to create the Active Directory computer accounts for the machines in the catalog.

4. Click Start, type Studio, and then click Citrix Studio.


5. Select the Machine Catalogs node in the left pane.
6. Click Create Machine Catalog in the right pane.

If this is the first machine catalog you have created, the Machine Catalog node is not visible until you have
completed one of the initial configuration tasks presented when you first start Studio.

7. Click Next on the Introduction page.

You can avoid seeing this page when creating additional machine catalogs by selecting Don't show this again.

8. Select the type of machine catalog you want to create and then click Next.
Verify that Windows Desktop OS is selected and then click Next.

Options include:
• Windows Desktop OS provides individual and customizable desktops based on a workstation operating
system.
• Windows Server OS provides a standardized desktop based on a Server operating system.
• Remote PC Access enables end users to log on remotely to a physical PC from anywhere. The Remote PC
Service must be installed on the Delivery Controller VM in order to place physical PCs in a machine
catalog. Once installed, the VDA on the office PC enables it to register with the Controller and manages
the HDX connections between the machine and the endpoints. The Receiver running on the endpoint
provides the end user with access to all of the applications and data on the office PC.

9. Determine how the infrastructure will be built and managed and then click Next.
Verify that Machines that are power managed and Citrix Machine Creation Services (MCS) are selected and then
click Next.

The infrastructure can be built using either virtual machines or physical hardware. The machine images can be
managed using: Machine Creation Services, Provisioning Services (PVS), or a service or technology other than
Citrix (existing images).

10. Select a user experience in the Desktop Experience page.


Select I want users to connect to the same (static) desktop each time they log on.

You can configure the desktop experience to use a new (random) desktop each time the user logs on, or use
the same (static) desktop each time the user logs on.

11. Determine whether user changes will be saved to a Personal vDisk, to the local disk, or discarded, and then click Next.
Select Yes, save changes on a separate Personal vDisk and then click Next.

The Desktop Experience page is not available if you are configuring a Server OS machine catalog or Remote
PC Access. In addition, Personal vDisk is not available if you are configuring a machine catalog for:
• A Windows Desktop OS that will deliver a new (random) desktop each time the user logs on.
• Windows Server OS.
• Remote PC Access.
Personal vDisk is only available for machine catalogs providing static Desktop OS desktops.

12. Select a virtual machine to use as the master image and then click Next.
Select Win8Master and then click Next.

13. Specify the number of VMs to create, the number of virtual CPUs, and the amount of memory for each VM.
Verify that 1 is specified in the Number of virtual machines needed field, 2 is specified in the vCPUs field, and 2048 is
specified in the Memory (MB) field.

Because of the limited storage in the lab environment, you are only creating a single machine. In a real-world
environment, you would create enough machines to satisfy the needs of the end users in the environment.

14. Specify the size and the drive letter to use for the Personal vDisk and then click Next.
Type 5 in the Personal vDisk size (GB) field and then click Next.

The default drive size is 10 GB and the default drive letter is P. You should not reduce the size of the Personal
vDisk below 3 GB.

15. Determine whether to use existing Active Directory accounts or to create new ones.
Verify that Create new Active Directory accounts is selected and then double-click Training Virtual Desktops >
Desktops in the Active Directory location for computer accounts section.

If you are creating new accounts, you must specify the OU where they should be created. The Active Directory
organizational units must be created before you complete this step.

16. Create an account-naming scheme, specify the format for the numbering, and then click Next.
Type Static-PvD-## in the Account naming scheme field, verify that 0-9 is selected, and then click Next.

The ## in the naming scheme can be replaced with numbers or letters. If a larger number of machines will be
needed, you can add additional # signs to the end of the Account naming scheme.

17. Type a machine catalog name and description, and then click Finish.
Type Windows 8 Desktops in the Machine Catalog name field, type Static Win 8 desktops with PvD in the
Description field, and then click Finish.

The master image will be copied onto each VM created in the machine catalog. If you click the Hide progress
button during the creation of the machine catalog, the progress bar becomes visible as a green bar in the name
of the machine catalog on the Machine Catalog screen. The green bar will grow in size as machine creation
progresses. You can expect the configuration to take approximately 15 minutes. When the configuration
completes, one machine in the machine catalog will start automatically to initialize the disks. Once the disks
have been initialized, the machine will automatically shut down. You can continue to use Studio while the
machine creation process runs.

Discussion Question
During the creation of a machine catalog, you are prompted to use existing computer accounts or create new computer
accounts in Active Directory. What permissions must you have in order for XenApp and XenDesktop to create new computer
accounts?

Creating a Delivery Group


Delivery Groups are a grouping of end users who require access to a common set of applications or desktop resources, and
require the same end-user experience across those resources. A Delivery Group can access different machine catalogs as long
as the machine catalogs consist of similar machine types. For example, end users assigned to the Engineer Delivery Group can
access the hosted applications on the Server 2012 App Catalog as well as the CAD application hosted on the Server 2012 CAD
Catalog; the desktop and the applications are delivered with a consistent end-user experience from a single Delivery Group.

You cannot create mixed Delivery Groups from machine catalogs with different machine types. Machine catalog
characteristics must match if you want to put the machines into a single group. For example, you cannot mix
machines from Server OS machine catalogs with Desktop OS machine catalogs.

Defining the end-user experience in the Delivery Group means that you do not need to duplicate or maintain these settings
across multiple pools of resources, and the backend resources can be changed without affecting the end-user experience.
Delivery Groups identify the end users that have access to the desktops and hosted applications provided by machine catalogs.
You can configure multiple Delivery Groups for a single machine catalog in Citrix Studio. Active Directory integration allows
you to select specific groups and grant them access to desktops and applications.

Session prelaunch and session linger are user session experience optimizations. The session prelaunch and session linger
features help users quickly access applications by starting sessions before they are requested (session prelaunch) and keeping
application sessions active after a user closes all applications (session linger). These features are supported for Server OS
machines only.
By default, session prelaunch and session linger are not used; a session starts (launches) when a user starts an application, and
remains active until the last open application in the session closes. Session prelaunch and session linger settings are
configured in the settings for a Delivery Group.
Considerations:
• The Delivery Group must support applications, and the Server OS machines must be running a Server VDA version 7.6
or later.
• Users must be using a Citrix Receiver for Windows that is configured with additional settings. For more information
about these additional settings, see Citrix product documentation at http://docs.citrix.com for session prelaunch for the
specific Receiver for Windows version.
• When using session prelaunch:
    • Physical client machines cannot use the suspend or hibernate power management functions.
    • Users can lock their end-user devices but should not log off.
• Prelaunched and lingering sessions consume a license, but only when connected. Unused prelaunched and lingering
sessions disconnect after 15 minutes by default. This value can be configured in PowerShell using the
New/Set-BrokerSessionPreLaunch cmdlet.

Careful planning and monitoring of your users’ activity patterns are essential to tailoring these features to
complement each other. Optimal configuration balances the benefits of earlier application availability for users
against the cost of keeping licenses in use and resources allocated.

Securing Connections
Many administrators must comply with company security requirements and ensure that all company traffic
(internal and external) is secure. To ensure that communications are properly encrypted, administrators typically add
certificates to Delivery Controllers, StoreFront servers, NetScaler appliances and more.
The SSL to VDA feature allows you to secure communications between users and the Virtual Delivery Agents (VDAs) with
SSL. To configure SSL to VDA, you:
• Manually configure SSL on the machines containing the VDA using the Microsoft Management Console or use the
Enable-VdaSSL.ps1 PowerShell script located on the installation media.

The PowerShell script configures SSL on static VDAs; it does not configure SSL on random (pooled) VDAs
that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets
on each restart.

• Configure SSL in the Delivery Groups containing the VDAs using the Get-BrokerAccessPolicyRule and
Set-BrokerAccessPolicyRule PowerShell cmdlets in Studio.
Before you configure the SSL to VDA communications, you should be aware of the following considerations:
• SSL connections between users and VDAs are valid only for sites in XenApp 7.6 and XenDesktop 7.6 or later versions.
• SSL configuration in the Delivery Groups and on the machines containing the VDA is done after you create the Delivery
site, create the machine catalogs, and create the Delivery Groups.
• Only Full Administrators have the permissions required to configure SSL in the Delivery Groups and change the Delivery
Controller access rules.
• Only Windows administrators on the machines containing the VDA have the necessary permissions to configure SSL on
those machines.
• If SSL Relay was installed on a machine, it must be uninstalled before installing the VDA on the machine. This is
applicable to machines being upgraded from a previous version of XenApp or XenDesktop.

For more information about securing internal communications using the SSL to VDA feature, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html.
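
The Delivery Group half of the SSL to VDA configuration described above, as an added example that is not part of the course material. It assumes the Office Apps Delivery Group from this module's lab and that SSL is already enabled on each VDA; the -HdxSslEnabled and -DnsResolutionEnabled parameters are not named on this page and come from the Citrix Broker PowerShell SDK.

```powershell
# Added example: require SSL for HDX sessions brokered to a Delivery Group.
# Assumptions: run as a Full Administrator on a machine with the Citrix Broker
# snap-in; SSL is already enabled on every VDA in the group (manually or with
# Enable-VdaSSL.ps1); 'Office Apps' is the lab Delivery Group from this module.
Add-PSSnapin Citrix.* -ErrorAction Stop

$deliveryGroups = @('Office Apps')

foreach ($name in $deliveryGroups) {
    # A Delivery Group can have more than one access policy rule (for example,
    # one for direct connections and one for connections through NetScaler).
    $rules = @(Get-BrokerAccessPolicyRule -DesktopGroupName $name)
    if ($rules.Count -eq 0) {
        Write-Warning "No access policy rules found for Delivery Group '$name'; skipping."
        continue
    }

    # Record the state before the change so it can be reviewed or rolled back.
    $rules | Select-Object Name, DesktopGroupName, Enabled, HdxSslEnabled |
        Format-Table -AutoSize

    # Turn on SSL for every rule of the group, not just the first one;
    # a rule left unset can still broker sessions without SSL.
    $rules | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
}

# The VDA certificate is issued to the machine's FQDN, so the Controller must
# hand clients a DNS name instead of an IP address.
Set-BrokerSite -DnsResolutionEnabled $true

# Verification: collect any rule of the targeted groups that still has SSL off.
$unsecured = foreach ($name in $deliveryGroups) {
    Get-BrokerAccessPolicyRule -DesktopGroupName $name |
        Where-Object { -not $_.HdxSslEnabled }
}
if ($unsecured) {
    $names = ($unsecured | ForEach-Object { $_.Name }) -join ', '
    throw "SSL to VDA is still disabled on these access policy rules: $names"
}
"SSL enabled on all rules; DNS resolution enabled: $((Get-BrokerSite).DnsResolutionEnabled)"
```

Because the Enable-VdaSSL.ps1 script does not cover random (pooled) VDAs, confirm the VDA side separately for those machines before enforcing SSL on their Delivery Group.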

To Create a Delivery Group to Provide Hosted Applications
This procedure will make applications installed on Server OS machines available to end users through a Delivery
Group. This functionality was formerly provided by Citrix XenApp, but is now integrated in XenApp and
XenDesktop.
This procedure could also be performed on a Desktop OS machine to provide hosted applications to users,
although some choices may be slightly different. This functionality was formerly known as VM Hosted Apps.
1. Log on to the computer hosting Citrix Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start and then click Citrix Studio.


3. Select the Delivery Groups node in the left pane.
4. Click Create Delivery Group in the right pane.

If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center
pane.

5. Click Next in the Getting Started with Delivery Groups page.

If you previously selected Don't show this again, this page will not appear.

6. Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and
then click Next.
Select Windows 2012 R2 Servers-Apps, type 1 in the Choose number of machines to add field, and then click Next.

Because of the limited storage in the lab environment, you only have a single machine available in the machine
catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users
in the environment.

7. Select the resource to deliver in the Delivery Type screen and then click Next.
Select Applications and then click Next.

The options include:


a. Desktops: Presents end users with an entire Windows Server desktop when they log on.
b. Applications: Publishes specific applications and delivers only those applications to end-users.
c. Desktops and applications: Provides a combination of the previous two options.
8. Click Add to specify which end users will be part of the Delivery Group.

Only those end users added to the Delivery Group will be able to access the selected resource (desktop,
applications, or desktop and applications).

9. Type the names of the end users or groups, click Check Names, and then click OK.
Type Human Resources; Accounting; in the Enter the object names to select field, click Check Names and then click
OK.

10. Verify that the appropriate end users and groups appear in the Assign users field and then click Next.
Verify that TRAINING\Human Resources and TRAINING\Accounting appear and then click Next.

11. Select the applications to publish and then click Next.


Select Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010, and then click Next.

You can select user groups by browsing or typing a list of Active Directory users and groups each separated by
a semicolon.
The Virtual Delivery Agent on the image identifies all of the applications on the machine and presents them
for hosting. If no applications appear, verify that the machines in the machine catalog are in a registered state.
If the machines fail to register, ensure that the VDA installation completed successfully on the master image
prior to creating the machine catalog.
Keep in mind that the VDA installation on a Server OS machine requires several restarts with the installation
media still in the drive. Once the master image restarts, log on to the image, eject the media and restart the
master image one more time to ensure that the VDA installation is completed.

12. Type a descriptive name for the Delivery Group in the Delivery Group name field.
Type Office Apps in the Delivery Group name field.

This is the name that the administrator sees.

13. Click Finish.

The end users added to the Delivery Group can now use Citrix Receiver to access the hosted applications, but
not the server hosting the applications. If Desktop and Applications had been selected in Step 8, the end users
would be able to access both the hosted applications and the Server OS desktop using Citrix Receiver.

14. Shut down the newly created VM, if it is started.


Right-click Server2012R2-01 in XenCenter and then click Shut Down.

You are shutting down the VM only to save lab environment resources.

15. Optimize the Hosted Applications Delivery Group with Session Prelaunch and Session Lingering.
Select the Office Apps Delivery Group and then click Edit Delivery Group in the Actions pane.

16. Configure Application Prelaunch.

a. Click on Application Prelaunch and then select Prelaunch when any user in the Delivery Group
logs on to Receiver for Windows.
b. Select Minutes and set the number to 15.
c. Click Apply and click OK.
17. Configure Application Lingering.

a. Click Application Lingering and select Keep sessions active until.


b. Select Minutes and set the number to 15.
c. Click Apply and then click OK.

Creating a Delivery Group for Anonymous User Access


In some scenarios, administrators may want to allow non-domain users to access company resources from non-domain joined
computers such as kiosks at libraries, schools and trade shows. You can configure Delivery Groups containing Server OS
machines to allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Receiver.
Considerations:
• Unauthenticated user support is configured through Delivery Groups. Each machine in the Delivery Group must have a
Server VDA version 7.6 or later installed and a store must be specifically configured in StoreFront for use by
unauthenticated users.

Users requiring sessions on Desktop OS machines must log on using authenticated user credentials.

• An Anonymous Users Group is created when you install the Delivery Controller.

Some applications might still require credentials even though the StoreFront store and Citrix Receiver do not.

• Unauthenticated user accounts are created on demand when a session is launched. User accounts are named AnonXYZ,
in which XYZ is a unique three-digit value.
• Unauthenticated user sessions have a default idle timeout of 10 minutes and are logged off automatically when the user
device disconnects. Reconnection, roaming between user devices, and Workspace Control are not supported.

To Create a Delivery Group for Anonymous User Access


1. Log on to a machine that has Citrix Studio installed on it.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Open Citrix Studio.


Double-click the Citrix Studio icon on the desktop.

3. Select the Delivery Groups node.


4. Click Create Delivery Group.
5. Click Next on the Getting started with Delivery Groups screen.
6. Select the machine catalog and the number of machines to add.
Select the Windows 2012 R2 Server-Apps machine catalog and select 1 machine.
7. Click Next.
8. Select Applications and then click Next.
9. Add the unauthenticated (anonymous) users.
Select Give access to unauthenticated (anonymous) users; no credentials are required to access StoreFront.

10. Click Next.


11. Add the applications to the Delivery Group and then click on Next.
Select Paint, and then click Next.

12. Verify that all of the details on the Summary page are correct and then specify a Delivery Group name.
Type Unauthenticated Access as the Delivery Group name.

13. Click Finish.

Organizing Applications in Folders


Application folders allow XenApp and XenDesktop administrators to organize applications in the Delivery Groups without
affecting how users access the applications. This organization is accomplished during the creation of the Delivery Group or
afterwards using Citrix Studio.
By default all applications specified in a Delivery Group are organized under the default application folder named
Applications. Application folders can be nested up to five times by dragging and dropping applications and folders.

To Organize Applications in Folders
1. Log on to a machine that has Citrix Studio installed on it.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Open Citrix Studio.


Click Start, type Studio, and then click on Citrix Studio.

3. Select the Delivery Groups node.


4. View the default Application organization.
Click the Applications tab, and note that Excel, PowerPoint, Word, and Paint are all listed under the default
Applications folder. This complete list of applications reflects multiple Delivery Groups.

5. Create a new Application folder.


Right-click the Applications blue bar to the left of the applications list and select Create Folder. Name the new folder
Productivity and click OK.

6. Organize the Office Applications.


Click Show all and then drag and drop Word, Excel, and PowerPoint into the Productivity folder.

7. Verify that all Office applications are in the Productivity folder.


Click the Productivity folder and verify that Excel, PowerPoint and Word are listed.

To Create a Delivery Group to Provide Desktops


This exercise will make Desktop OS desktops available to end users through a Delivery Group. This exercise could
also be used to make Server OS desktops available to end users through a Delivery Group, although some choices
may be slightly different.

1. Log on to the VM hosting Citrix Studio using domain administrator credentials.


Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start and then click Citrix Studio.


3. Select the Delivery Groups node in the left pane.
4. Click Create Delivery Group in the right pane.

If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center
pane.

5. Click Next in the Getting Started with Delivery Groups screen.


6. Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and
then click Next.
Select Windows 8 Desktops, type 1 in the Choose the number of machines for this Delivery Group field, and then
click Next.

Because of the limited storage in the lab environment, you only have a single machine available in the machine
catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users
in the environment.

7. Select the resource to deliver in the Delivery Type screen and then click Next.
Select Desktops and then click Next.

The choices include:
• Desktops: Allows you to provide end users with a desktop.
• Applications: Allows you to publish applications found on the master image, applications provided on an
App-V server, or applications located on other network locations. You can also edit the properties of
those applications.
• Desktops and Applications: Provides a combination of the previous two choices. This choice is only
available for random desktops, not static desktops.

8. Click the Add button to specify which end users can access the desktops.
9. Type the name of the end user or group, click Check Names, and then click OK.
Type Accounting in the Enter the object names to select field, click Check Names, and then click OK.

10. Verify that the appropriate end users and groups appear in the Assign users field and then click Next.
Verify that TRAINING\Accounting appears and then click Next.

11. Determine how Receiver will be configured on the machines.


Select Automatically, using the StoreFront servers selected below.

If you select Manually, end users will need to add the server address of a StoreFront server to Receiver on
their virtual desktop before Receiver can be used to access resources.

12. Click Add new and then type a name for the first StoreFront server in the Name field.
Click Add new and then type SFS-1 in the Name field.

If the URLs for the StoreFront servers appear in the Receiver StoreFront URL list, you can proceed to Step 18.

13. Type a description in the Description field, type the URL for the first StoreFront server, and then click OK.
Type First StoreFront in the Description field, type https://sfs-1.training.lab in the URL field, and then click OK.

14. Click Add new.


15. Type a name for the second StoreFront in the Name field.
Type SFS-2 in the Name field.

16. Type a description in the Description field, type the URL for the second StoreFront server, and then click OK.
Type Second StoreFront in the Description field, type https://sfs-2.training.lab in the URL field, and then click OK.

17. Select the StoreFront URLs that will be used by Receiver and then click Next.
Select https://sfs-1.training.lab and https://sfs-2.training.lab and then click Next.

18. Type a name for the Delivery Group that administrators will see in the Delivery Group name field.
Type Win8-Accounting.

19. Type a name for the Delivery Group that end users will see in the Display name field.
Type Win8 Desktop.

20. Type a description for the machine that end users will see and then click Finish.
Leave the description field blank and then click Finish.

Discussion Question
You have the following machine catalogs created in Studio:

• Windows 8 Desktop OS (random)
• Windows 8 Desktop OS (static)
Each of these machine catalogs has 5 machines that have not been allocated to users using a Delivery Group. You want to
allocate all of the remaining desktops to the Accounting group. How many Delivery Groups will you need to create to provide
the Accounting group with these desktops?
You have the following machine catalogs created in Studio:
• Windows 2012 Server OS with Microsoft Office installed
• Windows 2012 Server OS with no apps installed
Each of these machine catalogs has 7 machines that have not been allocated to users using a Delivery Group. You want to
allocate these machine catalogs to users in the Contractors group. How many Delivery Groups will you need to create to
provide the Contractors group with all of the machines in these machine catalogs?

Troubleshooting XenApp and XenDesktop Resource Issues


The following table contains resolutions for XenApp and XenDesktop resource configuration issues.

Issue: Applications installed on a master image do not appear during the creation of the Delivery Group for a machine
catalog.
Resolution: Verify that at least one of the newly created VMs is started and registered. Verify that the VDA was
installed completely.

Issue: A red X appears next to the Delivery Controller address when testing the Controller connection.
Resolution: Type the fully qualified name of the Delivery Controller in the Test connection field during the VDA
installation.

Issue: StoreFront servers do not appear during the creation of a Delivery Group even though "Automatically, using the
StoreFront servers selected below" is selected.
Resolution: Use the Add new button during the creation of the Delivery Group to add the URL of each StoreFront server
using the appropriate format for your environment: http://FQDN or https://FQDN

Troubleshooting: Managing Desktops and Applications

Issue: An administrator is unable to update desktops in a machine catalog.
Resolution: Verify that the administrator has the appropriate permissions.

Issue: Unable to remove a machine from a machine catalog.
Resolution: Verify that the machine is in maintenance mode prior to removal.

Issue: When creating an application Delivery Group in Studio, the desired application does not appear.
Resolution: Verify that the application is installed on the application server/host.

Issue: Not all end users have access to a newly created application.
Resolution: Verify that the application has been assigned to all of the required Delivery Groups. Verify that the
application is enabled.

Issue: You are unable to power manage a machine.
Resolution: Verify that the machine is a virtual machine. Physical machines cannot be power-managed through XenApp and
XenDesktop.

Issue: User logon time is taking longer than usual.
Resolution: Ensure that the power management settings for a Delivery Group are appropriate for the end users. Verify
that different time zones are taken into consideration.
1. Choose the Delivery Group in which you would like to verify the time zone.
2. Click Edit Delivery Group.
3. Click End user settings.
4. Verify the time zone.

Issue: You are unable to reallocate a machine within a Delivery Group.
Resolution: Ensure that the machine was not created using Provisioning Services, as such machines cannot be
reallocated.

Issue: Users in a Delivery Group are unable to access their applications or desktops.
Resolution: Verify that maintenance mode is not enabled.

Reinforcement Exercise: Adding Machines and Delivery Groups


During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked
to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge
and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most
instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If
you have a question or get stuck, ask the instructor or a fellow student for assistance.
Now that you know how to:
• Configure a master image for Server OS machines and hosted applications.
• Configure a master image for Desktop OS machines and hosted applications.
• Create a machine catalog for hosted applications installed on Server OS machines.
• Create a machine catalog for Desktop OS machines.
• Create a Delivery Group to deliver hosted applications.
• Create a Delivery Group to deliver Desktop OS machines.
You are ready to try your hand at adding machines to an existing machine catalog and configuring a Delivery Group to
provide the Contractors group with access to the new machines.
Approximate time to complete: 15 minutes
Training is growing. The hospital just hired a group of contract IT personnel. You need to provide the contractors with access
to Server OS desktops so they can use them to test applications prior to making them available to hospital personnel.
Here is what you need to do:
1. Add one new machine to the existing machine catalog for the Windows 2012 R2 Servers-Apps.

Because of the limited storage and memory in the lab environment, you should only add a single machine to
the machine catalog. In a real-world environment, you would create enough machines to satisfy the needs of
the end users in the environment.

2. Create new Active Directory accounts in the Training Virtual Desktops > Servers OU using the same account naming
scheme as was previously used for the Server 2012 R2 machines.
3. Create a new Delivery Group that will provide the TRAINING\Contractors group with access to the Server OS machines
in the machine catalog.
4. Configure a Delivery Group to provide the Contractors group with access to the desktop of the server, but not hosted
applications.
5. Add both StoreFront servers to the Delivery Group.
6. Use Win2012R2-Contractors as the Delivery Group name.
7. Use Win2012R2 Desktop as the Display name.

Module 6: Setting Up and Managing Policies and Profiles

Setting Up and Managing Policies and Profiles
Overview
HDX (ICA) policy settings directly affect the efficiency of the HDX (ICA) protocol and the channels that are contained in
each HDX (ICA) packet. Proper configuration of these settings ensures that the end user has an optimal work experience and
that corporate mandates such as bandwidth, storage, and security are satisfied. If HDX policies are configured using Studio,
they are applied only to HDX (ICA) connected XenApp and XenDesktop sessions. If HDX policies are configured using the
Group Policy Management Console (GPMC), global settings will be applied to all connected XenApp and XenDesktop
sessions regardless of the protocol being used.
Policies are the most efficient method of controlling connection settings, security settings, bandwidth settings, and some
feature settings such as Profile Management in a XenApp and XenDesktop environment.
Each policy can contain multiple settings. You can work with policies through Studio or the Group Policy Management
Console.

To create policies:
1. Determine which console will be used to create or modify the policy.

If the Group Policy Management Console is used to create the policy, the policy is applied to the selected OU.
If Citrix Studio is used to create the policy, the policy is applied based on the OU, and the filters you configure
after the policy settings are added.

2. Create the policy from scratch or by using a template.


3. Configure the settings for the policy.
4. Prioritize the policy to address conflicting policies. For example, one policy removes a printer, while another policy
provides a printer. Which one should prevail? The one with the highest priority.
5. Run a Resultant Set of Policy to analyze the policies/filters/prioritization settings.
After completing this module, you will be able to:
• Create a policy from a template
• Create policies using Studio
• Prioritize the policies
• Export a policy using Studio
• Import a policy using Studio
• Create policies using Group Policy
• Run the Resultant Set of Policies (RSOP)
• Import a policy template with Group Policy
• Export a policy template with Group Policy
• Configure Remote Assistance
• Configure Citrix Profile Management settings
Module Timing: 2.5 hours

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off

Policy Precedence (Studio vs. Group Policy Objects)


Policies can be created using Studio or using GPOs. Prior to creating policies, you should evaluate whether policies should be
managed and stored in Studio or by using GPOs.

Citrix recommends managing and storing policies using GPOs if you have the appropriate permissions in Active
Directory.

In situations where policies exist that have been created using both Studio and GPOs, Group Policy-based settings take
precedence over policies stored within the site database.

Installing the Group Policy Management Feature


The Group Policy Management Console is a tool that can be used to create, edit and manage group policy objects, and model
policies to simulate the Resultant Set of Policy.
The Group Policy Management Console is one of two consoles that can be used to create, edit and manage Citrix policies;
Citrix Studio is the other. To use the Group Policy Management Console for Citrix policies, you must install the Citrix Group
Policy Management extensions and add the Group Policy Management Feature onto a system. It is Citrix best practice to
manage the XenApp and XenDesktop policies using the Group Policy Management Console, if you have the appropriate
permissions in Active Directory. If not, you have complete access to the same Citrix policies within Studio.
If the same policy settings are configured in both the Group Policy Management Console and in Studio, the policy settings
configured in the Group Policy Management Console will take precedence. An exception to this rule is the Session printer
policy settings. If Session printer policy settings are configured in both consoles, the settings will be merged to produce the
Resultant Set of Policy.

Creating Policies Using Studio
If you do not have the necessary permissions to manage Group Policy, or if filtering mechanisms such as SmartAccess are
required, use Studio to create policies for your site. Policies created using Studio are stored in the site database and updates
are pushed to the end-user session either when the machine registers with the broker or when an end user connects to the
relevant resource.
Before you create a policy, decide which group of end users or devices you want it to affect. You may want to create a policy
based on end-user job function, connection type, end-user device, or geographic location.

Unfiltered Policy
You have the option of creating policies that can be assigned to all objects in a site, or using the pre-created unfiltered policy.
Unfiltered policies are created by default upon the installation of XenApp and XenDesktop. By default, unfiltered policies
apply to all objects and sessions within the site, allowing you to configure global, organization-based settings within one
policy. If you want policies to impact specific groups or end users or objects, you can use policy filters to apply these settings.
The pre-created unfiltered policies cannot be deleted.

Using a Policy Template in Studio


Templates can help you save time when administering a large environment and are also useful for establishing standards that
multiple administrators can use.
You can create templates from either an existing template or an existing policy. Several computer policy templates already
exist for specific purposes. New policies can be created from these templates and modified as needed or you can choose to
create your own custom policy templates. The new template is then populated with the same settings as the original template
or policy. Any assignments specified in the original policy are not included in the template.

Citrix Policy Extensions

The following is a description of the policy flow depicted in the graphic.


1. Citrix policy extensions are installed on the same machine where GPOs will be created or managed. These extensions add
a Citrix node in the Microsoft GPO Editor and GPMC consoles for managing machines and end users.

In general, Citrix does not recommend installing policy extensions on domain controllers.

2. Local and domain policies are created.


a. Active Directory group policies are created and assigned using GPMC or GPO Editor. These policies are applied
at the OU, Domain and site level of Active Directory. Citrix policies are created in exactly the same manner as
Microsoft policies.

b. Local site policies are created using the Citrix Studio Management Console. The settings are stored in the site
database and propagated to the registry of the VDAs. Upon next restart or logon, policies are implemented.
3. Active Directory Group Policies take precedence over local system policies. If you do not have access to Active Directory,
site policies can be used to accomplish all of the same tasks.
4. Policies are stored in a Directory file structure or System Volume (SysVol) on Domain Controllers only.
a. Microsoft policy GUID folders are created in SysVol and hold ADM/X files.
b. Citrix policies configured at the Active Directory level are stored in SysVol as GPF/X files (XML files) that are
parsed by Citrix Client-side extensions.
Citrix settings are stored in the site database as metadata and propagated to servers as GPF/X files stored in the Windows
directory. These settings are applied to the VDA registry of each VDA configured.

To Create a Policy from a Template


1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Double-click Citrix Studio on the desktop to open it.


3. Select Policies in the left pane of Studio and then select the Templates tab.

If the Welcome screen for Citrix Policies appears, select Don't show this again and then click Close.

4. Select the template that you want to implement and then create a new policy from it.
Select High Definition User Experience and then click Create Policy from Template in the Actions pane.

5. Verify that Template default settings (recommended) is selected and then click Next.
6. Select how you would like to apply the policy and then click Next.

a. Click Assign to the right of the User or Group option.


b. Type TRAINING\Human Resources in the User or group name field.
c. Click + and then type TRAINING\Accounting in the new User or group name field.
d. Click OK.
e. Click Next.

7. Type a policy name and then click Finish.


Type User Experience Enhancements for Remote Employees and then click Finish.

To Create a Policy Using Studio


1. Log on to the machine that has Citrix Studio.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Double-click Citrix Studio on the desktop to open it.


3. Select Policies in the left pane of Studio.
4. Click Create Policy from Template in the Actions pane. The Create Policy wizard opens.
5. Add and configure individual policy settings, as required and then click OK.

a. Select Desktop UI from the All Settings menu.


b. Click Select to the right of the Menu animation setting.
c. Select Prohibited and then click OK.
d. Click Select to the right of the View window contents while dragging setting.
e. Select Prohibited and then click OK.



6. Click Next.
7. Assign the policy to a particular user or group or assign it to all objects within the site and then click OK.

a. Click Assign to the right of the Delivery Group object.


b. Select Win8-Accounting from the Delivery Group field and then click OK.

8. Click Next.
9. Enter a unique name for the new policy or accept the default name that is generated automatically.
Type Disabled Desktop UI Elements as the policy name.

10. Click Finish to create the policy.

Applying a Policy Using Studio


When you assign a policy to certain end users and machine objects, that policy is applied to connections according to specific
criteria or rules. If no assignments are added, the policy is applied to all connections. You can add as many assignments as
you want to a policy, based on a combination of criteria.
You must add at least one assignment to a policy for that policy to be applied correctly. If you do not add any assignments,
policy settings are applied to all user sessions, unless those policy settings are overridden by settings in a policy with a higher
priority.

Citrix recommends that you apply policies to groups rather than individual end users. If you apply policies to
groups, assignments are updated automatically when you add or remove end users from the group.

To Apply a Policy
1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Double-click Citrix Studio on the desktop to open it.


3. Select Policies in the left pane of Studio.
4. Click the Policies tab and then select an existing policy or create a new policy.
Select the Disabled Desktop UI Elements policy.

5. Click Edit Policy in the Actions pane to open the Policy Wizard.
6. Configure policy settings, if necessary and then click Next.
Click Next.

7. Click Assign or Edit for each user or machine object to which you want to assign the policy.

a. Select Edit to the right of the Delivery Group object.


b. Click + and then select Office Apps from the Delivery Group field.
c. Click OK.

8. Click Next to use the existing assignment settings and then click Finish to complete editing the policy.

Editing a Policy Using Studio


If you want to apply another policy setting, consider editing the existing policy and configuring the appropriate options
instead of creating an additional policy. Avoid creating a new policy solely to enable a specific setting or to exclude the policy
from applying to certain end users.



To Edit a Policy
1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Double-click Citrix Studio on the desktop to open it.


3. Select Policies in the left pane of Studio.
4. Click the Policies tab and then select an existing policy or create a new policy.
Click the Policies tab and then select the Disabled Desktop UI Elements policy.

5. Click Edit Policy in the right pane to open the Policy Wizard.
6. Add or edit the policy settings and then click OK.

a. Select Desktop UI from the All Settings menu.


b. Click Select to the right of the Desktop wallpaper setting.
c. Select Prohibited and then click OK.

7. Click Next.
8. Adjust user and machine assignments, if necessary and then click Next.
Click Next.

9. Click Finish.

Prioritizing Policies Using Studio


When creating policies for a site, you may encounter a situation in which specific end users require exceptions to the current
policy. This action is taken by creating policies and prioritizing them.
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. You prioritize
policies by giving them different priority numbers. By default, new policies are given the lowest priority. If policy settings
conflict, a policy with a higher priority overrides a policy with a lower priority.

A priority number of 1 is the highest.

To Prioritize a Policy
1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Double-click Citrix Studio on the desktop to open it.


3. Select Policies in the left pane of Studio.
4. Click the Policies tab and then select an existing policy.
Click Policies and then select the Disabled Desktop UI Elements policy.

5. Change the policy to a higher or lower priority, as necessary.


Select Higher Priority for the Disabled Desktop UI Elements policy.

Discussion Question
What type of policy should you configure if you need to create specific settings and want them applied globally across your
organization?
What if there are end users or objects that should not be affected by these policy settings?



To Create a Computer Template in Studio
1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Double-click Citrix Studio on the desktop to open it.


3. Select Policies in the left pane of Studio and then select the Policies tab.
4. Select the policy you would like to use as a template.
Select the Disabled Desktop UI Elements policy that you previously configured.

5. Right-click the policy and select Save as Template.


6. Verify the settings, click Unselect to the right of any settings that you want to exclude from the template, and then click
Next.
Click Next.

7. Type a name for the template and a description.


Type Disabled Desktop UI Elements without a description.

8. Click Finish. The new template appears on the Templates tab of Studio within the Custom templates pane.

Exporting a Policy Template Using Studio


Exporting a policy template allows you to create backups of your template files to aid in the recovery of policy configurations.
It also allows you to supply policy configurations from your site to aid Citrix Support in troubleshooting issues.

You can also export policies created in Studio into Group Policy Objects.

To Export a Policy Template


1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Double-click Citrix Studio on the desktop to open it.


3. Select Policies in the left pane of Studio.
4. Click the Templates tab and then select the template you want to export.
Click the Templates tab and then select Disabled Desktop UI Elements in the Custom templates field.

5. Click Export Template. The Export Template dialog box appears.


6. Select the location where you want to save the template and then click Save. A .gpt file is created in the location you
specified.
Type \\FS-1\Share\Policies\ in the Address field of the Export Template window and then click Save.

Importing a Policy Template Using Studio


Policy templates are local to the computer on which you are running the console to manage your site. You can transfer policy
configurations between environments, including other sites that you manage on the computer running the console.
You can transfer templates by importing or exporting them. Importing a policy template allows you to implement policy
configurations from servers in other sites, or policy configurations created by Citrix Support to resolve issues in your site.



To Import a Policy Template
1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Launch Citrix Studio from the start screen.


3. Select Policies in the left pane of Studio.
4. Click the Templates tab and click Import Template.
5. Find the policy to import, click Open, and then click Yes.

a. Browse to the \\FS-1\Share\Policies folder and select USB Security.gpt.


b. Click Open.

Creating Policies Using Group Policy

The following is a description of the policy flow depicted in the graphic.


1. Citrix policy extensions are installed on the same machine where GPOs will be created or managed. These extensions add
a Citrix node in the Microsoft GPO Editor and GPMC consoles for managing machines and end users.

In general, Citrix does not recommend installing policy extensions on domain controllers.

2. Local and domain policies are created


a. Active Directory group policies are created and assigned using GPMC or GPO Editor. These policies are applied
at the OU, Domain and site level of Active Directory. Citrix policies are created in exactly the same manner as
Microsoft policies.
b. Local site policies are created using the Citrix Studio Management Console. The settings are stored in the site
database and propagated to the registry of the VDAs. Upon next restart or logon, policies are implemented.
3. Active Directory Group Policies take precedence over local system policies. If you do not have access to Active Directory,
site policies can be used to accomplish all of the same tasks.
4. Policies are stored in a Directory file structure or System Volume (SysVol) on Domain Controllers only.
a. Microsoft policy GUID folders are created in SysVol and hold ADM/X files
b. Citrix policies configured at the Active Directory level are stored in SysVol as GPF/X files (XML files) that are
parsed by Citrix Client-side extensions
Citrix settings are stored in the site database as metadata and propagated to servers as GPF/X files stored in the Windows
directory. These settings are applied to the VDA registry of each VDA configured.



Discussion Question
Where do you manage policies in your organization? Why do you choose one method over another?

Creating and Applying a Group Policy Object


The same criteria for creating a policy using Studio applies to creating a GPO. You may want to create a policy based on user
job function, connection type, end-user device, or geographic location.

To Create a GPO
1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management.
3. Right-click an organizational unit in the left pane and then select Create a GPO in this domain, and Link it here to
open the New GPO window.

a. Expand the Forest: training.lab > Domains > training.lab nodes.


b. Right-click Training Virtual Desktops and then select Create a GPO in this domain, and Link it here to
open the New GPO window.

4. Type a name for the new Group Policy Object.


Type VDA Settings.

5. Click OK. The new GPO appears in the console tree.

Editing a Group Policy Object


By default, only domain administrators, enterprise administrators, and members of the Group Policy creator owners group
can edit GPOs.

Citrix recommends creating a separate GPO for distributing Citrix policies through Active Directory, and advises
against editing the Default Domain Controllers Policy GPO or the Default Domain Policy GPO.

To Edit a Policy
1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management.
3. Select the organizational unit in the left pane of the Group Policy Management Console that contains the policy that you
want to edit.
Select Training Virtual Desktops.

4. Right-click the GPO you would like to edit and then click Edit.
Right-click the VDA Settings GPO in the right pane and then click Edit.

5. Expand the Computer Configuration node.


6. Expand Policies and then select Citrix Policies to open the Citrix Computer Policy window.
7. Create or edit an existing policy.
Click Edit in the Policies tab.



8. Add or edit the settings within the policy and then click OK.

a. Select the Settings tab.


b. Select Virtual Delivery Agent Settings from the Categories menu.
c. Click Add to the right of the Controllers setting.
d. Type c-1.training.lab in the Value field and then click OK.

9. Click OK.
10. Close the Group Policy Management Editor.

Running the Resultant Set of Policy


When multiple policy settings are configured in an environment, it can be difficult to determine the effect of those settings
on a resource or end user. You can model the outcome of the policy settings on a connection using the Citrix Group Policy
Modeling Wizard. With the Citrix Group Policy Modeling Wizard, you can specify conditions for a connection scenario such
as domain controller, end users, Citrix policy assignment evidence values, and simulated environment settings such as slow
network connection. The report that the wizard produces lists the policies that would likely take effect in the scenario.
The Citrix Group Policy Modeling Wizard can be run from Studio and from the Group Policy Management Console. If you
created policies using:
• Studio only, you should use the Citrix Group Policy Modeling Wizard from Studio.
• Studio and the Group Policy Management console, you should use the Citrix Group Policy Modeling Wizard from
Studio.
• Group Policy Management Console only, you should use the Citrix Group Policy Modeling Wizard from the Group
Policy Management Console.

To Create a Resultant Set of Policy Using the Group Policy Management Console
1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine from the Citrix lab environment using the TRAINING\Administrator
and Password1 credentials.

2. Open Server Manager and then click Tools in Server Manager.


3. Click Group Policy Management.
4. Expand the Forest node.
Expand the Forest: training.lab node.

5. Expand and right-click Citrix Group Policy Modeling and then click Citrix Group Policy Modeling Wizard.
6. Click Next in the "Welcome" screen.



7. Specify the domain controller that will process the Resultant Set of Policy.
Select This domain controller. Click Next to use AD.training.lab.

8. Specify the OU containing the end users or computers you want to model and then click OK.

a. Click Browse to the right of Container in the Computer Information field.


b. Double-click Training > Training Virtual Desktops > Servers.
c. Click OK.

9. Click Next on the "User and Computer Selection" screen.


10. Specify the filter criteria and then click Next.
Click Next.

11. Specify the advanced simulation options and then click Next.
Click Next.

12. Review the settings on the "Summary of Selections" screen and then click Run.
Click Run.

13. Click Close in the "Completing the Citrix Group Policy Modeling Wizard" screen to view the report.

If you receive a message from Internet Explorer that the site is being blocked, click Add.

14. Review the policy modeling report to determine which policies were applied and have an effect on the selected end users
or computers.
15. Close the modeling results window.

Using a User Template with Group Policy


Policy templates are displayed on the Templates tab in Group Policy Editor. Computer templates are displayed when you are
working with Computer policies. User templates are displayed when you are working with user policies.

To Use a User Template


1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management.
3. Select the organizational unit in the left pane of the Group Policy Management Console.

a. Expand the Forest: training.lab > Domains > training.lab > Training Users nodes in the left pane.
b. Right-click Training Users and then select Create a GPO in this domain, and Link it here.
c. Type WAN Optimization and then click OK.

4. Right-click the GPO you would like to edit and then click Edit.
Right-click the WAN Optimization GPO from the linked Group Policy Objects tab in the right pane and then click
Edit.

5. Expand User Configuration.


6. Expand Policies.
7. Click Citrix Policies.
8. Click the Templates tab.



9. Select the template from which you want to create a new template.
Select Optimized for WAN.

10. Click New Policy to open the New Policy Wizard.
11. Type a name for the new template.
Type Remote Users in the Name field.

12. Click Next two times to accept the default settings.


13. Configure when the policy is applied.

a. Click Add to the right of the Client IP address filter.


b. Click Add.
c. Select Deny from the Mode menu.
d. Type 192.168.1.1-192.168.255.255 in the Client IP address field.
e. Type Policy applies to every user without an IP in this range in the Comment field and then click OK.
f. Click OK.

14. Click Next.


15. Click Create.
16. Close the Group Policy Management Editor.

Discussion Question
How are remote employees affected when you deny a policy to all end users within an IP address range of
192.168.1.1-192.168.255.255?

Importing a Policy Template with Group Policy


Built-in templates are created and updated by Citrix. You cannot modify or delete these templates. However, you can modify
templates that you import through Studio or the Group Policy Editor.

To Import a Policy Template


1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management.
3. Select the organizational unit in the left pane of the Group Policy Management Console.
Expand the Forest: training.lab > Domains > training.lab > Training Users nodes in the left pane.

4. Right-click the GPO you would like to edit and then click Edit.
Right-click WAN Optimization GPO from the linked Group Policy Objects tab in the right pane and then click Edit.

5. Expand User Configuration.


6. Select Policies.
7. Double-click Citrix Policies in the right pane.
8. Click the Templates tab.
9. Select Actions and then select Import from the Actions menu.
10. Select the template that you want to import and then click Yes.

a. Type \\FS-1\Share\Policies in the Address field of the Import Template window, press Enter, and then
double-click USB Security.gpt.
b. Click Open.



11. Close the Group Policy Editor.

Exporting a Policy Template with Group Policy


Exporting a policy template allows you to create backups of your template files to aid in the recovery of policy configurations.
It also allows you to supply policy configurations from your site to aid Citrix Support in troubleshooting issues.

To Export a Policy Template


1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management.
3. Select the organizational unit in the left pane of the Group Policy Management Console.
Expand the Forest: training.lab > Domains > training.lab > Training Virtual Desktops nodes in the left pane and
then select Training Virtual Desktops.

4. Right-click the GPO you would like to edit and then click Edit.
Right-click the VDA Settings GPO from the linked Group Policy Objects tab in the right pane and click Edit.

5. Expand Computer Configuration.


6. Expand Policies.
7. Click Citrix Policies.
8. Click the Templates tab in the right pane.
9. Select the template that you want to export.
Select High Server Scalability.

10. Select Actions and then select Export from the Actions menu.
11. Select the location where you would like to export the file to and then click OK.

a. Type \\FS-1\Share\Policies in the Address field of the Export Template window.


b. Click Save.

12. Close the Group Policy Editor.

Prioritizing a Policy Using Group Policy


With the tree-based structure of Active Directory, policies can be created and enforced at any level in the tree structure. It is
important to understand how the aggregation of policies, known as policy precedence, flows in order to understand how a
resultant set of policies is created.
Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not
configured are ignored.
If you are using Active Directory, policy settings are updated when Active Directory re-evaluates policies at regular
90-minute intervals and when a user logs on.
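
The rules stated in this module (a priority number of 1 is the highest, a higher-priority setting overrides a lower one, unconfigured settings are ignored, and a policy without assignments applies to every connection) can be modeled to see which policy wins each setting for a given connection. The following Python model is an added illustration, not Citrix code: the `Filter` and `Policy` classes, the "Accounting UI" and "Unfiltered" policies, the priorities, the setting values and the rule for combining Allow filters are assumptions, and only the Deny-mode client IP range is taken from the Remote Users policy created earlier.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def ip_range(text):
    """Parse 'first-last' as typed in the Client IP address field."""
    first, last = text.split("-")
    return IPv4Address(first.strip()), IPv4Address(last.strip())


@dataclass
class Filter:
    kind: str      # "client_ip" or "group"
    mode: str      # "Allow" or "Deny", as in the Mode menu
    value: object  # (first, last) address pair, or a group name

    def matches(self, conn):
        if self.kind == "client_ip":
            first, last = self.value
            return first <= conn["client_ip"] <= last
        return self.value in conn["groups"]


@dataclass
class Policy:
    name: str
    priority: int   # 1 is the highest priority
    settings: dict  # configured settings only; unconfigured ones are absent
    filters: list = field(default_factory=list)

    def applies_to(self, conn):
        # A matching Deny filter excludes the connection outright.
        if any(f.mode == "Deny" and f.matches(conn) for f in self.filters):
            return False
        # Assumption: each filter kind that has Allow entries needs one match.
        allow = [f for f in self.filters if f.mode == "Allow"]
        for kind in {f.kind for f in allow}:
            if not any(f.matches(conn) for f in allow if f.kind == kind):
                return False
        return True  # also reached when the policy has no filters at all


def resultant_set(policies, conn):
    """Return {setting: (value, winning policy name)} for one connection."""
    effective = {}
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.applies_to(conn):
            for setting, value in policy.settings.items():
                # The first policy to supply a setting has the highest priority.
                effective.setdefault(setting, (value, policy.name))
    return effective


def connection(ip, *groups):
    return {"client_ip": IPv4Address(ip), "groups": set(groups)}


# Constructed sample data: setting values and the last two policies are hypothetical.
POLICIES = [
    Policy("Remote Users", 1,
           {"Desktop wallpaper": "Prohibited", "Menu animation": "Prohibited"},
           [Filter("client_ip", "Deny", ip_range("192.168.1.1-192.168.255.255"))]),
    Policy("Accounting UI", 2,
           {"Menu animation": "Allowed",
            "View window contents while dragging": "Prohibited"},
           [Filter("group", "Allow", "TRAINING\\Accounting")]),
    Policy("Unfiltered", 3,
           {"Desktop wallpaper": "Allowed", "Menu animation": "Allowed",
            "View window contents while dragging": "Allowed"}),
]

if __name__ == "__main__":
    samples = [
        connection("203.0.113.7", "TRAINING\\Accounting"),    # outside the range
        connection("192.168.10.20", "TRAINING\\Accounting"),  # inside the range
        connection("192.168.0.50"),  # below 192.168.1.1, so not in the range
    ]
    for conn in samples:
        print(conn["client_ip"], resultant_set(POLICIES, conn))
```

An address such as 192.168.0.50 sits below the start of the denied range, so the Remote Users policy still applies to it; a range typed as first-last covers exactly those addresses and nothing more.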

To Change the Priority of a Policy


1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management.
3. Browse to the OU containing the policies you want to prioritize.
Expand the Forest: training.lab > Domains > training.lab > Training Users nodes in the left pane.



4. Select the Linked Group Policy Objects tab in the right pane.
5. Select a policy in the Group Policy Editor for which you want to change the priority.
Select WAN Optimization.

6. Use the arrows on the left side of the Linked Group Policy Object tab to raise and lower the priority of the policy.

You will not be able to change the priority of the policy because only one policy exists for the OU.

Discussion Question
You have created and applied a new policy. You configured the policy with client removable drives set to disabled. The policy
contains a filter that has been set to allow for the Accounting group. Some employees from the Contractor group are now
asking the Support team why they are unable to access their client drives. What could be causing this issue? How can you fix
the issue?

Configuring Remote Assistance


Windows Remote Assistance allows an administrator to monitor and control another end-user's session remotely. It is most
commonly used to troubleshoot issues on endpoints. Windows Remote Assistance is always installed during the installation of
Director, but is disabled and should remain disabled for security purposes. In addition, Remote Assistance is installed during
the installation of the VDA on machines. TCP port 3389, which is used by Remote Assistance, is opened on the firewall
during the VDA installation.
In order for IT administrators, Help Desk personnel, and others to initiate Windows Remote Assistance using the Shadow
button in Director, you must enable Remote Assistance using a policy and grant the appropriate administrator groups the
required permissions using a Group Policy Object.

In XenApp 6.5 and earlier, administrators set policies to control ICA-based user-to-user shadowing. These policies
have been removed. In this release of XenApp and XenDesktop, Windows Remote Assistance replaces this
functionality. In order for shadowing to work properly, you must configure the Remote Assistance feature on any
server used to remotely assist end users. This feature is configured within the lab environment.

To Configure Remote Assistance Permissions


1. Log on to a VM with the Group Policy Management feature installed using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management.
3. Browse to the OU where you want to create and link the policy.
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.

4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.

5. Type a descriptive name in the Name field and click OK.


Type Remote Assistance in the Name field and then click OK.

6. Right-click the newly created policy and then click Edit.


Right-click the Remote Assistance policy and then select Edit.

7. Double-click Computer Configuration > Policies > Administrative Templates > System and then double-click Remote
Assistance.
8. Double-click the Configure Offer Remote Assistance setting and then select Enabled.



9. Specify the level of remote control that will be provided to the helpers.
Verify Allow helpers to remotely control the computer is selected in the Permit remote control of this computer
drop-down menu.

10. Click Show.


11. Type the domain users (domain\username) and domain user groups (domain\group) that will have permission to
remotely control endpoints and then click OK.

a. Type TRAINING\HelpDesk in the Value field.


b. Press Tab.
c. Type TRAINING\XenDesktop Admins.
d. Press Tab.
e. Type TRAINING\Domain Admins.
f. Click OK.

12. Click OK to close the Configure Offer Remote Assistance window.


13. Close the Group Policy Management Editor and Group Policy Management Console windows.

Discussion Question
You enabled the "Configure Offer Remote Assistance" setting for the OU containing the virtual desktops and added the
HelpDesk, XenDesktop Admins, and Domain Admins groups to the policy as directed. In addition, the VDA has been
installed on all of the master images used to create the Desktop OS and Server OS machines in the environment. Your
manager calls you directly and asks for your help. You use a Web browser to access Director and attempt to Shadow the
session, but you get an error. What could be causing the issue?

Troubleshooting: Managing Policies

Issue: A new policy is not functioning properly.
Resolution:
• Ensure that the policy is enabled.
• Verify that it is assigned to the appropriate end users, groups, OUs, and/or domains.
• Verify that there are no Active Directory policies that supersede the policy built in Studio.
• Check the prioritization of the policies.
• Ensure that the correct policy settings have been chosen to achieve the desired results.

Issue: Unable to modify or delete a template.
Resolution: Verify that the administrator attempting to make this change has the authority to do so.
Built-in templates can be used as a model for other templates, but cannot be modified or deleted.

Issue: Loopback policy issues.
Resolution: For information about loopback policy issues, see the http://technet.microsoft.com Web site.

Issue: Virtual IPs are not being assigned by the policy.
Resolution: Verify that:
• The applications are installed on Windows Server 2008 R2 or Windows Server 2012 R2 machines. Virtual IPs and
virtual loopback do not apply to applications installed on Desktop OS machines.
• Enough IP addresses are available in the reservation to support the number of applications and users accessing
those applications. For more information about virtual IPs and virtual loopback, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-deliver-virtual-ip.html.

Issue: Unable to find the appropriate policy settings.
Resolution: Use the Search field to narrow the results as you search for settings.

Setting Up Citrix Profile Management


End-user profiles contain properties and settings for each end user accessing resources using XenApp and XenDesktop. When
end users access a resource (desktop or application), their profile is loaded. You can elect to use a third-party profile
management solution, Group Policy Objects, or Citrix Profile Management to configure profile settings. In this version of
XenApp and XenDesktop, Citrix Profile Management is integrated into XenApp and XenDesktop as policy settings. Citrix
Profile Management provides 78 policy settings that allow you to finely control your end-user profiles. Earlier in the course,
you configured folder redirection. It is common to use both folder redirection and Citrix Profile Management in an
environment.

Managing End-User Profiles

1. An end user starts a session for a machine with profile management enabled.
2. The Citrix Profile management service determines if the end user is a member of the processed group defined in the
profile management policies. If the end user is a member of the group, the service attempts to load the end user's profile
from the store. If the end user is not part of the group, a Microsoft profile is assigned.
3. If the end user is a member of the processed group, Citrix Profile management verifies that the user store contains the
profile. If a profile is not found in the store, the service migrates the end user's Microsoft profile to the store or creates a
new one from a template specified in the policy.
4. A local profile that is managed by Citrix Profile management is streamed from the store to the virtual machine.
5. Profile management monitors the end user's profile and logs any changes back to the end user's profile store.
Profile management addresses end-user profile deficiencies in environments where simultaneous domain logons by the same
end user introduce complexities and consistency issues to the profile. For example, if an end user starts sessions on two
different virtual resources based on a roaming profile, the profile of the session that terminates last overwrites the profile of
the first session. This problem, known as "last writer wins", discards any personalization settings that the end user has made
in the first session.
You can prevent this by using separate profiles for each resource silo. However, this results in increased administration
overhead and storage capacity requirements. Another drawback is that end users will experience different settings depending
on the resource silo they access.
Profile management optimizes profiles in an easy and reliable way. At interim stages and at logoff, changes to the registry, as
well as files and folders in the profile, are saved to the user store for each end user. If a file already exists, it is overwritten if it
has an earlier timestamp. This helps safeguard application settings for mobile end users who experience network disruption
and end users who access resources from different operating systems.
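
The difference between a plain roaming profile and the timestamp rule described above can be seen by replaying two overlapping sessions against the same user store. This Python model is added here and is not Citrix code; the file names, contents, integer timestamps and function names are constructed for illustration, and registry changes are not modeled.

```python
import copy


def start_session(store):
    """Logon: the session works on its own copy of the profile in the store."""
    return copy.deepcopy(store)


def edit(profile, path, content, when):
    """Change one profile file during a session and record the change time."""
    profile[path] = {"content": content, "mtime": when}


def logoff_roaming(store, profile):
    """Plain roaming profile: the whole session copy replaces the stored one."""
    store.clear()
    store.update(copy.deepcopy(profile))


def logoff_timestamped(store, profile):
    """Write-back rule from the text: a file that already exists in the store
    is overwritten only if the stored copy has an earlier timestamp."""
    for path, entry in profile.items():
        stored = store.get(path)
        if stored is None or stored["mtime"] < entry["mtime"]:
            store[path] = dict(entry)


def two_sessions(logoff):
    """Replay two overlapping sessions of one end user; return file contents."""
    store = {  # constructed sample profile, all files last written at time 0
        "AppData/app.ini": {"content": "theme=default", "mtime": 0},
        "AppData/mail.sig": {"content": "(none)", "mtime": 0},
        "AppData/dict.txt": {"content": "", "mtime": 0},
    }
    session_a = start_session(store)  # first virtual resource
    session_b = start_session(store)  # second virtual resource, same user

    edit(session_a, "AppData/app.ini", "theme=dark", when=10)
    edit(session_b, "AppData/mail.sig", "Regards, HR", when=15)
    # Both sessions change the same file; session A's change is the newer one.
    edit(session_b, "AppData/dict.txt", "citrix", when=12)
    edit(session_a, "AppData/dict.txt", "citrix xenapp", when=18)

    logoff(store, session_a)  # session A terminates first
    logoff(store, session_b)  # session B terminates last
    return {path: entry["content"] for path, entry in store.items()}


if __name__ == "__main__":
    print("roaming    :", two_sessions(logoff_roaming))
    print("timestamped:", two_sessions(logoff_timestamped))
```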
Alternatives to using Citrix Profile management exist, including Environment Manager from AppSense and RES PowerFuse.

By default, Citrix Profile management is installed silently on master images when you install the VDA.

To Configure the Profile Management Settings


This procedure only implements a few of the policy settings. You should evaluate your end-user and
environmental requirements and configure your profile management settings accordingly. For more information
about properly configuring Profile Management, see http://blogs.citrix.com/ and search for "Citrix Profile
Management and VDI". Include the quotes in the search to limit the search results.
1. Log on to a VM with the Group Policy Management feature and Citrix Studio installed using domain administrator
credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in the Server Manager window and then select Group Policy Management.
3. Browse to the OU containing the desktops to create a policy to enable Citrix Profile Management.

You want a set of common profile settings to apply to both Server OS and Desktop OS machines and custom
profile settings for Server OS and Desktop OS machines so the profiles for the end users will go to different
sub-directories.

Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.

4. Right-click the OU containing the virtual desktops and then click Create a GPO in this domain, and Link it here.
Right-click Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.

5. Type a name for the policy and then click OK.


Type Citrix Profile Management - Common Settings in the Name field and then click OK.

6. Right-click the newly created policy and then click Edit.


Right-click Citrix Profile Management - Common Settings and then click Edit.

7. Double-click Computer Configuration > Policies > Citrix Policies.


8. Click Edit and then click the Settings tab to edit the unfiltered policy.
9. Select Profile Management > Basic settings in the Categories field.
10. Determine if Profile Management should be enabled and then click OK.
Click Add to the right of the Enable Profile management setting, select Enabled, and then click OK.

By default, to facilitate deployment, Profile Management does not process logons or logoffs. You can turn on
processing by enabling a policy setting. If the policy setting is not configured, the value from the .ini file is
used. If the policy setting is not configured here or in the .ini file, Profile Management does not process
Windows end-user profiles in any way.



11. Determine if you want to enable Active write back and then click OK.
Click Add to the right of the Active write back setting, select Enabled, and then click OK.

With active write back:


• Files and folders (but not Registry entries) that are modified can be synchronized to the end-user store in
the middle of a session, before the end user logs off.
• If this setting is not configured here, the value from the .ini file is used.
• If this setting is not configured here or in the .ini file, active write back is disabled.

12. Select Profile Management > Streamed user profiles in the Categories field.
13. Determine if end-user profiles will be streamed and then click OK.
Click Add to the right of the Profile streaming setting, select Enabled, and then click OK.

With profile streaming:


• End-user profiles are synchronized on the local computer only when they are needed.
• Registry entries are cached immediately, but files and folders are only cached when accessed by end users.

14. Click OK in the Edit Policy window.


15. Close the Group Policy Management Editor.
16. Browse to the OU containing Desktop OS machines.
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops > Desktops in the Group
Policy Management Console.

17. Right-click the OU for the Desktop OS machines and then click Create a GPO in this domain, and Link it here.
Right-click Desktops and then click Create a GPO in this domain, and Link it here.

18. Type a name for the policy and then click OK.
Type Citrix Profile Management - Desktops path to user store in the Name field and then click OK.

19. Right-click the newly created policy and then click Edit.
Right-click Citrix Profile Management - Desktops path to user store and then click Edit.

20. Double-click Computer Configuration > Policies > Citrix Policies.


21. Click Edit and then click the Settings tab to edit the unfiltered policy.
22. Select Profile Management > Basic settings in the Categories field.
23. Specify the path to the user store for end users of Desktop OS machines.

a. Click Add to the right of the Path to user store setting.


b. Verify that Enabled is selected.
c. Type \\FS-1\UPM$\%USERNAME%.%USERDOMAIN%\Win8 in the text box below Enabled and then click
OK.

24. Click OK in the Edit Policy window.


25. Close the Group Policy Management Editor.
26. Browse to the OU containing Server OS machines.
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops > Servers in the Group
Policy Management Console.

27. Right-click the OU for the Server OS machines and then click Create a GPO in this domain, and Link it here.
Right-click Servers and then click Create a GPO in this domain, and Link it here.

28. Type a name for the policy and then click OK.
Type Citrix Profile Management - Servers path to user store in the Name field and then click OK.



29. Right-click the newly created policy and then click Edit.
Right-click Citrix Profile Management - Servers path to user store and then click Edit.

30. Double-click Computer Configuration > Policies > Citrix Policies.


31. Click Edit and then click the Settings tab to edit the unfiltered policy.
32. Select Profile Management > Basic settings in the Categories field.
33. Determine if a path to the user store for end users of Server OS machines should be specified.

a. Click Add to the right of the Path to user store setting.


b. Verify that Enabled is selected.
c. Type \\FS-1\UPM$\%USERNAME%.%USERDOMAIN%\Win2012 in the text box below Enabled and then
click OK.

34. Click OK in the Edit Policy window.


35. Close the Group Policy Management Editor and the Group Policy Management Console.

Discussion Question
Citrix Profile Management is installed during which XenApp and XenDesktop component installations?

Reinforcement Exercise: Working with Policies


During these exercises, you will not be given step-by-step instructions for performing the tasks. Instead, you are
asked to use what you have just learned to complete them. These exercises are designed to take your newly
acquired knowledge and determine whether you can perform a task you have never done before. In most instances the default
value will be the best choice, but we encourage you to explore and try things out. If you have a question or need
help, ask the instructor or a fellow student for assistance.

In this module, you learned how to:


• Create, apply and edit a policy in Studio and as a Group Policy Object (GPO).
• Prioritize policies within Studio and with Active Directory GPOs.
• Use, import, and export a user policy template within Studio and Active Directory.
• Run and obtain a resultant set of policy (RSOP) report.
• Configure folder redirection and streaming user profiles.
• Manage profile settings using Citrix policies.
• Resolve conflicting profiles.
Time to complete: Approximately 15 minutes
The Training contractors' tools will eventually be hosted on a desktop provided by XenApp and XenDesktop. Since they are
not official company employees, management wants you to put some policies in place that may make it more difficult for the
source code to be taken outside company systems.
Your objective is to put a group policy object in place that adds safeguards limiting how the Contractor team can
transfer this kind of data.
To complete your objective:
• Create a group policy object called "Safeguards Against Data Theft" that is applied to the Contractor organizational unit.
• Add the following settings to the Citrix User Policies:
  • Disable client clipboard redirection
  • Disable client drive redirection
  • Disable USB device redirection

Module 7: Managing Printing Through Policies
Managing Printing
Overview
Printing is a very important aspect of every Citrix infrastructure, but it is not well understood and is a common cause of issues.
XenApp and XenDesktop offer a variety of features to enable you to successfully integrate printing in almost every scenario.
Choosing the most appropriate printing configuration for your organization helps to simplify administration and improve the
end-user experience. In order to successfully design a printing infrastructure, it is vital to understand the available technologies
as well as their benefits and limitations.
After completing this module, you will be able to:
• Manage printers using policies.
• Add session printers.
• Map and install printer drivers.
• Customize and optimize printing performance.
• Manage the Universal Print Server.
Module timing: Approximately 3 hours

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• Domain Controller-1 = On
• File Server-1 = On
• SQL Server-1 = On
• SQL Server-Witness = On
• StoreFront Server-1 = On
• Student Management Console = On
• Universal Print Server = On
• All other machines = Off

Print Management Process


Managing printing in a XenApp and XenDesktop environment is a multistage process:
• Plan your printing architecture, including analyzing your business needs, your existing printing infrastructure, how your
end users and applications interact with printing today, and which printing management model best applies to your
environment.
• Configure your printing environment, including creating the policies necessary to deploy your printing design.
• Test a pilot printing configuration before deploying it to end users.
• Maintain your Citrix printing environment, including updating policies when new employees or servers are added and
maintaining drivers on your XenApp and XenDesktop machines.
• Troubleshoot issues that may arise in your printing environment.

Default Printing Behavior


By default, if you do not configure any policy rules, XenApp and XenDesktop printing behaviors are as follows:
• All printers configured on the end-user device are created automatically at the beginning of each session. This behavior is
equivalent to configuring the Citrix policy setting Auto-create client printers with the Auto-create all client printers
option.
• XenApp and XenDesktop route all print jobs queued to printers locally attached to end-user devices as client print jobs.
• XenApp and XenDesktop route all print jobs queued to network printers directly from Server OS machines. If XenApp
and XenDesktop cannot route the jobs over the network, they will route them through the end-user device as a redirected
client print job.
• XenApp and XenDesktop use the Windows version of the printer. If the printer driver is not available, XenApp and
XenDesktop attempt to install the driver from the Windows operating system. If the driver is not available in Windows,
they use a Citrix Universal Printer Driver.
• The Universal Print Server is disabled.

Configuring Client Printing


XenApp and XenDesktop policies specify the client printers that are made available for end-user sessions. You can control the
number and type of printers that are made available, along with customizing printer settings and options.
Within client-based printing policies, you can configure options such as client printer auto-creation, client printer redirection,
printer property retention, print mapping, and other settings.

Modifying Client Printer Auto-Creation


The Auto-Creation policy setting specifies the client printers that are auto-created. Auto-creation takes place initially during
the HDX login to the session by mapping drivers in the session. During printer auto-creation, if a new local printer connected
to an endpoint is detected, the machine hosting the session checks for the required printer driver. By default, if a Windows-
Native driver is not available, the Universal Printer Driver is used. This setting overrides the default client printer auto-
creation settings and takes effect only if the Client printer redirection setting is present and set to Allowed.
By default, auto-creation is set to auto-create all printers available on the endpoints. Other Auto-Creation options include:
• Auto-create the client’s default printer only
• Auto-create the local client printers only
• Do not auto-create client printers
If the default setting works for your environment, you do not need to create a policy to configure printer auto-creation.
The more printers that are auto-created, the more memory and CPU overhead is created on the machine hosting the user
session, which can increase end-user login times. In larger environments, where there are many client printers, the default
setting to auto-create all client printers may cause a slower login time.
To compensate and reduce login times, Citrix recommends changing the default auto-creation setting to Auto-create the
client’s default printer only.

To Modify Client Printer Auto-Creation Behavior


1. Log on to a virtual machine that has Citrix Studio and the Group Policy Management feature installed using domain
administrator credentials.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Select the organizational unit to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Users > Human Resources.

4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Human Resources and then click Create a GPO in this domain, and Link it here.

5. Type a name for the new Group Policy Object and then click OK.
Type Print Settings in the Name field and then click OK.

6. Click the OU containing the policy, right-click the GPO to which you want to add settings in the Linked Group Policy
Objects tab and then click Edit.
Click the Human Resources OU, right-click Print Settings in the Linked Group Policy Objects tab, and then click
Edit.

7. Expand User Configuration > Policies > Citrix Policies nodes.


8. Click Edit in the right pane to add settings to the unfiltered Citrix User Policy.

If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.

9. Select the Settings tab to view the available settings.


10. Select a category of settings in the Categories field.
Select Printing > Client Printers in the Categories field.

If you know the name of the category or a word in the name of the setting, you can search for the setting
using the Search field. For example, you could search for Printing or Client Printers, or auto-create.

11. Click Add to the right of the desired setting.


Click Add to the right of the Auto-create client printers setting.

12. Select the desired value for the setting in the Value field and then click OK.
Select Auto-create the client's default printer only and then click OK.

13. Click OK.


14. Close the Group Policy Management Editor.
15. Expand the Group Policy Object OU in the left pane and drag the policy to another OU to which you also want to apply
that policy.

a. Expand the Group Policy Objects OU, select the Print Settings policy, and drag it to the Training Users >
Contractors OU.
b. Click OK in the Group Policy Management message.



This step is only necessary if you want to apply an existing policy to another OU.

Discussion Question
In your environment, you have attempted to configure printer auto-creation. You notice however that when a Windows-
native driver is not available, the Universal print driver is not being used. What could be the problem?

Adding Session Printers


By default, network printers on the end-user device are created automatically at the beginning of sessions, because of the
Auto-Creation setting. The Session Printers setting enables administrators to control the assignment of network printers that
are on the network, but are not defined on the endpoints so Auto-Creation does not apply.
Session printing policies allow administrators to enable proximity printing, where a network printer is assigned to a
session based on the location of the endpoint accessing it. This is typically done using policy filtering based on IP address
locations and requires a well-designed IP mapping within an organization. An example of this might be a doctor who connects
into different machines throughout a hospital, but is always mapped to the printer in the wing of the hospital from which he is
establishing his HDX connection.

To Add Session Printers


1. Log on to a virtual machine that has Citrix Studio and the Group Policy Management feature installed using domain
administrator credentials.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Select the organizational unit to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Users.

4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Training Users and then click Create a GPO in this domain, and Link it here.

5. Type a name for the new Group Policy Object and then click OK.
Type Session Printers in the Name field and then click OK.

6. Click the OU containing the newly created policy, right-click the GPO to which you want to add settings in the Linked
Group Policy Objects tab, and then click Edit.
Click Training Users, right-click Session Printers in the Linked Group Policy Objects tab and then click Edit.

7. Expand User Configuration > Policies > Citrix Policies.


8. Click New in the right pane to launch the New Policy wizard.

If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.

You are creating a new policy so that filters can be applied at a later time should you decide to enable proximity
printing.

9. Type a name for the new policy or leave the field blank and then click Next.
Type Citrix Session Printers in the Name field and then click Next.



10. Type a setting name or a word contained in the setting to filter the Settings list.
Type Session printers in the Search field.

You could also scroll through the categories of settings in the Categories field to find the required setting.

11. Click Add to the right of the desired setting.


Click Add to the right of the Session printers setting.

12. Click Add.


13. Click Browse, go to the location where the network printers are defined, and then click OK.

a. Type \\UPS-1 into the Printer UNC path and then click Browse.
b. Expand Entire Network > UPS-1.
c. Click Accounting to add the Accounting printer.
d. Click OK twice.

You could also type the UNC path to the printer directly into the Printer UNC path field and then click OK.

14. Click OK after all desired network printers are added to the Session printers list.
15. Click Next to go to the Filters screen.
16. Configure any necessary filters and then click Next.
Click Next.

You will not be adding any filters at this time. If you wanted to enable proximity printing, you could assign
session printers to end users based on the Client IP address filter. Session printers are an optimal
configuration for scenarios where users roam between locations using the same device (i.e. laptop) or where
thin clients are used because they do not have the ability to connect to network-based printers directly.
17. Click Create.
18. Close the Group Policy Management Editor.
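Proximity printing, as described above and in the note to step 16, depends on an IP plan in which each client address matches exactly one Client IP address filter. The following added example (not part of the course material and not Citrix policy-engine code) checks such a plan for overlapping and uncovered ranges; the policy names, subnets and every printer except \\UPS-1\Accounting are constructed sample values.

```python
# Check a proximity-printing IP plan and resolve the printer for a client.
# Constructed illustration: it models a Client IP address filter per policy;
# subnets, policy names and the EastWing/WestWing printers are sample values.
import ipaddress

# (policy name, client subnet used as the filter, session printer UNC path)
PLAN = [
    ("Printers - Accounting", "10.10.1.0/24", r"\\UPS-1\Accounting"),
    ("Printers - East Wing", "10.10.2.0/24", r"\\UPS-1\EastWing"),
    ("Printers - West Wing", "10.10.2.128/25", r"\\UPS-1\WestWing"),
]

# Same plan with the East Wing range narrowed so that no two filters overlap.
FIXED_PLAN = [
    ("Printers - Accounting", "10.10.1.0/24", r"\\UPS-1\Accounting"),
    ("Printers - East Wing", "10.10.2.0/25", r"\\UPS-1\EastWing"),
    ("Printers - West Wing", "10.10.2.128/25", r"\\UPS-1\WestWing"),
]


def find_overlaps(plan):
    """Return pairs of policy names whose client subnets overlap."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr, _ in plan]
    overlaps = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((name_a, name_b))
    return overlaps


def printers_for(client_ip, plan):
    """Return every session printer whose filter matches the client address."""
    addr = ipaddress.ip_address(client_ip)
    return [unc for _, cidr, unc in plan if addr in ipaddress.ip_network(cidr)]


def uncovered(client_ips, plan):
    """Return the client addresses that no filter in the plan matches."""
    return [ip for ip in client_ips if not printers_for(ip, plan)]


if __name__ == "__main__":
    print("overlapping filters:", find_overlaps(PLAN))
    print("10.10.2.200 ->", printers_for("10.10.2.200", PLAN))
    print("after fix   ->", printers_for("10.10.2.200", FIXED_PLAN))
    print("no printer  :", uncovered(["10.10.1.5", "10.10.3.7"], FIXED_PLAN))
```

An address that matches more than one filter no longer maps to a single location, and an address that matches none receives no session printer from these policies.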

Managing Printer Drivers


There are three options for managing printer driver usage within XenApp and XenDesktop policies:
• Automatic installation of in-box printer drivers
• Universal Printer Driver preference
• Universal Printer Driver usage
Using these features, you can control the way end-user sessions use specific printer drivers as well as configure the Citrix
Universal Printer driver settings.

Automatic Installation of In-Box Printer Drivers


You have the ability to control the automatic installation of Windows-native printer drivers. If it is necessary to ensure
consistency across Server OS machines and virtual desktops, this can be achieved by disabling the policy setting through
Citrix or Microsoft policies.



To Configure the Automatic Installation of Printer Drivers
1. Log on to a virtual machine that has Citrix Studio and the Group Policy Management feature installed using domain
administrator credentials.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Select the organizational unit to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Users.

4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Training Users and then click Create a GPO in this domain, and Link it here.

5. Type a name for the new Group Policy Object and then click OK.
Type Disable Auto-Install of Printer Drivers in the Name field and then click OK.

6. Click the OU containing the newly created policy, right-click the GPO to which you want to add settings in the Linked
Group Policy Objects tab, and then click Edit.
Click Training Users, right-click Disable Auto-Install of Printer Drivers in the Linked Group Policy Objects tab and
then click Edit.

7. Expand User Configuration > Policies > Citrix Policies.


8. Select Edit to add settings to the unfiltered Citrix User Policy.
9. Select the Settings tab to view the available settings.
10. Type a setting name or a word contained in the setting to filter the Settings list.
Type Automatic or Printers in the Search field.

You could also scroll through the categories of settings in the Categories field to find the required setting.

11. Click Add to the right of the desired setting.


Click Add to the right of the Automatic installation of in-box printer drivers setting.

12. Select the appropriate value for the setting and then click OK.
Select Disabled and then click OK.

13. Click OK.

While you added multiple settings to the unfiltered Citrix User Policy in previous procedures, the reason that
you do not see them now is because they were applied to a different OU in the environment.

14. Close the Group Policy Management Editor.

Configuring Printer Driver Mapping and Compatibility


Each client provides information about client-side printers during logon, including the printer driver name. During client
printer auto-creation, Windows server printer driver names are selected; these names correspond to the printer model names
provided by the client. The auto-creation process then uses identified, available printer drivers to construct redirected client
print queues.
When you define these rules, you can allow or prevent printers from being created with the specific driver. Additionally, you
can allow created printers to use only the Universal Printer Driver.
You can add a driver mapping, edit an existing mapping, or override custom settings.



To Configure Printer Driver Mapping and Compatibility
1. Log on to a virtual machine that has Citrix Studio and the Group Policy Management feature installed using domain
administrator credentials.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Browse to the OU containing the Group Policy Objects.
Expand Forest: training.lab > Domains > training.lab > Group Policy Objects.

4. Right-click the policy to which you want to add new settings and then click Edit.
Right-click the Print Settings policy and then click Edit.

5. Expand User Configuration > Policies > Citrix Policies.


6. Select Edit to add settings to the unfiltered Citrix User Policy.

If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.

7. Select the Settings tab to view the available settings.


8. Type a setting name or a word contained in the setting to filter the Settings list.
Type Printer driver mapping in the Search field.

You could also scroll through the categories of settings in the Categories field to find the required setting.

9. Click Add to the right of the desired setting.


Click Add to the right of the Printer driver mapping and compatibility setting.

10. Specify the desired values for the setting.

a. Click Add to configure driver mapping.


b. Type HP PhotoSmart D-110 in the Driver Name field.
c. Select Replace with.
d. Type HP PhotoSmart 220X in the Replace with field.
e. Click OK.

You could also click the Find Driver button to search for the desired printer driver. If you have printer drivers
already configured, you can use those drivers.

11. Click OK twice after all settings have been configured.

The new setting in the unfiltered policy is displayed in the Active Settings pane of the Group Policy
Management Editor.

12. Close the Group Policy Management Editor.

Universal Printer Driver


To simplify printing in XenApp and XenDesktop environments, Citrix recommends the use of the Citrix Universal Printer
Driver (UPD). The Universal Printer Driver is a device-independent driver that supports any print device and thus simplifies
administration by reducing the number of drivers required. The Universal Printer Driver supports advanced printer
functionality, such as stapling and sorting, and does not limit color depth.
The UPD consists of two components:
• Server component: On a XenApp and XenDesktop-based virtual desktop, the Citrix UPD is installed as part of the
XenApp and XenDesktop VDA installation. When a print job is initiated, this driver records the output of the application
and sends it, without any modification, to the end-user device with the ICA/HDX connection.
• Client component: The client component of the Citrix UPD is installed as part of the Citrix Receiver installation. It
receives the incoming print stream for the virtual desktop and forwards it to the local printing subsystem where the print
job is rendered using the device-specific printer driver.
The diagram shows the UPD components and a typical work flow for a printer locally attached to a device.

Controlling Universal Printing Behavior


Universal Printing behavior is controlled by configuring policies to optimize processing, print quality, and compression limit
settings. Using these features you can streamline items such as the transfer of printer traffic and the spooling process.

Optimizing Print Job Routing


In a XenApp and XenDesktop environment, you can control how print jobs destined for network printers are routed using
policies. Jobs can take two paths to a network printing device, the client printing pathway or the network printing pathway. If
the job is being routed to the endpoint, the print job is sent using the HDX (ICA) protocol (client printing pathway). If the
job is being routed directly to the print server, the print job is sent using RPC over SMB (network printing pathway). If you
want to manage printing bandwidth or compression, the print job must be sent using the HDX (ICA) protocol. There is no
Citrix policy that controls the bandwidth or compression when a print job is sent using Microsoft's network printing.



The client printing pathway (dashed line) takes a print job from the virtual desktop using a virtual channel in the HDX
protocol and sends it to the endpoint where it is removed from the HDX packet and forwarded via TCP/IP onto the print
server. This behavior must be configured in a policy. If it is not configured, XenApp and XenDesktop route the print jobs
directly to the print server (solid line).
Routing jobs along the network printing pathway (solid line) is ideal for fast local networks and when you want users to have
the same end-user experience that they have on their local endpoint (that is, when you want the printer names to appear the
same in every session). However, print jobs relayed using the network printing pathway are not suitable for WANs unless the
job is being routed to a Universal Print Server which compresses the job by up to 90%. The routing of print jobs to a non-
Universal Print Server using the network printing pathway uses more bandwidth than using the client printer pathway.
Consequently, end users might experience latency while the print jobs are printing over the WAN when a non-Universal
Print Server is being used. Also, the print job traffic from the server to the print server is treated as regular network traffic,
competing with normal HDX (ICA) traffic. When printing across a WAN, you should keep the printer traffic in the HDX
(ICA) packet printer channel when printing to a non-Universal Print Server.
If XenApp and XenDesktop and the print server are on different domains, XenApp and XenDesktop automatically route the
print job through Receiver (client printing pathway).
HDX (ICA) can use multiple virtual channels. When print jobs are delivered over an HDX (ICA) virtual channel, other
virtual channels (such as video) may compete for bandwidth leading to decreased performance. To prevent this, you can
create a policy to manage the printer bandwidth in the virtual channel. Printer bandwidth limits can be set using the
following settings:
• The Printer redirection bandwidth limit setting specifies the fixed bandwidth that is used for printing in kilobits per
second (kbps).
• The Printer redirection bandwidth limit percent setting specifies a percentage of the available bandwidth that is used
for printing.
The printing virtual channel will consume bandwidth only when a print job is being sent.

Optimizing Printing Performance


To optimize printing performance, use the Universal Print Server and Universal Printer Driver. The following policies control
printing optimization and compression:
• Universal printing optimization defaults
• Desired image quality
• Enable heavyweight compression
• Image and Font caching
• Allow non-administrators to modify these settings
• Universal printing image compression limit
• Universal printing print quality limit
• Printer redirection bandwidth limit
• Printer redirection bandwidth limit percent



To Configure Printing Optimization
1. Log on to a virtual machine that has Citrix Studio and the Group Policy Management feature installed using domain
administrator credentials.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Browse to the OU to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Users.

4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click the Training Users and then click Create a GPO in this domain, and Link it here.

5. Type a name for the new policy and then click OK.
Type Printer Optimizations in the Name field and then click OK.

6. Right-click the policy in the Linked Group Policy Objects tab and then click Edit.
Right-click the Printer Optimizations policy and then click Edit.

7. Expand User Configuration > Policies > Citrix Policies.


8. Select Edit to add settings to the unfiltered Citrix User Policy.

If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.

9. Select the Settings tab to view the available settings.


10. Type a setting name or a word contained in the setting to filter the Settings list.
Type Universal or Printing in the Search field.

You could also scroll through the categories of settings in the Categories field to find the required setting.

11. Click Add to the right of the desired setting.


Click Add to the right of the Universal printing optimization defaults setting.

12. Specify the desired values for the setting.


Select Reduced quality (maximum compression) in the Desired image quality field, select Enable heavyweight
compression, and then click OK.

13. Click Add to the right of the desired setting.


Click Add to the right of the Universal printing print quality limit setting.

14. Select the desired option from the Value field.


Select Medium Resolution (600 DPI).

15. Click OK twice after all settings have been configured.

The new settings in the unfiltered policy are displayed in the Active Settings pane of the Group Policy
Management Editor.

You added multiple settings to the unfiltered Citrix User Policy in previous procedures, but you do not see
them now because they were applied to a different OU in the environment.

16. Close the Group Policy Management Editor.

Discussion Question
End users are experiencing substantial network latency when attempting to print high quality images used for marketing
campaigns. What policies should be adjusted or implemented to resolve this? Which policies would you want to avoid?

Setting Up and Managing the Universal Print Server


The Universal Print Server provides universal printing support for network printers. The Universal Print Server uses the
Universal Printer Driver, which is installed with XenApp and XenDesktop.

Citrix recommends the Citrix Universal Print Server for remote print server scenarios. The Universal Print Server
transfers the print job over the network in an optimized and compressed format, thus minimizing network use
and improving the end-user experience.

To Set Up and Manage the Universal Print Server


1. Log on to a virtual machine that has Citrix Studio and the Group Policy Management feature installed using domain
administrator credentials.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Browse to the OU to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Virtual Desktops.

4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click the Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.

5. Type a name for the new policy and then click OK.
Type Universal Printing in the Name field and then click OK.

6. Right-click the policy in the Linked Group Policy Objects tab and then click Edit.
Right-click the Universal Printing policy and then click Edit.

7. Expand Computer Configuration > Policies > Citrix Policies.

Ensure that you select Computer Configuration in this step.

8. Select Edit to add settings to the unfiltered Citrix User Policy.

If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.

9. Select the Settings tab to view the available settings.


10. Type a setting name or a word contained in the setting to filter the Settings list.
Type Print Server in the Search field.

You could also scroll through the categories of settings in the Categories field to find the required setting.

11. Click Add to the right of the desired setting.


Click Add to the right of the Universal Print Server enable setting.

12. Specify the desired values for the setting and then click OK.
Select Enabled with fallback to Windows' native remote printing in the Value field and then click OK.

13. Click OK after the settings have been configured.

The new settings in the unfiltered policy are displayed in the Active Settings pane of the Group Policy
Management Editor. You added multiple settings to the unfiltered Citrix User Policy in the previous
procedure, but you do not see them now because this policy setting is a Citrix Computer Policy
rather than a Citrix User Policy.

14. Close the Group Policy Management Editor.

Troubleshooting: Managing Printing

Issue: Cannot update printer drivers.
Resolution: Citrix recommends that you never update a printer driver. Always uninstall a driver, restart the print server, and install the replacement driver. This helps ensure consistency and decreases the chance that issues with existing drivers are transferred to the updated drivers.

Issue: Printers that are no longer used or no longer exist are being created.
Resolution: Verify that all unused drivers are uninstalled to prevent this.

Issue: The Universal Print Server does not appear.
Resolution:
• Verify that the Universal Print Server is enabled.
• Ensure that the operating system is Windows Server 2008 or later.

Reinforcement Exercise: Managing Printing


During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked
to use what you have just learned to complete it. This exercise is designed to take your newly-acquired knowledge
and determine if you can perform a task you have never done before. In most instances the default value will be
the best choice, but we encourage you to explore and try things out. If you have a question or need help, ask the
instructor or a fellow student for assistance.

In this module, you learned how to:
• Manage printers using policies.
• Add session printers.
• Map and install printer drivers.
• Customize and optimize printing performance.
• Manage the Universal Print Server.
Time to complete: Approximately 45 minutes
Your manager at Training has tasked you with creating the following policies in Citrix Studio. To complete your objective,
create the following policies:
• Local Users Print
• Universal printing image compression limit - no compression
• Default printer: \\UPS-1\Accounting
• Wait for printers to be created - enabled
• Apply it to the Office Apps delivery group
• Satellite Office Users Print
• Automatic installation of in-box printer drivers disabled
• Universal printing image compression limit to reduced quality
• Default printer \\UPS-1\Color Laser Printer
• Apply it to the Win8-Accounting delivery group.
• Contractor NY Print
• XPS Universal Printer driver to a higher priority
• Client printer redirection prohibited
• Retained and restored printers prohibited
• Apply it to the TRAINING\Contractor-NY users group
• Contractor Miami Print
• Client default printer only auto create
• Automatic installation of in-box printer drivers disabled
• Apply it to the Contractor-Miami users group
• Unfiltered
• Computer policy with universal print server enabled (Windows fallback)
• 200 kbps Print Server bandwidth limit
• Ensure the Satellite Office Users Print policy has a higher priority than the Local Users Print policy.

Remember to use the RSOP wizard to verify settings.

Module 8

Setting Up and Managing Provisioning Services

Overview
Overview
Provisioning Services allows multiple virtual machines to start up from the same virtual disk (vDisk). This many-to-one
relationship simplifies disk management and storage requirements. Provisioning Services improves the scalability of the
environment by allowing the instant provisioning of resources on demand.
After completing this module, you will be able to:
• Install and configure Provisioning Services.
• Install the Provisioning Services Console.
• Configure DHCP Options 66 and 67.
• Configure the bootstrap file for high availability.
• Create a vDisk and assign it to a target device.
• Create a machine catalog from Provisioning Services.
• Create a Delivery Group for the machine catalog created with Provisioning Services.
Module Timing: 5.0 hours

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• Controller-2 = On
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off

MCS versus PVS


Provisioning Services works differently than Machine Creation Services to provide resources to users. Provisioning Services
allows computers to be provisioned and re-provisioned in real-time from a single shared vDisk. In doing so, administrators
can completely eliminate the need to manage and update individual systems. Instead, all image management is done on the
master vDisk. The local hard-disk drive of each system may be used for runtime data caching or, in some scenarios, removed
from the system entirely, which reduces power usage, system failure rates, and security risks.

MCS and PVS are two mechanisms that do basically the same thing in different ways. While MCS is all about storage, PVS
relies on the network. With PVS, you start off with a Master Target Device, capture the disk as a new vDisk, and then target
devices use the vDisk. The AD identity comes from an additional disk in MCS, while PVS uses database entries for this.
The Provisioning Services infrastructure is based on software-streaming technology. After installing and configuring
Provisioning Services components, a vDisk can be created by imaging a hard disk that contains the operating system with
applications installed to a vDisk file on the network. A device that is used to create the vDisk is called the Master Target
Device. The devices that use the vDisk are called target devices. Writes with MCS are saved to a Differencing Disk, while
writes with PVS are saved to a Write Cache.
The target device downloads a boot file from a Provisioning Services server, and then uses that boot file to start. Based on the
device boot configuration settings, the appropriate vDisk is located, and then mounted on the Provisioning Services server.
The software on the vDisk is streamed by the Provisioning Services server to the target device as needed. To the target device,
it appears like a regular hard drive.
Instead of immediately pulling all of the vDisk contents down to the target device (as is done with traditional or imaging
deployment solutions), the data is brought across the network in real-time, as needed. This approach allows a target device to
get a completely new operating system and set of software in the time it takes to restart, without requiring an administrator to
visit the endpoint. This approach dramatically decreases the amount of network bandwidth required by traditional disk
imaging tools, making it possible to support a larger number of target devices on the network without impacting overall
network performance.

Provisioning Services Architecture

Provisioning Services can be explained using a hard drive controller card replacement analogy:
1. Target device A powers on and uses TFTP to download a driver called the bootstrap file (ARDBP32.BIN). This driver
provides the target device with the connection required to get its vDisk (virtual hard drive).
2. Target device A uses the bootstrap file to request that Provisioning Services send the boot sector from the vDisk.
3. Provisioning Services accesses the vDisk from storage and dynamically merges the boot sector with the SQL Server data
to apply the appropriate SID based on the MAC address of the target device.
4. As the target device starts up, further requests for additional sectors from the vDisk are handled in the same way, but
I/O requests are made directly to the vDisk. With Provisioning Services, the entire vDisk is not streamed to the target
device. Instead, sectors are sent to the target device as needed.

Discussion Question
What is meant by the terms Master Target Device and target device?

Setting Up a Provisioning Services Server


A Provisioning Services server is used to stream vDisk sectors to target devices as needed. In some implementations, vDisks
reside directly on the Provisioning Services server. In larger implementations, Provisioning Services servers access the vDisk
from a shared-storage location on the network.
Provisioning Services servers use an SQL Server database to store and retrieve configuration information.

Creating a Service Account for Provisioning Services


A service account is used by two services in Provisioning Services: the Citrix PVS SOAP Server and the Citrix PVS Stream
Service. The service account can be a local system account, network service account, or a named user account. The service
account is not required for installation.

Creating a Share for the Store


Provisioning Services requires at least one store to provide booting target devices with a vDisk. A store is the logical name for
the physical location of PVS vDisks or golden images. The Provisioning Services service account must be granted
read/write/create privileges to the store share.
When vDisks are created in the Provisioning Services Management Console, they are assigned to a store. Within a site, one or
more Provisioning Services servers are given permission to access a store in order to serve vDisks to target devices. A
Provisioning Services server checks the database for the store name and the physical location where the vDisk resides, in
order to provide a vDisk to the target device.

In a highly available implementation, if the active Provisioning Services server in a site fails, the target device can get its vDisk
from another Provisioning Services server that has access to the store and permissions to serve the vDisk.
There are three locations where administrators can place the store: local storage on the Provisioning Services server, local
storage on multiple Provisioning Services servers with replication, and shared storage like a SAN or SMB share.

The following considerations explain the locations to choose for the vDisk Store:

Diagram Label 1
vDisk Store Location: The vDisk Store can be placed on the local storage of the Provisioning Services Server.
Considerations: The vDisks reside on a local folder on a single PVS server. High availability is not supported with this model.

Diagram Label 2
vDisk Store Location: The vDisk Store can be placed on the local storage of multiple Provisioning Services Servers with the latest version of each vDisk replicated across the servers.
Considerations: In order to support high availability, these replicated vDisks must be identical. Replication can be done manually or using solutions like DFS replication. Note that the *.vhd, *.avhd, and *.pvp files for each vDisk should be replicated, but not *.lok which specifies its location.

Diagram Label 3
vDisk Store Location: The vDisk can be placed on shared storage.
Considerations: This model requires a single vDisk without replication, but requires shared storage.

To Create the Share for the Store


The following steps are provided for informational purposes only and are not to be performed in the lab
environment.

1. Log on to the file server where the share will be created using domain administrator credentials.
Log on to FileServer-1 using the TRAINING\Administrator and Password1 credentials.

2. Click File and Storage Services in the left pane of the Server Manager and then click Shares.
3. Click Tasks in the center pane and then select New Share.
4. Select a File share profile and then click Next.
Verify SMB Share - Quick is selected and then click Next.

5. Select the drive on the file server where the share will be created and then click Next.
Select E: in the Select by volume section and then click Next.

6. Type a descriptive name for the share in the Share name field and then click Next.
Type vDisks in the Share Name field and then click Next.

7. Deselect Allow caching of share and then click Next on the Configure Share Settings screen.

8. Click Customize permissions and then configure the permissions for the share.
Click Customize permissions, click Disable inheritance, and then click Remove all inherited permissions from this
object.

9. Click Add, click Select a principal, type System, click Check Names, and then click OK to add a principal to the share.
10. Select Full Control and then click OK.
11. Click Add, click Select a principal, type the name of the service account created for Provisioning Services, click Check
Names, and then click OK to add a principal to the share.
Click Add, click Select a principal, type PVS_svc, click Check Names, and then click OK.

12. Select Full Control and then click OK.


13. Click OK and then click Next.
14. Click Create and then click Close.
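
The same share scripted in PowerShell on the file server, as an added example that is not part of the course material. The folder path E:\Shares\vDisks is an assumption (the procedure names only the volume), and limiting the share-level permissions to the same two principals goes one step beyond the procedure.

```powershell
# Added example, not part of the course: create the vDisks share with the permissions
# described in steps 7 to 12. Run in an elevated session on the file server.
# Assumption: folder path E:\Shares\vDisks (the course gives only the volume, E:).
$Path    = 'E:\Shares\vDisks'
$Share   = 'vDisks'
$Account = 'TRAINING\PVS_svc'          # service account used in the lab

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS permissions: disable inheritance and discard the inherited entries (step 8),
# remove any explicit entries left from an earlier run, then grant Full Control
# to SYSTEM and to the service account only (steps 9 to 12).
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}
foreach ($principal in 'NT AUTHORITY\SYSTEM', $Account) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# SMB share: offline caching disabled (step 7). Share-level access is limited to the
# same two principals, which is stricter than the wizard default and is an addition here.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path -CachingMode None `
        -FullAccess 'NT AUTHORITY\SYSTEM', $Account | Out-Null
}

# Review both permission layers before pointing a store at the share.
Get-SmbShareAccess -Name $Share |
    Select-Object AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```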

Write Cache Considerations


When the Provisioning Services vDisk is in standard image mode, a write cache is required to store any machine writes. The
write cache location is flexible and can be placed in several places: Target Device hard drive, Target Device RAM, Target
Device RAM with overflow to hard drive, or on the Provisioning Services server.

The following considerations explain the locations to choose for the Write Cache:

Diagram Label 1
Write Cache Location: The Write Cache can be placed on the target device hard drive.
Considerations: This option limits the network communication to reads only on the standard vDisk. This option requires no additional software to enable this feature. In this case the write cache file is temporary.

Diagram Label 2
Write Cache Location: The Write Cache can be placed on the target device RAM.
Considerations: This option frees up the Provisioning Services Server and limits the network communication to reads only on the standard vDisk. This option provides the fastest method of disk access since memory access is always faster than disk access. It requires sufficient memory for the machine to remain operational.

Diagram Label 3
Write Cache Location: The Write Cache can be placed on the target device RAM with overflow on hard disk (only available for Windows 7 and Server 2008 R2 and later).
Considerations: This option frees up the Provisioning Services Server and limits the network communication to reads only on the standard vDisk. This option uses target device paged pool memory when it is available and overflows the write cache to the local disk when required. This option allows for optimal performance without a large memory requirement.

Diagram Label 4
Write Cache Location: The Write Cache can be placed on the Provisioning Services Server disk.
Considerations: In this option both reads and writes are handled by the Provisioning Services Server, which causes an increase in disk I/O and network traffic. The write cache on server disk is temporary between server reboots.

Diagram Label 4
Write Cache Location: The Write Cache can be placed on the Provisioning Services Server disk persisted.
Considerations: In this option both reads and writes are handled by the Provisioning Services Server, which causes an increase in disk I/O and network traffic. The write cache on server disk is persistent between reboots.

Citrix leading practice is to use the RAM cache with overflow to the hard disk method for storing the write cache whenever
possible.

Reference the following URL for more information on write cache locations:
http://docs.citrix.com/en-us/provisioning/7-6/pvs-product-wrapper-6-2/pvs-technology-overview-write-cache-intro.html.

Discussion Question
Where can vDisks be stored for use with Provisioning Services?

Creating Windows Firewall Exceptions


Provisioning Services uses UDP and TCP for the following communications:
• Provisioning Services server to Provisioning Services server - at least five ports must exist in the port range selected. Ports
must be selected from the following range: UDP ports 6890 - 6909.
• Provisioning Services server to target devices over the Stream Service: UDP ports 6910 - 6930. UDP ports 6910-6912 are
reserved for Provisioning Services.
• Target devices to Provisioning Services servers: UDP 6901, 6902, 6905. These ports cannot be changed.
• Target device communications with the write cache: UDP ports 10802 - 10803.
• Provisioning Services Console communications via the SOAP Server: TCP ports 54321 - 54322.
• TFTP communications: UDP port 69.
• TSB Boot Device Manager communications: UDP port 6969.
• PXE (DHCP) communications: UDP port 67.
• Alternate boot service: UDP port 4011.
To enable Provisioning Services communications, you must open up these inbound ports on the firewalls of the servers
hosting these components. You can open these ports manually on each server or use a group policy to simplify the process.
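
One way to open the ports listed above on a Provisioning Services server with Windows PowerShell, as an added example that is not part of the course material. Each rule is limited to the Domain profile and to the peers that need the port, because TFTP and the boot services accept requests without authentication. The address ranges, the second server address, and the rule and group names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the course: inbound Windows Firewall rules for a
# Provisioning Services server, built from the port list in the text.

# Assumed address scopes. Only 192.168.10.31 (the lab's PVS server) comes from the course.
$Scope = @{
    PvsServers    = @('192.168.10.31', '192.168.10.32')
    TargetDevices = @('192.168.10.0/24')
    Consoles      = @('192.168.10.0/24')
    Any           = @('Any')
}
$Group = 'Provisioning Services (example)'   # assumed group name, used to find the rules again

$Rules = @(
    @{ Name = 'Server to server';         Protocol = 'UDP'; Ports = '6890-6909';            From = 'PvsServers' }
    @{ Name = 'Target devices to server'; Protocol = 'UDP'; Ports = '6901', '6902', '6905'; From = 'TargetDevices' }
    @{ Name = 'Stream Service';           Protocol = 'UDP'; Ports = '6910-6930';            From = 'TargetDevices' }
    @{ Name = 'Write cache';              Protocol = 'UDP'; Ports = '10802-10803';          From = 'TargetDevices' }
    @{ Name = 'Console (SOAP Server)';    Protocol = 'TCP'; Ports = '54321-54322';          From = 'Consoles' }
    @{ Name = 'TFTP';                     Protocol = 'UDP'; Ports = '69';                   From = 'TargetDevices' }
    @{ Name = 'TSB Boot Device Manager';  Protocol = 'UDP'; Ports = '6969';                 From = 'TargetDevices' }
    # A booting client has no address yet (its DHCP request comes from 0.0.0.0),
    # so this rule cannot be narrowed by remote address.
    @{ Name = 'PXE (DHCP)';               Protocol = 'UDP'; Ports = '67';                   From = 'Any' }
    @{ Name = 'Alternate boot service';   Protocol = 'UDP'; Ports = '4011';                 From = 'TargetDevices' }
)

foreach ($r in $Rules) {
    $display = "PVS - $($r.Name)"
    # Idempotent: replace an earlier copy of the rule instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $display -Group $Group `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Protocol -LocalPort $r.Ports `
        -RemoteAddress $Scope[$r.From] | Out-Null
}

# Review what was created: protocol, ports and remote scope for every rule in the group.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $port.Protocol
        Ports    = $port.LocalPort -join ','
        Remote   = $addr.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

Install only the rules for the components a given server actually hosts; in the lab, for example, DHCP and PXE run on another computer.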

Discussion Question
Why does Provisioning Services use UDP for Citrix Streaming Services?

Installing Provisioning Services


Provisioning Services streamlines the management of vDisk images and provides scalability of the XenApp and XenDesktop
environment. For example, after configuring a Server OS machine to host applications, you can easily use that machine as a
Master Target Device to create a vDisk that can expand to multiple instances instantly using Provisioning Services.
Provisioning Services consists of two required services: the Citrix PVS SOAP Server and the Citrix PVS Stream Service. TFTP
is an optional service that can be installed if an existing TFTP server is not currently implemented in the environment. TFTP
is only used to deliver the ARDBP32.BIN file to the target device that is starting up. The difference between FTP (File
Transfer Protocol) and TFTP (Trivial File Transfer Protocol) is that FTP runs over TCP and TFTP runs over UDP.
The Citrix PVS SOAP Server is the management service that enables administrative functionality and communication with the
database. The Citrix PVS Stream Service uses the UDP protocol to deliver requested sectors of a vDisk to the target device.

To Install Provisioning Services


1. Right-click the first Provisioning Services VM, click Start, and then click Console.
Right-click ProvisioningServicesHost-1, click Start, and then click Console.

2. Log on to the first Provisioning Services VM using domain administrator credentials.


Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

3. Insert the Provisioning Services installation media in the DVD drive.


Select Citrix_ProvisioningServices_7_6_English.ISO in the DVD Drive 1 field.

4. Click the File Explorer icon.


5. Click This PC and then double-click CD Drive (D:).

If the installation wizard does not start, double-click autorun.

6. Select Server Installation in the wizard window.


7. Click Install to begin the installation of Provisioning Services.
8. Click Yes in the message to install SQLncx64, if it is presented.

SQLncx64 is the SQL native client and is required if you are using database mirroring. If the SQL native client
is already on the system, you will not be presented with this message.

9. Wait for the Citrix Provisioning Services wizard to appear and then click Next.

If the wizard does not appear on the screen, check the taskbar.

10. Read and respond to the license agreement.


Select I accept the terms in the license agreement and then click Next.

11. Specify your customer information, determine for whom the application will be installed, and then click Next.
Click Next to accept the default information.

12. Specify a destination folder and then click Next.


Click Next to accept the default Destination folder.

13. Click Install to begin the installation.
14. Click Finish.
15. Click OK in the message concerning the PVS Console.
16. Click Next in the Provisioning Services Configuration wizard screen.
17. Specify where DHCP is running and then click Next.
Select The service that runs on another computer and then click Next.

DHCP will be used to provide instructions for starting vDisks from the network. Options 66/67 contain the
settings required for PXE booting. Options 66/67 are configured within the DHCP Manager.

18. Specify where the PXE Service is running and then click Next.
Select The service that runs on another computer and then click Next.

19. Decide whether to create a new farm or join an existing farm and then click Next.
Select Create farm and then click Next.

If this is the first Provisioning Services server in the environment, you must create a new farm.

20. Specify, in the Server name field, the name of the database server that will host the Provisioning Services database and
then click Next.
Type SQL-1 in the Server name field and then click Next.

21. Specify a name for the Provisioning Services database and a name for the farm.
Type PVS_db in the Database name field and then verify that Farm is specified in the Farm name field.

22. Specify a site name and a collection name.


Verify that Site is specified in the Site name field and Collection is specified in the Collection name field.

23. Determine which groups will be used for security and then click Next.
Verify that Use Active Directory groups for security and training.lab/Builtin/Administrators are selected, and then
click Next.

24. Type a name for the Provisioning Services store.


Verify that Store is specified as the store name.

25. Specify where the vDisks will be stored.


Type \\FS-1\vDisks in the Default path field and then click Next.

vDisks must be stored in a shared directory if multiple Provisioning Services servers will access the same vDisk
simultaneously. You created the \\FS-1\vDisks share earlier in this module.

26. Specify the license server in the License server name field.
Type Licenses.citrixvirtualclassroom.com.

27. Select Validate license server version and communication and then click Next.

28. Select the account to use for the Stream Services and SOAP Server and then click Next.

a. Select Specified user account.


b. Type PVS_svc in the User name field.
c. Type training.lab in the Domain field.
d. Type Password1 in the password fields.
e. Click Next.

29. Verify that Automate computer account password updates is selected and then click Next.

This ensures that Provisioning Server resets the Active Directory computer accounts of the provisioned
endpoints before the computer accounts expire in Active Directory.

30. Specify the network card to be used for streaming and management, specify the ports to use, and then click Next.
Verify that 6890 is specified as the First communications port, 54321 is specified as the Console port, and then click
Next.

You will use the network cards on this Provisioning Services server (192.168.10.31) in the lab environment.

31. Select Use the Provisioning Services TFTP service and then click Next.
32. Specify the boot servers that target devices can contact to complete their start up process and then click Next.
Click Next to accept the default Stream Servers Boot List.

33. Verify that Automatically Start Services is selected and then click Finish.
34. Click OK in the Windows Firewall message.

The message will always appear even if the firewall is turned off.

35. Wait while the configuration completes and then click Done.
36. Click the Server Manager icon in the taskbar of the Provisioning Services server and then click Tools > Services.

Service startups can fail in high-latency environments. You should configure the following Recovery settings
for the Citrix PVS SOAP Server, Citrix PVS Stream Service, and Citrix PVS TFTP Service to ensure that these
services start.

37. Right-click Citrix PVS SOAP Server and then click Properties.
38. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
39. Right-click Citrix PVS Stream Service and then click Properties.
40. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
41. Right-click Citrix PVS TFTP Service and then click Properties.
42. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
43. Close the Services window.

Discussion Question
How does Provisioning Services simplify the management of updating target devices?

Granting Database Permissions
Before installing the Provisioning Services Console, the service account specified for use with the Provisioning Services Stream
Service and SOAP Service must be configured with db_datareader and db_datawriter permissions to the database. This is
done automatically by the XenApp and XenDesktop Configuration wizard, if the service account has securityadmin
permissions.

The service account configured to access the database does not have securityadmin permissions in the lab
environment, so you must perform the following procedure.

To Grant Database Permissions to the Service Account


1. Log on to the first SQL Server using domain administrator credentials.
Log on to SQLServer-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type SQL Server Management Studio, and then click SQL Server Management Studio.
If SQL Server Management Studio does not appear in the Start menu, you probably did not install SQL Server using
the TRAINING\Administrator account. You should log off and log on again using the credentials used to install SQL
Server.

3. Select the first SQL Server in the Server name field and then click Connect.
Select SQL-1 in the Server name field and then click Connect.

4. Double-click the first SQL Server and then double-click Security > Logins in the left pane.
Double-click SQL-1 > Security > Logins.

If SQL-1 does not appear in the left pane, click Connect above the left pane, select Database Engine, select
SQL-1 in the Server name field, and then click Connect.

5. Right-click Logins and then click New Login.


6. Click Search.
7. Click Object Types, verify that Users is selected, and then click OK.
8. Click Locations, double-click Entire Directory and the domain name, and then click OK.
Click Locations, double-click Entire Directory > training.lab, and then click OK.

9. Specify the service account, click Check Names, and then click OK.
Type PVS_svc, click Check Names, and then click OK.

10. Click Server Roles in the left pane and then verify public is selected in the right pane to grant server-wide security
privileges to the specified user.
11. Click User Mapping in the left pane, select the database, and then select db_owner.
Click User Mapping, select PVS_db, and then select db_owner for the role membership.

Public must remain selected.

12. Click OK.


13. Verify that the service account appears in the Security > Logins node.
Click Security > Logins and verify that TRAINING\PVS_svc appears.

14. Close the Microsoft SQL Server Management Studio.

192 Module 8: Setting Up and Managing Provisioning Services


Installing the Provisioning Services Console
The Provisioning Services Console is an MMC snap-in used to manage the sites, Provisioning Services servers, target devices,
target device collections, and the lifecycle of the vDisk images. To install the console on a system, PowerShell 2.0 must be
available on that system. In addition, the SOAP Server must be running on a Provisioning Services server in order to
communicate with the console.

To Install the Provisioning Services Console


1. Log on to the first Provisioning Services VM using domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

2. Insert the Provisioning Services installation media in the DVD drive.


Select Citrix_ProvisioningServices_7_6_English.ISO in the DVD Drive 1 field.

3. Click the File Explorer icon.


4. Click This PC and then double-click CD Drive (D:).

If the installation wizard does not start, double-click autorun.

5. Select Console Installation in the wizard window.


6. Click Next in the wizard.
7. Read and respond to the license agreement.
Select I accept the terms of the license agreement and then click Next.

8. Specify customer information, determine for whom the application will be installed, and then click Next.
Click Next to accept the default information.

9. Select a destination folder and then click Next.


Click Next to accept the default destination folder.

10. Determine which components will be installed and then click Next.
Verify that Complete is selected and then click Next.

11. Click Install to begin the installation of the Provisioning Services Console.
12. Click Finish.
13. Click Exit.
14. Click Eject to eject the installation media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services media.

Discussion Question
The Console uses the SOAP Server to communicate with which two components of the Provisioning Services
implementation?



Configuring Boot from Network

When a target device is turned on, it is set to start from the network and to communicate with a Provisioning Services host.
The target device downloads the startup file from a TFTP server, and then the target device starts up. Based on the device
start up configuration settings, the appropriate vDisk is located, and then mounted by a Provisioning Services host. The
software on that vDisk is streamed to the target device, as needed.
Instead of immediately pulling all the vDisk content down to the target device, the data is brought across the network in real
time, as needed. The Provisioning Services host provides blocks of data from the vDisk as they are requested by the operating
system, in the same way that the operating system would normally request them from its hard drive. This approach allows a
target device to load a completely new operating system and software from the vDisk in the time it takes to restart. This
approach requires dramatically less network bandwidth than traditional disk imaging tools, making it
possible to support a larger number of target devices on your network without impacting overall network performance,
although a dedicated storage network could be required for larger implementations.
An alternate method of network startup is available via Boot Device Manager. With Boot Device Manager, a small partition
can be automatically created on the vDisk (VHD) file by Provisioning Services. The small partition contains all of the
information needed to start the target device. The Boot Device Manager can also be used to create an ISO file which can be
loaded into the machine's CD tray to boot from CD-ROM.

To Configure DHCP (Options 66 and 67) for PXE Booting


1. Log on to the VM hosting the DHCP server role using domain administrator credentials.
Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Tools > DHCP in Server Manager to open the DHCP console.
3. Double-click the server name and then double-click IPv4 > Server Options.
Double-click ad.training.lab and then double-click IPv4 > Server Options.

4. Right-click Server Options and then click Configure Options.


5. Select 066 Boot Server Host Name in the Available Options list on the General tab.
6. Type the IP address of the TFTP server in the String value field.
Type 192.168.10.31 in the String value field.

This is the IP address of the Provisioning Services server in our lab environment.

7. Select 067 Bootfile Name in the Available Options list on the General tab.
8. Type ARDBP32.BIN in the String value field and then click OK.



9. Close the DHCP console.
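
To confirm that clients actually receive the values entered in steps 6 and 8, a DHCP reply captured on the lab network can be parsed and compared with them; a mismatch points to a misconfigured scope or to a different DHCP server answering on the segment. The following Python code is an added example, not part of the course material. The sample reply is constructed in the code and the function names are illustrative.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_OVERLOAD, OPT_MSG_TYPE = 0, 52, 53
OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 66, 67, 255

# Values the lab procedure types into options 066 and 067.
EXPECTED = {"tftp_server": "192.168.10.31", "bootfile": "ARDBP32.BIN"}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_bytes} from the options area of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or wrong magic cookie)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError(f"option {code} has no length byte")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the packet")
        # RFC 3396: an option that appears more than once is concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def boot_settings(packet: bytes) -> dict:
    """Extract the TFTP server and boot file name carried by a DHCP reply."""
    opts = parse_dhcp_options(packet)
    # The fixed BOOTP 'sname' and 'file' fields can carry the same information.
    # If option 52 (overload) is present they may hold options instead, so
    # this example ignores both fields in that case.
    overloaded = OPT_OVERLOAD in opts
    sname = b"" if overloaded else packet[44:108].split(b"\x00", 1)[0]
    bootf = b"" if overloaded else packet[108:236].split(b"\x00", 1)[0]
    server = opts.get(OPT_TFTP_SERVER, sname).rstrip(b"\x00")
    bootfile = opts.get(OPT_BOOTFILE, bootf).rstrip(b"\x00")
    return {
        "tftp_server": server.decode("ascii", "replace"),
        "bootfile": bootfile.decode("ascii", "replace"),
    }


def audit_reply(packet: bytes, expected: dict = EXPECTED) -> list:
    """Return a list of mismatches; an empty list means the reply matches."""
    seen = boot_settings(packet)
    return [
        f"{key}: expected {want!r}, reply carries {seen[key]!r}"
        for key, want in expected.items()
        if seen[key] != want
    ]


def build_sample_reply(tftp_server: str, bootfile: str, as_options: bool = True) -> bytes:
    """Constructed DHCPOFFER used as sample input; not a capture from the lab."""
    sname = b"" if as_options else tftp_server.encode()
    bootf = b"" if as_options else bootfile.encode()
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                           # BOOTREPLY, Ethernet, hlen 6, hops 0
        0x1234ABCD, 0, 0,                     # xid, secs, flags
        bytes(4), bytes([192, 168, 10, 50]),  # ciaddr, yiaddr (constructed lease)
        bytes(4), bytes(4),                   # siaddr, giaddr
        bytes.fromhex("020000000001"),        # chaddr (constructed MAC)
        sname, bootf,
    )

    def opt(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value

    options = opt(OPT_MSG_TYPE, b"\x02")      # 2 = DHCPOFFER
    if as_options:
        options += opt(OPT_TFTP_SERVER, tftp_server.encode())
        options += opt(OPT_BOOTFILE, bootfile.encode())
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


if __name__ == "__main__":
    samples = [
        ("matches lab configuration", build_sample_reply("192.168.10.31", "ARDBP32.BIN")),
        ("unexpected TFTP server", build_sample_reply("192.168.10.99", "ARDBP32.BIN")),
    ]
    for label, pkt in samples:
        print(label, "->", audit_reply(pkt) or "OK")
```
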

Discussion Question
Why might you opt to use BDM rather than PXE?
When might PXE be a better option than BDM?

Setting Up a Second Provisioning Services Server


A single instance of Provisioning Services is a single point of failure. If that instance fails, all of the running target devices will
stop because they will experience a hard drive failure due to their vDisk becoming unavailable. You should always configure
an additional Provisioning Services server for high-availability protection. Remember that each Provisioning Services server
can only be a member of one site at a time. If you want to move a Provisioning Services server to another site, you need to
rerun the Configuration wizard on the server being moved.
Configuring a second Provisioning Services server is similar to installing the first instance. The administrator must ensure that
the second Provisioning Services server has access to the store via shared storage to see the existing vDisks.

To Configure a Second Provisioning Services Server


1. Right-click the second Provisioning Services VM, click Start, and then click Console.
Right-click ProvisioningServicesHost-2, click Start, and then click Console.

2. Log on to the second Provisioning Services VM using domain administrator credentials.


Log on to ProvisioningServicesHost-2 using the TRAINING\Administrator and Password1 credentials.

3. Insert the Provisioning Services installation media in the DVD drive.


Select Citrix_ProvisioningServices_7_6_English.ISO in the DVD Drive 1 field.

4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click autorun.

6. Select Server Installation in the wizard window.


7. Click Install to begin the installation of Provisioning Services on the VM.
8. Click Yes in the message to install SQLncx64, if it is presented.

SQLncX64 is the SQL native client and is required if you are using database mirroring. If the SQL native client
is already on the system, you will not be presented with this message.

9. Wait for the Citrix Provisioning Services wizard to appear and then click Next.

If the wizard does not appear on the screen, check the taskbar.

10. Read and respond to the license agreement.


Select I accept the terms in the license agreement and then click Next.

11. Specify customer information, determine for whom the application will be installed, and then click Next.
Click Next to accept the default information.



12. Specify a destination folder and then click Next.
Click Next to accept the default destination folder.

13. Click Install to begin the installation.


14. Click Finish when the installation is completed.
15. Click OK in the message concerning the PVS Console.
16. Click Next in the Provisioning Services Configuration wizard screen.
17. Specify where DHCP is running and then click Next.
Select The service that runs on another computer and then click Next.

This is done so provisioned machines (vDisks) know where to get instructions to start from the network.
Options 66/67 contain the settings required for PXE booting. Options 66/67 are configured within the DHCP
Manager.

18. Specify where the PXE Service is running and then click Next.
Select The service that runs on another computer and then click Next.

You will point to the VM that hosts the bootstrap file which tells the provisioned machines (target devices) to
start up from the network. In the lab environment, the bootstrap file is stored on this Provisioning Services
server.

19. Decide whether to create a new farm or join an existing farm and then click Next.
Select Join existing farm and then click Next.

If this is not the first Provisioning Services VM in the environment, you probably want to join a farm instead
of creating a new farm.

20. Specify the name of the database server that is hosting the database to be used by Provisioning Services and then click Next.
Type SQL-1 and then click Next.

21. Select the Provisioning Services farm that this server will join and then click Next.
Verify that PVS_db:Farm is specified in the Farm name field and then click Next.

In the lab environment, PVS_db is the name of the Provisioning Services database and Farm is the name you
gave the Provisioning Services farm.

22. Specify the site to be used by the Provisioning Services server and then click Next.
Verify that Existing site is selected and then click Next.

In the lab environment, Site is the name you gave the Provisioning Services site.

23. Specify the vDisk store to be used by the Provisioning Services server and then click Next.
Verify that Existing store is selected and then click Next.

In the lab environment, Store is the name you gave the Provisioning Services store.



24. Select the account to use for the Stream Services and SOAP Server and then click Next.

a. Select Specified user account.


b. Type PVS_svc in the User name field.
c. Type training.lab in the Domain field.
d. Type Password1 in the password fields.
e. Click Next.

25. Verify Automate computer account password updates is selected and then click Next.

This ensures that Provisioning Server resets the Active Directory computer accounts of the provisioned
endpoints before the computer accounts expire in Active Directory.

26. Specify the network card to be used for streaming and management, specify the ports to use, and then click Next.
Verify that 6890 is specified as the First communications port, 54321 is specified as the Console port, and then click
Next.

27. Select Use the Provisioning Services TFTP service and then click Next.
28. Specify the boot servers that target devices can contact to complete their start up process and then click Next.
Click Next to accept the default Stream Servers Boot List.

29. Verify that Automatically Start Services is selected and then click Finish.
30. Click OK in the Windows Firewall message.

This message will always appear even if the firewall is turned off.

31. Wait while the configuration completes and then click Done.
32. Click Exit and then eject the installation media from the DVD drive.
Click Exit and then click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation
media.

33. Click the Server Manager icon in the taskbar of the Provisioning Services server and then click Tools > Services.

Service startups can fail in high-latency environments. You should configure the following Recovery settings
for the Citrix PVS SOAP Server, Citrix PVS Stream Service, and Citrix PVS TFTP Service to ensure that these
services start.

34. Right-click Citrix PVS Soap Server and then click Properties.
35. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
36. Right-click Citrix PVS Stream Service and then click Properties.
37. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
38. Right-click Citrix PVS TFTP Service and then click Properties.
39. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
40. Close the Services console.

Discussion Question
You have virtualized your first Provisioning Services server and then added a second Provisioning Services server for
redundancy to prevent a single point of failure. Everything seems to be working as planned. One day, the Help Desk lines
light up with numerous calls from end users complaining that their desktops are not available. What might be causing the
issue?



Configuring the Bootstrap File for High Availability
The bootstrap file contains connection information used by the starting target device to locate the Provisioning Services
servers. Adding all Provisioning Services servers to the bootstrap file provides the ability for the starting target device
connections to be load-balanced among the Provisioning Services servers and to identify the next available Provisioning
Services server upon failure of the currently connected Provisioning Services server.
After a Provisioning Services server is added, you must update the server information in the bootstrap file (ARDBP32.BIN)
using the Provisioning Services Console. Once the bootstrap file is updated, subsequent connections to Provisioning Services
are load-balanced between all Provisioning Services servers. An administrator can rebalance the target device connections at
any time using the console without impacting VM performance.

To Configure the Bootstrap File for High Availability


1. Log on to the first Provisioning Services VM using domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Right-click Provisioning Services Console in the left pane and then click Connect to Farm.
4. Type the NetBIOS name or IP address of the first Provisioning Services server in the Server Information Name field and
then click Connect.
Type PVS-1 and then click Connect.

If you cannot access the farm, restart the Provisioning Services server and try again.

This will connect the console to the first Provisioning Services server so you can see information about the
farm, the sites, and the stores.

5. Double-click the farm name > Sites > site name, and then click Servers.
Double-click Farm > Sites > Site > Servers.

6. Right-click the name of the first Provisioning Services server in the Servers node and then click Configure Bootstrap.
Right-click PVS-1 and then click Configure Bootstrap.

7. Click Read Servers from Database, and then click OK.

The bootstrap file for the first Provisioning Services server will now include the IP addresses of all
Provisioning Services servers in the farm.

8. Right-click the name of the second Provisioning Services server in the Servers node and then click Configure Bootstrap.
Right-click PVS-2 and then click Configure Bootstrap.

9. Click Read Servers from Database, and then click OK.

The bootstrap file for the second Provisioning Services server will now include the IP addresses of all
Provisioning Services servers in the farm.

10. Close the Provisioning Services Console.


11. Shut down the PVS-2 VM to conserve lab resources.

Discussion Question
How many Provisioning Services servers can be specified in the bootstrap file?



Configuring the Master Target Device
A Master Target Device refers to a target device from which a hard disk image is built and stored on a vDisk. Provisioning
Services then streams the contents of the vDisk created from the Master Target Device to other target devices.
To support a single vDisk that is shared by multiple target devices, those devices must have certain similarities to
ensure that the operating system has all required drivers. The three key components that must be consistent are the:
• Motherboard
• Network card
• Video card

The Provisioning Services Common Image Utility allows a single vDisk to simultaneously support different
motherboards, network cards, video cards, and other hardware devices.

If target devices will be sharing a vDisk, the Master Target Device serves as a template for all subsequent diskless target
devices as they are added to the network. It is crucial that the hard disk of the Master Target Device is prepared properly and
that all software is installed on it in the following order:
1. Windows Operating System
2. Device Drivers
3. Service Packs Updates
4. Target Device Software
5. Applications, which can be installed before or after the Target Device Software is installed

Creating the Master Target Device


Using Provisioning Services, administrators prepare a Master Target Device for imaging by installing an operating system and
software on the device. A vDisk image is then created from the hard drive on the Master Target Device and saved to shared
storage.

Once the vDisk image is available from the network, the target device no longer needs its local hard drive to operate; the
target device starts up directly from the network. The Provisioning Services server streams the contents of the vDisk to the
target device on demand, in real time. The target device behaves as if it is running from its local hard drive. However, unlike
thin-client technology, all processing takes place on the target device.
When creating a vDisk for use with Provisioning Services, you can:



• Use a physical machine with a configured desktop as the Master Target Device, load the Provisioning Services utilities on
the physical machine, and then use the utilities to convert the workload of the physical device to a vDisk (VHD) file.
• Use a virtual machine with a configured desktop as the Master Target Device, load the Provisioning Services utilities on
the virtual machine, and then use the utilities to convert the workload of the virtual machine to a vDisk (VHD) file.
• Use a headless virtual machine (a machine without a hard drive), associate it with a Provisioning Services server to attach
a blank vDisk to it, and then install an operating system and software on the blank vDisk to create the vDisk (VHD) file.
You do not need to convert the workload of the virtual machine because it is already a VHD file.

In this procedure, you will create a virtual machine that will become the Master Target Device. You will then use
the utilities to convert the workload of the Master Target Device to a vDisk (VHD) file.

Installing the Virtual Delivery Agent


The Virtual Delivery Agent (VDA) is required to make HDX (ICA) connections to the target device that is booting off of the
vDisk. The VDA must be installed on the master target device prior to creating the vDisk and assigning the vDisk to a target
device.
Although this master machine will be used to create a vDisk for Provisioning Services and not used by Machine Creation
Services, the same VDA installation process must precede the imaging process.

Creating the vDisk


After the operating system and desired software are installed on the Master Target Device, you must convert the hard drive of
the Master Target Device into a vDisk file. The resultant vDisk file is stored on a Provisioning Services server or shared storage
so it can be accessed by any Provisioning Services server that will provide the vDisk to target devices.

To Convert the Hard Drive of the Master Target Device to a vDisk


1. Right-click the master target VM, click Start, and then click Console.
Right-click MasterTargetDevice-1, click Start, and then click Console.

2. Log on to the Master Target Device using your domain administrator credentials.
Log on to MasterTargetDevice-1 using the TRAINING\Administrator and Password1 credentials.

3. Insert the Provisioning Services installation media in the DVD drive.


Select Citrix_ProvisioningServices_7_6_English.ISO in the DVD Drive 1 field.

4. Click the File Explorer icon.


5. Click This PC.
6. Double-click CD Drive (D:) to start the installation wizard.

If the installation wizard does not start, double-click autorun.

7. Click Target Device Installation and then click Target Device Installation again.
8. Click Next on the Welcome screen of the Installation wizard.
9. Read and respond to the license agreement.
Select I accept the terms in the license agreement and then click Next.

10. Type the customer information in the appropriate field, determine for whom the application is being installed, and then
click Next.
Click Next to accept the default selections.



11. Specify a destination folder and then click Next.
Click Next to accept the default destination folder.

12. Click Install and wait while the installation completes.


13. Verify that Launch Imaging Wizard is selected and then click Finish.
14. Click Next on the Welcome screen of the Imaging wizard.
15. Type the IP address of the first Provisioning Services VM and then click Next.
Type 192.168.10.31 and then click Next.

16. Determine whether a new or existing vDisk will be used and then click Next.
Select Create new vDisk and then click Next.

17. Type a name for the new vDisk.


Type Win2012R2vDisk.

18. Select the vDisk type and then click Next.


Select Dynamic and then click Next.

The Fixed vDisk type allocates 100% of the space allocated for the vDisk immediately. The Dynamic vDisk
type allocates space as it is needed. A Dynamic vDisk starts out small and then grows up to the maximum
amount of space allocated as it is needed.

19. Select the Volume Licensing method to be used with the vDisk and then click Next.
Select Key Management Service (KMS) and then click Next.

20. Define the size of each volume and then click Next.
Click Next to accept the default volume sizes.

21. Type a name for the target device and then click Next.
Type Win2012R2TD and then click Next.

22. Click Optimize for Provisioning Services, click OK, and then click Finish.
23. Click No in the Reboot message and then click No again.

Do not restart the VM at this point.

24. Click Exit in the Provisioning Services installation program.


25. Eject the installation media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation media.

26. Click the General tab for the Master Target Device VM in XenCenter and then click Properties.
Click MasterTargetDevice-1 in XenCenter, click the General tab, and then click Properties.

27. Click Boot Options and then select Network.


28. Move Network to the top of the list to force the VM to start up from the network instead of from the hard drive and
then click OK.
Click Move Up until the Network option is at the top of the list; deselect DVD-Drive and Hard Disk, and then click
OK.

Recall that the PXE boot option was set during the initial Provisioning Services installation.



29. Right-click the Master Target Device VM in XenCenter and then click Reboot.
Right-click MasterTargetDevice-1 and then click Reboot.

30. Click Yes in the Reboot VM message.


31. Log on to the Master Target Device VM using your domain administrator credentials.
Log on to MasterTargetDevice-1 VM using the TRAINING\Administrator and Password1 credentials.

After you log on, you will see the XenConvert progress window for the vDisk capture process. Do not restart
the VM until the XenConvert process completes. This process takes around 30-45 minutes.

32. Wait while the XenConvert process completes and then click Finish.
33. Shut down the Master Target Device VM.
Right-click MasterTargetDevice-1, click Shut Down, and then click Yes to confirm.

34. Log on to the first Provisioning Services VM using the domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

35. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
36. Type the NetBIOS name or IP address of the first Provisioning Services server in the Name field and then click Connect.
Type PVS-1 and then click Connect.

37. Double-click the farm name > Sites > site name > vDisk Pool in the left pane of the Provisioning Services Console.
Double-click Farm (PVS-1) > Sites > Site > vDisk Pool.

38. Verify that the newly created vDisk is listed.


Verify that Win2012R2vDisk is listed.

39. Double-click Device Collections > collection name in the left pane of the Provisioning Services Console.
Double-click Device Collections > Collection.

40. Verify that the newly created target device is listed.


Verify that Win2012R2TD is listed.

41. Double-click Stores > store name in the left pane of the Provisioning Services Console.
Double-click Stores > Store.

42. Verify that the newly created vDisk is listed.


Verify that Win2012R2vDisk is listed.

Discussion Question
What does XenConvert do?

To Create the Target Device Template


1. Attach a new disk to MasterTargetDevice-1.

a. Select MasterTargetDevice-1 in XenCenter. Click on the Storage tab.


b. Click on the Add button. Name the new disk WriteCache and set the size to 20 GB. Click on the Add
button.



2. Log in to ProvisioningServicesHost-1 and launch the Provisioning Services Console.

a. Log in to ProvisioningServicesHost-1 using TRAINING\Administrator with Password1 and open the
Provisioning Services Console.

3. Ensure the vDisk is set to Private Image mode.

a. Using the Provisioning Services Console, type PVS-1 and then click Connect. Double-click Farm (PVS-1) >
Sites > Stores > Store.
b. Right-click the Win2012R2vDisk and choose Properties.
c. Verify Access mode is set to Private Image (single device, read/write access).
d. Click OK.

4. Set the Target Device to boot from vDisk.

a. Using the Provisioning Services Console, browse to Sites > Site > Device Collections > Collection.
b. Right-click the Win2012R2TD device and choose Properties.
c. On the General tab, set Boot from to vDisk.
d. Click OK.

5. Create the Target Device Active Directory Machine Account.

a. Using the Provisioning Services Console, browse to Sites > Site > Device Collections > Collection.
b. Right-click the Win2012R2TD device and choose Active Directory > Create Machine Account.
c. Choose the Organizational Unit: Training Servers.
d. Click Create Account then click Close.

6. Initialize the new disk on the MasterTargetDevice-1 with the vDisk.

a. Using XenCenter, select MasterTargetDevice-1 and click Start.
b. Switch to the Console tab and allow MasterTargetDevice-1 to boot from the vDisk.
c. Log in to MasterTargetDevice-1 using TRAINING\Administrator with Password1.
d. Right-click the Start button and choose Disk Management.
e. Click OK in the pop-up. Right-click the new 20 GB partition and choose New Simple Volume.
f. Accept the defaults, click Next through each screen, and then click Finish.
g. Shut down MasterTargetDevice-1.

7. Create the Provisioning Services Template that you will use later in the labs to create a catalog.

a. Right-click MasterTargetDevice-1 and copy the machine, naming it PVS_2012R2_template.
b. Select the PVS_2012R2_template machine and click the Storage tab.
c. Select the disk that is not the write cache disk and choose Delete. Click Yes to confirm the delete.
d. Right-click PVS_2012R2_template, choose Convert to Template, and then click Convert.

Setting the vDisk Mode


A vDisk is a fully configured workload that contains the operating system, applications, third-party tools, and so on, and is
formatted onto a VHD file. When creating the vDisk, you have the choice between creating a Dynamic or Static VHD file.
When saved, the storage footprint of a Dynamic vDisk VHD file equals the size of the sum of the data on the VHD. This
footprint can grow up to the maximum size allocation. When Static is chosen for the VHD file type, the storage footprint
equals the size of the configured VHD and does not grow.
Once the vDisk is created, you can use the Provisioning Services Console to set the vDisk to one of two modes:
Standard Image Mode or Private Image Mode. Standard Image Mode allows the administrator to share the vDisk with
multiple target devices, providing a central point of updates and management. When using Standard Image Mode, the vDisk
is read-only, which requires the target devices to have a write cache to save all writes. Private Image Mode does not use a
write cache, because this is a one-to-one mode in which only one target device can access the vDisk at a time. In Private
Image Mode, the target device has read/write privileges to the vDisk.
Citrix recommends using standard image mode for production use and private image mode for updates only.

To Set the vDisk Mode


1. Log on to the Provisioning Services VM using domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type Provisioning Services Console and then click Provisioning Services Console.
3. Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect.
Verify that PVS-1 appears in the Name field and then click Connect.

4. Double-click the farm name > Stores > store name to display the contents of the store.
Double-click Farm (PVS-1) > Stores > Store.

5. Right-click the vDisk in the store and click Properties.


Right-click Win2012R2vDisk and then click Properties.

6. Click Standard Image (multi-device, read-only access) in the Access mode field and click Cache in device RAM with
overflow on hard disk in the Cache type field. Click OK.

Discussion Question
In Provisioning Services, private image mode identifies a vDisk as being available to only one target device. What term is used
in Machine Creation Services to specify that a VM is dedicated to a single end user?
In Provisioning Services, standard image mode identifies a vDisk as being available to many target devices. What term is used
in Machine Creation Services to specify that a VM can be used by many end users?

Assigning a vDisk to a Target Device


Whenever a new target device is added to the environment, you must assign a vDisk to it. There are multiple ways to assign a
vDisk to a target device:
• Manually create the target device in the Provisioning Services console and assign it a vDisk.
• Import a comma-delimited file with a list of MAC addresses.
• Auto-add the target device to the Provisioning Services server. This will automatically add the default vDisk to the target
device.
When a vDisk is assigned to a target device, the MAC address of the target device is mapped to the vDisk. A vDisk in
standard image mode can have multiple mappings (multiple target devices/one-to-many). A vDisk in private image mode can
have only a single mapping. Target devices are always identified by the MAC address. If you clone a target device and do not
randomize the MAC address, you will have multiple target devices with the same MAC address and you will have conflicts in
the environment.
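A pre-import check for the two mapping rules described above, as an added example that is not part of the course material: it normalizes each MAC address in a comma-delimited device list, then reports duplicate MACs and any private image mode vDisk mapped to more than one device. The column layout (name, mac, vdisk, mode), the device names MasterTD-A, MasterTD-B and BadRow-01, the vDisk GoldPrivate, and all MAC values are constructed for illustration and are not the Provisioning Services import format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data. The column layout is an assumption made for this
# example, not the format the Provisioning Services console imports.
SAMPLE_CSV = """\
name,mac,vdisk,mode
Win2012R2PXE-01,00-50-56-AA-10-01,Win2012R2vDisk,standard
Win2012R2PXE-02,00:50:56:aa:10:02,Win2012R2vDisk,standard
Win2012R2PXE-03,0050.56AA.1001,Win2012R2vDisk,standard
MasterTD-A,00-50-56-AA-20-01,GoldPrivate,private
MasterTD-B,00-50-56-AA-20-02,GoldPrivate,private
BadRow-01,00-50-56-AA-ZZ,Win2012R2vDisk,standard
"""

HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Return the MAC as 12 upper-case hex digits, or None if malformed.

    Separators (-, :, .) and case differ between tools, so two rows can
    describe the same adapter while looking different as strings.
    """
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    return digits if HEX12.match(digits) else None


def check_device_list(text):
    """Validate a device list and return the findings as a dict."""
    by_mac = defaultdict(list)            # normalized MAC -> device names
    by_private_vdisk = defaultdict(list)  # private-mode vDisk -> device names
    malformed = []

    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            malformed.append(row["name"])
            continue
        by_mac[mac].append(row["name"])
        if row["mode"].strip().lower() == "private":
            by_private_vdisk[row["vdisk"]].append(row["name"])

    return {
        # Rows whose MAC could not be parsed at all.
        "malformed": malformed,
        # Same adapter address on several devices (for example, an
        # un-randomized clone): the devices cannot be told apart.
        "duplicate_macs": {m: n for m, n in by_mac.items() if len(n) > 1},
        # A private image mode vDisk may have only a single mapping.
        "private_conflicts": {
            v: n for v, n in by_private_vdisk.items() if len(n) > 1
        },
    }


if __name__ == "__main__":
    findings = check_device_list(SAMPLE_CSV)
    for name in findings["malformed"]:
        print(f"malformed MAC: {name}")
    for mac, names in findings["duplicate_macs"].items():
        print(f"duplicate MAC {mac}: {', '.join(names)}")
    for vdisk, names in findings["private_conflicts"].items():
        print(f"private vDisk {vdisk} mapped to: {', '.join(names)}")
```

The third sample row uses a different separator style from the first, so a plain string comparison would miss the duplicate that normalization catches.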

To Assign a vDisk to a Target Device


The following steps are provided for informational purposes only and are not to be performed in the lab
environment.

1. Log on to a Provisioning Services VM using domain administrator credentials.


2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect.
4. Double-click the farm name > Sites > site name > Device Collection > collection name.

5. Right-click the name of a target device in the right pane and then click Properties.
6. Click the vDisks tab.
7. Click Add, select the vDisk to add, and then click OK twice.

You can remove a vDisk from a target device using the Properties of the target device.

Creating the Machine Catalog


The XenApp and XenDesktop Setup Wizard can be used to create machine catalogs of target devices from the Master Target
Device and Provisioning Services. Machine catalogs created with the XenApp and XenDesktop Setup Wizard are displayed in
Citrix Studio and are managed like machine catalogs created using Machine Creation Services.

To Create the Machine Catalog


1. Log on to the Provisioning Services VM using domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect.
Verify that PVS-1 appears in the Name field and then click Connect.

4. Double-click farm name > Sites.


Double-click Farm (PVS-1) > Sites.

5. Right-click the site name and then click XenDesktop Setup Wizard.
Right-click Site and then click XenDesktop Setup Wizard.

6. Click Next on the Welcome screen.


7. Type the name of a Delivery Controller in the XenDesktop Controller address field and then click Next.
Type C-1 and then click Next.

8. Select the host network and then click Next.


Select XenApp and XenDesktop Network and then click Next.

9. Type the logon credentials of the host (XenServer) and then click OK.
Type root in the Username field, type the Password provided to you in the beginning of the lab and then click OK.

10. Select a VM template to use for the Master Target Devices and then click Next.
Select PVS_2012R2_template and then click Next.

11. Select a Standard image mode vDisk and then click Next.
Select Store\Win2012R2vDisk and then click Next.

12. Determine if a new or existing catalog will be used and then click Next.
Select Create a new catalog, type Win2012R2PXE in the Catalog name field, and then click Next.

13. Specify the type of operating system machines to create in the catalog and then click Next.
Select Windows Server Operating System and then click Next.

You must be careful to select the correct type of desktop at this point. Selecting the incorrect OS will result in
an unusable machine catalog.

14. Specify the virtual machine preferences for vCPUs, memory, Personal vDisk size and drive letter, and startup mode, and
then click Next.

a. Select 1 in the Number of virtual machines to create field.


b. Select 2 in the vCPU field.
c. Select 2048 MB in the Memory field.
d. Select PXE boot (requires a running PXE service).
e. Click Next.

Personal vDisk is not available, because you are creating a machine catalog based on the Windows Server OS.

15. Determine whether to use existing Active Directory accounts or to create new ones for the new target device machines in
the machine catalog and then click Next.
Verify that Create new accounts is selected and then click Next.

If you are creating new accounts, you must specify the OU where they should be created. The Active Directory
organizational units must be created before you complete this step.

16. Specify the domain and OU to which the new target devices in the machine catalog will be added in Active Directory.
Select training.lab in the Domain field and then double-click training.lab > Training Virtual Desktops > Servers.

17. Determine the account naming scheme and then click Next.
Type Win2012R2PXE-##, verify that the 0-9 enumeration scheme is selected, and then click Next.

This will be the naming scheme associated with the target devices that will use the Win2012R2vDisk vDisk.

18. Click Finish and wait for the VM (target device) to be created in the machine catalog.
19. Verify that the new target devices appear in XenCenter and then click Done.
Verify that Win2012R2PXE-01 appears in XenCenter and then click Done.

20. Log on to a computer hosting Studio using domain administrator credentials.


Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

21. Click Start, type Citrix Studio and then click Citrix Studio.
22. Click Machine Catalogs and then verify that the newly created catalog appears.
Click Machine Catalogs and verify that Win2012R2PXE appears in the list.

Discussion Question
Personal vDisk can only be used with which type of desktop?

Creating the Delivery Group


Creating a Delivery Group is not a Provisioning Services function, but in order for end users to connect to the newly created
machine catalog of target devices, you can use Studio to create a Delivery Group. Alternatively, if a Delivery Group already
exists, you only need to associate that Delivery Group with the new machine catalog.

To Create the Delivery Group
1. Log on to the computer hosting Citrix Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type Citrix Studio, and then click Citrix Studio.
3. Select the Delivery Groups node in the left pane.
4. Click Create Delivery Group in the right pane.

If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center
pane. If you receive an error message stating "There are no available machines in a compatible Machine
Catalog. You must create a new Machine Catalog or add machines to an existing one.", use Studio to verify
that a machine catalog exists and contains machines that have not been assigned to a Delivery Group. If the
machine catalog was newly created and none of its machines have been assigned through a Delivery Group
yet, the problem could be that the machine catalog was not created correctly. Create a new machine catalog and
delete the corrupted one.
5. Click Next in the Getting Started with Delivery Groups page.

If you previously selected Don't show this again, this page will not appear.

6. Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and
then click Next.
Select Win2012R2PXE, type 1 in the Choose number of machines to add field, and then click Next.

Because of the limited storage in the lab environment, you only have a single machine available in the machine
catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users
in the environment.

7. Select the service to deliver in the Delivery Type screen and then click Next.
Select Desktops and then click Next.

8. Click Add users to specify which end users will be part of the Delivery Group.

Only those users added to the Delivery Group will be able to access the selected service (desktops, applications,
or desktops and applications).

9. Type the name of the user or group, click Check Names, and then click OK.
Type HelpDesk in the Enter the object names to select field, click Check Names, and then click OK.

10. Verify that the appropriate end users appear in the Assign users field and then click Next.
Verify that TRAINING\HelpDesk appears and then click Next.

11. Determine how to provide the StoreFront server address to Citrix Receiver and then click Next.

a. Select Automatically, using the StoreFront servers selected below.


b. Select https://sfs-1.training.lab.
c. Select https://sfs-2.training.lab.
d. Click Next.

12. Type a name for the Delivery Group in the Delivery Group name field that administrators will see.
Type Win2012R2Server-HD.

13. Type a Display name in the Display name field that end users will see.
Type Win2012R2 Server.

14. Type a description for the machine that end users will see and then click Finish.
Leave the description field blank and then click Finish.

15. Right-click the machine associated with the Delivery Group and then click Shut Down.
Right-click Win2012R2PXE-01 in XenCenter and then click Shut Down.

You are shutting down the VM only to save lab environment resources.

Discussion Question
Delivery Groups are used to assign end users and groups to machines. What methods are available for selecting the end users?

To Update a vDisk
1. Log on to a virtual machine that has the Provisioning Services Console installed using domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

2. Click the Provisioning Services Console icon on the Start screen and then click Connect.
3. Browse to a site in the Provisioning Services Console.
Double-click Farm (PVS-1) > Sites > Site.

4. Click the vDisk Pool node, right-click a vDisk in the right pane, and then click Versions.
Click vDisk Pool, right-click Win2012R2vDisk in the right pane, and then click Versions.

If the vDisk does not appear, right-click vDisk Pool and then click Refresh.

5. Click New and then click Done.


6. Click the Device Collections node and then click on the device collection that contains a device that uses the targeted
vDisk.
Click Device Collections > Collection.

7. Right-click the target device and then click Properties.


Right-click Win2012R2TD and then click Properties.

8. Select Maintenance in the Type field and then click OK.


9. Right-click the virtual machine associated with the target device that you put in Maintenance mode and then start or
restart the virtual machine.
Right-click the MasterTargetDevice-1 virtual machine in XenCenter and then click Start.

10. Select the Console tab.


11. Wait while the virtual machine restarts and then select the target device that you put in Maintenance mode from the
Boot Menu in the console of the virtual machine.
Type 1 in the console of the MasterTargetDevice-1 virtual machine and then press Enter.

12. Log on as an administrator and make the desired changes to the virtual machine.
Perform the following changes to the virtual machine:
a. Log on to the Default Desktop using the TRAINING\Administrator and Password1 credentials.
b. Type \\FS-1\Share in the Start screen and then press Enter.
c. Double-click Firefox Setup and then click Run.
d. Click Yes on the security warning window if it appears.
e. Click Next on the Welcome screen of the wizard.
f. Ensure that Standard is selected and click Next.
g. Click Install and then allow the installation to complete.
h. Deselect Launch Firefox now and click Finish.
i. Click OK on the Citrix License Management window.

13. Right-click the virtual machine in XenCenter, click Shut Down and then click Yes in the Shut Down virtual machine
message.
Right-click the MasterTargetDevice-1 virtual machine in XenCenter, click Shut Down, and then click Yes in the Shut
Down virtual machine message.

Promoting Updated Versions


An updated version of the vDisk is not available to production devices until it is promoted to production. The
promotion stages for an updated version are maintenance, test, and production. Each time a new version is created, the
Access setting is automatically set to maintenance to allow maintenance devices to make updates. After updates are
complete, this version can be promoted from maintenance to test to allow for testing by test devices, or directly to
production, for use by all target devices.

To Promote Updated vDisk Versions


1. Log on to a virtual machine that has the Provisioning Services Console installed using domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

2. Double-click the Provisioning Services Console icon on the Start screen and then click Connect.
3. Browse to a site in the Provisioning Services Console.
Double-click Farm (PVS) > Sites > Site.

4. Click the vDisk Pool node, right-click a vDisk in the right pane, and then click Versions.
Click vDisk Pool, right-click Win2012R2vDisk in the right pane, and then click Versions.

5. Select the latest version of the vDisk and then click Promote to promote the updated version of the vDisk.
Select version 1 and then click Promote.

6. Select the version access and availability time frame and then click OK.
Select Production, select Immediate, and then click OK.

7. Click Done.
Click Cancel if the End Snap-in window appears and then click Done.

8. Start or restart a target device to test that the update was successful.
Reboot the Win2012R2PXE-01 virtual machine in XenCenter, log on as the TRAINING\Administrator user, and
ensure that Firefox is now present.

Discussion Question
What are the benefits of updating and merging a vDisk over traditional re-creation of images?

VHD Chain of Differencing Disks


A vDisk consists of a VHD base image file, any associated files, and if applicable, a chain of referenced VHD differencing
disks. Differencing disks are created to capture the changes made to the base disk image, leaving the original base disk
unchanged. Each differencing disk that is associated with a base disk represents a different version.

vDisk versions are created and managed using the vDisk versions dialog box and by performing vDisk versioning tasks. Each
time a vDisk is put into maintenance mode a new version of the VHD differencing disk is created and the file name is
numerically incremented.

Merging VHD Differencing Disks


Merging VHD differencing disk files can save disk space and increase performance, depending on the merge method selected.
Merge methods include merging to a new base image or merging to a consolidated differencing disk.

A merge can only occur when no Maintenance version exists for this vDisk or when the vDisk is in Private Image
mode. A merge starts from the top of the chain down to a base disk. A starting disk cannot be specified for the
merge.

Merging to a new base image is recommended when performance is more important than disk space, because a new base disk
is created for every merge performed.
Merging to a consolidated differencing disk is recommended when disk storage is limited or when the bandwidth between
remote locations is limited, which makes copying large images impractical.

To Merge VHD Differencing Disks
1. Log on to a virtual machine that has the Provisioning Services Console installed using domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.

2. Click the Provisioning Services Console icon on the Start screen and then click Connect.
3. Click the vDisk Pool node, right-click a vDisk in the right pane, and then click Versions.
Click vDisk Pool, right-click Win2012R2vDisk in the right pane, and then click Versions.

4. Click Merge to open the Merge window.


5. Select the type of merge version you want to create and the merge version access type.
Select Merged Base and then select Maintenance.

6. Click OK to start the merge process and then click OK again. In the vDisk Versions window, periodically press Refresh
until the merge is complete and then press Done.

Troubleshooting: Provisioning Services

Issue: Streamed Services stops running.
Resolution: Set the service to automatically restart on failure.

Issue: End-user machine is not receiving an IP address (DHCP issues).
Resolution: Verify that DHCP is accessible on the subnet. Ensure that the client device BIOS is configured to start
from the network. You need to adjust the BIOS device startup order for the virtual machine. It is hypervisor-specific.

Issue: Machine cannot obtain ARDBP32.bin.
Resolution: Ensure the settings in DHCP (67) are pointing to the correct file. Verify that the boot file is present on
the PVS machine. Ensure that the running TFTP service points to the relevant boot file.

Issue: When starting up a target device using Boot Device Manager (BDM), the static address assigned in the boot file
is not what is reflected when the target device fully starts.
Resolution: Place the target device in Private image mode and change the network adapter to use any statically
assigned IP address. Avoid using DHCP unless it is preferred, in which case you must specify DHCP in the BDM file when
running the BDM wizard. For more information about BDM, see Citrix article CTX125066 at
http://support.citrix.com/article/CTX125066

Issue: After updating a Provisioning Services vDisk that has Personal vDisk enabled, a blue screen of death (BSOD)
appears with a STOP error indicating a corrupt file.
Resolution: There are corrupt files or directories on the Personal vDisk. Detaching the Personal vDisk from the
virtual machine allows it to start.

Reinforcement Exercise: Creating BDM Target Devices


During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked
to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge
and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most
instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If
you have a question or get stuck, ask the instructor or a fellow student for assistance.
Now that you know how to:
• Install and configure Provisioning Services.
• Install the Provisioning Services Console.

• Configure DHCP Options 66 and 67.
• Configure the bootstrap file for high availability.
• Create a vDisk and assign it to a target device.
• Create a machine catalog.
• Create the Delivery Group.
You are ready to try your hand at creating a machine catalog and a Delivery Group using a vDisk created in Provisioning
Services.
Approximate time to complete: 20 minutes
You created a machine catalog for Windows 2012 R2 servers using PXE, but now Training wants you to create a machine
catalog that uses the Boot Device Manager (BDM) and a vDisk. Once you create this new machine catalog, Training wants to
provide these machines to the XenDesktop Admins group of users at Training.
Here is what you need to do:
1. Ensure that MasterTargetDevice-1 is shut down.
2. Use the XenDesktop Setup Wizard in Provisioning Services to create a new machine catalog called Win2012R2BDM.
3. Use the credentials provided at the beginning of the class for the host (XenServer).
4. Base the machine catalog on the PVS_2012R2_template and Win2012R2vDisk VMs that you created earlier.
5. Create a single target device and set it to start using BDM.
6. Create new accounts for the target devices in the training.lab > Training Virtual Desktops > Servers OU.
7. Use the default account naming scheme for the target devices.
8. Create a new Delivery Group that assigns Desktops to the XenDesktop Admins group from the newly created target
device.
9. Specify both StoreFront servers.
10. Set the name of the Delivery Group to Win2012R2Desktop-XDA (Admin view).
11. Set the Display name to Win2012R2 Desktop (End-user view).

Module 9: Managing and Monitoring Sessions, Sites, and End Users with Director

Overview
Managing end users and their sessions is a common administrative task. When end users experience difficulty accessing their
applications or desktops, they will require troubleshooting assistance from the administrator in order to resolve the session
issues.
Another important administrative task is the monitoring of your XenApp or XenDesktop environment and the
troubleshooting of issues before they become system critical. Director enables support teams to obtain an overview of the
entire XenApp or XenDesktop site, including real-time machine issues, usage metrics, and host and controller information.
With this data, you can proactively monitor and troubleshoot system issues.
After completing this module, you will be able to:
• Monitor sessions and sites using the Dashboard within Director.
• Monitor and manage end-user sessions within Director.
• Monitor historical trends within Director.
Module timing: Approximately 3 hours

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• Endpoint-Internal = On
• Domain Controller-1 = On
• File Server-1 = On
• SQL Server-1 = On
• SQL Server-Witness = On
• StoreFront Server-1 = On
• Student Management Console = On
• ProvisioningServicesHost-1 = On
• All other machines = Off

Director Overview
Director is a Web-based tool that enables IT Support and Helpdesk teams to monitor a XenApp or XenDesktop environment,
troubleshoot issues before they become system critical, and perform support tasks for end users.
Director allows you to search for a particular end user and display activity associated with that end user, such as:
• Finding the status of the end user's applications and processes
• Ending unresponsive applications or processes
• Restarting an end user's machine
• Disconnecting end-user sessions
• Shadowing an end-user session
Director provides an overview of the key aspects of a deployment, such as the status of connections, sessions, and the site
infrastructure. Meaningful performance metrics and graphs are displayed, together with information about the health of the
hypervisors and Controllers. Information is updated every minute. If issues occur, details appear automatically about the
number and type of failures that have occurred. You can view more detailed information, for example, to display all the end
users affected and the associated machines.

In preparation for the exercises in this module, you will need to log on as an end user and begin a session that you
can use Director to monitor in subsequent procedures.

To Monitor an End-User Session
1. Log on to an internal endpoint using domain user credentials.

a. Log on to the EndPoint-Internal virtual machine using the TRAINING\AcctUser1 and Password1
credentials.
b. Reboot the EndPoint-Internal virtual machine to apply the policies created in the previous module.
c. Log on to the EndPoint-Internal virtual machine once the reboot has completed, using the
TRAINING\AcctUser1 and Password1 credentials.

2. From the Start screen launch Citrix Receiver.

a. Click Start and click the down arrow. Click on Citrix Receiver.

Citrix Receiver must be installed on the endpoint before an end user can access resources. If you do not install
Citrix Receiver, an .ICA file will be downloaded to the endpoint. You will not be able to open the .ICA file,
because Receiver is not installed on the endpoint. If Internet Explorer fails to open, restart the
EndPoint-Internal VM.
3. Log on to Citrix Receiver using the domain user credentials.
Log on using the TRAINING\AcctUser1 and Password1 credentials.

4. Access an application and a desktop.

a. Click the + icon and select All Applications and then click Microsoft Office Word 2010 and Win8 Desktop.

5. Launch an application and a desktop.

a. Click on Microsoft Office Word 2010 and Win8 Desktop.

To Access Director
1. Log on to a computer within the same network as your Controller using domain administrator credentials.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.

2. Open a browser window, type the URL for Director using the following format: http://server/Director, and then press
Enter.
Click Start and type Director and click on Citrix Director.

3. Type your domain user name.


Type Administrator in the User name field.

4. Type your password.


Type Password1 in the Password field.

5. Type the domain you would like to connect to.


Type Training in the Domain field.

6. Click Log on.

Monitoring within the Director Dashboard


The Director Dashboard is the opening page of Director and shows basic information regarding your environment including:
• Infrastructure
• Sessions Connected
• Average Logon Duration

The Dashboard will give you a general overview of the current status of the environment and allow you to quickly view
unusual and irregular activity.

Monitoring Infrastructure
From the Infrastructure panel in Director, you can monitor the health status of your XenApp and XenDesktop site
components, as well as view performance alerts. This panel lists all servers with alerts in alphabetical order.
The columns list different states for each server. A green check indicates that everything is working properly; an alert or
error indicates a warning or failure of an infrastructure component. The panel lets you monitor the current status of the
following entities:
• Hosts
• Delivery Controllers
• Services
• Database
• License Server
• Configuration Logging Database
• Monitoring Database

To Monitor the Infrastructure


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start, type Director, and then click Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll the Dashboard to view the Infrastructure panel of Director.

If the Infrastructure panel is not available, click Trends at the top of the Director window and then click
Dashboard again.

3. Ensure that no alerts exist. If a performance alert is indicated, click the alerts in the Infrastructure panel to read more
information.

The status of Controller-2 will be offline due to the machine being powered down.

Monitoring Connected Sessions


The Dashboard shows information for Sessions Connected, which provides you with a real-time view of end users connected
to the environment, including an option to view historical trends.

To Monitor Connected Sessions


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start, type Director, and then click Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Click the number above the Sessions Connected text on the Dashboard.
Click 2 to view information about the two connected sessions.

Instead of clicking on the number of end users, you also have the option of clicking View Historical Trend in
the Sessions Connected graph on the Dashboard if you would like to view information about the past number
of concurrent sessions.

3. Click Dashboard at the top of the Director window to return to the Dashboard.

Monitoring Logon Duration Averages


From the Average Logon Duration panel within the Dashboard, you can view logon data for end users across a site. This
panel provides data that helps you identify patterns affecting logon times.
The logon duration chart displays two types of information at each data point: The average logon duration and the number of
logons. When you hover over the chart, a red line appears at the cursor to highlight that point in time and display a dialog
box showing both the values of logon duration and logons at the same time.

To Monitor Logon Duration Averages


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start, type Director, and then click Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll the Dashboard to view the Average Logon Duration panel in Director.
3. Point your cursor at the chart and view the logon duration and logon information at the same time.
4. Click Trends at the top of the Director screen to view logon performance data across a site beyond the last 60 minutes.
5. Select the Delivery Group that you want to view logon trend information about.
Select All in the Delivery Group field.

6. Select a time period for which you want to view logon trend information.
Select Last 7 days in the Time period field.

7. Click Apply to view the logon data for the Delivery Groups and time period selected.
8. Click Dashboard at the top of the Director window to return to the Dashboard.

Monitoring Machine and End-User Connection Failures


If there were Machine or User Connection failures in the previous 60 minutes, additional panels appear on the Dashboard
automatically.
The large number on the left of the panel indicates the total number of failures for that type. If you click the large number,
the Filters page opens and displays all the individual failures in this instance. Click the User Connection Failures number to
see a list of these end users whose connections failed, so that you can troubleshoot and resolve the cause of these failures.
The list and graph on the right display data for each type of failure. If a particular category has more than one failure during
the last 60 minutes, it is expanded by default. These panels stay open even when you fix the failures, but you can click the tab
to collapse them.
End-user connection failures can be categorized as follows:
• Client Connection Failures - Virtual machine unavailable, connection not established
• Machine failures - End user connection failures resulting from machine failures
• Unavailable capacity - Desktop OS machine or Server OS machine session is not available due to maximum capacity
reached
• No License Available - Failure to acquire a license for this user

Monitoring and Managing End-User Sessions
You can easily monitor and manage end-user sessions within Director. Common monitoring tasks include:
• Viewing end-user sessions
• Searching for end-user sessions
• Monitoring end-user applications
• Monitoring machine processes
• Managing an end user's machine power status
• Enabling or disabling maintenance mode
• Disconnecting and logging off end users
• Shadowing end users
• Sending messages to end users
• Monitoring HDX channels
• Resetting end user profiles

These tasks may also be helpful for Helpdesk representatives to troubleshoot and resolve issues prior to escalation.

Viewing End-User Sessions


There are multiple ways to view sessions within Director. The steps below will be beneficial when you would like to search for
groups of users or filter with specific requirements.

To View End-User Sessions


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start, type Director, and then click Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Click Filters at the top of the Director window.


3. Select Sessions > All Sessions.

The page displays information about all of the sessions currently running in the environment. You can reduce
the number of sessions displayed using the Filter by fields. For example, you may want to view current
sessions that exist by a particular Delivery Group, OS, machine catalog, etc.

4. Select one or more user sessions to enable the Session Control and Send Message functions for the selected user sessions.
Select the AcctUser1 session that is running on the Server2012R2-01 machine.

5. Click Dashboard at the top of the Director window to return to the Dashboard.

Searching for an End User


In order to search for a specific end user and have the ability to perform all management tasks, you should use the Search
users field.

To Search for an End User
1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Type a specific end user's account name or a partial account name in the Search users field and then press Enter to locate
information about matching end-user sessions.
Type AcctUser1 in the Search for users field, select AcctUser1, and then click Activity Manager.

4. Select the appropriate end user to open the Activity Manager for that user.
Select AcctUser1 and then verify that Details appears below the Search users field.

This step is only necessary if a "fuzzy" search was performed using the Search users field.

Monitoring End-User Applications


You can monitor end-user applications by performing the following tasks:
• View local and hosted applications for currently connected machines.
• View applications on all machines to which the end user has access.
• Stop an application.

To Monitor End-User Applications


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to select the Search field.
3. Click Search for user.
4. Type a specific end user's account name or a partial account name in the Search users field and then press Enter to locate
information about matching end-user sessions.
Type AcctUser1 in the Search users field, select AcctUser1, and then click Activity Manager.

5. If there are multiple sessions for the user, you will have the option to select a session.
Select Office Apps.

6. Click Activity Manager below the Search users field to view the Activity Manager.

If the Details button is displayed below the Search field, then the Activity Manager screen is already displayed.
The Activity Manager screen is white and the Details screen is black.

7. Click the Applications tab menu in the Activity Manager to view a list of the applications and hosted applications being
run by the selected end user.

Monitoring End-User Machine Processes
When an end user calls the Helpdesk about a slow desktop machine, you can monitor the status of the processes on that
machine without needing to start a Remote Assistance session and shadow the end user.
One resolution for a process problem is to stop the process. If the process is successfully stopped, it disappears from the list of
processes. If the process problems continue, you can escalate by restarting the machine or by resetting the end user's profile.

To Monitor End-User Machine Processes


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session and then click Activity Manager under the Search users field.
Type AcctUser1 in the Search users field, select AcctUser1, and then click Activity Manager.

If the Details button is displayed below the Search users field, then the Activity Manager screen is already
displayed. The Activity Manager screen is white and the Details screen is black.

4. Click the Processes tab in the Activity Manager.


5. Select the process to be stopped, click End Process and then select Yes to confirm the action.
Do not end any processes.

Managing an End User's Machine Power Status


Director gives you the ability to restart, shut down, or suspend virtual machines within the environment.

To Manage an End User's Machine Power Status


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session and then click Details below the Search users field.
Type AcctUser1 in the Search for users field, select AcctUser1, and then click Activity Manager.

If the Activity Manager button is displayed below the Search users field, then the Details screen is already
displayed. The Activity Manager screen is white and the Details screen is black.

4. Click Power Control under Machine Details on the page.


5. Select the appropriate action to take on the machine.

The following power controls are available:
• Restart
• Force Restart
• Shutdown
• Force Shutdown
• Suspend
• Resume
• Start

Do not select any of the available actions at this time.

Enabling or Disabling Maintenance Mode


Maintenance mode prevents end users from launching a session to specified desktops or Delivery Groups. If an end user has a
connection, maintenance mode will not be enabled until the session is disconnected.

To Enable or Disable Maintenance Mode


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session that you would like to put in maintenance mode and then click Details.
Type AcctUser1 in the Search users field, select AcctUser1, and then click Activity Manager.

If the Activity Manager button is displayed below the Search users field, then the Details Manager screen is
already displayed. The Activity Manager screen is white and the Details screen is black.

4. Ensure that the appropriate desktop or application connection for the end user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Details Manager page and then select the
Office Apps (TRAINING\Server2012R2-01) resource from the drop-down menu.

The machine switcher icon is only available when the selected end user has multiple sessions running.

5. Click the Maintenance mode button under Machine Details to change the mode. If you are unsure if Maintenance mode
is enabled or disabled, hover over the Maintenance mode button and a message will appear with the status.
Ensure that maintenance mode is off.

Resetting an End-User Profile


Resetting a profile allows you to manage end-user settings stored within their Citrix-based profile or Microsoft roaming-based
profile. When a profile is reset, the end user's folders and files are saved and copied to the new profile. All other profile
properties are reset to default, including registry, applications, and personalization settings.

To Reset an End-User Profile
1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session whose profile you want to reset and then click Details below the Search users field.
Type AcctUser1 in the Search users field, select AcctUser1, and then click Activity Manager.

If the Activity Manager button is displayed below the Search button, then the Details screen is already displayed.
The Activity Manager screen is white and the Details screen is black.

4. Ensure that the appropriate desktop or application connection for the user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Activity Manager page and then select the
Win8 Desktop (TRAINING\Static-PVD-01) resource from the drop-down menu.

The machine switcher icon is only available when the selected end user has multiple sessions running.

5. Scroll the Details page down until you reach the Personalization panel.
6. Click Reset Profile in the Personalization panel of the Details page and then click Reset.

Discussion Question
Can you provide examples of when Director would be useful within your organization?

Monitoring HDX Channels


Monitor the status of the HDX channels within the user session in the HDX panel of the User Details page. The HDX
channels monitor allows you to view the status and current configuration of specific HDX channels within an end user's
session, which greatly assists in diagnosing connection and performance concerns. Detailed information can be gathered
on numerous HDX parameters, including Audio and Media Stream, Thinwire, USB utilities, and Flash.

To Monitor HDX Channels


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search for users field.
3. Search for an end-user session whose HDX details you want to view and then click Details below the Search users field.
Type AcctUser1 in the Search for users field, select AcctUser1, and then click Activity Manager.

If the Activity Manager button appears instead of Details, you are already on the Details page.

4. Ensure that the appropriate desktop or application connection for the user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Details page and then select the Office
Apps (TRAINING\Server2012R2-01) resource from the drop-down menu.

The machine switcher icon is only available when the selected end user has multiple sessions running.

5. Scroll down to the HDX panel on the Details page.


6. View the information specified below the HDX heading.
7. Click an HDX channel preceded by a red circle or triangle to view error information for an HDX channel.

a. Click Smart Cards to view error information.


b. Click the X to close the window.
c. Click Graphics - Thinwire to view warning information.
d. Click the X to close the window.

8. Click an HDX channel preceded by a green check mark to view information for an HDX channel that has no current
alerts.

a. Click VDA to view information about the channel.


b. Click the X to close the window.

9. Click Download System Report to export HDX channel information for the session to an .XML file.
10. Save the file to a location of your choice or open the file.

a. The DirectorHDXReport.xml document is automatically saved to your Downloads folder.


b. Click DirectorHDXReport.xml to open the file within a new Internet Explorer browser window.
c. Click the X in the tab that is displaying the report within Internet Explorer to close the file.

Sending a Message to an End User


You can send individual messages to end users (or as a group message) to inform them about desktop maintenance or to
communicate with a user directly. For example, you may want to tell end users to log off before critical maintenance is about
to take place to ensure they save their work, preventing loss of data.

To Send a Message to an End User


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session whose HDX details you want to view and then click Details below the Search users field.
Type AcctUser1 in the Search users field, press Enter, and then click Details.

If the Activity Manager button appears instead of Details, you are already on the Details page.

4. Ensure that the appropriate desktop or application connection for the end user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Details page and then select the Office
Apps (TRAINING\Server2012R2-01) resource from the drop-down menu.

The machine switcher icon is only available when the selected end user has multiple sessions running.

5. Scroll the page to the right to view the Session Details pane.
6. Click the Send Message button.
7. Type a message you would like to send the end user.
Type Thank you for contacting the Helpdesk. Your issue should now be resolved.

8. Click Send and then verify that the message was successfully sent.

a. Click Send.
b. Switch to the EndPoint-Internal virtual machine and then click OK on the message to close it.
c. Switch back to the Controller-1 virtual machine.

The selected end user must have an active session running in order to receive the message. If the end user is
disconnected or the session has timed out, the end user will not receive the message.

Shadowing an End-User Session


Director allows you to shadow a XenApp and XenDesktop session while assisting an end user. When shadowing, you are
using the Microsoft Remote Assistance client, which allows you to view and work on the virtual machine of an end user
whom you are assisting. You can also request that the end user allow you to share control of the keyboard and mouse.
The Microsoft Remote Assistance client must be installed on the system running Director, usually the Helpdesk Agent's
desktop. In addition, remote assistance must be enabled on the virtual desktop, either through the Virtual Delivery Agent
Installation Wizard or through an Active Directory GPO. By default, only local administrators on the virtual desktop,
including domain administrators, can launch a shadowing session. To provide shadowing access to Helpdesk administrators,
you must configure an Active Directory GPO to add those administrators as remote assistance users.

To Shadow an End-User Session


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session that you want to shadow and then click Details below the Search users field.
Type AcctUser1 in the Search users field, press Enter, and then click Details.

If the Activity Manager button appears instead of Details, you are already on the Details page.

4. Ensure that the appropriate desktop or application connection for the end user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Details page and then select the Win8
Desktop (TRAINING\Static-PVD-01) resource from the drop-down menu.

The machine switcher icon is only available when the selected end user has multiple sessions running.

5. Scroll the page to the right to view the Session Details pane.
6. Click the Shadow button.
7. Open the Invite.msrcincident file that is downloaded.

a. Click Invite.msrcincident on the bottom-left side of the screen.


b. Switch to the EndPoint-Internal virtual machine and select Win8-Accounting from the taskbar.
c. Click Yes in the "Would you like to allow HelpAssistant to connect to your computer" message.

If the end user does not respond within 120 seconds, the connection will fail. If the user does not respond,
click OK in the Windows Remote Assistance message, on the system running Director, to end the shadowing
request.

8. Click Request control at the top of the Windows Remote Assistance window on the system running Director to ask the
end user to allow you to take control of the keyboard and mouse in the session.

a. Switch to the Controller-1 virtual machine.


b. Click Request control from the Windows Remote Assistance window on the system running Director.
c. Switch to the EndPoint-Internal virtual machine.
d. Click Yes on the Windows Remote Assistance screen to allow Administrator to share control.
e. Switch back to the Controller-1 virtual machine.

9. Assist the end user from the system running Director and then close the Windows Remote Assistance window to end the
shadowing session.
Click the X in the small or full screen Windows Remote Assistance window.

The end user could also end the shadowing session by clicking the X in the Windows Remote Assistance
window displayed on the endpoint. If the administrator ends the shadowing session by closing the small
Windows Remote Assistance window, they must close the full screen Windows Remote Assistance window
separately.

Disconnecting an End-User Session


Disconnecting a session will break the connection that the end user has with their virtual desktop or application; however, the
desktop or application will continue to run. When creating a new user session, the end user will have the ability to resume
their work where they were interrupted. This is valuable when an end user has difficulty during a session and may have
unsaved work.

To Disconnect an End-User Session


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end user whose session you want to disconnect and then click Details below the Search users field.
Type AcctUser1 in the Search users field, press Enter, and then click Details.

If the Activity Manager button appears instead of Details, you are already on the Details page.

4. Ensure that the appropriate desktop or application connection for the end user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the page and then select the Office Apps
(TRAINING\Server2012R2-01) resource from the drop-down menu.

The machine switcher icon is only available when the selected end user has multiple sessions running.

5. Scroll the Details page to the right and then click Session Control.
6. Click Disconnect to disconnect the selected session.
7. Verify that the state of the session has changed to Disconnected.

Logging an End User Off


Unlike disconnecting an end-user session, logging an end user off will completely log the end user off the desktop or
application, therefore leading to a loss of data. Once an end user is logged off of a desktop, it will become available to other
end users.

To Log an End User Off


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end user whose session you want to log off and then click Details below the Search users field.
Type AcctUser1 in the Search users field, press Enter, and then click Details.

If Activity Manager appears instead of Details, you are already on the Details page.

4. Ensure that the appropriate desktop or application connection for the user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the page and then select the Office Apps
(TRAINING\Server2012R2-01) resource from the drop-down menu.

The machine switcher icon is not visible if the selected end user only has a single connection running.

5. Scroll the Details page to the right and then click Session Control.
6. Click Log Off to log the end user off the session.

Wait while the end user is logged off. Do not click Log Off again; doing so will result in an error being
displayed. After the end user is logged off the session, the session details will disappear from the Details pane.

Discussion Question
What is the difference between disconnecting a session and logging off an end user?

Monitoring Historical Trends
In Director, use the Trends page to access historical trend information for sessions, connection failures, machine failures,
logon performance, and load evaluation for each site. To locate the information, on the Dashboard or Filters page, click
Trends.
Each graph shows trend data for a specified period of time (the default is previous 24 hours) and for specified Delivery
Groups (default: all groups). You can also view data for a single point in time by pointing your cursor to that location. Click
the refresh icon at any time to update the data.
You can save the graph to a PDF file or save the data to a CSV file so that you can reuse the data in other applications. When
the data is exported, you can view more detailed information that was not visible within the graph, assisting with the analysis
of historical trends.

To Monitor Historical Trends


1. Log on to Director (http://server/Director) using domain administrator credentials.

a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.

2. Click Trends at the top of the Director window.


3. Select the appropriate tab according to the type of trend analysis you would like to perform.
Select the Logon Performance tab.

4. Select specific filters to view only important information that is relative to your analysis.

a. Select All in the Delivery Group field.


b. Select Last 24 hours in the Time period field.

5. Click Apply.
6. Review the information for specific trends.

Troubleshooting: Managing Sites, Sessions, and End Users with Director

Issue: An error dialog is received during configuration with Citrix Studio.
Resolution: If an error dialog box is received while configuring XenDesktop in Citrix Studio, a descriptive message will
display that may help you self-diagnose the issue. If you are unable to address the issue based on the descriptive error
message, you can select the option in Studio: "I need help from Citrix to solve this problem." When this option is selected,
the Citrix Tools as a Service (TaaS) system searches an error reporting web service maintained by the Citrix TaaS team. If the
service locates a matching Knowledge Base (KB) article that specifically addresses the problem, it displays the article. If no
match is found, you are directed to a web page where you can send details to Citrix and search Citrix Support forums.

For more information about TaaS, access your Student Resource Kit (SRK).

Issue: Unable to shadow an end-user session in Director.
Resolution:
1. Ensure that the end user has an active session.
2. Verify that remote assistance is enabled on the virtual desktop.
3. Verify that the administrator has the correct permissions to shadow end users within Director.
4. Verify that the device you are trying to shadow accepts connections on port 3389.

Issue: The HDX Panel is not available in the administrator's Director.
Resolution: Verify that the end user's machine is connected using HDX. If the end user is not connected using HDX, then the
panel will not be available.

Issue: Usage graphs are not displayed in the dashboard.
Resolution: Ensure that the latest version of Flash is installed on the system running Director.

Issue: An error is displayed when running Real-Time reports.
Resolution: Citrix Director requires that WinRM 1.1 or later be installed and enabled on the desktop machine.

Citrix recommends upgrading to WinRM 2.0, based on operating system compatibility.
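
The shadowing, HDX panel, and WinRM checks listed in the troubleshooting entries above can be run as one script from a Delivery Controller. The following PowerShell is an added example and is not part of the Citrix course material; it assumes the Citrix Broker snap-in (Citrix.Broker.Admin.V2) is installed where it runs, and the function names Test-TcpPort and Test-ShadowReadiness, as well as the fAllowToGetHelp registry value used as the indicator that Remote Assistance is enabled, are choices made for this example.

```powershell
# Added example (not from the course): pre-flight checks for the shadowing,
# HDX panel and Real-Time report issues in the troubleshooting list.
# Assumption: run as a Citrix administrator on a Delivery Controller.
if (-not (Get-PSSnapin -Name Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
}

# Hypothetical helper: TCP connect test with a timeout, so an unreachable
# machine does not stall the whole report.
function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Hypothetical function: one result row per session of the given user.
function Test-ShadowReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $UserName   # e.g. 'TRAINING\AcctUser1'
    )

    $sessions = @(Get-BrokerSession -UserName $UserName)
    if ($sessions.Count -eq 0) {
        Write-Warning "No sessions found for $UserName."
        return
    }

    foreach ($s in $sessions) {
        $vda   = $s.DNSName
        $winrm = $false
        $ra    = $null      # stays $null (unknown) when the machine cannot be queried

        try {
            # WinRM must answer before the registry can be read remotely.
            Test-WSMan -ComputerName $vda -ErrorAction Stop | Out-Null
            $winrm = $true
            $ra = Invoke-Command -ComputerName $vda -ErrorAction Stop -ScriptBlock {
                # Assumption: Remote Assistance is treated as enabled when
                # fAllowToGetHelp is 1 in the local setting or in the policy key.
                $local  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
                $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
                ($local.fAllowToGetHelp -eq 1) -or ($policy.fAllowToGetHelp -eq 1)
            }
        } catch {
            Write-Verbose "WinRM query to $vda failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            User                    = $s.UserName
            Machine                 = $vda
            SessionState            = $s.SessionState
            ActiveSession           = ($s.SessionState -eq 'Active')   # shadowing check 1
            RemoteAssistanceEnabled = $ra                              # shadowing check 2
            Port3389Open            = (Test-TcpPort -ComputerName $vda -Port 3389)  # check 4
            ConnectedViaHdx         = ($s.Protocol -eq 'HDX')          # HDX panel issue
            WinRMResponding         = $winrm                           # Real-Time report issue
        }
    }
}

# Shadowing check 3 (administrator permissions) is not covered here; it depends
# on how the Remote Assistance GPO is configured in the environment.
# Usage with the lab account named in this module:
# Test-ShadowReadiness -UserName 'TRAINING\AcctUser1' | Format-Table -AutoSize
```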

Reinforcement Exercise: Using Director


During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked
to use what you have learned to complete it. This exercise is designed to take your newly-acquired knowledge and
determine if you can apply it to perform a task you have never done before. In most instances the default value
will be the best choice, but we encourage you to explore and try different options. If you have a question or need
help, ask the instructor or a fellow student for assistance.

In this module, you learned how to:


• Monitor using the Dashboard within Director.
• Monitor and manage end-user sessions within Director.
• Monitor historical trends within Director.
Time to complete: Approximately 30 minutes
As a prerequisite for this exercise, perform the following:
• Log on to the EndPoint-Internal virtual machine using the AcctUser1 and Password1 credentials.
• Log on to StoreFront (https://sfs-1.training.lab/Citrix/StoreWeb) using the AcctUser1 and Password1 credentials.
• Launch the Win8-Accounting.
You want to explore some more of the options that Director can offer Training.
To complete your objective:
• Use Director to restart the machine used by the AcctUser1 user.
• View the results of issuing the command:
    • Watch the virtual machine restart in Citrix XenCenter.
    • View the results on the EndPoint-Internal virtual machine.
• On the EndPoint-Internal virtual machine log on again to Win8-Accounting using the TRAINING\AcctUser1 credentials
once the machine has finished restarting.
• Reset the Personal vDisk of the Win8-Accounting for the TRAINING\AcctUser1.

Module 10

Setting Up NetScaler
Overview
The Configure NetScaler Gateway for Enterprise Store wizard should not be used with the NetScaler version being
used in the lab environment (NetScaler 11.0 Build 64.34). Using this wizard will result in http being used instead
of https even though you selected https in the wizard. For this reason, you should follow the steps provided in the
exercises rather than use the wizard. The steps in the exercises will bypass this issue.
The Citrix NetScaler product line optimizes delivery of applications over the Internet and private networks, combining
application-level security, optimization, and traffic management into a single, integrated appliance. You can install a NetScaler
appliance in the DMZ and route all connections from the endpoints to your managed servers through it. The NetScaler
features that you enable and the policies you set are then applied to incoming and outgoing traffic.
The features available in NetScaler are based on the license installed.
• A NetScaler Gateway Platform license allows an unlimited number of end users to access internal XenApp and
XenDesktop resources using ICA proxy without compromising the security of your internal network.
• A NetScaler Gateway Universal license enables a full VPN tunnel, endpoint analysis, policy-based SmartAccess, and
clientless access to Web sites and file shares in your internal network.
For more information about NetScaler licensing, search www.citrix.com for "netscaler-data-sheet.pdf".
After completing this module, you will be able to:
• Perform the initial NetScaler configuration.
• Configure NetScaler high availability.
• Load balance StoreFront servers through NetScaler.
• Enable remote access to the StoreFront store.
• Configure HDX (ICA) proxy.
• Configure a pre-authentication policy to scan an endpoint.
• Configure NetScaler for email-based account discovery.
Module Timing: 5.0 hours



Please perform the following steps to ensure that you will have sufficient lab environment resources available to
complete this module.
• Shut down the following VMs:
    • Win2012R2PXE-01 (Wait for this VM to completely shut down before proceeding.)
    • ProvisioningServicesHost-1
    • Server2012R2-01
    • UniversalPrintServer-1
    • EndPoint-Internal
• Start the following VMs:
    • Controller-2
    • EndPoint-External
    • StoreFrontServer-2
• Verify that the following VMs are started before proceeding:
    • Controller-1 = On
    • Controller-2 = On
    • DomainController-1 = On
    • EndPoint-External = On
    • FileServer-1 = On
    • SQLServer-1 = On
    • SQLServer-Witness = On
    • StoreFrontServer-1 = On
    • StoreFrontServer-2 = On
    • StudentManagementConsole-1 = On
All other VMs should be off.

To Import the NetScaler Gateway VPX


The NetScaler VPX has already been imported into the lab environment. You should use the pre-created VMs
instead of downloading and importing the NetScaler appliance. To experience importing the NetScaler VPX, we
have provided an exercise below. For demonstration purposes NS 10.0 54.7.nc is used, however, it is the same
process to import a VPX in XenServer for the 11.0 builds. Click the following link and use the steps in this course
to complete the exercise:
• Importing NetScaler VPX Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Click File > Import in the XenCenter console.


2. Click Browse and then browse to the location of the NetScaler VPX image file.
Click Browse.

3. Select the image file and then click Open.


Select the NSVPX-XEN-10.0-54.7_nc.xva image file and then click Open.

4. Click Next.
5. Select the location where the imported VM will be placed.
Select the XS1 XenServer and then click Next.

6. Select the local storage repository on which to store the virtual appliance and then click Import to begin the import
process.
Select NFS virtual disk storage and then click Import.



7. Select the network interface to be used by the VM image and then click Next.
Verify that Network 0 is selected on Interface 0 and then click Next.

8. Review the import settings and then click Finish to complete the import process.

The imported NetScaler VPX appears in XenServer after the import is finished. The imported NetScaler VPX
will be configured in an exercise later in this module.

9. Close the XenCenter window.


Click the X in the upper-right corner of the XenCenter window to close the exercise.

Discussion Question
When is the default IP address of 192.168.100.1 / 255.255.0.0 used to configure a NetScaler?

Creating the NetScaler VM


The NetScaler resides in the DMZ between the endpoints and the servers, so that requests for resources and the server
responses pass through it. In a typical installation, virtual servers (vServers) configured on the NetScaler provide connection
points that endpoints use to access the resources behind the firewall.

Discussion Question
How many concurrent end-user connections can a NetScaler VPX support?

Performing the Initial NetScaler Configuration


NetScaler uses FreeBSD as its OS. The NetScaler kernel can be accessed through a browser or an SSH connection. The
command-line interface (CLI) on Console 0 is used for the initial configuration of the NetScaler including the network
configuration and device name. All other configuration is performed using the SSH client or the NetScaler Configuration
utility.

You should pay close attention whenever you are asked to type anything into the NetScaler interface. Check and
then double-check everything before moving to the next step in all NetScaler procedures. This can reduce the
amount of troubleshooting you need to do later.

To Perform the Initial Configuration of the First NetScaler


1. Right-click the NetScaler VM in XenCenter and then click Start.
Right-click NetScaler-1 and then click Start.

2. Click the Console tab.


3. Type the IPv4 address that you want to assign to the NetScaler at the prompt and then press Enter.
Type 192.168.10.33 and then press Enter.

4. Type the subnet mask for the IP address at the prompt and then press Enter.
Type 255.255.255.0 and then press Enter.

5. Type the default gateway address at the prompt and then press Enter.
Type 192.168.10.1 and then press Enter.

6. Type 4 to save the configuration and then press Enter.


7. Wait approximately 60 seconds for the initialization to finish.

8. Log on to a system to access the NetScaler Configuration utility.
Log on to the StudentManagementConsole-1 VM using the TRAINING\Administrator and Password1 credentials.

The StudentManagementConsole-1 VM is being used in this lab to access a browser. Any system could be
used at this point.

9. Open a browser.
Double-click Chrome on the desktop.

Do not use Internet Explorer to manage the NetScaler in this lab environment.

10. Type the IP address that you assigned to the first NetScaler VM into the Address field and then press Enter.
Type 192.168.10.33 into the Address field and then press Enter.

11. Type the user name and password into the appropriate fields and then click Login.
Type nsroot in both fields and then click Login.

12. Click Skip on the Citrix User Experience Improvement Program screen.
13. Verify that the NetScaler IP Address is correct.

Verify that the NetScaler IP address is 192.168.10.33.

14. Type the Subnet IP (SNIP) in the Subnet IP Address field.


Type 192.168.10.34 in the Subnet IP Address field.

15. Verify the Subnet IP Address Netmask in the Subnet IP Address NetMask field.
Type 255.255.255.0 in the Subnet IP Address NetMask field.

16. Click Done.


17. Click in the Host Name, DNS IP Address, and Time Zone field.
18. Type a host name in the Host Name field.
Type NS-1 in the Host Name field.

19. Select the correct time zone in the Time Zone field.
Select GMT-5:00-EST-America/Jamaica.

20. Click Done.


21. Click No on the Confirmation window to save the configuration and reboot the NetScaler.
22. Click in the Licenses field.
23. Verify that Upload license files is selected then click Browse.
24. Browse to the location where the license file is stored.
Type \\AD\lab_resources in the File Name field and then press Enter.

25. Click the license file and then click Open.


Click NetScaler_VPX1_PLT_Citrix_Education_Expires_20180109.lic and then click Open.

26. Click Reboot.


27. Click Yes in the Confirm message to restart the NetScaler.
28. Type the user name and password into the appropriate fields and then click Login.
Type nsroot in both fields and then click Login.

29. Click System > User Administration > Users, click nsroot in the right pane, and then click Change Password.
30. Type Password1 in the Password and Confirm Password fields and then click OK.

Discussion Question
How do you access the NetScaler Configuration utility?

Configuring NTP
Network Time Protocol (NTP) uses a time server to provide all devices in an environment with an authoritative source from
which to synchronize their local clocks. The time server can be private or public. If the servers in the environment do not
have their local clocks set consistently, Kerberos authentication may fail and Event Logs may not be time stamped properly.
NTP should be configured on the NetScaler immediately after the initial configuration is completed. NTP
servers that have been retired or are no longer accessible should be removed from the NetScalers.

In the lab, you are using the domain controller to provide the NTP service.

To Synchronize the Time on the NetScaler


1. Log on to a system using domain administrator credentials.
Log on to StudentManagementConsole-1 with the TRAINING\Administrator and Password1 credentials.

2. Open a browser, type the IP address of the NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.

3. Log on to the NetScaler with the NetScaler credentials.


Type nsroot and Password1 and then press Enter.

4. Click System > NTP Servers and then click Add at the top of the NTP Servers tab.
5. Type the IP address of the NTP server in the NTP Server field and then click Create.
Type 192.168.10.11 in the NTP Server field and then click Create.

This step can be repeated to add additional NTP servers. One of the NTP servers can also be set as preferred.

6. Right-click NTP Servers in the left pane and then click NTP Synchronization.
7. Select the desired state and then click OK.
Select Enabled and then click OK.

8. Right-click NTP Servers in the left pane and then click NTP Parameters.
9. Set the desired parameters and then click OK.
Deselect Authentication and then click OK.

Discussion Question
What will happen if the time server configured to provide NTP services to the NetScaler becomes unavailable?

Configuring NetScaler High Availability
A high availability deployment of two NetScalers can provide uninterrupted operation for any transaction. In a high-availability
pair configuration, only one system is active. This system, which is known as the primary, actively accepts
connections and manages servers. All shared IP addresses are active on the primary system only.
The secondary system monitors the health of the primary system. If the secondary system senses a failure on the primary
system, then the secondary system assumes the role of the primary with all of the primary settings. This process prevents
downtime and ensures that the services provided by the NetScaler system remain available even if one system ceases to
function.
To set up a NetScaler HA pair:
1. Verify that each NetScaler has a unique NSIP (NetScaler IP address). The NSIP is used to determine which NetScaler is
the primary and which is the secondary system. The two NetScalers communicate with each other using the NSIP, and a
heartbeat packet is sent every 200 milliseconds via UDP port 3003 to determine the health of the systems.
2. Configure one of the NetScalers with the NSIP of the other NetScaler.
3. Enable the HA pair to complete the configuration.

For more information about NetScaler High Availability with hands-on experience, contact your class provider and
schedule the CNS-207 course.

Setting Up DNS
NetScaler uses DNS for name resolution. In this procedure, you are adding DNS entries for the virtual servers configured on
the NetScaler and configuring NetScaler to use a DNS server for name resolution.
An Address (A) record is an entry in DNS that maps a fully qualified domain name (FQDN) to an IP address. You must set
up an A record for the NetScaler and the load-balanced StoreFront servers because you will be creating SSL certificates and
the common name will be the FQDN.

1. XenApp and XenDesktop components are installed on physical or virtual machines.
2. Each machine that will be load balanced needs a "server" entity to be created on the NetScaler.
3. "Service" entities are created and associated with each "server" entity.
4. Load balancing "virtual servers" are created for each set of "services" you want to load balance. The "services" are bound to
the appropriate "virtual server".
5. A monitor is configured for each "service" on the NetScaler to determine if the actual system to be load balanced, as
defined in the "service" and "server" entities, is up and ready to accept connections. If it is offline or experiencing issues,
the monitor flags the "service" as down so that the load balancing "virtual server" does not direct communications to it.

To Configure DNS A Records for the NetScaler
1. Log on to the domain controller using domain administrator credentials.
Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Tools at the top right of the Server Manager window and then click DNS.
3. Browse to the forward lookup zone for the domain.
Browse to AD > Forward Lookup Zones > training.lab.

4. Right-click the domain name and then click New Host (A or AAAA) to create an A record for the NetScaler.
Right-click training.lab and then select New Host (A or AAAA).

5. Type a name for the new NetScaler host in the Name field and then type the IP address of the host.
Type access in the Name field and then type 192.168.10.50 in the IP Address field.

6. Click Add Host and then click OK.


7. Type a name for the new StoreFront host in the Name field and then type its IP address.
Type sf and then type 192.168.10.51 in the IP Address field.

You will create a virtual server tied to this IP address later.

8. Click Add Host and then click OK.


9. Click Done.
10. Log on to a system using domain administrator credentials.
Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.

11. Open a browser, type the IP address of the first NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.

12. Log on to the first NetScaler using the NetScaler credentials.


Log on to NetScaler-1 using the nsroot and Password1 credentials.

13. Expand the Traffic Management > DNS > Name Servers nodes in the left pane of the first NetScaler.
14. Click Add to add a new Name Server.
15. Type the IP address of the DNS server in the environment into the IP Address field and then click Create.
Type 192.168.10.11 in the IP Address field and then click Create.

Discussion Question
If you add another StoreFront server to the environment, how many more virtual servers (vServers) do you need to add to
NetScaler?

Creating Certificates for NetScaler


Certificates can be issued by a third-party CA or be self-signed. A self-signed certificate guarantees its own trust and security
but has no one to "vouch" for it. A third-party certificate is signed by a trusted third-party Certificate Authority root
certificate indicating that the third party "vouches" for it. The root certificates from some large third-party Certificate
Authorities are automatically marked as trusted by Web browsers and programs. This is important because browsers check to
determine if an encrypted HTTPS connection has a certificate signed by a trusted root certificate. If a certificate is not trusted
or is not signed by a trusted root certificate, then end users will be warned that the site should not be trusted. For this reason,
all external-facing components in the environment should use certificates signed by a third-party Certificate Authority.

Internal components should use certificates issued by an internal enterprise Certificate Authority. The root certificate
of the internal Certificate Authority should be trusted by all internal devices. When using the Microsoft Enterprise Certificate
Authority role in an Active Directory infrastructure, the root certificate is automatically distributed to and trusted by all
domain-joined machines running a Microsoft operating system. These certificates are not appropriate for
external-facing services because the majority of browsers that encounter such a certificate will not trust it and will present a warning.

Creating a Wildcard Certificate for Internal Resource Access


Wildcard SSL certificates are processed in the same way as regular SSL certificates. Placing a wildcard character before the
domain name (for example, *.training.lab) secures any FQDN that adds a single label in front of .training.lab, but not deeper subdomains.

The wildcard character only covers one full stop (period) in the address. For example, while the certificate would
secure the accounts.training.lab and hr.training.lab FQDNs, it would not secure the new.accounts.training.lab
FQDN.

If you use a third-party certificate and assign it to the domain, you would need to purchase additional certificates for each FQDN. This
could become expensive if you have multiple sub-domains. In addition, you would have to manage the expiration and
replacement of multiple certificates instead of just one.
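The single-label rule described above can be checked before a certificate is requested. The following is an added example, not part of the course material or of any Citrix or browser code; the strict policy (wildcard only as the whole left-most label, no `*.lab`-style names, no match on IP addresses) and the sample host list are assumptions of the example.

```python
"""Which lab FQDNs does a certificate name such as *.training.lab cover?

Added illustration. The matching policy is this example's own strict reading
of the one-label wildcard rule described in the text.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a single trailing dot is the root label.
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def name_matches(pattern: str, host: str) -> bool:
    """Return True if the certificate name `pattern` covers `host`."""
    if _is_ip_literal(host):
        return False  # a DNS name, wildcard or not, never covers an IP address
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h:
        return False  # empty label, e.g. "a..training.lab"
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, so label counts must agree
    if any("*" in label for label in p[1:]):
        return False  # a wildcard is only honoured in the left-most label
    if p[0] == "*":
        # Policy assumption: refuse "*.lab"-style names that would span a whole TLD.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial-label wildcard such as "s*.training.lab"
    return p == h


def coverage_report(cert_names: Iterable[str],
                    hosts: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each host to the first certificate name that covers it, or None."""
    names = list(cert_names)
    return {h: next((n for n in names if name_matches(n, h)), None) for h in hosts}


# Constructed sample input: FQDNs named on this page plus edge cases added here.
LAB_HOSTS = [
    "accounts.training.lab",
    "hr.training.lab",
    "new.accounts.training.lab",   # two labels deep: not covered
    "access.training.lab",
    "sf.training.lab",
    "training.lab",                # the bare domain is not covered either
    "192.168.10.51",               # reaching a service by IP never matches a DNS name
]

if __name__ == "__main__":
    for host, covered_by in coverage_report(["*.training.lab"], LAB_HOSTS).items():
        status = "covered by " + covered_by if covered_by else "NOT covered"
        print(f"{host:28} {status}")
```

Any host reported as not covered needs its own certificate or an additional name on the certificate.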

To Create a Wildcard Certificate for the Domain


1. Log on to a system using domain administrator credentials.
Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.

2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.

3. Log on to the first NetScaler with the NetScaler credentials.


Log on to NetScaler-1 using the nsroot and Password1 credentials.

4. Expand the Traffic Management node in the left pane.


5. Right-click SSL and then click Enable Feature in the NetScaler Configuration utility.

While this step is not a part of creating a certificate, SSL must be enabled on the NetScaler in order to use the
certificate that you are creating.

6. Click SSL in the left pane and then click Create RSA Key in the SSL tab.
7. Type a name in the Key Filename field.
Type wildcard_training_lab.key in the Key Filename field.

8. Type an appropriate key size in the Key Size (bits) field.


Type 2048 in the Key Size (bits) field.

9. Select a key format and a PEM encoding algorithm.


Select PEM for the key format and then select DES3 for the PEM encoding algorithm.

10. Type a passphrase in the PEM Passphrase and Confirm PEM Passphrase fields and then click Create.
Type Password1 in the PEM Passphrase and Confirm PEM Passphrase fields and then click Create.

11. Click Create Certificate Signing Request (CSR) in the SSL tab.
12. Type a name in the Request File Name field.
Type wildcard_training_lab.csr in the Request File Name field.

13. Click Browse to the right of the Key Filename field and then double-click the name of the key file created earlier.
Click Browse to the right of the Key Filename field and then double-click wildcard_training_lab.key.

14. Type the password in the PEM Passphrase field.
Type Password1 in the PEM Passphrase field.

15. Select the country and then type the state or province to use for the certificate.
Select United States in the Country field and then type Florida in the State or Province field.

16. Specify a name for the organization in the Organization Name field.
Type Training in the Organization Name field.

17. Type the FQDN of the company or Web site in the Common Name field and then click Create.
Type *.training.lab in the Common Name field and then click Create.

You are creating a wildcard certificate, so you are using a wildcard character in the FQDN.

18. You can click the Click here to View link to see the CSR.
The following steps are an alternate way to view the CSR.

19. Click Manage Certificates / Keys / CSRs in the Tools section of the SSL tab.
20. Click Yes to confirm refresh, if a prompt appears.
21. Select the certificate signing request that you created and then click View at the bottom of the window.
Select the wildcard_training_lab.csr file and then click View.

Selecting the wrong file will result in you receiving an "ASN1 bad tag value met" error during the certificate
request.

22. Press Ctrl+A and then press Ctrl+C to copy all of the text to the clipboard.
23. Click Close and then click Close again.
24. Browse to the internal Certificate Authority issuer and follow their steps to generate a certificate.

a. Select Internet Explorer in the start screen of StudentManagementConsole-1.


b. Type http://ad/certsrv and then press Enter to access the Certificate Authority.

If requested, type TRAINING\Administrator in the User name field, Password1 in the Password
field, and then click OK.

25. Use the certificate signing request to request the certificate.

Every Certificate Authority has slightly different steps. The lab environment uses Microsoft Enterprise
Certificate Authority Web Enrollment.

a. Click Request a certificate.
b. Click advanced certificate request.
c. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal
request by using a base-64-encoded PKCS #7 file.
d. Click within the Saved Request field and then press Ctrl+V to paste the certificate request into the field.
e. Select Web Server in the Certificate Template field and then click Submit.
f. Select Base 64 encoded.
g. Click Download certificate.
h. Click the down arrow next to Save at the bottom of the window.
i. Click Save as and then click Desktop.
j. Type wildcard_training_lab in the File name field.
k. Click Save.
l. Close Internet Explorer.

26. Click Traffic Management > SSL > Certificates in the left pane of the NetScaler Configuration utility on the first
NetScaler.
27. Click Install.
28. Type a name in the Certificate-Key Pair Name field.
Type wildcard_training_lab.certkey in the Certificate-Key Pair Name field.

29. Click the down arrow to the right of the Browse button for the Certificate File Name field and then select Local.
30. Browse to where the certificate file was saved and then double-click the certificate file.
Click Desktop and then double-click wildcard_training_lab.cer.

31. Click Browse to the right of the Key Filename field and then double-click the name of the key file you created earlier.
Click Browse and then double-click wildcard_training_lab.key.

32. Type the password for the private key in the Password field.
Type Password1 in the Password field.

33. Click Create.

There is no confirmation message. If you prematurely click Create before all of the information has been
entered, you can delete the certificate by selecting the certificate and then clicking Remove in the Traffic
Management > SSL > Certificates window.

34. Click Close.

Discussion Question
Which two fields on a certificate are used to verify the chain of trust?

Creating a Certificate Signed by a Third-Party Certificate Authority


A third-party certificate signed by a public Certificate Authority should be installed on the NetScaler for the public-facing
services to allow remote end users to communicate via SSL. In this procedure, you are creating and installing a public
certificate on the NetScaler.

You will be using an internal Certificate Authority instead of a public Certificate Authority in this procedure,
because of lab environment and monetary constraints.

To Create a Public Certificate for the NetScaler
1. Log on to a system using domain administrator credentials.
Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.

2. Open a browser, type the IP address of the NetScaler, and then press Enter.
Open Chrome (located on the desktop), type 192.168.10.33, and then press Enter.

3. Log on to the first NetScaler using the NetScaler credentials.


Log on to NetScaler-1 using the nsroot and Password1 credentials.

4. Click Traffic Management > SSL in the left pane and then click Create RSA Key.
5. Type a name in the Key Filename field.
Type access_training_lab.key in the Key Filename field.

6. Type an appropriate key size in the Key Size (bits) field.


Type 2048 in the Key Size (bits) field.

7. Select a key format and a PEM encoding algorithm.


Select PEM for the key format and then select DES3 for the PEM encoding algorithm.

8. Type a passphrase in the PEM Passphrase and Confirm PEM Passphrase fields and then click Create.
Type Password1 in the PEM Passphrase and Confirm PEM Passphrase fields and then click Create.

9. Click Create Certificate Signing Request (CSR) in the SSL tab.


10. Type a name in the Request File Name field.
Type access_training_lab.csr in the Request File Name field.

11. Click Browse to the right of the Key Filename field and then double-click the key file.
Click Browse to the right of the Key Filename field and then double-click access_training_lab.key.

12. Type the password in the PEM Passphrase field.


Type Password1 in the PEM Passphrase field.

13. Select the country and then type the state or province to use for the certificate.
Select United States in the Country field and then type Florida in the State or Province field.

14. Type a name in the Organization Name field.


Type Training in the Organization Name field.

15. Type the FQDN in the Common Name field and then click Create.
Type access.training.lab in the Common Name field and then click Create.

16. Click Manage Certificates / Keys / CSRs in the Tools section of the SSL tab.
17. Click Yes to refresh the configuration, if a prompt appears.
18. Select the certificate signing request that you created and then click View at the bottom of the window.
Select the access_training_lab.csr file and then click View.

Selecting the wrong file will result in you receiving an "ASN1 bad tag value met" error during the certificate
request.

19. Press Ctrl+A and then press Ctrl+C to copy all of the text to the clipboard.
20. Click Close and then click Close again.
21. Browse to the third-party certificate issuer and follow their steps to generate a certificate.

Every third-party Certificate Authority has slightly different steps. The lab environment does not have a
third-party Certificate Authority available. In the real world, the NetScaler certificate should use a trusted
third-party Certificate Authority. In the lab environment, you will receive a warning when an external endpoint
attempts to access a resource through the NetScaler. You will use the Enterprise Certificate Authority Web
Enrollment for the domain to simulate this using the following steps.

a. Select Internet Explorer in the toolbar of StudentManagementConsole-1.


b. Type http://ad/certsrv and then press Enter to access the Certificate Authority.

22. Obtain the third-party certificate.

a. Click Request a certificate.


b. Click advanced certificate request.
c. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal
request by using a base-64-encoded PKCS #7 file.
d. Click in the Saved Request field and then press Ctrl+V to paste the certificate request into the Saved Request field.
e. Select Web Server in the Certificate Template field and then click Submit.
f. Select Base 64 encoded.
g. Click Download certificate.
h. Click the down arrow next to Save at the bottom of the Internet Explorer window.
i. Click Save as and then click Desktop.
j. Type access_training_lab in the File name field.
k. Click Save.
l. Close Internet Explorer.

23. Click Certificates under Traffic Management > SSL in the left pane.
24. Click Install.
25. Type a name in the Certificate-Key Pair Name field.
Type access_training_lab.certkey in the Certificate-Key Pair Name field.

26. Select the down arrow next to the Browse button for the Certificate File Name field and then select Local.
27. Browse to where the certificate file was saved and then double-click the certificate file.
Click Desktop and then double-click access_training_lab.cer.

28. Click Browse to the right of the Key File Name field and then double-click the key file.
Click Browse to the right of the Key File Name field and then double-click access_training_lab.key.

29. Type the password for the private key in the Password field.
Type Password1 in the Password field.

30. Click Install.

There is no confirmation message.

31. Click Close.


32. Click the diskette in the upper-right area of the window and then click Yes to save the NetScaler configuration.

Load Balancing StoreFront Servers


One of the built-in features of NetScaler is the ability to load-balance backend resources to provide high availability in a
XenApp and XenDesktop environment. In this procedure, you will load balance the StoreFront servers that end users rely on
to access their XenApp and XenDesktop resources. Once load balancing is configured, it is a simple task to add StoreFront
servers to the load-balancing configuration.

To Load Balance StoreFront Servers
1. Log on to a system.
Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.

2. Open a browser, type the IP address of the NetScaler, and then press Enter.
Open Chrome (located on the desktop), type 192.168.10.33, and then press Enter.

3. Log on to the NetScaler using the NetScaler credentials.


Log on to the first NetScaler using the nsroot and Password1 credentials.

4. Expand the Traffic Management node, right-click Load Balancing, and then click Enable Feature.
5. Expand the Load Balancing node and then click Servers to create a server for each of your StoreFront servers.
6. Click Add and type a name for the first StoreFront server in the Name field.
Click Add and then type StoreFrontServer-1 in the Server Name field.

7. Type the IP address for the first StoreFront server in the IP Address field and then click Create.
Type 192.168.10.28 in the IP Address field and then click Create.

NetScaler Gateway will use this IP address to load balance and direct connections to the StoreFront server.

8. Click Add to create a server for your second StoreFront server.


9. Type the name of the second StoreFront server in the Name field.
Type StoreFrontServer-2 in the Server Name field.

10. Type the IP address for the second StoreFront server in the IP Address field and then click Create.
Type 192.168.10.29 in the IP Address field and then click Create.

NetScaler Gateway will use this IP address to load balance and direct connections to the StoreFront server.

Verify that both servers are enabled.

11. Click Services under the Load Balancing node and then click Add to create a service for each of the StoreFront servers in
the environment.
12. Type a name for the first StoreFront service in the Service Name field.
Type SFService-1 in the Service Name field.

13. Select the name of the first StoreFront server in the Server field.
Click the Existing Server radio button and select StoreFrontServer-1 (192.168.10.28).

14. Select SSL in the Protocol field. The port should be 443. Then click OK.
15. Click 1 Service to Load Balancing Monitor Binding under Monitors, select the proper StoreFront monitor, and then
click Add.
Click 1 Service to Load Balancing Monitor Binding under Monitors, click Add Binding, click in the field below
Select Monitor. Select the https monitor radio button then click Select. Click Bind.

16. Click Close and then click Done.


17. Click Add in the Services page to add a service for the second StoreFront server.
18. Type a name for the second StoreFront service in the Service Name field.
Type SFService-2 in the Service Name field.

19. Select the name of the second StoreFront server in the Server field.
Click the Existing Server radio button and select StoreFrontServer-2 (192.168.10.29) from the drop down menu.

20. Select SSL in the Protocol field. The port should be 443. Then click OK.
21. Click 1 Service to Load Balancing Monitor Binding under Monitors, select the proper StoreFront monitor, and then
click Add.
Click 1 Service to Load Balancing Monitor Binding under Monitors, click Add Binding, click in the field below
Select Monitor. Select the https monitor radio button then click Select. Click Bind.

22. Click Close and then click Done.


23. Verify that both services are in the Up state. If a StoreFront server is off, you can expect the service associated
with that server to be down. If the server is on, and the service shows as down, verify that no errors appear in
Studio.

24. Select Virtual Servers in the left pane under the Load Balancing node and then click Add in the Virtual Servers tab to
create the load balancing virtual server for the StoreFront servers.

Only one load balancing virtual server needs to be created regardless of the number of StoreFront servers in
the environment.

25. Type an appropriate name in the Name field for the load balancing virtual server used by the StoreFront servers.
Type sf_training_lab in the Name field.

26. Select SSL in the Protocol drop-down list box.


27. Type the IP address to use for the load balancing virtual server in the IP Address field.
Type 192.168.10.51 in the IP Address field then click OK.

28. Click No Load Balancing Virtual Server Service Binding under Services and Groups tab and then select the StoreFront
services that will be load balanced by this virtual server.
Click No Load Balancing Virtual Server Service Binding under Services and Groups then click in the field below
Select Service. Check the boxes next to SFService-1 and SFService-2 then click Select. Click Bind, then click
Continue.

In this release of NetScaler, do not use Service Groups with StoreFront.

29. Click No Server Certificate under Certificates and then select the proper SSL certificate.
Click No Server Certificate under Certificates, click in the field below Select Server Certificate, select
wildcard_training_lab.certkey, click Select, click Bind, and then click Continue.

30. Click the Persistence node on the right.


31. Specify the persistence type to be used.
Select SOURCEIP in the Persistence drop down menu on the left pane.

Do not use COOKIEINSERT as the persistence method in the lab environment.

32. Specify the time out setting.


Type 60 in the Time-out (min) field.

33. Click OK and then click Done.


34. Verify that the state of the load balancing virtual server is Up.
Verify that the state of the sf_training_lab load balancing virtual server is Up.

35. Click the diskette in the upper-right area of the window and then click Yes to save the configuration.
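The entities listed under Setting Up DNS (server, service, monitor, virtual server) and the SOURCEIP persistence set in the procedure above, as a small Python model of how they interact. This is an added example, not NetScaler code or part of the course; round-robin selection, the idle-timer reading of the 60-minute time-out, and the `health` table standing in for the https monitor are assumptions of the model.

```python
"""Toy model of the load-balancing objects built in this procedure (illustration only)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Server:
    """A back-end machine: a name and an IP address."""
    name: str
    ip: str


@dataclass
class Service:
    """Protocol and port on one Server, plus the monitor bound to it."""
    name: str
    server: Server
    protocol: str
    port: int
    monitor: Callable[["Service"], bool]  # stand-in for the bound https monitor
    state: str = "DOWN"

    def run_monitor(self) -> str:
        # The monitor result alone decides whether the service is usable.
        self.state = "UP" if self.monitor(self) else "DOWN"
        return self.state


@dataclass
class LBVirtualServer:
    """One virtual IP in front of every bound service."""
    name: str
    vip: str
    timeout_min: int = 60
    services: List[Service] = field(default_factory=list)
    persistence: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    next_index: int = 0

    def bind(self, service: Service) -> None:
        self.services.append(service)

    @property
    def state(self) -> str:
        # The virtual server is Up while at least one bound service is Up.
        return "UP" if any(s.state == "UP" for s in self.services) else "DOWN"

    def pick(self, client_ip: str, now_min: float) -> Optional[Service]:
        """Choose a service for a client; None when nothing is Up."""
        up = [s for s in self.services if s.state == "UP"]
        if not up:
            return None
        chosen = None
        entry = self.persistence.get(client_ip)
        if entry and now_min < entry[1]:
            # SOURCEIP persistence: reuse the recorded service if it is still Up.
            chosen = next((s for s in up if s.name == entry[0]), None)
        if chosen is None:
            # Assumption: plain round robin among the services that are Up.
            chosen = up[self.next_index % len(up)]
            self.next_index += 1
        # Assumption: the time-out is an idle timer, restarted on every request.
        self.persistence[client_ip] = (chosen.name, now_min + self.timeout_min)
        return chosen


def build_lab():
    """Recreate the lab objects; `health` is constructed monitor input, keyed by server IP."""
    health = {"192.168.10.28": True, "192.168.10.29": True}
    probe = lambda svc: health[svc.server.ip]
    vserver = LBVirtualServer("sf_training_lab", "192.168.10.51", timeout_min=60)
    for n, ip in ((1, "192.168.10.28"), (2, "192.168.10.29")):
        server = Server(f"StoreFrontServer-{n}", ip)
        vserver.bind(Service(f"SFService-{n}", server, "SSL", 443, probe))
    return vserver, health


def run_monitors(vserver: LBVirtualServer) -> Dict[str, str]:
    return {s.name: s.run_monitor() for s in vserver.services}


if __name__ == "__main__":
    vs, health = build_lab()
    print(run_monitors(vs), vs.state)
    print("client 10.0.0.5 ->", vs.pick("10.0.0.5", 0).name)
    health["192.168.10.28"] = False          # StoreFrontServer-1 goes offline
    print(run_monitors(vs), vs.state)
    print("client 10.0.0.5 ->", vs.pick("10.0.0.5", 5).name)
```

The run shows the two behaviours the procedure relies on: a client stays on one StoreFront service while it is Up, and a service flagged down by its monitor stops receiving connections while the virtual server itself stays Up.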

Configuring NetScaler for Remote Access


The NetScaler will use LDAP to authenticate with Active Directory. To use LDAP, the NetScaler needs credentials to log on
to the Active Directory domain. Using a service account with few privileges provides less of an attack surface than using an
account with domain administrator permissions.
To only allow certain users to log on, a security group will be created in Active Directory. The NetScaler will then be
configured to allow only users in that group to access the environment remotely.

To Create a Service Account for LDAP Authentication and the Security Group for Remote Access
1. Log on to the domain controller using domain administrator credentials.
Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Tools in the Server Manager window.


3. Select Active Directory Users and Computers.
4. Browse to the OU that contains the service accounts.
Expand training.lab > Training Service Accounts.

5. Right-click the service account OU.


Right-click Training Service Accounts.

6. Select New > User.


7. Type a name for the NetScaler LDAP authentication service account in the Full name field.
Type LDAPAuth in the Full name field.

8. Type a name in the User logon name field and then click Next.
Type LDAPAuth in the User logon name field and then click Next.



9. Type the password for the account in the Password and Confirm password fields.
Type Password1 in the Password and Confirm password fields.

10. Specify the desired password settings and then click Next.

a. Deselect User must change password at next logon.


b. Select User cannot change password.
c. Select Password never expires.
d. Click Next.

11. Click Finish.

You are doing this so that the credentials you type into the NetScaler later on will not be for the domain
administrator account. This is not strictly necessary, but may reduce the potential attack surface. It is a good
practice to use a relatively long randomized password for service accounts.

12. Right-click the newly created service account and then click Add to a group to add the NetScaler LDAP service account
to the service accounts group.
Right-click LDAPAuth and then click Add to a group.

The service accounts group was created in an earlier exercise.

13. Specify the group to which you want to add the service account.
Type Service Accounts.

14. Click Check Names, click OK, and then click OK again.

Adding the account to the service accounts group will prevent interactive logon because you created a Group
Policy Object earlier that disallows log on locally to the service accounts group.

15. Browse to the OU that contains the end-user accounts to begin creating a security group for end users that will be
allowed remote access through the NetScaler.
Expand training.lab > Training Users.

16. Right-click the end-users OU and then click New > Group.
Right-click the Training Users OU and then click New > Group.

17. Type a name for the new group and then click OK.
Type Remote Access in the Group name field and then click OK.

18. Right-click the newly created group and then click Properties to begin adding the end users to the security group that
will be granted remote access.
Right-click the Remote Access group and then click Properties.

19. Click the Members tab and then click Add.


20. Specify the end users to be added to the security group and separate them by a semi-colon.
Type acctuser1; acctuser2; contractor1; contractor2; hduser1; hruser1; hruser2; xdadmin1; xdadmin2.

Do not include the hduser2 account in the security group so you can use it to verify that end users not
included in the group will not be granted remote access.

21. Click Check Names.


22. Click OK and then click OK again.



Configuring Active Directory Integration
You can configure Active Directory integration with NetScaler so that remote end users can authenticate at the NetScaler.
This allows remote end users to authenticate once and have access to all their resources without further authentication
prompts. If NetScaler authentication is not configured, remote end users must authenticate at the StoreFront server.
A service account is used to enable the LDAP communication from the NetScaler to Active Directory. Once LDAP
communication is enabled under the service account's authority, you can use the service account to send end users' credentials
to Active Directory for authentication, authorization, and auditing (AAA).

In the previous procedure you created the service account required for LDAP authentication and the security
group that identifies the end users who will be given remote access through the NetScaler. In this procedure, you
are configuring the NetScaler to use the service account and security group. The primary configuration will be the
LDAP settings.

To Configure Active Directory Integration with NetScaler


1. Log on to a system using domain administrator credentials.
Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.

2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.

3. Log on to the first NetScaler using the NetScaler credentials.


Log on to NetScaler-1 using the nsroot and Password1 credentials.

4. Right-click NetScaler Gateway in the left pane of the Configuration utility and then click Enable Feature.
5. Click NetScaler Gateway wizard in the NetScaler Gateway tab on the right.
6. Click Get Started on the Welcome page.
7. Type the IP address to use for the NetScaler Gateway virtual server in the NetScaler Gateway IP Address field.
Type 192.168.10.50 in the NetScaler Gateway IP Address field.

8. Specify the port number.


Verify that port 443 is specified.

9. Type a name for the NetScaler virtual server in the Virtual Server Name field and then click Next.
Type access_training_lab in the Virtual Server Name field and check the box next to Redirect requests from port 80
to secure port . This redirects users to if they forget to type https to access the NetScaler virtual server.

10. Type a name for the Gateway FQDN and then click Continue.
Type access_training_lab in the Gateway FQDN field then click Continue.

11. Select the certificate action to perform and then click Continue.
Select Use existing certificate in the Server Certificate field, select access_training_lab.certkey in the Server Certificate
field, and then click Continue.

12. Select Active Directory/LDAP as the Primary authentication method.


13. Type a name in the Name field and then type the IP address of the LDAP server in the IP Address field.
Type LDAP_DomainController-1 in the Name field and then type 192.168.10.11 in the IP Address field.

14. Verify that 389 appears in the Port field.


15. Type the base domain name in the Base DN field.
Type dc=training,dc=lab.



If your domain was citrix.com, you would type DC=citrix,DC=com. DC stands for Domain Component. If
you want to allow only end users from a specific Organizational Unit (OU), that can also be specified. If you
only want end users in the end-user's OU and descendant OUs to be able to authenticate, you would specify
OU=users,DC=Training,DC=Lab. For more information about LDAP, see
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol.

16. Type the name of the service account to be used in the form of username@domain (FQDN) in the Service account field.
Type LDAPAuth@training.lab in the Service account field.

17. Type the password in the Password and Confirm Password fields.
Type Password1 in the Password and Confirm Password fields.

18. Click Retrieve Attributes to test the connection to the LDAP server and then click OK.

If the test fails, verify that the password and the IP address of the LDAP server are correct.

19. Type sAMAccountName in the Server Logon Name Attribute field.

Failure to specify a value in this field will result in remote users receiving an Incorrect Password error.

20. Click Continue then click Done.


21. Close the Dashboard to go to the Configuration page.
22. Modify the LDAP policy.
23. Navigate to NetScaler Gateway > Policies > Authentication > LDAP then click the Servers tab on the right.
24. Highlight the LDAP_DomainController-1 server then click Edit.
25. Type a value in the Search Filter field to only allow end users that are a member of the proper group to access the
environment remotely.
Type memberOf=CN=Remote Access,OU=Training Users,DC=Training,DC=Lab in the Search Filter field.

There must be a space between "Remote" and "Access" and between "Training" and "Users". Remote Access is a group
that you created in an earlier exercise. It is used to group the user accounts that will be allowed remote access
into the environment. By specifying a group, you can limit who can access the environment remotely through
the NetScaler. For more information about configuring LDAP settings, refer to CTX111079 on the
www.citrix.com Website.
26. Specify a group attribute.
Select memberOf from the Group Attribute field.

27. Select a sub attribute.


Select cn from the Sub Attribute Name field.

28. Click OK.


29. Click the diskette in the upper-right area of the window and then click Yes to save the NetScaler configuration.
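How the Search Filter from step 25 gates logon, as an added Python example that is not part of the course material. It assumes the appliance ANDs the Server Logon Name Attribute with the Search Filter; the directory entries, the nesteduser account, and the Contractors group are constructed for illustration.

```python
# Added illustration: models how the LDAP Search Filter gates remote logon.
# Every directory entry below is constructed sample data, not lab output.

LOGIN_ATTR = "sAMAccountName"  # Server Logon Name Attribute (step 19)
SEARCH_FILTER = "memberOf=CN=Remote Access,OU=Training Users,DC=Training,DC=Lab"

# RFC 4515 escapes for characters that have meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before it is placed in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_logon_filter(username, search_filter=SEARCH_FILTER, login_attr=LOGIN_ATTR):
    """Combined filter (assumed form): logon-name clause AND the search filter."""
    return "(&({}={})({}))".format(login_attr, escape_filter_value(username), search_filter)


def normalize_dn(dn):
    """Case-insensitive DN comparison key; spaces inside a name are preserved.
    DNs containing escaped commas are out of scope for this sketch."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def entry_matches(entry, username, search_filter=SEARCH_FILTER, login_attr=LOGIN_ATTR):
    """True when the entry satisfies both clauses of the combined filter."""
    attr, _, wanted = search_filter.partition("=")
    if entry.get(login_attr, "").lower() != username.lower():
        return False
    held = {normalize_dn(value) for value in entry.get(attr, [])}
    return normalize_dn(wanted) in held


def allowed(directory, username, search_filter=SEARCH_FILTER):
    """True when some directory entry matches, i.e. the logon search succeeds."""
    return any(entry_matches(entry, username, search_filter) for entry in directory)


REMOTE_ACCESS = "CN=Remote Access,OU=Training Users,DC=training,DC=lab"
# Hypothetical group that is itself a member of Remote Access (nested group).
CONTRACTORS = "CN=Contractors,OU=Training Users,DC=training,DC=lab"

DIRECTORY = [
    {"sAMAccountName": "acctuser1", "memberOf": [REMOTE_ACCESS]},
    {"sAMAccountName": "hduser2", "memberOf": []},               # left out of the group
    {"sAMAccountName": "nesteduser", "memberOf": [CONTRACTORS]},  # indirect member only
]

if __name__ == "__main__":
    for name in ("acctuser1", "hduser2", "nesteduser"):
        print(name, build_logon_filter(name), allowed(DIRECTORY, name))
```

The memberOf attribute in Active Directory lists direct memberships only, so an account that reaches Remote Access through a nested group does not match this filter. A group name typed without its space matches no entry, which denies every user.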

Modifying StoreFront to Integrate with NetScaler


You now want to use NetScaler to load balance the traffic to the StoreFront servers. To use NetScaler load-balancing, you will
need to configure StoreFront and the NetScaler. This procedure only needs to be done once. After it is set up, adding
StoreFront servers to the environment requires only the addition of servers in the NetScaler that represent the new StoreFront
servers.



To Modify StoreFront to Work with NetScaler
1. Log on to the first StoreFront server with domain administrator credentials.
Log on to StoreFront Server-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start in the taskbar.


3. Type StoreFront and then click Citrix StoreFront in the Start screen.

If you receive an Add Snap-in error, click Cancel in the End Snap-in message and the console will open. Do
not click End Now.

4. Click Stores in the left pane and then select the proper store.
Click Stores and then select Store-1.

5. Click Manage Delivery Controllers in the right pane, verify that the Delivery Controllers are listed in the Servers
column, and then click OK.
Click Manage Delivery Controllers in the right pane, verify that c-1.training.lab and c-2.training.lab are listed in the
Servers column, and then click OK.

6. Click Authentication in the left pane and then click Add/Remove Methods.
7. Select the desired authentication methods and then click OK.

a. Verify that User name and password is selected.


b. Select Domain pass-through.
c. Select Pass-through from NetScaler Gateway and then click OK.

You are selecting Domain pass-through so that the Receiver on domain-joined endpoints can authenticate
without the end user re-entering credentials.

8. Click NetScaler Gateway in the left pane and then click Add NetScaler Gateway in the right pane.
9. Type an appropriate name in the Display name field.
Type access.training.lab in the Display name field.

Remote end users will use this name to configure Citrix Receiver preferences.

10. Type the FQDN to the NetScaler in the NetScaler Gateway URL field.
Type https://access.training.lab in the NetScaler Gateway URL field.

11. Select the correct logon type.


Verify Domain is selected as the logon type.

12. Type the FQDN to the NetScaler in the Callback URL field and then click Next.
Type https://access.training.lab in the Callback URL field and then click Next.

13. Click Add, and then type the URL to the STA in the STA URL field to add Secure Ticket Authorities (STAs).
Click Add and then type https://c-1.training.lab in the STA URL field.

/scripts/ctxsta.dll will automatically be appended to the end of the URL for the STA. Each Controller is a
Secure Ticket Authority (STA).

14. Click OK.



15. Click Add and then type the URL for the next STA in the STA URL field.
Click Add and then type https://c-2.training.lab in the STA URL field.

Ensure that you type https for both entries.

16. Click OK.


17. Click Create and then click Finish.

Discussion Question
You just configured NetScaler to load balance your StoreFront servers. What do you need to configure on your StoreFront
servers to direct traffic through the NetScaler?

Creating Beacons
You can specify URLs inside and outside your internal network to be used as beacon points. Citrix Receiver uses beacon
points to determine whether end users are connected from internal or external networks and then selects the appropriate
access method.
By default, StoreFront uses the server URL or load-balanced URL of your deployment as the internal beacon point. The Citrix
Web site and the virtual server or end-user logon point URL of the first NetScaler deployment you add are used as external
beacon points by default.
If you change any beacon points, ensure that end users update Citrix Receiver with the modified beacon information. If a
Receiver for Web site is configured for a store, end users can obtain an updated Citrix Receiver provisioning file from the site.
If a Receiver for Web site is not configured for the store, you can export a provisioning file for the store and make this file
available to your end users.

To Create a Beacon Point


This may be done automatically by StoreFront using the information previously entered in the various fields. If
you attempt to create the beacons before configuring the other NetScaler entries, you will need to complete these
steps. Verify that the information specified in the Beacon Contact Points section is correct using the following
steps.

1. Log on to the first StoreFront server using domain administrator credentials.


Log on to StoreFront Server-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type StoreFront, and then click Citrix StoreFront.


3. Click Beacons in the left pane.
4. Click Manage Beacons in the right pane.
5. Verify that the URL for the first external beacon is listed.
Verify that https://access.training.lab appears.

6. Verify that the URL for the second external beacon appears.
Verify that http://www.citrix.com appears.

7. Select Specify beacon address and then type the URL for the load balanced virtual server for StoreFront.
Select Specify beacon address and then type https://sf.training.lab in the Specify beacon address field.



You are specifying the URL for the load balanced virtual server for StoreFront here. In the lab environment,
all IP addresses in the DMZ are accessible from the outside. Because the service URL (the load-balanced
StoreFront server) is accessible from the outside, you need to use a different beacon address for the inside. In
the real world, the service URL should not be accessible from the outside. Firewall rules would only allow
external access to specific IP addresses and ports to the DMZ.
8. Click OK.

From now on in the lab environment, internal users will use https://sf.training.lab to access resources. External
users will access resources using the https://access.training.lab URL.

Enabling Remote Access to the Store


The default deployment of StoreFront allows only internal users to access it directly. Remote users cannot access a StoreFront
directly. You can enable StoreFront to accept remote user connections from a designated NetScaler appliance. Once enabled,
the setting is synchronized among all current and future StoreFront servers.

To Enable Remote Access to the Store


1. Log on to the first StoreFront server using the domain administrator credentials.
Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type StoreFront, and then click Citrix StoreFront.


3. Click Stores in the left pane of the StoreFront console and then select the appropriate store.
Click Stores in the left pane and then click Store-1.

4. Click Enable Remote Access in the right pane.


5. Determine how remote access will be configured for end user access from external networks.
Select No VPN tunnel.

6. Select the NetScalers to provide remote access.

If multiple appliances are selected, select a default appliance.

Select access.training.lab.

7. Click OK.

Propagating Settings to the StoreFront Server Group


A server group is a container for the StoreFront servers in the Site. The servers in the group each have a data file that
contains their settings. The end-user settings in the data file for each StoreFront must be synchronized with the other
StoreFront servers in the server group. In addition, you can force the propagation of administrative settings from the current
StoreFront server to the other servers in the group. Any configuration changes made on other servers in the group are
discarded. While running this task, you cannot make any further configuration changes until all the servers in the group have
been updated.

If you plan to make changes to StoreFront:


1. Make the administrative configuration changes from a single StoreFront server.
2. Propagate the administrative configuration changes to the other servers in the group.



To Propagate the StoreFront Settings
1. Log on to a StoreFront server using domain administrator credentials.
Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.

2. Click Start, type StoreFront, and then click Citrix StoreFront.


3. Click Server Group in the left pane of the StoreFront console.
4. Click Propagate Changes in the right pane and then click Yes.
5. Verify that the propagation completed successfully and then click OK.

Discussion Question
John is changing the configuration settings on StoreFrontServer-1. Kelly is changing the configuration settings on
StoreFrontServer-2. John selects Propagate Changes. What happens?

Configuring ICA Proxy


ICA proxy allows multiple end users in the external network to access multiple resources in the internal network via a single
IP address and port configured on the external interface of the firewall. This requires fewer configured openings on the
firewall, which provides a more secure environment.

ICA proxy communications include:


1. The end user browses to the NetScaler URL. NetScaler optionally runs an endpoint analysis scan before authentication. If
the scan is successful, NetScaler presents the authentication page to the end user.
2. The end user authenticates to NetScaler. The NetScaler then sends an LDAP query to the domain controller.
3. If authentication is successful, the credentials are forwarded to StoreFront, which passes the results to the Controller.
4. The Controller queries the database and returns a list of all resources for the end user and then forwards that list to the
StoreFront. StoreFront converts the list into icons and passes them to the end user via the NetScaler.
5. The end user clicks a resource in the store and the request is sent to StoreFront. StoreFront forwards the request to the
Controller to be load balanced. The Controller makes a load balancing decision and forwards back to StoreFront the
selected resource. StoreFront converts the selected resource into an HDX (ICA) file and then forwards the HDX (ICA)
file to the STA and retrieves a session ticket.
6. StoreFront generates an HDX (ICA) file that includes a session ticket generated by the Secure Ticket Authority (STA) on
the Controller. The new HDX (ICA) file is delivered to the end user via the NetScaler.



7. The Receiver on the endpoint processes the HDX (ICA) file and presents the HDX (ICA) session ticket to NetScaler.
NetScaler validates the ticket. If the ticket is valid, the STA responds with the IP address of the load-balanced object.
8. The NetScaler then creates a proxy from the external network into the internal network. NetScaler establishes a
connection between the Receiver on the endpoint and the load-balanced object.

To Configure the NetScaler for ICA Proxy


1. Log on to a system using domain administrator credentials.
Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.

2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.

3. Log on to the first NetScaler using the NetScaler credentials.


Log on to NetScaler-1 using the nsroot and Password1 credentials.

4. Click NetScaler Gateway > Policies > Session in the left pane and then click the Sessions Profiles tab on the right.
5. Select the 192.168.10.50_443 Session Profile and then click Edit.
Select 192.168.10.50_443 Session Profile and then click Edit.

6. Type the URL for the Receiver for Web site using the FQDN of the StoreFront load balancing virtual server in the Web
Interface Address field.
Check the box to Override Global under the Published Applications tab and then type
https://sf.training.lab/Citrix/Store-1Web in the Web Interface Address field.

This is the load balancing virtual server for StoreFront on the NetScaler. If sf.training.lab fails to resolve, use
the IP address of 192.168.10.51 instead.

7. Type the domain name in the Single Sign-on Domain field.


Check the box to Override Global then type Training in the Single Sign-on Domain field and then click OK.

8. Click NetScaler Gateway > Virtual Servers in the left pane, click the access_training_lab virtual server on the right then
click Edit.
9. Click the Published Applications node on the right.
10. Click No STA Server under Published Applications on the left.
11. Type the URL to the Secure Ticket Authority on the first Controller and then click Bind.
Type https://c-1.training.lab in the Secure Ticket Authority Server field, select IPV4 as the Secure Ticket Authority
Server Address Type and then click Bind.

The STAs specified on the NetScaler Gateway must be identical to the ones specified in StoreFront. If you
remove an STA in the future from StoreFront, then it must be removed from NetScaler Gateway. The same
goes for adding new STAs.

12. Click 1 STA Server, then click Add binding.


13. Type the URL to the Secure Ticket Authority on the second Controller and then click Bind.
Type https://c-2.training.lab in the Secure Ticket Authority Server field, select IPV4 as the Secure Ticket Authority
Server Address Type and then click Bind, then click Close.

The STAs specified on the NetScaler Gateway must be identical to the ones specified in StoreFront. If you
remove an STA in the future from StoreFront, then it must be removed from NetScaler Gateway. The same
goes for adding new STAs.

14. Click on 2 STA Servers under Published Applications to view the STAs.



If both Delivery Controllers are running, both STAs should be UP. If the STAs are in a DOWN state, power
on the server or recreate the STA. Deselecting an STA and clicking OK will delete the STA.

15. Click Done to close the VPN Virtual Server window.


16. Click the diskette in the upper-right area of the Configuration utility and then click Yes to save the configuration.
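A check for the requirement that the STAs bound on NetScaler Gateway be identical to the ones listed in StoreFront, as an added Python example that is not part of the course material. The saved-configuration excerpt, the session policy name in it, and the StoreFront list are constructed; the excerpt deliberately carries one http entry to show a mismatch.

```python
# Added illustration: compare the STA list bound to a NetScaler Gateway
# virtual server with the STA list configured in StoreFront.
import shlex
from urllib.parse import urlsplit

STA_PATH = "/scripts/ctxsta.dll"  # StoreFront appends this path to each STA URL


def normalize_sta(url):
    """Reduce an STA URL to scheme://host so both sides compare equal."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/")
    if path.lower() == STA_PATH:
        path = ""
    return "{}://{}{}".format(parts.scheme.lower(), parts.netloc.lower(), path)


def gateway_stas(ns_conf_text, vserver):
    """Collect -staServer values bound to the named vpn vserver."""
    stas = []
    for line in ns_conf_text.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # skip lines with unbalanced quotes
        if tokens[:4] != ["bind", "vpn", "vserver", vserver]:
            continue
        if "-staServer" in tokens:
            idx = tokens.index("-staServer")
            if idx + 1 < len(tokens):
                stas.append(tokens[idx + 1])
    return stas


def compare_stas(storefront_urls, gateway_urls):
    """Report STAs present on one side only, and any entry not using https."""
    sf = {normalize_sta(u) for u in storefront_urls}
    gw = {normalize_sta(u) for u in gateway_urls}
    return {
        "only_on_storefront": sorted(sf - gw),
        "only_on_gateway": sorted(gw - sf),
        "not_https": sorted(u for u in sf | gw if not u.startswith("https://")),
    }


# Constructed excerpt of a saved NetScaler configuration (not lab output).
NS_CONF_SAMPLE = '''
bind vpn vserver access_training_lab -staServer "https://c-1.training.lab"
bind vpn vserver access_training_lab -staServer "http://c-2.training.lab"
bind vpn vserver access_training_lab -policy example_session_policy -priority 100
'''

# Constructed StoreFront STA list, in the form StoreFront stores it.
STOREFRONT_STAS = [
    "https://c-1.training.lab/scripts/ctxsta.dll",
    "https://c-2.training.lab/scripts/ctxsta.dll",
]

if __name__ == "__main__":
    bound = gateway_stas(NS_CONF_SAMPLE, "access_training_lab")
    for key, values in compare_stas(STOREFRONT_STAS, bound).items():
        print(key, values)
```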

Discussion Question
Why might you implement ICA proxy instead of a VPN?

Configuring Pre-Authentication Policies


NetScaler can run pre-authentication policies and post-authentication policies (session policies). With both types of policies,
NetScaler makes decisions about the connection based on the results of a scan of the endpoint.
NetScaler performs the following basic steps using pre-authentication policies:
1. Examines an initial set of information about the endpoint to determine which scans to apply.
2. Runs all applicable scans.
3. Compares property values detected on the endpoint with desired property values listed in your configured pre-
authentication policies.
4. Produces an output verifying whether or not the desired property values are found.
When end users try to connect, NetScaler checks the endpoint for the requirements specified within all pre-authentication
policies. If the endpoint passes the pre-authentication policy scans, end users are allowed to log on and the post
authentication policy scans are run. If the pre-authentication policy scans fail, end users can be denied access or redirected to
another logon page. For example, you can set up a pre-authentication policy to determine if the endpoint has a particular
registry entry. If the endpoint passes the test, the end user is allowed to log on using their domain credentials. If the endpoint
fails the test, the end user can be required to log on using a two-factor authentication method.

Pre-authentication policy scans complete before the end-user's session uses a license.

For more information about NetScaler High Availability with hands-on experience, contact your class provider and
schedule the CNS-207 course.

Enabling XML Service Trust


If you intend to use SmartAccess endpoint analysis, pass-through authentication, or smart card authentication with XenApp
and XenDesktop, you must configure XenApp and XenDesktop to trust XML Services.

Configuring NetScaler for Email-Based Account Discovery


You can configure NetScaler Gateway to accept connections from internal end-users that use an email address to discover the
StoreFront URL. To allow internal end users to connect to their desktops and applications with an email address, you need to
add the StoreFront URL to NetScaler.

To Configure NetScaler for Email-Based Account Discovery


You already completed this task in the lab environment when you configured ICA proxy in an earlier task. You do
not need to complete this procedure in the lab environment.

1. Log on to a system using domain administrator credentials.



2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
3. Log on to the NetScaler Configuration utility with the NetScaler credentials.
4. Expand NetScaler Gateway and then click the Global Settings node.
5. Click Change global settings under Settings and then click the Published Applications tab.
6. Type the Store URL in the Account Services Address on the Published Applications tab and then click OK.

If NetScaler is being used to load balance the StoreFront servers, you should specify the URL of the load
balancing virtual server for the StoreFront servers. For example: https://sf.training.lab/Citrix/Store-1Web.

Testing Access through NetScaler


The NetScaler is now configured for:
• High availability
• Load balancing of StoreFront servers
• HTTP redirect for both NetScaler and StoreFront
• Pre-authentication endpoint analysis
• ICA proxy access to internal resources for remote end users.
You will need to validate that end-users can access the environment as configured.

To Test External Access to the Environment


You need to validate that end users on an external endpoint can access resources in the environment. You must
use a non-domain joined system to test this access. You can also use this test to verify that http redirect is working
for the NetScaler and that a remote end user that is not a member of the Remote Access group cannot access
resources remotely.

1. Log on to an external endpoint using local user credentials.


Log on to Endpoint-External using the ExternalUser and Password1 credentials.



If Endpoint-External is not started, double-click the VM in XenCenter to start it.
Important: In the lab environment, you used the internal Certificate Authority to simulate a trusted third-
party Certificate Authority. Because Endpoint-External is not joined to the domain, it does not trust the root
certificate of the internal Certificate Authority that signed the certificate bound to the StoreFront load
balancing virtual server on the NetScaler.
Before you can test external access to resources, you must configure the Endpoint-External VM to trust the
root certificate of the internal Certificate Authority. This task would not be necessary in an environment
where a third-party Certificate Authority were used to provide the NetScaler certificates. To configure the
Endpoint-External VM to trust the root certificate of the internal Certificate Authority:
a. Click Desktop.
b. If the Windows Update window appears, click Close.
c. Click Internet Explorer in the taskbar of Endpoint-External.
d. Type http://ad.training.lab/certsrv and then press Enter.
e. Type TRAINING\Administrator in the User name field, Password1 in the Password field, and then
click OK.
f. Click Download a CA certificate, certificate chain, or CRL.
g. Click Download CA certificate and then click Open.
h. Click Open and then click Install Certificate.
i. Select Local Machine, click Next, and then click Yes.
j. Select Place all certificates in the following store.
k. Click Browse, select Trusted Root Certification Authorities, and then click OK.
l. Click Next, click Finish, and then click OK.
m. Close Internet Explorer and then click OK in the Certificate window.

2. Open a browser to test external access to the resources in the environment.


Click Internet Explorer in the taskbar of Endpoint-External.

3. Click the Tools icon on the top right.


4. Click Compatibility View Settings.
5. Type training.lab in the Add this website field.
6. Click Add and then click Close.
7. Type the URL for the NetScaler and then press Enter.
Type http://access.training.lab and then press Enter.

Remote end users will use this URL or https://access.training.lab to access Store-1 using the Receiver for Web
site.

8. Verify https now appears in the URL bar even though you originally typed http.

This proves that http is being redirected to https.

9. Verify that the Log On page is displayed.

At this point, the Log On page being displayed is the Log On page for the NetScaler.



If the Log On page is not displayed, then perform the following:
a. Click Download on the Checking System Configuration on your device screen and then click Run. (A
security scan may run for about a minute).
b. Click Yes on the User Account Control window if it appears.
c. Click Run, respond affirmatively to any security prompts, and then click Install. (If needed, click
Run control).
d. Wait for the installation to complete, click Finish, and then click Yes to run the scan. (If Internet
Explorer encounters an Internal Error Message, then click Back in the browser and then click Yes to
perform the scan again).

10. Log on to the Web site using domain user credentials.


Log on to the Web site using the AcctUser1 and Password1 credentials.

11. If Receiver is not installed, select I agree with the Citrix license agreement, and then click Install.
12. Click Run.
13. Click Yes on the User Account Control window.
14. Click Install.
15. Click Finish.
16. Click Allow three times.
17. Verify that resources are available to the end user.

If resources were previously added for the end user, resources will appear in the Citrix Receiver window. If
both applications and desktops have been added, tabs will be available at the bottom of the Citrix Receiver
window. If no applications or desktops have been added for the end user, a plus sign will appear on the left
side of Citrix Receiver.

18. Verify that a resource launches successfully for the remote end user.
Click Win8 Desktop, click Allow, and then verify that it starts.

19. Close the resource and then log off of Citrix Receiver.
Click AcctUser1 in the Win8 Desktop and choose Sign out. Click the arrow to the right of AcctUser1 in Citrix
Receiver, and then click Log Off.

20. Close Internet Explorer.


21. Open a browser to verify that end users that are not part of the Remote Access group in Active Directory cannot log on
remotely to access resources.
Click Internet Explorer in the taskbar of Endpoint-External.

22. Type the URL for the NetScaler and then press Enter.
Type https://access.training.lab and then press Enter.

23. Verify that the Welcome screen is displayed.

At this point, the Log On page being displayed is the Log On page for the NetScaler.

If the Welcome screen is not displayed, perform the following:


• Click OK in the Security Alert window.
• Click Yes to run the Security Scan.

24. Log on to the Web site using domain user credentials for a user not in the Remote Access group.
Log on to the Web site using the HDUser2 and Password1 credentials.



Recall that TRAINING\HDUser2 was not added to the Remote Access group.

25. Verify that the user is denied access to resources because they are not a member of the Remote Access group.
26. Close Internet Explorer.



851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA (954) 267 3000 www.citrix.com
Rheinweg 9 8200 Schaffhausen Switzerland +41 (0) 52 63577 00 www.citrix.com
