XenApp/XenDesktop 7.15
Discussion Question
Connecting the Management Console to the Hypervisor
To Connect XenCenter to the XenServer Host
Discussion Question
Configuring the Hypervisor
Configuring the Virtual Networks
To Configure an External Network
Discussion Question
Creating a Resource Pool
To Create a New Resource Pool in XenServer
Discussion Question
Configuring an ISO Library
To Configure an ISO Library for XenServer
Discussion Question
Configuring Virtual Disk Storage
To Configure Virtual Disk Storage
Discussion Question
Applying Updates and Hotfixes
To Upload and Apply a XenServer Hotfix
Discussion Question
Creating Templates
Discussion Question
Creating the Virtual Machine
Troubleshooting Hypervisor Setup Issues
Troubleshooting: Managing and Monitoring Hypervisors
Installing the SQL Server Witness
Discussion Question
Configuring SQL Server Mirroring
To Configure SQL Server Mirroring
Discussion Question
Troubleshooting SQL Server Issues
Installing Anti-Virus Software
Discussion Question
Setting up the DMZ
Discussion Question
StoreFront Components
StoreFront Communication
Discussion Question
Installing Citrix StoreFront
To Install StoreFront
Discussion Question
Requesting and Installing a Certificate on StoreFront
To Create and Install a Certificate on StoreFront
Discussion Question
Creating and Configuring a Store
To Configure a Store
Discussion Question
To Configure Authentication Methods
Enabling End Users to Change Their Passwords
To Enable End Users to Change Their Passwords
Creating a Store for Unauthenticated (Anonymous) Users
To Create a Store for Anonymous User Access
Discussion Question
Managing Delivery Controllers
Setting Up a Second StoreFront Server
To Install a Second StoreFront Server
Discussion Question
StoreFront Management Console
Setting Up Receiver
Configuring DNS for Email-Based Account Discovery
To Configure a Service Location Locator Record for Email-based Account Discovery
Installing and Configuring Receiver
To Install and Configure Receiver
Discussion Question
Troubleshooting Receiver
Troubleshooting: Managing StoreFront
Reinforcement Exercise: Using the Receiver for Web Site
Securing Connections
To Create a Delivery Group to Provide Hosted Applications
Creating a Delivery Group for Anonymous User Access
To Create a Delivery Group for Anonymous User Access
Organizing Applications in Folders
To Organize Applications in Folders
To Create a Delivery Group to Provide Desktops
Discussion Question
Troubleshooting XenApp and XenDesktop Resource Issues
Troubleshooting: Managing Desktops and Applications
Reinforcement Exercise: Adding Machines and Delivery Groups
Module 7: Managing Printing Through Policies
Managing Printing
Overview
Print Management Process
Default Printing Behavior
Configuring Client Printing
Modifying Client Printer Auto-Creation
To Modify Client Printer Auto-Creation Behavior
Discussion Question
Adding Session Printers
To Add Session Printers
Managing Printer Drivers
Automatic Installation of In-Box Printer Drivers
To Configure the Automatic Installation of Printer Drivers
Configuring Printer Driver Mapping and Compatibility
To Configure Printer Driver Mapping and Compatibility
Universal Printer Driver
Controlling Universal Printing Behavior
Optimizing Print Job Routing
Optimizing Printing Performance
To Configure Printing Optimization
Discussion Question
Setting Up and Managing the Universal Print Server
To Set Up and Manage the Universal Print Server
Troubleshooting: Managing Printing
Reinforcement Exercise: Managing Printing
To Convert the Hard Drive of the Master Target Device to a vDisk
Discussion Question
To Create the Target Device Template
Setting the vDisk Mode
To Set the vDisk Mode
Discussion Question
Assigning a vDisk to a Target Device
To Assign a vDisk to a Target Device
Creating the Machine Catalog
To Create the Machine Catalog
Discussion Question
Creating the Delivery Group
To Create the Delivery Group
Discussion Question
To Update a vDisk
Promoting Updated Versions
To Promote Updated vDisk Versions
Discussion Question
VHD Chain of Differencing Disks
Merging VHD Differencing Disks
To Merge VHD Differencing Disks
Troubleshooting: Provisioning Services
Reinforcement Exercise: Creating BDM Target Devices
Module 9: Managing and Monitoring Sessions, Sites and End Users with Director
Managing and Monitoring Sessions, Sites, and End Users with Director
Overview
Director Overview
To Monitor an End-User Session
To Access Director
Monitoring within the Director Dashboard
Monitoring Infrastructure
To Monitor the Infrastructure
Monitoring Connected Sessions
To Monitor Connected Sessions
Monitoring Logon Duration Averages
To Monitor Logon Duration Averages
Monitoring Machine and End-User Connection Failures
Monitoring and Managing End-User Sessions
Viewing End-User Sessions
To View End-User Sessions
Searching for an End User
To Search for an End User
Monitoring End-User Applications
To Monitor End-User Applications
Monitoring End-User Machine Processes
To Monitor End-User Machine Processes
Managing an End User's Machine Power Status
To Manage an End User's Machine Power Status
Enabling or Disabling Maintenance Mode
To Enable or Disable Maintenance Mode
Resetting an End-User Profile
To Reset an End-User Profile
Discussion Question
Monitoring HDX Channels
To Monitor HDX Channels
Sending a Message to an End User
To Send a Message to an End User
Shadowing an End-User Session
To Shadow an End-User Session
Disconnecting an End-User Session
To Disconnect an End-User Session
Logging an End User Off
To Log an End User Off
Discussion Question
Monitoring Historical Trends
To Monitor Historical Trends
Troubleshooting: Managing Sites, Sessions, and End Users with Director
Reinforcement Exercise: Using Director
Citrix Hands-on Labs
What are Hands-on Labs?
Hands-on Labs from Citrix Education allows you to revisit, relearn, and master the lab exercises covered during the course.
This offer gives you 25 days of unlimited lab access to continue your learning experience outside of the classroom.
Claim introductory pricing of $500 for 25 days of access. Contact your Citrix Education representative or
purchase online here.
Practice outside of the classroom: You'll receive a fresh set of labs, giving you the opportunity to recreate and master each step in the lab exercises.
Test before implementing: Whether you're migrating to a new version of a product or discovered a product feature you previously didn’t know about, you can test it out in a safe sandbox environment before putting it into live production.
25 days of access: Get unlimited access to the labs for 25 days after you launch, giving you plenty of time to sharpen your skills.
Certification exam preparation: Get ready for your Citrix certification exam by practicing test materials covered by lab exercises.
Mark: Secure Computing®, SafeWord®; Owner: Secure Computing Corporation
Mark: Toolwire®; Owner: Toolwire
Other product and company names mentioned herein might be the service marks, trademarks or registered trademarks of
their respective owners in the United States and other countries.
Credits
Instructional Designer: John Spina, Karla Stagray, Neetu Arora
Subject Matter Expert: Jeff Apsley, Justin Apsley, Allen Furmanski, Dave Gunn, James Hsu, David Jimenez, Arnd Kagelmacher, Christopher Rudolph, Stacy Scott, Mark Simmons, Elisabeth Teixeira
Module 1
XenApp vs XenDesktop
XenApp and XenDesktop share a common architecture in which one or more Delivery Controllers broker user
connections to sessions. Users connect to XenApp and XenDesktop sessions using the Citrix HDX protocol (formerly known
as ICA).
Sessions are hosted on physical or virtual machines running the Citrix Virtual Delivery Agent (VDA). The VDA can be
installed on both Server OS and Desktop OS machines. The operating systems on which you can run the VDA and the types of
sessions supported depend on whether you bought XenApp or XenDesktop. The following table identifies the types of
machines and sessions available per product edition.
Desktop OS X X X
Machines
Server OS X X X X X
Hosted
Applications
Desktop OS X X X
Desktop
Desktop OS X X X X
Applications
User Layer
The user layer contains Citrix Receiver, regardless of whether the end user is connecting from an internal or external device.
Access Layer
The access layer contains the components that provide end-user access to the environment: Citrix NetScaler and StoreFront.
NetScaler provides secure access and intelligent load balancing for StoreFront, Delivery Controller, and other infrastructure
components.
Internal end-user devices connect from the user layer to the access layer using Citrix StoreFront.
In a Citrix-recommended implementation, external end-user devices connect first through Citrix NetScaler - and often a
firewall and perimeter network - and then through StoreFront to access resources.
Citrix StoreFront
Citrix StoreFront delivers a powerful, self-service Windows applications store to provide a single, simple, and consistent
aggregation point for all IT user services. Users may subscribe to applications, desktops, or data services from multiple devices
and have access to those services from all devices for a seamless and simple experience.
StoreFront requires 2 GB of memory. StoreFront 2.0 is the minimum version supported by XenApp and
XenDesktop. For more information about StoreFront requirements, see Citrix Support at
http://www.citrix.com/support.
Discussion Question
What type of solution are you using for external access?
Control Layer
The Control Layer is home for the various controllers and infrastructure components required for managing and delivering
virtual desktops and hosted applications. Within the control layer, decisions surrounding the management and maintenance
of the overall solution are addressed. The control layer comprises access controllers, delivery controllers, and
infrastructure controllers. Once an end-user connection moves past the access layer, Citrix StoreFront communicates with the
Delivery Controller in the control layer.
Delivery Controller
Installed on servers in the datacenter, the Delivery Controller consists of services that communicate with the hypervisor to
distribute applications and desktops, authenticate and manage end-user access, and broker connections between end users and
their virtual desktops and applications. The Controller manages the state of the desktops, starting and stopping them based on
demand and administrative configuration. Each site has one or more delivery controllers.
Supported operating systems for the Delivery Controller include:
XenApp and XenDesktop require PVS version 7.0 or later. Provisioning Services for Server OS is included with
XenApp and XenDesktop Enterprise and Platinum editions. Provisioning Services for Desktop OS is included with
XenDesktop VDI (not including physical desktops), Enterprise and Platinum editions.
Resource Layer
The resource layer contains the end user's virtual desktop and applications and is subdivided into three components:
applications, operating system image, and personalization. The personalization component contains the user profile, policies,
and personal vDisk.
Applications
You can install applications on Server OS or Desktop OS machines in your XenApp and XenDesktop environment. Once
installed, these applications can be made available and delivered to end users.
Hosted Applications
With the Hosted Applications model, end users may not be provided with a virtual desktop; instead Windows applications are
centralized in the datacenter and instantly delivered through a multi-channel protocol. Hosted applications can be provided to
connected end users or configured to use Microsoft App-V technology to stream to end users for offline use. The Citrix
version of application streaming is not supported in XenDesktop 7.6.
Discussion Question
How can end users access hosted applications?
With the Local Application Access model, end users are provided with a Server OS machine or Desktop OS machine
delivered full screen. The end user has locally installed applications on the endpoint that they want to use within their virtual
desktop. Local Application Access allows you to make those locally installed applications available on the virtual desktop and
in the Start menu even when the desktop is running in locked-down full-screen mode. When the end user launches a local
application in the virtual desktop, the application window appears in the desktop session window even though it is actually
running on the endpoint. This is ideal for use-cases where desktops are being delivered full-screen and end users want to
simultaneously work with local applications like iTunes, CD burning software, video conferencing software, games, and more.
To use Local Application Access, Citrix Receiver must be installed. Local Application Access is enabled by default in Citrix
Receiver. In addition, you must enable Local Application Access using the Allow Local App Access (HDX) policy and apply it
to the Server OS and Desktop OS machines. Local Application Access is disabled by default in XenApp and XenDesktop.
Once enabled, you must deliver the local applications using a Delivery Group in Studio.
Discussion Question
What is an advantage of providing Local Application Access to end users rather than installing the applications on the virtual
desktop?
A Server OS machine was formerly known as a published desktop in Citrix XenApp 6.5. With the Server OS machine model,
multiple desktop sessions are hosted on a single server-based operating system. The Server OS machine model provides a
low-cost, high-density solution. Applications must be compatible with a server-based operating system. In addition, because
multiple users are sharing a single operating system, end users are restricted from performing actions which may negatively
affect other end users, for example installing applications, changing system settings, and restarting the operating system.
Discussion Question
How can end users access Server OS machines?
With the Desktop OS machine model, each end user is provided with a full desktop operating system, which provides
administrators with a granular level of control over the number of virtual processors and memory assigned to each desktop.
Desktop OS machines can be delivered as:
• Random Desktops, which are based on a single master image and provisioned using Citrix Machine Creation Services or
Citrix Provisioning Services. End users are dynamically connected to one of the desktops in the pool each time they log
on. Changes to the desktop image are lost when the machine is restarted.
Desktop OS machines are delivered on a first-come, first served basis. An end user may get a different desktop
each time they log on.
• Static Desktops, which are based on a single master image and provisioned using Citrix Machine Creation Services or
Citrix Provisioning Services. End users are administratively assigned a virtual desktop or are allocated a virtual desktop
on first access. Once assigned, end users will always be connected to the same virtual desktop. Changes to the desktop
image are lost when the machine is restarted unless persistent write cache or Personal vDisk is implemented. If high
availability/persistence of the end user's desktop personalization settings is required, use Static with Personal vDisk
Desktops.
• Static with Personal vDisk Desktops are based on a single master image and provisioned using Citrix Machine Creation
Services (MCS) or Provisioning Services (PVS). End users are administratively assigned a virtual desktop or are allocated
a virtual desktop on first access. Once assigned, end users will always be connected to the same virtual desktop. Changes
to the desktop are stored on a Personal vDisk and retained between restarts. Desktops with a Personal vDisk cannot be
shared between multiple end users; each end user requires their own desktop. If high availability/persistence of the end
user's desktop personalization settings is required, the Personal vDisk must be stored on shared storage.
• Existing refers to virtual desktops created from a manual build, a hypervisor template, cloning, or third-party tools. They
are not created using Citrix Machine Creation Services (MCS) or Citrix Provisioning Services (PVS). These desktops must
be managed manually with third-party desktop management tools.
Remote PC Access
With Remote PC Access, end users are provided access to their physical workplace computers or laptops remotely using the
Citrix HDX protocol. This allows businesses to quickly benefit from a flexible work style without implementing virtual
desktops. Remote PC Access can be used as a stepping stone towards a full XenDesktop virtualization implementation. When
a company is ready, an established Remote PC Access environment can be converted to a full XenDesktop virtualization
infrastructure. Specialized physical computers such as CAD workstations, video editors, and high-security devices that need
physical FOBs for licensing and classified content are perfect candidates for Remote PC Access.
Discussion Question
What do you need to install on the endpoint to enable Remote PC Access?
What do you need to install on the office PC to enable Remote PC Access?
What do you need to configure for the Delivery Controller to enable Remote PC Access?
With the Streamed VHD model, Provisioning Services provides desktop workloads based on a master image (either shared or
private) for each hardware type. In shared mode, changes to desktops are lost upon startup.
The Streamed VHD model allows any desktop workload to be run locally on the endpoint hardware. Streamed VHD is a
great solution for high-end hardware because it allows an existing corporate investment in high-end hardware to be used as
an asset in the XenDesktop environment. Streamed VHD requires a LAN connection between the desktop and the server
running Provisioning Services. The Provisioning Services server can be physical or virtual. If you only have one Provisioning
Services server, make it a physical Provisioning Services server. If all end user hardware is similar, then you can use a
common VHD. Each VHD must be customized to match the hardware of the endpoint.
Discussion Question
The Streamed VHD model allows you to use the computing power of the endpoint while still using desktop virtualization. In
order to use this computing power, what must the desktop image contain?
Personal vDisk
With the personal vDisk feature, you can manage pooled and streamed desktops from a single image while offering end users
the flexibility to install applications and change personal settings. This feature is available on XenDesktop only.
Unlike traditional Virtual Desktop Infrastructure (VDI) deployments involving pooled desktops, where end users lose their
customizations and personal applications when the administrator alters the base virtual machine, deployments using personal
vDisks retain those changes. This means administrators can easily and centrally manage their base virtual machines while
providing end users with a customized and personalized desktop experience.
Personal vDisks provide this separation by redirecting all changes made on the end user's virtual machine to a separate disk -
the personal vDisk - attached to the end user's virtual machine. The content of the personal vDisk is blended at runtime with
the content from the base virtual machine to provide a unified experience. In this way, end users can still access applications
provisioned by their administrator in the base virtual machine.
Personal vDisks have two parts, which use different drive letters and are by default equally sized. The first part comprises
C:\Users, which contains the end user's data, documents, and profile. By default this uses drive P: but you can choose a
different drive letter when you use Studio to create a catalog with personal vDisks. The second part is comprised of a Virtual
Hard Disk (.vhd) file, which contains all other user items, for example applications that are installed in C:\Program Files.
Management Layer
The management layer contains all of the consoles and utilities used to configure and manage the XenApp and XenDesktop
components.
• Studio
• Director
• StoreFront Console
• Provisioning Services Console
• Hypervisor console
• License Administration Console
• Optional third-party consoles
Citrix Director
Citrix Director is a web-based tool that enables IT support and Help Desk teams to monitor a XenApp and XenDesktop
environment, troubleshoot issues before they become system critical, and perform support tasks for end users.
Supported operating systems for Director include:
• Windows Server 2012 R2, Standard and Datacenter Editions.
• Windows Server 2012, Standard and Datacenter Editions.
• Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions.
Requirements for Director include:
• 50 MB of disk space.
• Microsoft .NET Framework 4.0.
• Microsoft Internet Information Services (IIS) 7.0 and ASP.NET 2.0. If these are not already installed, you are prompted
for the Windows Server installation media, then they are installed for you.
Supported browsers for viewing Director include:
• Internet Explorer 9 and 10
• Firefox
• Chrome
Discussion Question
The Delivery Controller, Studio, and Director can be installed on which operating systems?
Which tools does your organization use (or plan to use) for monitoring your XenApp and XenDesktop environment?
Hardware Layer
The Hardware Layer is responsible for the physical devices required to support the entire solution, including servers and
storage devices. A key component of the Hardware Layer is the hypervisor.
Discussion Question
What are the benefits of hosting virtual machines within a hypervisor as opposed to physical machines? What hypervisor does
your organization use?
Ports
The following is a summary of the ports used by the components we have discussed throughout this module.
Infrastructure Components
A XenApp and XenDesktop implementation is only as good as the configuration of the infrastructure components on which
it is built. It is important that anyone tasked with deploying XenApp and XenDesktop in an environment understand the
purpose of each component in that infrastructure as it relates to XenApp and XenDesktop and understand how the
configuration of the infrastructure components affects the XenApp and XenDesktop implementation.
During this course, you will build an environment, similar to that shown in the following graphic, to produce a
pilot implementation of XenApp and XenDesktop for the Children's Charitable Hospital (Training). The pilot
implementation will configure hosted applications, Server OS machines, and Desktop OS machines for the
Accounting, Human Resources, and IT departments at the hospital. To accomplish this, you must set up not only
the Citrix components and resources, but configure the infrastructure that will support the deployment.
The following infrastructure components play a key role in the XenApp or XenDesktop solution:
• (Optional) Key Management Services (KMS) License Server: The KMS License Server provides a way to automatically
activate volume license editions of Microsoft products removing the need for end users to provide licensing
information or to connect to a Microsoft activation server. This is important in a XenApp and XenDesktop environment
because desktops are provisioned on demand. A KMS Client License is embedded in Microsoft products.
• Print Server: A print server is a server that accepts print jobs from networked computers for one or more printers.
In addition, it queues the print job and sends it to the correct print device in the network. This enables multiple
computers to use a printer and eliminates the need for each computer to have a printer physically attached to it. To
ensure that the print server function is highly available in your XenApp and XenDesktop solution, you should configure
at least two print servers in a cluster.
• Demilitarized Zone (DMZ) or Perimeter Network: The DMZ is an area between two firewalls, one firewall protects the
internal network and the other firewall protects the DMZ from the external network. Some XenApp and XenDesktop
components are located in the DMZ and others are located in the internal network.
This course will take you through the steps required to set up a basic infrastructure to host a XenApp and
XenDesktop implementation. To ensure the security and the performance of your implementation, follow
Microsoft guidelines, your corporate guidelines, your customized XenApp and XenDesktop Design document, and
the advice of a security professional before rolling your implementation out to a production environment.
Discussion Question
In the lab environment, you will use a single firewall that places the internal, DMZ, and external networks on different
network interfaces. This configuration is not optimal for a production environment. What are some weaknesses of this
solution and how might you improve the security?
Definition Matching
Match each of the following terms with its correct description.
Time to complete: Approximately 5 minutes
• Citrix Receiver
• Citrix NetScaler
• Hypervisor
• Personal vDisk
• Citrix StoreFront
• Delivery Controller
Term Description
• Citrix Director
• Citrix Profile management
• Machine Creation Services
• Citrix Provisioning Services
• Citrix Studio
• Virtual Delivery Agent
Term Description
• Citrix Studio
• Citrix Receiver
• Citrix Provisioning Services
• Machine Creation Services
• Personal vDisk
• Virtual Delivery Agent
• Hypervisor
Term Description
Hypervisor Considerations and Setup
Overview
A hypervisor allows multiple operating systems to run as virtual machines (VMs) on a single physical host. A hypervisor is
installed on a host computer that is dedicated entirely to the task of running the hypervisor and hosting VMs. It works by
allocating the resources of the host computer to the VMs running on it. The management console used to manage the
hypervisor can be installed on any system with a supported operating system. The management console allows you to create
VMs, take VM disk snapshots, and manage VM workloads.
Using a hypervisor rather than installing XenApp and XenDesktop components directly on physical hardware limits your
exposure to hardware failure and reduces the cost of deploying the solution. This cost reduction is the result of reduced
power consumption, increased utilization of existing hardware, fewer required servers, and decreased space and cooling
requirements. In addition, management becomes streamlined and efficient because you are managing the pool as a single unit
rather than managing each system separately.
The hypervisor should be the first component configured in the environment so that most or all of the components in the
environment can be virtualized.
XenApp and XenDesktop can be used with Microsoft Hyper-V, Citrix XenServer, or VMware vSphere. Citrix
XenServer will be the virtualization platform used during this course, but any of the supported hypervisors could
have been used.
To Install XenServer
XenServer is pre-installed in the lab environment. To experience installing XenServer to support a XenApp and
XenDesktop implementation, we have provided an Installing XenServer exercise below. Click the following link
and use the steps in this course to complete the exercise:
• Installing XenServer Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.
1. Insert the XenServer installation media in the drive of the computer and start the installation program.
Proceed to the next step since this has been completed within the simulation.
2. Select the Keymap layout for the installation and then press Enter.
Verify that [qwerty] us is highlighted, press the spacebar, and then press Enter twice.
If the server does not have Hardware Assist enabled in the BIOS, an error message will appear after you accept
the EULA. You can continue with the installation, but XenServer will have limited functionality until
Hardware Assist is enabled.
5. Specify the storage to use, whether the storage should be optimized for XenApp and XenDesktop, and then press Enter.
Thin Provisioning optimizes the utilization of available storage for XenApp and XenDesktop end users and
enables local caching to work properly.
Select Local media if you are installing XenServer from a CD. Select HTTP, FTP, or NFS if you are installing
XenServer using PXE. When Local media is selected, the installer will check the repository.
This step is only displayed if you selected Local media during the previous step. If you selected HTTP, FTP, or
NFS, you must configure networking so that the installer can connect to the XenServer installation media files
on the network.
8. Determine if the integrity of the installation media should be verified before beginning the installation and then press
Enter.
Press the Up arrow key to select Skip verification and then press Enter twice.
If you select Verify installation source, the MD5 checksum of the package is calculated and checked against the
known value. Verification may take a few minutes.
10. Specify how networking should be configured, set up the primary management interface, and then press Enter.
You can get an IP address automatically using Automatic configuration (DHCP) or specify it yourself using
Static configuration.
a. Press the Down arrow key to highlight Static configuration and then press the spacebar.
b. Press the Down arrow key to move to the IP Address field, type 192.168.10.24, and then press Enter.
c. Type 255.255.255.0 in the Subnet mask field and then press Enter.
d. Type 192.168.10.1 in the Gateway field and then press Enter.
e. Press the Down arrow key and then press Enter.
11. Specify the host name and DNS configuration and then press Enter.
To be part of a pool, XenServer hosts must have static IP addresses or be DNS addressable. When using
DHCP, ensure that a static DHCP reservation policy is in place. If you want to manually specify the host
name, use a short host name and not the fully qualified domain name (FQDN). Typing an FQDN may cause
external authentication to fail. At least one DNS server address must be specified. Adding a second and third
DNS address will ensure that XenServer can find other machines on the network based on their names if the
first DNS server is unavailable.
12. Select the geographical area and then press Enter.
Press the Down arrow key to select America for the time zone and then press Enter twice.
14. Specify how you would like the server to determine local time and then press Enter.
Press the Down arrow key to select Manual time entry for the system time and then press Enter twice.
NTP (Network Time Protocol) requires an NTP server on the network. If you select Using NTP, you must
provide the address of the NTP server in your network. If your network does not have an NTP server, you
should select Manual time entry.
15. Press the Left arrow key to select Install XenServer and then press Enter.
16. Set the local time and date and then press Enter.
Press the Down arrow key to select OK and then press Enter to accept the default settings for the local time and date.
17. Press Enter when the installation completes to restart the server.
Discussion Question
What is the minimum number of physical computers required for a redundant XenServer implementation?
The management console is a GUI that allows you to see multiple settings at once. It should be used for daily maintenance
tasks and for tasks that are performed on an as-needed basis. Tasks that must be repeated on a regular basis should be
scripted to use the command-line interface instead of the management console for the hypervisor. For example, you can
create a script that takes a snapshot of a live running machine and then exports it as a backup. You can then run the script as
a scheduled task to create regular backups of a machine without shutting it down. Scripting is enabled by the XE command-
line interpreter, which is installed wherever you install the XenCenter management console. For a comprehensive list of
commands that can be used for scripting, see Appendix A in the XenServer Administrator's Guide, which is available from
http://docs.citrix.com.
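The scheduled snapshot-and-export backup described above could be scripted as follows. This is an added example, not part of the course material; it assumes it runs where the xe CLI can reach the pool (for instance on the XenServer host itself), and backup_vm, xe_cmd, XE_REMOTE_ARGS, the VM name and the backup directory are names chosen for this example.

```shell
#!/bin/sh
# Added example: hot backup of one VM with the xe CLI (snapshot, export, clean up).
# Assumes xe can reach the pool, e.g. when run on the XenServer host itself.
# backup_vm, xe_cmd and XE_REMOTE_ARGS are names made up for this example.

# For a remote xe client, pass connection options here, for example
#   XE_REMOTE_ARGS="-s <host> -u <user> -pwf <password file>"
# -pwf reads the password from a file, so it never appears in the process
# list or in the scheduled-task definition (unlike -pw).
XE_REMOTE_ARGS="${XE_REMOTE_ARGS:-}"

xe_cmd() {
    # Intentionally unquoted so the optional connection options split into words.
    xe $XE_REMOTE_ARGS "$@"
}

# backup_vm <vm-name-label> <backup-dir>
# Prints the path of the exported .xva on success; returns non-zero on failure.
backup_vm() {
    bk_name="$1"
    bk_dir="$2"

    # The name-label becomes part of a file name: allow only safe characters.
    case "$bk_name" in
        ""|*[!A-Za-z0-9._-]*)
            echo "backup_vm: unsafe or empty VM name" >&2; return 2 ;;
    esac
    [ -d "$bk_dir" ] || { echo "backup_vm: no such directory: $bk_dir" >&2; return 2; }

    # Resolve the name-label to exactly one UUID (--minimal joins matches with commas).
    bk_vm=$(xe_cmd vm-list name-label="$bk_name" params=uuid --minimal) || return 1
    case "$bk_vm" in
        "")  echo "backup_vm: VM not found: $bk_name" >&2; return 1 ;;
        *,*) echo "backup_vm: name matches several VMs: $bk_name" >&2; return 1 ;;
    esac

    bk_stamp=$(date +%Y%m%d-%H%M%S)
    bk_out="$bk_dir/$bk_name-$bk_stamp.xva"
    # Never overwrite (or later delete) an existing backup with the same name.
    [ ! -e "$bk_out" ] || { echo "backup_vm: $bk_out already exists" >&2; return 1; }

    # Snapshot the running VM; the VM itself is not shut down.
    bk_snap=$(xe_cmd vm-snapshot uuid="$bk_vm" \
        new-name-label="$bk_name-backup-$bk_stamp") || return 1

    bk_rc=0
    (
        # The export holds the VM's full disk contents: owner-only permissions.
        umask 077
        # A snapshot is stored as a template; clear the flag so it exports as a VM.
        xe_cmd template-param-set is-a-template=false uuid="$bk_snap" >&2 &&
        xe_cmd vm-export vm="$bk_snap" filename="$bk_out" >&2 &&
        # Record a digest so a later restore can detect a damaged or altered file.
        sha256sum "$bk_out" > "$bk_out.sha256"
    ) || bk_rc=1

    # Remove the temporary snapshot whether or not the export worked.
    xe_cmd vm-uninstall uuid="$bk_snap" force=true >&2 ||
        echo "backup_vm: warning: snapshot $bk_snap was not removed" >&2

    if [ "$bk_rc" -ne 0 ]; then
        rm -f "$bk_out" "$bk_out.sha256"
        echo "backup_vm: backup of $bk_name failed" >&2
        return 1
    fi
    echo "$bk_out"
}

# Entry point for a scheduled task, e.g. cron:  vm-backup.sh <vm-name> <backup-dir>
if [ "$#" -ge 2 ]; then
    backup_vm "$1" "$2"
fi
```

An exported .xva contains the complete disk contents of the VM, so the backup directory needs the same access control as the VM's own storage.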
To Install XenCenter
You can install XenCenter on any computer that has access to the servers running the XenServer hypervisor and has
Microsoft .NET Framework 3.5.1 installed on it. In this exercise, you will install XenCenter on a Windows 8.1 system called
MyLaptop.
XenCenter is pre-installed in the lab environment. To experience installing XenCenter to support a XenApp and
XenDesktop implementation, we have provided an Installing XenCenter exercise below. Click the following link
and use the steps in this course to complete the exercise:
• Installing XenCenter Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.
1. Insert the XenServer installation media in the drive of the computer that has Microsoft .NET 3.5.1 installed on it and
start the installation program.
Proceed to the next step.
Discussion Question
Why should you secure the XenCenter management console for your hypervisor? How can you secure the management
console?
5. Press Tab and then type the user name for the administrator account on the server.
Proceed to the next step to accept the default user name.
6. Press Tab and then type the password for the administrator account.
Type Password1 in the Password field and then press Enter.
7. Click Add.
The XenServer environment will appear in the console and storage is automatically configured on the local
disk of the host. If XenServer is installed on additional servers, you can add them to the XenCenter console
using these steps.
NIC bonding is another network task that can be performed at the physical layer of the network. It combines one or more
NICs connected to the same physical network.
3. Select the XenServer host in XenCenter to which you want to add a network.
Verify that xs1 is highlighted in the left column under XenCenter.
XenServer automatically manages NICs as needed based on the related network, virtual interface, server
network, and bond configuration. You can view the available NICs, configure NIC bonds, and dedicate NICs
to a specific function from the NICs tab.
7. Specify the name of the new network and then click Next.
Type Network2 in the Name field, press Enter, and then click Next.
Discussion Question
A database application has recently emerged from the pilot phase. After the rollout to the production environment, end users
began complaining about slow access to the database. What should the administrator do to address this issue?
There are two XenServer hosts available in XenCenter. You are going to create a pool so VMs running on
these hosts can be dynamically moved from one host to the other.
6. Select one or more servers to place in the new pool from the Additional members list.
All available XenServer hosts are listed. If a host is not listed, it may be because it does not satisfy one or more
of the pool joining requirements.
Discussion Question
What is required to implement a pool or cluster of hosts for a hypervisor environment?
3. Select the XenServer host to which you want to attach the new storage repository.
Verify that xs1 is selected.
4. Click New Storage in the XenCenter toolbar to open the New Storage Repository wizard.
5. Select the type of ISO library you want to create and then click Next.
Select Windows File Sharing (CIFS) and then click Next.
6. Type a name for the new storage repository in the Name field.
Type My-ISOs in the Name field and then press Enter.
Different credentials may be necessary if the host instance does not have the necessary rights to the network
share.
Discussion Question
You can perform Detach, Forget, and Destroy operations on a storage repository. What does each of these operations do and
when might you use each?
• NFS VHD storage repository stores VM images as thin-provisioned VHD format files on a shared NFS
target. Existing NFS servers that support NFS V3 over TCP/IP can be used as a storage repository for
virtual disks. NFS storage repositories can be shared, allowing any VMs with their virtual disks in an NFS
VHD storage repository to be migrated between servers in the same resource pool. Because virtual disks
on NFS storage repositories are created as sparse, you must ensure that there is enough disk space on the
storage repository for all required virtual disks to grow as they are used.
• Software iSCSI storage repository uses a shared Logical Volume Manager on a SAN attached LUN over
iSCSI. iSCSI is supported using the open-iSCSI software iSCSI initiator or by using a supported iSCSI
Host Bus Adapter (HBA).
• Hardware HBA storage repository connects to Fibre Channel (FC), Fibre Channel over Ethernet (FCoE),
or shared Serial Attached SCSI (SAS) LUNs via an HBA. Prior to configuring a Hardware HBA storage
repository, you need to expose the LUN because the wizard will automatically probe for and display a list
of all available LUNs found.
• StorageLink storage repository uses an existing Network Appliance (NetApp), Dell EqualLogic storage
infrastructure, or Citrix StorageLink Gateway (CSLG) to access a range of different storage systems.
Dynamic multipathing support is available for Software iSCSI and Hardware HBA storage repositories. By
default, multipathing uses round-robin mode load balancing, so traffic will be active on both routes
during normal operation. You can enable and disable storage multipathing in XenCenter using the
Multipathing tab in the Properties of the server.
6. Type a name for the new storage repository in the Name field.
Use the default name provided.
7. Type a description or allow XenCenter to automatically generate the description for the storage repository and then click
Next.
Click Next to allow XenCenter to automatically generate the description.
8. Type the location of the share in the Share Name field or click Scan if you would like to re-attach an existing storage
repository.
Type WIN-V06KOCR56GO:/NFS_Share in the Share name field and then press Enter.
The advanced options available are based on the type of virtual disk storage selected.
10. Determine if a new storage repository will be created or an existing storage repository will be reattached and then click
Finish.
Verify that Create a new SR is selected and then click Finish.
11. Verify that the new storage repository is listed in the left pane of the XenCenter window.
Verify that NFS virtual disk storage is listed.
3. Click Tools > Check for Updates in the XenCenter menu bar.
4. Select the required update from the list and then click Download & Install to start the download process and perform
pre-checks on the servers.
Select XS61E017 and then click Download & Install.
Updates that are applied to a XenServer host can be viewed in the General tab of the host. If you opted to
manually perform the post-update tasks, you should complete those tasks at this time.
Discussion Question
What is the difference between a hotfix, a rollup/service pack, and a feature pack?
Creating Templates
A virtual machine (VM) is a software container that runs on a host and behaves as if it were a physical computer itself. VMs
consist of a guest operating system, CPU, memory (RAM), networking resources, and software applications. All of the
information about the virtual machine is stored in an image file.
A template is a virtual machine encapsulated into a base image file and makes it possible to rapidly create new VMs. In
XenServer, once a VM is converted to a template, it cannot be reverted. This limitation does not apply to Hyper-V or
vSphere.
The template creation process allows you to pre-create a library of base images from which new virtual machines can be
created very quickly without reinstalling the operating system or other applications. Templates can be created at any time.
When templates are used to create VMs, the VMs have increased consistency and reliability across the environment.
Steps required to create a template include:
1. Create a virtual machine.
2. Install the operating system.
3. Install updates and fixes.
4. Install the hypervisor tools.
5. Run Sysprep on a VM running a Windows operating system.
6. Convert to template.
Control: Function
• Send Ctrl+Alt+Del: Sends the Ctrl+Alt+Del sequence to the VM to access the Windows Security screen.
• DVD Drive: Select an ISO image to insert into the DVD drive for the selected VM.
• Switch to Remote Desktop/Switch to Default Desktop: Toggle between VNC connection and RDP connection. Using RDP to
connect can improve the performance of the user interface.
Without tools installed, graceful lifecycle operations such as shutdown and reboot are unavailable from the
hypervisor consoles.
You can find out if XenServer Tools are installed on a VM by looking at the Virtualization state field on the General tab for
the VM. Valid states include:
State: Definition
• Optimized (version x installed): The most up-to-date version of XenServer Tools is installed.
• XenServer tools not installed: XenServer Tools are not currently installed on the VM. You can click the status field to
install the latest version from the XenServer Tools ISO.
• Tools out of date (version x installed): The VM has a version of XenServer Tools installed from an earlier XenServer
release.
Although it is common for many organizations to compartmentalize XenApp and XenDesktop away from the hypervisor
team, in such cases it is equally common for the XenApp and XenDesktop administrators to be tasked with VM creation for
Citrix using the hypervisor management console.
There are several steps to creating a VM that is ready for production use. It is acceptable to use templates to assist with this
process. A hypervisor template may come in one of three forms: Standard, Complete or Custom. Standard templates are built
in to the hypervisor management console and contain pre-defined parameters to assist with the initial VM configuration.
Complete templates are typically downloaded from a third party and include the fully configured VM settings with the OS
installed and any third-party applications. Custom templates are more commonly used because they are created from what
were once virtual machines.
For example, if a company needs to create multiple Windows Server 2012 R2 VMs, a common method would be to create a
custom template from a machine which has undergone Sysprep. By doing this, each new machine built from the custom
template would have the operating system already installed and the machine prepared for final configuration.
Issue: VMs can communicate with each other but not with the hypervisor.
Resolution:
• The VMs have private or cross-private networks. Attach a network to the VM that can communicate with the hypervisor.
• The DHCP service is offline and the VMs are configured for DHCP. Turn the DHCP service on.
Issue: The option to install XenServer Tools on a virtual machine is unavailable.
Resolution: XenServer Tools are already installed on the virtual machine.
Issue: You receive a fatal error message when attempting to run the Sysprep tool.
Resolution: The VM is corrupted. This error message is designed to prevent the deployment of a corrupted VM. You cannot correct the problem within the VM; you must recreate the VM.
Issue: Memory statistics are not displayed for a virtual machine.
Resolution: Confirm that the necessary hypervisor tools are installed on the virtual machine.
Issue: XenServer - Disk space is not reclaimed after deleting a snapshot.
Resolution: XenServer 5.5 Update 1 and later:
1. Retrieve the UUID of the VM (virtual machine).
2. Run coalesce-leaf -u <UUID of virtual machine>. This command suspends the virtual machine, initiates the reclamation process, and resumes the virtual machine.
Issue: Hyper-V - Virtual machines are missing from the Hyper-V Management Console.
Resolution: Configure real-time scanning within anti-virus software to exclude:
• Default and custom virtual machine configuration directories
• Default and custom virtual hard disk drive directories
• Snapshot directories
• Vmms.exe and Vmwp.exe files
Setting Up the Infrastructure Components
Overview
The infrastructure on which Citrix components will be installed plays a key role in the success of a XenApp and XenDesktop
implementation. At a minimum, the infrastructure components required are:
• Domain Controller
• Domain Name Services (DNS) server
• Dynamic Host Configuration Protocol (DHCP) server
• Certificate Authority (CA)
• File Server
• SQL Server
• Microsoft Licensing (RDS/KMS/MAK)
You may need to install and configure additional components to support your specific organizational needs.
After completing this module, you will be able to:
• Understand the role of Active Directory and DNS to support a XenApp and XenDesktop environment.
• Understand how Dynamic Host Configuration Protocol (DHCP) plays a role in a XenApp and XenDesktop environment.
• Understand the role of a Certificate Authority to secure a XenApp and XenDesktop environment.
• Understand how file servers can be leveraged in a XenApp and XenDesktop environment.
• Set up and configure SQL Server mirroring.
Module timing: 1.5 hours
• SQLServer-1 = On
• SQLServer-2 = On
• SQLServer-Witness = On
A domain controller should be a dedicated server. Do not install any XenApp and XenDesktop component or SQL
Server on a domain controller.
You should install and configure multiple domain controllers in a XenApp and XenDesktop environment. When multiple
domain controllers exist, they synchronize their information and provide high availability to optimize Active Directory
functionality.
Discussion Question
XenApp and XenDesktop can be used with domain controllers running which versions of Windows Server?
Once the AD DS role is installed, the name of the server should not be changed. Doing so could be problematic
and could impact the performance of the domain controller for up to 24 hours.
Discussion Question
Why should you use Active Directory Domain Services with XenApp and XenDesktop?
Issue: After installing the domain controller VM, you do not see the Promote this server to domain controller link in Server Manager.
Resolution: There may be critical alerts that need to be attended to before the link appears. Click the red flag in Server Manager to view the alerts and get additional information.
Issue: The installation of roles and features fails.
Resolution:
• Click the red flag in the Server Manager window to view messages. Reinstall the roles and features again using Server Manager after all critical alerts have been addressed.
• Ensure that all the required source files are on the server.
Issue: You cannot add servers to the domain.
Resolution:
• The installation of the AD role has not completed.
• The administrator account being used to add the servers to the domain does not have domain administrator rights.
Organizational units are Active Directory containers into which you can organize end user accounts, groups, computers, and
other organizational units. An organizational unit cannot contain objects from other domains. OUs are the smallest unit to
which you can assign Group Policy settings. All required OUs have been pre-created in our lab environment.
This graphic shows the organizational units configured for use in the lab environment.
A well-designed organizational unit (OU) structure is an important piece of a XenApp and XenDesktop environment.
Discussion Question
What are some benefits of using OUs?
Discussion Question
When providing end users with access to resources, why is it better to specify groups rather than individual end-user
accounts?
You should use GPOs linked to the domain mainly for policies that must be applied to all end users and
computers in order to comply with corporate security policies, industry-specific best practices, or general security
best practices.
The majority of GPOs will be linked to OUs rather than directly to the domain. The policy then will apply only to the end
users or computers within that OU or any child OUs. Policies are inherited from the parent of an object. All OUs, by default,
inherit GPOs linked to the domain as the domain is the parent of all OUs.
GPOs are the most efficient and consistent method of controlling connection, security, and bandwidth settings. You can
create them for specific groups of end users, devices, or connection types. Each GPO can contain multiple settings.
Citrix HDX policies can be managed through both Group Policy Objects in Microsoft Windows or within the Citrix Studio
console in XenApp and XenDesktop. The console or tool you use depends on whether you have the appropriate permissions
to manage GPOs, where policies will be stored, and how policies will be maintained. Using Group Policy Objects is usually
preferred over creating policies in Citrix Studio when it is organizationally possible to do so.
The Training Service Accounts group that the following policy will be applied to has already been created in the
lab environment.
Discussion Question
John configured a GPO to "Allow log on locally" and then applied it to the Everyone group. Kelly configured a GPO to "Deny
log on locally" and then set it for the Service Accounts group. What effect will these group policies have on the Everyone and
Service Accounts groups?
Configuring DHCP
After the DHCP service is installed, you must configure it. Configurations can include setting up one or more scopes and
scope or server options. The range of IP addresses that are available to be leased is called a scope. One scope should be set up
for each subnet in the environment.
Issue: All end users are experiencing slow start times.
Resolution: Check the DNS entries for errors.
Discussion Question
What two components are required for SSL encryption?
How does the client determine whether to trust the server certificate?
Which kind of certificate would need to be installed to allow for communication between an internal endpoint and
StoreFront?
Discussion Question
What tools can you use to centrally manage the file servers in your environment?
Citrix leading practice is to use folder redirection in conjunction with Citrix profile management to deliver
optimally sized user profiles and provide access to all user data.
In this class, the lab machines point to a central and hidden preconfigured KMS License Server.
Creating the Computer and Service Accounts for SQL Server 2012
You can create the computer accounts required by the Primary, Mirror, and Witness SQL Servers prior to joining them to the
domain. This removes the need to move the computers into the correct OU at a later time. In addition, during the installation
of SQL Server 2012, you will be asked to provide the name of the account that will be used to access the database engine. If
you create the service account prior to the installation, you will not need to change the account after the installation is
completed.
1. Log on to a domain controller with domain administrator credentials to create the computer and service accounts that
will be used with SQL Server.
2. Click Tools in Server Manager and then click Active Directory Users and Computers.
3. Browse to the OU hosting the SQL Servers.
4. Right-click the OU and then select New > Computer to create a new computer account within the OU.
5. Name the computer account and then click OK.
Doing this now will prevent you from having to go back to the domain controller after joining the SQL Server
to the domain in order to move the computer account into the proper OU.
The password you set should be a strong and relatively randomized password. You should not allow accounts
with non-expiring passwords to log on locally. Windows Server 2008 R2 and 2012 R2 can be used to create
managed service accounts where the passwords are automatically changed. For further information, see
http://technet.microsoft.com/en-us/library/jj128431.aspx. In addition, Windows Server 2012 R2 added the ability
to create group managed service accounts. For more information, see
http://technet.microsoft.com/en-us/library/hh831782.aspx.
16. Right-click the newly created service account and then click Add to a group.
17. Type the group names to which this account will be a member and then click Check Names.
18. Click OK.
Adding the account to the service accounts group is what will prevent the service account from being used to
log on locally because you created a Group Policy Object that disallows log on locally to that group.
1. Create a Windows Server 2012 R2 virtual machine using the Creating a VM steps covered previously.
2. Insert the ISO file for Microsoft SQL Server 2012 into the DVD drive.
3. Click the File Explorer (file folder) icon in the taskbar.
4. Click Computer.
5. Double-click the CD Drive containing the installation media and then click Yes in the User Account Control message.
6. Click Installation in the left column of the window and then click New SQL Server stand-alone installation or add
features to an existing installation.
7. Ensure that the Setup Support Rules run successfully and then click OK.
Verify that the bar is green with a message: Operation completed - 0 Failed.
11. Wait for the setup files to be installed, review the Setup Support Rules page, and then click Next.
12. Verify that SQL Server Feature Installation is selected and then click Next.
13. Select Database Engine Services >SQL Server Replication >Management Tools - Basic, and then click Next.
14. Click Next on the Installation Rules page.
15. Click Next on the Instance Configuration page.
16. Click Next on the Disk Space Requirements page.
17. Click the entry under Account Name for SQL Server Database Engine service and then select Browse to change the SQL
Server Database server to use the new SQL Server service account.
18. Type the name associated with the newly created service account, click Check Names, and then click OK.
19. Type the appropriate password for the SQL Server service account in the Password column for the SQL Server Database
Engine and then click Next.
20. Click Add and then type the names of the SQL Server administrators.
21. Click Check Names and then click OK.
22. Click Next in the Database Engine Configuration page.
23. Click Next in the Error Reporting page.
24. Click Next in the Installation Configuration Rules page.
25. Click Install to begin the installation.
26. Wait for the installation to finish and then click Close.
Discussion Question
Does SQL Server need to be installed before you install XenApp and XenDesktop?
10. Click Tools in the Server Manager and then click Group Policy Management.
11. Browse to the OU hosting the SQL Servers.
Double-click Forest: Training.lab > Domains > Training.lab > Training Servers > SQL.
12. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click the SQL OU and then click Create a GPO in this domain, and Link it here.
13. Type a name for the GPO and then click OK.
Type Windows Firewall - SQL Rules in the Name field and then click OK.
14. Right-click the newly created policy and then select Edit.
Right-click Windows Firewall - SQL Rules and then click Edit.
15. Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with
Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
16. Right-click Inbound Rules and then click New Rule.
17. Click Port and then click Next.
18. Specify the ports that will be used to communicate with the SQL Server and then click Next.
Verify that TCP is selected, type 1433, 5022 in the Specific local ports field, and then click Next.
Port 1433 is for regular SQL Server communications and Port 5022 is for mirroring.
19. Verify that Allow the connection is selected and then click Next.
20. Click Next in the Profile page to apply this rule to the Domain, Private, and Public firewall profiles.
21. Type SQL in the Name field and then click Finish.
22. Right-click Inbound Rules and then click New Rule to configure a rule that allows inbound Windows file sharing.
This inbound rule will be useful when you set up SQL Server Mirroring later on.
23. Click Predefined, click File and Printer Sharing in the Predefined field and then click Next.
24. Click Next on the Predefined Rules page.
25. Click Finish.
26. Close the Group Policy Management Editor and the Group Policy Management Console.
27. Log on to the first SQL Server using domain administrator credentials.
Log on to SQLServer-1 using the Training\Administrator and Password1 credentials, if not already logged on.
You can also open a command prompt window by selecting the Start icon, typing cmd or command, and then
pressing Enter.
30. Type gpupdate /force and then press Enter to force an update.
31. Type exit and then press Enter to close the command prompt window.
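Once the policy has refreshed, the result can be checked from PowerShell on each SQL Server. The script below is an added example, not part of the course material: it reads the effective firewall policy for the rule named SQL, reports where the rule came from, its ports, profiles and remote-address scope, and then probes ports 1433 and 5022 on the lab servers SQL-1, SQL-2 and SQL-W. The function names are hypothetical, and it assumes Windows Server 2012 R2 so that Test-NetConnection is available.

```powershell
# Added example (not from the course material). Run in an elevated PowerShell
# session on each SQL Server after "gpupdate /force".
Import-Module NetSecurity

function Get-SqlFirewallRuleReport {
    param(
        [string]   $DisplayName   = 'SQL',             # rule name typed in step 21
        [string[]] $ExpectedPorts = @('1433', '5022')  # ports typed in step 18
    )

    # ActiveStore is the effective policy: local rules merged with GPO rules.
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $DisplayName `
                                   -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "No effective rule named '$DisplayName'. Check that the GPO is linked to the OU that holds this server."
        return
    }

    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $localPorts = @($portFilter.LocalPort)
        $profiles   = [string]$rule.Profile   # "Any" means Domain, Private and Public

        [pscustomobject]@{
            Rule            = $rule.DisplayName
            SourceType      = $rule.PolicyStoreSourceType   # GroupPolicy when the GPO delivered it
            Source          = $rule.PolicyStoreSource
            Enabled         = ([string]$rule.Enabled -eq 'True')
            Direction       = [string]$rule.Direction
            Action          = [string]$rule.Action
            Protocol        = $portFilter.Protocol
            LocalPorts      = $localPorts -join ','
            MissingPorts    = @($ExpectedPorts | Where-Object { $localPorts -notcontains $_ }) -join ','
            Profiles        = $profiles
            OnPublicProfile = ($profiles -eq 'Any' -or $profiles -match 'Public')
            RemoteAddress   = @($addrFilter.RemoteAddress) -join ','   # "Any" = no source restriction
        }
    }
}

function Test-SqlPartnerPort {
    param(
        [string[]] $ComputerName,
        [int[]]    $Port = @(1433, 5022)
    )

    foreach ($computer in $ComputerName) {
        foreach ($p in $Port) {
            $result = Test-NetConnection -ComputerName $computer -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Computer  = $computer
                Port      = $p
                Reachable = $result.TcpTestSucceeded
            }
        }
    }
}

# Rule as this server actually enforces it.
Get-SqlFirewallRuleReport | Format-List

# Reachability of the other SQL Servers. Port 5022 answers only after the
# mirroring endpoints have been created, so "False" before that step is expected.
Test-SqlPartnerPort -ComputerName 'SQL-1', 'SQL-2', 'SQL-W' | Format-Table -AutoSize
```

A SourceType other than GroupPolicy means the rule in effect was created locally rather than delivered by the Windows Firewall - SQL Rules GPO.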
Discussion Question
Is it a good practice to disable the Windows firewall on a SQL Server?
Mirroring requires a primary SQL Server, a secondary SQL Server, and a SQL Server witness. Mirroring is an active/passive
arrangement. All activity takes place on the primary SQL Server. In the event of a primary failure, the secondary SQL Server
assumes the primary role. The witness determines when a failure occurs. Mirroring does not protect data integrity - only the
database engine is protected. If data corruption occurs, the preferred method of recovery is rollback. Therefore, it is
imperative to follow appropriate backup procedures for the SQL Server database.
Discussion Question
Does the SQL Server Witness need to use the same version and edition of SQL Server as the mirroring partners?
You can choose to use a database on a separate server. If you intend to use an external database created manually,
that is, one that is not created using Studio, ensure that the database administrator uses the following collation
setting when creating the database: Latin1_General_100_CI_AS_KS (where Latin1_General varies depending on
the country; for example Japanese_100_CI_AS_KS). If this collation setting is not specified during database
creation, subsequent creation of the XenApp and XenDesktop service schemas within the database will fail, and an
error similar to "<service>: schema requires a case-insensitive database" appears (where <service> is the name of
the service whose schema is being created).
10. Right-click the Databases node and then click New Database.
11. Type a name for the database in the Database name field.
Ensure there are no spaces in the database name, as spaces may cause issues with Citrix Director.
Ensure that you select the correct Collation option. Many of the options are very similar. If you accidentally
choose the wrong collation for the lab environment, the Delivery Controller Site will not be able to use the
database. You will need to go through this procedure again, because the database will be mirrored but may be
unusable.
16. Verify that Full appears in the Backup type field and then click OK.
17. Wait for the backup process to complete and then click OK.
18. Copy the SQL backup file from the Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup
folder on the first SQL Server (Primary) to the backup SQL Server (Mirror).
If the Windows Firewall is enabled, firewall exceptions need to be added to the SQL Servers either manually or
through a GPO to grant this access. This has already been done for the lab environment. Ensure that the
SQLServer-2 VM is running before continuing with this exercise.
19. Click the Connect menu in the Object Explorer of the Microsoft SQL Server Management Studio and then click
Database Engine.
20. Type the name of the backup SQL Server in the Server name field and then click Connect.
Type SQL-2 and then click Connect.
21. Right-click Databases under the backup SQL Server instance and then click Restore Database.
Right-click Databases under the SQL-2 instance and then click Restore Database.
22. Select Device and then click the ... button to the right of the Device field.
23. Click Add, browse to the backup file, and then click OK.
Click Add, click CitrixMainSite.bak, and then click OK.
Ensure that you select RESTORE WITH NORECOVERY before you click OK. Failure to do so will result in
errors later in the procedure in the lab environment.
34. Click Connect to the right of the Mirror server instance field to connect to the SQL Server that will be the mirror.
35. Click Connect on the Connect to Server dialog and then click Next in the Configure Database Mirroring Security wizard
to proceed.
36. Click the Witness server instance drop-down and then click Browse for more.
Ensure that SQLServer-Witness is running before continuing with the next step in this exercise.
37. Type the name of the SQL Server that will be the witness and then click Connect.
Type SQL-W and then click Connect in the Connect to Server window.
This service account was pre-created for you in the lab environment.
If you receive an error stating that SQL-1 cannot be reached on port 5022, delete the database for SQL-1 and
SQL-2 and start again with Step 10 in this procedure.
The SQL Server witness must remain running after mirroring is configured. The databases may become
inaccessible if the server is shut down.
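The collation, restore and witness requirements described in this procedure can be confirmed with one query per server. The script below is an added example, not part of the course material: it assumes the lab server names SQL-1 and SQL-2, a Site database named CitrixMainSite (taken from the backup file name), and that Invoke-Sqlcmd is available to a SQL Server administrator. The function names are hypothetical.

```powershell
# Added example (not from the course material).
# Invoke-Sqlcmd comes from SQLPS (installed with the SQL Server 2012 management
# tools) or from the newer SqlServer module. SqlServer 22 and later encrypts
# connections by default and may need its encryption options set for a lab
# server that has no trusted certificate.
if (Get-Module -ListAvailable -Name SqlServer) {
    Import-Module SqlServer
} else {
    Push-Location                              # SQLPS changes the current location on import
    Import-Module SQLPS -DisableNameChecking
    Pop-Location
}

# $(DbName) is a sqlcmd variable; the single-quoted here-string keeps PowerShell
# from expanding it.
$StateQuery = @'
SELECT d.name, d.collation_name, d.recovery_model_desc, d.state_desc,
       m.mirroring_role_desc, m.mirroring_state_desc,
       m.mirroring_witness_name, m.mirroring_witness_state_desc
FROM sys.databases AS d
LEFT JOIN sys.database_mirroring AS m ON m.database_id = d.database_id
WHERE d.name = N'$(DbName)';
'@

function ConvertFrom-DbNull($Value) {
    if ($Value -is [DBNull]) { $null } else { $Value }
}

function Test-SiteDatabaseMirroring {
    param(
        [string] $Principal = 'SQL-1',
        [string] $Mirror    = 'SQL-2',
        # Letters, digits and underscore only: no spaces in the database name.
        [ValidatePattern('^[A-Za-z0-9_]+$')]
        [string] $Database  = 'CitrixMainSite'
    )

    $findings = @()

    $p = Invoke-Sqlcmd -ServerInstance $Principal -Database master `
                       -Query $StateQuery -Variable "DbName=$Database"
    if (-not $p) { return @("$Database does not exist on $Principal.") }

    # The prefix varies by country; the _100_CI_AS_KS suffix is what the schemas need.
    $collation = ConvertFrom-DbNull $p.collation_name
    if ($collation -notlike '*_100_CI_AS_KS') {
        $findings += "Collation on $Principal is '$collation'; expected a *_100_CI_AS_KS collation."
    }
    # Database mirroring requires the FULL recovery model.
    if ($p.recovery_model_desc -ne 'FULL') {
        $findings += "Recovery model on $Principal is $($p.recovery_model_desc); mirroring requires FULL."
    }
    $role  = ConvertFrom-DbNull $p.mirroring_role_desc
    $state = ConvertFrom-DbNull $p.mirroring_state_desc
    if ($role -ne 'PRINCIPAL' -or $state -ne 'SYNCHRONIZED') {
        $findings += "Mirroring on $Principal is role='$role', state='$state'; expected PRINCIPAL and SYNCHRONIZED."
    }
    $witness = ConvertFrom-DbNull $p.mirroring_witness_state_desc
    if ($witness -ne 'CONNECTED') {
        $findings += "Witness state seen from $Principal is '$witness'; expected CONNECTED."
    }

    # On the mirror the database stays in RESTORING, so its collation reads as NULL there.
    $m = Invoke-Sqlcmd -ServerInstance $Mirror -Database master `
                       -Query $StateQuery -Variable "DbName=$Database"
    if (-not $m) {
        $findings += "$Database has not been restored on $Mirror."
    } elseif (-not (ConvertFrom-DbNull $m.mirroring_role_desc) -and $m.state_desc -ne 'RESTORING') {
        $findings += "$Database on $Mirror is $($m.state_desc) and not mirrored; it was not restored WITH NORECOVERY."
    }

    if ($findings.Count -eq 0) { "OK: $Database is mirrored, synchronized, and uses $collation." }
    else { $findings }
}

Test-SiteDatabaseMirroring
```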
Discussion Question
Why is SQL Server mirroring a better high-availability solution for the Site database than using the high-availability feature of
the hypervisor?
Issue: You cannot connect to the database engine.
Resolution: Verify that the SQL database is configured to accept remote connections. To correct this issue:
• Use SQL Server Management Studio, open the properties for the local server, click Connections and then verify that TCP Port 1433 is open for SQL traffic on the firewall.
• Open Windows Firewall Advanced Security to verify or create an Inbound rule for the SQL Server ports.
• Verify that the settings contained in the DSN file are appropriate and that the DSN file is not corrupted. If the file is corrupted, recreate the DSN file or copy the DSN file from a server that can connect to the database.
Issue: You receive an error stating that the primary SQL Server cannot be reached on port 5022.
Resolution: Delete the SQL Server mirror database and start again by right-clicking Databases under the mirror SQL Server instance and then click Restore Database. Continue to follow the steps to configure the mirror database.
Discussion Question
You installed anti-virus software on all of the infrastructure servers in your environment and now performance is slow and
the operating systems on the servers are having reliability problems. What can you do to correct the problem?
Discussion Question
Which services might be appropriate for deployment in the DMZ?
Setting Up Citrix Components
Overview
Once the non-Citrix infrastructure components required by XenApp and XenDesktop are in place, you can begin to
implement the Citrix components.
By the end of this module, you will be able to:
• Install and configure the Citrix License Server.
• Install and configure Citrix Delivery Controller, Citrix Studio, and Citrix Director.
• Install and configure the Citrix Universal Print Server.
• Install and configure Citrix StoreFront.
• Install and configure Citrix Receiver.
Module timing: 4.5 hours
At the beginning of this module, the VMs should be in the following states:
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-2 = On
• SQLServer-Witness = On
• All other VMs = Off
Architecture
XenApp and XenDesktop relies on the following Citrix components to provide server-hosted desktops and applications, and
desktop-hosted desktops and applications to end users.
• Citrix License Server stores and manages the license files for all components within the XenApp and XenDesktop
architecture with the exception of NetScaler components, which require the license files to be installed directly on them.
• Delivery Controller consists of services that communicate with the hypervisor to distribute applications and desktops,
authenticate and manage user access, and broker connections between end users and their virtual desktops and
applications.
• Studio is the management console used to set up and administer a XenApp and XenDesktop implementation.
• Director is a Web-based tool that enables IT support and Help Desk teams to monitor an environment, troubleshoot
issues before they become critical, and perform support tasks for end users.
Discussion Question
The network onto which XenApp and XenDesktop is placed must be resilient, robust, and reliable. You can configure all
components perfectly and still have a failed implementation if the network doesn't meet the needs of the environment. What
constitutes a resilient, robust and reliable network?
At this time, the Citrix License Server VPX is not supported for use with XenApp and XenDesktop. This may
change in the future. Refer to www.citrix.com for further information.
Citrix licenses are stored in a file that must be added to the license server. The license file is initially acquired from My
Account on the www.citrix.com Web site or by using Citrix Studio.
All components must be configured to communicate with the license server. This communication is configured from the
Citrix product. The default port for communication is 27000. The license server then uses the vendor daemon with a default
port of 7279 to deliver the license. The License Administration Console communicates with the Citrix License Server on port
8082. All ports can be configured from within the License Administration Console. After a license is installed for use with
XenApp and XenDesktop, all license management is done through the Web-based License Administration Console or Citrix
Studio.
The License Administration Console lets you manage and monitor your Citrix licenses. The availability of a license is
determined by the number of available licenses on the license server when a session is requested. If a license is not available,
the session is denied.
The license server determines how to minimize license consumption based on whether the licenses installed are
User/Device or Concurrent and how the environment is configured. For example, with concurrent licensing, load
balancing of the license server can affect license consumption, as can multiple product editions in the
environment. For a detailed description of how the various license models work, see the "Types" topic under
Licensing Your Product on the http://docs.citrix.com Web site.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
9. Click Next on the Core Components screen to accept the default installation location setting.
10. Select the method to use for port configuration.
Verify that Automatically is selected on the Firewall page and then click Next.
You should select Automatically, if you are using the default ports for communication with your license server.
If you are using custom ports, select Manually. Changing the licensing port after licenses are installed might
cause the "No such product or vendor exists: CITRIX" message to appear on the License Administration
Console dashboard instead of the installed licenses.
11. Click Install and wait for the installation to complete.
12. Click Finish.
13. Eject the XenApp and XenDesktop media from the DVD drive.
Issue: The license server will not start or an upgrade of the license server fails.
Resolution: Run the License Server Configuration tool from C:\Program Files\Citrix\Licensing\LS\resource\LSPostConfigTool.exe. If the License Server Configuration tool fails for any reason, uninstall and reinstall the license server.
Issue: The installation fails when localized characters are used in the installation path.
Resolution: Accept the default installation path or use only ASCII alphabetic characters for the installation path.
Issue: The 30-day free trial license is the only license available.
Resolution: Verify that a license for the product edition has been added to the license server. Accept the trial license and then use Studio to change the license information after installation.
Issue: A read-only administrator receives the following message in Studio after the Citrix License Server software is uninstalled and then reinstalled: "You do not have permissions to perform this operation."
Resolution: Have a full license administrator log on and access the License node in Studio to initiate a trust with the new license server.
If your company already has an account, you would use the existing account rather than create a new one.
6. Click Activate and Allocate Licenses under the Licensing heading on the page.
7. Click the Single Allocation tab.
If you currently have available licenses, they will appear within the Activate and Allocate Licenses tab.
8. Type the license code into the Enter license code field and then click Continue.
Type CTXLF-12345-67890-12345-67890 and then click Continue.
Not all licenses for Citrix products are allocated based on the host name of the license server.
10. Type the case-sensitive name of the Citrix License Server that will host the license in the Host ID field.
Type LS-1 into the Host ID field.
Make sure that students do not type CLS-1 as the host name. CLS-1 is the host name of the Citrix License
Server that the students created in the lab environment, but is not the host name used in this exercise.
11. Click the Quantity/Available field, type the license quantity, and then click Continue.
Click the Quantity/Available field, type 5, and then click Continue.
You can always come back to reallocate and re-download your licenses should they become corrupt, lost, or
you need to specify a different allocation of your licenses using the Reallocate and Redownload tabs from My
Account on the www.citrix.com Web site.
12. Verify that the information is correct and then click Confirm.
13. Click OK in the message stating that the allocation was successful.
14. Click Download.
15. Click the down arrow next to Save and then click Save as.
The name of the license file can be changed, but the contents within the file cannot be changed without
corrupting the license file.
16. Click Save in the Save As window to download the license file to the Downloads folder.
17. Click Log Out in the upper-right corner of the window.
18. Close the browser window.
19. Click the Start button on the bottom-left corner of the screen.
20. Type Citrix License and then click the Search icon.
21. Click Citrix License Administration Console.
22. Click Administration in the upper-right corner of the License Administration Console.
23. Log on as a license administrator.
Type TRAINING\Administrator in the User Name field, Password1 in the Password field, and then click Submit.
24. Click Vendor Daemon Configuration in the lower-left corner of the License Administration Console.
25. Click Import License.
26. Click Browse to the right of the License File from Your Local Machine field to browse to the recently downloaded license
file.
In order to view the active licenses within the dashboard, you must restart the license server or reread the
license file.
31. View the allocated licenses and then click X in the upper-right corner of the window to close the dashboard.
Discussion Question
When downloading the license for the first time from My Account on the www.citrix.com Web site, you are asked to allocate
the licenses. What does allocate mean?
Active Directory users and groups are part of an Active Directory/network authentication system. To support
Active Directory users and groups, the license server must be a member of a Microsoft Active Directory domain.
The StudentManagementConsole-1 (SMC-1) is a system specifically set up in the lab environment for you to
use to administer components in the environment. In the real world, it is more realistic that administrators
use an endpoint to administer their environments than to log on directly to the servers in the environment.
You should not include a backslash for a locally managed administrator (for example, tester1\). If you do, you
will be unable to delete that account.
10. Type the name of an end user or group in the User name field in the form of domain\username or domain\group and
then click Save.
Type TRAINING\Admin2 and then click Save.
11. Verify that the new account appears on the User Configuration page.
12. Click Log Out on the top right of the License Administration console.
Discussion Question
What steps are required to recover from a catastrophic failure of the license server?
Alerts and license usage are displayed on the first page of the License Administration Console. By default, to view
information on the first page of the License Administration Console, you do not need log on credentials. You can
change this behavior and require log on.
If the Log On screen does not appear, click Log Out at the top of the console and then click Administration.
8. Deselect an alert to remove it from the Dashboard and then click Save.
Deselect Overdraft license issued and then click Save in the lower-right corner of the console.
9. Click Dashboard in the upper-right corner of the console to view the Dashboard.
10. Click Citrix Start-up License|Server to expand and view the license.
The alerts, if any, will be displayed in the left pane of the console.
There should not be any alerts at this time because you do not have any Citrix products installed.
You can shut down the CitrixLicenseServer-1 VM to free up lab environment resources. You will be using a
centralized license server in the classroom.
XenApp supports Server OS-based applications and desktops. XenDesktop supports Server OS-based applications
and desktops and Desktop OS-based applications and desktops along with other FlexCast models. The installation
media for XenDesktop contains options for installing XenApp 7.6 or XenDesktop 7.6. The installations are the
same with the exception of branding. The licenses you upload determine the features and functions available to
you. For example, if you choose to install XenApp 7.6 and then upload XenDesktop licenses, your installation will
be XenDesktop.
The Controller:
1. Receives authentication requests from end users and queries Active Directory.
2. Interacts with the database to retrieve the list of resources for the end user.
To add a Controller, you need the securityadmin or db_owner database server role permission for the XenApp
and XenDesktop database.
The license server should be installed before the Controller is installed. This will simplify the registration of the
Controller with the license server.
3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
If you are deploying a Proof of Concept or small implementation that will not grow, you can install the
Controller, Studio, and Director on the same server.
10. Specify whether or not to install Microsoft SQL Server 2012 Express or Remote Assistance and then click Next.
Deselect Install Microsoft SQL Server 2012 SP1 Express, verify that Install Windows Remote Assistance is selected,
and then click Next.
Microsoft SQL Server 2012 Express does not need to be installed on the server because we will be using a
mirrored instance of SQL Server 2012. If a SQL Server installation was not available in the environment, SQL
Server Express could be selected and installed automatically from the installation media. Windows Remote
Assistance is selected for installation because you are installing Director on this server. Director can be used by
Help Desk personnel to assist end users, so Windows Remote Assistance is needed.
11. Select the port configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.
If the Controller will use the default ports for communications, select Automatically. If the Controller will use
alternate port assignments, select Manually to configure the ports after the installation.
Based on the components that are selected for installation in the lab environment and the number of VMs
running, you can expect the installation to take approximately 15 minutes.
13. Wait for the installation to complete, deselect Launch Studio, and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window and then click Internet Information Services (IIS) Manager to
begin the process of requesting and installing a certificate on the first Delivery Controller.
16. Click the name of the Delivery Controller in the left pane.
Click C-1 in the left pane.
18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the Actions pane on the right.
20. Specify the appropriate distinguished name properties and then click Next.
The Common name must match the FQDN that will be used to access the Site.
22. Type a friendly name for the certificate and then click Finish.
Type c-1.training.lab and then click Finish.
23. Double-click Sites > Default Web Site in the left pane.
24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
26. Select the newly created certificate from the SSL certificate field, click OK, and then click Close.
Select c-1.training.lab in the SSL certificate field, click OK, and then click Close.
Discussion Question
How are Virtual Delivery Agents (VDAs) notified of available Controllers?
Configuring a Site
A Site is the management scope for a XenApp and XenDesktop environment and encompasses all of the components needed
for the deployment of XenApp and XenDesktop. All management is done at the Site level. All administrators are configured
at the Site level. A Site must be named during the configuration phase of the first Controller. Components contained in a Site
must be able to communicate with each other and are managed by the Controller.
Studio is the graphical interface used to manage the Site. During the configuration of the Site, you configure communications
between the Controller, Citrix License Server, database, and the hosting environment. Studio can be installed on the
Controller, on an administrator's desktop, on a Server OS machine, or made available as a hosted application.
To Configure a Site
1. Log on to the VM hosting Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
2. Open Studio.
Click Start, type Studio and then click Citrix Studio.
Studio will open automatically at the end of the Controller installation by default, if Studio was selected for
installation.
Semantically, the Site name should make sense in the context of the overall architecture or be relevant to the
groups or Controller residing on the Site.
6. Type the database server location and the name of the database in the appropriate fields.
Type sql-1.training.lab in the Database server location field and verify that CitrixMainSite appears in the Database
name field.
You are not using the CitrixLicenseServer-1 VM during this class to provide licenses for XenApp and
XenDesktop. Instead, you are connecting to an external license server to provide the licenses.
It is recommended that HTTPS connections be used to communicate with XenServer. HTTPS prevents the
XenServer password from being transmitted over the network in plain text. Certain tools are able to read plain
text user names and passwords in HTTP (unencrypted) network packets, which creates a security risk for
users. A certificate is not installed on the XenServer host in the lab environment.
15. Type the user name and password for the host connection.
Type the user name and password provided by the instructions at the beginning of the lab.
17. Determine which provisioning tool will be used to create VMs for XenApp and XenDesktop and then click Next.
Verify that Studio tools (Machine Creation Services) is selected and then click Next.
18. Type a name for the virtualization settings in the Enter a name for the Resources field, select the desired networks for the
VMs to use, and then click Next.
Type XenApp and XenDesktop Network in the Enter a name for the Resources settings field, select Internal, verify
that all other networks are deselected, and then click Next.
When Shared and NFS virtual disk storage are selected, you can specify whether or not IntelliCache will be
used to reduce the load on the shared storage device. This option is not valid for Local storage. To learn more
about IntelliCache, see http://support.citrix.com/article/CTX129052.
20. Determine where Personal vDisks will be stored and then click Next.
Verify that Use same storage for virtual machines and Personal vDisk is selected and then click Next.
21. Determine if App-V publishing will be used, specify the appropriate information, and then click Next.
Verify that No is selected on the App-V Publishing page and then click Next.
You can expect the Site configuration to take approximately 10 minutes because the primary and mirror
database schemas are being created for the new Site.
23. Verify that a green check mark appears next to Step 1 and then click the Test site configuration button.
24. Click Show report to review the test results.
25. Close the Site Configuration Testing Report and then click Close.
Some warnings may appear. The warnings will not affect the lab environment, but should be addressed in a
real-world implementation. In our database, Read Committed Snapshot is disabled. This means that the
database engine will not modify information in the database while a transaction is reading that information.
When Read Committed Snapshot is enabled, versioning is used to allow reading and writing of the
information at the same time.
For more information about connection settings and connection throttling, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-connections.html.
2. Open Studio.
Click Start, type Studio and then click Citrix Studio.
a. Click Hosting.
b. Verify XenServer is selected.
c. Click Edit Connection in the Actions pane.
4. View the options to improve the performance of the XenApp and XenDesktop Delivery site by enhancing the connection
throttling settings.
Click the Advanced tab.
5. Click Cancel.
Citrix recommends that you only adjust these advanced connection properties under the guidance of a Citrix
Support representative.
In most large deployments, connection leasing will likely never be used because the SQL clustering options will
prevent the loss of connection to the site database.
Example: An end user has accessed Microsoft Word within the last two weeks, but has not accessed Microsoft PowerPoint.
During the site outage, the connection leasing feature allows the Delivery Controllers to broker that user’s request to
Microsoft Word, but not to Microsoft PowerPoint, because Microsoft PowerPoint is not in the cache. Connection leasing is
enabled by default and is limited to user sessions accessing server-hosted applications, server desktops and static (assigned)
desktops; it is not supported for random (pooled) desktops. Connection leasing can be turned on or off using the PowerShell
SDK or the Windows registry.
When the Delivery Controller enters into lease connection mode during a database connection failure:
• Studio, Director and the PowerShell console cannot be used.
• Workspace control is not available, so users will not be automatically reconnected to disconnected sessions.
• If new sessions are created just before the database becomes unavailable, users may not be able to access the resources in
those sessions if the Delivery Controllers did not have a chance to sync with the database.
• Users roaming from an external to internal HDX connection may not be able to reconnect to a session established from a
different network.
• Power managed, powered off static (assigned) desktops remain unavailable until the database connection is restored.
• New sessions will not prelaunch and session lingering timeouts are not used.
• Server-based connections are routed to the most recently used VDA, and all server-based load balancing is ignored.
• Only VDAs that are 7.6 minimum version are supported.
Discussion Question
When might you consider adding an additional Controller to the environment?
Troubleshooting Studio
The following table identifies resolutions for issues related to Studio.
Issue: There is a delay when starting Studio.
Resolution: Verify that there is an Internet connection prior to starting Studio. If no connection is available, you must
disable the Authenticode signature checking feature as described in http://support.citrix.com/article/CTX120115.
Issue: Studio sometimes shows completed tasks as "In progress."
Resolution: This issue is cosmetic and can be ignored if you are certain that the task has been completed. You should not
restart Studio if a long-running task is genuinely active because it will cause the task to remain in an incomplete state.
Administrators
An administrator represents an individual person or a group of people identified by their Active Directory account. Each
administrator is associated with one or more role and scope pairs, which allows organizations to delegate responsibility based
on the administrator's role and function.
Roles
Roles represent a job function with defined permissions. XenApp and XenDesktop have the following built-in roles:
Scopes
Scopes represent a collection of objects. Scopes are used to group objects in a way that is relevant to your organization.
Objects can be in more than one scope; you can think of objects being labeled with one or more scopes. There is one built-in
scope: 'All,' which always contains all objects. The Full Administrator role is always paired with the All scope.
2. Open Studio.
Click Start, type Studio and then click Citrix Studio.
3. Expand Configuration in the left pane and then click Administrators. When the Delegated Administration welcome screen
appears, click Close to continue.
4. Click Create Administrator in the right pane.
5. Click Browse and then type the name of the user or group to be added in the Enter the object name to select field.
Click Browse and then type HelpDesk into the Enter the object name to select field.
If you create a new scope, refresh the console so new administrators can create a new connection or resource
without encountering an error. If the console is not refreshed, the new connection/hosting scope will not be
available to new administrators.
Discussion Question
The administrator account used to install the Controller and configure the Site has Full Administrator privileges. What
happens if you delete that account from Studio?
3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
If you are deploying a Proof of Concept or small implementation that will not grow, you can install the
Controller, Studio, and Director on the same server.
10. Specify whether or not to install Microsoft SQL Server 2012 Express or Windows Remote Assistance and then click Next.
Deselect Install Microsoft SQL Server 2012 SP1 Express, verify that Install Windows Remote Assistance is selected,
and then click Next.
Microsoft SQL Server 2012 Express does not need to be installed on the server because you already have a
mirrored instance of SQL Server 2012. The same database must be used for both the first Controller in the
environment and all subsequent Controllers in the environment. If Windows Remote Assistance was selected
for installation on the first Controller, it must be selected for all subsequent Controllers to ensure that it is
available to Director.
11. Select the port configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.
If the Controller will use the default ports for communications, select Automatically. If the Controller will use
alternate port assignments, select Manually to configure the ports after installation completes.
13. Wait for the installation to complete, deselect Launch Studio, and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window and then select Internet Information Services (IIS) Manager to
begin the process of requesting and installing a certificate on the second Delivery Controller server.
16. Click the name of the Delivery Controller in the left pane.
Click C-2 in the left pane.
18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the right pane.
20. Specify the appropriate distinguished name properties and then click Next.
The Common name must match the FQDN that will be used to access the Site.
21. Click Select, select the Certificate Authority, and then click OK.
Click Select, select training-AD-CA, and then click OK.
22. Type a friendly name for the certificate and then click Finish.
Type c-2.training.lab and then click Finish.
23. Double-click Sites > Default Web Site in the left pane.
24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
26. Select the newly created certificate in the SSL certificate field, click OK, and then click Close.
Select c-2.training.lab in the SSL certificate field, click OK, and then click Close.
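The certificate and binding steps above (performed on C-1 and again on C-2) can be verified from PowerShell. The following is an added example, not part of the courseware; the function name and the 30-day expiry threshold are assumptions made for illustration.

```powershell
# Added example, not part of the courseware. Run in an elevated PowerShell session on the
# server that holds the binding (C-1 or C-2 in the lab).
Import-Module WebAdministration   # installed with the IIS management tools

function Test-SiteCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string] $ExpectedFqdn,                    # FQDN clients will use, e.g. c-2.training.lab
        [string] $SiteName = 'Default Web Site',   # site used in the lab steps
        [int]    $WarnDays = 30                    # assumption: flag certificates expiring within 30 days
    )

    $problems = @()
    $cert     = $null

    # An https binding with a certificate thumbprint must exist before anything else can be checked.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) {
        $problems += "No https binding on '$SiteName'."
    }
    elseif (-not $binding.certificateHash) {
        $problems += 'The https binding has no certificate assigned.'
    }
    else {
        # The binding records the thumbprint and the local machine store that holds the certificate.
        $storeName = $binding.certificateStoreName
        if (-not $storeName) { $storeName = 'My' }
        $cert = Get-Item -Path "Cert:\LocalMachine\$storeName\$($binding.certificateHash)" -ErrorAction SilentlyContinue
        if (-not $cert) { $problems += "Bound certificate not found in LocalMachine\$storeName." }
    }

    if ($cert) {
        # The common name (or a subject alternative name) must match the FQDN used to reach the Site.
        # This is an exact, case-insensitive comparison; wildcard names are not expanded.
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $names  = @($cert.GetNameInfo($nameType, $false))
        $names += @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })
        if ($names -notcontains $ExpectedFqdn) {
            $problems += "Certificate names ($($names -join ', ')) do not include $ExpectedFqdn."
        }

        # Validity period, with an early warning before expiry.
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
        }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $problems += "Certificate expires within $WarnDays days ($($cert.NotAfter))."
        }

        # IIS cannot complete a TLS handshake without the private key.
        if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key on this server.' }

        # Verify() builds the chain with the default policy, which includes a revocation check.
        if (-not $cert.Verify()) { $problems += 'Certificate chain does not validate to a trusted root.' }
    }

    [pscustomobject]@{
        Fqdn       = $ExpectedFqdn
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Lab value from the steps above; use c-1.training.lab on the first Controller.
Test-SiteCertificate -ExpectedFqdn 'c-2.training.lab'
```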
As a best practice, you should locate each Controller VM on a different physical hypervisor host for high
availability purposes.
You can shut down the Controller-2 and SQLServer-2 VMs to free up lab resources.
Discussion Question
You added multiple Controllers to your implementation, but discover that you do not need all of them. You decide to use the
Remove Controller option in Studio to remove the extra Controllers. What impact will this have on the remaining
implementation and on the removed Controllers?
2. Log on to the Citrix Universal Print Server VM using domain administrator credentials.
Log on to Universal Print Server using the TRAINING\Administrator and Password1 credentials.
3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
9. Determine where the Citrix Universal Print Server will be installed and then click Next.
Click Next to accept the default location.
Discussion Question
What is the maximum number of concurrent print streams allowed when using the Universal Print Server?
You must include the Universal Print Server enable setting in a policy to enable the use of the Universal Print
Server.
2. Click Tools in Server Manager and then click Group Policy Management.
The Group Policy Management Console may be behind the Server Manager window.
You can determine which OU contains the virtual desktops using Active Directory Users and Computers on
the domain controller.
4. Right-click the OU containing your virtual desktops and then click Create a GPO in this domain, and Link it here.
Right-click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.
5. Type a descriptive name in the Name field and then click OK.
Type Enable and configure Universal Print Server Service and then click OK.
The Universal Print Server is disabled by default. When you enable Universal Print Server, you choose
whether to use the Windows Print Provider if the Universal Print Server is unavailable. After you enable the
Universal Print Server, a user can add and enumerate network printers through the Windows Print Provider
and Citrix Print Provider interfaces.
12. Click OK in the Edit Policy window.
13. Close the Group Policy Management Editor and Group Policy Management windows.
Discussion Question
To which OU must the Universal Print Server policy be applied?
Creating Printers
You can use the Print Management utility to automatically discover and create printers that are on the same subnet as the
Universal Print Server. Once the printers are discovered, you can configure the printers by installing the printer drivers,
setting up the print queues and sharing the printers.
Printers are already created in the lab environment, but will not work because there are no printer devices in the
environment. You can verify which printers exist in the lab environment using the following steps:
1. Log on to Universal Print Server using the TRAINING\Administrator and Password1 credentials.
2. Click Tools > Print Management in the Server Manager.
3. Select Printers in the left pane and then verify that the following network printers exist:
• Accounting (HP Color LaserJet Enterprise cm4549 MFP PCL6 Class Driver)
• Color Laser Printer (HP Color LaserJet 1600 Class Driver PCL6)
• Human Resources (HP Color LaserJet CP4005 PCL6 Class Driver)
• Microsoft XPS Document Writer
4. Close the Print Management window.
To Create Printers
The following steps are provided for informational purposes only and are not to be performed in the lab
environment.
1. Log on to the Citrix Universal Print Server using domain administrator credentials.
2. Click Tools in the Server Manager window and then click Print Management.
3. Expand Print Servers, right-click the Universal Print Server, and then click Add Printer.
4. Select the printer installation method and then click Next.
5. Click Next on the Printer Driver page.
6. Select a printer manufacturer in the left column, a printer in the right column, and then click Next.
7. Type a name for the printer in the Printer Name and Share Name fields and then click Next.
8. Click Next in the Printer Found page.
9. Click Finish.
Discussion Question
You want to automatically add the network printers through discovery, but the Print Management utility is not available.
What must you do to add printers?
StoreFront Components
StoreFront consists of several components, which are described in the following section:
• StoreFront Server - The StoreFront server records details of end-user application subscriptions locally along with
associated shortcut names and locations. When an end user accesses a store, the application synchronization feature
automatically updates the subscribed applications on the end-user device to match the configuration stored on the
StoreFront server. The credentials are later retrieved by the Store Service to authenticate to XenApp and XenDesktop,
ensuring that the end user has a consistent experience across all devices.
• Authentication Service - The StoreFront authentication service authenticates end users to XenApp and XenDesktop sites.
When an end user's credentials have been validated, the authentication service handles all subsequent interactions to
ensure that the user only needs to log on once. The credentials are stored using built-in Windows security features.
• Store - The store retrieves end-user credentials from the authentication service to authenticate end users to the
components providing the resources. The store also enumerates and aggregates the resources currently available from
XenApp and XenDesktop sites and the Delivery Controller (SaaS applications). End users access the store through Citrix
Receiver or a Receiver for Web site.
• Receiver for Web site - This site enables end users to access stores through a Web page. Furthermore, this site can verify
the version of Receiver installed locally on the end-user device and guide the end user through an upgrade or installation
procedure if required. In scenarios where Receiver cannot be locally installed, an HTML 5-based Receiver will be used.
1. An end user enters a username and password into Receiver, which is then sent to the StoreFront server. End users may
skip this step if pass-through authentication is configured.
2. The authentication service of StoreFront retrieves the end-user credentials and validates them with a domain controller.
The StoreFront server must be a member of the same Active Directory forest as the end-user account and the accessed
resources.
3. StoreFront retrieves the end user's application subscriptions locally and loads them into memory.
4. StoreFront forwards the end-user credentials as part of an XML query to the XenApp and XenDesktop Delivery
Controller.
5. The Delivery Controller validates the end-user credentials with a domain controller.
6. After a successful validation, the Delivery Controller checks which resources have been published for this end user within
its SQL Server database.
7. The Delivery Controller sends an XML response to StoreFront, which contains all resources available for the end user
from the XenApp and XenDesktop site.
8. StoreFront sends the list of available resources including the existing subscriptions to Citrix Receiver or displays them in
the Receiver for Web site.
Discussion Question
What advantages does StoreFront offer in place of Web Interface?
Where is the physical location of the StoreFront server on your network?
To Install StoreFront
1. Right-click the Citrix StoreFront VM, click Start, and then click Console.
Right-click StoreFrontServer-1, click Start, and then click Console.
3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
10. Select the firewall rule configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.
If the StoreFront will use the default ports for communications, select Automatically. If the StoreFront will use
alternate port assignments, select Manually to configure the ports after installation completes.
Based on the components that are selected for installation in the lab environment and the number of VMs
running, you can expect the installation to take approximately 10 minutes.
If you decide to open the StoreFront Management Console, and you receive an Add Snap-in error, click
Cancel in the End Snap-in message and the console will open. Do not click End Now because it will close the
console.
14. Eject the XenApp and XenDesktop media from the DVD Drive.
Click Eject to the right of the DVD Drive 1 field to eject the media from the drive.
Discussion Question
Do the StoreFront servers need to be a member of the same domain as the Controllers?
2. Click Tools in the Server Manager window and then click Internet Information Services (IIS) Manager.
3. Click the name of the StoreFront server in the left pane.
Click SFS-1 in the left pane.
5. Double-click Server Certificates in the center pane under the IIS heading.
6. Click Create Domain Certificate in the right pane.
7. Specify the appropriate distinguished name properties and then click Next.
The Common name must match the FQDN that will be used to access the Site.
8. Click Select, select your Certificate Authority, and then click OK.
Click Select, select training-AD-CA, and then click OK.
9. Type a friendly name for the certificate and then click Finish.
Type sfs-1.training.lab and then click Finish.
To Configure a Store
1. Log on to the StoreFront server using domain administrator credentials.
Log on to the StoreFront Server-1 VM using the TRAINING\Administrator and Password1 credentials, if not
already logged on.
2. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
3. Click Create a new deployment.
4. Verify that the URL for the StoreFront server is correct for your deployment and then click Next.
Verify that https://sfs-1.training.lab appears in the Base URL field and then click Next.
6. Add the XenDesktop, XenApp, and XenMobile 9.0 Enterprise (AppController) deployments that will provide the
resources that you want to make available in the store and then click Next.
a. Click Add and then type XenApp and XenDesktop in the Display name field.
b. Verify that XenApp 7.5 (or later), or XenDesktop is selected.
c. Click Add, type c-1.training.lab and then click OK.
d. Click Add, type c-2.training.lab, and then click OK.
e. Verify that HTTPS is selected as the Transport type.
f. Click OK and then click Next.
You have not yet set up the NetScaler component, so at this stage you are not setting up remote access. Based
on the components that are selected for configuration in the lab environment and the number of VMs
running, you can expect the configuration to take approximately 10 minutes.
8. Click Finish.
9. Click Stores in the left pane of the StoreFront console and then verify that the store was successfully created.
Click Stores and then verify that Store-1 appears in the center pane.
Discussion Question
How do you create a Receiver for Web site?
6. Click OK.
7. Click OK.
Stores created for unauthenticated users do not support remote access through NetScaler Gateway.
Unauthenticated user support is specific to certain industries such as education and medical institutes and is not a
feature recommended for general use.
4. Select the Stores node and then click Create Store for Unauthenticated Users.
5. Click Next in the Information screen.
6. Specify the store name and then click Next.
Type Anonymous Store and then click Next.
16. Specify the port for StoreFront to use for connections to the XenApp or XenDesktop site.
Verify that 443 is specified in the Port field.
3. Insert the XenApp and XenDesktop installation media into the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
10. Select the firewall rule configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.
If the StoreFront will use the default ports for communications, select Automatically. If the StoreFront will use
alternate port assignments, select Manually to configure the ports after installation completes.
18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the right pane.
20. Specify the appropriate distinguished name properties and then click Next.
The Common name must match the FQDN that will be used to access the site.
21. Click Select, select the Certificate Authority, and then click OK.
Click Select, select training-AD-CA, and then click OK.
22. Type a friendly name for the certificate and then click Finish.
Type sfs-2.training.lab and then click Finish.
29. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
30. Right-click Server Group in the left pane and then click Add Server.
31. Record the authorizing server and authorization code.
32. Leave the Add Server screen containing the authorizing server and authorization code open until the second server has
successfully joined the server group.
This window will automatically close when the server joins and the propagation of the configuration data is
completed.
34. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
35. Click Join existing server group in the Welcome to StoreFront screen.
36. Type the authorizing server and authorization code noted earlier into the appropriate fields in the Join Server Group
window and then click Join.
Type SFS-1 in the Authorizing server field, type the code you wrote down into the Authorization code field, and then
click Join.
Based on the number of VMs actively running, you can expect the join task to take approximately 10 minutes.
38. Click OK in the "Joined Successfully" message on the second Citrix StoreFront server.
39. Return to the first Citrix StoreFront server.
Switch to the StoreFrontServer-1 VM.
Discussion Question
When you add additional StoreFront servers to a deployment, where should you manage those additional servers?
Setting Up Receiver
Citrix Receiver is a universal software client that provides secure, high-performance delivery of virtual desktops and hosted
applications.
Citrix Receiver provides:
• Simple, self-service access to virtual desktops, hosted applications, and IT services.
• High-definition user experience (HDX) on any network or device.
To enable email-based account discovery for internal end users connecting directly to StoreFront, you must install
a valid server certificate on the StoreFront server. The full chain to the root certificate must also be valid.
At this time, email-based account discovery cannot be used by remote end users.
4. Right-click the forward lookup zone for your domain and then click Other New Records.
Right-click training.lab and then click Other New Records.
9. Specify the fully qualified domain name (FQDN) of the StoreFront server (to support end users in the local network
only).
Type sfs-1.training.lab in the Host offering this service field.
The StoreFront FQDN must be unique and different from the NetScaler virtual server FQDN. Using the same
FQDN for StoreFront and the NetScaler virtual server is not supported. Citrix Receiver requires that the
StoreFront FQDN is a unique address that is only resolvable from endpoints connected to the internal
network. If this is not the case, Receiver for Windows users cannot use email-based account discovery.
11. Select Service Location (SRV) and then click Create Record in the Resource Record Type dialog box.
12. Type _citrixreceiver in the Service field.
13. Type _tcp in the Protocol field.
14. Type the port number used by StoreFront in the Port number field.
Type 443 in the Port number field.
15. Specify the fully qualified domain name (FQDN) of the StoreFront server (to support end users in the local network
only).
Type sfs-2.training.lab in the Host offering this service field.
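The SRV records created in the DNS console above can also be created and checked from PowerShell. The following is an added example, not part of the courseware; the function names, the priority and weight values, and the gateway FQDN placeholder are assumptions, since the page does not give them.

```powershell
# Added example, not part of the courseware. Run on the DNS server (DnsServer module,
# Windows Server 2012 or later) with rights to edit the zone.
$Zone        = 'training.lab'                               # lab zone from the steps above
$StoreFront  = 'sfs-1.training.lab', 'sfs-2.training.lab'   # hosts offering the service
$Port        = 443                                          # StoreFront port from the steps above
$GatewayFqdn = 'gateway.example.com'   # placeholder: NetScaler virtual server FQDN, not given on this page

function Add-ReceiverSrvRecord {
    param(
        [Parameter(Mandatory = $true)] [string]   $ZoneName,
        [Parameter(Mandatory = $true)] [string[]] $Target,
        [Parameter(Mandatory = $true)] [int]      $Port,
        [string] $GatewayFqdn
    )
    foreach ($fqdn in $Target) {
        # The StoreFront FQDN must differ from the NetScaler virtual server FQDN.
        if ($GatewayFqdn -and $fqdn -eq $GatewayFqdn) {
            Write-Warning "$fqdn is also the NetScaler virtual server FQDN; record not created."
            continue
        }

        # Skip targets that already have a matching record so the script can be re-run safely.
        $present = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '_citrixreceiver._tcp' `
                       -RRType Srv -ErrorAction SilentlyContinue |
                   Where-Object { $_.RecordData.DomainName.TrimEnd('.') -eq $fqdn -and
                                  $_.RecordData.Port -eq $Port }
        if ($present) { continue }

        # Priority 0 / weight 100 are assumed values; equal values spread lookups across both servers.
        Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name '_citrixreceiver._tcp' `
            -DomainName $fqdn -Port $Port -Priority 0 -Weight 100
    }
}

function Get-ReceiverDiscoveryTarget {
    param([Parameter(Mandatory = $true)] [string] $EmailAddress)

    # Email-based discovery looks up _citrixreceiver._tcp in the DNS domain of the address.
    $domain = ($EmailAddress -split '@')[-1]
    Resolve-DnsName -Name "_citrixreceiver._tcp.$domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Port, Priority, Weight
}

Add-ReceiverSrvRecord -ZoneName $Zone -Target $StoreFront -Port $Port -GatewayFqdn $GatewayFqdn

# Run from an internal endpoint; the lab account hruser1@training.lab should resolve to
# sfs-1.training.lab and sfs-2.training.lab on port 443.
Get-ReceiverDiscoveryTarget -EmailAddress 'hruser1@training.lab'
```

Running Get-ReceiverDiscoveryTarget from a machine outside the internal network should return no records, because the StoreFront FQDN is meant to be resolvable only from internal endpoints.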
• Using an Electronic Software Distribution (ESD) tool. During the installation, the user can set up an account using an
email address, a server URL, or by downloading a provisioning file using the Activate option.
When an email address is specified, Receiver contacts the StoreFront server associated with the email address and then
prompts the end user to log on and continue the installation. When a server URL is specified, Receiver is configured to point
to that server and then prompts the end user to log on and continue the installation. Once the end user provides their
You do not need administrator credentials to install Citrix Receiver unless Receiver will be configured to use
pass-through authentication. In addition, each end user that logs on to an endpoint must configure Receiver in
order to use it.
3. Insert the XenApp and XenDesktop installation media in the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Right-click CD Drive (D:) to click Citrix Receiver and Plug-ins > Windows > Receiver.
6. Double-click CitrixReceiver.
7. Click Install on the Welcome screen.
8. Click Add Account in the Installed successfully screen to configure Receiver using an email address.
9. Type the end user's email address or the URL of the StoreFront server in the Enter your work email or server address
field and then click Next.
Type hruser1@training.lab and then click Next.
15. Click the + sign in the left portion of the Receiver window to view the applications that are available in the store.
16. Click the down arrow to the right of the user name at the top of the Receiver window and then click Log Off.
17. Close the Receiver window.
Click the X in the corner of the Receiver window to close it.
You can also shut down the EndPoint-Internal VM to save lab resources.
Troubleshooting Receiver
The following table identifies resolutions for Citrix Receiver issues.
Issue: Receiver for Windows end users cannot log on to stores using pass-through authentication, even though the domain pass-through authentication method is enabled in the StoreFront authentication service.
Resolution: Open a PowerShell command prompt and run the following command on the Delivery Controller servers: Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True
Issue: Receiver for HTML5 is not available to end users.
Resolution:
• Enable Receiver for HTML5 in StoreFront and propagate the settings to all StoreFront servers in the environment.
• Ensure that a supported browser is being used. (Supported browsers include Internet Explorer version 10, Safari version 6, Chrome version 23, and Firefox version 17.)
Issue: Receiver for Windows end users cannot log on to stores using pass-through authentication, even though the domain pass-through authentication method is enabled in the StoreFront authentication service.
Resolution: To resolve this issue, run the command Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command prompt on the server hosting the XenApp and XenDesktop Delivery Controller.
Issue: Changes to the configuration of the StoreFront server group are not propagating.
Resolution: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the StoreFront management console is not running on any of the other StoreFront servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
Issue: StoreFront cannot join a server group.
Resolution: Ensure that you are not using Group Policy to prevent the addition of new members to the local administrator group. When you add a new server to a server group, StoreFront service accounts are added as members of the local administrator group on the new server. These services require local administrator permissions to join and synchronize with the server group.
Issue: After upgrading multiple StoreFront servers, the stores, sites, and services have become unusable.
Resolution: Ensure that you upgrade your StoreFront servers sequentially. Upgrading multiple StoreFront servers in parallel is not supported and can cause configuration mismatches that lead to this issue.
StoreFront supports Windows event logging for the authentication service, stores, and Receiver for Web sites. Any
events that are generated are written to the StoreFront Application log, which can be viewed using the Event
Viewer under either Applications and Services Logs > Citrix Delivery Services or Windows Logs > Application.
For more information about event logging, see Citrix product documentation at http://docs.citrix.com.
If you receive an SSL error within Internet Explorer, this can be safely ignored.
At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• StoreFrontServer-2 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off
Architecture Overview
The following diagram depicts the functions and communications of the Delivery Controller within a XenApp and
XenDesktop deployment.
The Delivery Controller contacts the hypervisor to confirm availability of the virtual machines and applications that will be
presented to an end user.
The Delivery Controller communicates with Active Directory to validate end-user credentials.
Studio and Director communicate with the Delivery Controller to manage and configure the site.
Once an end user's session has connected to a StoreFront server, the Delivery Controller can present the end user with a list
of resources from the physical network or from a supported hypervisor.
Resources
XenApp and XenDesktop provide a variety of virtualization models that can be used to provide the end-user with access to
virtual desktops and hosted applications. XenApp and XenDesktop virtualization models include:
• Server OS machines and hosted applications are provided via Remote Desktop Services (formerly Terminal Services) on
a Windows Server operating system. Remote Desktop Services allows multiple user sessions to be hosted on a single
system.
• Desktop OS machines and hosted applications are provided on virtual machines running a workstation operating
system.
• Remote PC Access provides direct access to any physical PC located in the environment. Installing the Virtual Delivery
Agent on the office PC enables it to register with the Delivery Controller. In addition, it manages the HDX (ICA)
connection between the machine and endpoints. The Citrix Receiver running on the endpoint provides access to all of the
applications and data on the office PC. An end user can be provided access to more than one physical PC or a
combination of physical PCs and virtual desktops.
Discussion Question
You want to provide four applications to over 50 end users, but you do not want to provide those end users with a desktop.
In addition, you want to run and deliver the applications from only two systems. Which XenApp and XenDesktop
virtualization model should you implement to meet these requirements?
You should only install the HDX 3D Pro Virtual Desktop Agent if the master image has a desktop OS
installed on it and the image will have access to a Graphical Processing Unit (GPU). You should install the
P2V (Physical to Virtual) tool if you are converting a physical machine to a virtual machine image. You
should install the V2V (Virtual to Virtual) tool if you are converting a Xen-based virtual machine to a Citrix
XenServer virtual machine.
• Install core applications that are appropriate for general distribution and that the majority of users of the machines
created from the image will need. Examples include anti-virus and alternate browsers.
• Install the Citrix Receiver and plug-ins that are needed such as the Microsoft App-V plug-in if applications will be
streamed to the VDA on the machine.
Installing Locales and Language Packs is not the best method for the localization of your master image. It is best
to create a separate master image for each language group. That way, the operating system, applications, and data
match the selected language group.
Make sure that you configure the amount of hard disk space in the master image to allow sufficient room for the
operating system, applications, and updates. The amount of hard disk space allocated is difficult to change later.
Remember that the amount of write cache space needed is equal to the amount of empty space on the master
image. Specifying a large empty disk space can cause problems with your storage. For example, in Provisioning
Services, if a master image has 100 GB of free space, and you deploy it to 1000 end users, you will need 1000
multiplied by the free space just for the write cache. Machine Creation Services has a differencing disk and an
identity disk for each end user and also scales using the same formula.
Discussion Question
You created a master image and used it to create a machine catalog consisting of 100 machines. One of your co-workers
deleted the master image from the hypervisor. What will be the effect of this deletion on the XenApp and XenDesktop
environment?
In larger environments, depending upon the class of network and the number of devices and applications
supported, it may be possible to run out of unique IP addresses.
Applications that might require the use of the virtual IP and virtual loopback features for addressing, licensing, and
identification, include CRM and Computer Telephone Integration (CTI). For more information about virtual IPs and virtual
loopback, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-deliver-virtual-ip.html.
Remote Desktop Services (RDS, formerly known as Terminal Services) is not required on the servers running the
Delivery Controller role, because these servers do not host HDX connections. The Server OS machine in XenApp
and XenDesktop catalogs running the VDA must have RDS installed. Remote Desktop Licenses are required.
The VDA is configured to discover the Delivery Controllers during the installation of the VDA.
The HDX 3D Pro VDA is not available for installation on a Server OS operating system.
1. Right-click the master Windows 2012 R2 VM, click Start, and then click the Console tab.
Right-click Win2012R2Master, click Start, and then click the Console tab.
2. Log on to the VM on which you want to install the VDA using domain administrator credentials.
Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.
3. Insert the XenApp and XenDesktop installation media in the DVD drive.
Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
12. Select the features you want to install and then click Next.
Verify that all features are selected and then click Next.
13. Determine how the firewall ports will be configured and then click Next.
Verify that Automatically is selected and then click Next.
These are the ports used by the VDA. If the VDA will use alternate port assignments, select Manually to
configure the ports after installation completes.
15. Click Close and then wait for the master image to restart.
The machine will restart automatically after a few seconds and the VDA will be configured. Do not eject the
XenApp and XenDesktop media from the DVD drive. Doing so will cause the installation of the VDA to be
incomplete and desktops created from the image will fail to register.
17. Log on to the VM on which you installed the VDA using domain administrator credentials to complete the configuration
of the VDA.
Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.
18. Wait while the prerequisites and selected core components are installed and initialized.
19. Verify that Restart machine is selected and then click Finish.
20. Wait while the VM restarts.
21. Log on to the VM using domain administrator credentials.
Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.
22. Eject the XenApp and XenDesktop media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to remove the XenApp and XenDesktop media.
You should virtualize applications to significantly reduce the number of master images you need to support the
end users in the environment and to reduce the administrative overhead required to support multiple master
images when application updates need to be installed.
When configuring the applications, you should ensure that you use settings appropriate for the end users and the machine
type, as these configurations will be propagated to end users from the master image. Compatibility testing should be
conducted before you install any application on a master image that will be released to the production environment.
2. Click Desktop.
3. Insert the ISO image of the third-party application into the DVD drive.
Select Microsoft_Office_2010_Professional_SP1_English.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:).
Be aware that if you select a Standard install, all Microsoft Office applications will be installed, which requires
additional disk space as well as time to complete the download and installation.
Microsoft Excel, Microsoft PowerPoint, and Microsoft Word will be the only applications installed on the
master image.
The operating system and applications installed on the master image should be licensed before the master
image is used to create a machine catalog. Once armed, you do not need to rearm Microsoft Office or
Microsoft Windows if you are using XenServer 6.1, XenServer 6.2, vSphere, or SCVMM with Machine
Creation Services.
10. Click Eject next to the DVD drive field to eject the ISO image.
Discussion Question
You are providing desktops to four end-user groups in your environment. Each of the end user groups requires a set of
common applications. In addition, each end user group requires that a set of job-specific applications be available to them
from their desktop. How many master images will you need to create to support the four end-user groups?
Issue: The VDA installation stops responding.
Resolution: Check behind the VDA installation window to see if an error message is halting the installation. If an error message is present, address the issue in the error message and then click OK in the error message to continue installing the VDA.
There are two different VDAs available for installation on a Desktop operating system: Standard VDA and HDX 3D Pro
VDA. The HDX 3D Pro VDA allows the desktop to take advantage of the Graphical Processing Unit on the hardware
running the virtual desktop.
2. Log on to the VM on which you want to install the VDA using domain administrator credentials.
Log on to Win8Master using the TRAINING\Administrator and Password1 credentials.
3. Click Desktop on the Start screen and then click the File Explorer icon on the taskbar.
You may need to complete the mini tutorial before you are allowed to click the Desktop icon.
The HDX 3D Pro VDA should not be installed in the lab environment.
11. Determine if Citrix Receiver will be installed and then click Next.
Verify that Citrix Receiver is selected and then click Next.
a. Select Do it manually, type c-1.training.lab, click Test Connection and then click Add. Type
c-2.training.lab and then click Add. Click Next.
13. Select the features you want to install and then click Next.
Select Personal vDisk, verify that all features are selected, and then click Next.
These are the ports used by the VDA. If the VDA will use alternate port assignments, select Manually to
configure the ports after installation completes.
17. Verify that Restart machine is selected and then click Finish.
The machine will restart automatically after a few seconds and the VDA will be configured. Do not eject the
XenApp and XenDesktop installation media from the DVD drive. Doing so will cause the installation of the
VDA to be incomplete and desktops that are created from the image will fail to register.
20. Eject the XenApp and XenDesktop media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to remove the XenApp and XenDesktop media.
22. From the Start screen, type Update, and then click Update Personal vDisk. Click the Update Inventory button and be
sure to leave the box selected during the progress so the machine shuts down when finished.
This step is only necessary if Personal vDisk was selected in Step 13. Failure to run the Update Personal vDisk
tool when Personal vDisk is selected will result in a desktop that cannot be accessed by end users. It will take
approximately 10 minutes for the Personal vDisk inventory update to complete. If you plan to make additional
changes to the master image, you can wait and run the Update Personal vDisk tool later. If you forgot to select
the Personal vDisk option, you can enable it by running the Update Personal vDisk tool in the VM.
Discussion Question
What is meant by the term registration?
Citrix leading practice is to use MCS or PVS for centralized image management and resource savings for creating
and managing catalogs.
The first step in creating most machine catalogs is creating the master machine. Each catalog requires its own master
machine. The master machine is the fully configured golden image that is used to create the machine catalog. You can update
a machine catalog and all its virtual machines by updating the master image.
After the machine catalog is created, a Delivery Group is created to organize the desktops or applications or both from a
catalog for a group of end users. The results of the Delivery Group populate the end user store with icons that reflect the
assigned resources for which the user has permission.
You must log on to the VM hosting Studio with a domain administrator account if you plan to use XenApp
and XenDesktop to create the Active Directory computer accounts for the machines in the catalog.
4. Click Start, type Studio, and then click Citrix Studio. Click Cancel if the End Snap-in window appears. Click Close on
the Delegated Administration welcome screen.
5. Select the Machine Catalogs node in the left pane.
6. Click Create Machine Catalog in the right pane.
You can avoid seeing this page when creating additional machine catalogs by selecting Don't show this again.
8. Select the type of machine catalog you want to create and then click Next.
Select Windows Server OS and then click Next.
Options include:
• Windows Desktop OS provides individual and customizable desktops based on a workstation operating
system.
• Windows Server OS provides a standardized desktop based on a Server operating system.
• Remote PC Access enables end users to log on remotely to a physical PC from anywhere. The Remote PC
Service must be installed on the Delivery Controller VM in order to place physical PCs in a machine
catalog. Once installed, the VDA on the office PC enables it to register with the Controller and manages
the HDX connections between the machine and the endpoints. The Receiver running on the endpoint
provides the end user with access to all of the applications and data on the office PC.
9. Determine how the infrastructure will be built and managed and then click Next.
Verify that Machines that are power managed and Citrix Machine Creation Services (MCS) are selected and then
click Next.
10. Select a virtual machine to use as the master image and then click Next.
Select Win2012R2Master and then click Next.
11. Specify the number of VMs to create, the number of virtual CPUs and the amount of memory for each VM, and then
click Next.
Verify that 2 is specified in the Number of virtual machines needed field, 2 is specified in the vCPUs field, 2048 is
specified in the Memory (MB) field, and then click Next.
Because of the limited storage in the lab environment, you are only creating two machines. In a real-world
environment, you would create enough machines to satisfy the needs of the end users in the environment.
12. Determine whether to use existing Active Directory accounts or to create new ones.
Verify that Create new Active Directory accounts is selected and then double-click Training Virtual Desktops >
Servers in the Active Directory location for computer accounts section.
If you are creating new accounts, you must specify the OU where they should be created. The Active Directory
organizational units must be created before you complete this step.
13. Create an account-naming scheme, specify the format for the numbering, and then click Next.
Type Server2012R2-## in the Account naming scheme field, verify that 0-9 is selected, and then click Next.
The ## in the naming scheme will be replaced with numbers or letters. If a large number of machines will be
needed, you can add additional # signs to the end of the Account naming scheme.
The master image will be copied, then differencing disks and identity disks will be created for each VM. If you
click the Hide progress button during the creation of the machine catalog, the progress bar becomes visible as
a green bar in the name of the machine catalog on the Machine Catalog screen. The green bar will grow in
size as the machine creation progresses. You can expect the configuration to take approximately 15 minutes.
You can continue to use Studio while the machine creation process runs.
Streamed machines refer to virtual machines provided by Provisioning Services. Provisioning Services will be
covered later in this course.
You must log on to the VM hosting Studio with a domain administrator account if you plan to use XenApp
and XenDesktop to create the Active Directory computer accounts for the machines in the catalog.
If this is the first machine catalog you have created, the Machine Catalog node is not visible until you have
completed one of the initial configuration tasks presented when you first start Studio.
8. Select the type of machine catalog you want to create and then click Next.
Verify that Windows Desktop OS is selected and then click Next.
Options include:
• Windows Desktop OS provides individual and customizable desktops based on a workstation operating
system.
• Windows Server OS provides a standardized desktop based on a Server operating system.
• Remote PC Access enables end users to log on remotely to a physical PC from anywhere. The Remote PC
Service must be installed on the Delivery Controller VM in order to place physical PCs in a machine
catalog. Once installed, the VDA on the office PC enables it to register with the Controller and manages
the HDX connections between the machine and the endpoints. The Receiver running on the endpoint
provides the end user with access to all of the applications and data on the office PC.
9. Determine how the infrastructure will be built and managed and then click Next.
Verify that Machines that are power managed and Citrix Machine Creation Services (MCS) are selected and then
click Next.
The infrastructure can be built using either virtual machines or physical hardware. The machine images can be
managed using: Machine Creation Services, Provisioning Services (PVS), or a service or technology other than
Citrix (existing images).
You can configure the desktop experience to use a new (random) desktop each time the user logs on, or use
the same (static) desktop each time the user logs on.
11. Determine whether user changes will be saved to a Personal vDisk, to the local disk, or discarded, and then click Next.
Select Yes, save changes on a separate Personal vDisk and then click Next.
The Desktop Experience page is not available if you are configuring a Server OS machine catalog or Remote
PC Access. In addition, Personal vDisk is not available if you are configuring a machine catalog for:
• A Windows Desktop OS that will deliver a new (random) desktop each time the user logs on.
• Windows Server OS.
• Remote PC Access.
Personal vDisk is only available for machine catalogs providing static Desktop OS desktops.
12. Select a virtual machine to use as the master image and then click Next.
Select Win8Master and then click Next.
13. Specify the number of VMs to create, the number of virtual CPUs, and the amount of memory for each VM.
Verify that 1 is specified in the Number of virtual machines needed field, 2 is specified in the vCPUs field, and 2048 is
specified in the Memory (MB) field.
Because of the limited storage in the lab environment, you are only creating a single machine. In a real-world
environment, you would create enough machines to satisfy the needs of the end users in the environment.
The default drive size is 10 GB and the default drive letter is P. You should not reduce the size of the Personal
vDisk below 3 GB.
15. Determine whether to use existing Active Directory accounts or to create new ones.
Verify that Create new Active Directory accounts is selected and then double-click Training Virtual Desktops >
Desktops in the Active Directory location for computer accounts section.
If you are creating new accounts, you must specify the OU where they should be created. The Active Directory
organizational units must be created before you complete this step.
16. Create an account-naming scheme, specify the format for the numbering, and then click Next.
Type Static-PvD-## in the Account naming scheme field, verify that 0-9 is selected, and then click Next.
The ## in the naming scheme can be replaced with numbers or letters. If a larger number of machines will be
needed, you can add additional # signs to the end of the Account naming scheme.
17. Type a machine catalog name and description, and then click Finish.
Type Windows 8 Desktops in the Machine Catalog name field, type Static Win 8 desktops with PvD in the
Description field, and then click Finish.
The master image will be copied onto each VM created in the machine catalog. If you click the Hide progress
button during the creation of the machine catalog, the progress bar becomes visible as a green bar in the name
of the machine catalog on the Machine Catalog screen. The green bar will grow in size as machine creation
progresses. You can expect the configuration to take approximately 15 minutes. When the configuration
completes, one machine in the machine catalog will start automatically to initialize the disks. Once the disks
have been initialized, the machine will automatically shut down. You can continue to use Studio while the
machine creation process runs.
Discussion Question
During the creation of a machine catalog, you are prompted to use existing computer accounts or create new computer
accounts in Active Directory. What permissions must you have in order for XenApp and XenDesktop to create new computer
accounts?
You cannot create mixed Delivery Groups from machine catalogs with different machine types. Machine catalog
characteristics must match if you want to put the machines into a single group. For example, you cannot mix
machines from Server OS machine catalogs with Desktop OS machine catalogs.
Defining the end-user experience in the Delivery Group means that you do not need to duplicate or maintain these settings
across multiple pools of resources, and the backend resources can be changed without affecting the end-user experience.
Delivery Groups identify the end users that have access to the desktops and hosted applications provided by machine catalogs.
You can configure multiple Delivery Groups for a single machine catalog in Citrix Studio. Active Directory integration allows
you to select specific groups and grant them access to desktops and applications.
Careful planning and monitoring of your users’ activity patterns are essential to tailoring these features to
complement each other. Optimal configuration balances the benefits of earlier application availability for users
against the cost of keeping licenses in use and resources allocated.
Securing Connections
Many administrators must comply with company security requirements and ensure that all company traffic
(internal and external) is secure. To ensure that communications are properly encrypted, administrators typically add
certificates to Delivery Controllers, StoreFront servers, NetScaler appliances, and more.
The SSL to VDA feature allows you to secure communications between users and the Virtual Delivery Agents (VDAs) with
SSL. To configure SSL to VDA, you:
• Manually configure SSL on the machines containing the VDA using the Microsoft Management Console or use the
Enable-VdaSSL.ps1 PowerShell script located on the installation media.
The PowerShell script configures SSL on static VDAs; it does not configure SSL on random (pooled) VDAs
that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets
on each restart.
• Configure SSL in the Delivery Groups containing the VDAs using the Get-BrokerAccessPolicyRule and
Set-BrokerAccessPolicyRule PowerShell cmdlets in Studio.
Before you configure the SSL to VDA communications, you should be aware of the following considerations:
• SSL connections between users and VDAs are valid only for sites in XenApp 7.6 and XenDesktop 7.6 or later versions.
• SSL configuration in the Delivery Groups and on the machines containing the VDA is done after you create the Delivery
site, create the machine catalogs, and create the Delivery Groups.
• Only Full Administrators have the permissions required to configure SSL in the Delivery Groups and change the Delivery
Controller access rules.
• Only Windows administrators on the machines containing the VDA have the necessary permissions to configure SSL on
those machines.
• If SSL Relay was installed on a machine, it must be uninstalled before installing the VDA on the machine. This is
applicable to machines being upgraded from a previous version of XenApp or XenDesktop.
For more information about securing internal communications using the SSL to VDA feature, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html.
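The Delivery Group half of the SSL to VDA configuration described above, as an added example that is not part of the original course material. It assumes the Citrix Broker PowerShell snap-in on a Delivery Controller; the function names and the Delivery Group name are hypothetical.

```powershell
# Added example: Delivery Controller side of SSL to VDA.
# Run as a Full Administrator on a Delivery Controller, after SSL has been
# configured on the machines containing the VDA (manually or with
# Enable-VdaSSL.ps1 from the installation media).
# Assumptions: function names and the Delivery Group name are hypothetical.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-HdxSslStatus {
    # One row per access policy rule, showing whether the rule requires SSL
    # for HDX connections. With no group name, every rule in the site is listed.
    param([string]$DesktopGroupName)
    $rules = if ($DesktopGroupName) {
        Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName
    } else {
        Get-BrokerAccessPolicyRule
    }
    $rules | Sort-Object DesktopGroupName, Name |
        Select-Object DesktopGroupName, Name, Enabled, HdxSslEnabled
}

function Enable-HdxSslForGroup {
    param(
        [Parameter(Mandatory)][string]$DesktopGroupName,
        # Set when the VDA certificates identify machines by FQDN, so that the
        # Controller hands out DNS names instead of IP addresses.
        [switch]$UseDnsNames
    )
    $rules = @(Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName)
    if ($rules.Count -eq 0) {
        throw "No access policy rules found for Delivery Group '$DesktopGroupName'."
    }

    # A Delivery Group can have more than one access policy rule. Every rule
    # has to be switched, otherwise connections matched by the remaining
    # rules are still brokered without SSL.
    $rules | Set-BrokerAccessPolicyRule -HdxSslEnabled $true

    if ($UseDnsNames) {
        Set-BrokerSite -DnsResolutionEnabled $true
    }

    # Re-read the rules and fail loudly if any of them is still unprotected.
    $status = @(Get-HdxSslStatus -DesktopGroupName $DesktopGroupName)
    $stillOff = @($status | Where-Object { -not $_.HdxSslEnabled })
    if ($stillOff.Count -gt 0) {
        throw "SSL is still disabled on: $($stillOff.Name -join ', ')"
    }
    $status
}

# Audit the whole site first, then enable SSL for one Delivery Group of
# static VDAs and confirm the result.
Get-HdxSslStatus | Format-Table -AutoSize
$group = 'Static Desktops'   # hypothetical Delivery Group name
Enable-HdxSslForGroup -DesktopGroupName $group -UseDnsNames | Format-Table -AutoSize
```

Enabling the rule before SSL is working on the VDAs in that group causes launches to fail, so the audit output is also a quick way to find a group that was switched on too early.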
If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center
pane.
If you previously selected Don't show this again, this page will not appear.
6. Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and
then click Next.
Select Windows 2012 R2 Servers-Apps, type 1 in the Choose number of machines to add field, and then click Next.
Because of the limited storage in the lab environment, you only have a single machine available in the machine
catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users
in the environment.
7. Select the resource to deliver in the Delivery Type screen and then click Next.
Select Applications and then click Next.
Only those end users added to the Delivery Group will be able to access the selected resource (desktop,
applications, or desktop and applications).
9. Type the names of the end users or groups, click Check Names, and then click OK.
Type Human Resources; Accounting; in the Enter the object names to select field, click Check Names and then click
OK.
10. Verify that the appropriate end users and groups appear in the Assign users field and then click Next.
Verify that TRAINING\Human Resources and TRAINING\Accounting appear and then click Next.
12. Type a descriptive name for the Delivery Group in the Delivery Group name field.
Type Office Apps in the Delivery Group name field.
The end users added to the Delivery Group can now use Citrix Receiver to access the hosted applications, but
not the server hosting the applications. If Desktop and Applications had been selected in Step 8, the end users
would be able to access both the hosted applications and the Server OS desktop using Citrix Receiver.
You are shutting down the VM only to save lab environment resources.
15. Optimize the Hosted Applications Delivery Group with Session Prelaunch and Session Lingering.
Select the Office Apps Delivery Group and then click Edit Delivery Group in the Actions pane.
a. Click Application Prelaunch and then select Prelaunch when any user in the Delivery Group
logs on to Receiver for Windows.
b. Select Minutes and set the number to 15.
c. Click Apply and click OK.
17. Configure Application Lingering.
• An Anonymous Users Group is created when you install the Delivery Controller.
Some applications might still require credentials even though the StoreFront store and Citrix Receiver do not.
• Unauthenticated user accounts are created on demand when a session is launched. User accounts are named AnonXYZ,
in which XYZ is a unique three-digit value.
• Unauthenticated user sessions have a default idle timeout of 10 minutes and are logged off automatically when the user
device disconnects. Reconnection, roaming between user devices, and Workspace Control are not supported.
12. Verify that all of the details on the Summary page are correct and then specify a Delivery Group name.
Type Unauthenticated Access as the Delivery Group name.
If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center
pane.
Because of the limited storage in the lab environment, you only have a single machine available in the machine
catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users
in the environment.
7. Select the resource to deliver in the Delivery Type screen and then click Next.
Select Desktops and then click Next.
8. Click the Add button to specify which end users can access the desktops.
9. Type the name of the end user or group, click Check Names, and then click OK.
Type Accounting in the Enter the object names to select field, click Check Names, and then click OK.
10. Verify that the appropriate end users and groups appear in the Assign users field and then click Next.
Verify that TRAINING\Accounting appears and then click Next.
If you select Manually, end users will need to add the server address of a StoreFront server to Receiver on
their virtual desktop before Receiver can be used to access resources.
12. Click Add new and then type a name for the first StoreFront server in the Name field.
Click Add new and then type SFS-1 in the Name field.
If the URLs for the StoreFront servers appear in the Receiver StoreFront URL list, you can proceed to Step 18.
13. Type a description in the Description field, type the URL for the first StoreFront server, and then click OK.
Type First StoreFront in the Description field, type https://sfs-1.training.lab in the URL field, and then click OK.
16. Type a description in the Description field, type the URL for the second StoreFront server, and then click OK.
Type Second StoreFront in the Description field, type https://sfs-2.training.lab in the URL field, and then click OK.
17. Select the StoreFront URLs that will be used by Receiver and then click Next.
Select https://sfs-1.training.lab and https://sfs-2.training.lab and then click Next.
18. Type a name for the Delivery Group that administrators will see in the Delivery Group name field.
Type Win8-Accounting.
19. Type a name for the Delivery Group that end users will see in the Display name field.
Type Win8 Desktop.
20. Type a description for the machine that end users will see and then click Finish.
Leave the description field blank and then click Finish.
Discussion Question
You have the following machine catalogs created in Studio:
Issue: Applications installed on a master image do not appear during the creation of the Delivery Group for a machine catalog.
Resolution: Verify that at least one of the newly created VMs is started and registered. Verify that the VDA was installed completely.
Issue: A red X appears next to the Delivery Controller address when testing the Controller connection.
Resolution: Type the fully qualified name of the Delivery Controller in the Test connection field during the VDA installation.
Issue: StoreFront servers do not appear during the creation of a Delivery Group even though "Automatically, using the StoreFront servers selected below" is selected.
Resolution: Use the Add new button during the creation of the Delivery Group to add the URL of each StoreFront server using the appropriate format for your environment: http://FQDN or https://FQDN
Issue: An administrator is unable to update desktops in a machine catalog.
Resolution: Verify that the administrator has the appropriate permissions.
Issue: Unable to remove a machine from a machine catalog.
Resolution: Verify that the machine is in maintenance mode prior to removal.
Issue: When creating an application delivery group in Studio, the desired application does not appear.
Resolution: Verify that the application is installed on the application server/host.
Issue: Not all end users have access to a newly created application.
Resolution: Verify that the application has been assigned to all of the required Delivery Groups. Verify that the application is enabled.
Issue: You are unable to power manage a machine.
Resolution: Verify that the machine is a virtual machine. Physical machines cannot be power-managed through XenApp and XenDesktop.
Issue: You are unable to reallocate a machine within a Delivery Group.
Resolution: Ensure that the machine was not created using Provisioning Services, as such machines cannot be reallocated.
Issue: Users in a Delivery Group are unable to access their applications or desktops.
Resolution: Verify that maintenance mode is not enabled.
Because of the limited storage and memory in the lab environment, you should only add a single machine to
the machine catalog. In a real-world environment, you would create enough machines to satisfy the needs of
the end users in the environment.
2. Create new Active Directory accounts in the Training Virtual Desktops > Servers OU using the same account naming
scheme as was previously used for the Server 2012 R2 machines.
3. Create a new Delivery Group that will provide the TRAINING\Contractors group with access to the Server OS machines
in the machine catalog.
4. Configure a Delivery Group to provide the Contractors group with access to the desktop of the server, but not hosted
applications.
5. Add both StoreFront servers to the Delivery Group.
6. Use Win2012R2-Contractors as the Delivery Group name.
7. Use Win2012R2 Desktop as the Display name.
To create policies:
1. Determine which console will be used to create or modify the policy.
If the Group Policy Management Console is used to create the policy, the policy is applied to the selected OU.
If Citrix Studio is used to create the policy, the policy is applied based on the OU, and the filters you configure
after the policy settings are added.
Citrix recommends managing and storing policies using GPOs if you have the appropriate permissions in Active
Directory.
In situations where policies exist that have been created using both Studio and GPOs, Group Policy-based settings take
precedence over policies stored within the site database.
Unfiltered Policy
You have the option of creating policies that can be assigned to all objects in a site, or using the pre-created unfiltered policy.
Unfiltered policies are created by default upon the installation of XenApp and XenDesktop. By default, unfiltered policies
apply to all objects and sessions within the site, allowing you to configure global, organization-based settings within one
policy. If you want policies to impact specific groups or end users or objects, you can use policy filters to apply these settings.
The pre-created unfiltered policies cannot be deleted.
In general, Citrix does not recommend installing policy extensions on domain controllers.
If the Welcome screen for Citrix Policies appears, select Don't show this again and then click Close.
4. Select the template that you want to implement and then create a new policy from it.
Select High Definition User Experience and then click Create Policy from Template in the Actions pane.
5. Verify that Template default settings (recommended) is selected and then click Next.
6. Select how you would like to apply the policy and then click Next.
8. Click Next.
9. Enter a unique name for the new policy or accept the default name that is generated automatically.
Type Disabled Desktop UI Elements as the policy name.
Citrix recommends that you apply policies to groups rather than individual end users. If you apply policies to
groups, assignments are updated automatically when you add or remove end users from the group.
To Apply a Policy
1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
5. Click Edit Policy in the Actions pane to open the Policy Wizard.
6. Configure policy settings, if necessary, and then click Next.
Click Next.
7. Click Assign or Edit for each user or machine object to which you want to assign the policy.
8. Click Next to use the existing assignment settings and then click Finish to complete editing the policy.
5. Click Edit Policy in the right pane to open the Policy Wizard.
6. Add or edit the policy settings and then click OK.
7. Click Next.
8. Adjust user and machine assignments, if necessary, and then click Next.
Click Next.
9. Click Finish.
To Prioritize a Policy
1. Log on to the machine that has Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
Discussion Question
What type of policy should you configure if you need to create specific settings and want them applied globally across your
organization?
What if there are end users or objects that should not be affected by these policy settings?
8. Click Finish. The new template appears on the Templates tab of Studio within the Custom templates pane.
You can also export policies created in Studio into Group Policy Objects.
In general, Citrix does not recommend installing policy extensions on domain controllers.
To Create a GPO
1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in Server Manager and then click Group Policy Management.
3. Right-click an organizational unit in the left pane and then select Create a GPO in this domain, and Link it here to
open the New GPO window.
Citrix recommends creating a separate GPO for distributing Citrix policies through Active Directory, and advises
against editing the Default Domain Controllers Policy GPO or the Default Domain Policy GPO.
To Edit a Policy
1. Log on to the machine that has the Group Policy Management Console and Citrix Studio installed.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in Server Manager and then click Group Policy Management.
3. Select the organizational unit in the left pane of the Group Policy Management Console that contains the policy that you
want to edit.
Select Training Virtual Desktops.
4. Right-click the GPO you would like to edit and then click Edit.
Right-click the VDA Settings GPO in the right pane and then click Edit.
9. Click OK.
10. Close the Group Policy Management Editor.
5. Expand and right-click Citrix Group Policy Modeling and then click Citrix Group Policy Modeling Wizard.
6. Click Next in the "Welcome" screen.
8. Specify the OU containing the end users or computers you want to model and then click OK.
11. Specify the advanced simulation options and then click Next.
Click Next.
12. Review the settings on the "Summary of Selections" screen and then click Run.
Click Run.
13. Click Close in the "Completing the Citrix Group Policy Modeling Wizard" screen to view the report.
If you receive a message from Internet Explorer that the site is being blocked, click Add.
14. Review the policy modeling report to determine which policies were applied and have an effect on the selected end users
or computers.
15. Close the modeling results window.
2. Click Tools in Server Manager and then click Group Policy Management.
3. Select the organizational unit in the left pane of the Group Policy Management Console.
a. Expand the Forest: training.lab > Domains > training.lab > Training Users nodes in the left pane.
b. Right-click Training Users and then select Create a GPO in this domain, and Link it here.
c. Type WAN Optimization and then click OK.
4. Right-click the GPO you would like to edit and then click Edit.
Right-click the WAN Optimization GPO from the linked Group Policy Objects tab in the right pane and then click
Edit.
10. Click New Policy to open the New Policy Wizard.
11. Type a name for the new template.
Type Remote Users in the Name field.
Discussion Question
How are remote employees affected when you deny a policy to all end users within an IP address range of 192.168.1.1-
192.168.255.255?
2. Click Tools in Server Manager and then click Group Policy Management.
3. Select the organizational unit in the left pane of the Group Policy Management Console.
Expand the Forest: training.lab > Domains > training.lab > Training Users nodes in the left pane.
4. Right-click the GPO you would like to edit and then click Edit.
Right-click WAN Optimization GPO from the linked Group Policy Objects tab in the right pane and then click Edit.
a. Type \\FS-1\Share\Policies in the Address field of the Import Template window, press Enter, and then
double-click USB Security.gpt.
b. Click Open.
2. Click Tools in Server Manager and then click Group Policy Management.
3. Select the organizational unit in the left pane of the Group Policy Management Console.
Expand the Forest: training.lab > Domains > training.lab > Training Virtual Desktops nodes in the left pane, and then
select Training Virtual Desktops.
4. Right-click the GPO you would like to edit and then click Edit.
Right-click the VDA Settings GPO from the linked Group Policy Objects tab in the right pane and click Edit.
10. Select Actions and then select Export from the Actions menu.
11. Select the location where you would like to export the file to and then click OK.
2. Click Tools in Server Manager and then click Group Policy Management.
3. Browse to the OU containing the policies you want to prioritize.
Expand the Forest: training.lab > Domains > training.lab > Training Users nodes in the left pane.
6. Use the arrows on the left side of the Linked Group Policy Object tab to raise and lower the priority of the policy.
You will not be able to change the priority of the policy because only one policy exists for the OU.
Discussion Question
You have created and applied a new policy. You configured the policy with client removable drives set to disabled. The policy
contains a filter that has been set to allow for the Accounting group. Some employees from the Contractor group are now
asking the Support team why they are unable to access their client drives. What could be causing this issue? How can you fix
the issue?
In XenApp 6.5 and earlier, administrators set policies to control ICA based user-to-user shadowing. These policies
have been removed. In this release of XenApp and XenDesktop, Windows Remote Assistance replaces this
functionality. In order for shadowing to work properly, you must configure the Remote Assistance feature on any
server used to remotely assist end users. This feature is configured within the lab environment.
2. Click Tools in Server Manager and then click Group Policy Management.
3. Browse to the OU where you want to create and link the policy.
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.
7. Double-click Computer Configuration > Policies > Administrative Templates > System and then double-click Remote
Assistance.
8. Double-click the Configure Offer Remote Assistance setting and then select Enabled.
Discussion Question
You enabled the "Configure Offer Remote Assistance" setting for the OU containing the virtual desktops and added the
HelpDesk, XenDesktop Admins, and Domain Admins groups to the policy as directed. In addition, the VDA has been
installed on all of the master images used to create the Desktop OS and Server OS machines in the environment. Your
manager calls you directly and asks for your help. You use a Web browser to access Director and attempt to Shadow the
session, but you get an error. What could be causing the issue?
Issue: A new policy is not functioning properly.
Resolution:
• Ensure that the policy is enabled.
• Verify that it is assigned to the appropriate end users, groups, OUs, and/or domains.
• Verify that there are no Active Directory policies that supersede the policy built in Studio.
• Check the prioritization of the policies.
• Ensure that the correct policy settings have been chosen to achieve the desired results.
Issue: Unable to modify or delete a template.
Resolution: Verify that the administrator attempting to make this change has the authority to do so.
Issue: Loopback policy issues.
Resolution: For information about loopback policy issues, see the http://technet.microsoft.com Web site.
Issue: Unable to find the appropriate policy settings.
Resolution: Use the Search field to narrow the results as you search for settings.
1. An end user starts a session for a machine with profile management enabled.
2. The Citrix Profile management service determines if the end user is a member of the processed group defined in the
profile management policies. If the end user is a member of the group, the service attempts to load the end user's profile
from the store. If the end user is not part of the group a Microsoft profile is assigned.
3. If the end user is a member of the processed group, Citrix Profile management verifies that the user store contains the
profile. If a profile is not found in the store, the service migrates the end user's Microsoft profile to the store or creates a
new one from a template specified in the policy.
4. A local profile that is managed by Citrix Profile management is streamed from the store to the virtual machine.
5. Profile management monitors the end user's profile and logs any changes back to the end user's profile store.
Profile management addresses end-user profile deficiencies in environments where simultaneous domain logons by the same
end user introduce complexities and consistency issues to the profile. For example, if an end user starts sessions on two
different virtual resources based on a roaming profile, the profile of the session that terminates last overwrites the profile of
By default, Citrix Profile management is installed silently on master images when you install the VDA.
2. Click Tools in the Server Manager window and then select Group Policy Management.
3. Browse to the OU containing the desktops to create a policy to enable Citrix Profile Management.
You want a set of common profile settings to apply to both Server OS and Desktop OS machines and custom
profile settings for Server OS and Desktop OS machines so the profiles for the end users will go to different
sub-directories.
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
4. Right-click the OU containing the virtual desktops and then click Create a GPO in this domain, and Link it here.
Right-click Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.
By default, to facilitate deployment, Profile Management does not process logons or logoffs. You can turn on
processing by enabling a policy setting. If the policy setting is not configured, the value from the .ini file is
used. If the policy setting is not configured here or in the .ini file, Profile Management does not process
Windows end-user profiles in any way.
12. Select Profile Management > Streamed user profiles in the Categories field.
13. Determine if end-user profiles will be streamed and then click OK.
Click Add to the right of the Profile streaming setting, select Enabled, and then click OK.
17. Right-click the OU for the Desktop OS machines and then click Create a GPO in this domain, and Link it here.
Right-click Desktops and then click Create a GPO in this domain, and Link it here.
18. Type a name for the policy and then click OK.
Type Citrix Profile Management - Desktops path to user store in the Name field and then click OK.
19. Right-click the newly created policy and then click Edit.
Right-click Citrix Profile Management - Desktops path to user store and then click Edit.
27. Right-click the OU for the Server OS machines and then click Create a GPO in this domain, and Link it here.
Right-click Servers and then click Create a GPO in this domain, and Link it here.
28. Type a name for the policy and then click OK.
Type Citrix Profile Management - Servers path to user store in the Name field and then click OK.
Discussion Question
Citrix Profile Management is installed during which XenApp and XenDesktop component installations?
At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• Domain Controller-1 = On
• File Server-1 = On
• SQL Server-1 = On
• SQL Server-Witness = On
• StoreFront Server-1 = On
• Student Management Console = On
• Universal Print Server = On
• All other machines = Off
2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Select the organizational unit to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Users > Human Resources.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Human Resources and then click Create a GPO in this domain, and Link it here.
5. Type a name for the new Group Policy Object and then click OK.
Type Print Settings in the Name field and then click OK.
6. Click the OU containing the policy, right-click the GPO to which you want to add settings in the Linked Group Policy
Objects tab and then click Edit.
Click the Human Resources OU, right-click Print Settings in the Linked Group Policy Objects tab, and then click
Edit.
If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.
If you know the name of the category or a word in the name of the setting, you can search for the setting
using the Search field. For example, you could search for Printing or Client Printers, or auto-create.
12. Select the desired value for the setting in the Value field and then click OK.
Select Auto-create the client's default printer only and then click OK.
a. Expand the Group Policy Objects OU, select the Print Settings policy, and drag it to the Training Users >
Contractors OU.
b. Click OK in the Group Policy Management message.
Discussion Question
In your environment, you have attempted to configure printer auto-creation. You notice however that when a Windows-
native driver is not available, the Universal print driver is not being used. What could be the problem?
2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Select the organizational unit to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Users.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Training Users and then click Create a GPO in this domain, and Link it here.
5. Type a name for the new Group Policy Object and then click OK.
Type Session Printers in the Name field and then click OK.
6. Click the OU containing the newly created policy, right-click the GPO to which you want to add settings in the Linked
Group Policy Objects tab, and then click Edit.
Click Training Users, right-click Session Printers in the Linked Group Policy Objects tab and then click Edit.
If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.
You are creating a new policy so that filters can be applied at a later time should you decide to enable proximity
printing.
9. Type a name for the new policy or leave the field blank and then click Next.
Type Citrix Session Printers in the Name field and then click Next.
You could also scroll through the categories of settings in the Categories field to find the required setting.
a. Type \\UPS-1 into the Printer UNC path and then click Browse.
b. Expand Entire Network > UPS-1.
c. Click Accounting to add the Accounting printer.
d. Click OK twice.
You could also type the UNC path to the printer directly into the Printer UNC path field and then click OK.
14. Click OK after all desired network printers are added to the Session printers list.
15. Click Next to go to the Filters screen.
16. Configure any necessary filters and then click Next.
Click Next.
You will not be adding any filters at this time. If you wanted to enable proximity printing, you could assign
session printers to end users based on the Client IP address filter. Session printers are an optimal
configuration for scenarios where users roam between locations using the same device (for example, a laptop) or where
thin clients are used because they do not have the ability to connect to network-based printers directly.
17. Click Create.
18. Close the Group Policy Management Editor.
2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Select the organizational unit to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Users.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Training Users and then click Create a GPO in this domain, and Link it here.
5. Type a name for the new Group Policy Object and then click OK.
Type Disable Auto-Install of Printer Drivers in the Name field and then click OK.
6. Click the OU containing the newly created policy, right-click the GPO to which you want to add settings in the Linked
Group Policy Objects tab, and then click Edit.
Click Training Users, right-click Disable Auto-Install of Printer Drivers in the Linked Group Policy Objects tab and
then click Edit.
You could also scroll through the categories of settings in the Categories field to find the required setting.
12. Select the appropriate value for the setting and then click OK.
Select Disabled and then click OK.
While you added multiple settings to the unfiltered Citrix User Policy in previous procedures, you do not see
them now because they were applied to a different OU in the environment.
2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Browse to the OU containing the Group Policy Objects.
Expand Forest: training.lab > Domains > training.lab > Group Policy Objects.
4. Right-click the policy to which you want to add new settings and then click Edit.
Right-click the Print Settings policy and then click Edit.
If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.
You could also scroll through the categories of settings in the Categories field to find the required setting.
You could also click the Find Driver button to search for the desired printer driver. If you have printer drivers
already configured, you can use those drivers.
The new setting in the unfiltered policy is displayed in the Active Settings pane of the Group Policy
Management Editor.
2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Browse to the OU to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Users.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Training Users and then click Create a GPO in this domain, and Link it here.
5. Type a name for the new policy and then click OK.
Type Printer Optimizations in the Name field and then click OK.
6. Right-click the policy in the Linked Group Policy Objects tab and then click Edit.
Right-click the Printer Optimizations policy and then click Edit.
If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.
You could also scroll through the categories of settings in the Categories field to find the required setting.
The new settings in the unfiltered policy are displayed in the Active Settings pane of the Group Policy
Management Editor.
While you added multiple settings to the unfiltered Citrix User Policy in previous procedures, you do not see
them now because they were applied to a different OU in the environment.
Discussion Question
End users are experiencing substantial network latency when attempting to print high quality images used for marketing
campaigns. What policies should be adjusted or implemented to resolve this? Which policies would you want to avoid?
Citrix recommends the Citrix Universal Print Server for remote print server scenarios. The Universal Print Server
transfers the print job over the network in an optimized and compressed format, thus minimizing network use
and improving the end-user experience.
2. Click Tools in Server Manager and then click Group Policy Management to open the Group Policy Management
Console.
3. Browse to the OU to which you want to apply the policy.
Expand Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.
5. Type a name for the new policy and then click OK.
Type Universal Printing in the Name field and then click OK.
6. Right-click the policy in the Linked Group Policy Objects tab and then click Edit.
Right-click the Universal Printing policy and then click Edit.
If you select Edit, you are adding new settings to the Unfiltered policy. If you select New, you are creating a
new policy and can filter that policy to determine to which objects the policy will apply.
You could also scroll through the categories of settings in the Categories field to find the required setting.
12. Specify the desired values for the setting and then click OK.
Select Enabled with fallback to Windows' native remote printing in the Value field and then click OK.
The new settings in the unfiltered policy are displayed in the Active Settings pane of the Group Policy
Management Editor. While you added multiple settings to the unfiltered Citrix User Policy in the previous
procedure, you do not see them now because this policy setting is a Citrix Computer Policy
rather than a Citrix User Policy.
Issue: Cannot update printer drivers.
Resolution: Citrix recommends that you never update a printer driver. Always uninstall a driver, restart the print server, and install the replacement driver. This helps ensure consistency and decreases the chance that issues with existing drivers are transferred to the updated drivers.
Issue: Printers that are no longer used or no longer exist are being created.
Resolution: Verify that all unused drivers are uninstalled to prevent this.
Issue: The Universal Print Server does not appear.
Resolution:
• Verify that the Universal Print Server is enabled.
• Ensure that the operating system is Windows Server 2008 or later.
At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• Controller-2 = On
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off
Discussion Question
What is meant by the terms Master Target Device and target device?
The following considerations explain the locations to choose for the vDisk Store:
2  Location: The vDisk Store can be placed on the local storage of multiple Provisioning Services Servers with the latest
   version of each vDisk replicated across the server.
   Consideration: In order to support high availability, these replicated vDisks must be identical. Replication can be done
   manually or using solutions like DFS replication. Note that the *.vhd, *.avhd, and *.pvp files for each vDisk should be
   replicated, but not *.lok which specifies its location.
3  Location: The vDisk can be placed on shared storage.
   Consideration: This model requires a single vDisk without replications, but requires shared storage.
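One way to check that replicated stores are identical before relying on them for high availability, as an added example rather than a Citrix tool: it hashes the *.vhd, *.avhd and *.pvp files in two store folders and ignores *.lok. The folder names and file contents are constructed samples; in practice you would pass the two store paths to compare_stores.

```python
import hashlib
import tempfile
from pathlib import Path

# From the replication note above: copy *.vhd, *.avhd and *.pvp, never *.lok.
REPLICATED_SUFFIXES = {".vhd", ".avhd", ".pvp"}


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so multi-gigabyte vDisks are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(store):
    """Return {relative name (lower-cased): SHA-256} for files that must be replicated."""
    store = Path(store)
    found = {}
    for path in store.rglob("*"):
        # *.lok and anything else outside the replicated set is ignored.
        if path.is_file() and path.suffix.lower() in REPLICATED_SUFFIXES:
            # Windows file names are case-insensitive, so compare them lower-cased.
            found[path.relative_to(store).as_posix().lower()] = sha256_file(path)
    return found


def compare_stores(reference, replica):
    """Report every way the replica differs from the reference store."""
    ref, rep = inventory(reference), inventory(replica)
    shared = set(ref) & set(rep)
    return {
        "missing_on_replica": sorted(set(ref) - set(rep)),
        "extra_on_replica": sorted(set(rep) - set(ref)),
        "content_mismatch": sorted(name for name in shared if ref[name] != rep[name]),
    }


def stores_identical(report):
    """True only when no finding list contains an entry."""
    return not any(report.values())


def demo():
    """Build two constructed stores in a temporary directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        first, second = Path(tmp, "store-a"), Path(tmp, "store-b")
        first.mkdir()
        second.mkdir()
        # Constructed sample content; real vDisk files are far larger.
        (first / "Win2012R2vDisk.vhd").write_bytes(b"base image")
        (first / "Win2012R2vDisk.pvp").write_bytes(b"properties")
        (first / "Win2012R2vDisk.1.avhd").write_bytes(b"version 1, patched")
        (first / "Win2012R2vDisk.lok").write_bytes(b"lock held by first server")

        (second / "Win2012R2vDisk.vhd").write_bytes(b"base image")
        (second / "Win2012R2vDisk.1.avhd").write_bytes(b"version 1, stale copy")
        (second / "Win2012R2vDisk.lok").write_bytes(b"lock held by second server")
        return compare_stores(first, second)


if __name__ == "__main__":
    report = demo()
    for finding, names in report.items():
        print(f"{finding}: {names or 'none'}")
    print("identical" if stores_identical(report) else "NOT identical")
```

A stale differencing disk or a missing properties file on one server means target devices can start from different content depending on which server answers, so a non-empty report is worth resolving before the second server goes into service.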
1. Log on to the file server where the share will be created using domain administrator credentials.
Log on to FileServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click File and Storage Services in the left pane of the Server Manager and then click Shares.
3. Click Tasks in the center pane and then select New Share.
4. Select a File share profile and then click Next.
Verify SMB Share - Quick is selected and then click Next.
5. Select the drive on the file server where the share will be created and then click Next.
Select E: in the Select by volume section and then click Next.
6. Type a descriptive name for the share in the Share name field and then click Next.
Type vDisks in the Share Name field and then click Next.
7. Deselect Allow caching of share and then click Next on the Configure Share Settings screen.
9. Click Add, click Select a principal, type System, click Check Names, and then click OK to add a principal to the share.
10. Select Full Control and then click OK.
11. Click Add, click Select a principal, type the name of the service account created for Provisioning Services, click Check
Names, and then click OK to add a principal to the share.
Click Add, click Select a principal, type PVS_svc, click Check Names, and then click OK.
The following considerations explain the locations to choose for the Write Cache:
2  Location: The Write Cache can be placed on the target device RAM.
   Consideration: This option frees up the Provisioning Services Server and limits the network communication to reads only
   on the standard vDisk. This option provides the fastest method of disk access since memory access is always faster than
   disk access. It requires sufficient memory for the machine to remain operational.
4  Location: The Write Cache can be placed on the Provisioning Services Server disk.
   Consideration: In this option both reads and writes are handled by the Provisioning Services Server, which causes an
   increase in disk I/O and network traffic. The write cache on server disk is temporary between server reboots.
4  Location: The Write Cache can be placed on the Provisioning Services Server disk persisted.
   Consideration: In this option both reads and writes are handled by the Provisioning Services Server, which causes an
   increase in disk I/O and network traffic. The write cache on server disk is persistent between reboots.
Citrix leading practice is to use the RAM cache with overflow to the hard disk method for storing the write cache whenever
possible.
Reference the following URL for more information on write cache locations:
http://docs.citrix.com/en-us/provisioning/7-6/pvs-product-wrapper-6-2/pvs-technology-overview-write-cache-intro.html.
Discussion Question
Where can vDisks be stored for use with Provisioning Services?
SQLncX64 is the SQL native client and is required if you are using database mirroring. If the SQL native client
is already on the system, you will not be presented with this message.
9. Wait for the Citrix Provisioning Services wizard to appear and then click Next.
If the wizard does not appear on the screen, check the taskbar.
11. Specify your customer information, determine for whom the application will be installed, and then click Next.
Click Next to accept the default information.
DHCP will be used to provide instructions for starting vDisks from the network. Options 66/67 contain the
settings required for PXE booting. Options 66/67 are configured within the DHCP Manager.
18. Specify where the PXE Service is running and then click Next.
Select The service that runs on another computer and then click Next.
19. Decide whether to create a new farm or join an existing farm and then click Next.
Select Create farm and then click Next.
If this is the first Provisioning Services server in the environment, you must create a new farm.
20. Specify, in the Server name field, the name of the database server that will host the Provisioning Services database and
then click Next.
Type SQL-1 in the Server name field and then click Next.
21. Specify a name for the Provisioning Services database and a name for the farm.
Type PVS_db in the Database name field and then verify that Farm is specified in the Farm name field.
23. Determine which groups will be used for security and then click Next.
Verify that Use Active Directory groups for security and training.lab/Builtin/Administrators are selected, and then
click Next.
vDisks must be stored in a shared directory if multiple Provisioning Services servers will access the same vDisk
simultaneously. You created the \\FS-1\vDisks share earlier in this module.
26. Specify the license server in the License server name field.
Type Licenses.citrixvirtualclassroom.com.
27. Select Validate license server version and communication and then click Next.
29. Verify that Automate computer account password updates is selected and then click Next.
This ensures that Provisioning Server resets the Active Directory computer accounts of the provisioned
endpoints before the computer accounts expire in Active Directory.
30. Specify the network card to be used for streaming and management, specify the ports to use, and then click Next.
Verify that 6890 is specified as the First communications port, 54321 is specified as the Console port, and then click
Next.
You will use the network cards on this Provisioning Services server (192.168.10.31) in the lab environment.
31. Select Use the Provisioning Services TFTP service and then click Next.
32. Specify the boot servers that target devices can contact to complete their start up process and then click Next.
Click Next to accept the default Stream Servers Boot List.
33. Verify that Automatically Start Services is selected and then click Finish.
34. Click OK in the Windows Firewall message.
The message will always appear even if the firewall is turned off.
35. Wait while the configuration completes and then click Done.
36. Click the Server Manager icon in the taskbar of the Provisioning Services server and then click Tools > Services.
Service startups can fail in high-latency environments. You should configure the following Recovery settings
for the Citrix PVS SOAP Server, Citrix PVS Stream Service, and Citrix PVS TFTP Service to ensure that these
services start.
37. Right-click Citrix PVS Soap Server and then click Properties.
38. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
39. Right-click Citrix PVS Stream Service and then click Properties.
40. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
41. Right-click Citrix PVS TFTP Service and then click Properties.
42. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
43. Close the Services window.
Discussion Question
How does Provisioning Services simplify the management of updating target devices?
The service account configured to access the database does not have securityadmin permissions in the lab
environment, so you must perform the following procedure.
2. Click Start, type SQL Server Management Studio, and then click SQL Server Management Studio.
If SQL Server Management Studio does not appear in the Start menu, you probably did not install SQL Server using
the TRAINING\Administrator account. You should log off and log on again using the credentials used to install SQL
Server.
3. Select the first SQL Server in the Server name field and then click Connect.
Select SQL-1 in the Server name field and then click Connect.
4. Double-click the first SQL Server and then double-click Security > Logins in the left pane.
Double-click SQL-1 > Security > Logins.
If SQL-1 does not appear in the left pane, click Connect above the left pane, select Database Engine, select
SQL-1 in the Server name field, and then click Connect.
9. Specify the service account, click Check Names, and then click OK.
Type PVS_svc, click Check Names, and then click OK.
10. Click Server Roles in the left pane and then verify public is selected in the right pane to grant server-wide security
privileges to the specified user.
11. Click User Mapping in the left pane, select the database, and then select db_owner.
Click User Mapping, select PVS_db, and then select db_owner for the role membership.
8. Specify customer information, determine for whom the application will be installed, and then click Next.
Click Next to accept the default information.
10. Determine which components will be installed and then click Next.
Verify that Complete is selected and then click Next.
11. Click Install to begin the installation of the Provisioning Services Console.
12. Click Finish.
13. Click Exit.
14. Click Eject to eject the installation media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services media.
Discussion Question
The Console uses the SOAP Server to communicate with which two components of the Provisioning Services
implementation?
When a target device is turned on, it is set to start from the network and to communicate with a Provisioning Services host.
The target device downloads the startup file from a TFTP server, and then the target device starts up. Based on the device
start up configuration settings, the appropriate vDisk is located, and then mounted by a Provisioning Services host. The
software on that vDisk is streamed to the target device, as needed.
Instead of immediately pulling all the vDisk content down to the target device, the data is brought across the network in real
time, as needed. The Provisioning Services host provides blocks of data from the vDisk as they are requested by the operating
system, in the same way that the operating system would normally request them from its hard drive. This approach allows a
target device to load a completely new operating system and software from the vDisk in the time it takes to restart. This
approach dramatically decreases the amount of network bandwidth required by traditional disk imaging tools, making it
possible to support a larger number of target devices on your network without impacting overall network performance,
although a dedicated storage network could be required for larger implementations.
An alternate method of network startup is available via Boot Device Manager. With Boot Device Manager, a small partition
can be automatically created on the vDisk (VHD) file by Provisioning Services. The small partition contains all of the
information needed to start the target device. The Boot Device Manager can also be used to create an ISO file which can be
loaded into the machine's CD tray for booting from CD-ROM.
2. Click Tools > DHCP in Server Manager to open the DHCP console.
3. Double-click the server name and then double-click IPv4 > Server Options.
Double-click ad.training.lab and then double-click IPv4 > Server Options.
This is the IP address of the Provisioning Services server in our lab environment.
7. Select 067 Bootfile Name in the Available Options list on the General tab.
8. Type ARDBP32.BIN in the String value field and then click OK.
Discussion Question
Why might you opt to use BDM rather than PXE?
When might PXE be a better option than BDM?
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
SQLncX64 is the SQL native client and is required if you are using database mirroring. If the SQL native client
is already on the system, you will not be presented with this message.
9. Wait for the Citrix Provisioning Services wizard to appear and then click Next.
If the wizard does not appear on the screen, check the taskbar.
11. Specify customer information, determine for whom the application will be installed, and then click Next.
Click Next to accept the default information.
This is done so provisioned machines (vDisks) know where to get instructions to start from the network.
Options 66/67 contain the settings required for PXE booting. Options 66/67 are configured within the DHCP
Manager.
18. Specify where the PXE Service is running and then click Next.
Select The service that runs on another computer and then click Next.
You will point to the VM that hosts the bootstrap file which tells the provisioned machines (target devices) to
start up from the network. In the lab environment, the bootstrap file is stored on this Provisioning Services
server.
19. Decide whether to create a new farm or join an existing farm and then click Next.
Select Join existing farm and then click Next.
If this is not the first Provisioning Services VM in the environment, you probably want to join a farm instead
of creating a new farm.
20. Specify the name of the database server that is hosting the database to be used by Provisioning Services and then click Next.
Type SQL-1 and then click Next.
21. Select the Provisioning Services farm that this server will join and then click Next.
Verify that PVS_db:Farm is specified in the Farm name field and then click Next.
In the lab environment, PVS_db is the name of the Provisioning Services database and Farm is the name you
gave the Provisioning Services farm.
22. Specify the site to be used by the Provisioning Services server and then click Next.
Verify that Existing site is selected and then click Next.
In the lab environment, Site is the name you gave the Provisioning Services site.
23. Specify the vDisk store to be used by the Provisioning Services server and then click Next.
Verify that Existing store is selected and then click Next.
In the lab environment, Store is the name you gave the Provisioning Services store.
25. Verify Automate computer account password updates is selected and then click Next.
This ensures that Provisioning Server resets the Active Directory computer accounts of the provisioned
endpoints before the computer accounts expire in Active Directory.
26. Specify the network card to be used for streaming and management, specify the ports to use, and then click Next.
Verify that 6890 is specified as the First communications port, 54321 is specified as the Console port, and then click
Next.
27. Select Use the Provisioning Services TFTP service and then click Next.
28. Specify the boot servers that target devices can contact to complete their start up process and then click Next.
Click Next to accept the default Stream Servers Boot List.
29. Verify that Automatically Start Services is selected and then click Finish.
30. Click OK in the Windows Firewall message.
This message will always appear even if the firewall is turned off.
31. Wait while the configuration completes and then click Done.
32. Click Exit and then eject the installation media from the DVD drive.
Click Exit and then click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation
media.
33. Click the Server Manager icon in the taskbar of the Provisioning Services server and then click Tools > Services.
Service startups can fail in high-latency environments. You should configure the following Recovery settings
for the Citrix PVS SOAP Server, Citrix PVS Stream Service, and Citrix PVS TFTP Service to ensure that these
services start.
34. Right-click Citrix PVS Soap Server and then click Properties.
35. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
36. Right-click Citrix PVS Stream Service and then click Properties.
37. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
38. Right-click Citrix PVS TFTP Service and then click Properties.
39. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
40. Close the Services console.
Discussion Question
You have virtualized your first Provisioning Services server and then added a second Provisioning Services server for
redundancy to prevent a single point of failure. Everything seems to be working as planned. One day, the Help Desk lines
light up with numerous calls from end users complaining that their desktops are not available. What might be causing the
issue?
2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Right-click Provisioning Services Console in the left pane and then click Connect to Farm.
4. Type the NetBIOS name or IP address of the first Provisioning Services server in the Server Information Name field and
then click Connect.
Type PVS-1 and then click Connect.
If you cannot access the farm, restart the Provisioning Services server and try again.
This will connect the console to the first Provisioning Services server so you can see information about the
farm, the sites, and the stores.
5. Double-click the farm name > Sites > site name, and then click Servers.
Double-click Farm > Sites > Site > Servers.
6. Right-click the name of the first Provisioning Services server in the Servers node and then click Configure Bootstrap.
Right-click PVS-1 and then click Configure Bootstrap.
The bootstrap file for the first Provisioning Services server will now include the IP addresses of all
Provisioning Services servers in the farm.
8. Right-click the name of the second Provisioning Services server in the Servers node and then click Configure Bootstrap.
Right-click PVS-2 and then click Configure Bootstrap.
The bootstrap file for the second Provisioning Services server will now include the IP addresses of all
Provisioning Services servers in the farm.
Discussion Question
How many Provisioning Services servers can be specified in the bootstrap file?
The Provisioning Services Common Image Utility allows a single vDisk to simultaneously support different
motherboards, network cards, video cards, and other hardware devices.
If target devices will be sharing a vDisk, the Master Target Device serves as a template for all subsequent diskless target
devices as they are added to the network. It is crucial that the hard disk of the Master Target Device is prepared properly and
that all software is installed on it in the following order:
1. Windows Operating System
2. Device Drivers
3. Service Packs Updates
4. Target Device Software
5. Applications, which can be installed before or after the Target Device Software is installed
Once the vDisk image is available from the network, the target device no longer needs its local hard drive to operate; the
target device starts up directly from the network. The Provisioning Services server streams the contents of the vDisk to the
target device on demand, in real time. The target device behaves as if it is running from its local hard drive. However, unlike
thin-client technology, all processing takes place on the target device.
When creating a vDisk for use with Provisioning Services, you can:
In this procedure, you will create a virtual machine that will become the Master Target Device. You will then use
the utilities to convert the workload of the Master Target Device to a vDisk (VHD) file.
2. Log on to the Master Target Device using your domain administrator credentials.
Log on to MasterTargetDevice-1 using the TRAINING\Administrator and Password1 credentials.
7. Click Target Device Installation and then click Target Device Installation again.
8. Click Next on the Welcome screen of the Installation wizard.
9. Read and respond to the license agreement.
Select I accept the terms in the license agreement and then click Next.
10. Type the customer information in the appropriate field, determine for whom the application is being installed, and then
click Next.
Click Next to accept the default selections.
16. Determine whether a new or existing vDisk will be used and then click Next.
Select Create new vDisk and then click Next.
The Fixed vDisk type allocates 100% of the space allocated for the vDisk immediately. The Dynamic vDisk
type allocates space as it is needed. A Dynamic vDisk starts out small and then grows up to the maximum
amount of space allocated as it is needed.
19. Select the Volume Licensing method to be used with the vDisk and then click Next.
Select Key Management Service (KMS) and then click Next.
20. Define the size of each volume and then click Next.
Click Next to accept the default volume sizes.
21. Type a name for the target device and then click Next.
Type Win2012R2TD and then click Next.
22. Click Optimize for Provisioning Services, click OK, and then click Finish.
23. Click No in the Reboot message and then click No again.
26. Click the General tab for the Master Target Device VM in XenCenter and then click Properties.
Click MasterTargetDevice-1 in XenCenter, click the General tab, and then click Properties.
Recall that the PXE boot option was set during the initial Provisioning Services installation.
After you log on, you will see the XenConvert progress window for the vDisk capture process. Do not restart
the VM until the XenConvert process completes. This process takes around 30-45 minutes.
32. Wait while the XenConvert process completes and then click Finish.
33. Shut down the Master Target Device VM.
Right-click MasterTargetDevice-1, click Shut Down, and then click Yes to confirm.
34. Log on to the first Provisioning Services VM using the domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
35. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
36. Type the NetBIOS name or IP address of the first Provisioning Services server in the Name field and then click Connect.
Type PVS-1 and then click Connect.
37. Double-click the farm name > Sites > site name > vDisk Pool in the left pane of the Provisioning Services Console.
Double-click Farm (PVS-1) > Sites > Site > vDisk Pool.
39. Double-click Device Collections > collection name in the left pane of the Provisioning Services Console.
Double-click Device Collections > Collection.
41. Double-click Stores > store name in the left pane of the Provisioning Services Console.
Double-click Stores > Store.
Discussion Question
What does XenConvert do?
a. Using the Provisioning Services Console, type PVS-1 and then click Connect. Double-click Farm (PVS-1) >
Sites > Stores > Store.
b. Right-click the Win2012R2vDisk and choose Properties.
c. Verify Access mode is set to Private Image (single device, read/write access).
d. Click OK.
a. Using the Provisioning Services Console, browse to Sites > Site > Device Collections > Collection.
b. Right-click the Win2012R2TD device and choose Properties.
c. On the General tab, set the Boot from field to vDisk.
d. Click OK.
a. Using the Provisioning Services Console, browse to Sites > Site > Device Collections > Collection.
b. Right-click the Win2012R2TD device and choose Active Directory > Create Machine Account.
c. Choose the Organizational Unit: Training Servers.
d. Click Create Account and then click Close.
7. Create the Provisioning Services Template that you will use later in the labs to create a catalog.
a. Right-click MasterTargetDevice-1 and copy the machine, naming it PVS_2012R2_template.
b. Select the PVS_2012R2_template machine and click the Storage tab.
c. Select the disk that is not the write cache disk and choose Delete. Click Yes to confirm the delete.
d. Right-click PVS_2012R2_template, choose Convert to template, and then click Convert.
2. Click Start, type Provisioning Services Console and then click Provisioning Services Console.
3. Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect.
Verify that PVS-1 appears in the Name field and then click Connect.
4. Double-click the farm name > Stores > store name to display the contents of the store.
Double-click Farm (PVS-1) > Stores > Store.
6. Click Standard Image (multi-device, read-only access) in the Access mode field and click Cache in device RAM with
overflow on hard disk in the Cache type field. Click OK.
Discussion Question
In Provisioning Services, private image mode identifies a vDisk as being available to only one target device. What term is used
in Machine Creation Services to specify that a VM is dedicated to a single end user?
In Provisioning Services, standard image mode identifies a vDisk as being available to many target devices. What term is used
in Machine Creation Services to specify that a VM can be used by many end users?
You can remove a vDisk from a target device using the Properties of the target device.
2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect.
Verify that PVS-1 appears in the Name field and then click Connect.
5. Right-click the site name and then click XenDesktop Setup Wizard.
Right-click Site and then click XenDesktop Setup Wizard.
9. Type the log on credentials of the host (XenServer) and then click OK.
Type root in the Username field, type the password provided to you at the beginning of the lab, and then click OK.
10. Select a VM template to use for the Master Target Devices and then click Next.
Select PVS_2012R2_template and then click Next.
11. Select a Standard image mode vDisk and then click Next.
Select Store\Win2012R2vDisk and then click Next.
12. Determine if a new or existing catalog will be used and then click Next.
Select Create a new catalog, type Win2012R2PXE in the Catalog name field, and then click Next.
13. Specify the type of operating system machines to create in the catalog and then click Next.
Select Windows Server Operating System and then click Next.
You must be careful to select the correct type of desktop at this point. Selecting the incorrect OS will result in
an unusable machine catalog.
Personal vDisk is not available, because you are creating a machine catalog based on the Windows Server OS.
15. Determine whether to use existing Active Directory accounts or to create new ones for the new target device machines in
the machine catalog and then click Next.
Verify that Create new accounts is selected and then click Next.
If you are creating new accounts, you must specify the OU where they should be created. The Active Directory
organizational units must be created before you complete this step.
16. Specify the domain and OU to which the new target devices in the machine catalog will be added in Active Directory.
Select training.lab in the Domain field and then double-click training.lab > Training Virtual Desktops > Servers.
17. Determine the account naming scheme and then click Next.
Type Win2012R2PXE-##, verify that the 0-9 enumeration scheme is selected, and then click Next.
This will be the naming scheme associated with the target devices that will use the Win2012R2vDisk vDisk.
18. Click Finish and wait for the VM (target device) to be created in the machine catalog.
19. Verify that the new target devices appear in XenCenter and then click Done.
Verify that Win2012R2PXE-01 appears in XenCenter and then click Done.
21. Click Start, type Citrix Studio and then click Citrix Studio.
22. Click Machine Catalogs and then verify that the newly created catalog appears.
Click Machine Catalogs and verify that Win2012R2PXE appears in the list.
Discussion Question
Personal vDisk can only be used with which type of desktop?
2. Click Start, type Citrix Studio, and then click Citrix Studio.
3. Select the Delivery Groups node in the left pane.
4. Click Create Delivery Group in the right pane.
If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center
pane. If you receive an error message stating "There are no available machines in a compatible Machine
Catalog. You must create a new Machine Catalog or add machines to an existing one.", use Studio to verify
that a machine catalog exists and contains machines that have not been assigned to a Delivery Group. If the
machine catalog was newly created and none of its machines have been assigned through a Delivery Group
yet, the problem could be that the machine catalog was not created correctly. Create a new machine catalog and
delete the corrupted one.
5. Click Next in the Getting Started with Delivery Groups page.
If you previously selected Don't show this again, this page will not appear.
6. Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and
then click Next.
Select Win2012R2PXE, type 1 in the Choose number of machines to add field, and then click Next.
Because of the limited storage in the lab environment, you only have a single machine available in the machine
catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users
in the environment.
7. Select the service to deliver in the Delivery Type screen and then click Next.
Select Desktops and then click Next.
8. Click Add users to specify which end users will be part of the Delivery Group.
Only those users added to the Delivery Group will be able to access the selected service (desktops, applications,
or desktops and applications).
9. Type the name of the user or group, click Check Names, and then click OK.
Type HelpDesk in the Enter the object names to select field, click Check Names, and then click OK.
10. Verify that the appropriate end users appear in the Assign users field and then click Next.
Verify that TRAINING\HelpDesk appears and then click Next.
11. Determine how to provide the StoreFront server address to Citrix Receiver and then click Next.
12. Type a name for the Delivery Group in the Delivery Group name field that administrators will see.
Type Win2012R2Server-HD.
13. Type a Display name in the Display name field that end users will see.
Type Win2012R2 Server.
15. Right-click the machine associated with the Delivery Group and then click Shut Down.
Right-click Win2012R2PXE-01 in XenCenter and then click Shut Down.
You are shutting down the VM only to save lab environment resources.
Discussion Question
Delivery Groups are used to assign end users and groups to machines. What methods are available for selecting the end users?
To Update a vDisk
1. Log on to a virtual machine that has the Provisioning Services Console installed using domain administrator credentials.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
2. Click the Provisioning Services Console icon on the Start screen and then click Connect.
3. Browse to a site in the Provisioning Services Console.
Double-click Farm (PVS-1) > Sites > Site.
4. Click the vDisk Pool node, right-click a vDisk in the right pane, and then click Versions.
Click vDisk Pool, right-click Win2012R2vDisk in the right pane, and then click Versions.
If the vDisk does not appear, right-click vDisk Pool and then click Refresh.
13. Right-click the virtual machine in XenCenter, click Shut Down and then click Yes in the Shut Down virtual machine
message.
Right-click the MasterTargetDevice-1 virtual machine in XenCenter, click Shut Down, and then click Yes in the Shut
Down virtual machine message.
2. Double-click the Provisioning Services Console icon on the Start screen and then click Connect.
3. Browse to a site in the Provisioning Services Console.
Double-click Farm (PVS) > Sites > Site.
4. Click the vDisk Pool node, right-click a vDisk in the right pane, and then click Versions.
Click vDisk Pool, right-click Win2012R2vDisk in the right pane, and then click Versions.
5. Select the latest version of the vDisk and then click Promote to promote the updated version of the vDisk.
Select version 1 and then click Promote.
6. Select the version access and availability time frame and then click OK.
Select Production, select Immediate, and then click OK.
7. Click Done.
Click Cancel if the End Snap-in window appears and then click Done.
8. Start or restart a target device to test that the update was successful.
Reboot the Win2012R2PXE-01 virtual machine in XenCenter, log on as the TRAINING\Administrator user, and
ensure that Firefox is now present.
vDisk versions are created and managed using the vDisk versions dialog box and by performing vDisk versioning tasks. Each
time a vDisk is put into maintenance mode a new version of the VHD differencing disk is created and the file name is
numerically incremented.
A merge can only occur when no Maintenance version exists for this vDisk or when the vDisk is in Private Image
mode. A merge starts from the top of the chain down to a base disk. A starting disk cannot be specified for the
merge.
Merging to a new base image is recommended when performance is more important than disk space, because a new base disk
is created for every merge performed.
Merging to a consolidated differencing disk is recommended when disk storage is limited or when the bandwidth between
remote locations is limited, which makes copying large images impractical.
2. Click the Provisioning Services Console icon on the Start screen and then click Connect.
3. Click the vDisk Pool node, right-click a vDisk in the right pane, and then click Versions.
Click vDisk Pool, right-click Win2012R2vDisk in the right pane, and then click Versions.
6. Click OK to merge the process and then click OK again. In the vDisk Versions window, periodically press Refresh until
the merge is complete and then press Done.
Issue Resolution
Issue: Streamed Services stops running.
Resolution: Set the service to automatically restart on failure.

Issue: End-user machine is not receiving an IP address (DHCP issues).
Resolution: Verify that DHCP is accessible on the subnet. Ensure that the client device BIOS is configured to start from the network. You need to adjust the BIOS device startup order for the virtual machine. It is hypervisor-specific.

Issue: Machine cannot obtain ARDBP32.bin.
Resolution: Ensure the settings in DHCP (67) are pointing to the correct file. Verify that the boot file is present on the PVS machine. Ensure that the TFTP service running points to the relevant boot file.

Issue: When starting up a target device using Boot Device Manager (BDM), the static address assigned in the boot file is not what is reflected when the target device fully starts.
Resolution: Place the target device in Private image mode and change the network adapter to use any statically assigned IP address. Avoid using DHCP unless it is preferred, in which case you must specify DHCP in the BDM file when running the BDM wizard.

Issue: After updating a Provisioning Services vDisk that has Personal vDisk enabled, a blue screen of death (BSOD) appears with a STOP error indicating a corrupt file.
Resolution: There are corrupt files or directories on the Personal vDisk. Detaching the personal vDisk from the virtual machine allows it to start.
At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• Endpoint-Internal = On
• Domain Controller-1 = On
• File Server-1 = On
• SQL Server-1 = On
• SQL Server-Witness = On
• StoreFront Server-1 = On
• Student Management Console = On
• ProvisioningServicesHost-1 = On
• All other machines = Off
Director Overview
Director is a Web-based tool that enables IT Support and Helpdesk teams to monitor a XenApp or XenDesktop environment,
troubleshoot issues before they become system critical, and perform support tasks for end users.
Director allows you to search for a particular end user and display activity associated with that end user, such as:
• Finding the status of the end user's applications and processes
• Ending unresponsive applications or processes
• Restarting an end user's machine
• Disconnecting end-user sessions
• Shadowing an end-user session
Director provides an overview of the key aspects of a deployment, such as the status of connections, sessions, and the site
infrastructure. Meaningful performance metrics and graphs are displayed, together with information about the health of the
hypervisors and Controllers. Information is updated every minute. If issues occur, details appear automatically about the
number and type of failures that have occurred. You can view more detailed information, for example, to display all the end
users affected and the associated machines.
In preparation for the exercises in this module, you will need to log on as an end user and begin a session that you
can use Director to monitor in subsequent procedures.
Module 9: Managing and Monitoring Sessions, Sites and End Users with Director 215
To Monitor an End-User Session
1. Log on to an internal endpoint using domain user credentials.
a. Log on to the EndPoint-Internal virtual machine using the TRAINING\AcctUser1 and Password1
credentials.
b. Reboot the EndPoint-Internal virtual machine to apply the policies created in the previous module.
c. Log on to the EndPoint-Internal virtual machine once the reboot has completed, using the
TRAINING\AcctUser1 and Password1 credentials.
a. Click Start and click the down arrow. Click on Citrix Receiver.
Citrix Receiver must be installed on the endpoint before an end user can access resources. If you do not install
Citrix Receiver, an .ICA file will be downloaded to the endpoint. You will not be able to open the .ICA file,
because Receiver is not installed on the endpoint. If Internet Explorer fails to open, restart the
EndPoint-Internal VM.
3. Log on to Citrix Receiver using the domain user credentials.
Log on using the TRAINING\AcctUser1 and Password1 credentials.
a. Click the + icon and select All Applications and then click Microsoft Office Word 2010 and Win8 Desktop.
To Access Director
1. Log on to a computer within the same network as your Controller using domain administrator credentials.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
2. Open a browser window and type the URL for Director using the following format, http://server/Director and then press
Enter.
Click Start and type Director and click on Citrix Director.
The Dashboard will give you a general overview of the current status of the environment and allow you to quickly view
unusual and irregular activity.
Monitoring Infrastructure
From the Infrastructure panel in Director, you can monitor the health status of your XenApp and XenDesktop site
components, as well as view performance alerts. This panel lists all servers with alerts in alphabetical order.
The columns list different states for each server. A green check represents that everything is working properly; an alert or
error represents a warning or failure of an infrastructure component. The panel lets you monitor the current status of the
following entities:
• Hosts
• Delivery Controllers
• Services
• Database
• License Server
• Configuration Logging Database
• Monitoring Database
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
If the Infrastructure panel is not available, click Trends at the top of the Director window and then click
Dashboard again.
3. Ensure that no alerts exist. If a performance alert is indicated, click the alerts in the Infrastructure panel to read more
information.
The status of Controller-2 will be offline due to the machine being powered down.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Click the number above the Sessions Connected text on the Dashboard.
Click 2 to view information about the two connected sessions.
Instead of clicking on the number of end users, you also have the option of clicking View Historical Trend in
the Sessions Connected graph on the Dashboard if you would like to view information about the past number
of concurrent sessions.
3. Click Dashboard at the top of the Director window to return to the Dashboard.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll the Dashboard to view the Average Logon Duration panel in Director.
3. Point your cursor at the chart and view the logon duration and logon information at the same time.
4. Click Trends at the top of the Director screen to view logon performance data across a site beyond the last 60 minutes.
5. Select the Delivery Group that you want to view logon trend information about.
Select All in the Delivery Group field.
6. Select a time period for which you want to view logon trend information.
Select Last 7 days in the Time period field.
7. Click Apply to view the logon data for the Delivery Groups and time period selected.
8. Click Dashboard at the top of the Director window to return to the Dashboard.
Monitoring and Managing End-User Sessions
You can easily monitor and manage end-user sessions within Director. Common monitoring tasks include:
• Viewing end-user sessions
• Searching for end-user sessions
• Monitoring end-user applications
• Monitoring machine processes
• Managing an end user's machine power status
• Enabling or disabling maintenance mode
• Disconnecting and logging off end users
• Shadowing end users
• Sending messages to end users
• Monitoring HDX channels
• Resetting end user profiles
These tasks may also be helpful for Helpdesk representatives to troubleshoot and resolve issues prior to escalation.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
The page displays information about all of the sessions currently running in the environment. You can reduce
the number of sessions displayed using the Filter by fields. For example, you may want to view current
sessions that exist by a particular Delivery Group, OS, machine catalog, etc.
4. Select one or more user sessions to enable the Session Control and Send Message functions for the selected user sessions.
Select the AcctUser1 session that is running on the Server2012R2-01 machine.
5. Click Dashboard at the top of the Director window to return to the Dashboard.
To Search for an End User
1. Log on to Director (http://server/Director) using domain administrator credentials.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Type a specific end user's account name or a partial account name in the Search users field and then press Enter to locate
information about matching end-user sessions.
Type AcctUser1 in the Search for users field, select AcctUser1, and then click Activity Manager.
4. Select the appropriate end user to open the Activity Manager for that user.
Select AcctUser1 and then verify that Details appears below the Search users field.
This step is only necessary if a "fuzzy" search was performed using the Search users field.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to select the Search field.
3. Click Search for user.
4. Type a specific end user's account name or a partial account name in the Search users field and then press Enter to locate
information about matching end user's sessions.
Type AcctUser1 in the Search users field, select AcctUser1, and then click Activity Manager.
5. If there are multiple sessions for the user, you will have the option to select a session.
Select Office Apps.
6. Click Activity Manager below the Search users field to view the Activity Manager.
If the Details button is displayed below the Search field, then the Activity Manager screen is already displayed.
The Activity Manager screen is white and the Details screen is black.
7. Click the Applications tab menu in the Activity Manager to view a list of the applications and hosted applications being
run by the selected end user.
Monitoring End-User Machine Processes
When an end user calls the Helpdesk about a slow desktop machine, you can monitor the status of the processes on that
machine without needing to start a Remote Assistance session and shadow the end user.
One resolution for a process problem is to stop the process. If the process is successfully stopped, it disappears from the list of
processes. If the process problems continue, you can escalate by restarting the machine or by resetting the end user's profile.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session and then click Activity Manager under the Search users field.
Type AcctUser1 in the Search users field, select AcctUser1, and then click Activity Manager.
If the Details button is displayed below the Search users field, then the Activity Manager screen is already
displayed. The Activity Manager screen is white and the Details screen is black.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session and then click Details below the Search users field.
Type AcctUser1 in the Search for users field, select AcctUser1, and then click Activity Manager.
If the Activity Manager button is displayed below the Search users field, then the Details screen is already
displayed. The Activity Manager screen is white and the Details screen is black.
The following power controls are available:
• Restart
• Force Restart
• Shutdown
• Force Shutdown
• Suspend
• Resume
• Start
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session that you would like to put in maintenance mode and then click Details.
Type AcctUser1 in the Search users field, select AcctUser1, and then click Activity Manager.
If the Activity Manager button is displayed below the Search users field, then the Details Manager screen is
already displayed. The Activity Manager screen is white and the Details screen is black.
4. Ensure that the appropriate desktop or application connection for the end user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Details Manager page and then select the
Office Apps (TRAINING\Server2012R2-01) resource from the drop-down menu.
The machine switcher icon is only available when the selected end user has multiple sessions running.
5. Click the Maintenance mode button under Machine Details to change the mode. If you are unsure if Maintenance mode
is enabled or disabled, hover over the Maintenance mode button and a message will appear with the status.
Ensure that maintenance mode is off.
To Reset an End-User Profile
1. Log on to Director (http://server/Director) using domain administrator credentials.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session whose profile you want to reset and then click Details below the Search users field.
Type AcctUser1 in the Search users field, select AcctUser1, and then click Activity Manager.
If the Activity Manager button is displayed below the Search button, then the Details screen is already displayed.
The Activity Manager screen is white and the Details screen is black.
4. Ensure that the appropriate desktop or application connection for the user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Activity Manager page and then select the
Win8 Desktop (TRAINING\Static-PVD-01) resource from the drop-down menu.
The machine switcher icon is only available when the selected end user has multiple sessions running.
5. Scroll the Details page down until you reach the Personalization panel.
6. Click Reset Profile in the Personalization panel of the Details page and then click Reset.
Discussion Question
Can you provide examples of when Director would be useful within your organization?
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search for users field.
3. Search for an end-user session whose HDX details you want to view and then click Details below the Search users field.
Type AcctUser1 in the Search for users field, select AcctUser1, and then click Activity Manager.
If the Activity Manager button appears instead of Details, you are already on the Details page.
4. Ensure that the appropriate desktop or application connection for the user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Details page and then select the Office
Apps (TRAINING\Server2012R2-01) resource from the drop-down menu.
The machine switcher icon is only available when the selected end user has multiple sessions running.
8. Click an HDX channel preceded by a green check mark to view information for an HDX channel that has no current
alerts.
9. Click Download System Report to export HDX channel information for the session to an .XML file.
10. Save the file to a location of your choice or open the file.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session whose HDX details you want to view and then click Details below the Search users field.
Type AcctUser1 in the Search users field, press Enter, and then click Details.
If the Activity Manager button appears instead of Details, you are already on the Details page.
4. Ensure that the appropriate desktop or application connection for the end user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Details page and then select the Office
Apps (TRAINING\Server2012R2-01) resource from the drop-down menu.
The machine switcher icon is only available when the selected end user has multiple sessions running.
5. Scroll the page to the right to view the Session Details pane.
6. Click the Send Message button.
7. Type a message you would like to send the end user.
Type Thank you for contacting the Helpdesk. Your issue should now be resolved.
8. Click Send and then verify that the message was successfully sent.
a. Click Send.
b. Switch to the EndPoint-Internal virtual machine and then click OK on the message to close it.
c. Switch back to the Controller-1 virtual machine.
The selected end user must have an active session running in order to receive the message. If the end user is
disconnected or the session has timed out, the end user will not receive the message.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end-user session that you want to shadow and then click Details below the Search users field.
Type AcctUser1 in the Search users field, press Enter, and then click Details.
If the Activity Manager button appears instead of Details, you are already on the Details page.
4. Ensure that the appropriate desktop or application connection for the end user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the Details page and then select the Win8
Desktop (TRAINING\Static-PVD-01) resource from the drop-down menu.
The machine switcher icon is only available when the selected end user has multiple sessions running.
5. Scroll the page to the right to view the Session Details pane.
6. Click the Shadow button.
7. Open the Invite.msrcincident file that is downloaded.
If the end user does not respond within 120 seconds, the connection will fail. If the user does not respond,
click OK in the Windows Remote Assistance message, on the system running Director, to end the shadowing
request.
8. Click Request control at the top of the Windows Remote Assistance window on the system running Director to ask the
end user to allow you to take control of the keyboard and mouse in the session.
9. Assist the end user from the system running Director and then close the Windows Remote Assistance window to end the
shadowing session.
Click the X in the small or full screen Windows Remote Assistance window.
The end user could also end the shadowing session by clicking the X in the Windows Remote Assistance
window displayed on the endpoint. If the administrator ends the shadowing session by closing the small
Windows Remote Assistance window, they must close the full screen Windows Remote Assistance window
separately.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end user whose session you want to disconnect and then click Details below the Search users field.
Type AcctUser1 in the Search users field, press Enter, and then click Details.
If the Activity Manager button appears instead of Details, you are already on the Details page.
4. Ensure that the appropriate desktop or application connection for the end user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the page and then select the Office Apps
(TRAINING\Server2012R2-01) resource from the drop-down menu.
The machine switcher icon is only available when the selected end user has multiple sessions running.
5. Scroll the Details page to the right and then click Session Control.
6. Click Disconnect to disconnect the selected session.
7. Verify that the state of the session has changed to Disconnected.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
2. Scroll to the right within any page in Director to access the Search users field.
3. Search for an end user whose session you want to log off and then click Details below the Search users field.
Type AcctUser1 in the Search users field, press Enter, and then click Details.
If Activity Manager appears instead of Details, you are already on the Details page.
4. Ensure that the appropriate desktop or application connection for the user is displayed.
Click the machine switcher icon (Computer display icon) at the top of the page and then select the Office Apps
(TRAINING\Server2012R2-01) resource from the drop-down menu.
The machine switcher icon is not visible if the selected end user only has a single connection running.
5. Scroll the Details page to the right and then click Session Control.
6. Click Log Off to log the end user off the session.
Wait while the end user is logged off. Do not click Log Off again; doing so will result in an error being
displayed. After the end user is logged off the session, the session details will disappear from the Details pane.
Discussion Question
What is the difference between disconnecting a session and logging off an end user?
Monitoring Historical Trends
In Director, use the Trends page to access historical trend information for sessions, connection failures, machine failures,
logon performance, and load evaluation for each site. To locate the information, on the Dashboard or Filters page, click
Trends.
Each graph shows trend data for a specified period of time (the default is previous 24 hours) and for specified Delivery
Groups (default: all groups). You can also view data for a single point in time by pointing your cursor to that location. Click
the refresh icon at any time to update the data.
You can save the graph to a PDF file or save the data to a CSV file so that you can reuse the data in other applications. When
the data is exported, you can view more detailed information that was not visible within the graph, assisting with the analysis
of historical trends.
a. Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
b. Click Start and type Director and click on Citrix Director.
c. Log on using the Administrator, Password1, and Training credentials.
4. Select specific filters to view only important information that is relevant to your analysis.
5. Click Apply.
6. Review the information for specific trends.
Issue Resolution
Issue: An error dialog is received during configuration with Citrix Studio.
Resolution: If an error dialog box is received while configuring XenDesktop in Citrix Studio, a descriptive message will display that may help you self-diagnose the issue. If you are unable to address the issue based on the descriptive error message, you can select the option in Studio: "I need help from Citrix to solve this problem." When this option is selected, the Citrix Tools as a Service (TaaS) system searches an error reporting web service maintained by the Citrix TaaS team. If the service locates a matching Knowledge Base (KB) article that specifically addresses the problem, it displays the article. If no match is found, you are directed to a web page where you can send details to Citrix and search Citrix Support forums.

Issue: Unable to shadow an end-user session in Director.
Resolution:
1. Ensure that the end user has an active session.
2. Verify that remote assistance is enabled on the virtual desktop.
3. Verify that the administrator has the correct permissions to shadow end users within Director.
4. Verify that the device you are trying to shadow accepts connections on port 3389.

Issue: The HDX Panel is not available in the administrator's Director.
Resolution: Verify that the end user's machine is connected using HDX. If the end user is not connected using HDX, then the panel will not be available.

Issue: Usage graphs are not displayed in the dashboard.
Resolution: Ensure that the latest version of Flash is installed on the system running Director.

Issue: An error is displayed when running Real-Time reports.
Resolution: Citrix Director requires that WinRM 1.1 or later be installed and enabled on the desktop machine.
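The machine-level checks from the shadowing and Real-Time report entries above (port 3389, WinRM, and the Remote Assistance setting) can be scripted from the system running Director. The following PowerShell is an added example and is not part of the courseware; the function name Test-ShadowPrerequisite and the machine name placeholder are assumptions, and the session and permission checks (items 1 and 3) are not covered.

```powershell
# Added example (not from the courseware): checks three prerequisites named in
# the Issue Resolution entries against one target machine.
# Run from the system running Director with an account that can reach the target.
[CmdletBinding()]
param(
    # Hypothetical placeholder; replace with the desktop or server to be checked.
    [string]$ComputerName = 'TARGET-MACHINE-PLACEHOLDER'
)

function Test-ShadowPrerequisite {
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    $result = [ordered]@{
        ComputerName            = $ComputerName
        Port3389Reachable       = $false
        WinRMResponding         = $false
        RemoteAssistanceEnabled = $null    # $null means the value could not be read
        Notes                   = @()
    }

    # Shadowing, item 4: the device must accept connections on port 3389.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port 3389 `
        -WarningAction SilentlyContinue
    $result.Port3389Reachable = [bool]$tcp.TcpTestSucceeded
    if (-not $result.Port3389Reachable) {
        $result.Notes += 'TCP 3389 not reachable: check host firewall and network path.'
    }

    # Real-Time reports: WinRM must be installed and enabled on the machine.
    try {
        Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
        $result.WinRMResponding = $true
    }
    catch {
        $result.Notes += "WinRM did not respond: $($_.Exception.Message)"
    }

    # Shadowing, item 2: Remote Assistance enabled on the virtual desktop.
    # Reads only the local setting (fAllowToGetHelp = 1 means enabled);
    # a Group Policy setting can override this value.
    if ($result.WinRMResponding) {
        try {
            $value = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
                $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
                (Get-ItemProperty -Path $key -Name fAllowToGetHelp -ErrorAction Stop).fAllowToGetHelp
            }
            $result.RemoteAssistanceEnabled = ($value -eq 1)
            if (-not $result.RemoteAssistanceEnabled) {
                $result.Notes += 'Remote Assistance is disabled in the local setting.'
            }
        }
        catch {
            $result.Notes += "Remote Assistance setting not readable: $($_.Exception.Message)"
        }
    }
    else {
        $result.Notes += 'Remote Assistance setting skipped because WinRM is unavailable.'
    }

    [pscustomobject]$result
}

# Emit one result object; pipe to Format-List for a readable report.
Test-ShadowPrerequisite -ComputerName $ComputerName
```

A result with Port3389Reachable and WinRMResponding both true and RemoteAssistanceEnabled true leaves the session state and the administrator's Director permissions as the remaining items to verify.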
Module 10: Setting Up NetScaler
Overview
The Configure NetScaler Gateway for Enterprise Store wizard should not be used with the NetScaler version being
used in the lab environment (NetScaler 11.0 Build 64.34). Using this wizard will result in http being used instead
of https even though you selected https in the wizard. For this reason, you should follow the steps provided in the
exercises rather than use the wizard. The steps in the exercises will bypass this issue.
The Citrix NetScaler product line optimizes delivery of applications over the Internet and private networks, combining
application-level security, optimization, and traffic management into a single, integrated appliance. You can install a NetScaler
appliance in the DMZ and route all connections from the endpoints to your managed servers through it. The NetScaler
features that you enable and the policies you set are then applied to incoming and outgoing traffic.
The features available in NetScaler are based on the license installed.
• A NetScaler Gateway Platform license allows an unlimited number of end users to access internal XenApp and
XenDesktop resources using ICA proxy without compromising the security of your internal network.
• A NetScaler Gateway Universal license enables a full VPN tunnel, endpoint analysis, policy-based SmartAccess, and
clientless access to Web sites and file shares in your internal network.
For more information about NetScaler licensing, search www.citrix.com for "netscaler-data-sheet.pdf".
After completing this module, you will be able to:
• Perform the initial NetScaler configuration.
• Configure NetScaler high availability.
• Load balance StoreFront servers through NetScaler.
• Enable remote access to the StoreFront store.
• Configure HDX (ICA) proxy.
• Configure a pre-authentication policy to scan an endpoint.
• Configure NetScaler for email-based account discovery.
Module Timing: 5.0 hours
4. Click Next.
5. Select the location where the imported VM will be placed.
Select the XS1 XenServer and then click Next.
6. Select the local storage repository on which to store the virtual appliance and then click Import to begin the import
process.
Select NFS virtual disk storage and then click Import.
8. Review the import settings and then click Finish to complete the import process.
The imported NetScaler VPX appears in XenServer after the import is finished. The imported NetScaler VPX
will be configured in an exercise later in this module.
Discussion Question
When is the default IP address of 192.168.100.1 / 255.255.0.0 used to configure a NetScaler?
Discussion Question
How many concurrent end-user connections can a NetScaler VPX support?
You should pay close attention whenever you are asked to type anything into the NetScaler interface. Check and
then double-check everything before moving to the next step in all NetScaler procedures. This can reduce the
amount of troubleshooting you need to do later.
4. Type the subnet mask for the IP address at the prompt and then press Enter.
Type 255.255.255.0 and then press Enter.
5. Type the default gateway address at the prompt and then press Enter.
Type 192.168.10.1 and then press Enter.
The StudentManagementConsole-1 VM is being used in this lab to access a browser. Any system could be
used at this point.
9. Open a browser.
Double-click Chrome on the desktop.
Do not use Internet Explorer to manage the NetScaler in this lab environment.
10. Type the IP address that you assigned to the first NetScaler VM into the Address field and then press Enter.
Type 192.168.10.33 into the Address field and then press Enter.
11. Type the user name and password into the appropriate fields and then click Login.
Type nsroot in both fields and then click Login.
12. Click Skip on the Citrix User Experience Improvement Program screen.
13. Verify that the NetScaler IP Address is correct.
15. Verify the Subnet IP Address Netmask in the Subnet IP Address NetMask field.
Type 255.255.255.0 in the Subnet IP Address field.
19. Select the correct time zone in the Time Zone field.
Select GMT-5:00-EST-America/Jamaica.
Discussion Question
How do you access the NetScaler Configuration utility?
Configuring NTP
Network Time Protocol (NTP) uses a time server to provide all devices in an environment with an authoritative source from
which to synchronize their local clocks. The time server can be private or public. If the servers in the environment do not
have their local clocks set consistently, Kerberos authentication may fail and Event Logs may not be time stamped properly.
NTP should be configured on the NetScaler immediately after the initial configuration is completed. NTP
servers that have been retired or are no longer accessible should be removed from the NetScalers.
In the lab, you are using the domain controller to provide the NTP service.
2. Open a browser, type the IP address of the NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.
4. Click System > NTP Servers and then click Add at the top of the NTP Servers tab.
5. Type the IP address of the NTP server in the NTP Server field and then click Create.
Type 192.168.10.11 in the NTP Server field and then click Create.
This step can be repeated to add additional NTP servers. One of the NTP servers can also be set as preferred.
6. Right-click NTP Servers in the left pane and then click NTP Synchronization.
7. Select the desired state and then click OK.
Select Enabled and then click OK.
8. Right-click NTP Servers in the left pane and then click NTP Parameters.
9. Set the desired parameters and then click OK.
Deselect Authentication and then click OK.
Discussion Question
What will happen if the time server configured to provide NTP services to the NetScaler becomes unavailable?
For more information about NetScaler High Availability with hands on experience contact your class provider and
schedule the CNS-207 course.
Setting Up DNS
NetScaler uses DNS for name resolution. In this procedure, you are adding DNS entries for the virtual servers configured on
the NetScaler and configuring NetScaler to use a DNS server for name resolution.
An Address (A) record is an entry in DNS that maps a fully qualified domain name (FQDN) to an IP address. You must set
up an A record for the NetScaler and the load-balanced StoreFront servers because you will be creating SSL certificates and
the common name will be the FQDN.
2. Click Tools at the top right of the Server Manager window and then click DNS.
3. Browse to the forward lookup zone for the domain.
Browse to AD > Forward Lookup Zones > training.lab.
4. Right-click the domain name and then click New Host (A or AAAA) to create an A record for the NetScaler.
Right-click training.lab and then select New Host (A or AAAA).
5. Type a name for the new NetScaler host in the Name field and then type the IP address of the host.
Type access in the Name field and then type 192.168.10.50 in the IP Address field.
11. Open a browser, type the IP address of the first NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.
13. Expand the Traffic Management > DNS > Name Servers nodes in the left pane of the first NetScaler.
14. Click Add to add a new Name Server.
15. Type the IP address of the DNS server in the environment into the IP Address field and then click Create.
Type 192.168.10.11 in the IP Address field and then click Create.
Discussion Question
If you add another StoreFront server to the environment, how many more virtual servers (vServers) do you need to add to
NetScaler?
The wildcard character only covers one full stop (period) in the address. For example, while the certificate would
secure the accounts.training.lab and hr.training.lab FQDNs, it would not secure the new.accounts.training.lab
FQDN.
If you use a third-party and assign it to the domain, you would need to purchase additional certificates for each FQDN. This
could become expensive if you have multiple sub-domains. In addition, you would have to manage the expiration and
replacement of multiple certificates instead of just one.
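The single-label rule described in the note above, as an added Python example (not part of the course material). It models the common certificate name-matching behaviour in which the wildcard must be the whole left-most label; the bare-domain case training.lab is an added test case, and the other host names come from this module.

```python
"""Single-label wildcard matching, as applied to certificate names."""


def split_labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_covers(pattern, hostname):
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules modelled:
      * comparison is case-insensitive and done label by label;
      * "*" is accepted only as the entire left-most label;
      * "*" stands for exactly one label, so it never spans a dot
        and never matches the bare parent domain.
    """
    p_labels = split_labels(pattern)
    h_labels = split_labels(hostname)

    if "" in p_labels or "" in h_labels:
        return False                      # empty label: malformed name
    if any("*" in label for label in p_labels[1:]):
        return False                      # wildcard outside the left-most label
    if len(p_labels) != len(h_labels):
        return False                      # "*" cannot absorb extra or missing labels

    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False                      # partial wildcards such as "acc*" are not modelled
    return p_labels == h_labels


def coverage_report(cert_names, hostnames):
    """Map each hostname to the first certificate name that covers it, or None."""
    report = {}
    for host in hostnames:
        report[host] = next((n for n in cert_names if wildcard_covers(n, host)), None)
    return report


# Names used in this module; "training.lab" (the bare domain) is an added case.
LAB_CERT_NAMES = ["*.training.lab"]
LAB_HOSTS = [
    "accounts.training.lab",
    "hr.training.lab",
    "new.accounts.training.lab",
    "access.training.lab",
    "sf.training.lab",
    "training.lab",
]

if __name__ == "__main__":
    for host, name in coverage_report(LAB_CERT_NAMES, LAB_HOSTS).items():
        status = "covered by " + name if name else "NOT covered"
        print(f"{host:28} {status}")
```

Running the report before requesting a certificate shows which planned FQDNs would still need their own certificate.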
2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.
While this step is not a part of creating a certificate, SSL must be enabled on the NetScaler in order to use the
certificate that you are creating.
6. Click SSL in the left pane and then click Create RSA Key in the SSL tab.
7. Type a name in the Key Filename field.
Type wildcard_training_lab.key in the Key Filename field.
10. Type a passphrase in the PEM Passphrase and Confirm PEM Passphrase fields and then click Create.
Type Password1 in the PEM Passphrase and Confirm PEM Passphrase fields and then click Create.
11. Click Create Certificate Signing Request (CSR) in the SSL tab.
12. Type a name in the Request File Name field.
Type wildcard_training_lab.csr in the Request File Name field.
13. Click Browse to the right of the Key Filename field and then double-click the name of the key file created earlier.
Click Browse to the right of the Key Filename field and then double-click wildcard_training_lab.key.
15. Select the country and then type the state or province to use for the certificate.
Select United States in the Country field and then type Florida in the State or Province field.
16. Specify a name for the organization in the Organization Name field.
Type Training in the Organization Name field.
17. Type the FQDN of the company or Web site in the Common Name field and then click Create.
Type *.training.lab in the Common Name field and then click Create.
You are creating a wildcard certificate, so you are using a wildcard character in the FQDN.
18. You can click on the Click here to View link to see the CSR.
The following steps are the alternate way to view the CSR.
19. Click Manage Certificates / Keys / CSRs in the Tools section of the SSL tab.
20. Click Yes to confirm refresh, if a prompt appears.
21. Select the certificate signing request that you created and then click View at the bottom of the window.
Select the wildcard_training_lab.csr file and then click View.
Selecting the wrong file will result in you receiving an "ASN1 bad tag value met" error during the certificate
request.
22. Press Ctrl+A and then press Ctrl+C to copy all of the text to the clipboard.
23. Click Close and then click Close again.
24. Browse to the internal Certificate Authority issuer and follow their steps to generate a certificate.
If requested, type TRAINING\Administrator in the User name field, Password1 in the Password
field, and then click OK.
Every Certificate Authority has slightly different steps. The lab environment uses Microsoft Enterprise
Certificate Authority Web Enrollment.
26. Click Traffic Management > SSL > Certificates in the left pane of the NetScaler Configuration utility on the first
NetScaler.
27. Click Install.
28. Type a name in the Certificate-Key Pair Name field.
Type wildcard_training_lab.certkey in the Certificate-Key Pair Name field.
29. Click the down arrow to the right of the Browse button for the Certificate File Name field and then select Local.
30. Browse to where the certificate file was saved and then double-click the certificate file.
Click Desktop and then double-click wildcard_training_lab.cer.
31. Click Browse to the right of the Key Filename field and then double-click the name of the key file you created earlier.
Click Browse and then double-click wildcard_training_lab.key.
32. Type the password for the private key in the Password field.
Type Password1 in the Password field.
There is no confirmation message. If you prematurely click Create before all of the information has been
entered, you can delete the certificate by selecting the certificate and then clicking Remove in the Traffic
Management > SSL > Certificates window.
Discussion Question
Which two fields on a certificate are used to verify the chain of trust?
You will be using an internal Certificate Authority instead of a public Certificate Authority in this procedure,
because of lab environment and monetary constraints.
2. Open a browser, type the IP address of the NetScaler, and then press Enter.
Open Chrome (located on the desktop), type 192.168.10.33, and then press Enter.
4. Click Traffic Management > SSL in the left pane and then click Create RSA Key.
5. Type a name in the Key Filename field.
Type access_training_lab.key in the Key Filename field.
8. Type a passphrase in the PEM Passphrase and Confirm PEM Passphrase fields and then click Create.
Type Password1 in the PEM Passphrase and Confirm PEM Passphrase fields and then click Create.
11. Click Browse to the right of the Key Filename field and then double-click the key file.
Click Browse to the right of the Key Filename field and then double-click access_training_lab.key.
13. Select the country and then type the state or province to use for the certificate.
Select United States in the Country field and then type Florida in the State or Province field.
15. Type the FQDN in the Common Name field and then click Create.
Type access.training.lab in the Common Name field and then click Create.
16. Click Manage Certificates / Keys / CSRs in the Tools section of the SSL tab.
17. Click Yes to refresh the configuration, if a prompt appears.
18. Select the certificate signing request that you created and then click View at the bottom of the window.
Select the access_training_lab.csr file and then click View.
Selecting the wrong file will result in you receiving an "ASN1 bad tag value met" error during the certificate
request.
19. Press Ctrl+A and then press Ctrl+C to copy all of the text to the clipboard.
20. Click Close and then click Close again.
21. Browse to the third-party certificate issuer and follow their steps to generate a certificate.
23. Click Certificates under Traffic Management > SSL in the left pane.
24. Click Install.
25. Type a name in the Certificate-Key Pair Name field.
Type access_training_lab.certkey in the Certificate-Key Pair Name field.
26. Select the down arrow next to the Browse button for the Certificate File Name field and then select Local.
27. Browse to where the certificate file was saved and then double-click the certificate file.
Click Desktop and then double-click access_training_lab.cer.
28. Click Browse to the right of the Key File Name field and then double-click the key file.
Click Browse to the right of the Key File Name field and then double-click access_training_lab.key.
29. Type the password for the private key in the Password field.
Type Password1 in the Password field.
2. Open a browser, type the IP address of the NetScaler, and then press Enter.
Open Chrome (located on the desktop), type 192.168.10.33, and then press Enter.
4. Expand the Traffic Management node, right-click Load Balancing, and then click Enable Feature.
5. Expand the Load Balancing node and then click Servers to create a server for each of your StoreFront servers.
6. Click Add and type a name for the first StoreFront server in the Name field.
Click Add and then type StoreFrontServer-1 in the Server Name field.
7. Type the IP address for the first StoreFront server in the IP Address field and then click Create.
Type 192.168.10.28 in the IP Address field and then click Create.
NetScaler Gateway will use this IP address to load balance and direct connections to the StoreFront server.
10. Type the IP address for the second StoreFront server in the IP Address field and then click Create.
Type 192.168.10.29 in the IP Address field and then click Create.
NetScaler Gateway will use this IP address to load balance and direct connections to the StoreFront server.
11. Click Services under the Load Balancing node and then click Add to create a service for each of the StoreFront servers in
the environment.
12. Type a name for the first StoreFront service in the Service Name field.
Type SFService-1 in the Service Name field.
13. Select the name of the first StoreFront server in the Server field.
Click the Existing Server radio button and select StoreFrontServer-1 (192.168.10.28).
14. Select SSL in the Protocol field. The port should be 443. Then click OK.
15. Click 1 Service to Load Balancing Monitor Binding under Monitors, select the proper StoreFront monitor, and then
click Add.
Click 1 Service to Load Balancing Monitor Binding under Monitors, click Add Binding, click in the field below
Select Monitor. Select the https monitor radio button then click Select. Click Bind.
19. Select the name of the second StoreFront server in the Server field.
Click the Existing Server radio button and select StoreFrontServer-2 (192.168.10.29) from the drop down menu.
20. Select SSL in the Protocol field. The port should be 443. Then click OK.
21. Click 1 Service to Load Balancing Monitor Binding under Monitors, select the proper StoreFront monitor, and then
click Add.
Click 1 Service to Load Balancing Monitor Binding under Monitors, click Add Binding, click in the field below
Select Monitor. Select the https monitor radio button then click Select. Click Bind.
24. Select Virtual Servers in the left pane under the Load Balancing node and then click Add in the Virtual Servers tab to
create the load balancing virtual server for the StoreFront servers.
Only one load balancing virtual server needs to be created regardless of the number of StoreFront servers in
the environment.
25. Type an appropriate name in the Name field for the load balancing virtual server used by the StoreFront servers.
Type sf_training_lab in the Name field.
28. Click No Load Balancing Virtual Server Service Binding under Services and Groups tab and then select the StoreFront
services that will be load balanced by this virtual server.
Click No Load Balancing Virtual Server Service Binding under Services and Groups then click in the field below
Select Service. Check the boxes next to SFService-1 and SFService-2 then click Select. Click Bind, then click
Continue.
29. Click No Server Certificate under Certificates and then select the proper SSL certificate.
Click No Server Certificate under Certificates, then click in the field below Select Server Certificate and then select
wildcard_training_lab.certkey then click Select, click Bind, then click Continue.
35. Click the diskette in the upper-right area of the window and then click Yes to save the configuration.
8. Type a name in the User logon name field and then click Next.
Type LDAPAuth in the User logon name field and then click Next.
10. Specify the desired password settings and then click Next.
You are doing this so that the credentials you type into the NetScaler later on will not be for the domain
administrator account. This is not strictly necessary, but may reduce the potential attack surface. It is a good
practice to use a relatively long randomized password for service accounts.
12. Right-click the newly created service account and then click Add to a group to add the NetScaler LDAP service account
to the service accounts group.
Right-click LDAPAuth and then click Add to a group.
13. Specify the group to which you want to add the service account.
Type Service Accounts.
14. Click Check Names, click OK, and then click OK again.
Adding the account to the service accounts group will prevent interactive logon because you created a Group
Policy Object earlier that disallows log on locally to the service accounts group.
15. Browse to the OU that contains the end-user accounts to begin creating a security group for end users that will be
allowed remote access through the NetScaler.
Expand training.lab > Training Users.
16. Right-click the end-users OU and then click New > Group.
Right-click the Training Users OU and then click New > Group.
17. Type a name for the new group and then click OK.
Type Remote Access in the Group name field and then click OK.
18. Right-click the newly created group and then click Properties to begin adding the end users to the security group that
will be granted remote access.
Right-click the Remote Access group and then click Properties.
Do not include the hduser2 account in the security group so you can use it to verify that end users not
included in the group will not be granted remote access.
In the previous procedure you created the service account required for LDAP authentication and the security
group that identifies the end users who will be given remote access through the NetScaler. In this procedure, you
are configuring the NetScaler to use the service account and security group. The primary configuration will be the
LDAP settings.
2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.
4. Right-click NetScaler Gateway in the left pane of the Configuration utility and then click Enable Feature.
5. Click NetScaler Gateway wizard in the NetScaler Gateway tab on the right.
6. Click Get Started on the Welcome page.
7. Type the IP address to use for the NetScaler Gateway virtual server in the NetScaler Gateway IP Address field.
Type 192.168.10.50 in the NetScaler Gateway IP Address field.
9. Type a name for the NetScaler virtual server in the Virtual Server Name field and then click Next.
Type access_training_lab in the Virtual Server Name field and check the box next to Redirect requests from port 80
to secure port. This redirects users to https if they forget to type https to access the NetScaler virtual server.
10. Type a name for the Gateway FQDN and then click Continue.
Type access_training_lab in the Gateway FQDN field then click Continue.
11. Select the certificate action to perform and then click Continue.
Select Use existing certificate in the Server Certificate field, select access_training_lab.certkey in the Server Certificate
field, and then click Continue.
16. Type the name of the service account to be used in the form of username@domain (FQDN) in the Service account field.
Type LDAPAuth@training.lab in the Service account field.
17. Type the password in the Password and Confirm Password fields.
Type Password1 in the Password and Confirm Password fields.
18. Click Retrieve Attributes to test the connection to the LDAP server and then click OK.
If the test fails, verify that the password and the IP address of the LDAP server are correct.
Failure to specify a value in this field will result in remote users receiving an Incorrect Password error.
There must be a space between "Remote" and "Access" and "Training" and "Users". Remote Access is a group
that you created in an earlier exercise. It is used to group the user accounts that will be allowed remote access
into the environment. By specifying a group, you can limit who can access the environment remotely through
the NetScaler. For more information about configuring LDAP settings, refer to CTX111079 on the
www.citrix.com Website.
26. Specify a group attribute.
Select memberOf from the Group Attribute field.
If you receive an Add Snap-in error, click Cancel in the End Snap-in message and the console will open. Do
not click End Now.
4. Click Stores in the left pane and then select the proper store.
Click Stores and then select Store-1.
5. Click Manage Delivery Controllers in the right pane, verify that the Delivery Controllers are listed in the Servers
column, and then click OK.
Click Manage Delivery Controllers in the right pane, verify that c-1.training.lab and c-2.training.lab are listed in the
Servers column, and then click OK.
6. Click Authentication in the left pane and then click Add/Remove Methods.
7. Select the desired authentication methods and then click OK.
You are selecting Domain pass-through so that the Receiver on domain-joined endpoints can authenticate
without the end user re-entering credentials.
8. Click NetScaler Gateway in the left pane and then click Add NetScaler Gateway in the right pane.
9. Type an appropriate name in the Display name field.
Type access.training.lab in the Display name field.
Remote end users will use this name to configure Citrix Receiver preferences.
10. Type the FQDN to the NetScaler in the NetScaler Gateway URL field.
Type https://access.training.lab in the NetScaler Gateway URL field.
12. Type the FQDN to the NetScaler in the Callback URL field and then click Next.
Type https://access.training.lab in the Callback URL field and then click Next.
13. Click Add, and then type the URL to the STA in the STA URL field to add Secure Ticket Authorities (STAs).
Click Add and then type https://c-1.training.lab in the STA URL field.
/scripts/ctxsta.dll will automatically be appended to the end of the URL for the STA. Each Controller is a
Secure Ticket Authority (STA).
Discussion Question
You just configured NetScaler to load balance your StoreFront servers. What do you need to configure on your StoreFront
servers to direct traffic through the NetScaler?
Creating Beacons
You can specify URLs inside and outside your internal network to be used as beacon points. Citrix Receiver uses beacon
points to determine whether end users are connected from internal or external networks and then selects the appropriate
access method.
By default, StoreFront uses the server URL or load-balanced URL of your deployment as the internal beacon point. The Citrix
Web site and the virtual server or end-user logon point URL of the first NetScaler deployment you add are used as external
beacon points by default.
If you change any beacon points, ensure that end users update Citrix Receiver with the modified beacon information. If a
Receiver for Web site is configured for a store, end users can obtain an updated Citrix Receiver provisioning file from the site.
If a Receiver for Web site is not configured for the store, you can export a provisioning file for the store and make this file
available to your end users.
6. Verify that the URL for the second external beacon appears.
Verify that http://www.citrix.com appears.
7. Select Specify beacon address and then type the URL for the load balanced virtual server for StoreFront.
Select Specify beacon address and then type https://sf.training.lab in the Specify beacon address field.
From now on in the lab environment, internal users will use https://sf.training.lab to access resources. External
users will access resources using the https://access.training.lab URL.
Select access.training.lab.
7. Click OK.
Discussion Question
John is changing the configuration settings on StoreFrontServer-1. Kelly is changing the configuration settings on
StoreFrontServer-2. John selects Propagate Changes. What happens?
2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
Open Chrome, type 192.168.10.33, and then press Enter.
4. Click NetScaler Gateway > Policies > Session in the left pane and then click the Sessions Profiles tab on the right.
5. Select the 192.168.10.50_443 Session Profile and then click Edit.
Select 192.168.10.50_443 Session Profile and then click Edit.
6. Type the URL for the Receiver for Web site using the FQDN to the StoreFront load balancing virtual server in the Web
Interface Address field.
Check the box to Override Global under the Published Applications tab and then type
https://sf.training.lab/Citrix/Store-1Web in the Web Interface Address field.
This is the load balancing virtual server for StoreFront on the NetScaler. If sf.training.lab fails to resolve, use
the IP address of 192.168.10.51 instead.
8. Click NetScaler Gateway > Virtual Servers in the left pane, click the access_training_lab virtual server on the right then
click Edit.
9. Click the Published Applications node on the right.
10. Click No STA Server under Published Applications on the left.
11. Type the URL to the Secure Ticket Authority on the first Controller and then click Bind.
Type https://c-1.training.lab in the Secure Ticket Authority Server field, select IPV4 as the Secure Ticket Authority
Server Address Type and then click Bind.
The STAs specified on the NetScaler Gateway must be identical to the ones specified in StoreFront. If you
remove an STA in the future from StoreFront, then it must be removed from NetScaler Gateway. The same
goes for adding new STAs.
14. Click on 2 STA Servers under Published Applications to view the STAs.
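One way to check that the STA lists on StoreFront and on NetScaler Gateway are identical, as an added Python example (not part of the course material). It assumes the administrator has copied the STA URLs out of both consoles into two lists; the sample lists below are constructed from the Controller names used in this lab.

```python
"""Compare the STA URLs configured in StoreFront and on NetScaler Gateway."""
from urllib.parse import urlsplit

STA_PATH = "/scripts/ctxsta.dll"   # suffix that is appended to the STA URL automatically


def normalize_sta(url):
    """Reduce an STA URL to a comparable (scheme, host, port) tuple.

    The scheme is kept, so http://c-1 and https://c-1 count as different
    entries. A bare URL and the same URL ending in /scripts/ctxsta.dll
    compare equal; any other path is rejected as a typing error.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an STA URL: {url!r}")
    path = parts.path.rstrip("/").lower()
    if path not in ("", STA_PATH):
        raise ValueError(f"unexpected STA path in {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def sta_drift(storefront_urls, gateway_urls):
    """Return the STA entries that exist on one side only."""
    sf = {normalize_sta(u): u for u in storefront_urls}
    gw = {normalize_sta(u): u for u in gateway_urls}
    return {
        "missing_on_gateway": sorted(sf[k] for k in sf.keys() - gw.keys()),
        "missing_on_storefront": sorted(gw[k] for k in gw.keys() - sf.keys()),
    }


# Constructed sample input: the second Gateway entry was typed with http.
SAMPLE_STOREFRONT = [
    "https://c-1.training.lab",
    "https://c-2.training.lab",
]
SAMPLE_GATEWAY = [
    "https://C-1.training.lab/scripts/ctxsta.dll",
    "http://c-2.training.lab",
]

if __name__ == "__main__":
    for side, urls in sta_drift(SAMPLE_STOREFRONT, SAMPLE_GATEWAY).items():
        print(side, urls if urls else "none")
```

An empty result on both sides means the two lists match; any entry reported should be corrected on the side that differs before testing remote launches.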
Discussion Question
Why might you implement ICA proxy instead of a VPN?
Pre-authentication policy scans complete before the end-user's session uses a license.
For more information about NetScaler High Availability with hands on experience contact your class provider and
schedule the CNS-207 course.
If NetScaler is being used to load balance the StoreFront servers, you should specify the URL of the load
balancing virtual server for the StoreFront servers. For example: https://sf.training.lab/Citrix/Store-1Web.
Remote end users will use this URL or https://access.training.lab to access Store-1 using the Receiver for Web
site.
8. Verify https now appears in the URL bar even though you originally typed http.
At this point, the Log On page being displayed is the Log On page for the NetScaler.
11. If Receiver is not installed, select I agree with the Citrix license agreement, and then click Install.
12. Click Run.
13. Click Yes on the User Account Control window.
14. Click Install.
15. Click Finish.
16. Click Allow three times.
17. Verify that resources are available to the end user.
If resources were previously added for the end user, resources will appear in the Citrix Receiver window. If
both applications and desktops have been added, tabs will be available at the bottom of the Citrix Receiver
window. If no applications or desktops have been added for the end user, a plus sign will appear on the left
side of Citrix Receiver.
18. Verify that a resource launches successfully for the remote end user.
Click Win8 Desktop, click Allow, and then verify that it starts.
19. Close the resource and then log off of Citrix Receiver.
Click AcctUser1 in the Win8 Desktop and choose Sign out. Click the arrow to the right of AcctUser1 in Citrix
Receiver, and then click Log Off.
22. Type the URL for the NetScaler and then press Enter.
Type https://access.training.lab and then press Enter.
At this point, the Log On page being displayed is the Log On page for the NetScaler.
24. Log on to the Web site using domain user credentials for a user not in the Remote Access group.
Log on to the Web site using the HDUser2 and Password1 credentials.
25. Verify that the user is denied access to resources because they are not a member of the Remote Access group.
26. Close Internet Explorer.