The License Management Console communicates through port 8082.
The client device communicates with the Access Gateway appliance through port 443.
Unsecured client to XenApp server communication travels on port 1494. When Session Reliability is enabled, it travels on port 2598 instead.
IMA server to server communication is on port 2512.
A data collector is a server that hosts an in-memory database that maintains dynamic information about the servers in the zone, such as server loads, session status, published applications, users connected, and license usage. Data collectors receive incremental data updates and queries from servers within the zone. Data collectors relay information to all other data collectors in the farm.
There is no exact formula for determining the ideal number of farms, but general guidelines can help: In general, a single farm meets the needs of most deployments. A significant benefit to deploying a single farm is needing only one data store database. Consider using multiple farms when you have geographically dispersed data centers that can support their own data store database, or when you do not want communication between servers within the farm to cross a firewall or WAN. For very large deployments with thousands of servers, breaking the environment into multiple farms can increase performance.
When servers in a farm come online, they query the data store for configuration information. The data store provides a repository of persistent information. For this reason, you would want your data store to be in the same location as most of the servers to minimize the XenApp server to data store traffic travelling over the WAN.
While installing XenApp 6, the administrator can choose to add anonymous users, authenticated users or a list of the users from the users group to the Remote Desktop Users.
Use the XenApp Server Role Manager by selecting “Leave the current server farm” and, once removed, “Join an existing server farm”. CHFARM is no longer supported in XenApp 6. The Delivery Services Console only removes the server from the farm so that it is not visible in the console; the server is not removed from the data store.
The Citrix online plug-in and Citrix offline plug-in are installed automatically when you install the XenApp role. These plug-ins do not appear in the components lists, and you cannot disable these installations during a wizard-based installation.
The XenApp Server Role Manager deploys the Windows Server Remote Desktop Services role if it is not already installed and enables the RDP client connection option. You will be asked to restart the server and resume the installation when you log on again.
You cannot grant permissions to applications and servers directly. To grant permissions to applications and servers, you must first place the applications or servers in folders and then grant permissions at the folder level. Therefore, before you delegate tasks for applications and servers, make sure you group the applications and servers in folders that allow you to delegate the tasks in a meaningful way.
Configuring XenApp Sessions
The web plug-in has a minimal feature set and the user launches applications from their web browser.
If you want to share sessions, ensure all applications are published with the same settings. Inconsistent results may occur when applications are configured for different requirements, such as encryption.
For session sharing to occur, both applications must be hosted on the same server. Session sharing is configured by default when you specify that applications appear in seamless window mode. Session sharing always takes precedence over load balancing.
Plug-ins can be delivered to multiple users using the Receiver, which allows you to deliver the plug-ins automatically with the Merchandising server, or using Active Directory with an MSI file in a Group Policy Object.
HDX MediaStream for Flash detects the level of network latency between the server and user device the first time an individual browser or browser tab accesses an embedded Flash Player. If latency is determined to be within an acceptable threshold, HDX MediaStream for Flash is used to render Flash content on the user device. If the latency is above this threshold, the network server renders the content if a Flash player is available there. The default threshold setting is 30 milliseconds.
SpeedScreen Image Acceleration applies a lossy compression scheme to reduce the size of image files that the server sends to the client for faster throughput. The compression scheme removes redundant or extraneous data from the files while attempting to minimize the loss of information. The lossy compression levels are as follows: High – low quality, lowest bandwidth; Medium (default) – good quality, lower bandwidth; Low – high image quality, higher bandwidth; None – same quality as original, highest bandwidth.
HDX MediaStream multimedia acceleration optimizes multimedia files that are encoded with codecs that adhere to Microsoft’s DirectShow, DirectX Media Objects (DMO), and Media Foundation standards. To play back a given multimedia file, a codec compatible with the encoding format of the multimedia file must be present on the client device.
SmoothRoaming, more commonly known as Workspace Control, is configured in Web Interface. To use workspace control, you must enable the “Override user device names” setting in the Session Preferences task in the Citrix Web Interface Management console.
Configuring XenApp Policies
Shadow policy settings include: Input from shadow connections, Log shadow attempts, Notify user of pending shadow connections, Users who can shadow other users, Users who cannot shadow other users.
To configure CPU Utilization Management, in the Policies node of the Delivery Services Console, select the Computer tab. The Memory/CPU section contains policy settings for managing CPU utilization and memory optimization.
Remove Server From Load Balancing excludes the server from load balancing. Clients do not attempt to make new connections to this server through Load Manager. However, existing connections are maintained, and attempts are made to reconnect disconnected sessions.
Policies with the highest priority are applied last and therefore take precedence over lower-priority policies.
The IMA encryption feature provides a robust AES encryption algorithm to protect sensitive data in the IMA data store. Enabling IMA encryption provides an additional layer of security for the data preserved by the Configuration Logging feature.
If you want administrators to be able to make changes to the server farm when log entries cannot be saved to the Configuration Logging database, select the “Allow changes to the farm when logging database is disconnected” check box.
When a Custom Citrix Administrator is created, his only role by default is “Log on to Management Console”.
Publishing Applications and Content
Publishing the desktop presents users with an entire Windows Server desktop when they log onto XenApp. For security, the desktop should be locked down, of course.
Configure content redirection from client to server by associating published applications with file types and then assigning them to the users you want to be affected. When you configure client to server content redirection, users running the online plug-in open all files of the associated type with applications published on the server. Content redirection from client to server is available only for users connecting with the online plug-in. On the Web Interface server, configure Web Interface to allow content redirection for the farm.
Using application streaming to a client desktop, you make available the full set of application streaming features. You can publish applications as “streamed to client” or any other method for streaming. When you stream applications directly to client desktops, some of the application files are cached locally and the application runs using the resources of the user device.
Selecting “Accessed from a server” grants users access to applications that run on a XenApp server. Choose this option for thin clients, because you cannot stream the application to them. When you select “Accessed from a server” you must also select the server application type. “Streamed to server” grants users access to stream a profiled application from the file share to a XenApp server (so the application does not have to be installed on a XenApp server, keeping the servers in the state they are currently in) and launch it from XenApp through an ICA connection.
Configure the profiler workstation to provide a run-time environment that is as close to your user device environment as possible. After you create a profile, save it to a file share in your App Hub.
Packages created with the profiler are PROFILE files. Example: msword.profile
Inter-isolation communication is a feature that links individual profiles so that applications in separate profiles can communicate with each other when launched on the user device. An associated profile does not include any additional installation.
You link existing profiles and set their hierarchy so that they can communicate when launched on the user device. By associating these two profiles, Outlook and the Reader can interact as users expect, even though the individual applications are profiled separately. This happens because they are now aware of each other and can interact as though they are profiled together.
The application in the profile is streamed from the App Hub to the XenApp server, where the offline plug-in is installed by default.
Power and Capacity Management can help reduce power consumption and manage XenApp server capacity by dynamically scaling up or scaling down the number of online XenApp servers. As users log on to the system and reduce the idle capacity, other servers in the workload are powered up. As users log off and idle capacity increases, idle servers are shut down. This helps optimize capacity for XenApp workloads. Scheduling provides an automated approach.
Roaming profiles used in Profile Management use the file extension .dat. Mandatory profiles use .man.
Monitoring and Managing Performance and Load
XenApp servers are contained in worker groups.
Load balancing policies can consist of a worker group preference list to determine the servers to which users are directed when logging on.
To ensure users are directed to the appropriate servers, create a worker group preference list to prioritize the servers that users can access. A priority of 1 is considered the highest priority. When a user launches a published application, the load balancing policy directs the user to servers in the highest priority worker groups first. Users are directed to servers in lower priority worker groups if servers in the higher priority worker groups are offline or have reached maximum capacity.
The scheduling rule schedules the availability of selected servers or published applications. This rule sets the weekly days and hours during which the server or published application is available to users and can be load managed.
The IP rule must be used in conjunction with another rule and defines a range of allowed or denied client IP addresses for a published application.
The Default Load Evaluator contains Load Throttling and Server User Load rules. The Load Throttling rule can only be applied to servers, not to applications. Load Throttling limits the number of concurrent connection attempts that a server handles. This prevents the server from failing when many users try to connect to it simultaneously. Server User Load limits the number of users allowed to connect to a selected server.
The Advanced Load Evaluator contains the CPU Utilization Load, Memory Usage, Page Swaps, and Load Throttling rules.
Memory Usage defines a range of memory used by a server. This rule uses the “Memory: % Committed Bytes in Use” performance counter to determine load.
The Session Printers setting “Set default printer to client’s main printer” sets the default printer for the session to the client’s current default printer while allowing the reporting group to use other network printers.
The setting “Redirect only the default client printer” in Microsoft’s Printer Redirection only allows the default printer in the session.
To specify how client printer drivers are installed on the XenApp 6 servers, configure the following Citrix policy settings: “Automatic installation of in-box printer drivers” which controls whether Windows native drivers are automatically installed when auto-creating either a client or network printer. Disabling this setting prevents the automatic installation of printer drivers.
“Printer driver mapping and compatibility” lists driver substitution settings for auto-created printers. It allows or prevents printers from being created with the specified driver.
Citrix Universal Printer drivers allow users to print regardless of whether they have the correct printer drivers installed.
If the servers in your farm have the same drivers as the client printers but the drivers themselves are named differently, XenApp may not recognize the drivers are the same and users will have difficulty printing or printer auto-creation may fail. You can resolve this issue by overriding, or mapping, the printer driver name the client provides and substituting an equivalent driver on the server.
You can use a printer driver mapping policy to substitute good printer drivers for outdated or corrupted drivers, specific Windows printer drivers for manufacturers’ client printer drivers, and a driver that is available on Windows Server for a client driver name.
To specify that specific printers are created in sessions rather than auto-create all the network printing devices available from the client device, configure the Citrix policy setting Session printers.
Enabling and Securing Web Access to Published Applications and Content
To add a farm to an existing XenApp Services site using the Web Interface Management Console, in the left pane click XenApp Services Sites and select your site in the results pane. In the Action pane, click Server Farms. Click Add. Enter a name for the server farm in the Farm name box. In the Server Settings area, click Add to specify a server name.
When configuring secure access for a XenApp Services or Web site with Access Gateway or Secure Gateway in your deployment, you must configure the Web Interface for gateway support. You can use Gateway Direct, Gateway Alternate or Gateway Translated.
Citrix recommends using Gateway Direct when users are connecting through Access Gateway to a server farm.
You can specify backup servers for the Citrix online plug-in to contact if the primary Web Interface server is not available.
Choose the XenApp Services site and use the Server Settings task in the Citrix Web Interface Management console to specify URLs for backup servers.
In the event of a server failure, users are connected automatically to the backup server specified first on the Backup site paths list. If this server fails, the Citrix online plug-in attempts to contact the next server on the list.
The online plug-in initiates a Secure Sockets Layer (SSL) connection to the fully qualified domain name (FQDN) of Access Gateway, which then terminates the SSL connection and completes an ICA connection to the real address of the target XenApp server. This method relies on the Secure Ticket Authority (STA) to validate incoming connections. Gateway Direct is used if users are outside the LAN and have not established a connection using the Access Gateway Plug-in.
After you create the Web Interface site, use Web Interface Management console to configure settings for Access Gateway.
To enable pass-through with smart card authentication for XenApp Web sites, open Citrix Web Interface Management. Select the “Pass-through with smart card” check box.
Some of the settings to use when configuring Web Interface on the internal network with Access Gateway in the DMZ and load balancing two STAs are: In Access Method, select Gateway direct, click OK and click Next. In Address (FQDN), type the Access Gateway fully qualified domain name (FQDN). In Port, use the default, 443. Click “Enable session reliability” and “Request tickets from two STAs, where available” and click Next. Under Secure Ticket Authority URLs, click Add. In the Add Secure Ticket Authority dialog box, in Secure Ticket Authority URL, type the name of the master server running the XML Service on XenApp, click OK and then click Finish. Repeat for each STA server you want to add. Click “Use for load balancing”.
To put it simply, in a basic Web Interface deployment, the user device communicates with the Web Interface server, which communicates with the XML Service, which locates the least busy XenApp server and returns that information to the Web Interface server to send back to the user’s web browser.
An administrator can use either QUERY FARM or QFARM to get information about servers in the server farm.
To get the load of a specific server, use QFARM ServerName/load or QUERY FARM ServerName/load (where ServerName is replaced with the actual name of the server).
To get the load of all servers in the farm, just use /load. Examples: QFARM /load or QUERY FARM /load.
The XML Service port default is 80.
Without configuring IIS to support it, HTTPS would not work.
Without configuring the XML ports on the XenApp servers, SSL Relay would not work.
In many environments, especially large ones, Citrix recommends that you auto-create only one default printer. Auto-creating a smaller number of printers creates less overhead on the server and is better for CPU utilization.
If you do not want large numbers of printers created at the beginning of each session, consider specifying XenApp to use the Citrix Universal Printer.
Load Manager values: 0 to 9998 – This is the normal range for Load Manager;
99999 – No load evaluator is configured;
10000 – Load is at 100 percent (full load);
20000 – XenApp Advanced Configuration contains an incorrect server edition or a license mismatch;
99990 – Results when a custom administrator with restricted rights runs the following QFARM commands: QFARM SERVER /APP, QFARM /APP, QFARM /APP <appname> or QFARM /ZONEAPP.
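The QFARM /load query and the Load Manager value table above can be turned into a quick health check. This is an added example, not Citrix tooling: the two-column "Server Name / Server Load" layout and the sample output are assumptions and constructed data, so adjust the parser if your QFARM build prints differently.

```python
"""Classify QFARM /LOAD results using the Load Manager value ranges.

Added example, not part of XenApp. The sample output below is constructed
and its two-column layout is an assumption.
"""

# Special Load Manager values from the notes; anything 0-9998 is a normal load.
SPECIAL_LOADS = {
    10000: "full load (100 percent)",
    20000: "incorrect server edition or license mismatch",
    99990: "restricted custom administrator ran the query",
    99999: "no load evaluator configured",
}

# Constructed sample of what "QFARM /LOAD" might print (layout assumed).
SAMPLE_OUTPUT = """\
Server Name                    Server Load
------------------------------ -----------
XENAPP01                       1250
XENAPP02                       10000
XENAPP03                       20000
XENAPP04                       99999
"""


def classify_load(value):
    """Return a human-readable state for one Load Manager value."""
    if value in SPECIAL_LOADS:
        return SPECIAL_LOADS[value]
    if 0 <= value <= 9998:
        # 10000 is 100 percent, so each 100 units is one percent of capacity.
        return "normal ({:.1f}% of full load)".format(value / 100)
    return "unrecognized value {}".format(value)


def parse_qfarm_load(text):
    """Parse QFARM /LOAD style output into {server_name: load_value}."""
    loads = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the header row and the dashed separator:
        # only data rows end in an integer load value.
        if len(parts) < 2 or not parts[-1].isdigit():
            continue
        loads[" ".join(parts[:-1])] = int(parts[-1])
    return loads


def servers_needing_attention(loads):
    """Names of servers reporting anything other than a normal 0-9998 load."""
    return sorted(name for name, value in loads.items()
                  if not 0 <= value <= 9998)


if __name__ == "__main__":
    for server, load in parse_qfarm_load(SAMPLE_OUTPUT).items():
        print("{:<12} {:>6}  {}".format(server, load, classify_load(load)))
```

Pipe the real command output into parse_qfarm_load() to flag servers that are full, misconfigured or missing a load evaluator before users hit them.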
With the Delivery Services Console you can reset, logoff and disconnect sessions, and terminate processes in a session.
When the ActiveX control is being deployed to a client, if Internet Explorer does not place the XenApp Web site in the “Local intranet” or “Trusted sites” zone, it displays an error message.
Load Manager user loads are calculated using active ICA sessions only.
Citrix Universal Printing might not work in your environment if you don’t have compatible client devices or plug-ins.
If you want the Citrix Universal Printer to appear in sessions, make sure that the Citrix policy setting Client printer names is not set to Legacy printer names in any policies affecting those sessions.
When the IMA Service is restarted, users who are already connected continue working uninterrupted; however, new connections are not allowed until the IMA Service is running again.
Session reliability travels through TCP port 2598. Make sure the port is open for users outside of the firewall.
The policy setting “Do not auto-create client printers” turns off auto-create for all client printers when users log on.