Citrix XenApp 6.5 Advanced Administration Citrix Course CXA-301-1I


© Copyright 2011 Citrix Systems, Inc.

October 2011
Version 1.0

Table of Contents

Module 1: Troubleshooting the XenApp Environment
Overview
Troubleshooting Methodology
Define the Issue
Gather Detailed Information
Additional Data Resources
Narrow the Scope

Consider Possible Causes
Create an Action Plan
Implement the Action Plan
Observe the Results of the Action Plan
Document Changes Following Issue Resolution

XenApp Components
XenApp Communications
Citrix Troubleshooting Tools

Logon Issues
Citrix Receiver is Not Installed
Receiver Detection Redirection Error

No Citrix Licenses are Available
Web Interface
Web Interface Communication Process
Web Interface Configuration Methods
Workspace Control
Client to Web Interface Communications
Web Interface Repair Option
Requirements for the Web Server Name
Account Self-Service is Unavailable

Web Interface Authentication
Explicit Authentication
Applying Explicit Authentication
Explicit Authentication Testing Guidelines

Pass-Through Authentication
NTFS Permissions for Pass-Through Authentication
Proxy Servers and Pass-Through Authentication
Certificate Mapping

Guidelines for Smart Card Authentication
Authentication Tickets
Authentication Ticketing Process

Determining Which Server Will Host the User Session
Least Busy Server Issues

To Enable ASP.NET Tracing
User Sessions
User Profile Issues
Session Sharing
Session Timeout Settings
Post-Connection Issues
Network Connectivity
Application Issues
Application Streaming Troubleshooting

HDX Functionality
HDX Experience

Server Resources
XenApp in a Virtualized Environment
The Independent Management Architecture Service
IMA Service Error Codes
To Troubleshoot IMA Service Start Issues

IMA Service Failed Message
To Troubleshoot IMA Service Failed Message
To Change the Default Timeout Value for the Service Control Manager

SQL Server-Related IMA Startup Issues
Server Load Uneven
Server Not Accepting User Connections
Health Monitoring Disallowing Logons
Memory Leaks
Server Troubleshooting Tools
Data Store Replication Check
Citrix License Check Utility
CDF Tracing

Test Your Knowledge: Troubleshooting the XenApp Environment

Module 2: Scaling the XenApp Environment
Overview
Farm Configuration Recommendations
Farm Configuration Guidelines

Farm Scalability
Scripted Installation
Unattended Installation and Configuration
To Script Installation of a XenApp Server

Server Build Scripting
To Create a Base Image

XenApp Server Templates
Data Store Database Migration
Dedicated Data Collector
Web Interface Planning
Delivery Services
XenApp and XenDesktop Integration
To Integrate XenApp with XenDesktop Using Delivery Services

XenApp and Provisioning Services Integration
XenApp and Merchandising Server Integration
Merchandising Server Citrix Recommendations
Troubleshooting Merchandising Server

Test Your Knowledge: Scaling the XenApp Environment

Module 3: Creating Farm Redundancy
Overview
Eliminating Single Points of Failure
Malfunctioning Servers

Business Continuity
XenApp Site Redundancy
Worker Group Preference and Failover
Microsoft SQL Server Fault Tolerance

Load Balancing
LBDiag

XenApp and NetScaler Integration
Cloudbursting

Test Your Knowledge: Creating Farm Redundancy

Module 4: Maintaining the XenApp Environment
Overview
Farm Setting Migration
Farm Setting Migration Inclusions and Exclusions
Recommendations for Farm Setting Migration
Post-Migration Tasks
XenApp Server Renaming

Data Store Database Maintenance
Data Store Database Recovery
Local Host Cache
XML Service Overview
XML Service Port Configuration
XML Service Trust Configuration

Routine Operations
To Add XenApp PowerShell Commands
Publishing Applications with PowerShell
XenApp Hotfixes
XenApp Server Restart
Determining a Restart Schedule
To Configure a Restart Schedule

Power and Capacity Management
Power Management
Power and Capacity Management Farm
Workloads and Profiles
Control Modes
Load Consolidation
Power and Capacity Management Components
Schedules

Test Your Knowledge: Maintaining the XenApp Environment

Module 5: Optimizing the XenApp Environment
Overview
Performance Tuning
Independent Management Architecture Service
Baseline with Service Monitoring

Windows Server Tuning for XenApp
Defragmenting Disks
Active Directory Recommendations
Policy Processing and Precedence
Policy Configuration Methods
Active Directory User Permissions

XenApp Tuning
Application Streaming Optimization

Virtual Memory Optimization
Virtual Memory Optimization Processes
Application Exclusions

CPU Optimization
CPU Utilization Management

Virtual Machine Sizing
Virtual Machine Sizing Guidelines
Additional Recommendations
XenApp and XenServer Integration

Multi-Streaming
ICA Virtual Channels
ICA Priority Tags
Multi-Streaming Functionality
Configuring Multi-Streaming

Accelerating ICA Traffic with Branch Repeater
Branch Repeater Benefits
Accelerate Datacenter Servers
Branch Repeater with Access Gateway
Network Performance Factors
Quality of Service through Branch Repeater
Quality of Service
XenApp Quality of Service Policies

Test Your Knowledge: Optimizing the XenApp Environment

Module 6: Optimizing the User Environment
Overview
Access Methods
Application Delivery Methods
Installed on the Server
Streamed to Server
Streamed to Desktop

Application Compatibility
To Determine Application Compatibility

Application Streaming
Force Application Streaming
Streaming Application Rules

Isolation Environment Rules
Pre-Launch and Post-Exit Scripts
Streaming Debug Flags
XenApp and App-V Integration

General Guidelines For Improving Application Performance
User Profiles
Folder Redirection
Profile Types and Characteristics
Profile Management
Citrix Profile Management
Profile Management Features

Profile Solution Recommendations
Session Pre-Launch
Session Pre-Launch Process

User Connection Configuration
Customize Audio Settings
Disk Location Redirection
Flash Redirection

Test Your Knowledge: Optimizing the User Environment

Module 7: Optimizing Printing
Overview
Printing Architecture Review
Printer Types
Printer Provisioning
Citrix Print Manager Service

Managing Printers
To Replicate a Printer Driver Manually
To Replicate a Printer Driver Automatically

Citrix Universal Printer
Enhanced MetaFile Format
XPS Printing
Citrix Universal Printer Settings

Printing Performance Policies
Printing Enhancements
Universal Printing Settings

Printer Properties Retention
Non-Native Printer Drivers
Printer Driver Isolation
Printing Tools
Print Detective Tool
StressPrinters

Troubleshooting Printing
Printer Auto-Creation Fails
Sessions Do Not Show Correct Default Printer
Auto-Created Printers Do Not Delete
Jobs From Auto-Created Printers Do Not Print Properly
To Assess Failed Print Jobs
To Troubleshoot Printing on the User Device

Test Your Knowledge: Optimizing Printing

Module 8: Securing XenApp
Overview
Setting Rights and Permissions
Securing the Environment with XenApp Policies
Securing the XenApp Servers with Active Directory Policies
Data Store Permissions

XenVault
XenVault Use Case
XenVault Administration

SSL Certificates
Server Communications
Securing Internal Traffic
SSL Relay

Securing External Traffic
Web Interface Security

Requesting Certificates
To Create an SSL Certificate Request for Web Interface
To Create an SSL Certificate Request for Merchandising Server
To Create an SSL Certificate Request for NetScaler/Access Gateway Enterprise Edition

SSL Certificate Distribution and Installation
To Install an SSL Certificate on Web Interface
To Install an SSL Certificate on Merchandising Server
To Install an SSL Certificate on NetScaler/Access Gateway Enterprise Edition

Test Your Knowledge: SSL Certificates for External Access
XenApp Security with Access Gateway
SmartAccess
SmartAccess Process
Access Scenario Fallback
To Configure SmartAccess

Deploying Access Gateway
Migrating from Secure Gateway to Access Gateway

Test Your Knowledge: Securing XenApp

10 © Copyright 2011 Citrix Systems, Inc.

Page 11: Cxa 301 1i_im_spdf

ModuleModule 9:9: MonitoringMonitoring XenAppXenApp withwith StandardStandard UtilitiesUtilities .................................................................. 243243Overview ............................................................................................................................. 245XenApp Monitoring ............................................................................................................. 246Network Monitoring ........................................................................................................ 246

XenApp Utilities ................................................................................................................... 248XenApp Log Files ............................................................................................................ 248AuditLog ......................................................................................................................... 249Web Interface Logs ........................................................................................................ 249Detailed Server Error Messages .................................................................................. 250To Configure Verbose Error Messages .................................................................... 250

Monitor Control Diagnostic Logging ........................................................................... 251Duplicate Log Entries .................................................................................................. 251

Data Store View .............................................................................................................. 252Query Commands .......................................................................................................... 253Informational PowerShell Cmdlets ................................................................................... 254

Citrix Utilities ....................................................................................................................... 256Desktop Director ............................................................................................................. 256To Install Desktop Director for XenApp ....................................................................... 257

MedEvac ......................................................................................................................... 258Third-Party Tools ................................................................................................................ 260Performance Monitor ...................................................................................................... 260Process Monitor ............................................................................................................. 262Resource Monitor ........................................................................................................... 263TCPView ......................................................................................................................... 263Network Protocol Analyzers ............................................................................................ 265

Test Your Knowledge: Monitoring Tools ............................................................................. 266

ModuleModule 10:10: MonitoringMonitoring XenAppXenApp withwith EdgeSightEdgeSight .................................................................................. 267267Overview ............................................................................................................................. 269EdgeSight Components ...................................................................................................... 270EdgeSight Communication ............................................................................................. 271EdgeSight Agents ........................................................................................................... 272EdgeSight Agent Workers ........................................................................................... 273Agent Metrics ............................................................................................................. 273Agent Data Upload Process ........................................................................................ 274

Real-Time Information ......................................................................................................... 276User Troubleshooter ....................................................................................................... 277Device Troubleshooter .................................................................................................... 278Farm Monitor .................................................................................................................. 279Using Information Reported by EdgeSight ...................................................................... 280Use Case: XenApp Farm Health ................................................................................. 280Use Case: Application Support ................................................................................... 281Use Case: Device Health ............................................................................................ 282

Reports ............................................................................................................................... 284Report Access ................................................................................................................ 284Filter a Report ............................................................................................................. 285

© Copyright 2011 Citrix Systems, Inc. 11

Page 12: Cxa 301 1i_im_spdf

Delays ............................................................................................................................. 285Use Case: Application Support ....................................................................................... 286Use Case: XenApp Health and Capacity Planning .......................................................... 287Use Case: End-User Experience Monitoring ................................................................... 288Use Case: Application Performance and Stability ............................................................ 289Use Case: Branch Office Performance ............................................................................ 289Test Your Knowledge: Historical and Real-Time Data ..................................................... 290

Alerts .................................................................................................................................. 291Alert Guidelines ............................................................................................................... 291Alert Rules .................................................................................................................. 292

Alert Process .................................................................................................................. 293Alert Types ..................................................................................................................... 293Alert Rule Parameters ..................................................................................................... 295To Define an Alert Rule ............................................................................................... 296

Alert Actions ................................................................................................................... 296Editing Alert Actions .................................................................................................... 298

Alert Console .................................................................................................................. 298Alert List ......................................................................................................................... 298Viewing Alert Details .................................................................................................... 300

Test Your Knowledge: Alerts ........................................................................................... 300Active Application Monitoring .............................................................................................. 302Active Application Monitoring Architecture ...................................................................... 303Active Application Monitoring Controller Console ........................................................ 304

Monitoring Scripts ........................................................................................................... 305Connection Types ........................................................................................................... 306To Create an Application Monitor ................................................................................ 306Viewing Errors ............................................................................................................. 307Configuring Alerts ....................................................................................................... 307

Test Your Knowledge: Active Application Monitoring ...................................................... 308


Notices

Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this publication. Citrix specifically disclaims any expressed or implied warranties, merchantability, or fitness for any particular purpose. Citrix reserves the right to make any changes in specifications and other information contained in this publication without prior notice and without obligation to notify any person or entity of such revisions or changes.

© Copyright 2011 Citrix Systems, Inc. All Rights Reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without express written permission of:

Citrix Systems, Inc.

851 West Cypress Creek Road

Fort Lauderdale, FL 33309

http://www.citrix.com

The following marks are service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.

Mark: Owner

Adobe®, Flash®, Acrobat®: Adobe Systems Incorporated

Apache®: Apache Micro Peripherals, Inc.

AutoCAD®: Autodesk, Inc.

Mac®: Apple, Inc.

Brother™: Brother Industries, Ltd.

Branch Repeater™, Citrix®, Citrix Access Gateway™, Citrix Education™, Citrix Receiver™, EdgeSight®, HDX™, ICA®, NetScaler®, MyCitrix™, XenApp™, XenDesktop®, Provisioning Services™, XenCenter™, SecureICA™, SpeedScreen™, Citrix Developer Network™, AppCenter™, IMA®, XenVault™: Citrix Systems, Inc.

Active Directory®, Hyper-V™, Internet Explorer®, Microsoft®, SQL Server®, Windows®, Windows Server®, Excel®, Outlook®, PowerPoint®, Office®, Windows 7™, Windows XP™, Windows Vista®, Remote Desktop Services®, PowerShell®: Microsoft Corporation

Firefox®: Mozilla Corporation

UNIX®: The Open Group

Java®, JavaScript®, Oracle®: Oracle Corporation

Pearson VUE®: Pearson Education, Inc.

RC5™, RSA™: RSA Data Security, Inc.

Secure Computing®, SafeWord®: Secure Computing Corporation

SecurID®: Security Dynamics Technologies, Inc.

Toolwire®: Toolwire

VMWare®, vSphere™: VMware, Inc.

Wireshark™: Wireshark Foundation, Inc.

Other product and company names mentioned herein might be the service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.


Credits

Instructional Designers: Jeremy Boehl, Dustin Clark, Ben Colborn, Lydia Kellman, Karla Stagray

Product Specialist: Andrew Garfield

Graphic Artist: Joshua Jack, Nathan Jackson

Manager: Mike Young

Editor: Kathryn Morris

Subject Matter Experts: Leo Asencio, Amit Baranwal, Fernando Barbitta, Gary Barton, Jenny Berger, Rob Blincoe, Marcelo Brosiq, Ronald Brown, Blaise Cacciola, Hugh Campbell, Mattie Casper, Victor Cataluna, Ruben Centeno, Hari Chowlur, Mike Connell, Diane Downie, Allen Furmanski, Bill Haberkam, Jo Harder, Ann Harmison, Arnd Kagelmacher, Eric Land, Cris Lau, Fred Liu, Juliano Maldaner, Brad Moczik, Robert Morris, Narender Muthyala, Joseph Nord, Nischay P, Glenn Porter, Elisabeth Reynolds, Andrea Rutherford, William Ryan, Guna Sekhar, Brian Sheppard, Leo Singleton, Mark Simmons, Jay Tomlin, Karthikeyan Vasudevan, Karen Weber, Chris Wright, Norman Wright, Willie Wright, Ning Ye, Andy Zhu


Connect with Citrix Education

Become a part of the Citrix Education community today! Stay connected with us, get the latest updates on our offerings, and let us know how we are doing.

• Facebook - Become a fan of Citrix Education

• Twitter - Follow @citrixeducation

• LinkedIn - Join the Citrix Education group

Visit www.citrixtraining.com to find more information on training, certifications, and exams.


Module 1

Troubleshooting the XenApp Environment


Overview

A variety of factors can impact a user's ability to access resources published through XenApp. By following a troubleshooting methodology and being aware of categories of issues, you can determine the source of a failure and resolve it.

After completing this module, you will be able to:

• Isolate and repair infrastructure faults in a XenApp environment.

• Investigate and resolve application delivery issues.

• Investigate an issue using the correct utility or information source.

Time

• Module: 200 minutes

• Exercises (4): 120 minutes

• Total Time: 320 minutes

This module is lengthy; therefore, please ask students to perform lab exercises throughout the module rather than all at the end. The recommended order is:

• Exercise 1-1 after the Citrix licenses logon issue section

• Exercise 1-2 after the least busy server section

• Exercise 1-3 after the application issues section

• Exercise 1-4 after completing the module


Troubleshooting Methodology

You may apply the Citrix troubleshooting methodology in a variety of different situations. This methodology can be used as a troubleshooting approach regardless of product, product components, or product environment.

The Citrix troubleshooting methodology is comprised of the following steps:

1. Define the issue.

2. Gather detailed information.

3. Consider possible causes.

4. Create an action plan to address the issue.

5. Implement the action plan.

6. Document changes following issue resolution.

As you discover new issues through user reports or monitoring, you begin the process again.


Define the Issue

Defining the issue, by analyzing general information to find the likely cause, is the first step in the Citrix troubleshooting methodology. At this stage information is limited to user reports about their issues.

You must create an issue statement, which is a concise and accurate summary of the known facts. Using this type of issue statement guides you toward focusing on the true issue instead of troubleshooting issues that are outside the scope.

Gather Detailed Information

Gathering detailed information is the process of reviewing help desk reports regarding users who are experiencing the issue and seeking additional clarity if necessary.

More detailed information may be available from tools, such as the AppCenter console and EdgeSight. This additional information should include data that serves to exclude other possible causes and helps to narrow the scope of the issue.

For example, by looking at the Troubleshooting tab within EdgeSight, an administrator may glean that the user accessed multiple sessions or that network latency was high during a specific timeframe.

Verify that no required information is missing before proceeding to the next steps in the troubleshooting methodology. Identify any recent changes or configurations. Issues created by a change made to the environment may not surface immediately.

Additional Data Resources

Additional resources for gathering data include:

• User details, which may include screen captures

• Documented steps for reproducing the issue

• Network packet traces

• Network topology diagrams and other deployment documentation

• Database status from your database administrator

• Event logs

• System logs

• Web logs

• CDF traces

• Troubleshooting logs


Sometimes the cause of an issue is not readily apparent, and researching the symptoms may be required. A key external resource is the online Citrix Knowledge Center, which is available at http://support.citrix.com.

The Citrix Knowledge Center is the official resource for technical information on Citrix products, including hotfixes, security bulletins, troubleshooting guides, documentation, and white papers. The Knowledge Center contains forums through which external sources can be contacted.

For more information about troubleshooting tools, see Citrix article CTX107572 on http://support.citrix.com.

Narrow the Scope

Use the following tasks to narrow the scope of the issue.

Identify symptoms: Further define the scope of the issue by identifying, categorizing, and documenting the symptoms of the issue.

Reproduce the issue: Attempt to reproduce the issue to verify that it still exists and to obtain a clear representation of the environment.

Attempt logon by means of a standard user account, following the same steps as the user described. For example, issues related to permissions can often be identified when a standard user account is used.

Investigate the time line: Determine when the issue began and how frequently the issue occurs.

For example, the issue occurs at 10:00 daily or started occurring immediately after a change was recorded in the Configuration Logging database.

Determine the scope of the issue: Identify the depth and breadth of the issue by determining how far the issue reaches. The boundary is the limit or scope of the issue.

Check baseline information: Review baseline information including historical data about the environment and routine usage information. This information can help determine if recent changes made to the environment may be contributing to the issue.


Consider Possible Causes

During this phase in the Citrix troubleshooting methodology, the clues gathered from the detective work in the previous steps will help point to possible causes of the issue. Define the scope of the issue and the corresponding boundaries and create a list of possible causes. This list of possible causes assists in troubleshooting the appropriate areas.

Create an Action Plan

Investigate each possible cause for the issue and create an action plan based on this information. The action plan may involve actions such as configuring the user device and investigating settings.

It is important to consider how a repair to one component may cause another issue when creating an action plan. Consider each action carefully before implementing the action plan to determine if the proposed repair may cause adverse side effects. Questions to consider include:

• What is the scope of the change?

• Will the change include elements other than XenApp?

• When will the change occur, and how long will it take?

• Who will be involved in the change?

• Will the change occur in a controlled environment?

• Is there a plan to roll back whatever changes are implemented, if needed?

• If the proposed solution is a workaround or a fix, are there any limitations or drawbacks that need to be taken into account?

• In what ways does the test environment differ from the production environment?

When creating an action plan, any potential changes to the environment should first be fully tested in a lab environment. For example, if you suspect that memory optimization is the cause of an issue, you should test potential corrective actions (in this case, disabling memory optimization or designating applications that memory optimization should ignore) before implementing them in production.

Once the solution is derived, create an action plan based on this information. The action plan should be based on the change control procedure and should include rollback steps in the event that the change is not successful. In addition, you need to know the expected benefit and immediacy of the change.

Implement the Action Plan

The next step of the Citrix troubleshooting methodology is implementing the action plan, which could be an investigation leading to identifying additional action items or a full repair of the issue. When implementing action plans, Citrix recommends making only one change at a time. In addition, it is best to make changes in small sets when situations require multiple simultaneous changes. This methodology helps to track the process and the successful and failed actions.


Ideally, a change should be implemented in a test environment. This will allow trial and error without impacting the whole network. The test environment should mimic as closely as possible the actual live environment to minimize the possibility of unforeseen effects happening during implementation. After the solution has been satisfactorily tested, it can then be implemented in the network.

When implementing changes, automation should be incorporated. For example, if the change is based on adding a hotfix, it should be added uniformly to all servers to ensure that no manual steps are overlooked.

Because of potential unforeseen impacts, it is very important to have a thorough monitoring system in place after any solution has been implemented. Such a monitoring solution can include:

• SNMP alarms for notification of unusual system events

• SNMP polling to gather performance data for trending analysis

• Syslogs to log events to a remote host

• Active monitoring by a XenApp or application administrator

• EdgeSight

The next step of the methodology is to observe the results of the action plan; this often occurs while implementing the action plan.

Observe the Results of the Action Plan

Observing results consists of monitoring the changes made to the environment during the implementation of the action plan to determine the effectiveness of the repairs. More than one repair may be required to resolve the issue. In addition, you must observe each repair separately to ensure that the action does not create other issues. It is important to gather enough information to determine whether a change is effective, even when the action does not solve the issue entirely.

EdgeSight is a beneficial tool for observing before and after data points. For example, if users reported that logon time was very slow and a hotfix was supposed to provide a faster logon, EdgeSight reports can be used to compare logon times.

If the repair is successful, move on to the next step of the Citrix troubleshooting methodology. Otherwise, you must gather more information and create another action plan.

Document Changes Following Issue Resolution

Documentation is an integral part of troubleshooting and change control. Recording changes and, in some instances, the time these changes occurred provides valuable information for future reference. Before closing a case, you must document all troubleshooting steps and actions taken. In general, while working through the initial action plan, you should consider that something changed during the repair may affect something else in a way that you fail to notice. For this reason it is important to maintain documentation to record the changes made, so that changes made during the repair process can easily be retraced if necessary.


Documentation provides the following advantages:

• It explains exactly what was done to repair the issue, which can be helpful in repairing similar issues.

• It provides valuable historical information to everyone responsible for maintaining and troubleshooting the environment.

• It includes troubleshooting steps taken and their results, reducing the likelihood of unnecessarily repeating actions and promoting faster case closings when they are escalated.

Citrix recommends documenting all actions, including key information provided by the user, as they occur. Doing so ensures that no vital information goes undocumented. In addition, documenting while troubleshooting or on a call reduces the time dedicated to documentation after the case is closed.


XenApp Components

To effectively manage, optimize, and troubleshoot XenApp, you should understand the components in XenApp environments and the communication that occurs between them.

The following list provides a description of the components in a XenApp farm.

Citrix Receiver on User Device: Software that allows user devices to connect to XenApp farms and launch applications and content published on XenApp.

Data Collector: XenApp server that contains farm-wide, dynamic data about every server in the zone, including:

• Load levels for each server

• Published applications

• Server status: online or offline

• Connected and disconnected sessions

Data Store: Database server that contains farm-wide static data for all XenApp servers.

The data store contains persistent information that does not change frequently and includes data such as:

• Published application information

• Printer driver reference information

• Server information such as name and service pack level

License Server: Server that responds to requests for licenses from Citrix products and issues a license to a session based on the user name or device name so that the end user can access resources on XenApp.

Web Interface: Component of XenApp that provides users access to published resources in one or more farms through a web browser or Receiver.

Worker Group: Worker groups, which consist of servers or domain OUs, allow multiple servers to be grouped together to ease administration.

They provide the ability to manage published applications and policies on multiple servers at the same time. XenApp servers added to a worker group automatically inherit the group settings.

XML Broker: The XML Broker determines which applications appear in the Web Interface, based on the user's permissions.

Do not publish applications on the server functioning as the XML Broker.

Zone: Zones can enhance performance in farms distributed across WANs by grouping geographically related servers together.

Zones collect data from member servers in a hierarchical structure and efficiently distribute changes to all servers in the farm. Each zone contains a server designated as the data collector.

XenApp Communications

You should be aware of the communication that occurs between XenApp components to monitor, maintain, and troubleshoot the environment effectively.

Examining the communication between servers and the data store can help you optimize network traffic and maintain access to resources on XenApp. The following list describes common communication in a XenApp environment.

Initial farm setup: A server initializes the IMA Service and registers with the data collector for the zone in which it resides when it starts.

Citrix AppCenter: Citrix AppCenter gathers farm information using the IMA service when it is started or refreshed.

Although the MFCOM API is deprecated in favor of PowerShell, XenApp still relies on an MFCOM service.

Server-to-server communication: Server-to-server communication occurs within a farm when it is operating and includes coherency checks, IMA pings, and data collector queries.

Connectivity to the data store: XenApp servers have a direct connection to the data store database.

Local host cache change events: Configuration changes made in AppCenter are sent across the farm using notification broadcasts. Large changes require each member server to request the change. The XenApp servers check with the data store every 30 minutes to determine if they need to update the local host cache.

New data collector election: A process is initiated to elect a new data collector when a new server is added to a farm, when a server is restarted, or when a server is unable to communicate with the data collector for its zone.

The election preference menu can be accessed from the task pane of the AppCenter by selecting XenApp > Name of Farm > Zones > Name of Zone. Right-click a server in the middle pane and select Set server's election preference to set election preferences. Only a controller server has the set server's election preference option.

Zone updates among data collectors: Data is transmitted between data collectors during zone updates.

Session-based events: XenApp sends data to the data collector for the zone, which then sends data to all other data collectors in the farm for session-based events such as when a user connects, disconnects, or logs off.

Citrix Troubleshooting Tools

Citrix has incorporated several troubleshooting tools that are highly recommended for addressing issues within a XenApp farm.


Service Monitoring for XenApp

Service Monitoring (EdgeSight) for XenApp includes a troubleshooting mechanism that enables administrators to view a plethora of details regarding current and previous user sessions. By simply entering the user ID, a wealth of information regarding the user experience can be gleaned.

For example, if a user reported that logon time was excessive this morning, it is simple to drill down and see what else was happening within the environment at that same time. Thus, it would be easy to deduce that network congestion or server resource issues occurred at that time and were to blame for the lengthy logon.

Configuration Logging

Where multiple administrators make modifications to a XenApp farm, Citrix recommends implementing Configuration Logging. By tracking the changes that each administrator has made to the system and correlating any subsequent issues reported, it is easy to identify any modifications that may need to be rolled back.

For example, if an administrator changes the properties of a published application at 10:00 and help desk associates escalate issues related to multiple sessions being launched by users, it would be simple to correlate that the modification impaired session sharing.

When implementing Configuration Logging, consider whether the Configuration Logging data needs to be encrypted by means of IMA Encryption, what permissions administrators need for clearing entries from the database, and whether changes can be made if the database is offline.

You can view the logged events in the History tab in AppCenter.

Logon Issues

Most commonly, logon issues are associated with one of the following:

• Citrix Receiver

• Licenses

• Web Interface

• Pass-through authentication

• User Profile

Citrix Receiver is Not Installed

The user must have the Citrix client-side software installed prior to connecting to an ICA session. While many organizations deploy Citrix Receiver by means of Web Interface or Merchandising Server, other enterprise software deployment tools are often used.

Where Web Interface or Merchandising Server are used, ensure the following:

• The correct Receiver package is designated.

• The user accepts the download.

• The user has administrator permission to install Receiver.

Receiver Detection Redirection Error

Web Interface can automatically detect if a Receiver is not installed or the Receiver on a user device is not current. A download wizard allows users to download and install the latest Receiver.

Under certain circumstances, users may find that the wizard redirects them to http://www.citrix.com instead of downloading a Receiver installer. You can troubleshoot this receiver detection error by checking that the Receiver installer has been copied to the correct location on the Web Interface server.

For example, the installer file for the Citrix Receiver should be copied to the %ProgramFiles(x86)%\Citrix\Web Interface\5.4.0\Clients directory. Web Interface should detect the presence of the Receiver installer automatically; however, if the site is still redirecting users to http://www.citrix.com, restart the web server.

• If Prohibit User Installs is enabled in the Windows Installer option in the console tree of the Group Policy Management Console, users will not be able to install a plug-in on their user devices.

• Internet Explorer 9 is known to exhibit issues when used together with some Citrix products. For example, users commonly report that published applications fail to open from Web Interface in Internet Explorer 9. For additional information, including troubleshooting tips and workarounds, see Citrix article CTX129444 on http://support.citrix.com.

No Citrix Licenses are Available

If the number of Citrix licenses available is exhausted or the Citrix licensing has exceeded the 30-day grace period without acquiring a proper license, users will not be able to access XenApp resources. Users may receive an error such as "Cannot find a valid license." After confirming that the XenApp computer policy and Citrix License Server are both using the same port number and can communicate by using pings, you may find that the issue is related to the number of sessions in an idle state or application pre-launch; both consume licenses.

Where application pre-launch is used, a license is consumed for each pre-launch session. Where numerous pre-launched applications exist, a large corresponding number of licenses will also be consumed. Similarly, user sessions that are in an idle state consume licenses in the same way that an active session does. As such, the number of licenses in use exceeds the actual number of user connections and may exceed the number of licenses that would otherwise be expected.

As a result, when users log on to any XenApp resources, it is possible that sufficient licenses may not be available based on those that have already been consumed by application pre-launch. To avoid this issue, administrators should closely monitor the number of Citrix licenses in use by means of the License Administration Console or Service Monitoring for XenApp.

For more license troubleshooting information, see Citrix article CTX126713 on http://support.citrix.com.

Web Interface

Web Interface provides users with access to published resources through a standard web browser or through Citrix Receivers and plug-ins. Web Interface is an essential component of a XenApp environment in that it enables user access to the resources hosted on the XenApp servers.

Web Interface, using Java and .NET technologies, dynamically generates a list of published resources available to users across farms. You should maintain users' access to resources by proactively managing Web Interface, configuration files and sites. While most settings are configured by means of the administrative interface, additional items can be configured by means of the WebInterface.conf file. The WebInterface.conf file contains a superset of parameters that can be used to provide additional functionality or to customize XenApp Web or Services sites.

To properly troubleshoot Web Interface, you should be familiar with Web Interface communications, configuration methods, site structure, and logging errors.

Web Interface Communication Process

The following process provides an overview of how a XenApp Web site communicates with user devices and XenApp servers to initiate a session:

1. A user submits logon credentials through a Web Interface logon page.

2. Web Interface forwards the logon credentials to the Citrix XML Broker on the XenApp server.

3. The credentials are forwarded to a domain controller for authentication.

4. The Citrix XML Broker retrieves a list of resources from the IMA subsystem.

5. Web Interface presents the resources in a web page on the user device. The user clicks an application icon on the web page.

6. Web Interface contacts the Citrix XML Broker to locate the least busy server in the farm. The Citrix XML Broker requests a secure ticket for the user from the least busy server.

7. The Citrix XML Broker returns the address of the least busy server hosting the resource and the secure ticket for the user to the Web Interface. The Web Interface server dynamically generates an ICA file (Launch.ica) and sends it to the web browser on the user device.

8. The user device initiates a connection with the server specified in the connection information of the ICA file.

Point out to students that, when bookmarking is enabled, a Launcher.html file is created instead of a Launch.ica file.

Web Interface Configuration Methods

Web Interface can be configured using the following methods:

• Web Interface Management console

The Web Interface Management console allows you to configure and manage the Web Interface sites. Configurations take effect as changes are made using the Web Interface Management console.

• The Web Interface configuration file

The WebInterface.conf file is available on both Windows and UNIX platforms, as well as on NetScaler appliances, and allows you to change many of the Web Interface properties.

• Windows: \InetPub\WWWRoot\Citrix\XenApp\Conf\WebInterface.conf

• UNIX: $TOMCAT_HOME/webapps/<sitename>/WEB-INF/WebInterface.conf

• NetScaler: /var/wi/tomcat/webapps/Citrix/XenApp/WEB-INF/WebInterface.conf

You should consistently configure Web Interface using the same method. Configurations made directly to the WebInterface.conf file can be inadvertently overwritten by configurations made in the Web Interface Management console.

• Citrix plug-in configuration files

The Config.xml and WebInterface.conf files, located on the Web Interface server, allow you to configure the XenApp Services site settings.

• Web server scripts and Java servlets

You can use the Web Interface application programming interface (API) to extensively customize the Web Interface site and write web server scripts using ASP.NET or JavaServer Pages.

Workspace Control

The Workspace Control feature allows users to disconnect and reconnect to sessions as they move between different user devices. For example, in a health care environment, as doctors move around the hospital, they may require access to the same sessions from different locations. Using Workspace Control, the doctors are able to quickly reconnect to a pre-existing session and its applications.

Keep the following features, requirements, limitations, and recommendations in mind when troubleshooting Workspace Control.

• Depending on the security settings, Internet Explorer can block the download of files that do not appear to be directly initiated by the user.

Therefore, attempts to reconnect to resources using Receiver or a plug-in can be blocked. In situations where reconnection is not possible, a warning message appears and users are given the option of reconfiguring their Internet Explorer security settings.

• Each Web Interface session times out after a period of inactivity (typically 20 minutes).

When the HTTP session times out, the logoff screen appears; however, any XenApp resources accessed or reconnected in that session are not disconnected until the disconnect timeout limit, which is set by the administrator, is reached. Users must manually log back on to the Web Interface to access XenApp resources.

• Resources published for anonymous use terminate when both anonymous and authenticated users disconnect, provided that the Citrix XML Service is set to trust Web Interface credentials.

Therefore, users cannot reconnect to anonymous resources after they disconnect.

• To use pass-through, smart card, or pass-through with smart card authentication, you must set up a trust relationship between the Web Interface server and the Citrix XML Service.

• If credential pass-through is not enabled for XenApp Services sites, smart card users are prompted for their PINs for each Citrix session being reconnected.

This is not an issue with pass-through or pass-through with smart card authentication on XenApp Services sites because credential pass-through is enabled with these options.

Client to Web Interface Communications

Many components impact the communication between the user device, XenApp, and the Web Interface. When troubleshooting the communication process, you should consider taking the following actions:

Details for some of these topics are discussed later in this module.

• Verify settings for all servers.

• Verify the web server name.

• Verify browser settings.

• Verify user authentication.

• Verify ICA authentication tickets.

• Verify the determination of the least busy server.

• Verify address translation configurations.

• Verify that the FQDN of the server matches the SSL certificate.

• Use the Repair option.

• Enable tracing with ASP.NET.

Web Interface Repair Option

Both the site and the Web Interface installation can be repaired. Depending on the severity of the issue, it may be necessary to repair or reinstall the site using the Web Interface Repair option.

Back up scripts and the WebInterface.conf file before proceeding.

• If you reinstall Web Interface, any pre-existing scripts and the WebInterface.conf file will not be replaced.

Repair the installation if files were mistakenly deleted, renamed, or corrupted. Repair a Web Interface installation from the Control Panel.

• Repair the site to address any configuration issues specific to the site or corruption. If you repair a site, pre-existing scripts and the WebInterface.conf file will be replaced.

After making a backup of scripts and the configuration file, repair a site using the Site Maintenance > Repair Site task in the Web Interface management console.

Requirements for the Web Server Name

If the web server is accessed using a NetBIOS host name that contains the underscore character, such as WI_SERVER, user authentication will fail silently and return the user to the logon page with no error message. Underscore characters are permitted for Windows server names, but according to the RFC 1738 standard, they may not appear in web server names. When the server name contains an underscore character, a JavaScript incompatibility prevents the proper handling of cookies, and Web Interface cannot function.

Account Self-Service is Unavailable

The Web Interface can be integrated with Citrix Single Sign-on to provide password security and account self-service functionality for users through a link on the Web Interface logon page.

For security reasons, this feature is only available to users who access the Web Interface site over HTTPS. If the account self-service feature has been configured correctly, but does not appear on the logon page, verify that users are accessing the site over HTTPS.

Single Sign-on is not supported on Microsoft Windows XP Home Edition. For more system requirements information, see the Technologies > Single Sign-on > Single Sign-on 5.0 > System Requirements topics on eDocs at http://edocs.citrix.com.

Web Interface Authentication

Before displaying published applications for a user, Web Interface authenticates the user.

Several authentication methods are available for users to authenticate to Web Interface. The following authentication methods are available with Web Interface:

Explicit authentication: The mode of authentication in which users must type their user name and password to gain access to resources.

Pass-through authentication: Allows users to authenticate to Web Interface automatically using their Windows desktop logon credentials.

Pass-through with smart card authentication: Allows users to authenticate to Web Interface using a smart card and PIN.

Smart card authentication: Allows users to authenticate to Web Interface using a smart card and PIN. After logging on, users can access published resources without further logon prompts.

Anonymous authentication: Allows anonymous users to log on to Web Interface without supplying a user name and password and launch applications that are specifically published for anonymous users.

Explicit Authentication

Explicit authentication refers to the mode of authentication where users must type their user name and password into a web form to gain access to published applications.

Explicit authentication is performed against a Windows domain and can be augmented to require an RSA SecurID or Secure Computing SafeWord passcode in addition to the user's domain password.

Applying Explicit Authentication

The following list describes the authentication process for explicit authentication.

1. Web Interface produces a logon form asking for a user name, password, and domain.

You can suppress the required domain value.

2. Users click the Logon button after entering their credentials and the information is sent to the web server using standard HTTP or HTTPS.

3. Web Interface receives the user's credentials from the HTTP POST, translates them into an XML request and sends them to the Citrix XML Service as part of the application enumeration request.

By default, the password is concealed, but this is not considered strong encryption. The traffic to the Citrix XML Service can be secured using Citrix SSL Relay for stronger security.

4. Before the Citrix XML Service returns applications for the user, the credentials must be validated.

This task is delegated to the IMA Service, which in turn calls LogonUser() and LookupAccountSid() from the local security account subsystem in Windows (Lsass.exe). The event log shows related authentication or service errors.

Concealed passwords are often referred to as obfuscated passwords.

Because the user authentication task is deferred to the local directory service by the Citrix XML Service, explicit logons should work as long as the user is able to log on locally on the server running the Citrix XML Service.

To confirm that the user is able to log on locally to the Citrix XML Server, you can make a connection directly to the Citrix XML Server desktop and attempt to log on using the standard Windows logon interface. Any issues that occur using the standard interface, such as issues with custom redirectors or the inability to locate a domain controller, will similarly affect Web Interface authentication.

Explicit Authentication Testing Guidelines

If authentication fails, it is possible that the user does not have the "Allow log on through Remote Desktop Services" policy permission. In this case, an RDS session test would fail even if the user has the "Log On Locally" policy permission.

Locating the least busy server when the user clicks an application requires the services of a data collector for the zone, though user authentication does not. If the Citrix XML Server is not a data collector for the zone, application address requests are forwarded to the data collector of the zone in which the Citrix XML Server resides.

Although the Citrix XML Server does not have to be a data collector for the zone, performance is improved if the Citrix XML Server is a data collector for the zone.

Pass-Through Authentication

Pass-through authentication allows users to authenticate to a Web Interface site using the credentials provided during logon to the Windows desktop.

Pass-through authentication to the web server is similar to the authentication that occurs when a domain user accesses a file share or domain print server to which they have been given access in that the user's Windows credentials do not need to be re-entered. Instead, the user accesses the Web Interface site and the applications are displayed immediately.

The steps in the following list detail the process for pass-through authentication.

1. IIS authenticates users using Integrated Windows Authentication and is able to identify a user's domain and user name, but not the password.

Therefore, the standard enumeration of application icon is not possible for pass-through or smart card authentication as it is with explicit authentication.

2. Instead, the web server determines the list of domain groups to which the user belongs.

Web Interface constructs an XML request containing all of the user's individual and group SIDs and forwards this list of SIDs to the Citrix XML Service.

If the Citrix XML Service fails to respond, the web server enumeration script times out.

3. The Citrix XML Service queries IMA to obtain the list of resources that have been published to the user or any of the groups in the list.

4. The list of applications and their icons is returned using the Citrix XML Service to Web Interface.

5. The Citrix XML Service enumerates the applications available to the user.

Automatic logon with user name and password may need to be enabled within Internet Explorer: Internet Options > Security > Trusted sites > Custom Level: User Authentication.

• Trust XML Request must be selected on the XML server for pass-through authentication.

• Keep this process in mind when troubleshooting application enumeration.

NTFS Permissions for Pass-Through Authentication

After successfully negotiating Integrated Windows Authentication, IIS impersonates the current user account when accessing files on the web server hard drive. This design mandates that the user's domain account has at least Read permission on all scripts beneath the web server document root directory.

Restricting NTFS permissions on the files beneath WWWRoot to allow access only by administrators or the IIS_IUSRS account will disable non-administrator users from being able to view Web Interface pages. In these cases, users are forbidden or cannot access Web Interface or the applications. To correct this issue, ensure that in addition to the IIS_IUSRS account, all users who will access the Web Interface have NTFS read permissions on all files beneath WWWRoot\Citrix on the web server.

Proxy Servers and Pass-Through Authentication

If an attempt is made to access the Web Interface through an HTTP proxy server, the NTLM challenge/response authentication required for single sign-on will likely fail.

Integrated Windows Authentication is generally not possible through proxy servers, including the case where SSL traffic travels by proxy through Access Gateway to Web Interface. To resolve this issue, bypass the proxy server or Access Gateway, or use HTTPS to the IIS SSL port.

Certificate Mapping

If the metabase settings on the certificate virtual directory are modified so that client certificates are no longer required or client certificate mapping is not enabled, Web Interface cannot authenticate the user. To correct this issue, use the Repair option for the site in the Web Interface Management console.

Guidelines for Smart Card Authentication

Consider the following items when troubleshooting smart card authentication.

• Smart card authentication requires the server running Web Interface to be a member of an Active Directory domain and have connectivity to a domain controller.

• Smart card authentication is not possible when Access Gateway or another technology acts as an SSL-terminating reverse proxy for Web Interface.

Users must make an HTTPS connection directly to the IIS SSL listening port.

• Client certificates stored in the user's profile instead of on a physical smart card can work for Web Interface authentication and application enumeration, but not for the final authentication to XenApp.

• Smart card authentication to XenApp relies on an ICA virtual channel that relays commands to the PC/SC compatible smart card reader.

Therefore, a physical reader on the user device is required for the XenApp logon.

• Smart card authentication is not available with Web Interface for UNIX.

Authentication Tickets

The authentication ticketing process generates a single-use, time-sensitive ticket that authenticates the user to a XenApp server instead of presenting the user name and password.

Ticketing eliminates a security risk by enabling the production of files that contain no reusable authentication information. After a ticket has been redeemed, it can never be used again. If the ticket is not used within the configured time-out period, it expires and cannot be used.

Authentication Ticketing Process

The following list provides an overview of the authentication ticketing process.

1. The user provides a user name, domain, and password to the server running Web Interface, and applications are enumerated.

2. The user clicks an application icon.

Web Interface sends a <RequestAddress> command to the Citrix XML Service to determine the address of the target server. The target server will be the least busy server in the farm hosting the selected application unless the user already has a disconnected session for that application on another server.

3. A ticket request that includes the user's credentials is constructed by Web Interface.

The password is obscured. In addition, the desired ticket time-out, defined by the TicketTimeToLive parameter in the WebInterface.conf file or Web Interface Management console setting, is part of the ticket request.

4. This request is sent to the Citrix XML Service.

5. The Citrix XML Service forwards the ticket request to the target server.

6. The target XenApp server receives the user's credentials. The target server generates a random 30-byte ticket and returns the ticket to the Citrix XML Service.

The target server retains the generated ticket string and the user's real credentials in memory until they are redeemed or have expired.

7. The Citrix XML Service returns the ticket to Web Interface.

8. The ticket is incorporated into the Launch.ica file and delivered to the user's web browser.

The ticket is divided into two halves and placed into the Domain and ClearTextPassword ICA file parameters:

Username=mayt
Domain=\176A89579BC384D8
ClearPassword=A4C8832C879768

The backslash character preceding the domain name is a signal to WinLogon that the presented credentials are to be interpreted as a ticket rather than an actual domain name and password.

9. The ICA file is run by the Citrix Receiver, and the user initiates an ICA connection to the target XenApp server.

The ticket is presented to the logon service instead of the user credentials. WinLogon.exe locates the user's real credentials, which are still waiting in memory. The user's real credentials are retrieved from memory and submitted to the WinLogon process.

If the credentials in the ticket request were invalid, failure would not occur until after the WinLogon substitution.
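
When checking a site's launch files during troubleshooting, the ticket layout from step 8 can be verified mechanically. The following Python sketch is an added example, not part of the Citrix course material: it parses an ICA file and reports whether each section carries a ticket (backslash-prefixed Domain plus ClearPassword, both hexadecimal) or reusable credentials. The ticket values are the ones shown in step 8; the section names, address, second sample file, and the hexadecimal test are assumptions of this example.

```python
import re

# Constructed Launch.ica contents. The ticket halves are the values from
# step 8 above; the address, section names and STATIC_ICA are made up.
TICKETED_ICA = r"""
[ApplicationServers]
Notepad=

[Notepad]
Address=192.0.2.15:1494
Username=mayt
Domain=\176A89579BC384D8
ClearPassword=A4C8832C879768
"""

STATIC_ICA = r"""
[ApplicationServers]
Notepad=

[Notepad]
Address=192.0.2.15:1494
Username=mayt
Domain=EXAMPLE
ClearPassword=NotARealPassword1
"""

# Assumption of this example: ticket halves are written as hexadecimal text,
# as in the sample on this page.
HEX = re.compile(r"[0-9A-Fa-f]+")


def parse_ica(text):
    """Parse INI-style ICA text into {section: {lowercased key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def classify(params):
    """Return 'ticket', 'reusable' or 'none' for one ICA section."""
    domain = params.get("domain", "")
    secret = params.get("clearpassword", "")
    if not secret:
        return "none"  # no credential material in this section
    is_ticket = (
        domain.startswith("\\")
        and HEX.fullmatch(domain[1:]) is not None
        and HEX.fullmatch(secret) is not None
    )
    return "ticket" if is_ticket else "reusable"


def ticket_of(params):
    """Rejoin the two ticket halves, or return None if no ticket is present."""
    if classify(params) != "ticket":
        return None
    return params["domain"][1:] + params["clearpassword"]


def audit_ica(text):
    """Classify every section of an ICA file."""
    return {name: classify(params) for name, params in parse_ica(text).items()}


if __name__ == "__main__":
    for label, sample in (("ticketed", TICKETED_ICA), ("static", STATIC_ICA)):
        print(label, audit_ica(sample))
```

A section reported as reusable means the launch file contains a domain and password that remain valid after the session starts, which is the risk that ticketing is described above as eliminating.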

Determining Which Server Will Host the User Session

When a user clicks an application icon, Web Interface sends a request to the Citrix XML Service asking for the address of a target XenApp server to which the user should connect.

The following process provides an overview of identifying the least busy server.

Power and Capacity drain mode will not deny logons, but will put those servers as lowest in the available server list.

1. Web Interface asks for the normal or the alternate server address depending on which addressing method has been configured.

This process does not take session sharing into consideration.

2. The Citrix XML Service queries the nearest data collector for the zone to retrieve a target server address.

For this reason, it is recommended to host Citrix XML Service and data collector functionalities on the same server, except in very large farms. The data collector for the zone checks for several conditions.

3. If it exists, a disconnected session running the current application for the user or an existing ICA session on a server that is compatible for session sharing will take precedence, and the data collector will ignore load levels and return the address of the server.

4. Worker Group preference designation is taken into consideration when configured in Citrix policies.

Worker Group preference is ignored when reconnecting users to a disconnected session.

5. Server load evaluators and application load evaluators are used to determine the least busy server within the farm or preferred zone, if applicable.

Please note that application-based load evaluators are not recommended.

6. After an appropriate target server has been identified, the data collector for the zone sends it an IMA ping to ensure that it is alive before returning its address to the Citrix XML Service.

If the target server has multiple IP addresses, the data collector for the zone attempts to determine which IP address is appropriate for the current client IP.

7. After the appropriate target server has been verified, the data collector for the zone returns an address to the Citrix XML Service.

8. The Citrix XML Service relays the address to Web Interface.

If a user receives the error "50: Cannot connect to server" when starting an application icon, upgrade the client software to the latest release of the Receiver. If this is not possible, you can prevent the error from occurring by editing the template .ica files as follows:

1. Open the following files using a text editor such as Notepad: default.ica, bandwidth_high.ica, bandwidth_low.ica, bandwidth_medium.ica, and bandwidth_medium_high.ica. These files are typically located in the C:\INetPub\WWWRoot\Citrix\SiteName\conf directory on IIS and the /WEB-INF directory of the Web Interface site on Java application servers.

2. Locate and delete the following lines in each file:

DoNotUseDefaultCSL=On
BrowserProtocol=HTTPonTCP
LocHttpBrowserAddress=!

Least Busy Server Issues

When the data collector for the zone cannot reach the least busy server designated to host a published application, users will be connected to a different, busier server. Users receive errors when no servers are available; otherwise, no errors are generated.

This condition can occur when:

• Logons are disabled on a target server.

• The server is in a hung state but can still respond to pings.

• The application is in a hung state.

• There are issues with the IMA Service.

• There are issues with Remote Desktop Services on a target server.

Administrators often set up Health Monitoring and Recovery so that they are aware of issues before they impact the entire farm.

From a user perspective, this condition may appear as an intermittent issue because if the user clicks an application icon again and is forwarded to another server that is functioning correctly, the user session starts normally.

In large farms, determining which server is causing the issue can be challenging. To identify the server that is causing the issue, you can use the following tools.

Network trace: Reveals clues about which server is failing

QFarm /app appname: Displays all servers on which the published application is available. Any server missing from the list might be causing the issue.

QFarm /load: Displays the load for all servers in the farm

In addition, within EdgeSight, if the Dashboard is configured to show data such as average ICA and network round-trip time (RTT), network and server issues can be detected.

To Enable ASP.NET Tracing

Web Interface uses the tracing feature for the .NET Framework, which is a built-in debugging feature of IIS web sites. Tracing allows an administrator to view details about each HTTP request issued within an ASP.NET application.

1. Edit the Web.config file located in the C:\INetPub\WWWRoot\Citrix\PNAgent or C:\INetPub\WWWRoot\Citrix\XenApp folder using a text editor.

2. Locate the following line:

<trace enabled="false" requestLimit="100" localOnly="true" />

3. Change the line to read as follows:

<trace enabled="true" pageOutput="true" localOnly="false" requestLimit="100" />

4. Save the changes and close the text editor.

It is not necessary to restart the web server. After changes are saved, extended information is written to the bottom of each page, including client cookies, session variables, and HTTP server variables.
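The check below is an added example, not part of the course material or Citrix code. It reads the trace element discussed in this procedure and reports whether trace output is enabled and served to non-local clients, so the state of each site can be confirmed before and after troubleshooting. The function name Get-TraceSetting and the sample XML are assumptions made for the illustration.

```powershell
# Added example: audit the <trace> element of Web Interface Web.config files.
# Get-TraceSetting is a hypothetical helper name, not a Citrix or Microsoft cmdlet.
function Get-TraceSetting {
    param(
        [Parameter(Mandatory = $true)][string]$ConfigXml,  # full text of a Web.config file
        [string]$Source = '(inline sample)'
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)

    # local-name() keeps the query working when <configuration> declares an XML namespace.
    $xpath = "/*[local-name()='configuration']/*[local-name()='system.web']/*[local-name()='trace']"
    $trace = $doc.SelectSingleNode($xpath)

    # ASP.NET defaults that apply when the element or an attribute is absent.
    $value = @{ enabled = 'false'; localOnly = 'true'; pageOutput = 'false'; requestLimit = '10' }
    if ($trace -ne $null) {
        foreach ($name in 'enabled', 'localOnly', 'pageOutput', 'requestLimit') {
            if ($trace.HasAttribute($name)) { $value[$name] = $trace.GetAttribute($name) }
        }
    }

    $enabled    = [System.Convert]::ToBoolean($value['enabled'])
    $localOnly  = [System.Convert]::ToBoolean($value['localOnly'])
    $pageOutput = [System.Convert]::ToBoolean($value['pageOutput'])

    New-Object PSObject -Property @{
        Source        = $Source
        Enabled       = $enabled
        LocalOnly     = $localOnly
        PageOutput    = $pageOutput
        RequestLimit  = [int]$value['requestLimit']
        # Trace data (cookies, session variables, server variables) reaches
        # non-local clients only when tracing is on and localOnly is false.
        RemoteVisible = ($enabled -and -not $localOnly)
    }
}

# Constructed samples: the two <trace> lines from steps 2 and 3 in a minimal config.
$before = '<configuration><system.web><trace enabled="false" requestLimit="100" localOnly="true" /></system.web></configuration>'
$after  = '<configuration><system.web><trace enabled="true" pageOutput="true" localOnly="false" requestLimit="100" /></system.web></configuration>'

$results = @(
    Get-TraceSetting -ConfigXml $before -Source 'sample: line from step 2'
    Get-TraceSetting -ConfigXml $after  -Source 'sample: line from step 3'
)

# On a Web Interface server, also inspect the real files named in step 1.
foreach ($dir in 'C:\INetPub\WWWRoot\Citrix\PNAgent', 'C:\INetPub\WWWRoot\Citrix\XenApp') {
    $path = Join-Path $dir 'Web.config'
    if (Test-Path $path) {
        $results += Get-TraceSetting -ConfigXml ([System.IO.File]::ReadAllText($path)) -Source $path
    }
}

$results |
    Select-Object Source, Enabled, LocalOnly, PageOutput, RequestLimit, RemoteVisible |
    Format-Table -AutoSize
```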


User Sessions

When users report session issues, these are often related to:

• Profile issues

• Session sharing

• Session timeout settings

• Network connectivity

• Application issues

• HDX functionality

Though Citrix recommends configuring settings through policies, some settings can also be configured within the ICA listener on each XenApp server. Verify that these settings do not conflict with user and business needs.

User Profile Issues

Regardless of the user profile solution used, each user profile must be available to the XenApp server during logon. Where the user profile data is not accessible, either a temporary profile is used or the user logon fails, depending on the profile type and configuration. For example, a network issue may cause the user profile copy to initiate and then time out, and if the environmental configuration designates that no alternative profile can be used if the regular user profile cannot be accessed, the user logon will fail.

It is common to shadow user sessions while troubleshooting to better understand the issue and determine client-side configuration settings.

When a temporary profile is used as the basis for a user session, the user sees an error message and an error is recorded in the event viewer. The user session initiates but a temporary profile is used instead of the regular user profile. The user may report that some settings were not consistent with the typical user experience. Upon logoff, any changes made during the session are not synchronized with the regular user profile.

Where inaccessibility of the user profile causes the user logon to fail, the user is not always presented with an error message; this is dependent on the profile solution in use. The user will only report that an ICA session could not be initiated.

In cases where the user profile load failed and the user could not start a session, an error message of some type will be generated. However, where and how the error message is logged depends on the specific solution in place.

To narrow down profile-related issues, look at the time stamp of the last user profile access in order to ascertain the last successful write of the user profile. For example, where Microsoft roaming profiles are used, this would be the time stamp of the NTUser.dat file that is stored in the designated network-based repository.

If a user profile becomes corrupted, you may need to restore the user profile to a last known good version based on a backed up copy. Exactly how to do this varies based on the user profile solution.


Session Sharing

When viewing user sessions in the AppCenter, if a user is consuming multiple sessions as evidenced by two or more session numbers on distinct servers, session sharing may not be functioning properly.

By its very nature, session sharing ensures efficiency and minimizes resources on the server. For this reason, the AppCenter should show a single session number assigned to multiple applications. By default, when a user accesses multiple published applications, these will be shared within a single session so long as those applications are available from the same server.

However, there are some specific reasons why session sharing does not function this way:

• Published applications have different settings, such as display, audio, client drive mapping or encryption

All applications should have the same settings in order to ensure that subsequent application launches share the existing session.

Printer auto-creation timing: When applications differ in the synchronous or asynchronous printer creation setting, session sharing will fail.

• Session sharing has been specifically disabled within the registry, such as may be required for non-Citrix WAN optimization technologies.

• Key: HKLM\SYSTEM\CurrentControlSet\Control\Citrix\Wfshell\TWI

• Type: REG_DWORD

• Value: SeamlessFlags = 1

• Users access multiple applications in succession.

Web Interface by default includes a two-second delay as part of the MultiLaunchTimeout parameter, which specifies the time for which resource icons are inactive following the initial click by the user to start the resource. This behavior is designed so that the first application can start launching and subsequent applications can partake of session sharing. This behavior is controlled within Web Interface; however, depending on the network connection and environmental conditions, the default setting may need to be adjusted.

Session Timeout Settings

Connection, disconnection, and idle timeout settings are available for configuring the length of time a user connection can stay in a particular state. In most cases, a maximum connection period is not defined; however, disconnection and idle timeout settings are often used.

When a user ceases activity in a session, it falls into an idle state. Idle states are common as users attend to other work tasks. Thus, when considering the maximum time for idle states, sufficient time should be allocated for meetings, lunch breaks, and the like. Idle timeouts are typically in the range of one to several hours. User sessions consume a XenApp license when in an idle state.

After the period of time allocated for an idle state is reached, the session falls into a disconnected state. Disconnected sessions are held in memory and do not consume a XenApp license. When a user accesses an application that is in a disconnected state, the connection is made to the server that held the disconnected state.

In most cases, a maximum disconnect timeout is set so that user connections do not remain in memory for a lengthy period. Disconnect timeouts are typically several hours.

In versions earlier than XenApp 6, it was necessary to configure connection, disconnection, and idle timeout settings by means of Active Directory GPOs. As a result, many organizations have these settings pre-configured. However, if these settings are also administratively defined within Citrix policies, a conflict may arise. Thus, setting timeouts within only one area is recommended to minimize troubleshooting.

With XenApp 6.5, Session Pre-Launch and Linger are introduced, which also incorporate disconnect and terminal timer intervals. These settings are only configurable by means of Citrix policies but may impact the behavior of other timeout settings.

As a result, if user sessions are involuntarily disconnecting or logging off, re-evaluate these settings to ensure that the resultant behavior is not caused by the policy rules described above.

Post-Connection Issues

After a user successfully connects to a XenApp server, it is possible that issues related to the session may arise. Assuming that no environmental changes are the root cause, session issues most commonly pertain to the network, application, or server.

Because network, application, and server can vary from one user session to the next, it is possible that one or more of these factors can cause the user session to fail or provide a poor experience. For example, if an application database contention arises, a data fetch requested by an application may time out, causing the user to believe that the application fails to respond.

When an administrator is uncertain as to whether a user issue may be related to the network, application, or server, EdgeSight can be used to quickly search data regarding the user session. Accessing the Troubleshooting tab, enter the user logon, and open a present or previous user session. Note any anomalies in the Flash-based interface, such as high CPU usage, and click for more details.

Alternatively, Performance Monitor can be used to track many metrics related to user sessions. In particular, the ICA Session and Citrix MetaFrame XenApp counters can provide detailed data points regarding environmental health. This data could be used in conjunction with server event logs to track warnings and errors.

Unless disabled for security or other reasons, auto-reconnection is a valuable feature to reconnect involuntarily disconnected sessions. Where reconnections occur frequently or require troubleshooting, the Auto client reconnect logging policy should be configured to log events, which are then written to the event log. However, where a server failure occurs, an involuntarily disconnected user will not be able to reconnect because the user session no longer exists. This is because the ICA session is not in a disconnected state.

Auto-reconnect and session reliability are mutually exclusive.

Network Connectivity

While ICA is an efficient protocol, a good network connection is required in order to maintain a XenApp session. To determine whether an issue may be related to the network, an administrator can look in the following areas:

• AppCenter

Right-click the user session and view the Session Information. Note the IP address of the user. Send large ping packets, such as ping -l 1000, to determine latency between the server and user device.

• Citrix Connection Center

Instruct the user to right-click the Citrix Receiver icon and select Online Sessions > Connection Center. Select the server and click Properties on the right side of the screen. View the Client Connection Status, noting any frame errors or stagnant number of frames.

• HDX Monitor for XenApp

Where the HDX Monitor for XenApp is installed, the user may be able to self-assess whether network latency is causing an issue. Alternatively, an administrator can shadow the user session and view latency data shown.

Where a user session fails intermittently, it is especially difficult to ascertain the reason for the failure. As a result, network data from all affected components must be reviewed. For example, an STA check which occurs approximately every five minutes may cause a failure that is difficult to diagnose. Because the CSG_UseTwoTickets parameter is not enabled by default within Web Interface and is not configurable in the administrative interface, it would be easy to overlook the impact of an STA check failure on the network.

By design, ICA packets are typically several hundred bytes or fewer. Although it may seem more efficient from a network perspective to generate packets that are closer to the standard 1500-byte maximum transmission unit (MTU) used by most networking equipment, the delays encountered by waiting for additional data hamper the user experience. As such, adjusting the queue for keyboard and mouse data is rarely beneficial.

Third-party network analyzers are often helpful in diagnosing network issues related to dropped packets, retransmissions, and other problems. While a simple tool such as Microsoft Network Monitor can be used, it is often advantageous to involve the network administrator to provide complex troubleshooting.

Where network data is viewed by means of a network analyzer, ensure that the correct data is assessed. ICA uses TCP port 1494 for inbound data to the XenApp server and a randomly generated protocol for outbound data. By default, Session Reliability is enabled, and thus ICA data is tunneled through the Common Gateway Protocol (CGP), which uses TCP port 2598. If multi-streaming is enabled, the additional port numbers configured within that policy should also be monitored.

Test connectivity to the server over TCP port 1494 or 2598 by using the telnet command. For more information about using the telnet command, as well as additional tips for troubleshooting network connectivity, see Citrix articles CTX106250 and CTX075552 on http://support.citrix.com.

If insufficient network bandwidth causes involuntarily disconnected sessions, a WAN optimization tool such as Citrix Branch Repeater may assist with providing a better user experience.

Application Issues

Application issues can be broken into two categories:

• Functionality

• Performance

Assuming that application functionality issues are addressed prior to deployment, problems related to multiuser application access may occasionally arise when a user performs an action that extends beyond pre-production testing or that triggers other, unexpected actions to occur. For example, a complex PowerPoint presentation may rely on embedded Excel spreadsheets that cause Excel to go into an endless loop when recalculating a formula and then fail. Other user sessions that are accessing Excel may also see the application fail while Outlook and other applications continue functioning normally.

Application functionality issues can often be detected within Event Viewer. In addition, several EdgeSight reports related to process failures can pinpoint the issue quickly.

Performance issues can sometimes arise as a result of another change within the environment, which can be tracked through Configuration Logging. For example, an update applied to a server may cause an application to fail or behave differently.

Most commonly, application performance issues are the result of communications with a backend database. For example, if users complain that Outlook is sluggish but all other applications are performing normally, the backend Exchange server may be the culprit. Particularly where a large database locks and unlocks records, the application may be slow because the data communications are slow.

Application pre-launch works slightly differently than standard published applications. While a pre-launched application takes on the pre-configured settings of the published application used as the basis, CtxPreLaunch.exe is actually the executable that appears in the Properties. Pre-launched applications can be based on either when the user credentials are authenticated or at a scheduled time. By default, the application pre-launch disconnect and terminate timer interval is based on 60 minutes and may need to be adjusted. In particular, the disconnect timer interval controls the amount of time that a XenApp license is consumed.

Seamless session settings may impact applications. For more information, see Citrix article CTX101644 on the http://support.citrix.com web site.

Application Streaming Troubleshooting

Streamed applications are subject to different types of issues than applications that run on XenApp servers. Issues may occur in one of the three distinct phases of application streaming:

1. Profiling the application.

2. Publishing the application.

3. Streaming the application to user devices or servers.

To isolate an issue with an application while it is streaming, take the following steps:

• Verify expected behavior with a locally installed instance of the application if necessary.

• Check if other programs (such as an antivirus scanner) are conflicting with it.

• Ensure that the Citrix Streaming Service is started or restart it to ensure that it is not hung.

• Ensure correct permission to the file share or Web server directory.

• Enable the debug console to trace application launch by adding the following registry key:

• Key: HKLM\Software\Citrix\Rade\EnableDebugConsole (for 32-bit systems)

• Type: DWORD

• Value: 1

For more information about the streaming debug console, see Citrix article CTX112472 on http://support.citrix.com.

HDX Functionality

HDX MediaStream is designed to give XenApp and XenDesktop users a smooth, seamless experience when accessing multimedia content. To accomplish this, HDX MediaStream uses the processing power of the user device to render multimedia streams. On the datacenter side, the compressed multimedia information is sent directly to the endpoint in its native format. The multimedia stream is rendered and played back on the user device, providing excellent performance while reducing the workload on the servers and the network.

HDX MediaStream currently appears in the administrator user interface of XenApp and XenDesktop as SpeedScreen Multimedia Acceleration. By default, SpeedScreen Multimedia Acceleration is enabled at the farm level.

The correct codecs for rendering the media must be installed on the user device. Windows PCs usually have the most common codecs installed, but if you need additional ones, you can download them from the media player manufacturer's web site. Thin clients and desktop appliances typically ship with a minimal subset of codecs, so it is more likely that additional codecs will need to be installed, depending on the media formats that users will be accessing.

How to Confirm Whether HDX MediaStream is Functioning

Observing the quality of the video playback is the most direct method of determining whether HDX MediaStream is functioning. When it is working correctly, the following signs will be visible:

• A black rectangle will quickly flash by as the video begins to play.

• The server CPU usage will be much lower than if the video were being rendered on the server.

For comparison, you can disable SpeedScreen Multimedia Acceleration on the console and try playing the same video.

• Process Explorer will show that FilterInt.dll is loaded by the media player's process.

HDX MediaStream is designed to automatically revert to server-side rendering if the client is not equipped with the necessary codec to decode the multimedia stream. This requires that all codecs needed by the user community are available on the XenApp server or XenDesktop VDA platform.

HDX Experience

While most HDX capabilities work without the need for set up or can be configured within Citrix policies, sometimes HDX does not perform as expected. The most straightforward way to ascertain HDX functionality is by means of the HDX Experience Monitor for XenApp. The HDX Experience Monitor provides status information with regard to graphics, USB devices, and much more.

For more information about HDX Experience Monitor for XenApp, see Citrix article CTX126491 on http://support.citrix.com.

For example, if a user reports that Flash content plays slowly, an administrator can ask the user to report the details of the Adobe Flash item in order to determine whether Flash is being redirected and played on the user device or played on the XenApp server. On the user device, the executable PseudoContainer2.exe must be running in order to provide Flash redirection.

PseudoContainer2.exe supports Flash v2.

In addition, the status of HDX Flash can be administratively ascertained by means of the following:

• Event Viewer: Under Applications and Services Logs > Citrix > Multimedia > Flash > Admin

• Performance Monitor: ICA Session > Input/Output HDX MediaStream for Flash Data Bandwidth

You can customize HDX Flash, both client-side and server-side, with Citrix user policies.

ADM templates are no longer used.

Data points regarding HDX Broadcast, which includes compression functionality, as well as Plug-n-Play, which encompasses USB and SmartCard functionality, can be useful for understanding the health of the HDX functionality. Specifically, open the ICA Session counter items within Performance Monitor or the related ICA/HDX EdgeSight reports.

Server Resources

Insufficient server resources are a likely candidate for causing a poor user experience. In particular, the following server-related issues are common:

• Overcommitment of virtual server resources

Where CPU and memory are grossly overcommitted, insufficient resources are allocated to servers. XenApp servers cannot subsequently bear the expected user load. Check the resource utilization on the hypervisor host to ascertain that resources are properly allocated.

• CPU optimization

In general, CPU optimization is a beneficial feature; however, it is important to determine which of the two CPU optimizations is best suited for the environment. Fair sharing generically works best; however, where an application has significant CPU requirements, limiting the amount of CPU designated to a fair share may not be sufficient. Where additional CPU is required, Preferential Load Balancing may be considered in conjunction with Application Preference to provide the optimal setting for the environment. Within Performance Monitor, view the ICA Session > Resource Shares counter to ascertain the metrics associated with the configuration.

• Memory optimization

Memory optimization is also generally a beneficial feature, but with some applications, the DLL rebasing that occurs can have a negative impact on the user experience. When DLLs are rebased in a multiuser environment, application startup is more efficient because multiple applications do not attempt to start in the same memory space that is already in use. However, some applications do not function properly when memory optimization is enabled and must therefore be excluded. To view application rebasing output, open the repair.sfo file located under %ProgramFiles(x86)%\Citrix\Server Resource Management\Memory Optimization Management\Data.

In order to confirm that the desired user density can be supported on each server, EdgeSight for Load Testing can be used.

XenApp in a Virtualized Environment

Running XenApp on virtualized servers is becoming commonplace; however, some unique issues related to virtualization may arise occasionally.

In a virtualized environment, resource availability is the most common issue. All hypervisors allow for overcommitment of resources, and minimal use of this feature may be beneficial in order to fully use hardware resources. However, severely overcommitting CPU and memory can have a detrimental impact because individual virtual machines may be starved for resources.

For example, where XenServer is the hypervisor used to host virtualized XenApp servers, approximately 1 GB of memory is used for XenServer core functionality. Thus, the total amount of memory available is reduced by this amount. If memory is overcommitted beyond the total amount installed, memory would be further strained based on the memory required for the hypervisor.

Where memory issues exist on XenApp virtual machines, Optimize for Citrix XenApp should be selected within the advanced options. By selecting this option, memory is more efficiently used within a XenApp environment. Because a significant number of processes are active and changing within a multiuser environment at any given time, thrashing can occur and cause shadow page table memory to operate inefficiently.

Virtual CPU priority can impact the resources allocated to a XenApp server. Within XenServer, a normal priority is assigned by default. However, where a higher or lower priority has been assigned to servers, the availability of CPU resources to XenApp servers can be impacted.

If an issue arises in which virtualized XenApp servers created by different server deployment methods experience issues, review all differences between the two builds. In particular, focus on any differences in the agents installed and whether any of these agents need to be excluded from XenApp virtual memory optimization.

Additional areas to review include:

• Network.

The allocation and configuration of network interface cards can impact how XenApp performs. Where possible, multiple 1-GB Ethernet cards or faster should be deployed to ensure that network throughput is not a bottleneck. Review hypervisor network and NIC settings.

• Storage.

The storage configuration and allocation plays a critical role in XenApp functionality and should be reviewed especially when no hard disks are present on the host machines.

• High availability and balancing servers within hypervisor pool.

Depending on the hypervisor used, the options vary slightly. XenApp servers should be configured to be automatically moved to less-used hosts.

The Independent Management Architecture Service

The Independent Management Architecture (IMA) Service is a core component of XenApp and runs on all servers in a farm. In the event of data store issues, troubleshooting the IMA service is an important part of restoring communications. In addition, no new connections can be made to a server where the IMA service is stopped or hung.

IMA Service Error Codes

The following is a list of some common IMA Service error codes that can appear in the event log.

• IMA_RESULT_SUBSYS_NOT_FOUND

An IMA service subsystem failed to load during IMA service startup.

• IMA_RESULT_DBCONNECT_FAILURE

The XenApp server failed to connect to the data store. ODBC connectivity to the database should be verified. If necessary, recreate the local host cache.

• IMA_RESULT_PS_NOTINITIALIZED

The IMA service failed to initialize permanent storage during installation. This error usually indicates that the IMA service is unable to create objects in the data store.

Verify that the user account for the database has permissions to create tables, stored procedures and index objects.

For SQL Server:

• Set the permission to db_owner.

• Use the original account that created the database objects to access the existing tables. For further information about SQL Server database ownership objects, see the SQL Server documentation.

For Oracle:

• Set the permission to resource.

• Verify the system tablespace is not full.

• IMA_RESULT_ODBC_NO_CONNECTIONS_AVAILABLE

The ODBC connection failed. ODBC connectivity is required for proper operation of the IMA service.

To Troubleshoot IMA Service Start Issues

1. Examine the following registry setting: HKLM\SOFTWARE\Citrix\IMA\Runtime\CurrentlyLoadingPlugin

• If the value is blank, the IMA service could not connect to the data store, or the local host cache is missing or corrupted.

• If a value exists, the IMA service made a connection to the data store. The value displayed is the name of the subsystem that failed to load.

Using Registry Editor incorrectly can cause serious problems that can require an administrator to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved.

2. Verify that ODBC connectivity exists when connecting directly to the data store.

3. Review the entries in the event log for the IMA Service error code that is returned.

4. Review the alerts in the AppCenter for specific recorded events.

5. Verify that the Print Spooler service is started in the System context rather than for a user.
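The function below is an added example, not part of the course material or Citrix code. It turns steps 1, 3 and 5 of this procedure into a repeatable check. The registry value, error codes and their meanings come from this section; the function name Get-ImaStartFinding, the Wow6432Node fallback path and the sample event text are assumptions made for the illustration.

```powershell
# Added example: interpret the IMA start checks from steps 1, 3 and 5.
# Get-ImaStartFinding is a hypothetical helper name, not a Citrix cmdlet.
function Get-ImaStartFinding {
    param(
        [string]$LoadingPlugin,      # value of CurrentlyLoadingPlugin ('' when blank)
        [string]$SpoolerAccount,     # account the Print Spooler service starts as
        [string[]]$EventText = @()   # event messages to scan for IMA error codes
    )

    # Error codes and meanings as listed under "IMA Service Error Codes".
    $codes = @{
        'IMA_RESULT_SUBSYS_NOT_FOUND'              = 'a subsystem failed to load during IMA service startup'
        'IMA_RESULT_DBCONNECT_FAILURE'             = 'the server failed to connect to the data store'
        'IMA_RESULT_PS_NOTINITIALIZED'             = 'permanent storage could not be initialized'
        'IMA_RESULT_ODBC_NO_CONNECTIONS_AVAILABLE' = 'the ODBC connection failed'
    }
    $findings = @()

    # Step 1: a blank value and a populated value point to different causes.
    if ([string]::IsNullOrEmpty($LoadingPlugin)) {
        $findings += 'Step 1: value is blank; no data store connection, or the local host cache is missing or corrupted.'
    } else {
        $findings += "Step 1: data store connection made; subsystem that failed to load: $LoadingPlugin"
    }

    # Step 3: report every known error code that appears in the supplied event text.
    foreach ($line in $EventText) {
        foreach ($code in $codes.Keys) {
            if ($line.Contains($code)) { $findings += "Step 3: $code, $($codes[$code])." }
        }
    }

    # Step 5: the Print Spooler should start in the System context, not as a user.
    if ($SpoolerAccount -and $SpoolerAccount -ne 'LocalSystem') {
        $findings += "Step 5: Print Spooler starts as '$SpoolerAccount', not in the System context."
    }

    $findings | Select-Object -Unique
}

# Registry location from step 1, plus the 32-bit registry view of the same key
# (assumption: on 64-bit Windows the value may be stored under Wow6432Node).
$keys = 'HKLM:\SOFTWARE\Citrix\IMA\Runtime', 'HKLM:\SOFTWARE\Wow6432Node\Citrix\IMA\Runtime'
$key  = $keys | Where-Object { Test-Path $_ } | Select-Object -First 1

if ($key) {
    # On a XenApp server: read the live values.
    $plugin  = (Get-ItemProperty -Path $key).CurrentlyLoadingPlugin
    $spooler = (Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'").StartName
    Get-ImaStartFinding -LoadingPlugin $plugin -SpoolerAccount $spooler
} else {
    # Elsewhere: constructed sample input, not real log output.
    $sampleEvents = @('Constructed sample: IMA service start failed with IMA_RESULT_DBCONNECT_FAILURE')
    Get-ImaStartFinding -LoadingPlugin '' -SpoolerAccount 'EXAMPLE\svc-print' -EventText $sampleEvents
}
```

Messages copied from the event log in step 3 can be passed through the EventText parameter when running against a live server.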


IMA Service Failed Message

If the "IMA Service Failed" message is displayed when restarting a server, the local system account may be missing the %Temp% directory, which is required for the IMA service to run.

To Troubleshoot IMA Service Failed Message

1. Change the IMA service startup account to the local administrator.

2. Check for a missing %Temp% directory if the IMA service starts under the local administrator account.

3. Switch the service back to the local system account and try manually creating the %SystemRoot%\Temp directory.

4. Verify that both the %Tmp% and %Temp% environment variables point to this directory.

For more information about checking for a missing %Temp% directory, see Microsoft article 251254 on http://support.microsoft.com.

To Change the Default Timeout Value for the Service Control Manager

1. Open HKLM\SYSTEM\CurrentControlSet\Control and create a new DWORD value named ServicesPipeTimeout (if it does not already exist).

Using Registry Editor incorrectly can cause serious problems that can require an administrator to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved.

2. Select the ServicesPipeTimeout DWORD value and click Edit > Modify.

3. Click Decimal in the dialog box.

The value of this field is entered in milliseconds; for example, a value of 600000 is equivalent to 10 minutes.

4. Type a value that corresponds to the needs of the environment and click OK.

The server must be restarted for this change to take effect.

SQL Server-Related IMA Startup Issues

During the start phase, the IMA service attempts to connect to the SQL data store. If the connection to a SQL database fails, the IMA service continues attempts to connect for up to 60 seconds. This time limit ensures that retry attempts do not cause an excessive delay when starting the IMA service. The IMA service will start regardless of data store connection.

This functionality is new. Older versions of XenApp retried to connect to the data store up to 20 times. This caused IMA start-up delays for up to 15 minutes.

Server Load Uneven

When the results of QFarm /load indicate that the server load is grossly uneven, the solution is typically found within the Load Evaluator functionality.

By default, the default load evaluator is assigned to each new XenApp server. This load evaluatordesignates that the server will report full load at 100 users and load throttling is set to High,indicating that the server load is artificially increased significantly when a few users log on at thesame time. This prevents a multitude of users from being directed to a single server when it firstcomes into service.

In many cases, the default load evaluator is not appropriate for a production environments basedon XenApp 6.5 for Windows Server 2008 R2. In particular, many XenApp servers, whether basedon physical or virtual hardware, can support more than 100 user sessions. Most commonly, theadvanced load evaluator or a custom load evaluator are more appropriate for a XenAppenvironment.

A server-based load evaluator that is working incorrectly could be the result of either a loadevaluator applied to applications or inconsistent resource utilization for hosted desktops. Eventhough it is not recommended, you may apply load evaluators based on application. However, thismay skew the load evaluator results and cause server load to appear unbalanced. For example, if aload evaluator is applied to Visio, when users launch this application, the additional load metricsare applied, which may seemingly cause the load to appear incorrect. Any time that a load evaluatoris applied to an application, an additional column named App Load appears when QFarm /app isexecuted.

In addition, if a hosted desktop is presented to users, the CPU and memory resources consumed byeach user can vary considerably. For example, a user accessing a hosted desktop with a multitude ofgraphical applications will use more server resources than a user accessing a single session based onWord, for example. Where the default load evaluator is used, the weight of each session wouldappear equal, but it would not be from a resource perspective.

Server Not Accepting User Connections

Servers may not accept user connections for a variety of reasons. The most common reason is that logons have been prohibited on the server. Within the AppCenter, server logons can be prohibited in the following ways:

• Prohibit logons and reconnections

• Prohibit logons only

• Prohibit logons until server restart

The status is shown on the information pane under Logon Control Mode.

Logons can be disabled through Remote Desktop policies or the Change Logon command. PCM drain mode puts servers lower on the priority list. Unavailability of a XenApp server when modified like this would not be visible through AppCenter. Therefore, users may connect to a different server than the one they expected.

Logons may be intentionally disabled for an amount of time preceding a planned server restart by means of the Reboot logon disable time policy. Also, depending on the configuration of a custom load evaluator, it is possible that server logons are disallowed at all times or during specific time periods.

Health Monitoring Disallowing Logons

By default, Health Monitoring is enabled and will disallow logons for as many as 10% of the servers in the farm if the Ticket Test, which confirms functionality of the XML Service ticketing, fails. Any servers impacted would automatically be set to prohibit logons and connections to the server; however, any existing sessions continue to function. Any other Health Monitoring tests could also be configured to similarly prohibit new user logons.

To verify whether logons have been disabled as a result of Health Monitoring, execute Query farm /load. The logon mode will be shown within the output.

When this occurs, it is necessary to manually re-enable logons to the affected server or servers. This is done by right-clicking the server in the AppCenter and enabling logons.

Memory Leaks

A memory leak is a bug in a program that prevents it from freeing up memory that it no longer needs. Over time, this results in process growth in memory and slow operation. Eventually, the application fails or stops responding.

You may notice system services leaking memory and causing heap expansion in which a service process consumes more and more memory, sometimes up to 500 MB or 1.5 GB.

Server Troubleshooting Tools

Troubleshooting tools are discussed throughout the course, as appropriate. The DSRepCheck, Citrix License Check Utility, and CDF Tracing are additional tools that administrators often use when troubleshooting.

Additional troubleshooting tools are discussed in the CTX107572 Citrix article on the http://support.citrix.com web site.

Data Store Replication Check

DSRepCheck is a SQL replication test tool designed to troubleshoot issues with SQL immediate updating transactional replication. The tool is a script run through Query Analyzer and must be executed using Database owner permission.

For more information about DSRepCheck, see Citrix article CTX124815 on http://support.citrix.com.


Citrix License Check Utility

The Citrix License Check Utility verifies that a license of the specified type can be checked out from the license server. The following command tests for a XenApp Platinum CCU license:

CtxLicChk ctxlicsrv MPS_PLT_CCU

The output indicates whether a license of the specified type is available.

For more information about the License Check utility, see Citrix article CTX123935 on http://support.citrix.com.

CDF Tracing

The Citrix Diagnostic Facility is used to select components to trace, create trace logs, and collect system information. You can package the data and send it to Citrix Technical Support for further analysis and assistance. The Citrix Diagnostic Facility is an effective tool for troubleshooting many different aspects of the environment containing XenApp.

View support videos at http://blogs.citrix.com/2010/07/09/cdfmarker-different-scenarios-same-tool/ and http://www.citrix.com/tv/#videos/1593.

Providers are components that generate events or event trace messages. Depending on the type of issue you are troubleshooting, you need to select one or more of the over 300 CDF providers in XenApp.

The following utilities work with the Citrix Diagnostic Facility:

CDFControl: Captures and displays CDF trace messages that are output from the various Citrix tracing providers.

CDFAnalyzer: Processes and displays CDF traces.

CDFMarker: Sends a customizable CDF trace statement into a running CDF trace on either XenApp servers or XenDesktop Virtual Desktop Agents whenever a specific event occurs.

CtxTrace PowerShell cmdlets: Capture CDF trace messages.

• Get-CtxTraceProvider

• Start-CtxTraceSession

• Get-CtxTraceSession

• Stop-CtxTraceSession

For more information about CDF tracing, see the following Citrix articles on http://support.citrix.com:

• How CDF works: CTX117426

• CDFControl: CTX11961

• CDFAnalyzer: CTX12274

• CDFMarker: CTX124577

• CDF Tracing with PowerShell: CTX126987

• Identify large writes to the local host cache: CTX125634

• Troubleshoot application streaming issues: CTX113491

• Troubleshoot printing issues: CTX108338


Test Your Knowledge: Troubleshooting the XenApp Environment

1. Logon issues are often associated with which of the following two settings? (Choose two.)

a. License settings

b. Firewall settings

c. Desktop settings

d. Self-service settings

e. User profile settings

2. A user attempts to reconnect to an existing session from a new user device but receives an error message. Which of the following options is a possible reason for causing Workspace Control to not function correctly?

a. Receiver configuration

b. Internet Explorer security settings

c. XenApp exclusions of Workspace Control

d. Web Interface requires anonymous connections

3. If a resource availability issue arises in a virtualized environment where two XenApp servers are created through different server deployment methods, you should focus on any differences in the agents installed and whether any of these agents need to be excluded from XenApp virtual memory optimization.

a. True

b. False

4. Web Interface can be configured using which of the following options?

a. AppCenter

b. Merchandising Server

c. XenApp Management console

d. Web Interface Management console

5. Which of the following options can prevent the Citrix Receiver from installing on the user device?

a. The user device is not configured for XenApp

b. The Receiver download requires Flash on the user device

c. The user does not have administrative permissions on the user device

d. The XenApp administrator must configure the Receiver to be installed on the required operating system


Module 2

Scaling the XenApp Environment


Overview

Citrix XenApp 6.5 simplifies application management and provides scalability that increases cost savings and datacenter efficiency. A common task is to plan an enterprise XenApp farm and infrastructure for future growth and the flexibility to accommodate a larger-scale implementation.

XenApp provides the foundation for managing many servers within a single management scope. From this central point of management, XenApp administrators can oversee the configuration of XenApp servers in an environment and distribute Citrix Receiver to users for accessing virtual desktops and applications on any device.

After completing this module, you will be able to:

• Plan a XenApp farm for maximum scalability and flexibility.

• Expand the capacity of a XenApp farm with minimal manual work.

• Manage the configuration of XenApp servers.

• Distribute Citrix Receiver and plug-ins from a central location.

Time

• Module: 110 minutes

• Exercises (4): 75 minutes

• Total Time: 185 minutes

Break up the module as follows:

Day 1 Module content: 60 minutes

Day 2 Module content: 50 minutes

Exercises: 75 minutes


Farm Configuration Recommendations

A XenApp farm setup that is in accordance with the recommended farm configuration can improve the user experience and result in fewer help desk calls and reduced server downtime for maintenance and troubleshooting. XenApp farms using the recommended farm configuration also allow for maximum scalability and flexibility, accommodating future expansion needs.

Before you configure the farm, Citrix recommends the following:

• Create a segregated lab environment (one or two servers) and test your settings.

• Determine which, if any, applications will be delivered to users.

Associated tasks include the following:

• Perform testing to determine the method that will be used to deliver applications before configuring the farm.

• Determine the number of servers needed for applications.

• Perform testing on applications before implementing them in the environment.

• Review the network infrastructure design for the environment before farm configuration.

• Evaluate the number of servers needed for the farm and hardware requirements.

• Define the installation processes for applications and components.

• Create and test a pre-production pilot farm before releasing into production.

Farm Configuration Guidelines

During farm configuration, Citrix recommends the following:

• Configure a dedicated data collector and backup data collector.

• Configure off-site users to access applications through secure access, such as Citrix Access Gateway.

• Minimize the number of zones in the farm.

If all farm servers are in one location, configuring only one zone for the farm does not reduce performance or make the farm harder to manage. Use only one zone if possible.

• Access the AppCenter as a published application to administer the farm remotely.

By connecting to the console through an ICA session or RDP, the static and dynamic information is queried from the console locally, dramatically increasing the performance.

• Create separate worker groups based on Active Directory hierarchy.

• Assign policies to groups rather than individual users.

When policies are assigned to groups, assignments are updated automatically when users are added or removed from the group.


• When possible, keep RDS host configuration settings and Citrix policy settings consistent (enabled or disabled) for ease of troubleshooting.


Farm Scalability

Farm scalability determines the number of XenApp servers that can perform successfully together in a given environment. Scalability should be a strong consideration when planning, configuring, and maintaining a XenApp farm. Scalability for your environment is based on the ability to quickly add additional users, applications, and resources.

When planning for farm scalability, be aware of the amount of disk space that common XenApp objects consume. For example, ensure that your environment has enough disk space to handle a data store database that will grow in size.

Hardware requirements, whether virtual or physical, are another important part of farm scalability planning. Dual-processor or dual-core server deployments combine overall efficiency and a lower total cost of ownership. However, once a system has a dual-core processor, implementing additional processors does not necessarily increase server scalability linearly. Scalability gains level off when between 8 and 18 CPU cores are used.

Proper zone design is the most important factor in designing a well-performing, scalable farm. Zones should also be designed based on the network topology of the environment to ensure a scalable and resilient farm. Citrix does not recommend having more than one zone in a farm unless major datacenters are located in geographically distributed regions. Citrix regularly tests farm scalability based on one zone with 1,000 servers. The following diagram depicts the decision-making process for zone design.

For more information about zone replication traffic formulas, see Citrix article http://community.citrix.com/display/xa/The+Definitive+Guide+to+Zone+Design.

The following diagram depicts an environment containing multiple zones.


Figure 2-1: Multiple Zones

Once the farm is designed and configured, the delivery method for applications can affect scalability. For the most scalable delivery method, install applications on the server.

Finally, when maintaining a XenApp farm, you can enhance the performance and scalability of the farm by improving virtual memory utilization for a server using the Citrix memory optimization service. The service improves how DLLs are shared among applications running on the server, saving virtual and real memory. To enable memory optimization, configure the Citrix policy setting for Memory/CPU > Memory optimization and enable the feature. For more information about memory optimization, see the Deploying virtual memory optimization topic on Citrix eDocs at http://edocs.citrix.com.


Scripted Installation

With the increase in power management practices and cloud deployments, the size of XenApp farms and the farm users change with much greater frequency. Because of these changes in how infrastructure is managed, a scripted installation of XenApp is often more efficient than a manual installation when scaling the capacity of a XenApp farm.

Options for performing a scripted installation include the following methods:

• The XenApp Server Configuration Tool.

• The XenAppSetupConsole.exe utility on the command line.

For command-line installations, you must install the prerequisite software and Windows roles before initiating XenApp installation. On the server where you want to install XenApp or other roles, from the XenApp Server Setup\bin directory on the XenApp media, type the following at the command prompt:

XenAppSetupConsole.exe options_properties

Prerequisites can be deployed with PowerShell cmdlets, the Microsoft ServerManagerCmd.exe or the Microsoft Deployment Image Servicing and Management (DISM) tool.

• An answer file to respond to XenApp Setup prompts.

Performing an unattended installation with an answer file involves using the Windows System Image Manager tool. For more information about this tool, see technet.microsoft.com.

Once the answer file is created, you run the UnattendedInstall.exe utility from the command line, referencing your answer file, and the installation is performed using your instructions from the answer file.

• The XenApp 6 Service Provider Automation Pack, which can be downloaded at http://www.citrix.com.

The pack contains PowerShell scripts for the setup and configuration of a Windows 7 Desktop Experience for Desktop as a Service (DaaS) and a hands-free deployment of a complete XenApp farm.

For more information about scripted installation, see the following resources:

• Citrix eDocs at http://edocs.citrix.com.

• Citrix articles CTX124295 and CTX126471 on http://support.citrix.com.

• Citrix Developer Network located at http://community.citrix.com/p/cdn.

Unattended Installation and Configuration

You have the option of performing an unattended, scripted installation by using XenAppSetupConsole.exe at the command line. You can also perform an unattended, scripted configuration using the XenAppConfigConsole.exe utility. These utilities are in XenApp Server Setup\bin on the XenApp installation media.

For more information about specific syntax or help installing or configuring XenApp from the command line, see Citrix eDocs at http://edocs.citrix.com.

You can also run the utilities with the /? option to view the available commands.

Provisioning tools and disk imaging can also be used for XenApp installation and configuration. Startup scripts can install, configure, or modify a configuration of XenApp.

For more information about provisioning and imaging Citrix products, see the Provisioning services documentation on http://support.citrix.com.

To Script Installation of a XenApp Server

Copy the XenApp DVD to a shared location. This is the value of $xenapp_dvd.

Create a PowerShell script that contains the following instructions. The value of $xenapp_utilities is ${Env:ProgramFiles(x86)}\Citrix\XenApp\ServerConfig.

1. Disable the firewall.

netsh advfirewall set allprofiles state off

2. Add the necessary roles and restart the server.

servermanagercmd -install GPMC -restart
servermanagercmd -install AS-NET-Framework -restart
servermanagercmd -install RDS-RD-Server -restart

3. Install Citrix Receiver.

& "$xenapp_dvd\Citrix Receiver and Plug-ins\CitrixReceiverEnterprise.exe" /silent ADDLOCAL="ICA_Client,PN_Agent,SSON" SERVER_LOCATION=http://xenapp/Citrix/PNAgent/config.xml ENABLE_SSON="Yes" ENABLE_DYNAMIC_CLIENT_NAME="Yes" ENABLE_KERBEROS="No"

4. Install XenApp.

& "$xenapp_dvd\XenApp Server Setup\bin\XenAppSetupConsole.exe" /install:XenApp /exclude:XA_Console /Enterprise /logfile:c:\ctxsetup.log


5. Restart the server.

shutdown -r -t 0

The server is now an unconfigured XenApp server.

6. Join the server to the farm.

& "$xenapp_utilities\XenAppConfigConsole.exe" /ExecutionMode:Join /FarmName:"Your Farm Name" /LicenseServerName:YourLicenseServer.domain.local /LicenseServerPort:27000 /ZoneName:"Default Zone" /AddUsersGroupToRemoteDesktopUserGroup:True /AuthenticationType:sql /DsnFile:c:\sql.dsn /OdbcUsername:sqlusername /odbcPassword:sqlpassword /log:c:\joinfarm%1.log

7. Restart the server.

When it starts, it is joined to the farm and appears in AppCenter.
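The farm-join command in step 6 carries the SQL password in the script text. As an added example (not part of the course material), the same XenAppConfigConsole.exe call can take the password from a prompt at run time and stop on a failed join. The switches are the ones shown in step 6; the log file name and the treatment of a non-zero exit code as failure are assumptions.

```powershell
# Added example, not part of the course material.
# Runs the farm-join step with the data store password prompted for at run time
# rather than stored in the script file.
# Assumptions: the farm, license server, zone, DSN and SQL user values are the
# placeholders from step 6; the log file name is illustrative; a non-zero exit
# code from XenAppConfigConsole.exe is treated as a failed join.

$xenapp_utilities = "${Env:ProgramFiles(x86)}\Citrix\XenApp\ServerConfig"
$configConsole    = Join-Path $xenapp_utilities 'XenAppConfigConsole.exe'
$logFile          = "c:\joinfarm-$($Env:COMPUTERNAME).log"

if (-not (Test-Path $configConsole)) {
    throw "XenAppConfigConsole.exe not found in $xenapp_utilities. Install XenApp (step 4) first."
}

# Prompt for the SQL account; this script writes nothing secret to disk.
$credential = Get-Credential -Credential 'sqlusername'
$sqlAccount = $credential.GetNetworkCredential()

# The password travels as one command-line argument, so characters that break
# Windows argument quoting are rejected up front.
if ($sqlAccount.Password -match '"|\\$') {
    throw 'The password contains a double quote or ends with a backslash and cannot be passed safely.'
}

$joinArguments = @(
    '/ExecutionMode:Join'
    '/FarmName:Your Farm Name'
    '/LicenseServerName:YourLicenseServer.domain.local'
    '/LicenseServerPort:27000'
    '/ZoneName:Default Zone'
    '/AddUsersGroupToRemoteDesktopUserGroup:True'
    '/AuthenticationType:sql'
    '/DsnFile:c:\sql.dsn'
    "/OdbcUsername:$($sqlAccount.UserName)"
    "/odbcPassword:$($sqlAccount.Password)"
    "/log:$logFile"
)

# Each array element reaches the utility as one argument; PowerShell adds the
# quotes needed around elements that contain spaces.
& $configConsole $joinArguments
$exitCode = $LASTEXITCODE

# Drop the clear-text copies of the password as soon as the call returns.
$joinArguments = $null
$sqlAccount    = $null
$credential    = $null

if ($exitCode -ne 0) {
    throw "Farm join failed with exit code $exitCode. Review $logFile before retrying."
}

Write-Output 'Farm join completed. Restart the server (step 7) to finish joining the farm.'
```

The password still appears on the utility's command line while it runs, so this keeps it out of the script file and any share or repository holding the script, not out of process listings.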


Server Build Scripting

Following installation, a XenApp server can be prepared for imaging and provisioning before, during, or after configuring XenApp. A provisioned, clean base image of a XenApp server build can be used to expand the XenApp farm as necessary with little time spent installing and configuring.

Imaging and provisioning requires the XenApp Server Configuration Tool (SCT). The SCT contains an option in the user interface to Prepare a server for imaging and provisioning.

If an existing image requires updating, for example with a service pack or hotfix, the SCT provides extended wizard and command-line interfaces to re-seal the base image after the image restarts. The extended functionality includes an option to prepare the server for imaging and provisioning. You can also choose to remove the current server instance from the farm.

For more information about preparing a server for imaging and provisioning, see Citrix eDocs at http://edocs.citrix.com and Citrix article CTX124981 on http://support.citrix.com.

To Create a Base Image

1. Install the XenApp role only.

2. Run Sysprep to clear the unique Windows features and Active Directory account.

3. Shut down the server.

4. Run the cloning process for the hypervisor.


You can then use this cloned server as a Provisioning services vDisk, or use it to create new unique XenApp servers. You will still need to add the appropriate Windows server roles and join the server to the domain and XenApp farm. These tasks can be performed manually or with a script.


XenApp Server Templates

XenApp 6.5 enables template-based management of XenApp servers. A XenApp server template is a copy or image of the configuration settings for an existing XenApp server that can be reused for new servers. Instead of configuring individual servers, using templates simplifies common management tasks and eliminates unwanted configuration differences between servers in a farm.

You can assign XenApp servers to a designated Active Directory GPO or worker group, then create policies and apply them to all of the servers in that group. Once the GPO or worker group is created, policies are filtered to that group, and servers are assigned, you could add a XenApp server to this group and it would automatically configure the settings and publish the appropriate applications on that server.


Data Store Database Migration

Migration is the process by which the data store is switched from one database platform to another. Most database maintenance requires running the DSMaint and DSCheck server utilities on XenApp servers. The XenApp Server Utilities Reference, located in Citrix eDocs, contains syntax and use details. The DSMaint migrate and DSMaint config commands can be used to move the data in the data store to a different database server. For more information about the databases supported for Citrix product versions, see Citrix article CTX114501 on http://support.citrix.com.

Options and considerations for data store database migration include the following:

Moving from SQL Express to SQL Server: When planning for an increase in XenApp farm size or scope, a common task is migrating the data store to an enterprise-class database. For example, an organization that has implemented Microsoft SQL Express may decide to move to Microsoft SQL Server or another database technology such as Oracle. For more detailed information about data store migration between different database products, see Citrix articles CTX121888 and CTX123111 on http://support.citrix.com.

Clustering: High availability server clustering ensures that if a server fails, the virtual machines are automatically restarted on an alternate server without disrupting operations for users. This prevents a data store server failure from negatively impacting the XenApp environment. A server cluster is a group of independent servers running as a cluster service and working collectively as a single system. All servers in the cluster have a single identity and the data is consistent across nodes. Clustering software, such as Microsoft Cluster Service, keeps the application data updated on both servers and restarts the backup server in the event of a failure on the primary server. An option for configuring data store databases is to use clustering for increased redundancy. For more information about clustering, see Citrix article CTX124650 on http://support.citrix.com and www.microsoft.com.


Backup: You can create a backup copy of the data store by using the DSMaint backup command. Without a backup, you must manually recreate all of the farm policies, settings, accounts, and other persistent data in the data store if the data store is unavailable. For more information about backing up a data store database, see Citrix article CTX677542 on http://support.citrix.com.

When using a Microsoft SQL Server or Oracle database, consult the database server product documentation for scheduling automated backups of the data store. In most cases, daily backup is sufficient to prevent loss of farm data.

For WAN environments: Use database replication. Since data store access consists primarily of servers reading the information in the data store, and writing to the data store is infrequent, using database replication avoids high latency reads across the WAN.


Dedicated Data Collector

The performance of the data collector can be impacted by the number of users connected to the farm, the number of simultaneous logons, required load implementation, and the number of applications. For example, in large farms, heavily used data collectors can become overloaded while performing logon utilizations. This problem is caused when the data collector worker threads are overworked by processing IMA maintenance items such as IMA pings, gateway updates, and load updates while also performing utilizations.

In large farms, higher IMA traffic may impact the overall farm performance because users' sessions might not be distributed evenly. Indications that a dedicated data collector is strongly needed include slow enumeration, connection to applications, and application display.

Large farms are defined as farms containing more than 100 XenApp servers.

Be aware of the following considerations for configuration of a dedicated data collector:

• Only XenApp controller servers can become data collectors.

• A dedicated data collector and a backup data collector are recommended for large farms. A dedicated data collector is a XenApp controller server with the sole responsibility of communicating with other servers and data collectors in the environment; it does not host applications. This configuration speeds up load balancing decisions and improves session logon time while providing sufficient capacity for future growth and redundancy across the XenApp environment.

• The decision to use a dedicated data collector should be based on the size of the environment and a thorough design.

• The backup data collector should be configured to handle a lighter load on a daily basis, thereby avoiding an overload in the event it becomes the data collector.

• A dedicated data collector typically hosts AppCenter and is the primary server for the Citrix XML Service.

• Small farms do not require a dedicated data collector.

Use AppCenter to set the election preference of the primary data collector to Most Preferred and the backup data collector to Preferred.

For more information about dedicated data collectors, see Citrix article CTX126335 on http://support.citrix.com.


Web Interface Planning

Planning for a new XenApp farm or an increased size farm will likely involve Web Interface. A question to consider is whether the servers in the environment can support additional users or CPU allocation. When planning for the Web Interface, plan for the server hosting the Citrix XML service, which determines which applications appear in the Web Interface based on user permissions. The XML service is the real challenge in Web Interface scalability, as Web Interface version 5 or later automatically scales to IIS specification.

If the organization is scaling the XenApp environment for a larger environment, Citrix recommends the following:

• Configure the XML service on data collectors or dedicated servers. In very large farms containing more than a few hundred servers, use a dedicated server for the XML service. Otherwise configure the XML service on a data collector.

• Run the Web Interface on dedicated web servers with the most recent version of Web Interface installed.

• Always deploy two Web Interface servers for redundancy.

• Web Interface is best located on the internal network with the XML service. However, the Web Interface can also be located in the perimeter network in certain configurations containing Secure Gateway. Shielding the XML service from the external Internet protects the XML Service and the farm from security threats.

• Use a hardware load balancer if possible, such as Citrix NetScaler, which contains intelligent monitoring of Web Interface availability and the XML service.

For more information about Web Interface planning and design, see Citrix eDocs at http://edocs.citrix.com and Citrix articles CTX126335 and CTX129106 on http://support.citrix.com.


Delivery Services

Citrix Delivery Services authenticates users of Citrix Receiver with the Citrix Self-service Plug-in to XenApp farms. The resources available are enumerated and aggregated by Delivery Services into stores that are displayed in the self-service view of Citrix Receiver. The Delivery Services database records details of user subscriptions and resource shortcuts to enable application synchronization.

Delivery Services includes the following features:

Authentication Service: Communicates with XenApp farms to authenticate users. Once user credentials are validated, the Authentication Service handles all subsequent interactions with the servers to ensure that users do not need to log on again.

Stores: Delivery Services stores enumerate the resources available to each authenticated user from XenApp farms and send the results to the Citrix Receiver self-service view. Stores are also responsible for recording and retrieving user application synchronization data and passing the information to the self-service view so that any differences can be resolved.

Application synchronization: Subscribed resources follow users from one Windows system to the next, so that they do not need repeatedly to make the same changes each time they use a different Windows system. When a user adds, removes, renames, or moves a resource in a store with application synchronization enabled, details of the change are recorded in the store. Subsequently, whenever the user accesses the store from a different device running Citrix Receiver with the Citrix Self-service Plug-in for Windows, the same changes are automatically applied to the new device.

Integration with Citrix Online products: Delivery Services stores can be configured to include Citrix Online products, such as GoToMeeting, GoToWebinar, and GoToTraining, along with the other resources. When users subscribe to a Citrix Online product, the associated client application is installed locally. Where Citrix Online accounts are not already available, users can be prompted to set up a trial account or to request an account from the IT department.


Citrix Delivery Services Management console: The Citrix Delivery Services Management console is a Microsoft Management Console (MMC) 3.0 snap-in that enables you to create and configure stores and the Authentication Service hosted on Delivery Services. The Citrix Delivery Services Management console enables you to perform day-to-day administration tasks quickly and easily.

For more information about Delivery Services, see Citrix articles CTX128041 and CTX129385 on http://support.citrix.com and Citrix eDocs at http://edocs.citrix.com.


XenApp and XenDesktop Integration

Integrating XenApp with a XenDesktop implementation provides the flexibility of separating applications from the desktop, thus reducing the number of desktop images to be managed.

For integrating XenApp together with XenDesktop, Citrix recommends the following:

• Do not install XenApp and XenDesktop on the same server. The XenDesktop Controller cannot co-exist on the same server as XenApp.

• Calculate network impact and ensure that sufficient bandwidth is available.

• Use separate databases for XenApp and XenDesktop.

XenApp and XenDesktop cannot share the same database; however, the XenApp data store andXenDesktop site database can reside on the same server.

• Implement a thoroughly planned profile management strategy to manage user personalizationsettings.

Depending on the environment, it might be necessary to use separate organizational units(OUs) for each published application that creates Citrix user profile data. The profilemanagement strategy may also contain plans for handling folder redirection, group policies,and persistence.

• Implement an application virtualization strategy for delivering applications to virtual desktopswith XenDesktop, along with the XenApp environment. For example, the diagram shows thethree main options for application deployment in a XenDesktop environment. In the firstvirtual desktop, the application is installed on the master image; in the second desktop, theapplication is streamed from XenApp to the local hard disk; in the third desktop, theapplication is available as a hosted application from XenApp.

For more information about integrating XenApp and XenDesktop, see Citrix article CTX126190 onhttp://support.citrix.com.

For training on integrating XenApp and XenDesktop, attend the virtualization architect Citrixcourse. Find schedule information at http://training.citrix.com.


Delivery Services can be used in the first phase of integrating XenApp with XenDesktop. You need to create a link into the XenApp environment so XenDesktop users can receive their applications without requiring numerous authentications.

To Integrate XenApp with XenDesktop Using Delivery Services

1. Create a new XenApp Services site as a dual-mode streaming site on the Web Interface server currently used for the XenApp environment.

2. Set up the XenApp Services site with the appropriate XenApp farm configuration, allowing the site to enumerate and launch hosted and streamed applications to the virtual desktop.

3. Configure the authentication for the site correctly to eliminate repetitive authentications for the users. The site should be configured with pass-through authentication, utilizing the user credentials entered into the initial Web Interface site for the virtual desktop launch.


XenApp and Provisioning Services Integration

Integrating Citrix Provisioning Services into a XenApp environment enables organizations to realize several benefits, including:

• Consistency in the configuration of XenApp servers

• Ease of maintenance and updating of servers

• Dynamic capabilities and reduced time spent re-imaging and re-building servers

• Greater scalability

• Simplified disaster recovery

Organizations can take advantage of these benefits to successfully expand the capacity of the XenApp farm. However, before implementing Provisioning services, or when you are preparing to implement Provisioning services, Citrix recommends the following:

• Build a valid and stable XenApp server image to provision.

• Build servers utilizing the provided Windows 2008 R2 optimized template.

Windows virtual machines can be installed by cloning an appropriate template using Citrix XenCenter or from the command line. The Windows Server 2008 R2 (x64), optimized for Citrix XenApp, can be used to install all editions of Windows Server 2008 R2 64-bit, and the template is specifically tuned to optimize XenApp performance.

• Run the XenApp Server Role Manager and select Edit configuration.

This opens the Server Configuration Tool where an option exists for preparing a server for imaging and provisioning.

• Install the Provisioning services role and Provisioning services Target Device on separate servers.

The Provisioning services Target Device software resets your network connection during installation. As a result, environments may experience interface failures and other issues if the Provisioning services component is installed from a remote location.

• If hosted applications vary based on worker groups, create a distinct vDisk for each. However, be aware that the number of unique vDisks streamed simultaneously greatly affects scalability.

• Do not stream Provisioning services targets across a WAN.

For more information about these recommendations, see Citrix articles CTX120513 and CTX116063 on http://support.citrix.com.


XenApp and Merchandising Server Integration

Along with Citrix Receiver, Citrix Merchandising Server is recommended for an enterprise XenApp environment.

Citrix Receiver and Citrix Merchandising Server are components of the Citrix Delivery Center solution. While Citrix Delivery Center provides the application delivery infrastructure to the IT administrator, Citrix Merchandising Server and Citrix Receiver streamline the installation and management of application delivery to the user desktops. Citrix Receiver and Citrix Merchandising Server provide two very important features. First, the Merchandising Server allows you to configure, deliver, and upgrade plug-ins for your users. Second, Citrix Receiver manages all the operations of its managed Citrix plug-ins for your users.

Merchandising Server is packaged as a virtual appliance image. The virtual appliance image includes the operating system and other components required to deliver plug-ins to your clients. The image is installed as a virtual machine on your XenServer or VMware server virtualization infrastructure. Merchandising Server uses HTTPS to provide secure connections for data transfer protection.

Rules within Merchandising Server control client distributions and updates. You can configure rules based on user, group, operating system, machine name, or IP address range. You then determine how the clients are distributed based on these rules.

The Merchandising Server manages the complete process of application delivery by performing the following functions:

• Retrieves user and group information from your corporate Active Directory, loads them into its database, and uses this data to manage users

• Creates tokens for user authentication to ensure security while minimizing interruptions to the user

• Polls the Citrix Update Service for plug-in updates and presents them to you through Administrator Console

• Broadcasts plug-ins to your users and groups according to the configuration and schedule you define

Merchandising Server Citrix Recommendations

The following Citrix recommendations allow you to deploy and update clients to various user devices most effectively:

• Configure LDAP to communicate with an Active Directory server in the domain.

Connecting to Active Directory populates the user database, which provides the ability to assign clients to various user groups.


• Enter support e-mail, web site, phone number, and GoToAssist information for the support desk in Merchandising Server options.

This information is provided to users when they experience client issues.

• Set an appropriate polling interval to determine how often clients will broadcast for updates.

The appropriate interval depends on how often the majority of your users are connected to the LAN.

• Configure two internal beacon addresses. The user device uses the internal beacon address to determine if it is connected to a domain.

• Configure the first internal beacon address with the FQDN of the domain (not an individual domain controller).

• Configure the second internal beacon address with an HTTP probe to the FQDN of the Merchandising Server.

• Only provide the FQDN of services that are accessible on Port 80; SSL is not supported.

• Control distribution primarily using the operating system rule.

This rule allows you to separate the clients for the appropriate user device. Control distribution by user groups when there are different sets of requirements for different departments or offices.

Troubleshooting Merchandising Server

Communication issues can cause clients to be deployed improperly or can cause issues with client connectivity. Several tools can be used to assist in troubleshooting.

• Configure logging of delivery and deployment issues to focus only on the users or groups experiencing an issue.

• Ensure that the %ProgramFiles%\Citrix\Receiver\Receiver.cfg is updated with the new Merchandising Server address if the location is changed. Changes to the server location can interrupt the delivery of plug-ins to your client.

• Capture and analyze network traffic to determine if there is an issue with broadcast traffic.

• Verify that DNS is functioning properly on the client.

To trigger the retrieval of client log files, in the Merchandising Server Console select Reports > Trigger Log Collection.

To view client log files, in the Merchandising Server Console select Reports > Log Files.


Test Your Knowledge: Scaling the XenApp Environment

1. Which of the following options is not a recommendation or guideline for configuring your XenApp farm for maximum scalability?

a. Create a new zone for each group of users.

b. Assign policies to groups rather than individual servers.

c. Create and test a pre-production pilot farm before releasing into production.

d. Review the network infrastructure design for the environment before farm configuration.

2. In which management console or tool can you prepare a XenApp server for imaging and provisioning?

a. AppCenter

b. XenApp Server Role Manager

c. Web Interface Management Console

d. XenApp Server Configuration tool

3. True or False: Any XenApp server can function as the data collector.

a. True

b. False


Module 3

Creating Farm Redundancy


Overview

Advanced administrators of Citrix XenApp need to adequately address single points of failure in a Citrix environment and avoid them if possible. Sufficient redundancy is necessary to ensure that users can access their applications, desktops, or content without interruption. The importance of the application to the business dictates the level of redundancy required, including additional infrastructure and disaster recovery.

A greater risk to availability exists in virtualized environments. Users require infrastructure availability and IT must provide end-to-end availability focusing on applications, desktops, fault tolerance, high availability, and disaster recovery. To avoid outages, examine all possibilities for redundancy.

After completing this module, you will be able to:

• Identify and mitigate single points of failure in an existing XenApp farm.

• Load balance across multiple instances of a service.

• Integrate technologies that increase fault tolerance.

Time

• Module: 70 minutes

• Exercises (3): 65 minutes

• Total time: 135 minutes

Less experienced students have required additional time to complete these exercises.


Eliminating Single Points of Failure

A single point of failure in a XenApp environment is when a single component fails and prevents users from accessing resources. Single points of failure can undermine an otherwise successful implementation of XenApp. Redundancy needs to be incorporated into the XenApp environment for users to successfully access their resources in the event of an individual failure.

While virtualization technologies enable virtual servers to be moved automatically to another physical server, this is not a total redundancy solution. Where individual servers fail due to blue-screens or other software-related issues, a sufficiently redundant environment ensures that users continue accessing resources.

In most environments, it is advisable to follow these guidelines for eliminating single points of failure:

Deploy XenApp resources to two or more session host-only servers: Regardless of your virtualization infrastructure, you should always deploy XenApp resources to two or more session host-only servers to ensure failover and that users have access to resources.

Deploy XenApp components based on two or more servers: You should also deploy XenApp components based on two or more servers—in particular the Web Interface servers, XML brokers and XenApp controller servers—to mitigate single points of failure.

XenApp controllers, in contrast to session host-only servers, need to be configured to fail over to another server in the farm. If multiple zones are used, you should have two or more controllers for each zone in the farm to ensure failover.

License Server failover: Redundancy surrounding the license server is less important from a failover perspective, because the license server functionality automatically fails over to the individual servers for a 30-day grace period.

Data store failure: While the farm can continue operating without data store availability, no configuration changes will update in the data store during an outage. Depending on the environment, a brief failure may be acceptable or database clustering may be required.

Web Interface failover: With a separate farm, the same resources are published and delivered to the same users. The disaster recovery farm mirrors the production farm. If Web Interface servers with the same configuration are used, the additional farm should be added under the farms setting. Further, within the WebInterface.conf file, use the RecoveryFarm parameter to designate the recovery farm. In addition, the Suppress Duplicate Resources parameter should be used to hide resources with the same name. This functionality must be configured within the WebInterface.conf file as it is not present in the administration interface.

Access Gateway failure: If your environment includes Access Gateway, a redundant configuration is highly recommended. If Access Gateway fails, users cannot access any resources. Inherently, when Web Interface and Access Gateway are employed, a single Secure Ticket Authority (STA) is used for the session ticket for each user session. The STA functionality is embedded within the Citrix XML Service. While this is not an issue in most cases, there are instances, due to network traffic or other reasons, that the STA check cannot be processed, and the user connection will fail. To avoid this, explicitly enable CSG_UseTwoTickets within the WebInterface.conf file.

Another option is to configure this in the Web Interface Management Console. After selecting a Web Interface site in the middle pane, edit the Secure Access settings. In the Specify Gateway Settings menu, check the Request tickets from two STAs, where available option.

Malfunctioning Servers

Beyond eliminating single points of failure, ensure that servers do not appear to be functioning correctly when they are not. By configuring Health Monitoring policies, issues such as an improperly functioning print spooler or logon failures can be identified. The policies can be configured to prevent new users from being directed to malfunctioning servers.

By default, four Health Monitoring tests are included within the Computer > Server Settings > Health Monitoring and Recovery > Health Monitoring tests policy. These tests are:

• Citrix IMA Service test


• Logon Monitor test

• Ticketing test

• Terminal Services test

By opening this policy and selecting Add Citrix, six additional tests can be added:

• Check DNS test

• Check LHC test

• Check XML Threads test

• MS Print Spooler test

• ICA Listener test

• Citrix Print Manager Service test

By default, all of these tests use the "alert only" recovery action, with the exception of the ticketing test, which prohibits logons and connections to the server. When the maximum percent of servers with logon control has been exceeded, which is 10 percent by default, logons and connections will not be prohibited. Additional recovery action options include shut down IMA service, restart IMA service, and restart server.

Where alerts are enabled for the Health Monitoring tests, these alerts are generated through Citrix Service Monitoring (EdgeSight). If Citrix Service Monitoring is not implemented within your environment, alternative recovery actions should be selected.

By selecting the full array of tests available and customizing the recovery action for the environment, you can identify and address servers that appear to be healthy, but are functioning improperly.
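
The default recovery actions and the 10 percent logon-control cap described above can be modelled to see which failing servers keep receiving users. This Python sketch is an added illustration, not Citrix code or part of the course material; the function names, the server names, and the rounding of the cap (farm size times the percentage, rounded down) are assumptions.

```python
ALERT_ONLY = "alert only"
PROHIBIT = "prohibit logons and connections"

# Recovery actions as this section describes the defaults: every test only
# alerts, except the ticketing test, which takes the server out of rotation.
DEFAULT_ACTIONS = {
    "Citrix IMA Service test": ALERT_ONLY,
    "Logon Monitor test": ALERT_ONLY,
    "Ticketing test": PROHIBIT,
    "Terminal Services test": ALERT_ONLY,
    # The six optional tests added through "Add Citrix".
    "Check DNS test": ALERT_ONLY,
    "Check LHC test": ALERT_ONLY,
    "Check XML Threads test": ALERT_ONLY,
    "MS Print Spooler test": ALERT_ONLY,
    "ICA Listener test": ALERT_ONLY,
    "Citrix Print Manager Service test": ALERT_ONLY,
}

REMOVED = "removed from rotation"
CAPPED = "in rotation: logon-control cap reached"
ALERTED = "in rotation: alert raised"
SILENT = "in rotation: no alert delivered"


def evaluate(total_servers, failures, actions=DEFAULT_ACTIONS,
             max_percent=10, monitoring_deployed=True):
    """Map each failing server to what happens to it.

    failures is a list of (server, test) pairs in detection order.
    Assumption of this model: the cap is total_servers * max_percent / 100,
    rounded down, counted in servers.
    """
    cap = total_servers * max_percent // 100
    outcome = {}
    removed = 0
    for server, test in failures:
        if outcome.get(server) == REMOVED:
            continue  # already out of rotation, nothing more to decide
        if actions[test] == PROHIBIT:
            if removed < cap:
                outcome[server] = REMOVED
                removed += 1
            else:
                outcome[server] = CAPPED
        elif server not in outcome:
            # Alert-only tests depend on Citrix Service Monitoring being deployed.
            outcome[server] = ALERTED if monitoring_deployed else SILENT
    return outcome


def broken_but_serving(outcome):
    """Servers that failed a test yet still accept new users."""
    return sorted(s for s, state in outcome.items() if state != REMOVED)


def sample_failures():
    """Constructed input: four ticketing failures and one print spooler failure."""
    return [
        ("XA01", "Ticketing test"),
        ("XA02", "Ticketing test"),
        ("XA03", "Ticketing test"),
        ("XA04", "Ticketing test"),
        ("XA05", "MS Print Spooler test"),
        ("XA02", "Check DNS test"),
    ]


if __name__ == "__main__":
    for deployed in (True, False):
        result = evaluate(30, sample_failures(), monitoring_deployed=deployed)
        print("monitoring deployed:", deployed)
        for server in sorted(result):
            print("  ", server, "->", result[server])
        print("   still serving while broken:", broken_but_serving(result))
```

In the constructed 30-server farm the fourth ticketing failure stays in rotation because three servers already use the logon-control allowance, and the print spooler failure goes unreported when Citrix Service Monitoring is absent.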


Business Continuity

Business continuity requirements are important to consider when you are operating or designing a XenApp environment. While configuring redundancy addresses single points of failure in a farm, business continuity planning is necessary to ensure that users can access the necessary resources despite a major service interruption due to a natural disaster such as a fire, flood, or earthquake.

For complete business continuity, an additional datacenter location is required to handle the load of traffic from users. Your organization needs to evaluate whether the entire load of user traffic will be supported for business continuity, or if only a specific portion of the farm resources should be made available.

When setting up an additional location, backend databases will be required. For example, if Microsoft Outlook will be published as an application in the backup location, an Exchange server must be available.

Determining the extent of configuration for business continuity is a business and technical decision that requires strategic planning. However, in many situations, organizations require 100% redundancy for their XenApp farm in order to avoid disruption of daily business operations.

XenApp Site Redundancy

There are several methods for implementing a business continuity solution for the XenApp environment. A completely replicated XenApp site can be created in the additional datacenter. In this solution, organizations need to determine whether they want to use an additional farm, zone, or worker group. Either the farm or worker group option should be selected because adding a zone increases the amount of intra-zone communications within a farm and may have a negative impact. When using XenApp 5 and earlier, additional zones were required as part of the Zone Preference and Failover policy. Using worker groups removes the need to create an additional zone for this purpose.

Business Continuity Example

For example, Company XYZ determines that its business continuity plan is best implemented by means of two distinct XenApp farms. A datacenter in Miami is established, and server resources are allocated to 100% of the production farm so that users can access the XenApp farm in Miami in the event that the Los Angeles XenApp farm is unavailable. In order to consolidate both farms with Web Interface and hide the disaster recovery farm and its applications from users, the RecoveryFarm and SuppressDuplicateResources parameters within the WebInterface.conf file should be designated within the Web Interface servers at both locations. When the primary farm in Los Angeles is unavailable due to a water main break, users will access resources in the Miami datacenter.


Worker Group Preference and Failover

The worker group feature of XenApp can help with disaster recovery and business continuity. You can configure Worker Group Preference and Failover in the AppCenter through load balancing policies. Using this feature, you can specify that if servers in a worker group go offline, XenApp will redirect user connections to a backup worker group.

A worker group preference list can be used to ensure that users are directed to the appropriate servers. You can prioritize worker groups (example: 1 is the highest priority) and when users request an application or desktop, the load balancing policy, which is applied to a worker group using a filter, directs it to a server in the highest priority worker group first. If the highest priority worker group is at maximum capacity, then the next highest priority worker group (example: 2) accepts the connection.

Worker Group Preference is helpful for farm redundancy and disaster recovery because you can designate user groups for worker groups. For example, if your organization has offices in London, New York, and Sydney and the London site fails, users are directed to the New York farm for resource access. It is not necessary to configure multiple zones.
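
The preference-list behaviour described above, together with the earlier guideline of keeping two or more session host servers available, can be traced with a small model. This Python sketch is an added example, not Citrix code or part of the course material; the load index scale, the server names and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FULL_LOAD = 10000  # assumed load index meaning "at maximum capacity"


@dataclass
class Server:
    name: str
    load: int = 0        # current load index, 0..FULL_LOAD
    online: bool = True

    def accepts_sessions(self) -> bool:
        return self.online and self.load < FULL_LOAD


@dataclass
class WorkerGroup:
    name: str
    priority: int        # 1 is the highest priority
    servers: list = field(default_factory=list)

    def candidates(self):
        """Servers in this group that can take a new session right now."""
        return [s for s in self.servers if s.accepts_sessions()]


def pick_server(groups):
    """Walk the preference list; return (group, server) or None if nothing can accept."""
    for group in sorted(groups, key=lambda g: g.priority):
        usable = group.candidates()
        if usable:
            # Least-loaded server wins; the name breaks ties so results repeat.
            best = min(usable, key=lambda s: (s.load, s.name))
            return group.name, best.name
    return None


def redundancy_gaps(groups, minimum=2):
    """Worker groups with fewer than `minimum` servers able to take sessions."""
    return [g.name for g in sorted(groups, key=lambda g: g.priority)
            if len(g.candidates()) < minimum]


def build_farm():
    """Constructed sample: London preferred, New York as the backup worker group."""
    london = WorkerGroup("London", 1,
                         [Server("LON-XA01", 4200), Server("LON-XA02", 3100)])
    new_york = WorkerGroup("NewYork", 2,
                           [Server("NYC-XA01", 1500), Server("NYC-XA02", 900)])
    return [new_york, london]  # list order is irrelevant, priority decides


if __name__ == "__main__":
    farm = build_farm()
    london = next(g for g in farm if g.name == "London")
    print("normal:", pick_server(farm), "gaps:", redundancy_gaps(farm))

    london.servers[1].load = FULL_LOAD   # LON-XA02 reaches maximum capacity
    print("one London server full:", pick_server(farm), "gaps:", redundancy_gaps(farm))

    london.servers[0].online = False     # LON-XA01 goes offline as well
    print("London unavailable:", pick_server(farm), "gaps:", redundancy_gaps(farm))
```

The second scenario is the one to watch for in monitoring: connections still land in London, but the group is already down to a single usable server before any failover happens.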

Microsoft SQL Server Fault Tolerance

Microsoft Clustering is supported for recovery of data stored in a Microsoft SQL Server database, such as the data store. Where clustering is used, SQL Server is installed on both servers in the cluster and if the primary node fails, the secondary node is immediately made available. Microsoft SQL Replication and SQL mirroring can also be used for disaster recovery of SQL Server databases across multiple locations. For more information about clustering, see Citrix article CTX124650 on http://support.citrix.com and Microsoft article 254321 at http://support.microsoft.com.


Load Balancing

XenApp load balancing policies can be used to direct users to a backup server in the event of an outage, or to direct users to the least-loaded server for the optimal experience. Load-balancing policies can also route a specific group of users to a group of dedicated servers.

Other options for load balancing XenApp include filtering load balancing policies by user name or IP scheme, for users in different geographical areas. In a distributed farm, the load balancing policies you implement can mimic the Global Server Load Balancing feature of Citrix NetScaler by connecting users to the server located closest to their location.

LBDiag

The LBDiag utility simulates a user launching an application. The output of the command describes the result of the load balancing process for specified applications, servers, domains, users, and groups. The following command calculates the load balancing policy for user TestUser launching the Notepad published application:

LBDiag Notepad /User TestUser /Pass Password1 /Domain CCH /ClientName TestClient /ClientIP 10.2.0.42

LBDiag can also be used to verify the load balancing configuration of your farm. For more information about LBDiag, see Citrix article CTX124446 at http://support.citrix.com.


XenApp and NetScaler Integration

Integrating XenApp and Citrix NetScaler can increase fault tolerance for your environment by combining server load balancing and global server load balancing.

In a XenApp environment, Web Interface can be integrated with NetScaler. Some advantages of integrating Web Interface with NetScaler include the following:

• Redundancy with load balancing of the XML service and Web Interface servers.

• Security when Web Interface runs on the hardened platform of NetScaler.

• Increased performance with NetScaler SSL offload.

A three-phase approach for integrating NetScaler in a XenApp environment is possible.

• Phase 1. Configure NetScaler to load balance the Web Interface, XML service, and Access Gateway.

• Phase 2. Reconfigure Access Gateway, the XML service, and the secure ticket authority to use the server load balancing completed in phase 1.

• Phase 3. Enable multisite fault tolerance with NetScaler Global Server Load Balancing (GSLB).

A consideration for integrating XenApp or Web Interface with NetScaler is that DNS round robin will not function with Web Interface. Also, data collectors cannot be load balanced with NetScaler.


For more information about XenApp and NetScaler integration, see Citrix article CTX117934 on support.citrix.com, and the Citrix Synergy presentation "Guaranteeing 100% Availability to Scale for XenDesktop and XenApp" at http://www.citrix.com/tv/#videos/4179.

For training on global server load balancing, attend the Citrix NetScaler course. Find schedule information at http://training.citrix.com.

Web Interface for NetScaler is available as a general availability feature of NetScaler version 9.3, but requires the use of NetScaler MPX or VPX with nCore. Web Interface version 5.4 or later is supported. For more information about NetScaler version 9.3, see the downloads page at www.citrix.com.

Cloudbursting

One method of disaster recovery is cloudbursting, or the storage of all farm components and data in the datacenter and replicating it in a cloud, or virtual, environment. A link is required using an IPSec tunnel. Citrix CloudBridge is a solution that can be used to provide access across private and public clouds. For more information about CloudBridge, see http://www.citrix.com.


Test Your Knowledge: Creating Farm Redundancy

1. True or False: An additional datacenter location is required for business continuity in all XenApp environments.

a. True

b. False

2. A worker group preference list is used for what purpose?

a. To assign users to groups

b. To increase the scalability of the farm

c. To ensure that users are directed to the appropriate servers

d. To set the preference and failover for servers in farms with multiple zones

3. Which is NOT an advantage of integrating Web Interface with Citrix NetScaler?

a. DNS round-robin

b. Increased security

c. Increased performance

d. Redundancy by load balancing the XML service and Web Interface servers


Module 4

Maintaining the XenApp Environment


Overview

Through ongoing monitoring of performance, usage, overall server health, and data storage, you can more effectively maintain the XenApp environment, including identifying demand for additional resources before it negatively impacts the user experience.

After completing this module, you will be able to:

• Manage the life cycle of XenApp farms and servers.

• Recover a farm after data loss.

• Ensure the continued health of controllers.

• Ensure the continued health of session hosts.

Time

• Module: 50 minutes

• Exercises (4): 55 minutes

• Total Time: 105 minutes

Less experienced students have required additional time to complete these exercises.


Farm Setting Migration

Migration is the process of moving XenApp farm settings from one farm to another farm with a newer version of XenApp installed. For example, when moving from a XenApp 5 farm to XenApp 6.5, migration is necessary because mixed farms and direct upgrades (installing a new version over an existing version) are not supported in XenApp 6 or later. The target is a new farm with a new data store; the original farm remains intact.

You cannot upgrade a XenApp 6.0 server role to a XenApp 6.5 server role. For more information about installation and migration, see Citrix eDocs at http://edocs.citrix.com.

Before performing a migration, the XenApp server role must be installed on one or more Windows Server 2008 R2 or Server 2008 R2 SP1 servers using the XenApp 6.5 installation media. The XenApp Server Configuration Tool is then used to create a new farm or join servers to the new farm. If the source farm is XenApp 5, it must be running XenApp 5 for Windows Server 2003 with Hotfix Rollup Pack 5 (HRP5) or XenApp 5 for Windows Server 2008.

Once the new XenApp 6.5 farm is created, the XenApp Migration Center, installed with the product, facilitates the exporting of settings from a XenApp 5 or XenApp 6 farm into a new XenApp 6.5 farm. Migration Center provides an easy-to-use wizard interface that guides you through the various steps required for migration. Migration Center provides two options for migrating settings: direct and indirect.

• The direct option exports the settings in one step from the source farm to the XenApp 6.5 farm.

Direct is the default and recommended option, and it requires that the same administrator account is valid in both environments.

• The indirect option exports settings to XML files from the source farm for later import to the XenApp 6.5 farm.

The indirect option allows you to manually fix the contents of the XML files, for example, application names and user accounts. By tracking the changes, you can record differences between the legacy farm and the new farm.

Another option for migrating is to use the PowerShell migration cmdlets. The PowerShell commands provide the ability to import all objects or values from the source farm or to selectively include or exclude specific objects. It is also possible to use both the Migration Center graphical user interface and PowerShell interfaces as part of a single migration. The primary cmdlet is Set-XAMigrationOption.

For more information about requirements for migration and PowerShell migration cmdlets, see Citrix eDocs at http://edocs.citrix.com.

For more information about migration, see the following Citrix articles on http://support.citrix.com:

• XenApp 6.5 migration guide: CTX130888

• XenApp 6.0 to 6.5 upgrade utility: CTX130614


Farm Setting Migration Inclusions and Exclusions

Many farm settings can be imported into the data store of the new XenApp farm, including the following:

• Applications

• Application and server folders

• Load evaluators

• Policies configured with XenApp management

• Server settings

• Farm settings

• Farm administrators

• HMR tests

• Session printers

Farm settings can also be transferred into a single worker group using the Migration Center.

The following settings are not transferred:

• Zones

• Printer drivers and related settings

• Configuration logging

• Server registry settings

• Citrix policies that are configured in Active Directory using the Group Policy Management Console

Recommendations for Farm Setting Migration

For migration, Citrix makes these recommendations:

• Document and test a design as part of the project plan.

• Gather and incorporate feedback from all stakeholders.

• Verify that the policies to migrate are appropriate for the new farm; if they are not appropriate, remove them.

• Use a segregated lab environment to systematically test the planned implementation.

For example, when using the XenApp Migration Center to import settings from a XenApp 5 farm, verify the farm settings within a lab environment before putting them in production.

• Perform migration during a maintenance period where no users are connected to the XenApp farm.

• Back up the data store and other critical data before performing migration.


• If the source farm uses file type associations for published applications, ensure that they are updated by running the Update file types from registry option in AppCenter before migration.

• Run the DSCheck command on the source farm to ensure consistency.

Post-Migration Tasks

Post-migration tasks include the following:

• Attach load evaluators to servers.

• Associate application folders with published applications.

• Associate servers or OUs with worker groups.

• Assign server objects to folders.

• Assign zones.

• Configure printer settings.

• Enable configuration logging within the new farm.

• After migrating a 32-bit XenApp 5 farm, rebuild profiled applications to enable streamed-to-server applications to launch.

XenApp Server Renaming

Although it is possible to rename a XenApp server, Citrix recommends installing XenApp on a new server, adding the new server to the farm, and removing the old server from the farm.

Once the server is removed from the farm, disconnect the server from the network. Do not reconnect the server to the network until you re-image it or remove its XenApp software. If it reconnects to the network, it can corrupt the farm.

To repair any consistency errors in the data store that may have been caused by removing servers, run the DSCheck command on the data store.

If you plan to reuse the server hardware, perform a clean installation (not an upgrade) of the operating system and a clean installation of XenApp.

For more information about renaming XenApp servers, see Citrix eDocs at http://edocs.citrix.com.


Data Store Database Maintenance

The data store is critical to the operation of a XenApp environment, tracking both static information about the servers in the farm and static configuration information for the farm. The data store also contains information about the applications, printers, Citrix administrator accounts, and users. Each server in the farm must communicate with the data store.

It is important to maintain and optimize the data store to ensure availability, as the continued health of all controller servers is important to the success of the environment. Supported databases include Microsoft SQL Server, Microsoft SQL Server Express, and Oracle. For more information about specific versions of supported databases, see Citrix article CTX114501 on http://support.citrix.com.

Citrix recommends the following for maintenance of the data store:

• Back up the data store regularly.

If the data store becomes damaged, you must ensure that a recent, restorable backup of the database exists. Failure to have a backup that can be used to recover the data store can result in failure of the farm and the need to recreate the farm. You cannot recreate the data store from an existing farm.

• Allow SQL Server to grow automatically rather than designate specific caps for each database.

• Monitor disk resources to ensure space for growth.

• Use Windows authentication.

• Place the data store on a database server that hosts only Citrix core databases.

• Do not host the data store on a XenApp server.

• Enable hyper-threading on the SQL Server acting as the data store to increase performance.

The data store can also be maintained from the command line using the DSMaint command. You can perform maintenance tasks such as backing up the data store, migrating the data store to a new server, compacting the XenApp data store or the Streaming Offline database. Not all DSMaint commands apply to all database types. For more information about the DSMaint command, see Citrix eDocs at http://edocs.citrix.com.

For more information about migrating a XenApp 6 or 6.5 data store to another server, see http://blogs.citrix.com/2010/06/03/how-to-move-or-migrate-data-store-on-xenapp-6-to-another-server/.


Data Store Database Recovery

As the XenApp administrator, it is often your responsibility to ensure that a recent, restorable backup of the data store exists in case of an event that damages or corrupts the data store. If the data store fails, the farm cannot be updated and eventually becomes unusable. If a backup does not exist, it can cause the entire farm to fail.

If a disaster or catastrophic failure causes data loss and you need to recover a XenApp farm, the DSMaint recover command restores a SQL Server Express data store to its last known good state. Run this command directly on a XenApp server while the Citrix IMA service is not running.

If the database server is a virtual machine, repairing the virtual machine or restoring it from a backup is available as an option for recovering from a failure.

When using Microsoft SQL Server or Oracle databases, Citrix recommends consulting product documentation about scheduling automated backups of the data store to assist with preventing data loss. In a situation where a data store must be restored to another server because the original is no longer available or has failed, the most effective method is to use a full backup of the data store and restore it to the new database server. For more information about recovering a Microsoft SQL Server or Oracle database, see Citrix article CTX77542 on http://support.citrix.com.


Local Host Cache

The local host cache (LHC) contains a subset of the data contained in the data store and exists on each XenApp server in the farm, providing each member server with quick access to frequently accessed data store information. The LHC contains information about all servers in the farm, all applications published within the farm and their properties, and all Windows network domain trust relationships within the farm. This information allows XenApp servers to continue to enumerate applications and resolve requests for published resources if the server loses contact with the data store.

The DSMaint verifylhc command verifies the integrity of the LHC. If the LHC is corrupt, which can be caused by communication issues after major updates, you are prompted with the option to recreate the LHC. With the verifylhc /autorepair option, the local host cache is automatically recreated if it is found to be corrupted.

Most issues causing LHC corruption occurred in XenApp 5 or previous legacy versions of XenApp. This is no longer a common issue.

A utility for validating the integrity of the data store database is the DSCheck command. If inconsistencies are found, they can be repaired. The DSCheck command is often used after running DSMaint. DSCheck performs tests to validate the integrity of the data store. When run without parameters, only the tests are run. When you run the DSCheck /clean command, the tests are run and inconsistent data is removed from the data store (typically servers and applications). Since removing this data can affect farm operations, back up the data store before using the "/clean" option. After running DSCheck /clean, you may need to run the DSMaint recreatelhc command on each farm server to update the local host caches.

In the event that the Citrix IMA service fails to start, you also have the option to recreate the LHC from the command line using the DSMaint recreatelhc command. You can recreate the local host cache from any server in the farm. To recreate the LHC, stop the IMA service and run the DSMaint recreatelhc command from the command line. Considerations for running the DSMaint recreatelhc command include the following:

• Run only if prompted after running the DSMaint verifylhc command.

• Stop the IMA service before running the DSMaint recreatelhc command.

• After running the recreatelhc command, restart the IMA service. When the IMA service starts, the local host cache is populated with fresh data from the data store.

• The data store server must be available for DSMaint recreatelhc to work. If the data store is not available, the Citrix IMA Service fails to start.

Running the DSMaint recreatelhc command performs the following actions:

• Sets the value of the registry key HKLM\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME\PSRequired to 1.

• Deletes the existing local host cache (ImaLhc.mdb)

• Creates an empty local host cache (ImaLhc.mdb)
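The recreate procedure above as one PowerShell script, added here as an example and not part of the course material. It assumes an elevated session on the affected XenApp server, that the IMA service's short name is IMAService, and that dsmaint is on the PATH.

```powershell
# Added example: recreate the local host cache (LHC) following the steps listed above.
# Run it only after "dsmaint verifylhc" has reported a corrupt LHC.
# Assumptions: service short name 'IMAService', dsmaint on the PATH, elevated session.
$ErrorActionPreference = 'Stop'
$imaName  = 'IMAService'                                      # assumed short name of the Citrix IMA service
$psReqKey = 'HKLM:\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME'   # registry key named in the text

# Remember which dependent services are running so they can be restarted afterwards.
$dependents = @((Get-Service -Name $imaName).DependentServices |
    Where-Object { $_.Status -eq 'Running' })

# Step 1: stop the IMA service and anything that depends on it.
Stop-Service -Name $imaName -Force
(Get-Service -Name $imaName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

# Step 2: recreate the LHC. The data store server must be reachable.
& dsmaint recreatelhc
if ($LASTEXITCODE -ne 0) {
    # IMA is deliberately left stopped so the failure can be investigated.
    throw "dsmaint recreatelhc exited with code $LASTEXITCODE."
}

# Step 3: confirm the server is flagged to reload its cache from the data store.
$psRequired = (Get-ItemProperty -Path $psReqKey -Name PSRequired).PSRequired
if ($psRequired -ne 1) {
    throw "PSRequired is '$psRequired', expected 1; the LHC was not reset."
}

# Step 4: start IMA; the empty LHC is populated from the data store on startup.
Start-Service -Name $imaName
(Get-Service -Name $imaName).WaitForStatus('Running', [TimeSpan]::FromMinutes(10))

# Restart the dependent services that were running before the procedure.
foreach ($svc in $dependents) {
    Start-Service -Name $svc.Name
}

Get-Service -Name $imaName | Format-Table Name, Status -AutoSize
```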

To improve performance of the farm and the data store database, you may compact the local database file or the local host cache by running the DSMaint compactdb command. During database compaction, the database is temporarily unavailable for both reading and writing. The compacting time can vary from a few seconds to a few minutes, depending on the size of the database and the usage.

The /ds (data store) parameter specifies that the database will be compacted immediately. Compacting with the /lhc (local host cache) parameter is a useful maintenance task after your farm has been running for a long period of time.


XML Service Overview

The Citrix XML service is installed by default on all XenApp servers. XenApp uses the Citrix XML service to supply Web Interface servers or plug-ins configured to use the TCP/IP+HTTP or SSL/TLS+HTTPS protocol for browsing, with the names of servers hosting published applications in the farm.

If you want the Citrix XML service to send the fully qualified domain name (FQDN) of a server instead of the IP address of a server, Domain Name System (DNS) address resolution can be enabled. When DNS address resolution is enabled in the farm, plug-ins request the FQDN of a server in the farm. DNS address resolution is a policy setting located under Computer Policies > Server Settings. For more information about DNS address resolution, see Citrix article CTX128436 on http://support.citrix.com.

The XML Broker is a function of the Citrix XML Service. By default, the XML service is installed on every server during XenApp installation. However, only the XML Service on the server specified in the Web Interface functions as the broker.

The XML service on other farm servers is still running but is not used for servicing user connections.

When the XML Service functions as the intermediary between the Web Interface and the IMA service, it is referred to as the XML Broker, regardless of whether it is hosted on a dedicated server or co-located with other controller functions.

In a small farm, the XML Broker is typically designated on a server dedicated to several infrastructure functions. In a large farm, the XML Broker is often configured on one or more dedicated servers. In larger XenApp farms, Citrix recommends configuring the XML Broker on data collectors or dedicated servers. In deployments with dedicated servers for infrastructure functions, dedicate a server to the XML Broker to accommodate authentication traffic.

When users change their Windows password through Web Interface, a local profile is created on the XML Broker. These profiles should be removed periodically. For more information about user profile creation on the XML Broker, see Citrix article CTX106533 on http://support.citrix.com.

XML Service Port Configuration

The Citrix XML service acts as the contact point between the Web Interface and the XenApp farm. You can use the Manage Server Farms task to specify the TCP/IP port used by the Citrix XML service and the protocol used to transport Web Interface data between the web server and the XenApp server. By default, the port number used for Web Interface is the value entered during site creation. This port number must match the port number used by the Citrix XML Service.

The typical port number for the XML service is 80. This port may not be available in certain environments because of corporate policy or conflicts with other services. In such cases, the port number will have to be changed.


You can use the ctxxmlss command to change the Citrix XML service port number. For more information about the ctxxmlss command, see the XenApp Server Utilities Reference in Citrix eDocs at http://edocs.citrix.com.

Citrix recommends changing the XML service port using the Citrix computer policy XML Service > XML service port. By setting the port with a policy, the configuration is centralized and easier to track. For more information about this method, see Citrix article CTX125153 on http://support.citrix.com.

If you change the port used by the Citrix XML service on the XML Broker, set the correct port in the plug-in.

XML Service Trust Configuration

The Citrix XML Service can also be configured in a policy setting to trust requests sent to it. By default, the XML service does not automatically trust requests.

Before enabling this rule, avoid security risks by using IPSec, firewalls, or another technology that ensures only trusted services communicate with the Citrix XML Service.

In addition to the benefit of great security, XML service trust configuration is necessary when users need the ability to:

• Move freely between different user devices and reconnect to their applications at the point where they previously stopped. This functionality is typically referred to as Workspace Control.

• Connect to sessions through the Web Interface using either pass-through authentication or smart cards. After disconnection, the users also need to be able to reconnect to the sessions without specifying their user credentials.

• Access applications through Citrix Access Gateway.

If you plan to use Active Directory Federation Services (ADFS) with XenApp, Citrix recommends setting up a trust relationship between the Web Interface servers and any other servers in the farm communicating with the Web Interface through the Citrix XML Broker. The Web Interface must be able to access the certificate revocation list (CRL) for the Certificate Authority used by the federation servers.
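One way to meet the precondition stated above, restricting which hosts can reach the Citrix XML Service before trust is enabled, using Windows Firewall on the XML Broker. This is an added example, not part of the course material; the port, caller addresses and rule name are constructed placeholders.

```powershell
# Added example (not from the course material).
# Placeholders: port, caller addresses and rule name are constructed for illustration.
$xmlPort  = 8080                            # assumed XML service port; must match the policy
$trusted  = @('192.0.2.10', '192.0.2.11')   # constructed Web Interface / Access Gateway addresses
$ruleName = 'CitrixXML-TrustedCallersOnly'

$fw = New-Object -ComObject HNetCfg.FwPolicy2
$domainProfile = 1                          # NET_FW_PROFILE2_DOMAIN

# A scoped allow rule only restricts traffic if the firewall is on and blocks inbound by default.
if (-not $fw.FirewallEnabled($domainProfile)) {
    Write-Warning 'Windows Firewall is off for the domain profile; allow rules restrict nothing.'
}
if ($fw.DefaultInboundAction($domainProfile) -ne 0) {       # 0 = block
    Write-Warning 'Default inbound action for the domain profile is not Block.'
}

# Replace any earlier copy of the rule, then allow the port from the trusted callers only.
# This filters by source address; IPSec, which the text also names, authenticates the peer.
$remoteIp = $trusted -join ','
netsh advfirewall firewall delete rule "name=$ruleName" | Out-Null
netsh advfirewall firewall add rule "name=$ruleName" dir=in action=allow protocol=TCP "localport=$xmlPort" "remoteip=$remoteIp" profile=domain

function Test-PortInSpec([string]$spec, [int]$port) {
    # A rule's LocalPorts is '*', a list ('80,443') or ranges ('8000-8100'); empty means all ports.
    if ([string]::IsNullOrEmpty($spec) -or $spec -eq '*') { return $true }
    foreach ($part in $spec.Split(',')) {
        $range = $part.Trim().Split('-')
        if ($range[0] -notmatch '^\d+$') { continue }       # skip keywords such as 'RPC'
        $low  = [int]$range[0]
        $high = if ($range.Count -gt 1) { [int]$range[1] } else { $low }
        if ($port -ge $low -and $port -le $high) { return $true }
    }
    return $false
}

# Audit: any other enabled inbound allow rule covering the port still exposes the XML service.
# Direction 1 = inbound, Action 1 = allow, Protocol 6 = TCP, Protocol 256 = any.
$broad = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
    ($_.Protocol -eq 6 -or $_.Protocol -eq 256) -and
    ($_.Profiles -band $domainProfile) -and
    $_.Name -ne $ruleName -and
    (Test-PortInSpec $_.LocalPorts $xmlPort)
})

if ($broad.Count -gt 0) {
    Write-Warning "Other inbound allow rules also cover TCP $xmlPort; scope or disable them:"
    $broad | Format-Table Name, LocalPorts, RemoteAddresses -AutoSize
}
```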


Routine Operations

During the life of a XenApp environment, certain operations recur frequently.

To Add XenApp PowerShell Commands

1. Open a PowerShell session as an administrator.

2. Show the permissions for running PowerShell scripts by typing the following command:

Get-ExecutionPolicy

3. If the policy is "Restricted", enable scripting by typing the following command:

Set-ExecutionPolicy -force RemoteSigned

4. Load the Citrix modules by typing the following command:

Add-PSSnapIn Citrix.*

Publishing Applications with PowerShell

XenApp administrators can manage the configuration of XenApp server farms using PowerShell, including publishing applications.

To create a new application, use the New-XAApplication cmdlet, for example:

New-XAApplication ServerInstalled Notepad -CommandLineExecutable notepad.exe

To verify the application is published, use the following command:

Get-XAApplication | Format-Table DisplayName,Enabled,ApplicationType

Locate the newly published application in the list.

To enable the application, use the Set-XAApplication cmdlet, for example:

Set-XAApplication Notepad -Accounts CCH\CitrixAdmin -Servers XAC-1,XAC-2 -Enabled $true


XenApp Hotfixes

Hotfix Management for XenApp is located in the Configuration Tools node under Citrix Resources in the AppCenter and is used to manage and monitor hotfixes for Citrix products. With hotfix management, you can check which hotfixes have been installed, search for updates on a system, identify servers where hotfixes need to be applied, create a list of hotfixes and identify servers that do not match the list, and monitor hotfixes for the farm. The Hotfix Management feature does not deploy hotfixes.

There are several types of hotfixes available from Citrix:

• General release hotfixes: available to the general public.

• Limited release hotfixes: address a user issue specific to a customer's environment and are available through Citrix Technical Support.

• Private fixes: address a user issue specific to a customer's environment and are only available through the Citrix Escalation Team.

• Hotfix rollup packs (HRP): a single package that includes all previously released general release hotfixes as well as some limited release hotfixes.

For a major XenApp release, Citrix supports the most recent HRP. In addition, Citrix supports the HRP released prior to the most recent HRP for 12 months, provided the requests are commercially viable. However, public hotfixes for security vulnerabilities will only be provided for the most recent HRP.

Citrix recommends the following considerations for managing hotfixes:

• Only the hotfixes necessary to address a particular issue should be installed.

• Examine the readme that accompanies the HRP.

It can provide necessary information on the prerequisites and known installation issues. Some common installation prerequisites might include an updated version of the license server or a particular redistributable (such as Java or .Net). Readme files are kept up to date even after the HRP is released.

• On occasion, installing an HRP can invalidate certain hotfixes.

For a list of invalidated and replacement hotfixes, see the HRP readme file. You may obtain or request the corresponding replacement hotfix for any invalidated hotfixes by contacting Citrix Technical Support.

• Take note of the release dates of different HRPs and components (such as plugins or consoles) and attempt to install these in the order they were released.

You can find the release dates on the download page of each HRP or component.

• Install hotfixes on the data collector first, database connection server second, and member servers third.

• Ensure that no existing XenApp sessions are on the server before installing hotfixes.

• Only install hotfixes and HRPs after thoroughly testing them on member servers.


• If installing hotfixes remotely, you should use an "admin" session instead of an RDP session.

For more information about managing hotfixes, see Citrix article CTX120842 on http://support.citrix.com.

XenApp Server Restart

Publishing resources through XenApp enables you to provide applications to users in a secure and optimal environment. However, unstable applications with memory leaks can cause unpredictable issues on a system. Scheduling server restarts is part of managing the life cycle of XenApp servers and helps alleviate issues caused by memory leaks and other complications. Restarts also help improve the stability of XenApp servers and their resources. Additionally, the best time to install new applications or update existing applications is immediately after a server restart, before users log on.

Typically, application instabilities on user devices are not evident when the user devices are restarted regularly and memory is cleared. However, in an application virtualization environment, the danger of memory leaks caused by applications increases because the same application is run multiple times on the server by multiple users. Although XenApp does not need to be restarted to run effectively, restarting the server can prevent some of the application instabilities by clearing memory leaks. Any server on which one or more applications are installed is a potential candidate for regularly scheduled restarts to release memory consumed by memory leaks.

The AppCenter or Group Policy Management Console can be used to create a restart schedule for servers in a farm. Using this feature, you can configure the dates and times to restart the server, send a warning message to users, prevent users from logging on to the server for a period of time before the scheduled restart, and stagger restarts over a defined time period.

XenApp also contains policy settings that can be used to restart servers. Restart Behavior Policy Settings of note include:

• Restart logon disable time.

This setting specifies the number of minutes before a scheduled server restart that logons to the server are disabled.

• Restart schedule frequency.

This setting specifies the frequency, in days, that scheduled server restarts occur.

• Restart schedule randomization interval.

This setting specifies the interval, in minutes, in which servers are restarted before or after the scheduled restart time. This interval prevents all servers in the farm from restarting simultaneously.

For more information about policy settings for server restarts, see Citrix eDocs at http://edocs.citrix.com.


Determining a Restart Schedule

It is important to be aware that restarting servers can have a negative impact on users because of server downtime. Citrix recommendations for restarting XenApp servers include:

• Restart XenApp servers at least weekly.

More frequent restarting of these servers might be necessary based on the information collected from monitoring the servers.

• Monitor the memory object counters for your servers using Service Monitoring (EdgeSight).

• Avoid restarting all XenApp servers at the same time.

Staggered restarting ensures that the farm remains available to users should an issue arise during the restart process. Staggering the restart schedule involves creating a worker group for each group of servers that will be restarted at the same time interval, creating a policy with the scheduled restart settings for each worker group and applying the policy to each respective worker group.

For more information about staggering a restart schedule, see Citrix article CTX126043 on http://support.citrix.com.

• Restart the dedicated data collector first during the restart process.

This avoids data collector election conflicts once the server restarts are complete.

• Limit the number of servers being restarted at a single time.

This limitation keeps the amount of traffic generated during the startup of the servers to a manageable amount. You need to determine the number of servers to restart at one time based on the specific requirements of your environment. For large implementations, allow at least 10 minutes between the restarting of groups of servers.

• Schedule restarts during low usage hours so the impact to users is minimal. In an ideal situation, there is no service interruption or impact to users.

Use Power and Capacity Management to put servers to be restarted into maintenance mode.

• Use environment-specific scripts to automate tasks such as dumping spooler files in preparation for restarting servers.

• Warn users at least 60 minutes before the restart so they have enough time to save their data and log off sessions.

The Restart Warning policies include an option to warn users of a server restart. The option automates a functionality that was previously available as a manual option through AppCenter only.

• Isolate any offending applications with memory leaks to specific servers so that not all servers in the farm need to be frequently restarted.


To Configure a Restart Schedule

Restart schedules are also often used when performing Windows updates or installing hotfixes on multiple servers. The computer policies under Server Settings > Restart Behavior control how the XenApp servers are restarted.

Worker groups should be used in conjunction with the restart policies.

1. Determine if all servers can be restarted at the same time or if server restarts need to be staggered.

Staggered restarts are recommended for environments that have users connected at all times (24/7 environments). In these cases, restart policies and worker groups should be created.

2. Create "restart" worker groups containing a few servers from each existing worker group.

This will prevent simultaneously restarting all servers in an existing worker group.

3. Create multiple "restart" policies to apply to the "restart" worker groups.

4. In the policy, stagger the restart schedules, randomize the restart time, and disable logons for a period of time before restart.


Power and Capacity Management

Power and Capacity Management helps to reduce power consumption and manage server capacity by dynamically increasing or decreasing the number of physical and virtual XenApp servers that are online. This is accomplished by consolidating user sessions onto fewer servers to improve server utilization so that unnecessary servers can be shut down or turned off.

In addition, Power and Capacity Management can be used to observe and record utilization and capacity levels through monitoring and report generation.

Power and Capacity Management is available in Platinum and Enterprise editions.

Power and Capacity Management configuration is managed according to farms and workloads. These are distinct from XenApp farms and worker groups.

A 64-bit installer is available in the XenApp 6.5 release. Previous releases included only a 32-bit installer, which ran on 64-bit systems.

Configure Power and Capacity Management using the Power and Capacity Management computer policies. For more information about Power and Capacity Management, see the Citrix eDocs web site at http://edocs.citrix.com.

If the Power and Capacity farm name is changed through a group policy, the agent will pick up the new name and place that server into the new farm. This functionality is new in the XenApp 6.5 release.


Power Management

Power Management turns the servers on or off in a workload or farm using the power controller preferences set in the server properties.

To select a server to turn on, the selection algorithm chooses a server with the highest power controller preference before selecting a server with a lower preference.

To select a server to turn off, the algorithm chooses a server with a lower power controller preference before a server with a higher preference. If that server is currently hosting sessions, the server is placed into drain mode. While in drain mode, the server does not accept new sessions but allows the reconnection of disconnected sessions. A server in drain mode turns off only when no sessions remain.

In previous releases, the agent did not always obtain accurate power readings of the XenApp servers. With XenApp 6.5, the agent communicates directly with the hypervisor or machine manager and can now obtain the correct state of the server at any time. Additional information, such as that a server is in the process of powering on and not connected yet, as opposed to a "not connected" status, is now available. You can now manually turn on and off servers that are in the unmanaged state. This functionality is new in XenApp 6.5.

Also, show students a demonstration of Power and Capacity Management. The following video demonstrates how to reduce power consumption and manage server capacity using Power and Capacity Management: http://www.citrix.com/tv/#videos/1409.


Power and Capacity Management Farm

XenApp servers being managed by Power and Capacity Management are called a farm. Members of a Power and Capacity Management farm can include some or all of the XenApp servers in a XenApp farm and even XenApp servers from multiple XenApp farms.

Power and Capacity Management can manage different versions of XenApp, but consoles should be the most recent version.

Agents automatically obtain farm name change information and do not need to be restarted.

Workloads and Profiles

A workload is a group of servers, defined by you, that are managed as a common pool. Workloads often consist of servers that all host the same application or set of applications, referred to as an application silo. A Power and Capacity Management farm can contain one or more workloads.

Within a workload, servers are grouped by profiles. A server profile contains information the agent discovers and information provided by the administrator to measure server capacity.

The agent discovers hardware information, such as the CPU type and the amount of memory, and sends it to the concentrator. The concentrator creates a profile entry in the database for a new profile, or if the profile values are the same as those in an existing profile, the existing profile is reused.

If the hardware configuration changes (for example, more RAM is added to a server), Power and Capacity Management creates a new profile. The original profile is not altered, because other servers may still be using it.

As new servers connect and report their profiles, they inherit any existing configured capacity value if they have the same profile as an existing configured server.


Control Modes

In Power and Capacity Management, servers are assigned a control mode. The control mode determines whether the server is eligible for power management or is participating in load consolidation. Control modes include:

• Unmanaged: Servers assigned this control mode are not controlled by Power and Capacity Management.

• Managed (base load): Servers assigned this control mode contribute to the capacity of the workload but are not controlled by Power and Capacity Management. Servers that contribute essential services and should not be taken offline, such as the data collector and the server hosting the data store, should be assigned this control mode.

• Managed: Servers assigned this control mode are fully controlled by Power and Capacity Management.

Load Consolidation

Load consolidation has the opposite effect of traditional XenApp load balancing. It aims to consolidate sessions onto fewer servers instead of spreading load evenly across many servers. By consolidating sessions, there is greater opportunity to turn off excess servers, saving power and reducing running costs. Greater consolidation of sessions equates to higher levels of utilization for each server while online.

Load consolidation works by continually monitoring the number of active sessions and remaining capacity for each server. It aims to load up small groups of servers with new sessions to an optimal load level that each server can effectively handle. Once a server reaches its optimal load, load consolidation enables an additional server in the workload to accept new session load. When used in conjunction with Power Management, this additional server will be turned on automatically if it is currently turned off.

Power and Capacity Management Components

Power and Capacity Management consists of the following components:


Agent The agent is a Windows service that reports the capacity and systemstate of the XenApp server. In addition, the agent acts on operationsand commands issued by the concentrator. The agent is installed onXenApp servers.

As of XenApp 6.5, agent statistics are gathered through PowerShell, not MFCOM.

Concentrator: The concentrator is a Windows service that coordinates the system states and operations for the managed XenApp servers. As many as two concentrators can be installed, in which case they form a cluster. In a cluster, one concentrator will be the master concentrator. The Power and Capacity Management console connects to the master concentrator to obtain its data. The second concentrator will assume the master role if the master concentrator fails.

As of XenApp 6.5, there is no limit on the number of concentrators; however testing has been limited to three concentrators.

Database: The database uses Microsoft SQL Server to store information such as the inventory of servers being managed, workload assignments, schedules, metric data, and configuration settings.

Reporting: The reporting component uses Microsoft SQL Server Reporting Services to provide workload reports for historical system loads, capacities, and utilization summaries.

Management Console: The management console is an MMC snap-in and is used to manage, monitor, and configure Power and Capacity Management.

Schedules

Throughout the day and week, different demands are placed on a XenApp environment. As a result, different setpoints must be used so that Power and Capacity Management can ensure that the appropriate number of servers are online to handle the expected load and that servers are turned off or shut down during periods of low demand. This can be accomplished with schedules. Schedules allow you to assign values to the setpoints based on the time of day and day of week.

Administrators can also manually initiate turning on and turning off servers in the unmanaged state.

A setpoint defines either a target capacity level (number of sessions) or a target number of online servers. Setpoints are used to determine how many servers should be turned on.


Test Your Knowledge: Maintaining the XenApp Environment

1. Complete the following sentence. The XenApp Migration Center __________.

a. Is not compatible with XenApp 6.5

b. Provides an easy-to-use wizard interface that guides you through the various steps required for migration

c. Uses Microsoft PowerShell cmdlets to migrate legacy farms automatically to the latest version of XenApp

d. Upgrades all XenApp 6.0 server roles to XenApp 6.5 server roles and transfers all zone and policy settings to the new data store

2. Which of the following are recommendations for maintaining the data store database? (Choose two.)

a. Use Windows authentication.

b. Back up the data store regularly.

c. Host the data store on a XenApp server.

d. Designate data growth caps for each database.

3. True or False: XenApp servers should be restarted at least once a week.

a. True

b. False


Module 5

Optimizing the XenApp Environment


Overview

By optimizing the XenApp environment you can enhance XenApp functionality, improve user experience, and minimize the risk of perceived failure. You can optimize and tune the environment, including the network itself, the server operating system, and XenApp.

After completing this module, you will be able to:

• Isolate the source of poor performance in an environment.

• Determine which components of an environment to tune based on data.

• Improve performance by tuning system components.

• Improve performance by modifying network quality of service.

• Manage the lifecycle of XenApp servers.

Time

• Module: 200 minutes

• Exercises (2): 30

• Total Time: 230 minutes

Less experienced students have required additional time to complete these exercises.

Performance Tuning

After a XenApp environment is made operational, you need to monitor performance and make necessary changes to provide end users with the best experience. Performance tuning should be based on understanding the environment and modifying specific parameters to enhance performance. Tools such as Service Monitoring (EdgeSight) capture a baseline and allow you to analyze the performance over a set period of time. Performing this analysis helps you to determine which changes to make. Because each environment is different, there is no general recommended set of performance-tuning decisions.

Independent Management Architecture Service

Proper operation of a farm, including availability to users, depends on the IMA service functioning properly. Health Monitoring options are an effective method of preventing IMA issues from causing any interruptions in service.

To allow the IMA service to be monitored and maintained properly, set a Citrix policy to determine how the test will be performed and what actions the system will take if there is a failure of the test. In the policy, set the following parameters:

• Enable Health Monitoring.

• Select Citrix IMA Service test.

• Define the test interval and the number of failures that indicate a failure.

• (Optional) Change the recovery action from the default of alert only to restart.

Based on the needs of your environment, determine whether automatic restarts are necessary or if manual intervention based on alerts is sufficient.

Baseline with Service Monitoring

Service Monitoring (EdgeSight) gathers baseline performance of the XenApp farm. This baseline can provide you with data that can be used when enhancing performance and stability of the farm. Once a baseline is gathered under normal operating conditions, it can be reviewed when a performance issue arises.

The following counters are most relevant for gathering baseline data.

• Generic application performance alert

• High application resource usage alert

• Thrashing application alert

• Device restart alert

• Generic system performance alert

• System disk bottleneck alert

• System low resources alert


• System slowdown alert

• System thrashing alert

• Network connection performance exceeded SLA

• Network socket error

• Network transaction failure

• Network transaction performance exceeded SLA

The value of these counters at two points in time can be compared to determine the source of performance issues. Likewise, comparing historical data with data gathered after you make a change to the environment can validate whether the change had the desired effect.


Windows Server Tuning for XenApp

Though there are many ways to optimize a Windows Server, the areas that relate to disk defragmentation and Active Directory configuration also optimize XenApp.

Microsoft provides a guide for improving performance for the Windows Server 2008 R2 operating system at the http://msdn.microsoft.com/en-us/windows/hardware/gg463394.aspx web site.

Additional optimization articles at http://support.microsoft.com include:

• How to configure the paged address pool and system page table entry memory areas: 247904

• Server is unable to allocate memory from the system paged pool: 312362

• How to troubleshoot Event ID 2021 and Event ID 2022: 317249

• Terminal Server and connected Terminal Services clients pause when a Terminal Services client logs on or logs off: 324446

• Virus scanning recommendations for enterprise computers that are running currently supported versions of Windows: 822158

• Service overview and network port requirements for the Windows Server system: 832017

Defragmenting Disks

Disk fragmentation can slow down the responsiveness of a server. Every time a file is saved to or removed from a disk, the files on the disk can become fragmented. The more fragmented the files are on the disk, the longer it takes to access the data. To keep the disks running optimally, they should be defragmented on a regular basis.

Defragmentation utilities locate the non-contiguous fragments of the files on the disk and rearrange them optimally, resulting in fewer disk reads, faster file access times, less wear and tear on the physical disk, and less wasted drive space.

You can use Performance Monitor to determine which servers might require disk defragmentation by monitoring the % Disk Read Time and % Disk Write Time counters in the PhysicalDisk and LogicalDisk objects on the servers. You can use Task Scheduler to schedule disk defragmentation.

If your XenApp servers are virtualized, follow defragmentation recommendations from the hypervisor and storage vendors.

Active Directory Recommendations

Citrix recommends the following configurations for XenApp farms with Active Directory in the environment:

• XenApp servers are in their own Organizational Units (OUs).

• All servers reside in the same domain.


• The farm domain has no trust relationships with non-Active Directory domains. These relationships can affect operations requiring trusted domains.

• The farm is in a single Active Directory forest. Multiple forests can prevent users from logging on using user principal names (UPNs) because the same UPN identifier may exist in two domains in separate forests.

Policy Processing and Precedence

This concept is fundamental to how XenApp works. Ensure that students have a clear understanding before proceeding.

The GPOs and IMA-based policies that apply to a user or computer do not all have the same precedence. If there are no conflicting settings configured within the policies, the settings are merged into the Resultant Set of Policy for the computer or user. However, settings in policies that are applied later can override earlier applied settings. Policies are processed and applied in the following order:

1. Local GPOs

Each server has exactly one Group Policy object that is stored locally. Both Computer and User configuration settings are processed.

2. IMA-based policies

IMA-based policies configured in the AppCenter are processed after local GPOs.

3. Site GPOs

GPOs that have been linked to the site that the user or computer belongs to are processed next. Processing is in the order that is specified by you within the Linked Group Policy Objects tab for the site in the GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.

4. Domain GPOs

Multiple domain-linked GPOs are processed in the order specified by you in the Linked Group Policy Objects tab for the domain in the GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.


5. OU GPOs

GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs that are linked to its child OU and any OUs beneath that. Finally, GPOs linked to the OU that contains the specific user or computer are processed last. Zero, one, or many GPOs can be linked to each Organizational Unit level in the Active Directory hierarchy. If several GPOs are linked to an OU, they are processed in the order that is specified by you in the Linked Group Policy Objects tab in the GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.
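The processing order above can be modelled to show which policy supplies each effective setting and which earlier values it overrode, which is useful when checking that a hardening setting survives later policies. This is an added example, not Citrix code: the policy names and setting keys are constructed, and the model ignores GPMC features such as enforcement and loopback.

```python
from dataclasses import dataclass

# Processing order described above: scopes earlier in this tuple are applied
# first, so scopes later in the tuple win when settings conflict.
SCOPE_ORDER = ("local", "ima", "site", "domain", "ou")


@dataclass
class Policy:
    name: str
    scope: str           # one of SCOPE_ORDER
    settings: dict       # setting key -> value (keys here are constructed)
    link_order: int = 1  # GPMC link order inside one site, domain or OU
    ou_depth: int = 0    # OU scope only: 0 = highest OU in the hierarchy


def processing_sequence(policies):
    """Return the policies in the order they are applied, first to last."""
    for p in policies:
        if p.scope not in SCOPE_ORDER:
            raise ValueError(f"unknown scope {p.scope!r} on policy {p.name!r}")

    def key(p):
        depth = p.ou_depth if p.scope == "ou" else 0
        # The lowest link order is processed last, so sort it descending.
        return (SCOPE_ORDER.index(p.scope), depth, -p.link_order)

    return sorted(policies, key=key)


def resultant_set(policies):
    """Map each setting to (effective value, winning policy, overridden policies)."""
    result = {}
    for policy in processing_sequence(policies):
        for setting, value in policy.settings.items():
            overridden = []
            if setting in result:
                _, previous_winner, earlier = result[setting]
                overridden = earlier + [previous_winner]
            result[setting] = (value, policy.name, overridden)
    return result


def weakened_settings(policies, baseline):
    """Return baseline settings whose effective value differs from the required one."""
    rsop = resultant_set(policies)
    findings = {}
    for setting, required in baseline.items():
        value, winner, _ = rsop.get(setting, (None, None, []))
        if value != required:
            findings[setting] = (value, winner)
    return findings


# Constructed sample, deliberately listed out of processing order.
SAMPLE_POLICIES = [
    Policy("OU-XenApp-Finance", "ou", {"idle_timeout_min": 15}, ou_depth=1),
    Policy("Domain-Helpdesk", "domain", {"clipboard": "allowed"}, link_order=1),
    Policy("Farm-IMA", "ima",
           {"client_drive_mapping": "allowed", "idle_timeout_min": 30}),
    Policy("Local-Baseline", "local",
           {"client_drive_mapping": "prohibited", "clipboard": "prohibited"}),
    Policy("Domain-Hardening", "domain", {"clipboard": "prohibited"}, link_order=2),
    Policy("OU-XenApp", "ou", {"client_drive_mapping": "prohibited"}, ou_depth=0),
    Policy("Site-Default", "site", {"idle_timeout_min": 60}),
]

# Constructed baseline that the effective settings are checked against.
SAMPLE_BASELINE = {"client_drive_mapping": "prohibited", "clipboard": "prohibited"}

if __name__ == "__main__":
    for setting, (value, winner, lost) in sorted(resultant_set(SAMPLE_POLICIES).items()):
        print(f"{setting} = {value} (from {winner}; overrode {', '.join(lost) or 'nothing'})")
    for setting, (value, winner) in weakened_settings(SAMPLE_POLICIES, SAMPLE_BASELINE).items():
        print(f"baseline drift: {setting} is {value}, set by {winner}")
```

In the sample, the domain GPO with link order 1 is processed after the one with link order 2, so its clipboard value becomes effective and is reported as drift from the baseline.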

Policy Configuration Methods

There are three ways to create policies for a XenApp environment. Although all three are valid, all Citrix policies should be configured using only one of these methods. If a combination of methods is used, the recommended order is:

1. Group Policy Management Console

2. AppCenter

3. Local Group Policies

Use the following guidelines to determine the most appropriate method for your environment.

Group Policy Management Console: Use the Group Policy Management Console (GPMC) if:

• Active Directory exists and a Citrix administrator has control over the Active Directory infrastructure.

• The organization needs to use group policy features such as inheritance, enforcement, or loopback.

GPMC stores policy configurations in Active Directory.

Citrix recommends configuring policies with GPMC where possible. Most small and medium organizations allow Citrix administrators control of the Active Directory infrastructure, while large enterprise-level organizations limit control to a small group.

AppCenter: Use AppCenter if Active Directory exists but control is not permitted to Citrix administrators or when Active Directory does not exist in the environment.

AppCenter stores policy configurations in the data store.


Local Group Policy Editor: Use Local Group policies as the last option when Active Directory and worker group memberships are not possible because you need settings to apply to a particular server only.

The local group policy editor stores policy configurations on the local server. Policies must be manually exported and imported to propagate settings to other servers.

Active Directory User Permissions

Active Directory security groups can affect authenticating to published applications or the management console.

Network configurations do not affect authentication to the management console because that console allows only pass-through authentication.

The following sections include user permission recommendations.

Domain Global Groups

Definition: A domain global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains.

Member permissions can be assigned in any domain.

Authenticating to published applications: No adverse effects. Therefore, if domain global groups are configured for applications, the applications will function correctly.

Authenticating to management console: No adverse effects.


Domain Local Groups

Definition: A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain and accounts from any domain in the forest.

Member permissions can be assigned only within the same domain as the parent domain local group.

A user from the domain local group must log on to a user device in the same domain to ensure that the group is in the user's security token.

Trust-based routing does not guarantee that a user's logon request is sent to a server in the same domain as the domain local group.

Authenticating to published applications:

• Recommendation: All servers that load balance an application must be in the same domain if a domain local group is authorized to use the application.

• Rationale: Domain local groups assigned to an application must be from the common primary domain of all the load balancing servers. When you publish applications, domain local groups appear in the accounts list if the condition above is met and accounts from the common primary domain are displayed. If a published application has users from any domain local groups and you add a server from a different domain, domain local groups are removed from the configured users list. This behavior occurs because all servers must be able to validate any user with permission to run the application.

Authenticating to management console:

• Recommendation: If a user is a Citrix administrator by membership in a domain local group only, the user must connect the console to a server in the same domain as the domain local group.

• Rationale: If the user connects the console to a server in a different domain than the domain local group, the user is denied access to the console because the domain local group is not in the user's security token.


Universal Groups

Definition: A universal group is a security or distribution group that contains users, groups, and user devices from any domain in its forest as members.

Member permissions can be assigned in any domain in the forest.

Authenticating to published applications:

• Recommendation: If universal groups are assigned permission to the application, all servers that manage the application must be in an Active Directory domain.

• Rationale: A server in a non-Active Directory domain could authenticate the user to run the application. In this case, universal groups are not in the user's security token, so the user is denied access to the application. It is possible for a server in a non-Active Directory domain to load balance an application with servers in an Active Directory domain if the domains have an explicit trust relationship.

Authenticating to management console:

• Recommendation: If a user is authenticating to the console and is a Citrix administrator by membership in a universal group only, the console must connect to a server that belongs to an Active Directory domain in the universal group's forest.

• Rationale: Non-Active Directory domain controllers and domains outside a universal group's forest have no information about the universal group.


XenApp Tuning

XenApp server optimization begins with tuning the primary XenApp components, such as data collectors. Additional tuning is performed as necessary to the environment, and may include virtual memory and CPU optimization.

Data Collectors

Use the following Citrix recommendations to optimize data collectors:

• Each zone should have a designated Most Preferred data collector.

• Each zone should have a backup data collector; keep this server lightly loaded.

• Published applications should run on servers that are not data collectors.

Application Streaming Optimization

Application streaming delivers applications to servers or user devices by retrieving a configured file package from a file server or web server. Streamed applications run on the user devices or servers, using local system resources instead of those on the XenApp server.

Optimization of application streaming depends on environmental variables; however, looking at common locations of high traffic issues provides a good starting point. Consider the following when optimizing your environment.

Cache Size

Streaming cache is located in the install root and the user root.

Install Root: The install root is the local cache directory and is located in %ProgramFiles%\Citrix\RadeCache

The default Install Root cache size is 5% of disk space or 1 GB minimum. Older files are deleted to make room for files to be streamed when the cache is full. To change the cache size or location, use the ClientCache.exe utility located in %ProgramFiles%\Citrix\Streaming Client. This utility modifies the install root, not the user root.

User Root: The user root is the location to which user modifications to an application are saved. The default location is %AppData%\Citrix\RadeCache.


File Server and Network Latency

The file server from which the package is copied can cause a high traffic problem because each application profile package must be copied from the file server to the user device. Network latency between the file server and the user device can also cause slow application streaming.

File Size

The size of the application being streamed impacts the streaming speed.

Application Type

By default, files are streamed to the user device when they are explicitly requested, which can often save considerable network bandwidth. However, some applications require that all files be available before opening. In such cases you must specify that all files be streamed and pre-extracted on the user device. This configuration can be completed using a RadeRun.exe command or the Application Streaming Launch Utility, which is a graphical user interface for RadeRun.exe.

For more information about optimizing application streaming, see Citrix articles CTX113304, CTX115191, and CTX126674 on http://support.citrix.com.


Virtual Memory Optimization

The Virtual Memory Optimization feature of XenApp is designed to decrease virtual memory consumption of applications, improve application initialization time, and reduce page file usage. The Virtual Memory Optimization feature rebases DLLs to an optimized virtual address. Rebasing DLLs modifies a copy of the DLL so that it loads at a memory address that is optimized for the system. This address is used by the application at startup, thereby avoiding collisions and the subsequent relocation of the DLL. The result is a faster application load time. In addition, the rebasing process reduces overall virtual memory utilization and allows for more users to connect to the servers or for the servers to host more applications.

Configure Virtual Memory Optimization in the Server Settings > Memory/CPU Citrix Computer policies.

Virtual Memory Optimization Processes

The following table provides an overview of the processes that occur when the Virtual Memory Optimization feature rebases DLLs.

Process Description

Monitor: When enabled, the virtual memory optimization feature monitors all DLLs on the system for DLL collisions and relocations.


Notice: When a DLL collision occurs, the virtual memory optimization feature detects the collision and writes the DLL name in the Repair.sfo file. The Repair.sfo file is located in the %ProgramFiles(x86)%\Citrix\Server Resource Management\Memory Optimization Management\Data folder on the server.

Rebase: At server startup, CtxBace.exe reads the Repair.sfo file to optimize the DLLs listed.

Citrix XenApp:

• Makes a hidden copy of the DLL using an alternate data stream

• Modifies the base virtual memory address in the hidden copy of the DLL

• Loads the alternate data stream in the hidden copy of the DLL

• Tests the functionality of the alternate data stream

The original DLL is not modified during rebasing. The output of the rebasing process can be viewed in the Repair.sfo file.

Bind: XenApp binds the rebased DLL and updates the bound import table that holds the memory addresses for the functions called by the executable.

CtxTestDll.exe tests each DLL to ensure that it is functional.

For more information about virtual memory optimization, see Citrix article CTX106023 on http://support.citrix.com.


Application Exclusions

While most applications can be rebased through virtual memory optimization, some applications cannot use this feature. Applications with the following characteristics will not benefit from this feature:

• Reside on network shares (automatically excluded)

• Have digitally signed components (automatically excluded)

• Include DLLs that are protected by Windows Rights Management (WRM), such as antivirus agents

• Require that the application executable programmatically checks the DLL after it has been loaded

• Require fixed DLL addresses


CPU Optimization

When multiple sessions are running on a server, the performance of some sessions can be impacted when one or more sessions dominate the CPU time on the server. This is because the operating system shares the CPU between processes. For example, if user A is running multiple CPU-intensive applications and user B is running only one CPU-intensive application, the operating system will grant user A access to much more CPU time than user B.

You can configure XenApp to monitor resources and normalize CPU peaks when the performance of the farm becomes limited by CPU-intensive operations.

Enable CPU utilization management by configuring the Memory/CPU > CPU management server level policy. The policy ensures that users are allocated equal amounts of CPU time.

CPU Utilization Management

The CPU utilization management feature ensures that CPU resources are equitably shared among user sessions through CPU shares and CPU reservation.

CPU Shares: CPU shares are portions of the CPU resource.

The proportion of the total CPU resource that a share value represents is dynamic and is calculated at regular intervals. The default number of shares assigned to each logged-in user is four. The available range is 1-64.

The default number of shares assigned to each user was eight prior to the release of XenApp 6.

CPU Reservation: CPU reservations are a percentage of the available CPU resource on a server that is guaranteed to be available to a session.

If all of the CPU reservation allocated to a session is not being used, other sessions can use the allocated CPU reservation until it is needed by the original user. The total CPU reservation cannot exceed 99%.

CPU reservation behavior can be modified only in the registry for each user and server, meaning that if there are 1,000 users, 1,000 registry settings would have to be made on all servers.

By default, CPU utilization management entitles each user session to an approximately equal amount of CPU shares, with each allocation being a relative percentage of the available CPU. When a new connection is made to the server, the CPU allocation for each user on the server is adjusted to ensure that all users have access to their fair share of CPU resources.

CPU utilization management only takes effect when a processor is fully used.

• For more information about CPU utilization management, see Citrix eDocs at http://edocs.citrix.com.

• For more information about how to configure CPU shares and reservations, see Citrix article CTX106021 on http://support.citrix.com.


Virtual Machine Sizing

When virtualizing XenApp, appropriate virtual machine sizing is critical to optimizing the environment. Appropriately sized virtual machines can maximize the number of users connecting to the server while ensuring a high-quality user experience.

Determining the specifications for each virtual machine requires a proper balance between performance and allocation. XenApp only needs certain amounts of resources in order to be productive. Providing too many resources results in under-used hardware or degraded application performance, while allocating too few resources results in underperforming systems. For each unique virtual machine or group of virtual machines, administrators should be aware of the following specifications:

• Server count: Identify the number of virtual servers a particular group requires.

• Memory allocation: Identify the amount of RAM allocated for the particular server.

• Processor allocation: Identify the number of virtual CPUs allocated for a particular server.

It is important to follow recommendations from the hypervisor vendor. For more complete Citrix recommendations for virtualizing XenApp, see Citrix article CTX129761 on http://support.citrix.com.

Capacity Planning

Assessing the right amount of hardware required for the environment is crucial for creating the lowest cost solution while providing acceptable performance for the user. Adding unnecessary hardware increases the overall hardware, support, and power costs.

Additionally, you should take into account the geography of users when determining the hardware requirement for simultaneous startups. If users are in different time zones and connecting at different times, scalability in the farm can be increased. However, designing for peak demand is recommended.

Virtual Machine Sizing Guidelines

Citrix recommends the following virtual machine (VM) configurations for XenApp.

Thin-provisioning XenApp servers is not recommended.

| Sockets | Cores / Socket | Hyper-Thread | Logical Cores / Socket | Logical Cores / Server | VM Count | vCPU per VM | RAM per VM |
|---|---|---|---|---|---|---|---|
| 2 | 2 | No | 2 | 4 | 2 VMs | 2 vCPUs | 8 GB |
| 2 | 2 | Yes | 4 | 8 | 2 VMs | 4 vCPUs | 16 GB |
| 2 | 4 | Yes | 8 | 16 | 2 VMs | 8 vCPUs | 32 GB |
| 4 | 2 | Yes | 4 | 16 | 4 VMs | 4 vCPUs | 16 GB |
| 4 | 4 | Yes | 8 | 32 | 4 VMs | 8 vCPUs | 32 GB |

• Page file estimates are typically either 1X or 1.5X RAM for 32-bit servers. For 64-bit servers, the same formula can be used, but this will most likely result in an excessively large page file size. For 64-bit servers, it is best to monitor the server and follow the page file recommendations in Microsoft article 2021748.

• The 64-bit operating system specifications assume there is a need for flexibility with live migration capabilities. Larger virtual machines are also valid if flexibility is not a requirement.

Additional Recommendations

Citrix recommends the following hypervisor configuration options with virtualized XenApp servers.

Decision: Overcommit CPU: No
Hypervisor: Hyper-V, XenServer, vSphere
Justification: It is advisable not to allocate more vCPU than there are physical cores within the given hardware. Greater levels of scalability are achieved by maintaining appropriate CPU.

Overcommitting with virtual machines that have the same workload will not be helpful; however, if the workloads vary, some overcommitting may be beneficial.


Decision: Use Hyper-threading: Yes
Hypervisor: Hyper-V, XenServer, vSphere
Justification: Newer processors have the ability to do hyper-threading, where each core is two logical cores. Hyper-threading in a XenApp environment often improves user density.

Decision: Disable ASLR: No
Hypervisor: Hyper-V, XenServer, vSphere
Justification: As many organizations try to protect their XenApp servers from viruses, malware, and other OS threats, it is advisable to keep Address Space Layout Randomization enabled, which is the default setting. The functionality is included with Windows 2008, Windows 2008 R2, Windows Vista, and Windows 7.

Decision: Optimize for XenApp: N/A
Hypervisor: XenServer
Justification: On systems with pre-Nehalem processors, the XenServer setting Optimize for XenApp provided increased scalability. With the release of the Nehalem processors, much of the functionality has been placed on the hardware; therefore, this setting can be ignored.


Decision: Memory Allocation: Fixed
Hypervisor: Hyper-V, XenServer, vSphere
Justification: As users are dynamically load balanced across XenApp servers, memory usage between different virtual machines should be similar, helping negate the need for dynamic memory allocation techniques.

Use of virtual machine migration strategies could cause memory overcommitment resulting in aggressive paging and poor performance across all XenApp virtual machines. It is advisable to set fixed values for memory reservations for XenApp virtual machines.

Decision: Host Swapping: No
Hypervisor: vSphere
Justification: In most environments, all XenApp servers are actively hosting users at the same time. Swapping out memory from one XenApp host will degrade performance for all virtual machines because the memory is transferred to and from the disk.

XenApp and XenServer Integration

Implementing XenApp with Citrix XenServer provides great scalability and redundancy to a XenApp implementation by virtualizing XenApp. A major benefit of integrating XenApp with XenServer is the possibility of having a single server image for all XenApp servers, which would not only reduce administrative maintenance and management costs, but also greatly reduce storage requirements for the XenApp farm.

Citrix recommends the following practices for integrating XenApp and XenServer.

• Keep the number of server images to a minimum to limit maintenance and support costs.

• Keep the number of XenApp streamed or hosted application profiles to a minimum.

If possible, use image personalization to configure profiles for specific user groups, avoiding profile sprawl.


• Use caution when allocating more vCPU than physical cores within the provided hardware. Greater levels of scalability are achieved by not overcommitting CPU.

• Use Hyper-threading to improve user density.

• Optimize the disk subsystem to improve performance and scalability.

• Set fixed values for memory reservations for XenApp virtual machines to maximize performance.

• Apply all updates and hotfixes to the golden image.

• Save the golden image as the farm template.

• Be aware of the limitations of your solution, such as the XenServer pool size.

For training on integrating XenApp with XenServer and other Citrix technologies, attend the Citrix virtualization engineer and architect courses. Find schedule information at http://training.citrix.com.

For more information about integrating XenApp with XenServer, see the following Citrix articles on http://support.citrix.com:

• XenApp Planning Guide - Virtualization Best Practices: CTX129761

• XenApp and XenServer - Implementation Guide: CTX117921

• XenApp and XenServer - Reference Architecture: CTX117922

• XenServer for XenApp - Design Considerations: CTX117898

• XenDesktop Design Handbook: CTX120760


Multi-Streaming

Multi-streaming provides the option of delivering ICA traffic over as many as four TCP/IP streams. This enables full flexibility for Quality of Service (QoS) routing over the network and provides superior audio/visual quality without disrupting other network traffic.

For more information about multi-streaming, see Citrix blog article http://blogs.citrix.com/2011/08/25/enhanced-qos-via-multi-stream-ica/.

ICA Virtual Channels

The ICA protocol functions at Layer 6 (Presentation) of the OSI Model and is segregated into individual functional units called virtual channels.

The ICA protocol supports up to 32 virtual channels, which provide the full array of functionality needed for a robust user session. For most user sessions, only about 10-12 virtual channels are employed.

Virtual channels provide such functionality as audio, clipboard, and USB redirection. While most of the virtual channels are based on unique virtual driver DLLs, some are incorporated into wfica32.exe. For example, the virtual channel that controls USB redirection is named CTXGUSB, and the associated virtual driver is vdgusbn.dll, whereas the virtual channel that controls printer mapping is named CTXCPM and wfica.exe controls the related functionality.

ICA Priority Tags

Each virtual channel is assigned a decimal priority tag from 0 to 3, with 0 being the highest priority and 3 being the lowest priority.

| Priority Name | Priority (Binary) | Priority (Decimal) |
|---|---|---|
| High or Realtime | 00 | 0 |
| Medium or Interactive | 01 | 1 |
| Low or Bulk Transfer | 10 | 2 |
| Very Low or Background | 11 | 3 |

Although the default virtual channel priority can be altered by simply modifying the priority number, this is not commonly done. Virtual channel priorities are stored in the registry under HKLM\System\CurrentControlSet\Control\TerminalServer\Wds\icawd\Priority.


The virtual channels used by XenApp and XenDesktop are not exactly the same; these vary slightly. The default virtual channels used for XenApp 6.5 and specifically in support of Multi-Streaming are found in the registry under HKLM\System\CurrentControlSet\Control\TerminalServer\Wds\icawd\MultiStreamIca.

When ICA traffic is transmitted across the network, similar priority group traffic types comprise each packet; different priority groups are not assimilated together. Thus, an ICA packet comprised of low/bulk transfer packets (Priority 2) could include USB, clipboard, and client drive data.

Multi-Streaming Functionality

Each of the four default priority groups is used to map directly from Layer 6 (Presentation) to Layer 4 (Transport) and a TCP port is designated. Most commonly, this would be done in order to implement Quality of Service or Prioritization across the network.

Multi-Streaming requires Session Reliability, which is based on the Common Gateway Protocol (CGP). Session Reliability is enabled by default and uses TCP port 2598.

| Priority Group | TCP Port | Virtual Channels |
|---|---|---|
| Very High | Determined by administrator | Audio |
| High | 2598 (default) | ThinWire/DX Command Remoting; Seamless; Terminal Services licensing; SmartCard redirection; Control; End-user experience monitoring |
| Medium | Determined by administrator | MediaStream: Windows Media and Flash; USB redirection; Clipboard; Client drive redirection |
| Low | Determined by administrator | Printing; COM port mapping; LPT port mapping; Legacy OEM virtual channels |

Configuring Multi-Streaming

By default, Multi-streaming is not enabled. Citrix Branch Repeater automatically invokes functionality similar to Multi-Streaming and is configured within the Branch Repeater console. Thus, when Branch Repeater is implemented, configuration of Multi-Streaming within XenApp is not necessary.

Multi-streaming requires that the two policies above it are enabled.

The first step is to enable the Multi-Port policy under Computer policy. This is where the priority groups (called CGP ports) are mapped to a CGP port priority. The CGP port priority is not the same as the priority name that Citrix has traditionally used to describe the virtual channel groups.

The Multi-streaming policies can be configured in any order.


The CGP default port (2598) is used by default to map to the CGP default priority named high and cannot be altered.

When configuring this policy, the drop-down options will only allow each CGP port priority to be used once. It is possible that the random assignment of port numbers could result in TCP port conflicts. For a complete list of TCP port number reservations that may be in use within your organization, see http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml.

The other step for configuring Multi-Streaming is enabling the Multi-Stream policy under Computer policy. If additional detail is required, the Multi-Stream policy under User policy should be enabled. When configuring Multi-Streaming, it may be necessary to designate a unique user or computer policy to segregate and apply the functionality desired. By default, these policies are disabled.

The server must be restarted for policies to take effect because these are computer policies.
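The Multi-Port rules above can be checked before the policy is changed. The following is an added example, not part of the Citrix course material: it validates a planned CGP port-to-priority mapping against the rules stated on this page and returns the port, priority and virtual-channel rows a firewall or QoS team needs. The function names, the sample port numbers and the in-use port list are constructed for illustration.

```python
from collections import Counter

CGP_DEFAULT_PORT = 2598   # Session Reliability (CGP) default port, per the page
ICA_DEFAULT_PORT = 1494   # default XenApp ICA port, per the page
FIXED_PRIORITY = "High"   # 2598 always carries the High group and cannot be remapped

# Priority group -> virtual channels, copied from the Multi-Streaming table.
CHANNELS = {
    "Very High": ["Audio"],
    "High": ["ThinWire/DX Command Remoting", "Seamless",
             "Terminal Services licensing", "SmartCard redirection",
             "Control", "End-user experience monitoring"],
    "Medium": ["MediaStream: Windows Media and Flash", "USB redirection",
               "Clipboard", "Client drive redirection"],
    "Low": ["Printing", "COM port mapping", "LPT port mapping",
            "Legacy OEM virtual channels"],
}
ORDER = list(CHANNELS)  # highest priority first (dict order is preserved)

# Constructed sample data (assumptions, not values from the course).
SAMPLE_PORTS_IN_USE = {80, 443, 3389}
GOOD_PLAN = [(2599, "Very High"), (2600, "Medium"), (2601, "Low")]
BAD_PLAN = [(2598, "Very High"), (3389, "Medium"),
            (2600, "Medium"), (2601, "High")]


def validate_port_plan(assignments, ports_in_use=()):
    """Check administrator-chosen (tcp_port, priority) pairs.

    The default mapping 2598 -> High is implicit and must not be listed.
    Returns a list of findings; an empty list means the plan is consistent
    with the rules stated on the page.
    """
    findings = []
    busy = set(ports_in_use) | {ICA_DEFAULT_PORT}
    for port, prio in assignments:
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"{port}: not a valid TCP port")
            continue
        if prio not in CHANNELS:
            findings.append(f"{port}: unknown priority {prio!r}")
            continue
        if port == CGP_DEFAULT_PORT:
            findings.append(f"{port}: CGP default port is fixed to {FIXED_PRIORITY}")
        elif prio == FIXED_PRIORITY:
            findings.append(
                f"{port}: {FIXED_PRIORITY} is already mapped to {CGP_DEFAULT_PORT}")
        if port in busy:
            findings.append(f"{port}: conflicts with a port already in use")
    # Each port and each CGP port priority may appear only once.
    for port, n in Counter(p for p, _ in assignments).items():
        if n > 1:
            findings.append(f"{port}: port assigned {n} times")
    for prio, n in Counter(pr for _, pr in assignments).items():
        if n > 1 and prio in CHANNELS:
            findings.append(f"{prio}: priority used {n} times")
    return findings


def classification_rows(assignments, ports_in_use=()):
    """Return (port, priority, channels) rows, highest priority first.

    Raises ValueError if the plan does not validate, so that firewall or
    QoS rules are never generated from an inconsistent mapping.
    """
    problems = validate_port_plan(assignments, ports_in_use)
    if problems:
        raise ValueError("; ".join(problems))
    rows = [(CGP_DEFAULT_PORT, FIXED_PRIORITY)] + list(assignments)
    rows.sort(key=lambda row: ORDER.index(row[1]))
    return [(port, prio, CHANNELS[prio]) for port, prio in rows]


if __name__ == "__main__":
    for finding in validate_port_plan(BAD_PLAN, SAMPLE_PORTS_IN_USE):
        print("FINDING", finding)
    for port, prio, channels in classification_rows(GOOD_PLAN, SAMPLE_PORTS_IN_USE):
        print(f"tcp/{port:<5} {prio:<9} {', '.join(channels)}")
```

Feed `ports_in_use` from the ports already listening on the XenApp server plus any ports your organization reserves.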


Accelerating ICA Traffic with Branch Repeater

Branch Repeater (BR) technology allows you to accelerate, control, and prioritize network traffic that traverses the WAN. It provides local caching across multiple XenApp user sessions.

Specifically, this means that if a dozen users access an ERP application that displays the same initial logon screen, only the first set of bitmaps for this screen paint will be sent over the network for the first user session. Subsequent users will receive the bitmaps cached on Branch Repeater since they are exactly the same. The screen bitmaps that are the same, such as the logo, background color, and logon boxes will not be resent across the network.

In addition to standard functionality, Branch Repeater with Windows Server can be used to locally stage XenApp streamed applications at the office site. For example, if Microsoft Office is deployed to users as a streamed application, the profile can be housed on Branch Repeater with Windows Server. By housing the profile on this server within the branch office, the profile is not streamed across the WAN and saves bandwidth.

Branch Repeater automatically senses real-time network and traffic conditions and adaptively orchestrates ICA and other data optimizations. These limited capabilities allow IT to provide a better user experience within the existing bandwidth and potentially to support more users in each branch office without upgrading WAN links.

The following resources may be of use as you prepare to teach this portion of the class.
• "Citrix Branch Repeater Product Demo": http://www.citrix.com/tv/#videos/1403
• "SYN326: Branch Repeater 6.0": http://www.citrix.com/tv/#videos/4183
• "SUM304: Best practices for troubleshooting Branch Repeater deployments": Citrix article CTX129668 on http://support.citrix.com
• "HTTPS/SSL-specific compression in Branch Repeater": Citrix article CTX127952 on http://support.citrix.com

Where Branch Repeater is added to an environment, XenApp automatically senses its presence and offloads compression, encryption, and some optimizations. In addition, within Citrix User policies, Branch Repeater is a filter in XenApp 6.5 that can apply specific policies based on environments with and without Branch Repeater.

Citrix Branch Repeater products include Branch Repeater appliances for branch offices, Repeater appliances for datacenters, Branch Repeater VPX software-based virtual appliances for the branch and the datacenter, and the Acceleration Plug-in for Citrix Receiver.

Branch Repeater Benefits

Use the following guidelines to determine whether a Branch Repeater hardware appliance or VPX is the right solution for your environment.

| Hardware Appliance | VPX |
|---|---|
| Less complex than managing a virtual server | Manage using the preferred server or hypervisor management tools |
| For branches or datacenters with greater than 45 Mbps WAN links | For branch offices with less than 45 Mbps WAN links |
| Number of connections needed exceeds 500 users. | Number of connections is fewer than 500 users. |
| Built-in high availability and fail-to-wire for business continuity | VPX instances can be quickly provisioned and de-provisioned dynamically, including in remote offices without locally present IT staff. |
| Consistency required for WAN optimization Service Level Agreements. | Performance depends on multiple factors, including server sizing and disk subsystem performance. |

Accelerate Datacenter Servers

Branch Repeater optimizes network traffic in multiple ways. While all WAN optimization solutions provide additional compression and other features, Branch Repeater is specifically tuned to optimize Citrix traffic as it traverses the network.

Within a XenApp environment, the presence of Branch Repeater is automatically detected. As part of this detection process, native compression and encryption are automatically offloaded onto Branch Repeater. The administrator does not need to make any configuration changes in order for this functionality to be realized.

It is not uncommon for Branch Repeater to exist within the main datacenters and larger branch offices, with some small branch offices and remote users not having the benefit of either Branch Repeater appliances or VPX devices. In these cases, Branch Repeater at the datacenter automatically recognizes that the far end of the network cannot support the compression and encryption, and that traffic traverses the network in its native format. Thus, the administrator does not need to configure any settings to specifically indicate which locations can use the encryption and compression functionality of Branch Repeater as compared with those that cannot.

Individual users that access XenApp resources from a remote location, such as a telecommuter or traveling salesperson, can benefit from Branch Repeater functionality by using the Acceleration Plug-in for Citrix Receiver on a Windows-based computer. Although the Acceleration Plug-in does not provide full Branch Repeater benefits, it does provide a subset of features that will improve the user experience.

In order to deploy the Acceleration Plug-in, the designated MSI is installed on the Windows device. If not pre-configured, the installation requires the Branch Repeater installation address(es). Once the user device is restarted, network traffic, including ICA/CGP, is accelerated and compressed.

The Acceleration Plug-in is not able to take advantage of caching to the extent that a Branch Repeater appliance or VPX does because multiple users are not accessing the same data. By the very nature of a single device with the Acceleration Plug-in, the same bitmaps are typically not accessed multiple times by multiple users. As a result, the caching benefits of the Acceleration Plug-in are not as robust as that of the Branch Repeater appliance or VPX with access by multiple users.


Branch Repeater with Access Gateway

XenApp performs best with HDX WAN Optimization powered by Branch Repeater. This technology is extended to SSL-encrypted ICA, which is the recommended mode when users connect from a public network. All benefits—such as bandwidth reduction, faster response times, and dynamic priority for interactive traffic—are available for basic encryption mode, secure ICA mode, and ICA over SSL.

Many deployments use Citrix Access Gateway for users to securely access published applications and desktops without connecting to a full VPN. Specifically on private Multiprotocol Label Switching (MPLS) networks and other branch scenarios in which Access Gateway does not open to the Internet, Branch Repeater may be deployed on the external facing side of Access Gateway to optimize ICA traffic. Branch Repeater transparently accelerates ICA traffic, and there are no configuration requirements for the user devices or Access Gateway.

This functionality used to be called "ICA proxy mode," but Access Gateway (other than Enterprise edition) no longer uses this term.

For more information about:

• Deploying Access Gateway, see Citrix article CTX121035 on http://support.citrix.com.

• Accelerating ICA proxy mode, see Citrix article CTX126301 on http://support.citrix.com.

Network Performance Factors

Performance of the Branch Repeater VPX can be affected by:

• CPU

• Memory

• Storage location

• Network throughput

The type and amount of other virtual machines running on the same hypervisor with Branch Repeater VPX may affect the performance of the VPX. If you are running multiple Branch Repeater VPX appliances on the same hypervisor they will compete for hard disk access time and other resources. Unfortunately, there is no formula to calculate or no rule to apply to figure out the performance of the Branch Repeater VPX in the presence of other virtual machines.

Branch Repeater VPX performs best with very fast, very low-latency local hard disks. In the case of network storage, which in addition to Branch Repeater VPX are accessed by other devices, the performance of Branch Repeater VPX as well as other devices accessing the network storage could suffer. To obtain optimum performance, Citrix recommends using the local hard disk of the virtualized server. However, one drawback of using local hard disks is that advanced hypervisor features like migration and failover are not available.

Citrix supports production implementations of Branch Repeater VPX based on a minimum of two virtual CPUs and 2 GB of RAM. If additional resources are available, these should be allocated as necessary to Branch Repeater.


Network throughput is also a consideration for Branch Repeater VPX. Depending on the number and speed of NICs, other virtual machine traffic, as well as switch/router configuration, bandwidth to the Branch Repeater VPX may be limited.

Quality of Service through Branch Repeater

Branch Repeater functions that optimize XenApp environments include:

VoIP protection: The Partial Bandwidth mode ensures that this non-accelerated traffic counts towards the configured bandwidth limit and is, therefore, not dropped.

Limiting unwanted traffic: Branch Repeater limits certain traffic to open up bandwidth for important traffic.

XenApp virtual channel prioritization: Branch Repeater adaptively allocates bandwidth across XenApp virtual channel types. XenApp embeds a dynamic, four-level priority level into its data stream. These priority levels can be assigned to Branch Repeater quality of service (QoS) queues on the Configure Settings > Service Class Policy page.

ICA acceleration: Branch Repeater optimizes performance for printer, client drive mapping, and common applications by:
• Decrypting and encrypting XenApp traffic to allow the XenApp protocol to be parsed and compressed. XenApp compression is automatically disabled on the XenApp servers and plug-ins and is offloaded to the Branch Repeater.
• Disabling the print virtual channel reducer
• Enabling Repeater driven flow control

ICA acceleration works between Repeater and Branch Repeater appliances with supporting appliance software and XenApp server software. Sites without Repeater or Branch Repeater appliances or those with older, unsupported software will use the compression and encryption functionality available with XenApp.

Branch Repeater supports basic and advanced encryption levels.

Quality of Service

Quality of Service (QoS) refers to prioritization of network traffic such that some types receive preference where other types are forced to wait or may be dropped. When QoS is implemented, no additional bandwidth is created, although prioritization may make it appear as if the network operates more efficiently.

QoS can be implemented by a number of mechanisms, including Branch Repeater. XenApp user traffic can be prioritized based on Layer 4 (Transport), Layer 6 (Presentation), or Layer 7 (Application). Layer 4-based QoS is typically implemented on routers and is beyond the scope of these materials.

Layer 6-based QoS is based on the ICA priority tag assigned to each virtual channel. Within Branch Repeater, the administrator can designate the traffic shaping priority and bandwidth allocated to each priority group.


XenApp Quality of Service Policies

XenApp provides a high definition user experience (HDX) by default, but also allows you to configure additional settings to improve the quality of service.

The Multi-Stream policy section includes policies that can configure ICA connection prioritization. By default, port 1494 is configured for XenApp traffic and a high prioritization. Additional ports can be created for specific ICA traffic and can be prioritized. For example, video conferencing can be configured at the highest setting (Very High), while printing can be configured at the lowest setting (Low).

By default, Multi-Stream is not enabled. For more information, see the XenApp 6 for Windows Server 2008 R2 > Administration > Policy Settings Reference section of Citrix eDocs at http://edocs.citrix.com.

The HDX policies provide additional QoS enhancements, including:

Multimedia Acceleration: By default, the MediaStream Multimedia Acceleration policy is not enabled; therefore, when multiple user sessions require multimedia content, such as video and audio, the simultaneous requests cause the server CPU usage to increase. In addition, the uncompressed files are sent over the network to the user devices, consuming a large amount of bandwidth. MediaStream Multimedia Acceleration streams multimedia content to the user devices in the original, compressed format, thereby reducing the server CPU utilization and bandwidth consumption. Server memory usage for these sessions is slightly increased.

Flash Optimization: The Flash quality adjustment Citrix User policy improves user session responsiveness by forcing the Flash Player to use simpler graphics. This reduces the amount of processing power that is required to render Flash content. By default, HDX MediaStream server-side Flash functionality is enabled at the farm level. However, if HDX MediaStream client-side Flash functionality is enabled, server-side rendering is overridden.

Image File Optimization: This policy allows you to configure image quality and how images are displayed to optimize session performance.

Keyboard and Mouse Responsiveness: Optimize keyboard and mouse responsiveness for high latency connections by configuring SpeedScreen Latency Reduction.

For more information about HDX policies, see the XenApp 6 for Windows Server 2008 R2 > Administration > Managing Session Environments and Connections section of Citrix eDocs at http://edocs.citrix.com.

Branch Repeater Traffic Shaping Policy for ICA Traffic

Branch Repeater 6.0 introduced application-based QoS, which functions at Layer 7 of the OSI model. This functionality, configured under Application Classifiers, causes ICA sessions to be prioritized based on the first application that the user accesses. Thus, an administrator should keep in mind typical user behavior when determining that application-based QoS provides the best solution.


Using Branch Repeater to Configure Application-Based QoS

For example, if a typical user accesses Outlook as the first published application each morning and then accesses an engineering application, the QoS decision will be based on Outlook, and any subsequent applications are irrelevant for the purposes of prioritization. Even if the engineering application has been designated a higher priority, it will not be elevated unless it is accessed first. This is because only the initial application is used to identify prioritization.

Alternatively, session sharing can be disabled in order to prioritize each application separately. Disabling session sharing causes each application to run within a unique ICA session; thus if a user has five applications opened, five ICA sessions would also be opened when session sharing is disabled. With session sharing enabled and functioning properly, those five applications would be opened within a single ICA session.


Test Your Knowledge: Optimizing the XenApp Environment

1. All of the following counters should be used when gathering baseline performance data of a XenApp farm, except __________. (Fill in the blank.)

a. Device performance alert

b. Network transaction failure

c. System disk bottleneck alert

d. Generic application performance alert

2. When optimizing a Windows server, which area may also optimize XenApp?

a. IIS

b. Active Directory

c. Devices and Printers

d. Microsoft Management Console

3. Which two Performance Monitor counters should be used to determine which servers require disk defragmentation? (Choose two.)

a. % Disk Idle Time

b. % Disk I/O Time

c. % Disk Read Time

d. % Disk Write Time

4. Citrix recommends which three of the following configurations for XenApp farms with Active Directory in the environment? (Choose three.)

a. All servers should reside in the same domain.

b. The farm should span multiple Active Directory forests.

c. XenApp servers should be in their own Organizational Units (OUs).

d. The farm domain should have no trust relationships with non-Active Directory domains.

5. Citrix recommends the following for optimizing data collectors, except __________ and __________. (Fill in the two blanks.)

a. Each zone should have a backup data collector.

b. At least 50% of the hard disk space should be free.

c. Two NICs should be available for each data collector.

d. Published applications should run on servers that are not data collectors.

6. Which application type would benefit from virtual memory optimization?

a. Reside on network shares

b. Have digitally signed components


c. Require that DLL memory addresses are temporary

d. Entail the application executable programmatically checks the DLL after it has been loaded

7. When sizing VMs, you should be aware of the following specifications, except __________. (Fill in the blank.)

a. Server count

b. Processor allocation

c. Memory allocation

d. Free hard disk space


Module 6

Optimizing the User Environment


Overview

Although the XenApp infrastructure is a key focus for optimizing a XenApp implementation, a number of factors on the user side also require attention.

After completing this module, you will be able to:

• Improve reliability and speed of user access components.
• Manage centralized applications.
• Consider a variety of application delivery mechanisms for a scenario.
• Implement the best of application delivery mechanisms for a scenario.
• Provide an appropriate environment to different types of users.
• Manage user settings.

Time

• Module: 105 minutes
• Exercises (2): 40 minutes
• Total time: 145 minutes

Less experienced students have required additional time to complete these exercises.


Access Methods

XenApp can deliver applications to user devices, servers, and virtual desktops with:

Server-side application virtualization: Applications running inside the datacenter are presented to the user, and changes on the user device, such as keystrokes and mouse actions, are relayed back to the application.

Client-side application virtualization: XenApp streams applications to the user device from the datacenter and runs the application on the user device.

VM hosted application virtualization: Resource-intensive applications, such as graphical applications, that require dedicated resources, as well as problematic applications or those requiring specific operating systems run inside a desktop in the datacenter. XenApp presents the applications to the user device and relays user actions from the device back to the application.

Application Delivery Methods

Applications can be delivered to users in a number of different methods, including streaming the applications and making them available offline. A XenApp environment is not limited to a single method of delivery to all users; you can specify how each application is delivered based on business and user requirements. Delivery options include applications installed on the server, streaming applications to the server, streaming applications to the user desktop, and dual-mode delivery.

Installed on the Server

Applications are installed on and processed from the server. This is the traditional XenApp application delivery model. This method often provides the lowest cost of ownership for IT resources because it provides the greatest scalability.


Advantages

• Provides a consistent user experience regardless of the user device.
• Allows you to manage applications centrally.
• Reduces the need for extensive user device resources. User devices do not require extensive resources, such as memory or hard drive space; therefore, this method supports delivering applications to thin clients.
• Is effective for applications with components that are based on specific dependencies, such as a .NET framework.
• Provides the ability to control application license usage by limiting the number of times an application can be opened at any time.

Considerations

• Servers require sufficient resources to support the applications.
• Users must be connected to the server or network to run the applications; offline access is not available.
• Some applications conflict with other applications; thorough testing for application compatibility is necessary.

Streamed to Server

Executables for applications are put in profiles and stored on a file server or Web server. When applications are started they are streamed to the server, where processing takes place. Unlike installed applications, streamed applications are stored in the file server and provide application isolation by design.


Advantages

• Provides similar advantages as for installed applications, including a consistent user experience, central management, and use of server resources instead of those of the user device.
• Allows conflicting applications, such as multiple versions of the same application, to run on the same server without needing to isolate them.
• Simplifies application updates because you update only a single application profile.

Considerations

• Servers require sufficient resources to support the applications.
• Users must be connected to the server or network to run the applications; offline access is not available.
• Some applications are not candidates for profiling, such as those using a .NET framework.

Streamed to Desktop

Executables for applications are put in profiles and stored on a file server or Web server. When started, the files required to execute the application are streamed to the user device. Application processing takes place on the user device instead of the XenApp server. Offline access of these applications is possible after applications are cached on the user device.

Advantages

• Provides users a local application experience, but you manage the applications centrally.
• Enhances the user experience for resource-intensive applications, such as graphics applications, by streaming the applications to desktops.
• Allows you to control the applications and users that have offline access, as well as the license period for offline use.

Considerations

User devices must:

• Have sufficient resources to run the applications locally; the user devices cannot be thin clients.
• Run Windows operating systems, including Windows 7, XP, or Vista.


Application Compatibility

Delivering applications in a multiuser environment uses shared system components and resources, which can lead to compatibility issues. Depending on the compatibility issue, you can configure application streaming or virtual IP addresses to minimize conflicts.

In many cases, applications do not have compatibility issues with XenApp; however, compatibility issues may arise when running multiple instances of the application or because of conflicts between the application and other applications installed on the server.

You need to determine whether an application is compatible with the current XenApp environment before publishing the application.

To Determine Application Compatibility

This topic is regarding application compatibility in a XenApp environment and is not referring to the Windows program compatibility wizard.

1. Build a test environment.

A laboratory environment should be built using the same process used to build the production environment to ensure that all server configurations and security settings are consistent.

All testing should be done in a separate farm to ensure that there is no impact to the production environment.

2. Install the first application in the test environment.

3. Install the second application in the same test environment.

4. Run both applications using an account without administrative rights to determine whether the applications can be co-located on the same server.


Application Streaming

Application streaming sessions contain an application that is either streamed to a XenApp server or to a user device. For applications streamed to a XenApp server, an ICA session is created and streaming is completed within the session. These sessions can be shadowed and are treated as standard sessions.

Applications that are streamed to a user device do not use standard ICA sessions. These sessions are displayed as RADE (Rapid Application Deployment Environment) sessions in the AppCenter, instead of ICA. These types of sessions cannot be shadowed or administered through the AppCenter because they are established between the file server hosting the profile and the user device.

If you want to provide offline access to centrally-managed applications or reduce resource usage on XenApp servers, streaming to a user device may meet your needs.

Force Application Streaming

The Streamed App Delivery rules within the load balancing policies can override the method for delivering published applications; therefore, it is important to know the available options and the consequences of selecting them.

When publishing a streamed application, you can choose one of the following streamed application types:


• Streamed to client

• Accessed from a server: streamed to server

• Streamed if possible; otherwise accessed from a server: installed application

• Streamed if possible; otherwise accessed from a server: streamed to server

The load balancing policy Streamed App Delivery settings include:

• Allow applications to stream to the client or run on a Remote Desktop Server (default).

• Force applications to stream to the client.

Plug-ins that do not support streaming or do not match the profiled operating system will not be able to open the application.

• Do not allow applications to stream to the client.

If this option is selected and server access is not allowed for an application, such as when it is configured to stream to the client only, the application connection will fail.

If no Streamed App Delivery policy is configured, then the application delivery method specified in the published application properties is used.

Streaming Application Rules

Use the following table to determine the published application and policy settings that are appropriate for your environment.

Application type: Streamed to client

• No policy (default delivery): Citrix Offline Plug-in streams application to the user device.

• With policy: Do not allow stream to client: Connection fails.

• With policy: Force stream to client: Connection works.

Application type: Accessed from a server: Installed application

• No policy (default delivery): Citrix Receiver delivers the application installed on XenApp (not streamed).

• With policy: Do not allow stream to client: Policy does not apply.

• With policy: Force stream to client: Policy does not apply.

Application type: Accessed from a server: Streamed to server

• No policy (default delivery): Offline Plug-in streams application from file share to XenApp and any online plug-in delivers the application from XenApp.

• With policy: Do not allow stream to client: Policy does not apply.

• With policy: Force stream to client: Policy does not apply.

Application type: Streamed if possible; otherwise accessed from a server (dual mode): Installed application

• No policy (default delivery): Dual mode: Offline Plug-in streams application to the user device. Without dual mode: Online plug-in connects to the application installed on server (not streamed).

• With policy: Do not allow stream to client: Online plug-in always connects to application installed on server.

• With policy: Force stream to client: Offline Plug-in always streams application to desktop.

Application type: Streamed if possible; otherwise accessed from a server (dual mode): Streamed to server

• No policy (default delivery): Dual mode: Offline Plug-in streams application to the user device. Without dual mode: Offline Plug-in streams application to the server.

• With policy: Do not allow stream to client: Offline Plug-in always streams application to the server.

• With policy: Force stream to client: Offline Plug-in always streams application to desktop.

Web Interface must also be configured to allow application streaming.

Isolation Environment Rules

The default rules created by the Offline Plug-in for isolation environments are typically sufficient for most IT needs. However, you can add new rules to fine-tune application interactions with operating system resources on the user device.

Isolation environment rules are based on file or registry key paths. Rules are matched by the most specific path to the resource being accessed.

A rule applies to the object specified and all the children of the specified object, unless a more specific rule exists. An object is a file, registry, or named object.

The isolation environment rules are Isolate, Strictly Isolate, Ignore, and Redirect.


Isolate: This rule ensures that when a streamed application requests access to a system resource, a version of the file or key is created for each user.

By default, the Streaming Profiler uses this rule while profiling applications.

Add this rule to ensure that there is one copy of a resource in each isolation environment. For example, create a rule that isolates the registry hive HKLM\SOFTWARE\classes when you install Microsoft Office. Because each user does not require a separate version of this hive, create a rule that isolates this particular registry hive for the isolation environment.

The Citrix Offline Plug-in, version 5.2 and newer, uses the Ignore rule by default. Earlier versions of the Offline Plug-in use the Isolate rule by default.

Strictly Isolate: This rule prevents the application from accessing the objects in the physical layer of the user device. When this rule is applied to an object, the object cannot be detected unless it was created within the isolation environment. This rule is commonly used to support multiple versions of an application running on the user device.

Ignore: The Ignore rule allows the rules engine to define "holes" in the isolation environment so that an application can write to the underlying system. This rule allows a streamed application running inside an isolation environment to share data with an application outside the isolation environment.

This rule is the default behavior for streaming applications.

Redirect: This rule redirects an application request for a file or registry key to a specified location.

Use the Rules page of Target Properties in the Profiler to modify the isolation environment rules.

For more information about isolation environment rules, see the Application Streaming > Creating Application Profiles > Managing Isolation Environment Rules section of Citrix eDocs at http://edocs.citrix.com.
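The most-specific-path matching described above, as an added example that is not Citrix code: it resolves which rule governs a resource and lists the Ignore "holes" that override a broader isolation rule. Apart from HKLM\SOFTWARE\classes, the sample rules, the ExampleApp paths and the helper names are constructed, and case-insensitive, component-wise path comparison is an assumption.

```python
from typing import NamedTuple, Optional

RULE_TYPES = ("Isolate", "Strictly Isolate", "Ignore", "Redirect")


class Rule(NamedTuple):
    path: str                       # file or registry key path the rule is anchored on
    action: str                     # one of RULE_TYPES
    target: Optional[str] = None    # new location, used by Redirect only


def _split(path):
    # Original-case components; empty pieces from leading/trailing "\" are dropped.
    return [part for part in path.split("\\") if part]


def _key(path):
    # Assumption: paths compare case-insensitively, component by component.
    return tuple(part.lower() for part in _split(path))


def resolve(rules, resource, default_action="Ignore"):
    """Return (action, effective_path, matched_rule_path) for one resource.

    default_action applies when no rule matches: the text gives Ignore for
    Offline Plug-in 5.2 and newer, Isolate for earlier versions.
    """
    wanted = _key(resource)
    best = None
    for rule in rules:
        if rule.action not in RULE_TYPES:
            raise ValueError(f"unknown rule type: {rule.action!r}")
        if rule.action == "Redirect" and not rule.target:
            raise ValueError(f"Redirect rule on {rule.path!r} has no target")
        anchor = _key(rule.path)
        # Whole-component prefix match: ...\classes covers ...\classes\CLSID
        # but not ...\classesXYZ. The longest matching anchor wins.
        if wanted[:len(anchor)] == anchor:
            if best is None or len(anchor) > len(_key(best.path)):
                best = rule
    if best is None:
        return default_action, resource, None
    effective = resource
    if best.action == "Redirect":
        # Keep the part of the path below the rule's anchor and re-root it.
        tail = _split(resource)[len(_key(best.path)):]
        effective = "\\".join([best.target.rstrip("\\")] + tail)
    return best.action, effective, best.path


def ignore_holes(rules):
    """Ignore rules that punch through a broader Isolate or Strictly Isolate rule."""
    holes = []
    for rule in rules:
        if rule.action != "Ignore":
            continue
        others = [r for r in rules if r is not rule]
        action, _, parent = resolve(others, rule.path)
        if parent is not None and action in ("Isolate", "Strictly Isolate"):
            holes.append((rule.path, parent))
    return holes


# Constructed rule set for the example.
SAMPLE_RULES = [
    Rule(r"HKLM\SOFTWARE\classes", "Isolate"),
    Rule(r"HKLM\SOFTWARE\classes\.docx", "Ignore"),
    Rule(r"C:\Program Files\ExampleApp", "Strictly Isolate"),
    Rule(r"C:\Program Files\ExampleApp\Logs", "Redirect", r"D:\AppLogs\ExampleApp"),
]

if __name__ == "__main__":
    for res in (r"HKLM\Software\Classes\CLSID",
                r"HKLM\SOFTWARE\classes\.docx\OpenWithList",
                r"C:\Program Files\ExampleApp\Logs\2011\run.log"):
        print(res, "->", resolve(SAMPLE_RULES, res))
    print("holes:", ignore_holes(SAMPLE_RULES))
```

Reviewing the output of ignore_holes before a profile is published shows exactly where a streamed application is allowed to write to the underlying system despite a broader isolation rule.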

Pre-Launch and Post-Exit Scripts

The following table lists some commonly used application streaming command-line utilities.


Command: ClientCache

Description: Changes the client cache location or the maximum cache size on the system with the Online plug-in installed.

The default client cache is 5% of disk size or 2GB, whichever is greater.

Command: DSMaint RecreateRade

Description: Recreates the streaming offline license database that exists on each XenApp server.

The IMA service must be stopped to run this command.

Command: RadeCache -i /flush:"appname"

Description: Flushes all cached files, the install root, and registry entries on the user device.

Command: RadeDeploy -m /deploy:"\\fileshare\filename"

Description: Pre-deploys streamed application packages to a XenApp server or user device.

Pre-deployment helps avoid overloading the file servers and network by extracting the profile target and copying it so it can be executed locally.

The file name can be either a .profile or .rad file.

Command: RadeRun "radefile"

Description: Manually streams an application to the system with the Online plug-in installed.

Available options:

• -m: Monitors the deployment until it is completed

• -p: Deletes locally stored profiles

This command is run from the target system where the application will be streamed.

Filenames with embedded spaces should be quoted.

Command: RadeMaint offlinelicense /l:username

Description: Lists the streaming offline licenses for the specified user.

The /r option removes the offline license.


You can obtain more detailed information for each command by typing the command at a command line followed by the /? parameter.

For more information about application streaming commands, see Citrix articles CTX115137 and CTX11591 on http://support.citrix.com.

Streaming Debug Flags

The RadeRun utility can be used at the command line to clear cached files from the user device. These parameters are set by creating the following REG_SZ registry key: HKLM\Software\Wow6432Node\Citrix\Rade\RadeRunSwitches.

Additional RadeRun parameters are detailed in the following table.

Parameter: Function

• -c: Clears the execution cache before the application opens

• -C: Clears the execution cache and per user cache before the application opens

• -d: Clears the execution cache after the application terminates

• -D: Clears the execution cache and per user cache after the application terminates

• -x: Executes a command prompt for every launched application

• -e: Pre-streams all files for the application to the user device

This parameter is used when all components of an application are needed before it can start. Adding this switch uses a considerably larger space on the hard drive.


XenApp and App-V Integration

A full deployment of App-V, an application virtualization solution from Microsoft, requires a management server with console, SQL Server, a web server, and Active Directory. The management server publishes and streams applications to authorized users.

XenApp can perform the application publishing, management, and security functions of the App-V management server. In such an infrastructure, an App-V streaming server is required but an App-V management server is not. The App-V components must have the appropriate Microsoft licenses. In addition, App-V sequenced applications can be deployed to XenApp servers by means of System Center Configuration Manager.

You can publish the App-V sequence either as content or as a dual-mode application (streamed if possible, otherwise accessed from a server). For end users to stream App-V sequences published through XenApp to local systems, they must have an App-V agent. Merchandising Server can deploy the App-V agent to Receiver. If no App-V agent is available, the application runs on the XenApp server.

The AppStreamingToAppVConduit utility enables XenApp to publish App-V sequences. The conduit is an application streaming profile that checks for the presence of an App-V agent on the user device. You must use the streaming profiler to create a streaming profile for the conduit. For more information about AppStreamingToAppVConduit, see Citrix article CTX124860 on http://support.citrix.com.

File type associations must be configured in the App-V management server or in the App-V sequence, not with content redirection in XenApp. For more information about configuring file type associations, see Citrix article CTX126741 on http://support.citrix.com.

For more information about publishing App-V sequences through XenApp, see the following:

• Citrix eDocs at http://edocs.citrix.com.

• Citrix article CTX126423 on http://support.citrix.com.

• Microsoft article 931576 on http://support.microsoft.com.


General Guidelines For Improving Application Performance

Use the following general guidelines to improve application performance:

• Cap the appropriate bandwidth based on users’ needs, if necessary.

• Disable the following application features on the XenApp server to decrease the frequency of updates that are sent to the user device and improve application speed:

    • Windows Index service

    • Windows themes

    • Smooth scrolling

    • Animations

    • Blinking cursors, wallpapers, and screensaver

    • Background spelling and grammar checks

For information about optimizing applications for mobility, see the Citrix Developer Network post at http://community.citrix.com/display/xa/Optimizing+Existing+Apps+for+Mobile+Delivery.

• Configure the appropriate published applications for printing.

Some applications require printers to be auto-created before they start. This pre-launch configuration entails knowing the font support or the default printer, a process which requires extra time and causes a delay for users opening the application. An asynchronous auto-creation setting opens the application while printer configuration continues in the background.

• Do not configure a XenApp server as a file server.

• Configure published applications with consistent settings. Inconsistencies in settings like color depth, resolution, audio, and encryption can prevent session sharing from being invoked.

• Increase the application priority within the properties of the published application, as needed.

• Use the ICA > Visual Display user policy rules, as well as the ICA > Graphics and ICA > Multimedia computer policy rules to optimize media.

• Test all applications in a qualified test environment before delivery in the production environment. This includes service packs, hotfixes, and other application modifications.

• Test the application resource requirements with a monitoring tool, such as Citrix EdgeSight.


User Profiles

The user profile provides personalization of the user experience, including many areas controlled within the Control Panel settings, such as mouse and keyboard settings. User profiles have a profound impact on the user experience, and the importance of a suitable and efficient user profile solution is often overlooked.

Where no user profile is designated within a XenApp environment, a local user profile is used by default. This means that the default profile on the XenApp server is copied as the individual user profile for each user. This is seldom an optimal solution for a XenApp environment because it implies that each user maintains an existing and likely different user profile on each XenApp server.

For example, if User1 is directed to Server3 on Monday and makes a change that impacts her user profile, it is only stored on Server3. If this same user accesses Server2 on Tuesday, the user profile stored on that server from the previous user session is accessed by the user, not the user profile accessed yesterday. As a result, the user experience is inconsistent, and User1 is frustrated because sessions behave slightly differently based on the server accessed.

Settings recorded within NTUser.dat are copied to the HKey_Current_User subtree in the registry of the XenApp server at logon. This copy operation is typically the lengthiest part of the session logon. Depending on the user profile solution, interim writes of the user profile settings are often saved to the user profile while the user session is open but not active, as well as a final save upon logoff. The interim writes are usually only "delta" changes, which are small data blocks representing one or a few modifications to the user profile. The final save can also be comprised of "deltas" or may be a complete write of the user profile. For example, Microsoft roaming profiles, whether based on all user profiles (all network-based computers that a user accesses) or Remote Desktop user profiles (Remote Desktop sessions only), perform a complete rewrite of the user profile at logoff.

Where multiple XenApp servers are accessed by a single user, the impact of "delta" changes and logoffs to roaming user profiles becomes more complex. Starting with Active Directory based on Windows Server 2008 R2, interim saves to the user profile can be configured; however, a complete write of the user profile is always stored upon logoff. For example, if a user accesses applications on three distinct XenApp servers (Server1, Server2, and Server3) and makes minor changes within each session that impact the user profile, each time the user logs off a server, that complete profile is written to the network-based repository. Thus, if the user logs off Server2, then Server1, then Server3, changes recorded on Server2 and Server1 are overwritten upon the final logoff from Server3.

Because user profiles are such a critical aspect of a XenApp deployment, any potential solutions should be fully tested in a lab environment prior to implementation.

Folder Redirection

All user profile solutions provide the ability to redirect folders such as Documents and Desktop to a centralized network location. The specific folders that can be redirected vary based on the version of Active Directory in use. Folder redirection reduces the amount of data retained within the user profile and keeps the core user profile smaller.


However, consideration should be given as to whether the AppData folder should be redirected. This data is accessed often by many applications, and where it is loaded onto the XenApp servers as part of the user profile, it typically provides a better user experience. Where the contents of the AppData folder must traverse the network each time they are called, applications may appear sluggish. For example, Outlook user signatures are stored in AppData, and a user may perceive Outlook to be slow because every time a new message is initiated, the signature is not immediately available within the user profile but is instead accessed from the centralized AppData folder and displayed after some delay.

Special Folder Redirection can be enabled within a XenApp environment. This functionality points users to the Documents and Desktop folders on the local computer, rather than a centralized network location. Only these two folders can be redirected.

When considering Special Folder Redirection, consider whether these folders could be restored in the event of an issue with the user device. If these folders are not backed up, users could experience data loss because the data is stored on the local user device. In addition, if users access XenApp resources from multiple devices, the data stored on each local device would vary, and the user experience would differ based on the user device.

By default, Special Folder Redirection is enabled within Citrix user policies but must be enabled within the Session Settings screens of Web Interface. Access to the local drives on the user device must not be disabled within Citrix policies or Citrix Receiver in order for Special Folder Redirection to function properly.

Profile Types and Characteristics

Use the following table to determine whether a basic user profile fits your environment's needs.

Criteria: Where is the profile data stored?

• Local: Local device

• Mandatory: Network

• Roaming: Network

Criteria: Where are user changes saved?

• Local: Local device

• Mandatory: No changes are saved

• Roaming: Network

Criteria: How much data is saved when a user logs off?

• Local: All

• Mandatory: None

• Roaming: All

Use the following table to determine whether a Terminal Services or Citrix Profile Management profile solution fits your environment's needs.

Criteria: Where is the profile data stored?

• Terminal Services Mandatory: Usually network

• Terminal Services Roaming: Network

• Citrix Profile Management: Network

Criteria: Where are user changes saved?

• Terminal Services Mandatory: Not saved

• Terminal Services Roaming: Network

• Citrix Profile Management: Network

Criteria: How much data is saved when a user logs off?

• Terminal Services Mandatory: None

• Terminal Services Roaming: All

• Citrix Profile Management: Deltas only

If no user profile is administratively designated, a local profile is used. This type of scenario is not recommended because the following occurs:

First Logon: A new profile is created on that server from a local default user.

Subsequent Logon: Existing profile on that server is accessed and modified in that session.

Issue: User settings are not accessible from other XenApp servers.

For more information about selecting a user profile type, see Citrix article CTX124799 on http://support.citrix.com.

Profile Management

Profile management is a profile solution for XenApp servers, virtual desktops created with XenDesktop, and physical desktops. Profile management addresses user profile deficiencies in environments where simultaneous domain logons by the same user introduce complexities and consistency issues to the profile. You should install Profile management on each system where profiles need to be managed.

Citrix streamed user profiles can further reduce logon times because the logon process does not have to wait for the entire profile to finish copying.


Complex Environment Scenario Example

The environment for the CCH company includes the use of roaming profiles. Ben, a CCH employee, opens Microsoft Word and AutoCAD, two different virtual resources hosted on different servers. Ben now has two active XenApp sessions based on his roaming user profile. Ben makes changes to his preferred settings in each application. He logs off of AutoCAD and his new preferences are saved to his roaming profile. Ben finishes writing a report in Word and logs off. His preferences from this session are saved in his roaming profile, overwriting the preferences configured in the AutoCAD session, even though the two session changes do not conflict. Therefore, when Ben logs on to AutoCAD next time, he will not see the changes he specified in his last session; instead, the preferences will have reverted back to the previous configuration. This problem, known as "last write wins," discards any personalization settings that the user makes in the first session.

There are two options for resolving this issue:

Separate profiles: Use separate profiles for each resource silo. This option results in increased administration overhead and storage capacity requirements. In addition, users will experience different settings depending on the resource silo they access.

Citrix Profile management: Use Profile management to optimize profiles by saving registry changes, files, and folders in the profile at interim stages and at logoff. Changes are saved to the user store for each user.

At logon, users' registry entries and files are copied from the user store. If a locally cached profile exists, the two sets are synchronized. This makes all settings for all applications and worker groups available during the session and it is no longer necessary to maintain a separate user profile for each worker group.

Citrix Profile Management

Citrix Profile Management provides an alternative to built-in Microsoft profiles. Generally, non-Microsoft profiles override GPO settings for Microsoft profiles. For information about Citrix Ready user profile vendors, see http://www.citrix.com/ready.

Citrix Profile Management is comprised of two principal elements:

• Profile Management GPOs (ADM template): Imported into Active Directory and the basis for configuring the 34 GPOs

• Computer/server installer (MSI file): Installed onto each XenApp server and includes the Windows service


Citrix Profile Management supports interim writes of changes to the user profile when the Active Writeback policy is enabled. At logoff, only changes are written to the user profile. This is advantageous not only from the standpoint of the time necessary for logoff, but also where a user accesses multiple XenApp servers. For example, if a user accesses applications on three distinct XenApp servers (Server1, Server2, and Server3), and makes minor changes within each session that impact the user profile, each time the user logs off a server only those individual profile settings are written to the user profile. Thus, if the user logs off Server2, then Server1, then Server3, each set of changes is properly recorded upon logoff, provided that the settings are distinct, as is usually the case.
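The Server2, Server1, Server3 logoff sequence from this paragraph and from the roaming profile discussion earlier, as an added example that is not Citrix or Microsoft code: it models complete-profile writes against delta-only writes and reports which changes are lost. The profile is modelled as a dictionary; the setting names, starting values and helper names are constructed.

```python
import copy

_MISSING = object()

# Constructed starting profile; the setting names are made up for the example.
INITIAL_PROFILE = {"word.font": "Calibri", "autocad.units": "mm", "ie.home": "intranet"}


class Session:
    """One logon on one XenApp server, working on a local copy of the profile."""

    def __init__(self, server, store):
        self.server = server
        self.store = store                      # shared network copy of the profile
        self.baseline = copy.deepcopy(store)    # the profile as it was at logon
        self.local = copy.deepcopy(store)       # what the user edits in this session

    def change(self, key, value):
        self.local[key] = value

    def delta(self):
        """Settings this session changed or removed since its own logon."""
        changed = {k: v for k, v in self.local.items()
                   if self.baseline.get(k, _MISSING) != v}
        removed = [k for k in self.baseline if k not in self.local]
        return changed, removed

    def logoff_full(self):
        """Complete rewrite of the network copy (roaming profile behaviour in the text)."""
        self.store.clear()
        self.store.update(copy.deepcopy(self.local))

    def logoff_delta(self):
        """Write only this session's changes (Profile management behaviour in the text)."""
        changed, removed = self.delta()
        self.store.update(copy.deepcopy(changed))
        for key in removed:
            self.store.pop(key, None)


def simulate(logoff_mode, changes, logoff_order):
    """Log on to every server first, apply each session's edits, then log off in order."""
    if logoff_mode not in ("logoff_full", "logoff_delta"):
        raise ValueError("logoff_mode must be 'logoff_full' or 'logoff_delta'")
    store = copy.deepcopy(INITIAL_PROFILE)
    sessions = {server: Session(server, store) for server in changes}
    for server, edits in changes.items():
        for key, value in edits.items():
            sessions[server].change(key, value)
    for server in logoff_order:
        getattr(sessions[server], logoff_mode)()
    return store


def lost_changes(changes, final_store):
    """(server, setting) pairs whose value did not survive to the final network copy."""
    return [(server, key) for server, edits in changes.items()
            for key, value in edits.items()
            if final_store.get(key, _MISSING) != value]


def overlapping_settings(changes):
    """Settings edited in more than one session; delta writes cannot merge these."""
    seen = {}
    for server, edits in changes.items():
        for key in edits:
            seen.setdefault(key, []).append(server)
    return {key: servers for key, servers in seen.items() if len(servers) > 1}


# The three-server case from the text: log off Server2, then Server1, then Server3.
DISTINCT = {"Server1": {"word.font": "Arial"},
            "Server2": {"autocad.units": "inch"},
            "Server3": {"ie.home": "portal"}}
ORDER = ["Server2", "Server1", "Server3"]

if __name__ == "__main__":
    for mode in ("logoff_full", "logoff_delta"):
        final = simulate(mode, DISTINCT, ORDER)
        print(mode, final, "lost:", lost_changes(DISTINCT, final))
```

overlapping_settings covers the "provided that the settings are distinct" condition: when two sessions edit the same setting, the last logoff still wins even with delta writes.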

Streamed user profiles minimize user logon time. When profile streaming is enabled, only the minimum necessary portion of the user profile is copied to the XenApp server during logon, as opposed to the entire user profile. Thus, user logon is more expeditious.

While local INI files can be used to configure Citrix Profile Management, this is seldom done in favor of centralized Active Directory-based configuration. For a proof-of-concept or lab environment, the ADM file can be imported into the local server policy.

Prior to enabling Citrix profiles, all of the related GPOs should be reviewed and configured according to environmental needs. By default, Citrix Profile Management is not automatically enabled after installation; this is done within the Enable Profile management policy.

Platform Support

Citrix Profile Management includes functionality to support cross-platform integration, as well as streamed profiles. Cross-platform integration refers to user profiles that can be used for both v1 (Windows XP and Windows Server 2000/2003) and v2 (Windows Vista/7 and Windows Server 2008 R1/R2) environments. For example, if a user accesses applications based on an environment that includes XenApp 5 for Windows Server 2003 and XenApp 6.5 for Windows Server 2008, user profile settings will not only support the differences in the x86/x64 platforms, but also v1/v2 operating systems. Specifically, Internet Explorer, Office 2007/2010, and wallpaper cross-platform settings are supported.

Profile Management Features

Primary features of Citrix Profile management include:


Citrix streamed user profiles: Offers alternative options for speeding up logons and logoffs by obtaining parts of users' profiles from the user store only when they are needed. Files and folders are fetched from the user store to the local computer only when they are accessed by users after they have logged on. Registry entries, items specified using the extended synchronization feature, and any files in the pending area are exceptions. They are fetched immediately.

One of the options is to use the cache entire profile feature, which pulls all of the files, but staggers their delivery in the background.

Offline profiles: Benefits laptop and mobile device users who roam. Citrix offline profiles have minimal configuration and reduce disruption when network connections are lost by caching files locally until the network (and therefore the user store) is available again. This feature works with domain-joined computers only.

Cross platform settings: For several common applications, this feature allows you to migrate users' profiles and to roam them when the users connect to the same application running on multiple operating systems. Without this feature, if users connect to an application that creates a Version 1 profile on one platform and a Version 2 profile on another, they would have to duplicate the application's settings.

Support for Folder redirection: Allows you to avoid duplicate items in local profiles when folder redirection is used. In addition, Profile management can mirror folders, allowing the correct processing of transactional folders. For example, mirroring the Internet Explorer cookies folder means that index.dat is synchronized only with the latest version of the cookies that it references, not earlier versions that are no longer required. Without mirroring, multiple copies of the referenced files (cookies from multiple sessions, for example) can cause profile bloat.

Support for pre-launched applications: Uses the session pre-launch feature of XenApp to enhance the launching of published applications by starting a session automatically when a user logs on to a farm. No configuration of Profile management is required.


Active write back: Improves profile integrity if sessions terminate abnormally.

Files that are modified on the local computer can be backed up to the user store during a session, before logoff.

Deleting stale cookies: Deletes stale cookies.

Profiles in some deployments can become bloated with stale browser cookies when web sites are revisited. A setting in the ADM file can be used to delete the stale files.

For more information about Profile management, see Citrix eDocs at http://edocs.citrix.com.

Profile Solution Recommendations

Use the following Citrix recommendations when implementing a profile solution:

Avoid local profiles: Implement a user profile solution other than local profiles. While local profiles may suffice in a few instances, this is typically not an optimal solution. Consider environmental factors and requirements when determining a user profile solution.

Keep it simple: Implement the simplest user profile solution that addresses requirements. In many cases, a mandatory profile with folder redirection may address user requirements. This type of profile is easy to configure and maintain. Alternatives to a mandatory profile include a roaming profile or a non-Microsoft solution.

Use the correct user name variable: Use the correct user name variable when configuring the user repository. Microsoft uses the variable %UserName%, whereas Citrix Profile management uses #SamAccountName#. Verify that the user name variable points to the correct location.


Incorporate folder redirection: Incorporate folder redirection where feasible. Folder redirection reduces user profile maintenance because it removes specific folders from the profile and the profile is centralized on the network. In addition, folder redirection reduces logon time and prevents profiles from accumulating unnecessary cookies.

The AppData folder should not be redirected. Because applications make frequent calls to it, users may be dissatisfied with application performance if it is redirected.

Test applications: Ensure that applications work properly with the user profile. That is, they are presented correctly and function appropriately.

Review the Active Directory structure: Review the Active Directory structure and configuration to ensure that GPOs are applied optimally. In most instances, Citrix recommends that all Citrix-related resources be located under a distinct parent OU.

Review GPO interaction: Review the configuration of all user profile-related GPOs to ensure that these do not introduce unexpected behavior. The user profile-related GPOs, such as those found under Administrative Templates > System > User Profiles, interact with Microsoft user profiles and may interact with non-Microsoft user profiles.

Consider logon time: Address all aspects of the logon, including authentication, logon script processing, and resource availability as part of the user profile decision.

Monitor user logon: Review session startup data with a tool such as EdgeSight to better understand each aspect of the user logon process and identify delays associated with loading the user profile.

Consider costs: Consider costs such as administrative time, financial costs, storage, and help desk calls when determining the user profile solution.

Test profile changes: Test all changes to the user profile in a lab environment before implementing the changes in the production environment. User acceptance testing should be the priority when considering any proposed user profile changes.

Consider user experience: Prioritize the user experience when determining the optimal user profile solution.

Session Pre-Launch

When a user starts an application hosted on XenApp, a session is created. Creating a session requires loading the user profile and running logon scripts, each of which may take noticeable amounts of time. Perception of application start time is a key factor in end-user satisfaction.

Session pre-launch addresses the perception of application start time by creating a session on the XenApp server before the user starts an application. The user's profile will load and the logon scripts will run. When the user starts an application, it starts in the existing session using the session sharing capability of XenApp.

Applications can be configured to start a pre-launch session in one of two ways:

• When the user logs on with Receiver (just-in-time pre-launch)

• At a specified time if the user is logged on to Receiver (scheduled pre-launch)

For an application to take advantage of session pre-launch, you must create a pre-launch version of the application. To create a pre-launch version, select the application and click Other Tasks > Create pre-launch application. This operation creates a copy of the application with "PreLaunch-" prepended to the name. You can manage the pre-launch application just as you would any other application hosted on XenApp.

Session Pre-Launch Process

1. The user logs on to Receiver, or the user is already logged on to Receiver and the scheduled pre-launch time is reached.

2. Receiver sends an application enumeration request with a scope of "Prelaunch."

3. Receiver instructs XenApp to start the pre-launch application.

4. XenApp creates a session for the user.

a. Checks out a license.

b. Loads the user profile.

c. Runs logon scripts.

The session remains active for the length of time that is specified in the pre-launch terminate timer interval (60 minutes by default).

5. The user starts a standard application.

6. The application starts in the existing session.

User Connection Configuration

You can improve session performance, launch speed, reconnection speed, and user experience by configuring XenApp policies to fine-tune connections, audio, and multimedia. New features in Citrix XenApp 6.5 improve performance and user experience, either by default or by configuring settings.

Customize Audio Settings

You can improve server performance and user experience by controlling the settings for the audio features through the following Citrix User policy settings:

• Audio Plug-n-Play

• Audio quality

• Client audio redirection

• Client microphone redirection

• Audio redirection bandwidth limit

• Audio redirection bandwidth limit percent

Generally, higher sound quality requires more bandwidth and server CPU time. You can use sound compression to balance sound quality and overall session performance. Use policy settings to configure the compression levels you want to apply to sound files.

Consider creating separate policies for groups of dial-up users and for those who connect over a LAN or WAN. Over dial-up connections, where bandwidth typically is limited, users likely care more about download speed than sound quality. For such users, create a policy for dial-up connections that applies high compression levels to sound and another for LAN or WAN connections that applies lower compression levels.

• The default audio redirection setting is "allowed." Client audio mapping may cause more load on the servers and the network than is preferred. If this occurs, you may need to set audio redirection to "prohibited."

• Configure either the audio bandwidth limit or the bandwidth limit percent, but not both. When using the percent policy, the maximum bandwidth must be specified.

Disk Location Redirection

Other settings that can be used for ICA client connections allow us to handle different types of connections. We configure the connection settings on both the XenApp Server and Web Interface servers to apply to these connections.

Client Drive Redirection

Client drive redirection allows applications running on the server to access physical and logical drives configured on the user device; this feature is enabled by default.

When enabled, users can save files to all their client drives. When disabled, all file redirection is prevented, regardless of the state of the individual file redirection settings such as Client floppy drives and Client network drives.

Redirected drives are not searchable by applications because they are classified as Other drives, as opposed to Network drives, and can be accessed through a UNC path. If an application depends on searching a network drive, the desired drive must be manually mapped from within the session. A script can also be used to map the drive within a session.

If Client drive redirection is not enabled, the published application opens and displays an error because the application is unable to access the local content that initially triggered the application to start. The ICA > File Redirection > Client drive redirection User policy rule must be enabled to allow published applications access to client drives.

This feature was called client drive mapping in XenApp 5 and earlier. The underlying architecture of the feature was rewritten for XenApp 6; drives are no longer mapped, but are redirected.

The client C: drive will no longer appear as the V: drive; instead, it appears as Local Disk.

Special Folder Redirection

This setting allows or prevents Citrix Receiver and Web Interface users from seeing their local Documents and Desktop special folders from a session. By default, special folder redirection is allowed.

This setting prevents any objects filtered through a policy from having special folder redirection, regardless of settings that exist elsewhere. When you allow this setting, any related settings specified for the Web Interface or Citrix Receiver are ignored.

To define which users can have special folder redirection, select Allowed and include this setting in a policy filtered on the users you want to have this feature.

Because special folder redirection must interact with the user device, policy settings that prevent users from accessing or saving files to their local hard drives also prevent special folder redirection from working. If you enable the Special folder redirection setting, make sure the Client fixed drives setting is enabled as well.

Flash Redirection

In the context of Citrix HDX technologies, multimedia configuration refers primarily to Flash redirection. Adobe Flash is used on many multimedia web sites. HDX technologies provide a high-resolution experience even with the most advanced graphical web sites. Flash redirection moves the processing from the server to the user device.

The client-side process, PseudoContainer2.exe, must be running when the user attempts to use HDX MediaStream for Flash.

The Adobe Flash Player version must be identical on both the user device and the XenApp server. If the server has a newer version than the user device, then the streaming fails and falls back to server-side fetching.

Adobe Flash Player does not currently support 64-bit Internet Explorer, although 32-bit Internet Explorer running on a 64-bit operating system is supported. Flash on a 64-bit operating system must be opened from within 32-bit Internet Explorer.

HDX MediaStream for Flash v2 is enabled by default when the server-side service component is installed and running. The Client or Server side HDX GPO template does not need to be enabled or configured for HDX to work.

The Citrix XenApp Group Policy for HDX settings are located under both Computer Configuration and User Configuration as Administrative Templates > HDX MediaStream for Flash-Client (or Server).

Test Your Knowledge: Optimizing the User Environment

1. When determining application compatibility, you should test with an account with which rights?

a. System

b. XenApp power user

c. Non-administrative

d. Local administrator on the user device

2. Applications that are streamed to a user device display as what type of sessions?

a. ICA

b. HDX

c. RDP

d. RADE

3. Which of the following features will not improve performance if disabled?

a. Animations

b. Wallpapers

c. Windows themes

d. User Account Control

4. Why should roaming user profiles be centralized with UPM in a XenApp environment?

a. To auto-create appropriate printers

b. To allow monitoring of user sessions

c. To provide connectivity to all XenApp servers

d. To ensure user settings are accessible from all XenApp servers

5. All of the following are profile solution recommendations, except __________. (Fill in the blank.)

a. Avoid local profiles

b. Consider logon time

c. Disable folder redirection

d. Implement the simplest user profile solution that addresses requirements

Module 7

Optimizing Printing

Overview

Printing is a key requirement for XenApp users. The varied needs of end users and printer types make printing an administrative challenge. Although most printing behavior is controlled by policies, administrators must manage printer drivers.

After completing this module, you will be able to:

• Manage printers for centralized applications.

• Manage printing policies.

• Isolate and resolve printing issues.

Time

• Module: 65 minutes

• Exercises (3): 50 minutes

• Total time: 115 minutes

Less experienced students have required additional time to complete these exercises.

Printing Architecture Review

XenApp offers robust support for printing while centralizing and simplifying management. An understanding of the components involved in printing and the various options available for configuring printing can help you manage the printing environment.

XenApp printing capabilities build upon Windows Server and Remote Desktop Services printing functionalities. To design and manage printing solutions, as well as troubleshoot printing problems, Citrix recommends that you first understand where print jobs are spooled and routed and how printers are provisioned to users within sessions.

For more information about XenApp printing, see Citrix articles CTX113261, CTX107137, and CTX113555 on http://support.citrix.com.

Printer Types

One of the first steps in determining the best method for configuring printers is to determine the types of printers that must be supported.

Windows networks generally consist of two types of printers: local printers and network printers. XenApp introduces a third type of printer, the redirected client printer.

The type of printer determines where the print metafile containing the print job is processed (spooled). Understanding where the job is spooled can be useful, should an issue arise with the spooler service.

Local (Client and Server)

• Spooling Location: Local printers are connected to a user device or server and the local operating system directly spools the print job.

• Connection Port: Local printers can be connected to a user device or a server by local ports, such as LPT and USB, or network ports, such as TCP or SMB.

Network (Client and Server)

• Spooling Location: Network printers are connected to a print server and the server operating system directly spools the print job to the print server.

• Connection Port: Network printers can be connected to a print server by local ports, such as LPT and USB, or network ports, such as TCP or SMB.

Redirected Client

• Spooling Location: Printers are defined on the user device using a UNC path or as local printers. The server operating system spools the print job to the user device for processing.

• Connection Port: Redirected client printers are connected to a user device by local ports, such as LPT and USB, or network ports, such as TCP or SMB.

When enabled, these printers are auto-created within a user’s session and made available to hosted applications.

Printer Provisioning

XenApp print environments are highly dynamic because they are typically built during session initialization or application start. The process by which XenApp makes printers available in a session is known as printer provisioning.

You can control printer provisioning and configure which printers users see in their sessions. You can also specify the method by which printers are provisioned to users:

Explain the different ways that printers can be provisioned to users.

Auto-creation: If you do not want to specify and administer user printers, you can allow users to self-provision the printers that are visible from their user devices.

If you want to ensure that printers are available when users start their sessions, provision printers through auto-creation. Any printer defined on the user device can be auto-created at the beginning of a session.

In order for client printers to be auto-created in user sessions, the Client printer redirection policy rule must be enabled in the Citrix policies node of the Group Policy Management Console or the Policies node of the AppCenter. This is the default setting.

The user self-provisioning and auto-creation methods are considered dynamic. Dynamic provisioning is used to describe printers that appear in a session but are not predetermined and stored. Rather, the printers that are available in a session are determined as the session is built. As a result, you can allow printing configurations to change according to changes in policies, user location, and the network.

Network printer provisioning: You can automatically provision network printers to users within XenApp sessions by adding the network printers and configuring the Session printers policy.

There are other ways in which printers can be provisioned, such as through Active Directory policies and logon scripts. These methods are outside the scope of this course.

Citrix Print Manager Service

The Citrix Print Manager Service (CPSvc.exe) centralizes and controls the creation, deletion, and management of all client printers. The Citrix Print Manager Service logs on and handles service requests using the built-in Local Service account. The Local Service account has sufficient privileges in the operating system and ICA listener to perform the required tasks. This design helps prevent problems where Group Policy Objects (GPOs) are in place to lock down the local accounts.

The Local Service account replaces the ctx_cpsvcuser and ctx_smauser accounts from previous versions of XenApp.

Managing Printers

Use the Microsoft Print Management Console, installed by the Print and Document Services role as an MMC plug-in, to manage printers and drivers on local and remote print servers.

Exporting Printer Data

You can export printer server drivers, printers, and print processors from the Print Management Console into a file and import the data into other servers. You can opt to keep or overwrite existing printer information, as well as adjust printer listings in Active Directory.

Replicating Printer Drivers

Use PowerShell to replicate printer drivers in environments with Citrix XenApp 6 and later. You can replicate printer drivers manually or add them to a list to be replicated automatically.

As of XenApp 6.5, PowerShell is the only method to replicate printer drivers. It is no longer available in AppCenter.

To Replicate a Printer Driver Manually

1. Ensure that the needed driver is available by typing the following command:

Get-XAPrinterDriver -ServerName XASource

Replace XASource with the name of the XenApp server that has the driver.

2. Replicate the printer driver by typing the following command:

Start-XAPrinterDriverReplication -DriverName "driver_name" -SourceServerName XASource -TargetServerName XADest

Replace driver_name with the exact name of the printer driver, XASource with the source server, and XADest with the destination server. Multiple destination servers can be specified by separating them with commas.

Wildcards may be used for driver names and target servers.

3. Verify that the printer driver was replicated by typing the following command:

Get-XAPrinterDriver -ServerName XADest

Replace XADest with a destination server.

If the replicated printer driver is not displayed after a few minutes, force an update by typing the following command:

Update-XAPrinterDriver

You can use this cmdlet to update the driver information in the data store at any time. When the replication event is completed or errors occur, an event log message is entered.

Administrators with minimal PowerShell experience are encouraged to manually install drivers on XenApp servers.

To Replicate a Printer Driver Automatically

1. Register the printer driver to be replicated automatically by typing the following command:

Add-XAAutoReplicatedPrinterDriver -DriverName "driver_name" -SourceServerName XASource

Replace driver_name with the exact name of the printer driver and XASource with the source server.

The output returned confirms the driver name, source server, and that the driver will not be overwritten if it exists. Running the Get-XAAutoReplicatedPrinterDriver cmdlet produces the same output.

2. Verify that a member XenApp server had the printer driver replicated by typing the following command:

Get-XAPrinterDriver -ServerName XADest

Replace XADest with the name of a XenApp server that was just added to the replication list.

To remove a printer driver from the automatic replication list, type the following command:

Remove-XAAutoReplicatedPrinterDriver -DriverName "driver_name" -ServerName XASource

Replace driver_name with the exact name of the printer driver and XASource with the source server.

Citrix Universal Printer

While there are some use cases, such as multifunction printers, that require the native driver to be installed, in many cases the Citrix universal printer drivers can address the vast majority of printing requirements. By using this common denominator, printing issues associated with drivers are minimized, and user print jobs are generally successful.

The Citrix universal printer is a generic universal printer that can be used with almost any printing device and is not tied to the printing devices themselves.

The Citrix universal printer is created at the beginning of each session for that session only. When used, it can greatly reduce the overhead at the start of a session for printer auto-creation. A single instance of the universal printer can typically manage all print jobs for all printers.

The printer name for the Citrix universal printer remains the same when users reconnect, which can prevent problems for some applications.

When enabling the creation of the generic universal printer, an extra printer is created in the session with the name "Citrix UNIVERSAL Printer in session <number of session>."

Citrix universal printer drivers and printers are printing solutions that allow users to print regardless of whether the correct printer drivers and printers are installed on the XenApp server. There are two types of Citrix universal printer drivers: EMF-based and XPS-based. The EMF-based driver is used by default.

Enhanced MetaFile Format

The universal printer driver is installed automatically with XenApp, supports nearly all common printer capabilities and forms, and can discover underlying client printer capabilities. When the EMF-based universal printer driver is used for client printing, the printer output is sent in Enhanced MetaFile (EMF) format using the Citrix Print Manager service.

XPS Printing

XPS, or XML Paper Specification, is a page description language that describes graphics and text that appear in pages of a document. The descriptions are consistent, regardless of operating system, printer, or viewing application; therefore, the appearance of the pages is consistent from system to system. A similar page description language is PDF.

XPS files are ZIP archives containing the XML markup for the document and may be extracted to view contents. The spool file format contains an .SHD file with the job settings and an .SPL file with the drawing commands.

XPS Benefits

Some of the benefits of the XPS standard are:

• XPS is included with current Windows operating systems; therefore, additional software is not required.

• Resources, such as images and fonts, are shared, leading to smaller files.

• XPS supports color, gradients and transparency.

• XPS supports 3D images, preventing artifact rendering and reducing computational load.

• XPS supports native graphics, as opposed to bitmaps.

• XPS documents can be digitally signed.

XenApp uses the Citrix EMF Universal Printer driver when it is available. If it is not available, XenApp uses the XPS Universal Printer driver. The XPS Universal printer driver can be configured as the default by configuring the Universal driver preference Citrix policy.

Citrix Universal Printer Settings

Citrix Universal Printer settings are hard-coded defaults, but can be changed by manually setting registry keys on the XenApp server.

Use the following format to configure the registry keys:

• Location: HKLM\SOFTWARE\Citrix\Print\UPDDevmode

• Value Name: See table

• Type: REG_DWORD

• Value Data: See the following table for appropriate values

This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Back up the registry before you edit it.

The following table includes some of the default settings that can be adjusted.

Value Name: Value Data

dmOrientation: 1 = portrait; 2 = landscape

dmPaperSize: 1 = letter; 9 = A4; through 118 = last paper defined in paper table

dmCopies: 1 – 9999

dmPrintQuality: 1 = draft; 4 = high

dmColor: 1 = monochrome; 2 = color

dmDuplex: 1 = simplex; 2 = horizontal; 3 = vertical

For more information about adjusting default settings and additional settings, see Citrix article CTX113148 on http://support.citrix.com.
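One way to set these defaults from PowerShell with the backup that the registry warning calls for. This is an added example, not Citrix's own tooling: the function name Set-UpdDefault and the backup folder are assumptions, and the accepted values are only those listed in the table above.

```powershell
# Added example (not part of the Citrix courseware). Run in an elevated
# PowerShell session on the XenApp server. Compatible with PowerShell 2.0.
$UpdKeyPs  = 'HKLM:\SOFTWARE\Citrix\Print\UPDDevmode'   # registry provider path
$UpdKeyReg = 'HKLM\SOFTWARE\Citrix\Print\UPDDevmode'    # same key, reg.exe syntax

# Accepted data per value name, copied from the course table.
$UpdAllowed = @{
    dmOrientation  = 1..2        # 1 = portrait, 2 = landscape
    dmPaperSize    = 1..118      # 1 = letter, 9 = A4, 118 = last defined paper
    dmCopies       = 1..9999
    dmPrintQuality = @(1, 4)     # only the two values the table lists
    dmColor        = 1..2        # 1 = monochrome, 2 = color
    dmDuplex       = 1..3        # 1 = simplex, 2 = horizontal, 3 = vertical
}

function Set-UpdDefault {        # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][int]$Value,
        [string]$BackupDir = $env:TEMP   # assumption: any writable folder
    )

    # Reject anything the table does not document before touching the registry.
    if (-not $UpdAllowed.ContainsKey($Name)) {
        throw "Unknown value name '$Name'. Expected one of: $($UpdAllowed.Keys -join ', ')"
    }
    if ($UpdAllowed[$Name] -notcontains $Value) {
        throw "Value $Value is not a documented setting for $Name."
    }

    if (Test-Path -Path $UpdKeyPs) {
        # Export the existing key so the change can be undone with 'reg import'.
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path -Path $BackupDir -ChildPath "UPDDevmode-$stamp.reg"
        & reg.exe export $UpdKeyReg $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Registry backup to $backup failed; nothing was changed."
        }
    }
    else {
        # Key is absent, so there is nothing to back up; create it.
        New-Item -Path $UpdKeyPs -Force | Out-Null
    }

    # -Force overwrites an existing value; the type is always REG_DWORD.
    New-ItemProperty -Path $UpdKeyPs -Name $Name -PropertyType DWord `
        -Value $Value -Force | Out-Null

    # Read the value back so the caller sees what is actually stored.
    (Get-ItemProperty -Path $UpdKeyPs -Name $Name).$Name
}

# Example calls (constructed): default to A4 paper and vertical duplex.
# Set-UpdDefault -Name dmPaperSize -Value 9
# Set-UpdDefault -Name dmDuplex    -Value 3
```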

Printing Performance Policies

XenApp includes policies to optimize printing performance, reduce bandwidth consumption, and improve the user experience.

You can improve the user experience by configuring:

• Network session printers

• Workspace control

• Printing preferences, including printing properties and retention of those properties

Printing Enhancements

Printing optimization enhancements were created to supplement Citrix XenApp 6 and were available for download from the MyCitrix web site as the Printing Optimization Pack. The features and enhancements included in the Printing Optimization Pack are now included as part of the Citrix XenApp 6.5 release. The enhancements improve printing speed, reduce bandwidth required for printing, and improve the user experience when printing to redirected client printers and using the universal printer driver. These benefits can be configured further by configuring new printing policy settings.

Specifically, the enhancements add:

• Settings to the Universal Printing Citrix policy, controlling:

• Enhanced Metafile Format (EMF) processing mode

• Image and font caching, limits and defaults for print quality and image compression, and users' ability to modify these settings

• Options to the Session printers Citrix policy, controlling default printer settings for session printers

• Options to the Printing driver mapping and compatibility Citrix policy, controlling default printer settings for mapped client printer drivers

You can specify print quality, orientation, color, duplex, scale, copy count, TrueType option, and paper size for session and mapped printers.

• Dynamic printer discovery, automatically reenumerating and updating XenApp session printers after roaming to a different location

This feature eliminates the need to restart XenApp sessions to obtain updated printer lists.

The printer list is updated, including deleted printers and changed default printer. This feature applies to pass-through sessions, too.

The DefaultPrnFlags registry key is no longer used.

Universal Printing Settings

The Citrix XenApp 6.5 printing enhancements add new settings to the Universal Printing policies. The new settings support EMF printing only, except the Desired image quality option which supports both EMF and XPS printing.

The following table describes the functions of the new settings.

Setting: Functionality

Universal printing EMF processing mode: Controls whether to inject the EMF spool file into the spooler on the user device or reprocess the EMF records on the client

By default, EMF records are spooled directly to the printer. Spooling directly to the printer allows the spooler to process the EMF records without prompting the user for additional information, minimizing the occurrence of illegible output.

Use this option for special drivers and print jobs that would require client-side reprocessing by the device-specific driver.

Universal printing print quality limit: Specifies the maximum dots per inch (dpi) available for generating printed output in the session

By default, no limit is specified.

Universal printing image compression limit: Defines the maximum quality and the minimum compression level available for images printed with the Citrix universal printer driver

By default, the image compression limit is set to Best Quality (lossless compression).

If No Compression is selected, compression is disabled for EMF printing only. Compression is not disabled for XPS printing.

Universal printing optimization defaults: Specifies default settings for the Citrix universal printer driver when it is created for a session

Universal printing optimization defaults > Desired image quality: Controls the level of image compression

By default, Standard quality is selected.

Universal printing optimization defaults > Enable heavyweight compression: Enables or disables reducing bandwidth beyond the compression level set by Desired image quality, without losing image quality

By default, heavyweight compression is disabled.

Universal printing optimization defaults > Allow caching of embedded images: Allows or prevents embedded images to be cached

By default, image caching is allowed.

Universal printing optimization defaults > Allow caching of embedded fonts: Allows or prevents embedded fonts to be cached

By default, font caching is allowed.

Universal printing optimization defaults > Allow non-administrators to modify these settings: Allows or prevents non-administrative users from modifying any of these options through the printer driver's printing preferences

By default, users cannot modify these options.

The following table describes scenarios when both Universal printing image compression limit and Universal printing optimization defaults settings are used.

If: The compression level in the Universal printing image compression limit setting is lower than the level defined in Universal printing optimization defaults setting
Then: Images are compressed at the level defined in the Universal printing image compression limit setting.

If: The Universal printing image compression limit setting is set to No Compression
Then: The Universal printing optimization defaults settings for the Desired image quality and Enable heavyweight compression options have no effect in the policy.

Each environment differs. Test in your environment for optimal settings.

Printer Properties Retention

Printer properties retention allows users to modify the settings of their auto-created printers from within the Printers folder on a Citrix server and make the changes persist in future settings. The settings are saved in one of the following locations:

• Held in profile only if not saved on the user device

• Saved on the user device

• Retained in user profile only

How settings are retained can be determined by configuring the "Printer properties retention" policy. The default behavior is that XenApp first attempts to save in the profile on the user device. If this fails, XenApp attempts to save the preferences in the user profile on the XenApp server.

Printer properties retention can also be disabled by adding a registry key and value to the XenApp server. For more information about disabling printer properties retention, see Citrix article CTX120621 on http://support.citrix.com.

Some settings can also be taken from your local printer and applied to your auto-created printers. For more information about which settings and the conditions that must be met, see Citrix article CTX119691 on http://support.citrix.com.

Non-Native Printer Drivers

Citrix recommends using the Citrix universal printer drivers or native printer drivers. In addition, Citrix recommends that you avoid installing non-native drivers.

Non-native drivers can cause a variety of issues in multiuser environments. Issues include print jobs that are garbled or fail to print, as well as printer auto-creation failures. The failures occur because these faulty drivers fail the Print Spooler service.

All printer drivers are listed in HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3 in the Microsoft Windows Server 2008 R2 registry. The driver information is listed within the manufacturer data.

Native drivers include the driver version in the MinInboxDriverVerVersion value, such as 6.1.7600.16385. The 0.0.0.0 value data indicates a non-native driver.
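
The registry check described above can be scripted across servers. The following PowerShell is an added example, not part of the course material; it reads the Version-3 key and the MinInboxDriverVerVersion value named above, while the Manufacturer value name and the "Unknown" status for drivers that lack the value are assumptions.

```powershell
# Added example (not from the course material): classify installed x64
# printer drivers as native or non-native from the Version-3 registry key.
$DriverKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3'

function Get-PrinterDriverNativeStatus {
    param(
        [string]$Path = $DriverKey
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Printer driver key not found: $Path"
    }

    # Each subkey is one installed driver; the subkey name is the driver name.
    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $values = Get-ItemProperty -LiteralPath $_.PSPath
        $inbox  = $values.MinInboxDriverVerVersion

        # 0.0.0.0 marks a non-native driver; any other version string marks a
        # native driver. A missing value is reported as "Unknown" rather than
        # guessed (assumption made for this example).
        if ([string]::IsNullOrEmpty($inbox)) {
            $status = 'Unknown'
        } elseif ($inbox -eq '0.0.0.0') {
            $status = 'Non-native'
        } else {
            $status = 'Native'
        }

        New-Object PSObject -Property @{
            Driver       = $_.PSChildName
            Manufacturer = $values.Manufacturer   # empty if the value is absent
            InboxVersion = $inbox
            Status       = $status
        }
    } | Select-Object Driver, Manufacturer, InboxVersion, Status
}

# Review candidates first: non-native and unknown drivers sort to the top.
Get-PrinterDriverNativeStatus |
    Sort-Object @{ Expression = { $_.Status -eq 'Native' } }, Driver |
    Format-Table -AutoSize
```

Drivers reported as Non-native are the ones to replace with a native or Citrix universal driver, or to test before they are allowed on a production XenApp server.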

Printer Driver Isolation

Printer Driver Isolation is a feature introduced by Microsoft with the releases of Server 2008 R2 and Windows 7. The primary responsibility of this feature is to execute some printer driver components separately from the print spooler. Isolating printer driver components ensures that if the driver fails or encounters issues, the print spooler will not be affected. Therefore, the print spooler will not fail alongside the faulty driver. You can use printer driver isolation to stabilize your environment, as well as troubleshoot existing drivers and test new drivers.

Applications may still fail or experience performance problems due to faulty drivers. This situation may occur if an application loads a faulty printer driver into its own process space and the driver fails.

Isolation is determined for each driver and can be set to one of the following options:

| Option | Description |
| --- | --- |
| None | No isolation. Use this option for drivers that call spooler functions or a printer configuration module directly. By default, the universal printer drivers are set for no isolation and should not be isolated. |
| Shared | A single common isolation space and the default setting for native drivers. Non-native drivers must support isolation. Supportability is specified in the driver .INF files. |
| Isolated | An individual isolation space is created for the driver. Use of this option protects drivers from one another. |

Alternatively, isolation can be configured by Group Policy to control the isolation mode of drivers on systems to which the policy applies. Two policies are available, both of which are located in Computer Configuration > Administrative Templates > Printers:

| Policy | Settings |
| --- | --- |
| Execute Printer Drivers in Isolated Processes | Disabled: No isolation. Enabled or Not Configured: Isolation is allowed. |
| Override Printer Driver Execution Compatibility Setting Reported by Printer Driver | Enabled: Forces drivers flagged as incompatible with printer driver isolation to run in shared mode. Disabled or Not Configured: Follows the isolation settings specified in the .inf file for the driver. |

Printing Tools

The two primary tools for printing are the Citrix Stress Printers utility and the Print Detective tool.

The Citrix Printing Tool, which uses the obsolete DefaultPrnFlags registry key, will not function in 64-bit environments.

Print Detective Tool

Print Detective is a utility that can be used to gather printer driver-related information as part of the troubleshooting process.

Print Detective:

• Enumerates all local printer drivers or those from remote systems from the specified Windows system

• Deletes specified printer drivers (requires Windows administrator privileges)

• Includes export capabilities

• Allows filtering on non-native drivers

• Provides a command-line interface

For more information about Print Detective and to download the utility, see Citrix article CTX116474 on http://support.citrix.com.

StressPrinters

Many issues in XenApp environments are caused by poor multithreaded performance, such as driver isolation, in streaming. In addition, poorly coded drivers can cause print spooler issues and print jobs to fail, especially in Remote Desktop Services environments.

The Citrix StressPrinters utility tests printer drivers by simulating the creation of multiple auto-created printers using the same printer driver. The test results show the time consumed for auto-creation, as well as CPU load while creating a printer using the driver.

For more information about the StressPrinters utility and to download it, see Citrix article CTX109374 on http://support.citrix.com.

Troubleshooting Printing

Many printing issues stem from the large number of printers and printing use cases that must be supported in the XenApp environment. To avoid issues and simplify troubleshooting, you should carefully plan printing configurations and be aware of common problems, such as unexpected results due to conflicting settings.

When troubleshooting printing, investigate whether the issue occurs with:

• Remote Desktop Services connections

• Connections from other operating systems

That is, if an issue is reported from a Windows-based user device, test from a Mac user device.

• Other users, including administrators

Confirm that the Print Manager service or Spooler is not stopped or hung as part of your troubleshooting steps. In addition, the event logs may provide useful information when troubleshooting.

Printer Auto-Creation Fails

Printer auto-creation issues are often caused by non-native printer drivers that are faulty. In these situations, use either a native printer driver or a Citrix universal printer driver.

A common reason for printer auto-creation to fail is misconfigured printing policies. If multiple policies apply, especially those that prevent policies from autocreating, confirm that the settings and priorities are appropriate for your environment.

View the resultant set of policies for a server, user, or session to identify policies that may be preventing printer auto-creation.

If a policy specifies to use native drivers only and does not allow drivers to be installed, printers will not auto-create if the drivers do not exist on the XenApp server.

Sessions Do Not Show Correct Default Printer

By default, the client default printer is created as the default printer inside the XenApp session. A Citrix policy can be used to modify this behavior. Unlike other policy types, Session Printer policies are cumulative. Therefore, all policies applied to a user will take effect.

For more information about troubleshooting default printers, see Citrix article CTX104375 on http://support.citrix.com.

This issue may also be caused by corrupt profiles.

Cumulative Policies Example

Two session policies exist that apply to members of the Finance department: Finance_All and Finance_Audit. Finance_Audit has the higher policy priority. Default printers are specified in both policies. Angela is a member of the Finance department's Audit team. When she begins a XenApp session, both policies are applied and all the printers specified in the policies are available to Angela. Because the Finance_Audit policy has a higher priority setting, the default printer specified in that policy is the one that is configured as the default printer within Angela's session.

Auto-Created Printers Do Not Delete

When a client printer is auto-created, the comment field for the printer within the Printers window on the XenApp server indicates that the printer is auto-created. XenApp uses this field to determine if this printer object is to be deleted at logoff. If the printer was manually created, there will not be a comment field.

To troubleshoot:

• Check to see if the comment field has been altered.

The printer comment field is located within the printer properties.

• Note whether print jobs were pending in the print queue; these jobs may not have been set to be deleted at logoff or users were not able to delete the pending jobs before logoff.

• Manually delete the printer objects from the HKLM\System\CurrentControlSet\Control\Print\Printers registry key on the server.

These printer objects are orphaned or stuck, and the spooler will continue tracking them until they are deleted or the system runs out of resources.

The Print Spooler service must be restarted after deleting the printer objects. This restart will affect other users.

For more information about ensuring that auto-created printers and print jobs are deleted at user logoff, see Citrix article CTX051476 on http://support.citrix.com.

Jobs From Auto-Created Printers Do Not Print Properly

If print jobs from auto-created printers do not print or are garbled, verify that the job is being spooled on the server.

• Pause the job in the print queues on both the server and user device.

• Determine if the job enters the server queue.

If the job enters the server queue, cancel "pause" for the job and determine if it enters the user device queue by monitoring the “Output - Printing Bandwidth” counter in Performance Monitor.

• Confirm that the virus scanner is not interfering with the print job. Failed print jobs also can be caused by virus scan conflicts.

• Confirm Citrix policy settings for print job routing.

• Confirm that printer mappings are configured correctly and that wildcards are not including too many printers as part of the mappings.

Troubleshooting Failed Print Jobs

Because of the complexity of printing in a client-server environment, it is important to systematically check the components and services involved in printing.

Health Monitoring and Recovery

You can proactively determine the health of the print service by configuring the Health Monitoring and Recovery feature to run the Microsoft Print Spooler test. The Microsoft Print Spooler test (SpoolerTest.exe) enumerates printers on the local server, printer drivers, and printer processors to ensure Microsoft print spooler reliability.

Assessing Failed Print Jobs

If a job is not printing, you must determine where in the printing path the issue is occurring. A failed print job could result from issues with one of the following:

• Driver

• Permissions

• Server or client spooler

• Network connection

• Temporary file created by WFICA32.exe

To Assess Failed Print Jobs

1. Monitor the printer output bandwidth using Performance Monitor.

2. Pause the server and client spoolers by opening each spooler and selecting Printer > Pause Printing. By pausing the print spoolers, you can ensure that print data is not passed down the print path before troubleshooting can be performed on each component.

3. Print a document from the user device.

4. View the print queue on the server to determine if the print job is spooled on the server. If the job is not spooled on the server, verify that the Print Spooler Service and Citrix Print Manager Service are started.

5. Cancel pause on the server print spooler to determine if the print job is sent to the user device.

To Troubleshoot Printing on the User Device

1. Verify that the Print Spooler service is started on the user device.

2. Monitor the printer output bandwidth for the user's session using Performance Monitor.

3. Determine if the real-time graph spikes. If the graph does not spike, you will need to research possible network communication issues.

4. Run Process Monitor from within a session to find permission issues and contentions accessing files or print jobs.

5. Filter the results for Spl*.tmp and clear the display.

6. Initiate a session print job.

7. Verify whether WFICA32.exe created a temporary file in the %Temp% directory.

8. Note whether Process Monitor indicates an access denied error. If an access denied error is not reported, you will need to research possible network communication issues. Another possible reason for an access denied error is a conflict with antivirus software. For more information about configuring antivirus software on XenApp servers, see Citrix article CTX127030 on http://support.citrix.com.

Test Your Knowledge: Optimizing Printing

1. Which utility is used to manage printer drivers on print servers?

a. Microsoft Role Manager

b. Citrix Print Policies Console

c. Citrix Delivery Services Console

d. Microsoft Print Management Console

2. Which mechanism is used to replicate printer drivers across all XenApp servers?

a. PowerShell

b. AppCenter

c. Print Detective

d. Printer driver policies in Active Directory

3. Which Universal Printing setting should be used for special drivers and print jobs that require client-side reprocessing by the device-specific driver?

a. Universal printing print quality limit

b. Universal printing optimization defaults

c. Universal printing EMF processing mode

d. Universal printing image compression limit

4. Users report that print jobs appear garbled. Which two of the following options should be investigated? (Choose two.)

a. Whether a non-native printer driver is being used

b. Whether the Citrix Universal Printer is being used

c. Whether PowerShell scripts were executed correctly

d. Whether a Citrix universal printer driver is being used

e. Whether the driver mapping is not configured correctly for the affected printer

5. A user reports that his printers are not visible from within a published instance of Microsoft Word. Which of the following questions would you investigate?

a. Is a non-native printer driver being used?

b. Are printers available in other published applications?

c. Are there policies prohibiting auto-creation of printers for this user?

d. Are other users, such as others in the same department, experiencing the same issue?

e. All of the above

6. A user reports that the wrong printer shows as the default printer within her XenApp session. Which of the following options is likely the reason for the issue?

a. The default printer is defined in a policy

b. No default printer is specified on the user device

c. No default printer is specified on the XenApp server

d. The session uses the default printer specified on the XenApp server to which the user connected

Module 8

Securing XenApp

Overview

Security is a critical consideration for any XenApp environment. While legitimate users must have access to the applications and data they are entitled to, unauthorized users must be prevented from accessing these same applications and data. Security threats can originate either inside or outside the organization. No single technique or technology provides complete security. In addition to standard security procedures, securing a XenApp environment requires a variety of approaches. Each approach has its own function, and security requirements must be assessed from a broad perspective.

Time

• Module: 65 minutes

• Exercises (4): 70 minutes

• Total time: 135 minutes

After completing this module, you will be able to:

• Provide flexible access to authorized users.

• Prevent unauthorized access to the XenApp farm.

• Choose the correct security function to implement organizational security policies.

• Harden the backend infrastructure against unauthorized access.

Setting Rights and Permissions

Citrix recommends that the following security restrictions be in place.

• Restrict AppCenter by removing execute permission on the program for users that are not administrators.

• Apply the trusted server configuration Citrix policy on user devices. This policy, which is available in ICAClient.adm, instructs Receiver to connect only to XenApp servers on the trusted list.

For more information about enabling trusted server policy in Receiver, see Citrix eDocs at http://edocs.citrix.com.

• Enable the Trust XML requests setting in computer policy XML Service > Trust XML requests only on XenApp servers that are contacted by Web Interface, listed in Server Farms in the Web Interface Management Console.

Securing the Environment with XenApp Policies

XenApp provides a limited number of policies that are specific to security.

| Purpose | Policy |
| --- | --- |
| Prompt user for password regardless of access scenario | Computer policy ICA > Security > Prompt for password |
| Set minimum encryption level for SecureICA | User policy ICA > Security > SecureICA minimum encryption level |
| Use Single Sign-on | User policy Server Session Settings > Single Sign-On |
| Specify Single Sign-on password central store, overriding the Single Sign-on plug-in configuration | User policy Server Session Settings > Single Sign-On central store |

However, other types of policies have security implications.

• Shadowing

Shadowing may be required for certain users, or it may be prohibited by organizational policies or governmental regulations. If shadowing is enabled, limit it to users who have a specific business need, such as IT staff.

• User device redirection

Allowing access to client drives, audio/video devices, or clipboard in a XenApp session presents the possibility of confidential data leaving the secure environment. Depending on the sensitivity of the data and ownership/management of the device, you may need to limit user device redirection.

• Concurrent logon

If a user is not expected to have multiple devices, you may wish to set the number of sessions that the user is allowed to have at the same time to a low number.

• Workspace control

The reconnection and log off settings allow users to manage their sessions. Workspace control settings are not a Citrix policy but rather a configuration on Web Interface.

Securing the XenApp Servers with Active Directory Policies

XenApp servers should be placed in their own Active Directory OU. In addition, GPOs should be configured to restrict user permissions on the servers so that users do not negatively impact other user sessions. If a XenApp server is not appropriately secured, a single user could intentionally or unintentionally disrupt hundreds of other users. For example, if a user were to access a command prompt and execute TSKill, a process used by one or perhaps many users would be instantly terminated.

GPOs provide extensive control for constraining the XenApp environment. While items such as RegEdit.exe and Cmd.exe should be restricted for all users, a published XenApp server desktop requires even more scrutiny. Where the server desktop is made available to users, many items within Control Panel and Administrative Tools areas should be inaccessible to users. In addition, users should not be permitted to shut down a XenApp server; they should only be able to log off.

If you are using a security template, ensure that it provides the full user functionality and limited access needed. Oftentimes, additional changes are required in order to customize or further secure an environment.

However, security must be balanced with user requirements and application access. If an application must run an operating system executable or requires elevated access in order to function correctly, minimize the potential impact to the extent possible. For example, if a custom application requires full user access to core operating system functionality, it would likely be better to alert the developer and modify the application rather than open a potential security risk.

When you are securing the XenApp environment, log on to the farm as a standard user and attempt to access resources and core operating system areas that a user should be denied. Because power user or administrative logons provide greater access, they should not be used for this exercise. For example, confirm that the command prompt has been removed from the Accessories folder and that core operating system functionality is inaccessible.
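
One way to run the standard-user verification described above, as an added PowerShell example that is not part of the course material. It assumes the restrictions were applied with the standard Windows Administrative Templates, whose per-user registry values (DisableCMD, DisableRegistryTools, NoClose, NoControlPanel) it reads; restrictions enforced another way will show as not restricted here and need a manual test.

```powershell
# Added example (not from the course material). Run inside a XenApp session
# as a STANDARD user. The registry value names are those written by the
# standard Windows Administrative Templates (assumption about how the GPOs
# in this environment were built).

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

function Get-SessionLockdownReport {
    $system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $checks = @(
        @{ Control = 'Command prompt (Cmd.exe) disabled'
           Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' },
        @{ Control = 'Registry editing tools (RegEdit.exe) disabled'
           Path = $system; Name = 'DisableRegistryTools' },
        @{ Control = 'Shut Down command removed'; Path = $explorer; Name = 'NoClose' },
        @{ Control = 'Control Panel blocked';     Path = $explorer; Name = 'NoControlPanel' }
    )

    $report = @()
    foreach ($check in $checks) {
        $value  = Get-PolicyValue -Path $check.Path -Name $check.Name
        # Any non-zero value means the policy is enforced for this user.
        $result = if ($null -ne $value -and $value -ne 0) { 'Restricted' }
                  else { 'NOT restricted by policy' }
        $report += New-Object PSObject -Property @{
            Control = $check.Control; Value = $value; Result = $result
        }
    }

    # The course text asks you to confirm that the command prompt is gone from
    # the Accessories folder: look in the per-user and all-users Start menus.
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Accessories'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Accessories')
    )
    $shortcuts = @($folders | Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter 'Command Prompt.lnk' })
    $result = if ($shortcuts.Count -eq 0) { 'Restricted' } else { 'NOT restricted: shortcut present' }
    $report += New-Object PSObject -Property @{
        Control = 'Command Prompt shortcut removed from Accessories'
        Value   = $shortcuts.Count
        Result  = $result
    }

    $report | Select-Object Control, Value, Result
}

if (Test-IsAdministrator) {
    Write-Warning 'Running with administrative rights; repeat this check as a standard user.'
}
Get-SessionLockdownReport | Format-Table -AutoSize
```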

Data Store Permissions

All servers in a farm connect to the data store using the same database user. If the data store uses Microsoft SQL Server, the database user has public and db_owner roles. The db_owner role is required only for creation of the database. After initial creation, you can replace the db_owner role with db_writer and db_reader roles.

Before you install a service pack or feature release, you need to change the role back to db_owner.

XenVault

XenVault is a Receiver plug-in that creates a password-protected, encrypted virtual hard drive (VHD) on the user device. Read and write access to this area can be restricted to an application or applications delivered through XenApp. XenVault consists of the following components:

| Component | Function |
| --- | --- |
| XenVault plug-in | Integrates with Receiver. Presents password UI. Initiates access to XenVault. Notifies users of events. Implements configuration changes. |
| XenVault service | Creates, initializes, formats, attaches, detaches, and deletes VHD. Encrypts, locks, and unlocks VHD. Manages trusted application policies. |
| XenVault driver | Intercepts read/write request to VHD. Enforces "trust corporate applications only" policy. |
| DiskCryptor driver | Encrypts and decrypts file system. |

For more information about XenVault, see Citrix article CTX129613 on http://support.citrix.com.

XenVault Use Case

Organizations face a challenge at the beginning and end of an employment term or a contract. The standard procedure is for IT to provide contractors and new employees with a corporate-owned and -managed asset. Relying on a corporate asset presents an obstacle to starting the contract: the organization may not be able to purchase the asset right away. In addition, contractors and new employees may prefer a "bring your own computer" (BYOC) approach.

Although in some cases an organization also may prefer that contractors bring their own user devices, devices that are not owned and managed by the organization present an information security challenge. If IT does not manage the asset, it cannot ensure that the asset has adequate security measures in place, and it cannot ensure that proprietary information is removed after the term of the contract or employment.

With XenVault, IT can encrypt only corporate data that is accessed through applications on XenApp and can protect corporate data from access by local applications. When a contract or employment term is finished, the corporate data is safe from unauthorized access.

XenVault Administration

XenVault uses Merchandising Server as its administration console. Once XenVault is uploaded, configuration options are available. As with other plug-ins, rules target the delivery of the plug-in. The delivery rules are based on characteristics of the connection, such as user or device AD group membership or device operating system. Other configuration options include the following:

• Name of encrypted space

• Limit access to the encrypted space to online and offline applications delivered by XenApp

• Lock or delete client's encrypted data when certain conditions are met

• Parameters for backup key

For more information about delivering XenVault with Merchandising Server, see Citrix article CTX127644 on http://support.citrix.com.

SSL Certificates

Secure Sockets Layer (SSL) is a protocol designed to enable applications to transmit information back and forth securely. Applications that use the Secure Sockets Layer protocol inherently know how to exchange encryption keys with other applications, as well as how to encrypt and decrypt data sent between the two.

Some applications that are configured to run SSL include web browsers like Internet Explorer and Firefox and Citrix products such as Access Gateway and XenApp SSL Relay. These programs are automatically able to receive SSL connections.

To establish a secure SSL connection, however, your application must first have an encryption key assigned to it by a Certification Authority (CA) in the form of a Certificate. Once it has a unique key of its own, you can establish a secure connection using the SSL protocol.

Generating certificate requests and applying certificates can sometimes be a complex process depending on the CA that you use. Try to always use a common CA such as Thawte, VeriSign, or Network Solutions. These CAs are usually trusted by all Windows and Mac operating systems and therefore require less administrative overhead. Although self-signed certificates save the cost of purchasing a certificate from a commercial CA, they have limitations. When using self-signed certificates, be aware that only internal clients will trust those certificates. Any external client that is not a member of the issuing server’s domain will have to add the trusted root before a trusted connection can be established.

Root certificates are available from the same CAs that issued the server certificates. You can install server and client certificates from a CA that is bundled with your operating system, an enterprise CA (a CA that your organization makes accessible to you), or a CA not bundled with your operating system. Consult your organization’s security team to find out which of the following methods they require for obtaining certificates.

Certificates are valid for a defined time period, and it is crucial that the certificate is renewed before the expiry date so that connectivity is not broken. The renewal process is different for each CA. Contact your CA to find out the exact process and most importantly the time frame to complete the renewal process.

If you need to revoke a certificate for any reason, the CA can add it to a certificate revocation list (CRL). When a certificate is found on a CRL, the client will no longer trust it.

Server Communications

Before applying SSL certificates, it is crucial to define how users will be connecting to XenApp. For instance, are users going to be external and internal? Do you need to secure all traffic or just external traffic? How sensitive is the data being accessed? Although it may seem desirable to add security measures at every step of the process, security measures add complexity to the environment. This complexity includes incurring administrative overhead to maintain the security and address user issues. Before deciding on security measures for your environment, carefully consider the organizational requirements and define the costs. Proper firewall and switch/router configuration also play an integral part in securing the XenApp farm.

Securing Internal Traffic

To secure only traffic originating from the internal network, SSL relay is often adequate. SSL relay secures traffic between Web Interface and the XML service. Each XenApp server requires an SSL certificate. The server certificate identifies a specific server, so you must know the fully qualified domain name (FQDN). Certificates must be signed by a trusted entity called a Certificate Authority (CA). In addition to installing a server certificate on each server, you must install the root certificate from the same CA on each Web Interface server that will communicate with the XML service using SSL relay.

SSL relay uses the same registry-based certificate store as IIS, so you can install certificates using IIS or the Microsoft Management Console (MMC) Certificate Snap-in. When you receive a certificate from the CA, you can restart the Web Server Certificate wizard in IIS and the wizard will install the certificate. Alternatively, you can view and import certificates on the computer using the MMC and adding the certificate as a standalone snap-in.
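
The expiry, FQDN and trust requirements described above can be checked on each XenApp server before a certificate breaks connectivity. This PowerShell is an added example, not part of the course material; it inspects the Local Computer Personal store (Cert:\LocalMachine\My), where IIS keeps server certificates, and the 30-day warning window and function names are assumptions.

```powershell
# Added example (not from the course material): report server certificates
# that are expired or close to expiry, whose name does not match this
# server's FQDN, or whose chain does not build to a trusted root.

function Get-LocalFqdn {
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ([string]::IsNullOrEmpty($ip.DomainName)) { return $ip.HostName }
    '{0}.{1}' -f $ip.HostName, $ip.DomainName
}

function Test-ServerCertificate {
    param(
        [string]$Fqdn = (Get-LocalFqdn),
        [int]$WarnDays = 30            # assumed renewal lead time
    )

    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_

            # First DNS name on the certificate (subject alternative name if
            # present, otherwise the subject common name).
            $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
            $dnsName  = $cert.GetNameInfo($nameType, $false)
            $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

            # Build the chain with online revocation checking, so a certificate
            # listed on the CA's CRL is reported as Revoked. An unreachable CRL
            # shows up as RevocationStatusUnknown / OfflineRevocation.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chainOk     = $chain.Build($cert)
            $chainIssues = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

            $findings = @()
            if ($daysLeft -lt 0) {
                $findings += 'EXPIRED'
            } elseif ($daysLeft -le $WarnDays) {
                $findings += "expires in $daysLeft days"
            }
            if ($dnsName -ne $Fqdn) {
                $findings += "name '$dnsName' does not match $Fqdn"
            }
            if (-not $chainOk) {
                $findings += "chain: $chainIssues"
            }
            if ($findings.Count -eq 0) { $findings += 'OK' }

            New-Object PSObject -Property @{
                Subject  = $cert.Subject
                DnsName  = $dnsName
                NotAfter = $cert.NotAfter
                DaysLeft = $daysLeft
                Findings = ($findings -join '; ')
            }
        } | Select-Object Subject, DnsName, NotAfter, DaysLeft, Findings
}

Test-ServerCertificate | Format-List
```

The name comparison is an exact, case-insensitive match against the first DNS name only, so wildcard certificates and additional subject alternative names are reported as mismatches and need a manual look.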

SSL Relay

Citrix SSL Relay is a XenApp component that uses SSL to secure communication between the Web Interface servers and XenApp farms. Citrix SSL Relay provides server authentication, data encryption, and message integrity for a TCP/IP connection. SSL Relay is provided by the Citrix XTE service. Citrix SSL Relay is more secure than other methods and provides security for internal networks if the server running Web Interface is located in the perimeter network. Although SSL Relay enhances the security of one communication channel, it is only one aspect of a comprehensive security solution.

Citrix SSL Relay operates as an intermediary in the communication between the server running the Web Interface and the Citrix XML Service. When using Citrix SSL Relay, the web server first verifies the identity of the Citrix SSL Relay by checking the Citrix SSL Relay server certificate against a list of trusted certificate authorities.

After authentication, the web server and Citrix SSL Relay negotiate an encryption method for the session. The web server then sends all information requests in encrypted form to the Citrix SSL Relay. The Citrix SSL Relay decrypts the requests and passes them to the Citrix XML Service. When returning the information to the web server, the server sends all information through the Citrix SSL Relay server, which encrypts the data and forwards it to the web server for decryption. Message integrity checks can verify that there was no tampering with the communication.

Securing External Traffic

Access Gateway integrates with XenApp to secure external traffic. Access Gateway works with the following components of Citrix XenApp for logon and authentication:

| Component | Purpose |
| --- | --- |
| Web Interface | Provides user access to published resources in a farm from a web browser. Web Interface works with the Access Gateway to provide a logon interface and facilitates authentication and authorization of connection requests to the farm. Access Gateway can communicate with Web Interface either in the perimeter network (for external users only) or in the secure network (for both internal and external users). |
| Secure Ticket Authority (STA) | Issues session tickets in response to connection requests for published resources on Citrix XenApp. These session tickets form the basis of authentication and authorization for access to published resources. During installation of Citrix XenApp, the STA is installed automatically. |
| Citrix XML Service | Enumerates published resources availability and location and provides an HTTP interface to the user device |
| Citrix Receiver | Provides end-user access to resources available from XenApp |

If your secure network contains Citrix XenApp with Access Gateway in the perimeter network,servers and clients need the following certificates:

• Root certificates on all user devices that connect to Access Gateway.

• Root certificates on every Access Gateway component that connects to a secure server. Forexample, a root certificate must be present on Access Gateway to verify the server certificateinstalled on the server running the STA.

• A server certificate on Access Gateway.

• (Optional) A server certificate on XenApp servers running the STA.

All Access Gateway components support the use of digital certificates. Citrix recommendsencrypting the communication links between the Access Gateway and other servers in theperimeter network or secure network.

Access Gateway Enterprise Edition

For large farms with multiple zones and geographical locations, the best security option is Access Gateway Enterprise Edition (AGEE). Along with the standard Access Gateway functionality, AGEE provides SSL offload for better performance, caching for better graphic response, and support for tablets and mobile devices. High availability and geographical traffic segmentation are available with multiple AGEE physical or virtual appliances. Using AGEE requires an SSL certificate for each virtual server created for remote or internal access.


Web Interface Security

Web Interface is compatible with industry standard security protocols, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Citrix SSL Relay, as well as the security inherent in the ICA protocol, can be used to secure the communication between user devices and servers.

A comprehensive security plan must include the protection of data at all points in the application delivery process. When using the Web Interface, you can put in place the following configurations to secure client-to-server communication:

• Use HTTPS to connect to Citrix Web Interface and Services sites.

• Configure Web Interface to use the Secure Ticket Authority in conjunction with Access Gateway to further secure the direct communication between the user device and the servers.

Secure communication between Web Interface and XenApp servers by one of the following means:

• Configure the Web Interface to use Citrix SSL Relay for encryption between the server running the Web Interface and XenApp.

• Configure Web Interface to communicate with the XenApp Server over HTTPS.

XML Service

Communication between the Web Interface and XenApp involves passing user credentials and application set information between the Web Interface and the Citrix XML Service.

In a typical Web Interface session, user credentials are passed to the Citrix XML Service for user authentication and the Citrix XML Service returns application set information. The server and farm use a TCP/IP connection and the Citrix XML Service to pass the information.

The Citrix XML Service uses clear text to exchange all data with the exception of passwords. Passwords are concealed but not securely encrypted. The XML communication is vulnerable to the following attacks:

• An attacker can intercept the XML traffic and steal application set information and tickets.

• An attacker with the ability to crack the obfuscation code can obtain user credentials.

• An attacker can impersonate the server and intercept authentication requests.

Secure XML traffic by one of the following means:

• Use Citrix SSL Relay as a security intermediary between Web Interface and farm. Citrix SSL Relay performs host authentication and data encryption.

• Install the Web Interface on the XenApp server that hosts the Citrix XML Service in deployments that do not support Citrix SSL Relay, unless the server running Web Interface is in the perimeter network.

• Use the HTTPS protocol to send Web Interface data over a secure connection if the Citrix XML Service is sharing a port with IIS.


Requesting Certificates

Regardless of which CA issues SSL certificates for your organization, an order for a certificate must include a certificate signing request (CSR). Depending on what product you are using, there are different methods to generate the CSR.

To Create an SSL Certificate Request for Web Interface

For Web Interface SSL certificates, the Internet Information Services Certificate Creation Wizard allows you to generate a certificate signing request to send to the Certificate Authority.

1. In IIS Manager click Server Certificates > Create Certificate Request.

2. Enter the information specific to your environment.

3. Choose the appropriate encryption properties.

4. Specify the file name and location and click Finish.

To Create an SSL Certificate Request for Merchandising Server

Merchandising Server secures all communication with Receiver using SSL. Although Merchandising Server includes a temporary certificate, a certificate signed by a CA is required to ensure continued operation.

1. Log on to the Administrator Console as administrator and select Configurations > SSL Certificate Management.

2. Select Export certificate signing request from the Select an action list to create the certificate signing request.

3. In Common Name, enter the Merchandising Server host name or IP address and complete the rest of the fields. Use the on-screen hints to guide your input. If you have questions about completing these fields, contact your company’s certificate expert.

4. Click the Export button to download the CSR file.

The CA provides an SSL server certificate as well as the root certificate.

Some CAs require that you specify the server platform. For Merchandising Server, the server platform is "Apache" and the certificate usage is "Web Server."

To Create an SSL Certificate Request for NetScaler/Access Gateway Enterprise Edition

The NetScaler management console and command-line interface allow you to create a CSR. The command is:

create ssl certreq <reqFile> -keyFile <keyFileName> [-keyForm (DER | PEM)]

An alternative method is to use a CSR generated by IIS. For more information about using an IIS CSR with NetScaler, see Citrix article CTX109031 on http://support.citrix.com.

1. Log on to the NetScaler appliance by using the nsroot credentials.

2. In the Navigation pane, select the SSL node.

3. Click the Create Certificate Request link.

4. Set the following parameters:

• Request File Name: Name of the CSR file

• Key File Name: Name of the SSL key file

• Key File Password: Password that was specified when the key file was created

• Key Format: PEM

• Distinguished Name Fields: Values specific to your environment

SSL Certificate Distribution and Installation

Once you have generated the SSL certificate requests and have received the certificates from the CA, you now need to distribute them to the various systems that require them. Depending on the design, you need both Server and Root Certificates throughout your environment to ensure secure connections.

To Install an SSL Certificate on Web Interface

1. On the Web Interface server, install the SSL certificate using IIS and make sure the site is set to use port 443. Make sure that the Fully Qualified Domain Name matches the name of the Web Interface site.

2. Configure all the proper external DNS and firewall options to allow the correct traffic to flow to the proper locations.

3. Test and verify that you can authenticate and launch applications.

To Install an SSL Certificate on Merchandising Server

Merchandising Server includes an SSL certificate that is valid for 30 days. For production use, a certificate issued by a CA is required.

1. Log on to the Administrator Console as administrator and select Configurations > SSL Certificate Management.

2. Select Import certificate from a certificate authority from the Select an action list.


3. Specify the files to be imported, based on the type of certificate you are using.

4. Next to the public cert file, click Browse to locate the certificate file on your local computer.

5. If you have an intermediate certificate file, click Browse to locate the intermediate file. Merchandising Server already has the private key file needed for the certificate requests that it generates. Do not upload a private key file for this type of certificate.

6. Click Submit to upload the certificate or certificates. The Certificate Status text box displays information about the certificate upon successful completion.

To Install an SSL Certificate on NetScaler/Access Gateway Enterprise Edition

1. Copy and paste the Server Certificate (including the BEGIN and END tags) into a text editor such as Notepad and save it on your local computer.

2. Use a program such as WinSCP (http://winscp.net) to copy the Server Certificate file from the Local Computer to the NetScaler appliance. Certificate files are stored in the folder /nsconfig/ssl on the appliance.

3. From the NetScaler GUI, select NetScaler > SSL > Certificates.

4. From the bottom of the NetScaler GUI, click Add. In the Install Certificate window, supply the following information:

• A Certificate-Key Pair Name.

• The Certificate File Name. Browse to the location of your Server Certificate file.

• The Private Key File Name. Browse to the location of the private key file that was used to create the certificate-signing request.

• Select PEM for the Certificate Format.

5. Click Install to install the Server Certificate and close the window.

6. Find the Server Certificate that you just installed in the list of SSL Certificates. Right-click the certificate and select Link.

7. Select the L1C Chain Certificate from the drop-down menu.

8. Click OK to link the certificates. You should see a dialog box confirming that the certificates were linked successfully. Click OK. The Server Certificate is ready to be bound to an SSL Virtual Server within the NetScaler. From the NetScaler GUI, select NetScaler > Access Gateway > Virtual Servers.

9. From the Certificates tab, select the Server Certificate from the list of Available certificates. Click Add to add the certificate to the Configured list.

10. Click OK and save the configuration.

If you are using the Access Gateway feature to secure Web Interface and securing the communication between the NetScaler and Web Interface, you need to apply a Certificate to the Web Interface Server.


Test Your Knowledge: SSL Certificates for External Access

Match each component in an external access scenario with the type of SSL certificate or certificates that it requires.

• None

• Root certificate only

• Server certificate only

• Both root and server certificates

Component SSL Certificate Type

User devices

Access Gateway

XenApp controller

XenApp session-only host


XenApp Security with Access Gateway

Access Gateway offers SSL VPN capabilities. The SmartAccess feature of Access Gateway enables secure access to applications published by XenApp. SmartAccess integrates with XenApp by means of policy passing.

SmartAccess

SmartAccess coordinates Access Gateway policies and Citrix policy filters. This functionality allows you to control user access to applications published in XenApp. For example, by configuring SmartAccess, you can deny users access to published applications if they fail an antivirus endpoint analysis scan. For another example, you can use SmartAccess to allow users access to only a limited subset of published applications based on whether the user device is connecting from the internal network or an external network.

SmartAccess allows for detailed access control based on all Access Gateway policy expressions, including endpoint analysis (EPA) scans and SSL certificate checks.

SmartAccess uses Citrix policy filters to control user access to published applications. If an Access Gateway policy evaluates to true based on the results of an EPA scan, the name of the session policy is sent to XenApp. XenApp compares the policy name with the policy filter names configured in the Access Control properties for a published application. Depending on the policy configuration, if the names match, the application will or will not appear in the list of applications available to the user.

If an Access Gateway policy does not evaluate to true, the Access Gateway policy name is not sent to XenApp. Again, depending on the configuration, the application will or will not appear in the list of applications available to the user.

In addition to controlling application access, policy filters can be used to apply XenApp policies to user sessions. If an Access Gateway policy evaluates to true based on the results of an EPA scan, the corresponding Citrix policy will be applied to the user session. If an Access Gateway policy does not evaluate to true, the corresponding Citrix policy will not be applied to the user session. For example, an administrator can configure policies so that if a user passes an EPA scan for antivirus software, client drive redirection is enabled for the user’s ICA session. Conversely, if the user did not pass the EPA scan, client drive redirection is disabled.


SmartAccess Process

1. The user connects to Access Gateway.

2. Access Gateway installs the endpoint analysis plug-in on the user device.

3. The endpoint analysis plug-in does a pre-authentication scan of the user device and sends the results to Access Gateway.

4. If the pre-authentication scan is successful, Access Gateway displays the logon page.

5. The user enters logon credentials.

6. Access Gateway validates the credentials with the authentication server (for example, Active Directory).

7. (Access Gateway Enterprise Edition only) If the credentials are valid, the endpoint analysis plug-in does a post-authentication scan of the user device and sends the results to Access Gateway.

8. Access Gateway passes logon credentials and a SessionToken to Web Interface.

9. Web Interface validates the credentials with the authentication server.

10. If the credentials are valid, Web Interface retrieves the endpoint analysis results from Access Gateway by making an XML callback with the SessionToken.

11. Web Interface sends the logon credentials and endpoint analysis scan to the XML service in the XenApp farm.

12. XenApp applies the configured policies and returns the SmartAccess application set to Web Interface.


13. Web Interface generates the SmartAccess application set page and presents it to the user.

Access Scenario Fallback

Access scenario fallback extends the SmartAccess capability that automatically determines the allowed methods of access based on an endpoint scan. Access scenario fallback allows a user device that fails an endpoint scan to connect with Web Interface rather than the secure access plug-in. This is accomplished by creating a quarantine group for a post-authentication endpoint scan and enabling Web Interface access for users in that quarantined group.

To Configure SmartAccess

1. Configure Web Interface for Access Gateway connections.

2. Enable Access Gateway authentication.

3. Configure Access Gateway for SmartAccess.

4. Configure Access Gateway policies.

5. Configure Citrix policy filters.

Deploying Access Gateway

Citrix recommends having at least two Access Gateway devices in a fault tolerant configuration. Redundancy is called "high availability" for Access Gateway Enterprise Edition and "appliance failover" for Access Gateway 5.0.

If you want to more effectively use computing resources in addition to removing single points of failure, you can use a load balancer, such as NetScaler, to direct traffic to multiple active Access Gateway devices.


Migrating from Secure Gateway to Access Gateway

Secure Gateway provides a subset of the features required for secure application access from outside the enterprise network. Citrix recommends replacing Secure Gateway with Access Gateway, which has the following advantages over Secure Gateway:

• It runs on a secure physical or virtual appliance, rather than a Windows server.

• It can be configured for high availability.

• It offers complete SSL VPN capabilities in addition to XenApp/XenDesktop security.

• It supports Citrix Receiver.

• It integrates with authentication servers such as RADIUS.

• Its total cost of ownership is about 50% less than Secure Gateway.

Synergy 2010 session SYN412D covers setting up Access Gateway VPX and migrating from Secure Gateway.

Two options are available for migrating from Secure Gateway to Access Gateway.

• In-Place Migration: Transfer the Secure Gateway SSL certificate and FQDN to Access Gateway and shut down Secure Gateway.

• Parallel Migration: Obtain a new SSL certificate and FQDN for Access Gateway and transition users before shutting down Secure Gateway.

Citrix recommends using parallel migration. Although it incurs the cost of extra SSL certificates, it allows a phased approach to ensure that users experience no service disruption.

For more complete instructions about migrating from Secure Gateway to Access Gateway, see Citrix eDocs at http://edocs.citrix.com.


Test Your Knowledge: Securing XenApp

1. What is the minimum level of SQL server permissions a XenApp farm requires to install a service pack?

a. db_owner

b. db_reader

c. db_writer

d. public

2. SmartAccess coordinates Access Gateway policies with what on XenApp?

a. Policies with filters

b. Policies without filters

c. XML service requests

d. SSL certificate checks

e. Endpoint analysis scan results


Module 9

Monitoring XenApp with Standard Utilities


Overview

A number of utilities give you insight into aspects of a XenApp environment. Some of these utilities are part of XenApp; others are provided by Citrix but not as part of XenApp; still others are published by organizations other than Citrix. Each utility monitors or reports on a specific piece of the environment, and they are not integrated. Knowing how to use the utilities and which utility to use in a given situation enables you to operate more efficiently, to understand the state of a XenApp farm, and ensure that it is functioning properly.

Time

• Module: 100 minutes

• Exercises (3): 40 minutes

• Total time: 140 minutes

Less experienced students have required additional time to complete these exercises.

For more information about using utilities with XenApp, see Citrix article CTX122827 on http://support.citrix.com. This article contains a lengthy list of tools that can be used in a XenApp environment.

After completing this module, you will be able to:

• Determine the health of a XenApp environment.

• Gather information about a XenApp environment using the correct tool.

• Gather system run-time and network traffic details.


XenApp Monitoring

A XenApp environment consists of many services and server roles that each provide specific services.

The XenApp components in the following table should be monitored to ensure that the XenApp farm is capable of servicing user needs.

| Component | Impact of failure |
|---|---|
| Data store | Users can continue to start applications, but AppCenter cannot launch and the farm configuration cannot be changed. |
| ICA listener | The XenApp server cannot accept application requests or start new application sessions. |
| Remote Desktop Services | Users cannot start applications. |
| Web Interface IIS | Users cannot start applications through a browser or Receiver. |
| XML service | Users cannot authenticate; applications do not enumerate, so users cannot see the list of applications or start applications. |
| IMA service | A XenApp server is not able to communicate its state to the data collector and may be removed from load balancing determinations. |
| License server | XenApp enters a 30-day grace period, after which time user sessions cannot start. |
| Print manager service | Users are not able to print. |
| Microsoft print spooler service | Users are not able to print. |

Network Monitoring

The following network characteristics and core network services should be monitored.

Because XenApp relies on DNS and Active Directory, they should be monitored for availability as part of a XenApp monitoring strategy. If DNS is unavailable or resolving records incorrectly, XenApp servers in a farm cannot connect to each other and XenApp may therefore be unavailable. If Active Directory is unavailable or responding slowly because of high load, new sessions cannot be established, though existing sessions continue to function.

If ports for connections that originated inside the farm are blocked, the farm will not be able to operate normally. The following ports are critical for farm operation.

• Web Interface to XenApp servers: 80 or 443

• XenApp servers to SQL Server or Oracle data store: 1433 or 1521

• XenApp servers in a farm to other servers in the farm: 2512

• Remote AppCenter to XenApp server: 2513

If ports for connections that originate outside the farm are blocked, users will not be able to establish sessions. The following ports are critical for user connections.

• User device to Web Interface: 80 or 443

• Receiver to XenApp server: 1494

• Receiver to XenApp server when the connection is with session reliability: 2598

For more information about ports used by Citrix technologies, see Citrix article CTX101810 on http://support.citrix.com.

XenApp Utilities

AppCenter offers the capability of monitoring certain aspects of a XenApp environment. Each server that is listed in the Servers folder displays information about current users, sessions, and processes. The Users tab of the farm shows user and session information.

In addition to AppCenter, XenApp contains a number of built-in utilities for monitoring the environment.

XenApp Log Files

Installation Log

XenApp installation logs are written to %Temp%. If installation fails, the log files indicate what caused the installation to fail. Because the logs are lengthy and verbose, you should process them with the Windows Installer Log Analyzer. For more information about viewing the log files with the Windows Installer Log Analyzer, see Citrix article CTX106727 on http://support.citrix.com.

Event Log

The following information can be logged to the Windows Event Log when the corresponding policy is enabled.

| Log Information | Policy |
|---|---|
| Client reconnections | Computer policy: ICA > Auto client reconnect > Auto client reconnect logging |
| Offline application events | Computer policy: Server settings > Offline applications > Offline app event logging |
| Connections denied because of connection limits | Computer policy: Server settings > Connection limits > Logging of logon limit events |
| Flash events | User policy: ICA > Adobe Flash Delivery > Flash Redirection > Flash event logging |
| Shadow attempts, successes, and failures | User policy: ICA > Shadowing > Log shadow attempts |
| Printers that are not autocreated | User policy: ICA > Printing > Printer auto-creation event log preference |

Secure Ticket Authority Log

The Secure Ticket Authority (STA), which runs on XenApp controllers, logs fatal errors to its application log. The log is located in the %ProgramFiles(x86)%\Citrix\logs folder. The first time the STA is loaded, it creates a log file using the following naming format for the log file: STAyyyymmdd-xxx.log, where yyyy is the year, mm is the month, and dd is the day of the log file creation. The log file is in plain text.

Citrix article CTX101997 on http://support.citrix.com discusses the Secure Ticket Authority in the context of Secure Gateway.

If the STA does not create a log file, it may be because it does not have permission to write to the log folder.

Administrators also can log each ticket and data request received by the STA. A ticket request is generated by an application enumeration server such as Web Interface, and a data request is performed by Access Gateway. The STA log file shows this pair of requests as in the following example:

Request Ticket - Successful 8DE802AE5A2F561233450B6CFD553035
Request Data - Successful 8DE802AE5A2F561233450B6CFD553035

If the log file shows several ticket requests but no data requests, this implies that the application enumeration server can reach the STA, but Access Gateway cannot. It can also imply that users cannot reach the gateway server.

To enable STA ticket and data request logging, add LogLevel=3 to the %ProgramFiles(x86)%\Citrix\System32\CtxSta.config file using a text editor and restart the Citrix XML service.
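The ticket/data correlation described above can be automated once LogLevel=3 logging is on. The following is an added example, not Citrix code: it assumes log lines contain the entry format shown in the course text, and the sample ticket IDs, the min_tickets threshold and all function names are constructed for illustration.

```python
import re

# One STA entry as shown in the course text: request kind, result, ticket ID.
# search() is used so that any prefix a real log line carries is ignored.
ENTRY = re.compile(r"Request (Ticket|Data) - Successful ([0-9A-Fa-f]{32})")


def correlate_sta_log(lines):
    """Pair ticket requests (Web Interface) with data requests (Access Gateway)."""
    issued = {}        # ticket ID -> line number of the ticket request
    redeemed = set()   # ticket IDs later presented in a data request
    orphan_data = []   # data requests whose ticket was not issued in this file
    for number, line in enumerate(lines, start=1):
        match = ENTRY.search(line)
        if match is None:
            continue
        kind, ticket = match.group(1), match.group(2).upper()
        if kind == "Ticket":
            issued.setdefault(ticket, number)
        elif ticket in issued:
            redeemed.add(ticket)
        else:
            # For example, the ticket was issued in the previous day's file.
            orphan_data.append((number, ticket))
    unredeemed = sorted((n, t) for t, n in issued.items() if t not in redeemed)
    return {
        "issued": len(issued),
        "redeemed": len(redeemed),
        "unredeemed": unredeemed,
        "orphan_data": orphan_data,
    }


def assess(report, min_tickets=3):
    """Map the counts to the diagnosis in the text (min_tickets is an assumption)."""
    if report["issued"] == 0:
        return "no-ticket-requests"
    if report["issued"] >= min_tickets and report["redeemed"] == 0:
        # Web Interface reaches the STA; Access Gateway does not, or users
        # never reach the gateway.
        return "gateway-path-suspect"
    if report["unredeemed"]:
        return "some-tickets-unredeemed"
    return "healthy"


def ticket_id(n):
    """Build an obviously constructed 32-character ticket ID."""
    return f"{n:032X}"


# Constructed sample logs; the ticket IDs are made up.
HEALTHY_LOG = [
    f"Request Ticket - Successful {ticket_id(0xA1)}",
    f"Request Data - Successful {ticket_id(0xA1)}",
    f"Request Ticket - Successful {ticket_id(0xA2)}",
    f"Request Data - Successful {ticket_id(0xA2)}",
]
BROKEN_LOG = [
    f"Request Ticket - Successful {ticket_id(0xB1)}",
    f"Request Ticket - Successful {ticket_id(0xB2)}",
    f"Request Ticket - Successful {ticket_id(0xB3)}",
]

if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("broken", BROKEN_LOG)):
        report = correlate_sta_log(log)
        print(name, assess(report), report)
```

A steady count of unredeemed tickets on an otherwise healthy gateway is also worth reviewing, since every issued ticket that is never presented by Access Gateway is a launch that did not complete.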

AuditLog

The AuditLog command can be used to generate reports of XenApp logon and logoff activity based on the Windows Server Security Event Log. The output can be directed to a file. To use the AuditLog command, logon and logoff accounting must be enabled. Logon/logoff accounting is enabled with the Audit Policy in Windows.

Web Interface Logs

Web Interface provides a logging facility that allows you to diagnose activity on the server. For Web Interface hosted on Windows, you can access these logs with Event Viewer under Windows Logs > Application. The Source value is "Citrix Web Interface." For Web Interface hosted on Unix (including NetScaler), the log files are written by the JSP servlet engine and the location will vary.

The system error logging feature of the Citrix XML Service reports IMA errors, as well as hexadecimal error codes reported by the IMA Service. Web Interface contains a list of common IMA error codes to error message mappings that allows it to log the error description. If the error does not contain a description, you can identify the error by the hexadecimal error code.

Users receive one of a few generic error messages, which contain the basic classification of the issue. The detailed system error messages are not presented to the user. This is done to prevent confusion or the availability of information that would allow access to the system for malicious purposes. The error message is intentionally vague.

Below is an example of the error message displayed to the user:

An error has occurred while connecting to the requested resource.

Detailed system error descriptions, including errors reported by the underlying system, along with an error code and timestamp, are logged to the event log. In addition, the error code is displayed to the user, along with the generic error message. Administrators can use the error code for easier identification of the error message in the log. This behavior is by design and cannot be configured by an administrator.

Users may report that they are prompted to download the ICA file when opening published resources from Web Interface. No error or event is logged for this issue. For more information about this issue, including causes and resolutions, see Citrix article CTX804493 on http://support.citrix.com. A similar issue includes the error "ICA File Not Found" and is documented in the Citrix article CTX395275.

For a complete list of Web Interface error messages, see the Citrix eDocs Web Interface Administration > Configuring Sites Using the Configuration File > Logged Messages and Event IDs topic at http://edocs.citrix.com.

Detailed Server Error Messages

Detailed error messages are not enabled by default. You can enable detailed error messages to assist in troubleshooting Web Interface. For example, the following error message indicates a serious error preventing the .NET scripts from compiling:

An internal error occurred. Please contact your administrator (errorcode).

A full compilation report from the .NET Framework is returned when detailed server error messages are enabled. You should turn off the detailed server error messages after the report is compiled to prevent sensitive information from being made available.

To Configure Verbose Error Messages

You can enable verbose error messages to assist in troubleshooting Web Interface.

1. Go to the C:\INetPub\WWWRoot\Citrix\XenApp folder.

2. Open the Web.config file with a text editor and locate the following line of code:

<customErrors mode="On" defaultRedirect="~html/serverError.html" />


3. Set the value of the customErrors mode to Off.

4. Save the changes. Changes take effect immediately after the file is saved.

Disable verbose logging after you have resolved the issue.
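Because a customErrors mode left at Off keeps returning the full .NET error report to every client, a periodic check of the site's Web.config is a useful follow-up to the procedure above. The following is an added example, not part of the course or of Web Interface: the sample configuration (including the location path) is constructed, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# ASP.NET falls back to RemoteOnly when customErrors is not configured.
DEFAULT_MODE = "RemoteOnly"


def local_name(tag):
    """Drop an XML namespace prefix such as {uri}system.web."""
    return tag.rsplit("}", 1)[-1]


def declared_mode(system_web):
    """Return the customErrors mode set under one <system.web>, or None."""
    for child in system_web:
        if local_name(child.tag) == "customErrors":
            # An element without a mode attribute is treated as the default.
            return child.get("mode", DEFAULT_MODE)
    return None


def audit_custom_errors(web_config_xml):
    """Report the customErrors mode for the site and for each <location> override."""
    root = ET.fromstring(web_config_xml.strip())
    site_mode = DEFAULT_MODE
    overrides = []  # (location path, mode declared there)
    for child in root:
        name = local_name(child.tag)
        if name == "system.web":
            site_mode = declared_mode(child) or site_mode
        elif name == "location":
            for inner in child:
                if local_name(inner.tag) == "system.web":
                    mode = declared_mode(inner)
                    if mode is not None:
                        overrides.append((child.get("path", ""), mode))
    findings = [{"scope": "site", "mode": site_mode}]
    findings += [{"scope": "location:" + p, "mode": m} for p, m in overrides]
    for finding in findings:
        # Off sends the detailed error report to every client, local or remote.
        finding["detailed_errors_to_all_clients"] = finding["mode"] == "Off"
    return findings


def exposed_scopes(web_config_xml):
    """Scopes where verbose errors were left enabled."""
    return [f["scope"] for f in audit_custom_errors(web_config_xml)
            if f["detailed_errors_to_all_clients"]]


# Constructed sample: the site-level line is the one quoted in the procedure,
# the <location> override is made up to show a setting that is easy to miss.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~html/serverError.html" />
  </system.web>
  <location path="auth">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for finding in audit_custom_errors(SAMPLE_WEB_CONFIG):
        print(finding)
```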

Monitor Control Diagnostic Logging

Control diagnostic logging allows you to optimize error logging within Web Interface. You can:

• Suppress duplicate events from being logged repeatedly.

• Configure how many duplicate events will be logged.

• Configure how often duplicate events will be logged.

• Specify the URL for error redirection.

Specifying a customized error callback URL produces the following behavior:

• All error IDs are managed by this URL including the error messages provided to users.

• The error callback URL replaces the user’s log off page, even when users are logged off successfully.

Duplicate Log Entries

To control the number of duplicate log entries that are written for a single event, Web Interface monitors the log entries it writes over time. This prevents the server log from filling up, which can result in large scale failure.

The configuration settings for this functionality are reflected in the WebInterface.conf file as follows:

• DuplicateLogInterval

• DuplicateLogLimit

If duplicate log entries exceed the "DuplicateLogLimit" within the time frame specified by "DuplicateLogInterval," then further attempts to log the same message will not be committed to the server log.
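The effect of these two settings on what an investigator later sees in the log can be modelled in a few lines. The following is an added example, not Web Interface's implementation: the fixed-window behaviour, the interval being in seconds, the sample events and all names are assumptions made for illustration.

```python
class DuplicateLogFilter:
    """Fixed-window duplicate suppression keyed on the message text."""

    def __init__(self, limit, interval):
        self.limit = limit          # stands in for DuplicateLogLimit
        self.interval = interval    # stands in for DuplicateLogInterval (seconds assumed)
        self._windows = {}          # message -> [window start, entries seen in window]
        self.suppressed = {}        # message -> number of entries dropped

    def offer(self, timestamp, message):
        """Return True if the entry is written, False if it is suppressed."""
        window = self._windows.get(message)
        if window is None or timestamp - window[0] >= self.interval:
            # First sighting, or the previous window has expired: start over.
            window = self._windows[message] = [timestamp, 0]
        window[1] += 1
        if window[1] <= self.limit:
            return True
        self.suppressed[message] = self.suppressed.get(message, 0) + 1
        return False


def replay(events, limit, interval):
    """Feed (timestamp, message) events through the filter in order."""
    log_filter = DuplicateLogFilter(limit, interval)
    written = [(ts, msg) for ts, msg in events if log_filter.offer(ts, msg)]
    return written, log_filter.suppressed


# Constructed events: one message repeating inside a minute, one unrelated
# message, and the repeating message again after the interval has passed.
GENERIC = "An error has occurred while connecting to the requested resource."
OTHER = "constructed unrelated event"
SAMPLE_EVENTS = [
    (0, GENERIC), (1, GENERIC), (2, GENERIC), (2, OTHER),
    (3, GENERIC), (4, GENERIC), (61, GENERIC),
]

if __name__ == "__main__":
    written, suppressed = replay(SAMPLE_EVENTS, limit=2, interval=60)
    print(len(written), "entries written;", suppressed)
```

With suppression active, the number of entries for a message is a lower bound on how often the event occurred, which matters when the log is used to size an incident.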


Data Store View

The DSView command, which is available in the Support\debug folder of the XenApp installation media, displays the value of records in the data store. Because the data store records are in binary large object (BLOB) format, retrieving records with SQL queries will not yield readable information. DSView must be run on a XenApp server.

Back up the data store before running DSView.

For more information about DSView, see Citrix article CTX106232 on http://support.citrix.com.

DSView Case Study

This case study is taken from a real scenario contributed by Citrix Technical Support.

When a XenApp administrator assigned a load evaluator, the operation failed. They used the following steps to resolve the problem:

1. Back up the data store.

2. Run DSView to display the data store properties.

3. View the load evaluators, including the custom load evaluators.

4. Compare the custom load evaluators with the default options.

After examining the database, they determined that the load evaluator had duplicate rules and was therefore corrupted. The load evaluator had to be removed from all servers in the environment. Removing the nodes was accomplished by determining the node ID of the corrupt load evaluator and removing the records that match this node ID. All XenApp servers assigned to the invalid load evaluator had to be reassigned to a new load evaluator.

Query Commands

Query commands display information about aspects of the XenApp environment. The following table contains examples of options for these commands.

| Command | Example |
|---|---|
| Query farm or QFarm | List published applications on server XAW-1: Query farm XAW-1 /app |
| Query process or QProcess | List processes on server XAW-1: Query process /server:XAW-1 |
| Query session | List sessions on server XAW-1: Query session /server:XAW-1 |
| Query termserver | List terminal servers in domain CCH: Query termserver /domain:CCH |
| Query user or QUser | List sessions for user CitrixAdmin on server XAW-1: Query user CitrixAdmin /server:XAW-1 |

Many more options are available for these commands. For more information about each of thesecommands, see Citrix eDocs at http://edocs.citrix.com.

The Support\debug folder in the XenApp installation media contains additional commands thatare not installed by default.

| Command | Task | Example |
| --- | --- | --- |
| QueryDC | Show the data collector name for the Default Zone. | QueryDC -z "Default Zone" |
| QueryDS | List the contents of the dynamic store (data collector) server load table. | QueryDS /table:LMS_ServerLoadTable |
| QueryHR | List the host records for the Default Zone. | QueryHR -z "Default Zone" |

Usage information is displayed if you run any command with the /help option.

Informational PowerShell Cmdlets

The XenApp PowerShell SDK includes cmdlets that provide information about a XenApp farm. Following the PowerShell naming conventions, the cmdlet names start with Get-. The following table lists examples of some of the cmdlets.

| Cmdlet | Task | Example |
| --- | --- | --- |
| Get-XAApplication | List published applications on server XAW-1. | Get-XAApplication -ServerName XAW-1 |
| Get-XASessionProcess | List processes on server XAW-1. | Get-XASessionProcess -ServerName XAW-1 |
| Get-XASession | List sessions on server XAW-1. | Get-XASession -ServerName XAW-1 |
| Get-TSServers | List terminal servers in domain CCH. | Get-TSServers -DomainName CCH |
| Get-XASession | List sessions for user CitrixAdmin. | Get-XASession -Account CCH\CitrixAdmin |
| Get-XAServerLoad | Show the load for online servers. | Get-XAServerLoad |

Get-TSServers is not part of XenApp. It is included in the Terminal Services PowerShell Module at http://psterminalservices.codeplex.com/.

For a complete list of Citrix PowerShell cmdlets, type the following commands at a PowerShell prompt that has the Citrix.XenApp snap-in loaded:

Get-Command -Module Citrix.*

PowerShell cmdlets return objects, not strings. The object-oriented nature makes it possible to select certain pieces of data to list or manipulate. For example, the Get-XASession cmdlet returns nearly 40 pieces of information for each session. You may be interested in a small subset of this information, which you can filter with the Select cmdlet.

Get-XASession | Select SessionId, SessionName, AccountName, ServerName, Protocol

The Citrix Community Code Share at http://community.citrix.com contains scripts contributed by Citrix customers and partners.


Citrix Utilities

Citrix provides some utilities for virtualized environments that are not a part of XenApp.

Desktop Director

Desktop Director is a web-based administration tool for Citrix products that is ideal for help desks. It is designed for daily operations, such as:

• Monitoring

• Disconnecting or logging off user sessions

• Troubleshooting user sessions, including HDX

Desktop Director supports both XenDesktop and XenApp.

XenApp Session Management

Desktop Director displays the following characteristics of user sessions:

• Applications

• Server details

• Session details

• Profile details

• Policies

• SmartAccess filters

• HDX

• CPU, memory, and network activity

Authorized administrators can terminate or disconnect a session or send a message using Desktop Director.


HDX Monitor

Desktop Director includes a view similar to the standalone HDX Monitor tool. HDX Monitor provides details for each HDX channel, including errors, warnings, hints, and performance.

To Install Desktop Director for XenApp

Desktop Director cannot be installed on a XenApp server.

The Desktop Director installation process for XenApp is far more involved than for XenDesktop.

1. Enable the IIS feature on the server where Desktop Director will run.

2. Run the following program on the XenApp 6.5 Additional Components media: DesktopDirector\x64\XenDesktop Setup\XenDesktopServerSetup.exe.

3. In the IIS Manager, go to Sites > Default Web Site > Desktop Director > ASP.NET > Application Settings.

4. Click Add.

5. Type Service.AutoDiscoveryAddressesXA in the Name field and the names of the XenApp servers to monitor, separated by commas, in the Value field.

6. Click OK.

7. On the XenApp servers, start the XenApp Commands Remoting Service.

8. Give remote management permission to the users that run Desktop Director by running the following command on the XenApp 6.5 Additional Components media: DesktopDirector\tools\ConfigRemoteMgmt.exe.

For example, if you wanted to grant access to the HelpDesk user, run the following command:

ConfigRemoteMgmt.exe /ConfigWinRMUser CCH\HelpDesk


MedEvac

MedEvac is a standalone utility that checks the health of XenApp services. Although it checks the same characteristics of a XenApp server as Health Monitoring and Recovery policies, MedEvac presents results of tests on demand.

| Service | Checks |
| --- | --- |
| XML service | Verifies that the XML service is able to respond to XML, Web Interface, and Citrix online plug-in requests |
| | Verifies that the XML Brokers are able to contact the data collector |
| Data collector | Verifies that the data collector is able to provide a least-loaded server for the specified application |
| | Verifies that the IMA service on the data collector is functioning properly |
| | Verifies that the IMA service can read the local host cache on the data collector |
| | Verifies that the IMA service can read its dynamic store data |
| | Verifies that at least one server in the farm has this application published |
| Least-loaded server | Verifies that Terminal Services (now called Remote Desktop Services) is functioning |
| | Verifies that the Remote Procedure Call (RPC) service is functioning |

For more information about how to use MedEvac, see Citrix articles CTX107935 and CTX119899 on http://support.citrix.com.

MedEvac Case Study

XenApp end users reported that applications were failing to launch. When the XenApp administrators investigated, they found that one XenApp server responded to pings but that the applications failed to launch intermittently. The MedEvac log file contained the following:

XML/Least Loaded Server Test on server has failed with error 10879520
XML/Ticketing Test on server has failed with error 10061:No connection could be made because the target machine actively refused it.
XML/Least Loaded Server Test on server has failed with error 0:The operation completed successfully.
Terminal Services Test on server has failed with error 7007: A close operation is pending on the session.
Terminal Services Test on server has failed with error 1722: The RPC server is unavailable.
Terminal Services Test on server has failed with error 7022: The specified session cannot be found.
Terminal Services Test on server has failed with error 1726: The remote procedure call failed.
RPC Test on server has failed with error 53: The network path was not found

Further investigation showed that XML requests to the Secure Ticket Authority (STA) were timing out even though the server was still answering TCP requests. Web Interface therefore considered the server to be available and did not fail over to the next available XML broker. The server was taken out of service until the networking issues were resolved.
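The PowerShell below is an added example, not part of the course material or of MedEvac itself: it parses log lines of the form shown in the case study into objects and summarizes the failures per test, so that a server failing several unrelated tests at once stands out. The function names are hypothetical, the sample text is the case-study log, and the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example (not Citrix code). Function names are hypothetical.
# Sample input: the log lines from the case study, one entry per line.
$sampleLog = @'
XML/Least Loaded Server Test on server has failed with error 10879520
XML/Ticketing Test on server has failed with error 10061:No connection could be made because the target machine actively refused it.
XML/Least Loaded Server Test on server has failed with error 0:The operation completed successfully.
Terminal Services Test on server has failed with error 7007: A close operation is pending on the session.
Terminal Services Test on server has failed with error 1722: The RPC server is unavailable.
Terminal Services Test on server has failed with error 7022: The specified session cannot be found.
Terminal Services Test on server has failed with error 1726: The remote procedure call failed.
RPC Test on server has failed with error 53: The network path was not found
'@

function ConvertFrom-MedEvacLog {
    param([Parameter(Mandatory=$true)][string]$Text)
    # Entry shape: "<test name> Test on server has failed with error <code>[:<message>]"
    # The message is optional and the space after the colon varies between entries.
    $pattern = '^(?<Test>.+?) Test on server has failed with error (?<Code>\d+)(?::\s*(?<Message>.*))?$'
    foreach ($line in ($Text -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -eq '') { continue }
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Test    = $Matches['Test']
                Code    = [long]$Matches['Code']
                # A missing message group yields $null, which casts to an empty string.
                Message = ([string]$Matches['Message']).Trim()
            }
        } else {
            Write-Warning "Unrecognized MedEvac line: $line"
        }
    }
}

function Get-MedEvacSummary {
    param([Parameter(Mandatory=$true)][object[]]$Entry)
    $Entry | Group-Object Test | ForEach-Object {
        New-Object PSObject -Property @{
            Test        = $_.Name
            Failures    = $_.Count
            Codes       = ($_.Group | ForEach-Object { $_.Code } | Sort-Object -Unique) -join ', '
            # Code 0 is the Win32 success code, and an entry without message text
            # gives no hint of the cause; both need a manual look.
            NeedsReview = [bool]($_.Group | Where-Object { $_.Code -eq 0 -or $_.Message -eq '' })
        }
    } | Sort-Object Failures -Descending |
        Select-Object Test, Failures, Codes, NeedsReview
}

$entries = ConvertFrom-MedEvacLog -Text $sampleLog
Get-MedEvacSummary -Entry $entries | Format-Table -AutoSize

# Failures spread over several tests (XML, Terminal Services, RPC) point at the
# server or its network path rather than at a single service.
$distinct = @($entries | Group-Object Test).Count
"{0} entries across {1} distinct tests" -f @($entries).Count, $distinct
```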


Third-Party Tools

Tools provided by Microsoft and other organizations can be useful in determining the state of a XenApp environment.

The Microsoft Sysinternals web site at http://technet.microsoft.com in particular contains many tools for Windows environments.

Performance Monitor

Performance Monitor provides access to Windows performance counters, such as processor activity, memory usage, disk space allocation, and process memory size. Performance Monitor can be used to monitor the health of a XenApp environment, to send alerts if defined thresholds are met, and to record historical information for assessing the need to expand a XenApp environment.

XenApp adds performance counters to gather information about the following aspects of a XenApp environment:

• CPU usage

• IMA networking

• Licensing

• Application access

• Data store activity

• IMA local host cache activity

• Zone elections

• ICA session input, output, and network latency

• Secure ticket authority activity


For more information about Performance Monitor in general, see Microsoft Windows Server TechCenter at http://technet.microsoft.com, in particular the Performance Monitoring Getting Started Guide.

For a complete list of XenApp performance counters and instructions on adding Performance Monitor counters, see Citrix eDocs at http://edocs.citrix.com.

For more information about using Performance Monitor with XenApp, see Citrix article CTX118742 on http://support.citrix.com.


Process Monitor

Process Monitor is a Windows monitoring tool that shows real-time file system, registry, and process/thread activity. It displays a process tree that shows the relationship of all processes in a trace. For each event listed in Process Monitor, you can display more information about the event, including process details and the call stack.

Process Monitor Case Study

This case study is from Citrix technical support.

A XenApp administrator encountered the following issue. When users started any one of three applications through Web Interface, that application failed to start. All users had the same account type. The administrator performed these steps:

1. Log on to a specific XenApp server.

2. Run Process Monitor on the server, filtering by user name.

3. Launch the application with Process Monitor running in the background.

4. Identify where the application stopped running.

The process log showed that no logon scripts were executed and that the user environment had no auto-created printers. In addition, it showed that Active Directory authentication failed. The administrator found that the user did not have access to mapped drives, which caused the Active Directory account to be locked. When the administrator disabled client drive mapping, the applications started.


Resource Monitor

Resource Monitor displays usage of CPU, memory, disk, and network. You can filter and sort by process or service. Resource Monitor is useful in XenApp environments to determine which service or process is consuming disproportionate resources.

TCPView


TCPView displays all TCP and UDP connections on a system and the process that owns the connection. The information is equivalent to what netstat displays, but in a graphical window that updates at intervals and can be sorted by column. The information that is provided includes the following:

• Process and numerical process ID

• Protocol (TCP, TCPv6, UDP)

• Local address and port

• Remote address and port

• Connection state

• Number of sent packets and bytes

• Number of received packets and bytes

TCPView allows you to save a copy of the connection table to a file and to delete the local process that owns a connection.

In a XenApp environment, TCPView is useful to determine the following:

• That only the appropriate services are available on a XenApp server.

• That XenApp servers and user devices are properly closing network connections.

• Which user devices have open connections to a XenApp server.

• Which processes are servicing open connections from a user device.

To download TCPView, see Windows Sysinternals at http://technet.microsoft.com/en-us/sysinternals/default.

Network Connection States

A network connection is in one of a series of states at any given time, although it passes through several of the states rapidly. Some of the states that are frequently shown in TCPView are defined in the following list.

LISTEN: The local host is waiting for connections to arrive. This state does not have a remote address and port.

ESTABLISHED: The local host has an active connection with a remote host.

TIME_WAIT: The local host has requested to close the connection and is waiting to ensure that the remote host has received the close request.

For more information about connection states, see RFC 793 at http://www.faqs.org/rfcs.
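As an added example (not from the course or from Sysinternals), the PowerShell below runs the TCPView checks listed above against `netstat -ano` output, which the text notes carries the same information: listeners outside an allowlist, connection counts per state, and the user devices holding established connections. The sample output, the allowlist, the default service ports and the function names are assumptions; note that netstat prints the LISTEN state as LISTENING.

```powershell
# Added example (not Citrix or Sysinternals code). Function names are hypothetical.
# Constructed sample of `netstat -ano` output; addresses, ports and PIDs are made up.
$sampleNetstat = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING       2104
  TCP    0.0.0.0:2598           0.0.0.0:0              LISTENING       1880
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2104
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:9035           0.0.0.0:0              LISTENING       1500
  TCP    10.0.0.21:1494         10.0.5.40:51022        ESTABLISHED     2104
  TCP    10.0.0.21:1494         10.0.5.41:49877        ESTABLISHED     2104
  TCP    10.0.0.21:2598         10.0.5.40:51030        ESTABLISHED     1880
  TCP    10.0.0.21:2512         10.0.0.10:50311        TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       716
  UDP    0.0.0.0:123            *:*                                    980
'@

# Assumed allowlist for this sample; replace it with the ports your own farm
# design documents. 135 = RPC endpoint mapper, 1494 = ICA, 2598 = session
# reliability, 3389 = RDP, 9035 = EdgeSight agent (named in this course).
$allowed = 'TCP/135', 'TCP/1494', 'TCP/2598', 'TCP/3389', 'TCP/9035', 'UDP/123'

function ConvertFrom-Netstat {
    param([Parameter(Mandatory=$true)][string]$Text)
    foreach ($line in ($Text -split '\r?\n')) {
        $f = @($line.Trim() -split '\s+')
        if ($f[0] -notmatch '^(TCP|UDP)$') { continue }   # skip headers and blank lines
        # UDP rows have no State column, so the PID is the 4th field, not the 5th.
        if ($f[0] -eq 'UDP') { $state = ''; $procId = $f[3] }
        else                 { $state = $f[3]; $procId = $f[4] }
        New-Object PSObject -Property @{
            Protocol      = $f[0]
            LocalAddress  = $f[1] -replace ':\d+$', ''
            LocalPort     = [int]($f[1] -replace '^.*:', '')   # text after the last colon
            RemoteAddress = $f[2] -replace ':\d+$', ''
            State         = $state
            ProcessId     = [int]$procId
        }
    }
}

# "Only the appropriate services are available": listening TCP sockets and bound
# UDP sockets whose protocol/port pair is not on the allowlist.
function Find-UnexpectedListener {
    param([Parameter(Mandatory=$true)][object[]]$Connection,
          [Parameter(Mandatory=$true)][string[]]$AllowedEndpoint)
    $Connection |
        Where-Object { $_.State -eq 'LISTENING' -or $_.Protocol -eq 'UDP' } |
        Where-Object { $AllowedEndpoint -notcontains ("{0}/{1}" -f $_.Protocol, $_.LocalPort) } |
        Select-Object Protocol, LocalAddress, LocalPort, ProcessId
}

# "Connections are properly closed": a growing TIME_WAIT or other non-ESTABLISHED
# count between runs is the signal to look at.
function Get-TcpStateCount {
    param([Parameter(Mandatory=$true)][object[]]$Connection)
    $Connection | Where-Object { $_.Protocol -eq 'TCP' } |
        Group-Object State | Select-Object Name, Count
}

# "Which user devices have open connections, and which process serves them".
function Get-ClientConnection {
    param([Parameter(Mandatory=$true)][object[]]$Connection,
          [int[]]$ServicePort = @(1494, 2598))   # assumed session ports
    $Connection |
        Where-Object { $_.State -eq 'ESTABLISHED' -and $ServicePort -contains $_.LocalPort } |
        Group-Object RemoteAddress |
        ForEach-Object {
            New-Object PSObject -Property @{
                RemoteAddress = $_.Name
                Connections   = $_.Count
                ProcessIds    = ($_.Group | ForEach-Object { $_.ProcessId } | Sort-Object -Unique) -join ', '
            }
        } | Select-Object RemoteAddress, Connections, ProcessIds
}

$conns = ConvertFrom-Netstat -Text $sampleNetstat
# On a live server: $conns = ConvertFrom-Netstat -Text (netstat -ano | Out-String)
Find-UnexpectedListener -Connection $conns -AllowedEndpoint $allowed | Format-Table -AutoSize
Get-TcpStateCount -Connection $conns | Format-Table -AutoSize
Get-ClientConnection -Connection $conns | Format-Table -AutoSize
```

With the constructed sample, the only listener reported as unexpected is TCP port 8080, owned by PID 3120.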


Network Protocol Analyzers

Network protocol analyzers capture all network traffic to or from the system for a specified period of time. Once the traffic is captured, you can filter the results based on a variety of criteria, such as process name, source or destination IP address, or protocol. A variety of network protocol analyzers are available, and how to capture and process traffic differs depending on which one you are using.

A network protocol analyzer is useful in a XenApp environment to determine what communication is taking place between components of an environment. Some use cases are as follows:

• Run on Web Interface to capture user requests.

• Run on a XenApp server to capture XML service requests and responses.

• Run on a license server to capture license requests.

• Run on a data collector to capture farm information updates.

Network Monitor is a network protocol analyzer from Microsoft. For more information about Network Monitor, see Microsoft Knowledge Center article 933741 at http://support.microsoft.com.

Wireshark is a free and open-source network protocol analyzer from the Wireshark Foundation. For more information about Wireshark, see http://www.wireshark.org.


Test Your Knowledge: Monitoring Tools

Based on each scenario, choose the appropriate solution from the following list:

• MedEvac

• Event Log

• Secure Ticket Authority log file

• Desktop Director HDX Monitor

Scenario 1

A user can launch applications when connected to the internal network, but not when connecting through Access Gateway.

Scenario 2

A user's primary printer is not auto-created. You suspect it is because the printer is not compatible.

Scenario 3

A group of users at a branch office is complaining about video performance.

Scenario 4

A XenApp server is apparently running, but no user requests are directed to it.


Module 10

Monitoring XenApp with EdgeSight


Overview

Detailed monitoring of XenApp is available with Service Monitoring (EdgeSight). EdgeSight gathers performance and availability data that is available as reports and sends alerts when certain conditions (such as an error event or a threshold) are met. By using these reports, you can verify that service-level agreements are being met or identify corrective steps.

Time

• Module: 100 minutes

• Exercises (2): 15 minutes

• Total time: 115 minutes

Less experienced students have required additional time to complete these exercises.

After completing this module, you will be able to:

• Monitor a XenApp environment with EdgeSight.

• Choose the correct EdgeSight report to investigate an issue and then interpret the report.

• Proactively monitor the end-user experience.

• Define monitor thresholds.

• Receive notification when monitors exceed the threshold.

• Subscribe to EdgeSight reports.


EdgeSight Components

The EdgeSight console displays information about XenApp farms, servers, sessions, and users in an environment. An EdgeSight for XenApp environment consists of the following components:

• EdgeSight agents

• EdgeSight server

• Web Component for the EdgeSight server console

• Microsoft SQL Server Database

• Microsoft SQL Server Reporting Services

• Citrix License Server

• SMTP server

• SNMP server

The EdgeSight Console requires Internet Explorer 7 and Microsoft Excel for real-time reports. However, Microsoft Excel 2010 is not supported.

The greatest performance advantage is in an adequate database server.


EdgeSight Communication

XenApp agent data is aggregated and uploaded according to the following schedule:

• Every 15 seconds, data is collected and stored in the local agent database. The detailed data is retained for approximately four hours, depending on the volume of data generated.

• Approximately every 20 minutes, the collected data is aggregated into five-minute data sets. This interval may vary up to several hours under system load.

• The five-minute data set is retained in the agent database for three days so that historical information can be displayed. The time that the data is retained can be extended by as many as 29 days.

• Twice each day (at 05:00 and 17:00 local time by default), the agent contacts the EdgeSight server to determine if data needs to be uploaded. The agent re-aggregates the data into one-hour sets and then uploads it to the EdgeSight server, which adds it to the database. The schedule and frequency are configurable.

Endpoint agents collect data every five seconds and upload once a day.


If the XenApp agent software cannot reach the EdgeSight server, the aggregated data is retained for as many as five days, or until the data is uploaded to the server. After five days, the agent begins to remove data older than five days.

You can configure the data retention time with the "Max Days to Keep in DB" agent property.

EdgeSight Agents

The EdgeSight agent is a service that runs on a user device or XenApp server and collects data, which it writes into a database on the system. At intervals the agent aggregates the data into a payload, sends the payload to the EdgeSight server and issues alerts if certain criteria are met. Data can also be displayed directly from an agent database for use in issue resolution.

The EdgeSight agent monitors the following types of data:

• Device

• Network

• Process

• Published application

• Session

• User

• XenApp

• XenDesktop

The following list describes the types of EdgeSight agents available.

XenApp agent: The XenApp agent is designed for use on Citrix XenApp servers. The agent records information about user sessions, client and server performance, application usage, and network connections. The XenApp agent can run in one of two modes:

• In the advanced mode, the agent records the complete set of data available in EdgeSight.

• In the basic mode, the agent records a limited set of data that includes session, farm, and server performance counters but excludes logon performance and full ICA channel monitoring. Basic agent functionality requires only a XenApp Enterprise Edition license, while advanced agent functionality requires a XenApp Platinum Edition or EdgeSight for XenApp license.

Virtual Desktop agent: The Virtual Desktop agent is designed for XenDesktop virtual desktops. It monitors session, system, application, and network performance.

Endpoint agent: The endpoint agent is designed for user devices. The agent operates continuously and discreetly on user devices collecting performance, resource, application, and network data.

EdgeSight for NetScaler uses an agentless mechanism for collecting data. For more information about EdgeSight for NetScaler, see Citrix articles CTX126420 and CTX126418 on http://support.citrix.com.

EdgeSight Agent Workers

The EdgeSight agent consists of workers that run periodically to perform functions such as uploading system data to the EdgeSight server. The agent log file is %ProgramData%\Citrix\System Monitoring\Data\Sys_Event_Txt.txt. This log file is a summary log of each worker thread that runs on the agent. If an agent completes successfully, the status will consist of a series of 0s.

Worker 104 is the worker responsible for registering with the server. If an agent does not register with the EdgeSight server, check the agent log for "worker 104."

For a complete list of EdgeSight workers, see Citrix article CTX112209 on http://support.citrix.com.

Agent Metrics

EdgeSight agents gather two primary types of metrics.

Performance Data: Performance data includes system metrics that are not linked to a specific event but to normal system operation. EdgeSight captures data related to system, network, application, and XenApp session performance.

Event-Driven Data: Event-driven data includes metrics that are generated by an event occurring on the user system, for example, when the user invokes and starts to use an application or when a socket connection is made.

For complete lists of individual metrics, see Citrix eDocs at http://edocs.citrix.com.


Agent Data Upload Process

Data is uploaded from the agent database to the associated EdgeSight server by default twice each day for XenApp servers.

The data upload process is as follows:

1. The EdgeSight agent contacts the EdgeSight server to find out which data is requested based on when the last successful upload occurred.

2. The EdgeSight server responds with instructions for the data upload.

3. Based on the instructions, the agent aggregates its data into hourly chunks, bundles the aggregated data into a compressed payload, and sends that payload to the configured EdgeSight server over HTTP/S.

4. The server stores the data in the local data folder; from there, it is retrieved and processed by the EdgeSight Script Host (RSSH).

5. The EdgeSight Script Host uploads the payload data to the Microsoft SQL Server database.

If you are troubleshooting an issue, the most recent data may not be available to view in reports. To force the agent to upload data, run the Performance Upload worker on the XenApp server. Once the upload is complete, you can view reports that are relevant to the issue.


Each performance upload consumes system resources on the XenApp server. Do not force the agent to upload data more frequently than is necessary.


Real-Time Information

Requests for real-time information directly query agent databases. The data is sent directly from the agent database to the EdgeSight user's browser; real-time data is not stored on the EdgeSight server.

For an EdgeSight user to access real-time data, the browser must be able to contact the EdgeSight agent on port 9035.

The user viewing the real-time information must have appropriate permissions to query the real-time data from the EdgeSight agent. This is usually managed by creating a remote security group.

Real-Time Report Usage Example

A XenApp server in the environment is at risk of experiencing performance problems. These problems manifest when the XenApp server appears as a leader in a memory usage report, or when there is a sharp increase in the number of memory-related alerts, or when a user calls and complains of a problem. You can take the following actions:

• View the device summary report as the first step to inspect the overall state of the XenApp server.

Adjust the time frame of the report to show more data as required. Spikes in resource usage may indicate a specific area and time frame for further investigation.

• Display the system performance report and look at memory-related performance counters.

Double-click data points in the chart to display process performance for the related time period, which may expose high memory usage by a particular process. After displaying process performance data, select another counter from the counter list or change the number of processes displayed by changing the value in the Top field. Adjusting these values enables you to broaden the investigation to look at different aspects of performance and a larger set of applications.

• Display the alert list report and double-click a memory-related alert to display performance counters and device context before and after the alert is generated.

Three graphs are displayed showing CPU and memory, I/O, and network statistics. The red line on the graphs indicates the time that the alert condition occurred. A table of applications and tasks below the graphs indicates the applications that were in use before and slightly after the alert occurred.

• Use the system compare report to display data for multiple XenApp servers when you need to compare performance to determine whether the problem is specific to a particular XenApp server.

First compare the overall performance of the XenApp servers and then directly compare specific counters on both XenApp servers.


User Troubleshooter

The User Troubleshooter displays detailed performance data for sessions across a farm for a specified user over the previous three days.

The troubleshooter looks for sessions based on the following information:

• The domain and username (domain\user). This field is required.

• A device name (optional). This field is the name of the XenApp server hosting the session.

• Session status options, which include:

• All Sessions

• Active Sessions

• Logged Off Sessions

The User Troubleshooter displays the following panes.

| Pane | Contents |
| --- | --- |
| System Summary | System performance counters for the server, including CPU, memory, and the network |
| Process Detail | Process performance counters, which show resource usage by the various applications running while the session is active |
| Session Summary | Session performance counters including those for the user experience, CPU, memory, and the network |
| Session Start Detail | Server startup and client startup counters, including both the initial application and any other applications in a shared session |
| Channel Detail | ICA channel counters, which show where channel bandwidth is being consumed |
| Stability | Alert data, including the type of alert, the system entity causing the alert condition, the user logged on to the device when the alert condition occurred, and the time of the alert |
| System Network Summary | System performance counters for the network, including session duration, delay, round-trip time, and errors |

Device Troubleshooter

The Device Troubleshooter displays detailed real-time performance data for a device that is running an EdgeSight agent. You can either search or browse for a device. The search function is dynamic; as a device name is entered, the device list is updated to show matching devices. Wildcard searching is not supported.


The Device Troubleshooter displays the following panes.

| Pane | Contents |
| --- | --- |
| System Summary | System performance counters concerning CPU, disk, and memory |
| Process List | Processes with counters concerning resource usage |
| Session List | Sessions with counters concerning resource usage, round-trip time, and bandwidth |
| Stability | Alert data, including the type of alert, the system entity causing the alert condition, the user logged on to the device when the alert condition occurred, and the time of the alert |
| System Network | Network performance counters concerning delay, round-trip time, volume, and errors |
| Network Summary | Processes accessing the network with counters concerning delay, round-trip time, volume, and errors |

Farm Monitor

The Farm Monitor allows you to browse through a XenApp farm and display real-time data about alerts for one or more servers. It does not display any information about endpoints.

The Farm Monitor supports multiple farms. The structure of each farm in EdgeSight reflects the Server folder structure in AppCenter.

The top portion of the Farm Monitor displays recent alert information. The lower portion of the Farm Monitor displays detailed contextual data about activity on the device at the time of a selected alert, including performance counters, sessions, processes and network usage. Because the Farm Monitor operates on alerts, no information will be displayed if no alerts have been triggered.

You can display alerts for varying time periods ranging from 15 minutes to 6 hours. Alert details include a description of the alert condition, the specific parameter in the alert rule, and the alert count.

The alert report contains details about the alert and the system context at the time of the alert. On the Process and System tabs, two charts are displayed on each counter. The left chart shows the value at the time of the alert (5 minutes before and 5 minutes after by default) and the right chart shows the current value (from the present time to 10 minutes in the past by default). The time windows are configurable from the chart. Click either chart to show an expanded version.


Using Information Reported by EdgeSight

EdgeSight provides a window into the user experience. With this view comes a slice of information that is used to diagnose and troubleshoot user issues. The following use cases provide real-world scenarios where EdgeSight is used to collect vital information.

Use Case: XenApp Farm Health

EdgeSight can be used as a tool to support the XenApp farm environment in a number of key areas, including monitoring:

• Infrastructure health

• Logon time

• Printing issues

• Real-time capacity planning

Scenario

Overall XenApp health is a function of both the XenApp servers and the applications that users run. The Farm Monitor provides a direct view into the operation of the XenApp farm and its overall health. The user interface is organized around the farm and the folder structure containing all published applications and desktops as observed by the EdgeSight agents in the farm.

Alerts for Common XenApp Health Conditions

The default EdgeSight alert configuration provides alerts for common XenApp health conditions. When triggered, these alerts are sent to the EdgeSight server and can be viewed in both the alert list and in the Farm Monitor. The alerts are assigned to the XenApp farms that report to the EdgeSight server.

The default XenApp health alert rules are as follows.

• Configuration logging database unavailable

• Farm data store connection failure

• Health monitoring and recovery action failure

• Health monitoring and recovery test failure

• IMA service unresponsive

• License server connection failure

• Number of servers in a zone is too high

• Print services failure

• Published applications concurrent usage limit

• Session in a "down" state


• Terminal server client connection error

• Terminal server license server discovery failure

• Zone data collector election triggered

• Zone elections too frequent

You can create additional alert rules or modify the alert rules that EdgeSight provides.

XenApp Infrastructure Health Guidelines

You can use the following guidelines to monitor XenApp infrastructure health:

• View the alerts regarding XenApp health conditions in the Farm Monitor. The farm on which they occur and the server on which they occur are highlighted.

• Select the event from the list to view the server performance at the time of the event. The device information is retrieved from the EdgeSight agent running on the XenApp server.

The data in the System tab is the current performance information, as presented in the right chart column, and the performance around the event time, as presented in the left chart column. A vertical red bar denotes the time of the actual event.

• Configure health monitoring and recovery tests so that they create alerts when error conditions occur.

• Select a chart to open a window that allows you to inspect all data points for the time period. Critical counters for diagnosing XenApp health include:

    • Processor Queue Length

    • Current Disk Queue Length

    • Reset Connections

    • Failed Connections

    • Processor Time

• Define custom alert rules, in addition to the standard EdgeSight XenApp health alerts, for a variety of health issues including:

    • Client update errors

    • Configuration logging database unavailable

    • Print services error

Use Case: Application Support

Application support requires visibility into the user device and the network as well as the application. All executables, regardless of vendor or function, are monitored without requiring any changes to the application or specific configurations in EdgeSight.


Scenario

IT department personnel of varying levels are responsible for supporting an enterprise:

• The Help Desk responds to user requests for assistance, gathers problem context, and escalates problems as required.

• Application support investigates application issues using device-specific data and configuration information, escalating problems as required.

• The application developer or vendor investigates application issues using detailed application-specific data such as failure reports.

This scenario assumes the following:

• An EdgeSight alert rule has been created for Process Fault conditions.

• The alert rule has an associated alert action that results in a notification e-mail being sent to the Help Desk.

• The Help Desk and application support personnel have been granted appropriate privileges (such as membership in a remote security group) on the remote device.

Reactively Responding to Application Issues Guidelines

Reactive response to application issues is required when:

• A user places a call to the help desk.

• An alert has been triggered.

You can use the following guidelines to reactively troubleshoot application issues:

• Examine the alert in the Alert List that corresponds to the issue of the user.

• Run the Performance Upload worker to force the agent on the affected server to upload data.

• Examine the Asset Changes historical report to see what recent software and hardware changes have been made to the device.

• Examine the failure analysis (Process Faults) reports when investigating application failures.

Use Case: Device Health

Good performance on a device does not necessarily indicate that the system is healthy. Performance metrics can be used to determine the physical strain on a device or process, but these metrics do not determine the overall health.

Scenario

A XenApp server operates consistently at 30% CPU utilization when hosting 40 users. During pilot testing, the load is increased to 60 users and the CPU utilization only jumps to 50%. The device appears to be handling the load, but the number of process faults and errors on the device triples.


The device is not healthy. EdgeSight can be used to review device stability reports as well as the CPU and Memory performance reports.

Managing Device Health Guidelines

You can use the following guidelines to determine device health and manage capacity planning:

• Use the Real-Time Dashboard to create a group of devices for analysis. This group can include:

    • Devices exhibiting issues (if troubleshooting the environment)

    • Devices undergoing testing (if performing a health check)

    • Devices queued for optimization (if determining capacity planning)

• Identify the metrics to examine, including:

    • Device stability

    • Process stability

Correlate the stability metrics with performance metrics to validate the physical load on the devices for capacity planning. If performance metrics show that devices have insufficient resources to manage their workloads, you may need to increase capacity.


Reports

The EdgeSight Console displays reports based on the data that is stored in the EdgeSight agent and EdgeSight server databases. A wide range of standard reports are available.

EdgeSight includes two primary categories of reports:

• Historical reports display data that has been consolidated to one-hour slices and uploaded to the server database. These reports help identify trends across groups of devices. The majority of available reports are historical reports.

• Real-time reports display data directly from an EdgeSight agent database. Real-time reports provide detailed information that helps you resolve performance problems on specific devices.

Microsoft SQL Server Reporting Services can also be used to design custom reports based on data collected by EdgeSight. How to create custom reports is not covered in this course.

Report Access

The EdgeSight console displays information about the status of devices in the EdgeSight environment. Specific reports can be found by navigating to the associated folder or by displaying and filtering the entire list of EdgeSight reports. Reports that you use on a regular basis can be added to the Favorite Reports page to provide quick and convenient access.

You can use one of the following methods to access a report:

• Click the Plan and Manage tab and select a report from the list.

• Click the Track Usage tab and select a licensing, published application, or session report.

• Click the Browse tab and select a report from the list.

The displayed reports can be narrowed by selecting the Time Frame, Data Type, Object Type, or Report Type.

• Click the Browse tab and search for a report.

    • This feature searches for the keywords in report descriptions and labels as well as report names.

• Subscribe to a report.

• Export a report.

When subscribing to or exporting a report, the following file formats are available:

• XML file with report data

• CSV (comma delimited)

• TIFF file

• Acrobat (PDF) file

• Web archive

• Excel


Excel and CSV format subscriptions and export do not work if the report has multiple charts on the same page. In these cases, subscribe to each chart instead or use the XML option to create a file for import into another application.

Filter a Report

At the top of every report page is a Filter bar which enables you to filter and control which data is displayed in the report.

Depending on the report, different attributes are available for filtering. Reports can be filtered on one or more of the following attributes:

• Department or Group

• Device

• Process, Filename, and Version

• Host

• Port

• Site Type

• Start and End Dates

• User

• User Group

In some reports, some of these attributes are listed in the Optional Parameters section. If desired, you can enter optional parameters to select subsets of the report data to include in the results.

The Group By and Then Group By attributes determine the order in which EdgeSight presents the report data.

For example, the "Not Responding Alerts" report can be grouped by device, process, user, date, or hour. If the grouping is by device then by process, the resulting graph shows not responding alerts for each device, followed by a list of alerts for each device and a list of processes under each device. If the grouping is by process then by device, the resulting graph shows not responding alerts for each process, followed by a list of alerts for each process and a list of devices under each process.

Delays

EdgeSight reports differentiate the following types of delays.

Network delay: The number of round trips multiplied by the round-trip time and divided by the average total delay associated with each request-response operation.

Client delay: The amount of time taken by the user device to process the network buffers which make up the network operation. In the case of a multitier application where the interface tier is hosted on XenApp, the XenApp server is the client.

Server delay: The amount of time taken by the server (including backend services) to process the network buffers which make up the network operation.

Use Case: Application Support

Application issues typically indicate an issue with the user device, the network, or the application. EdgeSight reports can be used to locate and diagnose application issues both reactively and proactively.

Scenario

The application administrators in an enterprise are working to optimize the performance of their environment. They would like to be able to answer the following questions:

• What are the performance and usage trends for a key application?

• Which active users will be affected when an application is updated or upgraded?

• Why does a thoroughly tested custom application that worked on the test system fail for a particular user?

• Which of the two versions of an application is performing better in the environment?

EdgeSight reports provide the information to enable them to answer these questions.

Proactively Responding to Application Issues Guidelines

You can use the following guidelines to identify potential issues before they arise:

• Examine the following historical reports:

    • Process Performance Summary by Process

    • Process Stability Summary by Process

    • Process Network Delay

These reports provide a starting point for investigating application behavior.

• Review published application reports on the Track Usage tab.

• Examine the Process Usage report for a particular application to determine which users are running the application and may be affected by an update or upgrade.


• Examine the Top N report category and filter the reports by the Processes area.

• Compare device information between test and production environments if a particular user or group of users is experiencing trouble with an application that has been tested. The Process Summary and Network Summary reports may also reveal a pattern of errors.

• Compare reports for different versions of a process to determine differences in behavior.

Depending on the area under investigation the report will differ, but it may be Process CPU, Process Errors, Process Faults, Process Memory Usage or Process Network Delay.

• Look for points of interest in the reports and then examine the data details for more information.

Use Case: XenApp Health and Capacity Planning

You can use EdgeSight reports to determine the health of XenApp servers and to determine when additional computing capacity is required.

Scenario

The IT department for an engineering firm has been requested to provide the latest version of a CAD application to its user base. The suite is currently published on XenApp servers. Before rolling out the new version to everyone, the XenApp team wants to pilot it with a small set of volunteers and a subset of the available XenApp capacity. By conducting this pilot and monitoring reports and alerts, they can determine if any additional capacity is required before publishing the application to the entire user community.

Manage XenApp Health and Capacity Planning Guidelines

You can use the following guidelines to determine XenApp server health and manage capacity planning:

• Identify which metrics to examine. This includes:

    • Application stability for the specific application.

    • CPU and memory utilization.

• Balance these with the performance metrics to assist in validating the physical load on the devices for capacity planning considerations.

• Correlate increase in session count and process count to increase in CPU and memory utilization.

• Estimate how frequently the application is used with Track Usage Published Applications reports.

• Gain an overview of the environment with the XenApp Summary and XenApp User Summary reports.


Use Case: End-User Experience Monitoring

Lack of quantitative data on the user experience is a frequent source of friction between IT departments and the users they support. XenApp users may complain of a problem without firm evidence that it exists, and XenApp administrators may doubt the existence of the problem without evidence. EdgeSight provides visibility into the user experience so that problems can be verified, isolated, and resolved.

Scenario

A user contacts the help desk complaining that during the last week, the logon process has been taking an unreasonable amount of time. The administrator accesses the session startup reports within EdgeSight and finds that the logon process has in fact slowed over a period of time.

Analyzing User Experience Dissatisfiers Guidelines

You can use the following guidelines to diagnose session problems that occurred in the past:

• Gather the following information from the user:

    • Logon name, including domain

    • The date and approximate time of the session

    • A description of the problem

• Locate the session and view the detailed performance information.

• Compare the session performance information against other sessions with:

    • Different users at the same time

    • The same user at different times

    • Different user devices at the same time

    • The same user device at different times

• Differentiate between client startup time and server startup time.

• Correlate the session performance information with server and network performance information from the same time period.

• Correlate the behavior of the published application to resource usage of the processes with the Process Usage and Process Summary reports.

• Correlate the user activities with the utilization of ICA virtual channels using the session reports such as ICA Session Latency, Session Login Time, Session Server Startup Duration, ICA Client Version.


Use Case: Application Performance and Stability

You can access information about applications from the perspective of the application and of the user. EdgeSight provides performance summaries for individual applications and shows which resources those applications use.

Scenario

An enterprise relies on a number of different groups to provide applications to business users:

• Datacenter Operations is responsible for maintaining the server infrastructure.

• Network Operations is responsible for maintaining routers, switches, load balancers, and WAN accelerators.

• Infrastructure Operations is responsible for maintaining the XenApp infrastructure.

• Human Resources IT is responsible for the human capital management system whose user interface tier is hosted on the XenApp farm.

• Services IT is responsible for the customer relationship management system whose user interface tier is hosted on the XenApp farm.

• Desktop Operations is responsible for the productivity applications that are hosted on the XenApp farm.

If any of the applications experiences a degradation in performance, isolating the root cause of the problem is difficult without specific data that can be compared to historical data. Instead, the groups are likely to blame another component of the environment for the problem. For all parties to be able to provide the appropriate support, the location of the incident must be evident.

Analyze Application Performance Guidelines

You can use the following guidelines to analyze application performance:

• In interpreting reports, differentiate among server delay, client delay, and network delay.

• Focus on time periods during which a spike in some metric appears.

• For performance questions, focus on Process Performance and Process Summary reports.

• For stability questions, focus on Process Faults and Process Errors reports. Also view the alert console to see historical information about application failures.

• Subscribe administrators of a particular application to a weekly report for the processes associated with the application.

Use Case: Branch Office Performance

You can gain visibility into the experience of branch office users using EdgeSight reports.


Scenario

A medium-sized business has a branch office in a neighboring region. This branch office is home to 10 users. One of these users has some technical skill and sometimes helps with routine troubleshooting and minor maintenance. However, she does not have the skills or the time to provide full IT support, so most IT support is provided remotely from the main office. EdgeSight enables the remote support staff to monitor the experience of the branch office users without having to be on site.

Analyze Branch Office Performance Guidelines

Use the following guidelines to analyze branch office performance:

• Create a user group (under Configure > User Groups) for each branch office that includes all users at that branch.

• Measure overall performance with the User Summary for a User Group report.

• Measure XenApp performance with ICA reports and the User Troubleshooter.

• Determine the location or nature of the problem: with an individual user, with all users in one branch office, with all users in all branch offices or with some component of the environment that could affect all users regardless of location.

Test Your Knowledge: Historical and Real-Time Data

1. A user is complaining of a slow logon time experienced within the last hour. Which tool would you likely use to troubleshoot the issue?

a. User troubleshooter

b. Farm monitor

c. Device troubleshooter

d. Alert list

2. Which report type shows the reports that include high values for metrics?

a. Archive

b. Comparison

c. List

d. Summary

e. Top N


Alerts

Alerts allow you to monitor mission-critical applications, network services, and devices and notify designated people in the enterprise in the event of a problem. Alerts should be used for critical events that support staff need to know about immediately.

By default, the EdgeSight agent on each system collects alert data and statistics and uploads them to the EdgeSight server on a scheduled basis. When an alert condition is triggered, however, the agent does not wait to upload data but immediately notifies the EdgeSight server that a critical event requiring immediate attention has occurred. If a notification alert action has been configured, the alert event will cause the EdgeSight server to send an e-mail message or an SNMP trap.

Alert Overhead

Each rule configured on an EdgeSight server incurs some overhead. At a minimum, the agent has to determine if the alert should be generated and, if so, has to send the alert to the EdgeSight server.

Performance alerts require the agent to run a query against the agent database to determine if alert conditions are present. If these conditions are too broad, the agent is required to process large data sets to generate the alerts and subsequently send them to the server.

Alert Guidelines

Configured alerts should be both specific to a single condition and able to be corrected through human intervention. If an alert does not meet both these criteria, a report is a better way to capture the data.

Certain performance alert configurations consume resources without offering any benefit. Follow these guidelines to avoid unnecessarily consuming resources:

• Do not define more than three performance alerts in each category.

• Do not create a performance alert that is triggered by a common condition such as CPU usage of 5%.

• Do not create a performance alert that is triggered by a very complex condition such as more than two performance thresholds.

• Do not create a performance alert with a "not like" operation.

• Do not create a performance alert with multiple textual "like" or "not like" operations.

• Do not create a performance alert for conditions that will never be reached such as a process performance alert for an application which is blocked/prevented from executing by a group policy.
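The guidelines above can be checked mechanically before rules are entered in the console. The following Python sketch is an added example, not Citrix code and not an EdgeSight export format: the rule model (name, category, field/operator/value conditions), the finding codes, the blocked-process list and the sample rules are assumptions constructed for illustration; only the limits themselves come from the guidelines.

```python
from collections import Counter

MAX_PER_CATEGORY = 3   # guideline: no more than three performance alerts per category
MAX_THRESHOLDS = 2     # guideline: more than two thresholds is a "very complex" condition
# Thresholds at or below these values count as "common conditions". CPU 5% is the
# guideline's own example; other counters would be filled in from historical data.
COMMON_FLOOR = {"cpu_percent": 5}


def lint_rules(rules, blocked_processes=()):
    """Return {rule name: sorted finding codes} for rules that break a guideline."""
    blocked = {p.lower() for p in blocked_processes}
    per_category = Counter(rule["category"] for rule in rules)
    report = {}
    for rule in rules:
        codes = set()
        numeric = [c for c in rule["conditions"] if c[1] == ">="]
        textual = [c for c in rule["conditions"] if c[1] in ("like", "not like")]

        if per_category[rule["category"]] > MAX_PER_CATEGORY:
            codes.add("TOO_MANY_IN_CATEGORY")
        if len(numeric) > MAX_THRESHOLDS:
            codes.add("TOO_MANY_THRESHOLDS")
        if any(value <= COMMON_FLOOR.get(field, float("-inf"))
               for field, _, value in numeric):
            codes.add("COMMON_CONDITION")
        if any(op == "not like" for _, op, _ in textual):
            codes.add("NOT_LIKE")
        if len(textual) > 1:
            codes.add("MULTIPLE_TEXT_MATCHES")
        # A rule naming an executable that policy prevents from running never fires.
        if any(field == "process" and op == "like" and value.lower() in blocked
               for field, op, value in textual):
            codes.add("UNREACHABLE")
        if codes:
            report[rule["name"]] = sorted(codes)
    return report


# Constructed sample rule set (hypothetical names and counters).
RULES = [
    {"name": "cpu-any", "category": "System",
     "conditions": [("cpu_percent", ">=", 5)]},
    {"name": "cpu-high", "category": "System",
     "conditions": [("cpu_percent", ">=", 90)]},
    {"name": "disk-queue", "category": "System",
     "conditions": [("disk_queue_length", ">=", 4)]},
    {"name": "triple", "category": "System",
     "conditions": [("cpu_percent", ">=", 85), ("disk_queue_length", ">=", 4),
                    ("page_faults_per_sec", ">=", 500)]},
    {"name": "not-office", "category": "Application",
     "conditions": [("process", "not like", "winword%"), ("cpu_percent", ">=", 80)]},
    {"name": "two-likes", "category": "Application",
     "conditions": [("process", "like", "acad%"), ("user", "like", "eng%")]},
    {"name": "blocked-app", "category": "Application",
     "conditions": [("process", "like", "games.exe"), ("cpu_percent", ">=", 50)]},
    {"name": "ok-latency", "category": "Network",
     "conditions": [("network_delay_ms", ">=", 500)]},
]
BLOCKED = ["games.exe"]   # constructed: executables prevented by group policy

if __name__ == "__main__":
    for name, codes in lint_rules(RULES, BLOCKED).items():
        print(f"{name}: {', '.join(codes)}")
```

Rules that come back with no finding still need an identified response and owner, which a check like this cannot verify.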


Alert Rules

Alert rules describe the conditions that generate an alert. The parameters offered in alert types enable you to express those conditions. Defining the alert rules depends highly on the needs of a particular environment.

Proper alert rule configuration is critical to effective alert notification about the health of servers and applications.

Alert rules should be well defined and targeted. General alert rules consume system resources and make determining the nature of the problem more difficult. Each alert rule that is created requires work to be performed by the agent, so configuring excessive numbers of alerts can adversely affect system performance.

Limit alerts to those that are truly critical. Having too many alerts can cause administrators to ignore notifications.

To create an effective alert rule configuration, an alert strategy must be in place. When designing a strategy, consider the following aspects.

Planning

• Delete default alerts that are not applicable to the particular environment.

• Identify which departments have mission-critical applications running on their servers. Associate alerts with only those departments or groups in which the alert condition is most critical. This step allows you to isolate and respond to problems that are relevant to a specific portion of the enterprise.

• Ensure that any default alert parameter values are appropriate for your environment, changing them if necessary. An appropriate alert parameter value for a user device may differ from the appropriate value for a XenApp server.

Acting

• Identify which applications are critical and then define alerts for problems which must be resolved in a short period of time.

• Define the response that is required to resolve specific alerts. A response to an alert may be to perform a specific set of actions or to notify responsible individuals in the associated department. If no response can be identified for a condition, the event does not require an alert.

• Identify who is responsible for responding to the alert.


Maintaining

• Establish and publish guidelines for alert rule creation. Determine who is responsible for new alert rule creation and define best practices, such as creating descriptive names for alert rules and avoiding the creation of duplicate alert rules. A user must have the Edit Alert Configuration permission to create or edit an alert rule.

• Determine the alert parameter values based on historical data from your environment.

• Identify which alert types are most important. Some alerts, such as NT log alerts, are generated in large numbers by some applications and are generally transparent to the user.

Alert Process

1. The agent records metrics on system state.

2. The agent runs a query on the agent database to compare the recorded data to conditions specified in the alert rule. If no alert conditions are detected, the agent returns to step 1.

When an event occurs, the agent checks event alert conditions.

If an alert condition is detected from either an event or a query, the agent proceeds to step 3.

3. The agent queues an alert to be sent to the EdgeSight Server and sends all queued alerts to the EdgeSight Server as a batch every 15 seconds.

4. The EdgeSight server saves the alert in the Microsoft SQL Server database.

5. The EdgeSight server:

    • Displays the alert in Monitor > Alert List.

    • Takes an action: Sends an e-mail, generates an SNMP trap, runs a program, or forwards to Microsoft System Center Operations Manager.

6. An administrator receives notification of the alert and corrects the condition.

Alert Types

Each alert rule has the following properties:

• A description of the condition that triggers the alert

• An action (usually notification) that EdgeSight takes when the condition occurs

• An association with one or more departments

If an alert rule is not associated with a department that contains devices, it will never be triggered.

Alert Categories

The following table describes the categories of alerts.


| Category | Description |
| --- | --- |
| Application alerts | Process performance and availability problems such as errors, non-responsiveness, and excessive paging |
| System alerts | Device performance and availability problems such as low resources, disk bottlenecks, slowdowns, and excessive paging or swapping |
| Network alerts | Network errors such as connection slowdown or failure |
| XenApp performance alerts | XenApp performance and availability problems such as excessive disconnected sessions |
| XenApp error alerts | XenApp configuration, health, and reliability problems |
| Session performance alerts | XenApp and XenDesktop session problems such as slow ICA connections |
| XenDesktop error alerts | XenDesktop configuration and reliability problems |

Each alert category includes several alert types to cover common situations.


Alert Rule Parameters

After selecting an alert rule, you must supply one or more parameters to define when an alert is triggered. The following syntax is used to define alert rule parameters:

• The value entered in a text field triggers an alert when the detected value matches the configured value. If the "Not like" option is selected, an exclusionary match is performed and the alert is triggered if the detected value does not match the configured value.

The "Not like" parameter modifier should be used with care in performance alerts. Because the agent is directed to search for parameters which do not match the condition, resource usage may be high and the resulting set may be large.

• When the detected value is equal to or greater than the value configured in a numeric field, an alert is triggered.

• The wildcard character (%) can be used with partial string values.

• The red dot indicates a required parameter. You must supply a value or accept the default value for these parameters.

• The blue dot indicates a parameter from a set where at least one value is required.

Comma-separated lists are not allowed. When designing an alert, look for commonalities among the set of devices, applications, or events for which the alert is intended.
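The parameter syntax above can be tried out on sample data before a rule is deployed. The following Python sketch is an added example and not EdgeSight code: it reads the numeric rule as "detected value equal to or greater than the configured value", and the rule dictionaries, the case-insensitive comparison, the requirement that every supplied parameter must fire, and the process samples are assumptions constructed for illustration.

```python
import re


def like(pattern, value):
    """Match value against a pattern in which % stands for any run of characters.

    Case-insensitive comparison is an assumption of this sketch.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def text_fires(configured, detected, not_like=False):
    """Text field: fire on a match, or on a non-match when "Not like" is selected."""
    return like(configured, detected) != not_like


def numeric_fires(configured, detected):
    """Numeric field: fire when the detected value is equal to or greater."""
    return detected >= configured


def matching(rule, samples):
    """Return the process names of the samples for which every parameter fires."""
    hits = []
    for sample in samples:
        fires = True
        if "process" in rule:
            mode, pattern = rule["process"]
            fires = fires and text_fires(pattern, sample["process"], mode == "not like")
        if "cpu_percent" in rule:
            fires = fires and numeric_fires(rule["cpu_percent"], sample["cpu_percent"])
        if fires:
            hits.append(sample["process"])
    return hits


# Constructed samples: one row per process as an agent might record it.
SAMPLES = [
    {"process": "winword.exe", "cpu_percent": 12},
    {"process": "excel.exe", "cpu_percent": 85},
    {"process": "acad.exe", "cpu_percent": 91},
    {"process": "acadlt.exe", "cpu_percent": 40},
    {"process": "svchost.exe", "cpu_percent": 3},
    {"process": "IMASrv.exe", "cpu_percent": 80},
]

# A comma-separated list is a single literal string, so it matches no process.
COMMA_LIST = {"process": ("like", "winword.exe,excel.exe")}
# The commonality between the two CAD executables is expressed with a wildcard.
WILDCARD = {"process": ("like", "acad%")}
WILDCARD_BUSY = {"process": ("like", "acad%"), "cpu_percent": 80}
# "Not like" selects everything else, which is why the result set grows large.
NOT_LIKE = {"process": ("not like", "acad%")}
# The boundary value itself triggers the alert (80 >= 80).
CPU_80 = {"cpu_percent": 80}

if __name__ == "__main__":
    for label, rule in [("comma list", COMMA_LIST), ("wildcard", WILDCARD),
                        ("wildcard + cpu", WILDCARD_BUSY), ("not like", NOT_LIKE),
                        ("cpu >= 80", CPU_80)]:
        print(f"{label}: {matching(rule, SAMPLES)}")
```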


To Define an Alert Rule

1. Configure the alert rule parameters at Configure > Alerts > Rules. Select an alert rule category from the list and input the required parameters.

2. Map the alert rule to an alert action in the Alert Rule Creation Wizard or by editing an existing rule.

3. Assign the alert rule to a department in the Alert Rule Creation Wizard or by editing an existing rule.

The Alert Rules Creation Wizard is also available to assist with alert modifications. In the wizard, you can:

• Edit an alert rule.

• Assign an alert rule to a department.

• Change an alert rule to alert action mapping.

The Wizard is displayed when you edit an alert rule at Configure > Alerts > Rules.

The alert rule is delivered to the agents the next time they contact the EdgeSight server for a configuration check, which is hourly by default for XenApp servers. If you need the alert to be available immediately, run the Configuration Check worker after creating the alert rule.

Alert Actions

Alert actions allow you to configure an action when an alert is triggered. Actions are typically a notification that enables you to quickly identify issues that are truly critical and require immediate attention as opposed to issues that can wait.

EdgeSight provides the Alert Actions Creation Wizard to create and configure alert actions. All types of alert actions can be managed within this wizard.

Send an E-mail Notification

The body of the message varies depending on the alert type.

An e-mail notification requires the following parameters:

• A name for the action

• A list of e-mail addresses to receive the alerts

• A subject line for the e-mail

The length of time to queue the message is an optional parameter. Setting a queue time causes the EdgeSight server to deliver all alerts generated in the specified time period in a single e-mail.

Send alerts to addresses that are checked by a person, not to a general administrator address where the alert may not be seen.


Generate an SNMP Trap

You must configure the SNMP manager to catch the trap. The data sent in the trap is described in the MIB file, which is installed as part of the EdgeSight server installation. The default MIB location is %ProgramFiles%\Citrix\System Monitoring\Server\EdgeSight\Citrix-EdgeSight-MIB.mib

Before creating an alert action to generate an SNMP trap, you should be familiar with SNMP, as well as the specific implementation for the EdgeSight environment. The EdgeSight server uses SNMPv2.

An SNMP trap alert action requires the following parameters:

• A name for the action

• A community name

• The trap destination

Launch an External Executable Process

An executable to launch when an alert condition is met can be any custom or commercial program. EdgeSight provides a number of parameters that can be passed to the executable. The executable runs on the EdgeSight server with the environment and arguments supplied in the alert configuration.

Ensure that an external process is able to handle the potential volume of alerts that might be delivered to it and test the process thoroughly.

An external executable alert action requires the following parameters:

• A name for the action

• The path to the executable on the EdgeSight server

• The working directory in which to run the executable

• The name and password of the user that should run the executable

• The timeout in seconds for the execution

• Command-line arguments to pass to the executable

Forward to Microsoft System Center Operations Manager

An SCOM notification requires the following parameters:

• The name or IP address of the Root Management Server

• The credentials for authentication to the Root Management Server


Editing Alert Actions

After the alert action is created, it can be modified by:

• Clicking the edit icon next to the action listed in the Alert Actions screen

• Running the Alert Rules Wizard

Alert Console

The Alert Console provides a graphical overview of recent alert activity. This overview allows you to identify trends in alert conditions in or throughout the environment. The Alert Console shows stability monitoring information that EdgeSight always monitors, for example event log errors, not those defined by alert rules.

By default, the console displays the last three days of alert activity for all devices. Alert data is available on the Alert Console for three days if the default database grooming configuration is used.

Some alerts require extensive data collection, such as process faults or snapshots. Although the alert may be displayed on the console, the associated files containing the error information are only available on the console after the data collection is completed and the files have been uploaded to the server, which may take several minutes. In some cases, depending on the event, the state of the machine running the agent may not allow for data collection. In these cases, the alert appears on the console, but the files containing the error information are not available.

Emphasize that the uploading of associated files may take time, and therefore only partial data may be available.

Alert List

The Alert List displays information about incoming alerts from XenApp servers and user devices. When an abnormal condition for which an alert rule has been configured is detected, the agent on the device generates an alert and sends the alert to the associated EdgeSight server.


To view the alert list, go to Monitor > Alert List.

Current Alerts List

The following table identifies the information that is displayed in the Current Alerts list.

| Heading Name | Description |
| --- | --- |
| Alert type | Identifies the type of alert condition. The alert condition is visible in the list only if an alert type is selected. |
| Alert name | Identifies the specific name of the alert rule associated with the condition |
| Source | Identifies the system entity causing the alert condition, such as: application, process, Web site, system service |
| Device | Identifies the device on which the alert condition occurred |
| User | Identifies the user logged on to the device when the alert condition occurred |
| Server time | Identifies the time at which the alert is delivered to the EdgeSight server. The device and the server times are generally the same. In the case of an application fault with files containing failure information, the times may differ because of the time required to create and to deliver the files. |
| Device time | Identifies the time at which the alert is generated. If the time zone for the device is different from the time zone for the EdgeSight server, the device time is converted and displayed in local company time. |


Viewing Alert Details

The alert details display information about incoming alerts from XenApp servers. More descriptive alert details can be viewed when an alert is expanded.

The following table describes the fields included in the alert details.

| Field | Description |
| --- | --- |
| Description | Identifies the text of the error message for the alert condition |
| Context | Displays the application or process for which the alert is generated |
| Alert family | Identifies the alert family to which the specific type of alert belongs |
| Associated alert rules | Identifies the alert rule type that matches the condition for which the alert is triggered. If multiple alert rules were satisfied by the alert condition, the alert occurrence displays all the conditions. If you delete an alert rule that is associated with an alert that has already occurred, this field may be blank. |
| Alert count | Identifies the number of alerts. For performance alerts, the alert count is the number of separate occurrences of the alert detected during the polling window. For NT event log alerts, the alert count is the number of occurrences of a particular type of alert. For all other alert types, the alert count is typically 1. |

Test Your Knowledge: Alerts

1. Which character functions as a wildcard in alert rules?

a. *

b. ?


c. &

d. %

2. True or False: When an alert is displayed in the console, it is possible that the associated files containing the errors might not be available for download if data collection has not occurred.

a. True

b. False

3. Which alert action is not available in EdgeSight?

a. E-mail notification

b. SNMP trap

c. Run external executable

d. SMS message

4. What is the maximum number of performance alert conditions an alert rule should have?

a. 2

b. 3

c. 5

d. 10

5. How should you determine performance threshold values?

a. Investigate historical reports from your environment.

b. Investigate the alert list from your environment.

c. Accept the EdgeSight default values, which are normally correct.

d. Choose values based on best practices for your industry.


Active Application Monitoring

Active Application Monitoring is an automated performance testing tool that monitors the user experience in XenApp environments.

The following table identifies the key features.

| Feature | Description |
| --- | --- |
| Recording and replay of visual scripting | You can run a script on any application published in XenApp. |
| Service-level monitoring | You can define and monitor application responsiveness against agreed service level goals. |
| Application-centric monitoring | You can experience system performance from the users' perspective and analyze the results using preconfigured EdgeSight reports. |
| Alerts | You can set alerts to send notification when service quality degrades. |

Three reports rely on data reported by Active Application Monitoring. These are Application Response Failure, Application Response Time, and Application Response Time for a Test.


Active Application Monitoring Architecture

The architecture of an EdgeSight environment that includes Active Application Monitoring contains additional components not described previously.

Each launcher can simulate only one session. If more sessions are required, use EdgeSight for Load Testing.

The following table describes the additional components of Active Application Monitoring.

| Components | Description |
| --- | --- |
| Controller | The controller is the central management console for Active Application Monitoring. This component is used to create virtual users and to record, manage, and monitor the scripts. |
| Launcher | The launcher creates the virtual user sessions by connecting to the server that is being tested. It re-enacts the transactions that a user would perform and records the responsiveness of the system. |


You can use the controller to connect to multiple launchers on different systems in any location to test responsiveness while simulating multiple locations across the organization. The launcher should not be run on the XenApp server it is monitoring, because the results will not be representative of end-user experience. Each launcher can simulate only one session at a time.

The following table describes the ports used for communication between the Active Application Monitoring components.

| Source/Destination | Port | Usage |
| --- | --- | --- |
| Controller/Launcher | 18747 | Used to upload the scripts, ICA settings, and credentials to be executed by the launcher and to communicate statistics for reporting purposes to the controller |
| Launcher/XenApp server | 1494/2598 | Used by ICA during virtual user simulation |

Active Application Monitoring Controller Console

The Test tree, which contains all of the components of an Active Application Monitoring test, is located in the upper left pane of the console. The test consists of one or more monitoring scripts, each of which comprises one or more users and a set of instructions.


Monitoring Scripts

Scripts define individual tasks that are executed by virtual users in a test to create virtual user activity. You can run multiple scripts in a single test. A script consists of two components:

| Component | Description |
| --- | --- |
| User | Identifies the user device, the applications being accessed, and the server on which the applications are running. If the environment contains multiple launchers, for example launchers in each branch office, Active Application Monitoring should be configured to execute scripts with the user appropriate to the location of the launcher. |
| Instructions | Represent user actions (a task or group of tasks) that virtual users perform during the test. |

By pressing the Record button in the Controller, you act as a virtual user and can interact with the application using Citrix Receiver. You perform tasks that a user would typically perform. During this activity, Active Application Monitoring automatically captures the user's interactions and inserts them into a script. These scripts can be edited if needed and organized into a series of folders.

Test Planning and Design

Before creating an Active Application Monitoring script, you must carefully consider two items:

• The usage pattern of the application

• The point in the usage pattern that indicates a particular problem

These considerations will be different for every application and every environment, so the responsibility of determining them depends on you working with application owners to define service-level points and with users to analyze the usage profile.

Although Active Application Monitoring scripts should represent the actual usage pattern of the application, carefully consider the impact of writing data into applications. Ensure that files or database records created by a monitor do not negatively impact the application or XenApp servers and that they are removed periodically.


The Active Application Monitoring script should exercise all of the functions identified in the usage profile. These functions and the meaning of failure conditions must be identified for the Active Application Monitoring monitor to be useful to the IT staff.

Usage Pattern Example

Sales managers may use a sales lead application with the following pattern:

1. Log on to the application.

2. View sales lead records.

3. Select and view a sales lead record.

4. Generate a sales report.

5. Log off from the application.

Connection Types

Part of the configuration of virtual users defines how the user should connect to the XenApp server. Three connection types are available:

• ICA File

• XML Service

• Server

The procedures to create and use ICA files are highly dependent on the environment, including the versions of XenApp and Web Interface and the presence of Access Gateway. The server option is not available if applications are set to allow only ICA connections.

Citrix recommends configuring users to connect with the XML service. The following parameters are required when creating a user:

• XML server address and port

• Username and password

• Domain

To Create an Application Monitor

1. Create the virtual users.

2. Define server connections.

3. Record the virtual user instructions.

4. Organize, refine, and enhance the script.

5. Schedule script execution.

6. Configure script alerts.


Viewing Errors

If an error occurs while virtual users are running the scripts, a description of the error is displayed in the Message tab in the Scripts window at the bottom of the display.

In addition, you can click Options > Debug to view further details about why a script error occurred. When the Debug option is selected, a screenshot of the current screen is taken each time an error occurs and saved on the server where the Active Application Monitoring launcher is installed. This screenshot is placed in the following subdirectory of the home directory of the user that runs the Active Application Monitoring launcher: %UserProfile%\MyDocuments\Citrix EdgeSight Active Application Monitoring\Debug

The specific error messages can be viewed from the screenshots recorded in this directory.

Additionally, the EdgeSight console displays messages detailing execution of Active Application Monitoring scripts. These messages show the Source field as "Active Monitoring."

The messages comprise the following fields:

• Message identifier

• Client name (launcher name where connection issues were encountered)

• Test name

• Script name

• User name

• Passed connection number since the last message

• Failed connection number since the last message

• Timestamp indicating when the message was sent

The following is an example message:

Client xaprod4:80:Notepad, Test test1.mon, Script Test1, User user1: ES Agent successful connections = 48, ES agent connection failures = 1
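The message layout shown above can be parsed and aggregated when the console messages are exported for review. The following is an added example, not code from the course or from Citrix: the function names, the 5% failure threshold, and all sample lines except the first are assumptions, and it assumes real messages follow the layout of the example message exactly.

```python
import re
from collections import defaultdict

# Layout taken from the example message in the course text.
MSG_RE = re.compile(
    r"^Client (?P<client>.+?), Test (?P<test>.+?\.mon), Script (?P<script>.+?), "
    r"User (?P<user>.+?): ES Agent successful connections = (?P<passed>\d+), "
    r"ES agent connection failures = (?P<failed>\d+)$",
    re.IGNORECASE,
)

def parse_message(text):
    """Return a dict of fields, or None if the text does not match the layout."""
    m = MSG_RE.match(" ".join(text.split()))  # collapse wrapped lines and extra spaces
    if m is None:
        return None
    rec = m.groupdict()
    rec["passed"], rec["failed"] = int(rec["passed"]), int(rec["failed"])
    return rec

def failure_summary(messages, max_failure_ratio=0.05):
    """Sum counters per (client, test, script); flag keys above the assumed ratio."""
    totals = defaultdict(lambda: [0, 0])
    rejected = []
    for text in messages:
        rec = parse_message(text)
        if rec is None:
            rejected.append(text)  # keep unparsed input visible instead of dropping it
            continue
        # Counters are "since the last message", so they are summed per key.
        key = (rec["client"], rec["test"], rec["script"])
        totals[key][0] += rec["passed"]
        totals[key][1] += rec["failed"]
    flagged = {}
    for key, (passed, failed) in totals.items():
        attempts = passed + failed
        if attempts and failed / attempts > max_failure_ratio:
            flagged[key] = round(failed / attempts, 3)
    return dict(totals), flagged, rejected

# Constructed sample input: the first entry is the example from the text,
# the rest are made up in the same layout (one wrapped, one malformed).
SAMPLE = [
    "Client xaprod4:80:Notepad, Test test1.mon, Script Test1, User user1: "
    "ES Agent successful connections = 48, ES agent connection failures = 1",
    "Client xaprod4:80:Notepad, Test test1.mon, Script Test1, User user1:\n"
    "ES Agent successful connections = 40, ES agent connection failures = 9",
    "Client branch1:80:Notepad, Test test1.mon, Script Test1, User user2: "
    "ES Agent successful connections = 50, ES agent connection failures = 0",
    "Client branch1 unexpected text",
]

if __name__ == "__main__":
    print(*failure_summary(SAMPLE), sep="\n")
```
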

Configuring Alerts

After configuring the monitoring script as described previously, you can configure an alert in the EdgeSight console. The monitoring script must contain a monitoring point before an alert can be configured.

The following XenApp reports and performance alerts depend on Active Application Monitoring:

• Application response failure

• Application response time

To configure an Active Application Monitoring alert, create a new alert of one of these types and enter the required parameters described in the following table.


| Parameter | Description |
| --- | --- |
| Launcher | The name of the system hosting the Active Application Monitoring launcher |
| Test name | The name of the file containing the Active Application Monitoring instructions, which must have the file extension .mon |
| Script name | The name of the folder containing the Active Application Monitoring instructions |
| Monitoring point | The location of the script whose result is compared against the alert criteria. This name must match exactly with the Monitoring Point Name in the Monitoring Point Properties, whether it is a long or custom name. |

After you configure the alert, configure an alert action as with any type of alert.

Test Your Knowledge: Active Application Monitoring

1. Which EdgeSight component executes Active Application Monitoring scripts?

a. Console

b. Controller

c. Agent

d. Launcher

2. Which two XenApp performance alerts depend on Active Application Monitoring? (Choose two.)

a. Application Response Failure

b. Application Response Time

c. Session Idle Too Long

d. Slow ICA Connection

e. XenApp Session Performance


851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA (954) 267 3000 www.citrix.com

Rheinweg 9 8200 Schaffhausen Switzerland +41 (0) 52 63577 00 www.citrix.com

© Copyright 2011 Citrix Systems, Inc. All rights reserved.