Deploying App and Desktop Solutions with Citrix XenApp and XenDesktop 7.6
Citrix Course CXD-300-I
© Copyright 2015 Citrix Systems, Inc.
Citrix Course CXD-300-I August 2015 Version 6.2
Table of Contents

Module 1: Understanding the XenDesktop Architecture .... 17
  Understanding the XenApp and XenDesktop Architecture .... 19
    Overview .... 19
    XenApp or XenDesktop .... 19
    New Features .... 20
    Deprecated Features .... 21
    Discussion Question .... 22
    XenApp and XenDesktop Virtualization Technologies .... 22
    Discussion Question .... 22
    Hosted Applications .... 23
    Discussion Question .... 23
    Server OS Machines .... 24
    Discussion Question .... 24
    Desktop OS Machines .... 25
    Discussion Question .... 26
    Remote PC Access .... 26
    Discussion Question .... 26
    Streamed VHD .... 27
    Discussion Question .... 27
    Local VM .... 27
    Discussion Question .... 28
    Local Application Access .... 28
    Discussion Question .... 29
    Infrastructure Components .... 29
    Discussion Question .... 32
    Citrix Components .... 32
    Discussion Question .... 36
    Designing a XenApp and XenDesktop Implementation .... 36
    Assess Phase .... 37
    Discussion Question .... 37
    Design Phase .... 37
    Discussion Question .... 38
    Deploy Phase .... 38
    Discussion Question .... 39
    Maintain Phase .... 39
    Discussion Question .... 39
    Design Document .... 39
    Reinforcement Exercise: Identifying Components .... 39
Module 2: Setting Up the Hypervisor .... 43
  Setting Up the Hypervisor .... 45
    Overview .... 45
    Installing the Hypervisor .... 45
    To Install XenServer .... 46
    Discussion Question .... 48
    Installing the Hypervisor Management Console .... 49
    To Install XenCenter .... 49
    Discussion Question .... 50
    Connecting the Management Console to the Hypervisor .... 50
    To Connect XenCenter to the XenServer Host .... 50
    Discussion Question .... 51
    Configuring the Hypervisor .... 51
    Configuring the Virtual Networks .... 51
    To Configure an External Network .... 52
    Discussion Question .... 53
    Creating a Pool or Cluster of Hosts .... 53
    To Create a New Pool in XenServer .... 53
    Discussion Question .... 54
    Configuring an ISO Library .... 54
    To Configure an ISO Library for XenServer .... 54
    Discussion Question .... 55
    Configuring Virtual Disk Storage .... 55
    To Configure Virtual Disk Storage .... 55
    Discussion Question .... 57
    Applying Updates and Hotfixes .... 57
    To Upload and Apply a XenServer Hotfix .... 57
    Discussion Question .... 58
    Creating Templates .... 58
    Discussion Question .... 59
    Discussion Question .... 59
    Installing Windows Server 2012 R2 .... 59
    To Install the Operating System on a VM in XenServer .... 59
    Discussion Question .... 60
    Installing Hypervisor Tools .... 60
    To Install Hypervisor Tools on a VM in XenServer .... 61
    Discussion Question .... 61
    Installing the .NET Framework 3.5 Features on Server 2012 R2 .... 61
    Discussion Question .... 62
    Running Sysprep on the Virtual Machine .... 62
    To Run Sysprep on the VM in XenServer .... 62
    Discussion Question .... 62
    Creating the Template .... 63
    To Create a Template in XenServer .... 63
    Discussion Question .... 63
    Troubleshooting Hypervisor Setup Issues .... 63
    Reinforcement Exercise: Creating a Windows 7 Template .... 64
Module 3: Setting Up the Infrastructure Components .... 65
  Setting Up the Infrastructure Components .... 67
    Overview .... 67
    Setting Up the Domain Controller .... 67
    Active Directory Domain Services .... 68
    Discussion Question .... 68
    Troubleshooting AD DS Installation Issues .... 68
    Creating Organizational Units .... 68
    To Create Organizational Units for a XenApp and XenDesktop Implementation .... 69
    Discussion Question .... 69
    Adding Users and Groups .... 69
    To Create End-User Accounts and Groups .... 70
    Discussion Question .... 71
    Configuring Policies Using Group Policy .... 71
    To Configure Policies Using Group Policy .... 72
    Discussion Question .... 73
    Securing Service Accounts .... 74
    To Secure a Service Account .... 74
    Discussion Question .... 74
    Setting Up the Dynamic Host Configuration Protocol .... 75
    Installing and Configuring the DHCP Role .... 75
    Troubleshooting DHCP Installation Issues .... 75
    Setting Up a Certificate Authority .... 75
    Installing the Certificate Services Role .... 76
    To Install the Certificate Authority .... 76
    Discussion Question .... 77
    Setting Up the File Server .... 77
    Creating a Computer Account for a New VM .... 77
    To Create a Computer Account .... 77
    Creating the VM .... 77
    To Create a VM Using a Custom Template .... 78
    Adding the File Server Role .... 79
    To Add the File Server Role to a VM .... 79
    Discussion Question .... 79
    Creating a Share for Folder Redirection .... 79
    To Create a File Share for Folder Redirection .... 80
    Creating a Folder Redirection Group Policy .... 82
    To Create a Folder Redirection Group Policy for Virtual Desktops .... 82
    Discussion Question .... 82
    Setting Up the Microsoft KMS License Server .... 83
    Setting Up SQL Server 2012 .... 83
    Creating the Computer and Service Accounts for SQL Server 2012 .... 83
    To Create Computer and Service Accounts for SQL Server 2012 .... 83
    Installing SQL Server 2012 .... 84
    To Install SQL Server 2012 .... 84
    Discussion Question .... 85
    Configuring SQL Server and the Windows Firewall .... 85
    To Configure SQL Server and the Windows Firewall to Accept Inbound Connections .... 85
    Discussion Question .... 87
    Setting Up SQL Server Mirroring .... 87
    Discussion Question .... 87
    Installing the SQL Server Witness .... 88
    Discussion Question .... 88
    Configuring SQL Server Mirroring .... 88
    To Configure SQL Server Mirroring .... 88
    Discussion Question .... 91
    Troubleshooting SQL Server Issues .... 91
    Installing Anti-Virus Software .... 91
    Discussion Question .... 91
    Setting Up the DMZ .... 92
    Discussion Question .... 92
    Reinforcement Exercise: Redirecting Additional Folders .... 92
Module 4: Setting Up Citrix Components .... 93
  Setting Up Citrix Components .... 95
    Overview .... 95
    Architecture .... 95
    Discussion Question .... 96
    Setting Up the Citrix License Server .... 96
    Installing the Citrix License Server .... 97
    To Install the Citrix License Server .... 97
    Troubleshooting License Server Issues .... 98
    Allocating, Downloading, and Adding a License File .... 99
    To Allocate, Download, and Import a License File .... 99
    Discussion Question .... 101
    Adding License Administrators .... 101
    To Add a License Administrator .... 101
    Discussion Question .... 102
    Configuring Licensing Alerts .... 102
    To Configure Licensing Alerts .... 102
    Moving from XenApp 7.6 to XenDesktop 7.6 .... 103
    Setting Up the Delivery Controller .... 103
    Installing the First Controller .... 104
    To Install the First Controller .... 104
    Discussion Question .... 106
    Configuring a Site .... 106
    To Configure a Site .... 106
    Editing Connection and Resource Settings .... 108
    To Edit Connection and Resource Settings .... 108
    Connecting to Resources .... 108
    Discussion Question .... 109
    Troubleshooting Studio .... 109
    Adding Delegated Administrators .... 109
    To Add a Delegated Administrator .... 110
    Discussion Question .... 110
    Setting Up a Second Controller .... 110
    To Install a Second Controller .... 110
    Joining a Controller to a Site .... 112
    To Join a Controller to an Existing Site .... 112
    Discussion Question .... 113
    Setting Up the Citrix Universal Print Server .... 113
    Installing the Universal Print Server .... 114
    To Install the Universal Print Server .... 114
    Discussion Question .... 114
    Configuring the Universal Print Server .... 114
    To Configure the Universal Print Server .... 115
    Discussion Question .... 116
    Creating Printers .... 116
    To Create Printers .... 116
    Discussion Question .... 116
    Setting Up StoreFront .... 117
    Discussion Question .... 117
    Installing Citrix StoreFront .... 117
    To Install StoreFront .... 117
    Discussion Question .... 118
    Requesting and Installing a Certificate on StoreFront .... 118
    To Create and Install a Certificate on StoreFront .... 118
    Discussion Question .... 119
    Configuring a Store .... 119
    To Configure a Store .... 120
    Creating a Store for Anonymous User Access .... 120
    To Create a Store for Anonymous User Access .... 120
    Discussion Question .... 121
    Setting Up a Second StoreFront Server .... 121
    To Install a Second StoreFront Server .... 121
    Discussion Question .... 124
    Setting Up Receiver .... 124
    Configuring DNS for Email-Based Account Discovery .... 124
    To Configure a Service Location Locator Record for Email-based Account Discovery .... 125
    Installing and Configuring Receiver .... 126
    To Install and Configure Receiver .... 126
    Discussion Question .... 127
    Troubleshooting Receiver .... 127
    Reinforcement Exercise: Using the Receiver for Web Site .... 127
Module 5: Setting Up XenDesktop Resources ........ 129
Setting Up XenApp and XenDesktop Resources ........ 131
Overview ........ 131
Resources ........ 131
Discussion Question ........ 132
Preparing the Master Image Virtual Machine ........ 132
Creating the Master Image ........ 133
Discussion Question ........ 133
Setting Up a Server OS Master Image ........ 133
To Set Up a Server OS Master Image ........ 133
Using a Virtual IP Address ........ 135
Installing and Configuring the Virtual Delivery Agent ........ 135
To Install and Configure the VDA on a Server OS Master Image ........ 135
Installing and Configuring Third-Party Applications ........ 137
To Install Third-Party Applications ........ 137
Installing Anti-Virus Software ........ 138
Discussion Question ........ 138
Troubleshooting Virtual Delivery Agent Issues ........ 138
Setting Up a Desktop OS Master Image ........ 139
To Set Up a Desktop OS Master Image ........ 139
Installing and Configuring the Virtual Delivery Agent ........ 141
To Install and Configure the VDA on a Desktop OS Master Image ........ 141
Discussion Question ........ 143
Creating a Machine Catalog ........ 143
Creating a Machine Catalog for Server OS and Hosted Applications ........ 143
To Create a Machine Catalog for Server OS and Hosted Applications ........ 144
Discussion Question ........ 145
Creating a Machine Catalog for Desktop OS Machines ........ 145
To Create a Desktop OS Machine Catalog ........ 146
Discussion Question ........ 148
Creating a Delivery Group ........ 148
Securing Connections ........ 148
To Create a Delivery Group to Provide Hosted Applications ........ 149
Creating a Delivery Group for Anonymous User Access ........ 151
To Create a Delivery Group for Anonymous User Access ........ 151
Organizing Applications in Folders ........ 152
To Organize Applications in Folders ........ 152
To Create a Delivery Group to Provide Desktops ........ 152
Discussion Question ........ 154
Securing Connections ........ 154
Troubleshooting XenApp and XenDesktop Resource Issues ........ 155
Reinforcement Exercise: Adding Machines and Delivery Groups ........ 155
Module 6: Setting Up Policies ........ 157
Setting Up Policies ........ 159
Overview ........ 159
Installing the Group Policy Management Feature ........ 160
To Install the Group Policy Management Feature ........ 160
Configuring Printing Policies ........ 160
Configuring the Universal Printer Driver ........ 160
To Configure the Universal Printer Driver ........ 161
Discussion Question ........ 161
Configuring Client Printer Auto-Creation ........ 161
To Modify the Printer Auto-Creation Behavior ........ 162
Discussion Question ........ 162
Configuring Session Printers ........ 162
To Configure Session Printer Settings ........ 163
Discussion Question ........ 164
Optimizing Print Job Routing ........ 164
Optimizing Printing Performance ........ 165
To Optimize Printing ........ 165
Discussion Question ........ 166
Configuring Remote Assistance ........ 166
To Configure Remote Assistance Permissions ........ 166
Discussion Question ........ 167
Prioritizing the Policies ........ 167
Changing the Priority of the Policy ........ 169
To Change the Priority of a Policy ........ 169
Discussion Question ........ 170
Running the Resultant Set of Policy ........ 170
To Create a Resultant Set of Policy Using the Group Policy Management Console ........ 170
Discussion Question ........ 171
Troubleshooting Policies ........ 171
Setting Up Citrix Profile Management ........ 171
To Configure a Profile Management Share ........ 171
To Configure the Profile Management Settings ........ 172
Discussion Question ........ 174
Reinforcement Exercise: Configuring a Session Printer ........ 175
Module 7: Setting Up Provisioning Services ........ 177
Setting Up Provisioning Services ........ 179
Overview ........ 179
Provisioning Services Architecture ........ 179
Discussion Question ........ 181
Setting Up a Provisioning Services Server ........ 181
Creating a Service Account for Provisioning Services ........ 181
To Create a Service Account for Provisioning Services ........ 181
Creating a Share for the Store ........ 182
To Create the Share for the Store ........ 183
Write Cache Considerations ........ 183
Discussion Question ........ 185
Creating Windows Firewall Exceptions ........ 185
To Create Windows Firewall Exceptions ........ 185
Discussion Question ........ 187
Installing Provisioning Services ........ 187
To Install Provisioning Services ........ 187
Discussion Question ........ 190
Granting Database Permissions ........ 190
To Grant Database Permissions to the Service Account ........ 190
Installing the Provisioning Services Console ........ 191
To Install the Provisioning Services Console ........ 191
Discussion Question ........ 192
Configuring Boot from Network ........ 192
To Configure DHCP (Options 66 and 67) for PXE Booting ........ 192
Discussion Question ........ 192
Setting Up a Second Provisioning Services Server ........ 192
To Configure a Second Provisioning Services Server ........ 193
Discussion Question ........ 195
Configuring the Bootstrap File for High Availability ........ 195
To Configure the Bootstrap File for High Availability ........ 195
Discussion Question ........ 196
Configuring the Master Target Device ........ 196
Creating the Master Target Device ........ 197
To Create a New Master Target Device ........ 197
Installing the Virtual Delivery Agent ........ 199
To Install the Virtual Delivery Agent ........ 199
Creating the vDisk ........ 201
To Convert the Hard Drive of the Master Target Device to a vDisk ........ 201
Discussion Question ........ 203
Setting the vDisk Mode ........ 203
To Set the vDisk Mode ........ 204
Discussion Question ........ 204
Assigning a vDisk to a Target Device ........ 204
To Assign a vDisk to a Target Device ........ 204
Discussion Question ........ 205
Creating the Machine Catalog ........ 205
To Create a Diskless Target Device Template ........ 205
To Create the Machine Catalog ........ 206
Discussion Question ........ 207
Creating the Delivery Group ........ 207
To Create the Delivery Group ........ 207
Discussion Question ........ 209
Reinforcement Exercise: Creating BDM Target Devices ........ 209
Module 8: Preparing the Environment for Rollout ........ 211
Preparing the Environment for Rollout ........ 213
Overview ........ 213
Testing a Service Account ........ 213
To Test a Service Account ........ 213
Discussion Question ........ 214
Testing the DHCP Scope ........ 214
To Verify IP Addresses Are within the DHCP Scope ........ 214
Discussion Question ........ 214
Testing the Certificates ........ 215
To Verify Secure Communications with StoreFront ........ 215
Discussion Question ........ 215
Testing the Provisioning Services Share ........ 215
To Verify the vDisk Storage Location ........ 215
Discussion Question ........ 216
Verifying Internal Access to Hosted Applications ........ 216
To Verify Internal Access to Hosted Applications ........ 216
Discussion Question ........ 218
Verifying Internal Access to a Server OS Machine (PVS) ........ 218
To Verify Internal Access to a Server OS Machine Streamed Using PVS ........ 218
Discussion Question ........ 221
Verifying Internal Access to a Desktop OS Machine ........ 221
To Verify Internal Access to a Desktop OS Machine with a Personal vDisk ........ 221
Discussion Question ........ 224
Testing Remote Assistance ........ 224
To Test Remote Assistance ........ 224
Discussion Question ........ 226
Testing Delivery Controller High Availability ........ 226
To Test Delivery Controller High Availability ........ 227
Discussion Question ........ 228
Testing SQL Server Mirroring ........ 228
To Test SQL Server Mirroring ........ 228
Discussion Question ........ 230
Reinforcement Exercise: Verifying Internal Access to a Server OS Machine (MCS) ........ 230
Module 9: Setting Up NetScaler ........ 231
Setting Up NetScaler ........ 233
Overview ........ 233
To Import the NetScaler Gateway VPX ........ 234
Discussion Question ........ 235
Creating the NetScaler VM ........ 235
To Create a NetScaler VPX VM ........ 235
Discussion Question ........ 235
Performing the Initial NetScaler Configuration ........ 235
To Perform the Initial Configuration of the First NetScaler ........ 236
Discussion Question ........ 237
Configuring NTP ........ 237
To Synchronize the Time on the NetScaler ........ 237
Discussion Question ........ 238
Configuring NetScaler High Availability ........ 238
To Perform the Initial Configuration of the Second NetScaler ........ 238
To Configure a Second NetScaler for Redundancy ........ 239
Discussion Question ........ 241
Setting Up DNS ........ 241
To Configure DNS A Records for the NetScaler ........ 242
Discussion Question ........ 242
Creating Certificates for NetScaler ........ 242
Creating a Wildcard Certificate for Internal Resource Access ........ 243
To Create a Wildcard Certificate for the Domain ........ 243
Discussion Question ........ 245
Creating a Certificate Signed by a Third-Party Certificate Authority ........ 245
To Create a Public Certificate for the NetScaler ........ 245
Load Balancing StoreFront Servers ........ 247
To Load Balance StoreFront Servers ........ 248
Configuring NetScaler for Remote Access ........ 250
To Create a Service Account for LDAP Authentication and the Security Group for Remote Access ........ 250
Configuring Active Directory Integration ........ 252
To Configure Active Directory Integration with NetScaler ........ 252
Redirecting HTTP Requests for StoreFront ........ 254
To Redirect HTTP Requests for StoreFront ........ 254
Discussion Question ........ 255
Modifying StoreFront to Integrate with NetScaler ........ 255
To Modify StoreFront to Work with NetScaler ........ 255
Discussion Question ........ 256
Creating Beacons ........ 256
To Create a Beacon Point ........ 256
Enabling Remote Access to the Store ........ 257
To Enable Remote Access to the Store ........ 257
fo
e
al
es
rr
or
st di
n
io
ut
rib
© Copyright 2015 Citrix Systems, Inc.
11
Propagating Settings to the StoreFront Server Group ............................................................................................ 258 To Propagate the StoreFront Settings ................................................................................................................... 258 Discussion Question .............................................................................................................................................. 258 Configuring ICA Proxy ........................................................................................................................................... 258 To Configure the NetScaler for ICA Proxy .............................................................................................................. 259 Discussion Question .............................................................................................................................................. 260 Configuring Pre-Authentication Policies ................................................................................................................. 260 Enabling XML Service Trust ................................................................................................................................... 261 To Enable XML Service Trust ................................................................................................................................. 261 Configuring a Pre-Authentication Policy ................................................................................................................. 261 To Configure a Pre-Authentication Policy ............................................................................................................... 262 Discussion Question .............................................................................................................................................. 
263 Configuring NetScaler for Email-Based Account Discovery .................................................................................... 263 To Configure NetScaler for Email-Based Account Discovery ................................................................................. 263 Testing Access through NetScaler ......................................................................................................................... 263 To Test HTTP Redirection Requests for StoreFront Servers .................................................................................. 263 To Test External Access to the Environment .......................................................................................................... 264 To Test a Pre-Authentication Policy ....................................................................................................................... 266 Reinforcement Exercise: Scanning an Endpoint for a File ....................................................................................... 267
Credits
Instructional Designer:
John Spina, Karla Stagray
Product Specialist:
Evin Safdia
Graphic Artist:
Tyler Fromma, Andres Mungarrieta
Managers:
Leslie Keelan, Brad Moczik, Patrick Quinlan
Editor:
Kathryn Morris
Translation Project Manager:
Tanya Brice
Publication Services:
Dustin Clark, Adrianna Cournoyer
CCI Enablement:
Christy Vega
Subject Matter Expert:
Jeff Apsley, Justin Apsley, Allen Furmanski, Dave Gunn, James Hsu, David Jimenez, Arnd Kagelmacher, Christopher Rudolph, Stacy Scott, Mark Simmons, Elisabeth Teixeira
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this publication. Citrix specifically disclaims any expressed or implied warranties, merchantability or fitness for any particular purpose. Citrix reserves the right to make any changes in specifications and other information contained in this publication without prior notice and without obligation to notify any person or entity of such revisions or changes.
© Copyright 2015 Citrix Systems, Inc. All Rights Reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without express written permission of:
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309 USA
http://www.citrix.com
The following marks are service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.
Mark | Owner
Adobe®, Flash®, Reader®, Acrobat® | Adobe Systems Incorporated
Apache® | Apache Micro Peripherals, Inc.
iPhone™, Mac®, QuickTime™, iPad™ | Apple, Inc.
Branch Repeater™, Citrix®, Citrix Access Gateway™, Citrix Authorized Learning Center™, Citrix Certified Administrator™, Citrix Certified Enterprise Administrator™, Citrix Certified Integration Architect™, Citrix Education™, Citrix Receiver™, EdgeSight®, HDX™, ICA®, NetScaler®, MyCitrix™, XenApp™, XenDesktop®, Provisioning Services™, XenCenter™, SpeedScreen™, CitrixReady®, Citrix Developer Network™, XenServer®, SecureICA®, Citrix Workflow Studio™, Citrix Merchandising Server™ | Citrix Systems, Inc.
HP®, OpenView®, LaserJet™ | Hewlett-Packard Development Company, L.P.
Chromebook™, Android™ | Google, Inc.
Blackberry® | Research in Motion
Intel®, Xeon® | Intel Corporation
Linux® | Linus Torvalds
Active Directory®, Internet Explorer®, Microsoft®, SQL Server®, Windows®, Windows Mobile®, Windows Server®, Win32™, Access®, Excel®, Outlook®, PowerPoint®, Office®, Windows 7™, Windows XP™, Visual J#™, Windows Vista®, SharePoint™, Remote Desktop Services®, PowerShell® | Microsoft Corporation
Firefox®, Mozilla® | Mozilla Corporation
Novell®, Novell Directory Services®, NDS® | Novell, Inc.
UNIX® | The Open Group
Oracle® | Oracle Corporation
Pearson VUE® | Pearson Education, Inc.
RealPlayer® | RealNetworks, Inc.
RC5™, RSA™ | RSA Data Security, Inc.
Secure Computing®, SafeWord® | Secure Computing Corporation
SecurID® | Security Dynamics Technologies, Inc.
Java®, JavaScript® | Sun Microsystems, Inc.
Toolwire® | Toolwire
VMWare®, ESX Server® | VMware, Inc.
Other product and company names mentioned herein might be the service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.
Module 1
Understanding the XenDesktop Architecture
Understanding the XenApp and XenDesktop Architecture
Overview
XenApp and XenDesktop empower you to deliver on-demand virtual desktops and applications anywhere your end users work, anywhere your business takes you, to any type of device, bringing unprecedented flexibility and mobility to a workforce. This release of XenApp and XenDesktop unifies hosted applications and Server OS machines (XenApp functionality) with personalized desktops (XenDesktop functionality) within a single architecture and management experience.
XenApp comes in three editions: Advanced, Enterprise and Platinum. XenDesktop comes in three editions: VDI Edition, Enterprise Edition (supports all XenDesktop virtualization technologies), and Platinum Edition (supports all XenDesktop virtualization technologies and includes Cloud functionality).
By the end of this module, you will be able to:
• Identify differences between XenApp and XenDesktop.
• Identify new and deprecated features.
• Explain the various ways in which Citrix XenApp and XenDesktop can be configured to provide desktops and applications to your end users.
• Identify the infrastructure components of a XenApp and XenDesktop implementation.
• Identify the Citrix components of a XenApp and XenDesktop implementation.
• Summarize the process used to design a XenApp and XenDesktop implementation.
• Interpret the information provided in a XenApp and XenDesktop Design document.
Module timing: 1.5 hours
XenApp or XenDesktop
XenApp and XenDesktop share a common architecture, in which one or more Delivery Controllers broker user connections to sessions. Users connect to XenApp and XenDesktop sessions using the Citrix HDX protocol (formerly known as ICA).
Sessions are hosted on physical or virtual machines running the Citrix Virtual Delivery Agent (VDA). A VDA can be installed on Server OS and Desktop OS machines. The operating system on which you can run the VDA and the type of sessions supported depend on whether you bought XenApp or XenDesktop. The following tables identify the types of machines and sessions available per product edition.
VDA Chart
Machine type | XenApp Advanced | XenApp Enterprise | XenApp Platinum | XenDesktop VDI | XenDesktop Enterprise | XenDesktop Platinum
Server OS Machines | X | X | X | | X | X
Desktop OS Machines | | | | X* | X | X
Sessions Chart
Session type | XenApp Advanced | XenApp Enterprise | XenApp Platinum | XenDesktop VDI | XenDesktop Enterprise | XenDesktop Platinum
Server OS Hosted Desktop | X | X | X | | X | X
Server OS Hosted Applications | X | X | X | | X | X
Desktop OS Desktop | | | | X | X | X
Desktop OS Applications | | | | X | X | X
*XenDesktop VDI does not support the use of physical machines. Additional features and FlexCast models become available in the editions as you move from left to right in the table. For a complete list of features, see the XenDesktop 7.6 and XenApp 7.6 Features and Entitlement document at http://www.citrix.com/go/products/xendesktop/feature-matrix.html.
New Features
This release of XenApp and XenDesktop includes the following new features:
• Session prelaunch and session linger - These features enhance the user experience by starting sessions before they are requested (session prelaunch) and keeping sessions active for a period of time after users close the applications (session linger). These features are supported on Server OS machines only.
• Support for unauthenticated users - This feature (formerly known as anonymous users in XenApp) allows administrators to grant access to sessions on Server OS machines to users with no credentials.
• Connection leasing - This feature extends the Delivery Site database connection requirements beyond platform redundancy by enabling Delivery Controllers to continue to broker users to the resources the users most often request even when the site database is unavailable.
• Application folders - This feature allows administrators to organize the applications created by Delivery Groups within Citrix Studio. Using the Applications tab, administrators can nest application organization into multiple tiers.
• XenApp 6.5 migration - This feature enables administrators currently supporting a XenApp 6.5 farm to move to a XenApp 7.6 site with a quick and efficient transition. Migration allows administrators to perform in-place upgrades of existing XenApp 6.5 workers to XenApp 7.6 Server OS machines running the VDA. For more information, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-upgrade-existing-environment/xad-xamigrate.html.
• Citrix Customer Experience Improvement Program - This program allows administrators to work directly with Citrix in design and development contributions. Enrollment allows Citrix to collect anonymous information about the deployment. For more information, see http://www.citrix.com/cms/ws/ceip/.
• Enhanced connection throttling settings - This feature optimizes the virtual machine performance for a site by limiting actions, inventory updates, and other occurrences over the host connection to the hypervisor.
• Enhanced reporting in Studio - This feature adds additional details about the action status, error reporting, licensing and more to Studio.
• SSL/TLS - This feature enables administrators to configure these secure protocols on the machines running the VDA.
• Virtual IP and virtual loopback - This feature enables administrators to centralize applications that require unique IP addresses on XenApp and XenDesktop servers running a server OS and VDA.
• Remote PC Access - This feature has been optimized to enable administrators to prevent local users from disconnecting a remote session without the permission of the remote user.
• Citrix Director - This tool has been expanded to include clickable navigation between User Details, Machine Details, Endpoint Details and Anonymous Sessions. In addition, it has been optimized to further assist support staff in gathering detailed information about a user session when opening support tickets. Optimizations include:
  • Licensing alerts to assist support staff in further awareness of issues that impact user connections.
  • View hosted application usage to allow support staff to view per Delivery Group lists of users who have access to applications and view who is currently using an application.
  • Monitor hotfixes to allow support staff to view specific hotfixes per machine with the VDA installed.
  This release of Citrix Director cannot be used to support sessions on versions of XenApp older than XenApp 6.5.
• AppDNA 7.6 - This tool assists administrators in the migration of applications to new implementations through rapid analysis, automated application remediation and packaging, and daily application management.
• Citrix StoreFront 2.6 - This component has been updated to include the following optimizations:
  • My Apps Folder View in Receiver for Web - This feature assists users during the transition from Web Interface to StoreFront by allowing applications to be organized into folders.
  • Kerberos constrained delegation for XenApp 6.5 - This feature enables pass-through authentication and eliminates the need for endpoints to run Windows with Receiver.
  • Single Fully Qualified Domain Name (FQDN) access - This feature gives administrators the ability to give resource access internally and externally with a single FQDN.
  • XenApp Services Support smart card authentication - This feature enables administrators to provide support for smart card access without requiring specific versions of Receiver and operating systems.
  • Receiver for Android, iOS, and Linux smart card authentication - This feature enables local and remote use of smart cards for access to applications and desktops.
  • Extensible authentication - This feature provides a single customization point to be used with Worx Home and Receiver for Web to authenticate with XenMobile, XenApp and XenDesktop for internal and external access scenarios.
• Citrix Connector 7.5 - This feature provides a bridge between Microsoft System Center Configuration Manager and XenApp or XenDesktop to extend the use of Configuration Manager to Citrix environments.
• Receiver for Chrome and Receiver for HTML5 - These components were updated to include the ability to:
  • Convert documents to PDF and view them on a local device or print them to locally attached printers.
  • Provide end-user metrics.
  • Track license usage for hosted applications.
  • Utilize additional clipboard operations.
• HDX Real-Time Optimization Pack 1.5 for Microsoft Lync - This feature enables administrators to support Lync certified USB phones, mixed Lync 2010 clients and Lync Server 2013 configuration, and asynchronous upgrades.
Deprecated Features
Some functionality that was available in previous releases of XenApp and XenDesktop is not available in this release. The deprecated features include:
• Secure ICA encryption below 128-bit - HDX (formerly known as ICA) has always supported encryption, but this minimum level of encryption is no longer sufficient.
• Legacy printing - Operating system incompatibilities make the following printing features unavailable:
  • DOS clients, 16-bit printers, and legacy client printer names.
  • Printers connected to Windows 95 and NT operating systems, enhanced and extended printer properties, and Win32FavorRetainedSetting.
  • Ability to enable or disable auto-retained and auto-restored printers.
  • The DefaultPrnFlag registry setting for Server OS.
• Secure Gateway - This component served releases of XenApp and XenDesktop prior to 7.x as a secure software proxy for HDX (ICA). This functionality is now available in NetScaler Gateway, which can be implemented as a VPX.
• Shadowing users - This functionality is now provided using Windows Remote Assistance and can be initiated from Citrix Director.
• Power and Capacity Management - This feature was used to power manage virtual machines to lower the power costs during off-peak usage times. This functionality is now available through Microsoft Configuration Manager.
• Flash v1 Redirection - This feature allowed devices to render client-side Flash locally when possible. Version 1 has been replaced by version 2, which provides the same functionality and supports second-generation Flash.
• Local Text Echo - This feature was used with earlier Windows application technologies as a session optimization feature when user sessions were impacted by latency. Because of the graphics subsystem and HDX Super Codec included with the VDA, this feature is no longer needed.
• Smart Auditor - This feature enabled the recording of user sessions to video files for viewing later. This feature was removed due to lack of demand.
• Single Sign-On (Password Manager) - This feature supports single sign-on to Windows, Web, and Terminal-emulated applications. This feature still works with Windows Server 2008 R2 and Windows 7 implementations, but is not available for Windows Server 2012 and Windows 8 implementations due to dependencies on the operating systems.
• Oracle database support for XenApp and XenDesktop databases has been removed. Citrix chose to simplify the platform by consolidating all Citrix database requirements for XenApp, XenDesktop and their supporting features to one platform, Microsoft SQL.
• Health Monitoring and Recovery (HMR) was a built-in feature designed to assist administrators in monitoring mission-critical Citrix services running on machines hosting user sessions. This was in lieu of having a central means of managing farms and sites. Citrix Director now provides insight into the entire infrastructure from a central console.
• Custom ICA files enabled administrators to give users direct access to applications and desktops by bypassing both Web Interface and the Zone Data Collector. This feature is still available in XenApp 7.x, but is disabled by default. A custom ICA file can still be used for troubleshooting and for direct user connections when the Delivery Controller is unavailable. Citrix recommends that you direct all user connections through StoreFront.
• Management Pack for System Center Operations Manager (SCOM) 2007 is not supported on 7.x releases.
• CNAME function was enabled by default prior to XenApp 7 and XenDesktop 7 to assist with FQDN re-routing. In subsequent 7.x versions of XenApp and XenDesktop, the Delivery Controller auto-update replaced the CNAME function because it can dynamically update the list of Delivery Controllers and notify the distributed VDAs when Delivery Controllers both join and leave the Delivery Site. Some administrators prefer to use the CNAME function. Those administrators can use a Citrix policy to disable the dynamic updates and can re-enable the CNAME function in the registry.
• Quick Deploy wizard was a XenDesktop 5.x feature designed to quickly create a Delivery Site and all of the server components, including the catalog, Delivery Groups and more, using one wizard. This wizard was created to enable administrators to quickly set up a proof-of-concept deployment. Quick Deploy Delivery Sites had limitations and could not be scaled. The refined configuration and workflow in XenDesktop 7.x renders this legacy deployment wizard unnecessary.
• Remote PC Service configuration file and PowerShell script for automatic administration were deprecated because Remote PC is now integrated into Studio and the Delivery Controller with support for Wake-on-LAN.
• Workflow Studio was a management feature that allowed administrators to manage multiple workflows (also known as sets of code or scripts) from a Windows Server management console. This feature was removed due to lack of demand.
Discussion Question
An administrator at a local company was tasked with implementing a Citrix solution to host user resources centrally and securely in the datacenter, enabling users to access resources from any user device over any Internet connection. The users require access to the Microsoft Office Suite and a Windows 8.1 desktop. Which Citrix products and editions can the administrator purchase and implement to meet the needs of this scenario?
XenApp and XenDesktop Virtualization Technologies
Different types of end users need different types of processing environments. Some end users may require simplicity and standardization, while others may require high levels of performance and personalization. Implementing a single virtualization model across an entire organization may lead to end-user frustration and reduced productivity. Instead, organizations need to identify the functionality that is required and understand the technical differences between the various processing environments and the virtualization components that provide that environment.
Discussion Question
What are some advantages of integrating hosted applications and desktops into a single architecture?
Hosted Applications
With the Hosted Applications model, end users may not be provided with a virtual desktop; instead, Windows applications are centralized in the datacenter and instantly delivered through a multi-channel protocol. Hosted applications can be provided to connected end users or configured to use Microsoft App-V technology to stream to end users for offline use. The Citrix version of application streaming is not supported in XenDesktop 7.6.
Hosted applications on a Desktop OS were formerly known as VM Hosted Apps. Hosted applications on a Server OS were formerly known as published applications.
Discussion Question
How can end users access hosted applications?
Server OS Machines
A Server OS machine was formerly known as a published desktop in Citrix XenApp 6.5. With the Server OS machine model, multiple desktop sessions are hosted on a single server-based operating system. The Server OS machine model provides a low-cost, high-density solution. Applications must be compatible with a server-based operating system. In addition, because multiple users are sharing a single operating system, end users are restricted from performing actions which may negatively affect other end users, for example installing applications, changing system settings, and restarting the operating system.
Discussion Question
How can end users access Server OS machines?
Desktop OS Machines
With the Desktop OS machine model, each end user is provided with a full desktop operating system, which provides administrators with a granular level of control over the number of virtual processors and memory assigned to each desktop.
Desktop OS machines can be delivered as:
• Random Desktops, which are based on a single master image and provisioned using Citrix Machine Creation Services or Citrix Provisioning Services. End users are dynamically connected to one of the desktops in the pool each time they log on. Changes to the desktop image are lost when the machine is restarted.
• Static Desktops, which are based on a single master image and provisioned using Citrix Machine Creation Services or Citrix Provisioning Services. End users are administratively assigned a virtual desktop or are allocated a virtual desktop on first access. Once assigned, end users will always be connected to the same virtual desktop. Changes to the desktop image are lost when the machine is restarted unless persistent write cache or Personal vDisk is implemented. If high availability/persistence of the end user's desktop personalization settings is required, use Static with Personal vDisk Desktops.
• Static with Personal vDisk Desktops, which are based on a single master image and provisioned using Citrix Machine Creation Services (MCS) or Provisioning Services (PVS). End users are administratively assigned a virtual desktop or are allocated a virtual desktop on first access. Once assigned, end users will always be connected to the same virtual desktop. Changes to the desktop are stored on a Personal vDisk and retained between restarts. Desktops with a Personal vDisk cannot be shared between multiple end users; each end user requires their own desktop. If high availability/persistence of the end user's desktop personalization settings is required, the Personal vDisk must be stored on shared storage.
• Existing, which refers to virtual desktops created from a manual build, a hypervisor template, cloning, or third-party tools. They are not created using Citrix Machine Creation Services (MCS) or Citrix Provisioning Services (PVS). These desktops must be managed manually with third-party desktop management tools.
Desktop OS machines are delivered on a first-come, first-served basis. An end user may get a different desktop each time they log on.
Discussion Question
How can end users access Desktop OS machines?
Remote PC Access
With Remote PC Access, end users are provided access to their physical workplace computers or laptops remotely using the Citrix HDX protocol. This allows businesses to quickly benefit from a flexible work style without implementing virtual desktops. Remote PC Access can be used as a stepping stone towards a full XenDesktop virtualization implementation. When a company is ready, an established Remote PC Access environment can be converted to a full XenDesktop virtualization infrastructure. Specialized physical computers such as CAD workstations, video editors, and high-security devices that need physical FOBs for licensing and classified content are perfect candidates for Remote PC Access.
Discussion Question
• What do you need to configure for the Delivery Controller to enable Remote PC Access?
• What do you need to install on the office PC to enable Remote PC Access?
• What do you need to install on the endpoint to enable Remote PC Access?
Streamed VHD
With the Streamed VHD model, Provisioning Services provides desktop workloads based on a master image (either shared or private) for each hardware type. In shared mode, changes to desktops are lost upon startup.
The Streamed VHD model allows any desktop workload to be run locally on the endpoint hardware. Streamed VHD is a great solution for high-end hardware because it allows an existing corporate investment in high-end hardware to be used as an asset in the XenDesktop environment. Streamed VHD requires a LAN connection between the desktop and the server running Provisioning Services. The Provisioning Services server can be physical or virtual. If you only have one Provisioning Services server, make it a physical Provisioning Services server. If all end user hardware is similar, then you can use a common VHD. Each VHD must be customized to match the hardware of the endpoint.
Discussion Question
The Streamed VHD model allows you to use the computing power of the endpoint while still using desktop virtualization. In order to use this computing power, what must the desktop image contain?
Local VM
© Copyright 2015 Citrix Systems, Inc.
Module 1: Understanding the XenDesktop Architecture
27
XenDesktop (Enterprise and Platinum editions) includes the following Local VM solutions, which allow administrators to deliver desktops to users with offline capabilities while still managing and enforcing security and synchronizing backups:
• XenClient works with PC-based laptops and desktops.
• DesktopPlayer works with MacBooks.

XenClient consists of two components:
• The XenClient Engine runs on the user's laptop or computer as a Type 1 (bare-metal) hypervisor that allows VMs to operate the computer's hardware.
• The XenClient Synchronizer runs on a server and allows administrators to centralize and manage all distributed virtual machines. A single Synchronizer can administer hundreds of XenClient Engines.

DesktopPlayer consists of two components:
• DesktopPlayer for Mac runs on the user's MacBook as a Type 2 (hosted) hypervisor and enables Windows VMs to run on a Mac host computer.
• The Synchronizer runs on a server and allows administrators to centralize and manage all distributed virtual machines. A single Synchronizer can control multiple DesktopPlayer machines.

The same Synchronizer management infrastructure is used for both XenClient and DesktopPlayer. You cannot move a virtual machine from XenClient to XenServer or from XenServer to XenClient. For more information, see www.citrix.com/xenclient and www.citrix.com/desktopplayer.

You can create a VM and use the Synchronizer to deploy it to multiple XenClient devices. In addition, you can use the Synchronizer to redeploy an image to similar hardware if a laptop is compromised, lost, or stolen. All VMs must be created on the XenClient platform: a master image created in XenDesktop cannot be copied into the Synchronizer because that master image (VDI) depends on DOM0 to reach most of its resources, whereas in a XenClient deployment each VM communicates directly with the hardware for all assets through the XenClient tools. The XenClient tools must be installed on every VM on the laptop to give it access to all hardware assets.
Discussion Question
What is the purpose of XenClient, Receiver, and Synchronizer in the Local VM model?
Local Application Access
With the Local Application Access model, end users are provided with a Server OS machine or Desktop OS machine delivered full screen. The end users have applications installed locally on the endpoint that they want to use within their virtual desktop. Local Application Access makes those locally installed applications available on the virtual desktop and in its Start menu even when the desktop is running in locked-down full-screen mode. When the end user launches a local application from the virtual desktop, the application window appears in the desktop session window even though it is actually running on the endpoint. This is ideal for use cases where desktops are delivered full screen and end users want to work simultaneously with local applications such as iTunes, CD burning software, video conferencing software, games, and more.

To use Local Application Access, Citrix Receiver must be installed on the endpoint; the feature is enabled by default in Receiver. On the XenApp and XenDesktop side it is disabled by default: you must enable it with the Allow Local App Access (HDX) policy applied to the Server OS and Desktop OS machines, and then publish the local applications through a Delivery Group in Studio.

Discussion Question
What is an advantage of providing Local Application Access to end users rather than installing the applications on the virtual desktop?
Infrastructure Components
A XenApp and XenDesktop implementation is only as good as the configuration of the infrastructure components on which it is built. Anyone tasked with deploying XenApp and XenDesktop in an environment must understand the purpose of each component in that infrastructure as it relates to XenApp and XenDesktop, and how the configuration of the infrastructure components affects the XenApp and XenDesktop implementation.
During this course, you will build an environment, similar to that shown in the following graphic, to produce a pilot implementation of XenApp and XenDesktop. The pilot implementation will configure hosted applications, Server OS machines, and Desktop OS machines for the Accounting, Human Resources, and IT departments at the hospital. To accomplish this, you must set up not only the Citrix components and resources, but configure the infrastructure that will support the deployment.
The following infrastructure components play a key role in the XenApp or XenDesktop solution:
Domain Controller
The domain controller is a Windows server on which the Active Directory Domain Services role is installed. Its role in a XenApp and XenDesktop solution is to maintain information about the objects (OUs, servers, groups, policies, and end users) in the domain and to authenticate and authorize access to the domain. To ensure that the domain controller service is highly available in your XenApp or XenDesktop solution, configure at least two servers as domain controllers, each with a static IP address.

DNS
The DNS server role can be installed on the domain controller in a domain. Its role in a XenApp and XenDesktop solution is to resolve computer names to the IP addresses assigned to the computers, so that communication addressed to a computer name reaches the correct IP address. To ensure that DNS is highly available in your XenApp or XenDesktop solution, configure at least two servers with the DNS server role.

DHCP
The DHCP server role can be installed on a Linux or Windows server. Its role in a XenDesktop solution is to manage IP addresses and assign them automatically to the computers in the environment that do not have statically assigned addresses. DHCP is also used by the Provisioning Services component of XenDesktop (target devices obtain their IP address and PXE boot information through DHCP). To ensure that the DHCP service is highly available in your XenApp and XenDesktop solution, configure at least two servers with the DHCP server role.

Certificate Authority
The Certificate Authority role can be installed on a Windows server. Its role in a XenApp and XenDesktop solution is to issue digital certificates that validate the identity of a computer. An internal Certificate Authority can be used to issue certificates to components behind the firewall. Components located in the DMZ and outside the domain should use certificates issued by an external (publicly trusted) Certificate Authority, because external endpoints do not trust the internal CA. To ensure that the Certificate Authority is highly available, configure it as a cluster. Deploying multiple Certificate Authorities instead of clustering them only provides redundant enrollment services; it does not allow recovery of the issued certificates (the CA database) if a single node fails.

File Server
A file server is a network-accessible server that provides a centralized location for storing data files. Its role in a XenApp and XenDesktop solution is to host end-user profiles and the redirected folders for end-user data in the environment. To ensure that your end users' profiles, data files, and redirected folders are highly available, configure at least two servers in the file server role through a DFS share or, optimally, through a file server cluster.
SQL Server
SQL Server is a relational database management system that can be installed on a Windows server. Its role in a XenApp and XenDesktop solution is to store the Site, configuration logging, and monitoring data for the implementation. By default, XenApp and XenDesktop create the required databases on the SQL Server. SQL Server Express cannot be configured for high availability, so install and configure a full SQL Server edition for use with XenApp and XenDesktop. To ensure that the XenApp and XenDesktop databases are highly available, configure two SQL Servers and a witness for mirroring, or configure two or more SQL Server 2012 (or later) servers to use the AlwaysOn availability group functionality.
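The redundancy requirements in the domain controller, DNS, DHCP, and SQL Server rows above can be verified before any Citrix component is installed. The following PowerShell script is an added example written for this edit, not part of the Citrix course. It assumes the lab domain name training.lab, a SQL Server instance named SQL01 that hosts a Site database named CitrixSite, WinRM access to the domain controllers, and that the ActiveDirectory, DnsClient, DhcpServer, and SQLPS modules are available on the machine running it; all of those names are assumptions.

```powershell
# Added example (not from the Citrix course): verify that the infrastructure roles
# listed above are redundant before XenApp and XenDesktop are installed.
# Assumed lab values (change for your environment): domain training.lab, SQL Server
# instance SQL01, Site database CitrixSite. Requires the ActiveDirectory, DnsClient,
# DhcpServer and SQLPS modules, and WinRM access to the domain controllers.
Import-Module ActiveDirectory
Import-Module DhcpServer
Import-Module SQLPS -DisableNameChecking

$domain       = 'training.lab'
$sqlInstance  = 'SQL01'
$siteDatabase = 'CitrixSite'
$findings     = @()

function Add-Finding([string]$Component, [bool]$Ok, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Component = $Component; OK = $Ok; Detail = $Detail }
}

# Domain controllers: at least two, and none of them obtaining its address from DHCP.
$dcs = @(Get-ADDomainController -Filter * -Server $domain)
Add-Finding 'Domain Controller' ($dcs.Count -ge 2) ("{0} DC(s): {1}" -f $dcs.Count, ($dcs.HostName -join ', '))
foreach ($dc in $dcs) {
    $dynamic = @(Get-NetIPInterface -CimSession ([string]$dc.HostName) -AddressFamily IPv4 |
        Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' })
    Add-Finding 'Domain Controller' ($dynamic.Count -eq 0) ("{0} uses a static IPv4 address: {1}" -f $dc.HostName, ($dynamic.Count -eq 0))
}

# DNS: at least two name servers authoritative for the domain.
$nameServers = @(Resolve-DnsName -Name $domain -Type NS | Where-Object { $_.Type -eq 'NS' })
Add-Finding 'DNS' ($nameServers.Count -ge 2) ('NS records: ' + ($nameServers.NameHost -join ', '))

# DHCP: at least two servers authorized in Active Directory.
$dhcpServers = @(Get-DhcpServerInDC)
Add-Finding 'DHCP' ($dhcpServers.Count -ge 2) ('Authorized DHCP servers: ' + ($dhcpServers.DnsName -join ', '))

# SQL Server: not an Express edition, and the Site database either mirrored with a
# connected witness or hosted by an AlwaysOn availability group with two or more replicas.
$edition = (Invoke-Sqlcmd -ServerInstance $sqlInstance -Query "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Edition')) AS Edition").Edition
Add-Finding 'SQL Server' ($edition -notlike 'Express*') "Edition: $edition"

$mirror = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query @"
SELECT mirroring_state_desc, mirroring_witness_state_desc, mirroring_partner_instance
FROM sys.database_mirroring WHERE database_id = DB_ID('$siteDatabase')
"@
$mirrored = ($mirror.mirroring_state_desc -eq 'SYNCHRONIZED') -and ($mirror.mirroring_witness_state_desc -eq 'CONNECTED')

$replicas = 0
try {
    # This DMV exists only on SQL Server 2012 and later; queried on the primary
    # replica it returns one row per replica hosting the database.
    $replicas = (Invoke-Sqlcmd -ServerInstance $sqlInstance -ErrorAction Stop -Query @"
SELECT COUNT(*) AS Replicas
FROM sys.dm_hadr_database_replica_states
WHERE database_id = DB_ID('$siteDatabase')
"@).Replicas
} catch { $replicas = 0 }

Add-Finding 'SQL Server' ($mirrored -or ($replicas -ge 2)) ("Mirroring: {0}; witness: {1}; AlwaysOn replicas: {2}" -f $mirror.mirroring_state_desc, $mirror.mirroring_witness_state_desc, $replicas)

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.OK }) { exit 1 }
```

Run it from a domain-joined management workstation; a non-zero exit code means at least one of the table's high-availability recommendations is not met, and the Detail column names the server or database concerned.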
Storage
Storage is required to store the VMs, ISOs, vDisks, Personal vDisks, and write cache in your XenApp and XenDesktop implementation. Types of storage include:
• Local: storage on the hard drive of a system
• Shared: storage that is network accessible
Both types of storage are required to implement XenApp and XenDesktop. Storage is made available to the implementation through the hypervisor. To ensure that storage is highly available, follow the best practices of the hypervisor and storage vendors to implement and manage the storage.

Hypervisor
A hypervisor is responsible for low-level tasks such as CPU scheduling and memory isolation for VMs. The hypervisor abstracts the hardware from the VMs. XenApp and XenDesktop can run on a Citrix XenServer, Microsoft Hyper-V (through System Center Virtual Machine Manager), or VMware hypervisor platform. To ensure that your XenApp and XenDesktop implementation is highly available, configure the selected hypervisor on more than one server and configure your VMs to be agile. Agile means that VMs can be moved from host to host.

(Optional) Key Management Services (KMS) License Server
The KMS License Server provides a way to automatically activate volume license editions of Microsoft products, removing the need for end users to provide licensing information or to connect to a Microsoft activation server. This is important in a XenApp and XenDesktop environment because desktops are provisioned on demand. A KMS client key is embedded in Microsoft products. Installing individual licenses on VMs with a Multiple Activation Key (MAK) is another way to activate Microsoft product licenses. With MAK licensing, computers running Microsoft software must connect to a Microsoft activation server at least once. MAK licensing is not supported by XenApp and XenDesktop 7.5 when using MCS. The KMS License Server service can be placed on a server that provides other services in the environment.
Endpoints
An endpoint is any device that the end user touches and can support the use of the Citrix Receiver or the Receiver for Web site to access XenApp and XenDesktop resources. This includes PCs, Macs, laptops, servers, and mobile devices running a variety of operating systems. Endpoints can be located inside the network or be external to the network.
Print Server
A print server is a server that accepts print jobs from networked computers for one or more printers. In addition, it queues the print job and sends it to the correct print device in the network. This enables multiple computers to use a printer and eliminates the need for each computer to have a printer physically attached to it. To ensure that the print server function is highly available in your XenApp and XenDesktop solution, you should configure at least two print servers in a cluster.
A print server may need to be restarted in order to restart the Print Spooler. Therefore, the Windows Print Services role should not be installed on a server that must always be available.
Demilitarized Zone (DMZ) or Perimeter Network
The DMZ is a network segment between two firewalls: one firewall protects the internal network from the DMZ and the other protects the DMZ from the external network. Some XenApp and XenDesktop components (typically NetScaler) are located in the DMZ and the rest are located in the internal network. StoreFront can be deployed in either the internal network or the DMZ. To ensure the security of your internal network, consult a security expert when configuring your DMZ.

This course takes you through the steps required to set up a basic infrastructure to host a XenApp and XenDesktop implementation. To ensure the security and performance of your implementation, follow Microsoft guidelines, your corporate guidelines, your customized XenApp and XenDesktop Design document, and the advice of a security professional before rolling your implementation out to a production environment.

Discussion Question
In the lab environment, you will use a single firewall that places the internal, DMZ, and external networks on different network interfaces. This configuration is not optimal for a production environment. What are some weaknesses of this solution and how might you improve the security?
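One way to reduce the exposure the discussion question asks about, whatever the number of physical firewalls between the zones, is to scope the inbound rules on each internal Citrix server so that only the NetScaler in the DMZ (plus the internal networks that legitimately need the service) can reach its ports, instead of every host in the DMZ. The following PowerShell script is an added example written for this edit, not from the Citrix course. It assumes a NetScaler subnet IP of 10.10.20.5 in the DMZ, an internal network of 10.10.30.0/24, Windows Server 2012 R2 hosts, and the XenDesktop 7.6 default TCP ports (443 on StoreFront and the Controllers, 80 on the Controllers for VDA registration and unencrypted XML, 1494 and 2598 on the VDAs); the addresses, rule names, and group name are assumptions.

```powershell
# Added example (not from the Citrix course): narrow the inbound rules on an
# internal Citrix server so that its DMZ-facing ports are reachable only from the
# NetScaler SNIP and from internal networks, never from the whole DMZ.
# Assumptions: NetScaler SNIP 10.10.20.5, internal network 10.10.30.0/24, XenDesktop
# 7.6 default TCP ports. Run elevated on Windows Server 2012 R2 (NetSecurity module).

$rolePorts = @{
    'StoreFront' = @(443)          # Receiver and NetScaler to StoreFront (HTTPS)
    'Controller' = @(80, 443)      # 443: XML/STA over TLS; 80: VDA registration, plain XML
    'VDA'        = @(1494, 2598)   # ICA and CGP (session reliability)
}

# The weak setting: an inbound allow rule for one of the ports whose remote scope
# is Any. Installer-created rules look like this, and behind a three-legged
# firewall they let every DMZ host, not only NetScaler, reach the service.
function Get-BroadInboundRules([int[]]$Ports) {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }
        $opens  = @($portFilter.LocalPort) | Where-Object { $Ports -contains ($_ -as [int]) }
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($opens -and (@($remote) -contains 'Any')) { $rule }
    }
}

function Set-CitrixDmzScope {
    param(
        [Parameter(Mandatory)][ValidateSet('StoreFront', 'Controller', 'VDA')][string]$Role,
        [string[]]$InternalSubnets = @('10.10.30.0/24'),   # clients, VDAs, StoreFront, Controllers
        [string]$NetScalerSnip = '10.10.20.5'
    )
    $ports = $rolePorts[$Role]
    $scope = @($NetScalerSnip) + $InternalSubnets

    # Default-deny inbound on every profile; only explicit allow rules then matter.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

    $broad = @(Get-BroadInboundRules -Ports $ports)
    foreach ($rule in $broad) {
        # Keep the existing rule but restrict its remote scope (the corrected setting).
        $rule | Set-NetFirewallRule -RemoteAddress $scope
    }
    if ($broad.Count -eq 0) {
        foreach ($port in $ports) {
            New-NetFirewallRule -DisplayName "$Role TCP $port (scoped)" -Group 'Citrix DMZ scoped' `
                -Direction Inbound -Protocol TCP -LocalPort $port -RemoteAddress $scope -Action Allow | Out-Null
        }
    }

    # Report every enabled allow rule that still opens one of the role's ports, and from where.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $opens = @($portFilter.LocalPort) | Where-Object { $ports -contains ($_ -as [int]) }
        if ($portFilter.Protocol -eq 'TCP' -and $opens) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                LocalPort     = (@($portFilter.LocalPort) -join ',')
                RemoteAddress = (@(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
            }
        }
    }
}

# Example: on a VDA, ICA and CGP become reachable only from NetScaler and the internal network.
Set-CitrixDmzScope -Role VDA
```

The report at the end is the check: any rule still listing Any in the RemoteAddress column for one of the role's ports means a DMZ host other than NetScaler can reach that service. The internal subnets stay in scope because VDA registration on the Controllers and direct ICA launches from internal clients must keep working.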
Citrix Components
It is important that anyone tasked with deploying XenApp and XenDesktop in an environment understand the purpose of each Citrix component in that implementation. The following Citrix components play a key role in a XenApp and XenDesktop solution.
(Optional) Citrix XenServer
XenServer is a server virtualization platform (hypervisor) that offers near bare-metal virtualization performance for a XenApp and XenDesktop implementation. It allows each virtual machine to run isolated from other virtual machines on the server. A hypervisor is required for XenApp and XenDesktop. Microsoft Hyper-V (through System Center Virtual Machine Manager) or VMware can be used as the hypervisor instead of XenServer, if desired. To ensure high availability, you should use the clustering capability of the chosen hypervisor.
(Optional) Citrix XenCenter
The selected hypervisor requires a management console. The management console you use depends on the hypervisor selected: Citrix XenCenter, Microsoft SCVMM, or VMware vCenter.

XenCenter is a Windows-based graphical management console that enables you to deploy, manage, and monitor virtual machines running on XenServer. XenCenter has templates that make configuring your virtualized environment fast and easy. XenCenter can be installed on multiple Windows-based systems, which allows multiple administrators to access and support the virtualized environment.
Citrix Delivery Controller (Controller)
A Controller consists of services that communicate with the hypervisor to make applications and desktops available, authenticate and manage end-user access, and broker the connections between end users and their virtual desktops and applications. The Controller controls the state of the desktops, starting and stopping them based on demand and administrative controls. To ensure that your XenApp and XenDesktop implementation is highly available, configure multiple Controllers in the environment.

Citrix Studio
Studio is the unified management console used to set up and administer a XenApp and XenDesktop implementation. Studio is used to manage Server OS machines, hosted applications, Desktop OS machines, and Remote PC Access through machine catalogs and Delivery Groups. To ensure that Studio is highly available, install multiple instances of Studio in the environment. Studio can be installed on the Delivery Controllers.
Citrix Director
Director is a Web-based monitoring and support tool (it does not change the Site configuration) that enables IT support and Help Desk teams to monitor an environment, troubleshoot issues before they become system critical, and perform support tasks for end users. To ensure that Director is highly available, cluster the host on which Director is installed.
Citrix License Server
The Citrix License Server stores and manages the license files for all Citrix components within the XenApp and XenDesktop architecture, with the exception of NetScaler components, which are manually configured with license files. If XenApp and XenDesktop is deployed across multiple sites, each site should have its own license server with an allocated license file to prevent slow logons resulting from license acquisition. Citrix licenses have a 30-day grace period during which XenApp and XenDesktop components will continue to function normally should the license server become unavailable. Because of this grace period, a single license server can be used per site. Should the license server fail, this grace period provides enough time to restore the license files on another server without interrupting the XenApp and XenDesktop implementation.
You can install the Citrix License Server on a physical server or a VM. At this time, you cannot use the Citrix License Server VPX to provide this functionality. Refer to http://support.citrix.com for the latest information.

Citrix Receiver
Receiver is platform-specific software that provides secure, high-performance delivery of virtual desktops and applications in a XenApp and XenDesktop environment. Plug-ins for Receiver provide advanced features and capabilities.

Citrix StoreFront
StoreFront provides authentication and resource delivery services for end users of Citrix Receiver. In addition, StoreFront uses a local data file to keep track of end users' application subscriptions, shortcut names, and locations so that end users have a consistent experience across all of their endpoints. To ensure that StoreFront is highly available, install multiple StoreFront servers. All StoreFront servers synchronize automatically among themselves once they are added to the server group.

Citrix NetScaler
NetScaler is a secure application access solution that provides granular application-level policy and action controls. NetScaler provides a wide range of functions, including load balancing, ICA proxy, and endpoint analysis, that can control remote access to the resources in your XenDesktop environment. To ensure that NetScaler is highly available, deploy NetScaler as an HA pair.
Citrix Provisioning Services (PVS)
PVS allows machines to be provisioned and re-provisioned in real-time from a single vDisk image. This eliminates the need to manage and update individual virtual machines. To ensure that PVS is highly available, you should deploy multiple PVS servers and ensure that all servers can see the store or a replicated store. With PVS you install the required software on a Master Target Device. Then you create a vDisk image of the hard drive on the Master Target Device and save it to the network. Once the vDisk is available from the network, the target device no longer needs its local hard drive to operate and starts up directly across the network. PVS streams the contents of the vDisk to the target device on demand, in real time. The target device behaves as if it is running from its local hard drive.
Citrix Provisioning Services Console
Provisioning Services Console is the management console for PVS. It can be installed on any computer that can communicate with the PVS database and the SOAP service on the PVS servers. To ensure that the Provisioning Services Console is highly available, install the console on multiple servers.
Machine Creation Services (MCS)
MCS is a collection of services that work together, from the XenApp and XenDesktop Delivery Controllers, to create virtual machines from a master image. One of the primary benefits of MCS is the ease with which virtual desktops can be updated. MCS provides many of the same single-image management benefits as Provisioning Services, but works directly on the storage managed by the hypervisor without the need to use PXE or BDM to start a target device.

Personal vDisk (PvD)
PvD is a separate virtual disk attached to an end user's virtual machine. The PvD stores the end user's customizations and personally installed applications. When an end user logs on to a Desktop OS machine (XenDesktop only), the contents of the PvD are blended with the contents of the desktop. This separation allows the administrator to make changes to the master image without causing the end user to lose their customizations and personally installed applications. If Citrix Profile Management is being used to store the end user's customizations, you can disable end-user customizations in the PvD, or vice versa.

Universal Print Server
The Universal Print Server allows Windows print servers to use the compression and optimization capabilities of Citrix Universal Printer Drivers for network printers. The Universal Print Server has two parts: a Universal Print Client and a Universal Print Server. The server part is loaded on existing Windows print servers and the client part is included in the Virtual Delivery Agent (VDA) software installation.
Citrix Profile Management
Profile Management (previously a separate component) is integrated in the Enterprise and Platinum editions of XenApp and XenDesktop as policies. It provides an easy way to manage end-user personalization settings (profiles) and to give end users fast logons and logoffs. You can opt to use Profile Management policies or another profile management solution with XenApp and XenDesktop. Profile Management policies offer several advantages over roaming profiles, including extended synchronization to eliminate last-write-wins conflicts and profile bloat.
Virtual Delivery Agent (VDA)
A Virtual Delivery Agent (previously called a Virtual Desktop Agent) enables virtual machines to register with Controllers. In addition, the VDA manages the HDX connection between the virtual machines and the endpoints. When an end user logs on to a resource through Receiver, the Receiver on the end-user's endpoint links to the Virtual Delivery Agent on the virtual machine and establishes a session.
Discussion Question
The Delivery Controller, Studio, and Director can be installed on which operating systems?
Designing a XenApp and XenDesktop Implementation
XenApp and XenDesktop allow you to start an implementation with a simple configuration, such as the one taught during this class, and add desktop virtualization models and end users later. However, to realize the immediate benefits and ensure the success of your implementation, you must assess the needs of your organization and then use that information to design a customized virtualization solution. Failure to thoroughly assess and design a solution may cause your implementation to fail.
Properly executed Assess and Design phases save hours in the Deploy phase. Design cannot be carried out in a vacuum: you cannot design a solution until you understand the requirements of the organization and of the end users who will use it. A bad design cannot be remedied by administration. Some organizations will need professional help during the Assess and Design phases.

You can use the Citrix Virtual Desktop Handbook for XenDesktop to assist you in:
• Assessing the needs of your organization.
• Designing your desktop virtualization solution.

The Citrix Virtual Desktop Handbook, available at http://support.citrix.com/article/CTX139331, follows the Citrix Consulting Methodology. This proven methodology has been employed across thousands of desktop virtualization projects. Each phase includes guidance on the important questions to ask, the tools to use, and tips to help you succeed. The Citrix Consulting Methodology consists of four phases: Assess, Design, Deploy, and Maintain.
To learn more about designing a XenApp and XenDesktop solution, you can attend the CXD-400 Designing App and Desktop Solutions with Citrix XenDesktop 7 course.
Assess Phase
During the Assess phase, you identify the following information that is necessary for the design:
• Business Drivers identify the motivation and key drivers behind the desktop virtualization initiative. This information allows you to focus your efforts on creating a solution that meets the needs of the business based on the priorities of the business.
• Data Capture identifies (inventories) the end users, applications, devices, and current infrastructure components. This information allows you to segment end users, identify risks, and determine the capabilities of the current environment.
• User Segmentation divides the end users into groups based on a common set of requirements. This information allows you to assign the appropriate desktop virtualization model to each group without compromising performance or functionality.
• Application Assessment identifies the applications currently in use in the environment. The application list is rationalized by justifying the removal of legacy applications, standardizing application versions, and removing non-business applications. The remaining applications are then analyzed for compatibility issues.
• Roadmap prioritizes the rollout to each user group by comparing implementation time and resources against business objectives as defined by the business drivers. The results of this prioritization process are then used to update the project plan. The project team that will implement the solution is then assembled according to the skill sets required.

Discussion Question
What is the main reason for understanding the top business drivers for moving to a desktop virtualization solution?
Design Phase
During the Design phase, you use the information gathered during the Assess phase to create a customized desktop virtualization design.

This graphic is based on the inputs provided during the Assess phase of a sample project. It depicts a logical representation of the components within the Access, Desktop, and Control Layers. Ultimately, all sizing and scaling decisions are based on the hardware components selected to host the components within the Hardware Layer.

The design is accomplished using a five-layered approach that focuses the design process and ensures that all necessary considerations are included in the design. The layers include:
• User Group Layer documents the recommended endpoints and the required end-user experience functionality.
• Access Layer shows how end users will connect to the desktops defined in the Desktop Layer. Local end users often connect directly to StoreFront, while remote end users often connect through a DMZ that protects the internal environment. To bridge the DMZ, remote end users often connect through an SSL VPN device (such as Citrix NetScaler). Disconnected end users using Citrix XenClient need to synchronize their local images with the back-end store (Synchronizer) through a browser (not StoreFront); this requires additional access through the DMZ that separates the internal and external environments.
• Desktop Layer identifies the desktop virtualization model selected for each user group. The Desktop Layer is further subdivided into Image, Applications, and Personalization. Within each sub-layer, specifics are documented that detail the operating system, assigned policies, profile design, and application requirements.
• Control Layer provides details about the controllers needed to manage and maintain the entire solution. The Control Layer is further subdivided into Access Controllers, Desktop Controllers, and Infrastructure Controllers. The Access Controllers manage the hardware needed to support the Access Layer. The Desktop Controllers provide details about the components needed to support the Desktop Layer, which could include XenApp and XenDesktop, XenClient, or Provisioning Services. Finally, the Infrastructure Controllers are responsible for providing the underlying resources needed to support each component. These resources can include databases, license servers, and hypervisor controllers.
• Hardware Layer provides the physical devices required to support the entire solution. It includes servers, processors, memory, and storage devices.

Discussion Question
During the Design Phase, you document the recommended endpoints and the required end-user experience functionality based on the information gathered during the Assess phase. What might influence the design of the User Group layer?
Deploy Phase
During the Deploy phase, the application and desktop virtualization solution is installed and configured as described in the Design phase. A pilot is performed to ensure that all requirements are addressed. In addition, the pilot helps determine the scalability thresholds for the production environment. Key success criteria are identified for the pilot and the environment is then tested by a subset of end users. Once the pilot is completed, the solution is rolled out to production. The rollout to production includes technical assistance, deployment work plans, end-user training, and IT staff training.

Discussion Question
When building a XenApp and XenDesktop implementation, which of the five layers should be implemented first?
Maintain Phase
The Maintain phase occurs after the application and desktop virtualization solution has been rolled out to production. During the Maintain phase, the following activities are performed:
• Monitoring enables administrators to address issues proactively. By having an in-depth understanding of the current and expected behavior of the various components, administrators are better equipped to discover an issue before it impacts the end-user community. Furthermore, the data tracked during normal operations can be used for trending and capacity planning.
• Support fine-tunes the pilot outputs in terms of the proper staffing, organization, training, and tools required by technical support to provide issue resolution for the production environment.
• Testing and Change Control ensures that all upgrades and improvements are properly approved, tested, and validated by the appropriate parties. The change management process ensures that changes in production environments are deliberate, proven, and accountable.
• Ongoing Operations identifies routine operations and structures the responsibilities and assignments for maintenance, issue prevention, and resolution in the production environment to reduce issues and their resolution times.

Discussion Question
Which Citrix consoles can be used to maintain, monitor, and support a XenApp and XenDesktop implementation?

Design Document
The Design document is used to deploy the virtualization solution. It contains the details for implementing the application and desktop virtualization solution. It is created using the information gathered during the Assess and Design phases. Within the Design document you will find information about the:
• Types of end users and their requirements
• Types of devices and Citrix Receivers that will be used to access the XenApp and XenDesktop environment
• XenApp and XenDesktop Site architecture
• Operating system delivery methodology, such as Streamed VHD, Server OS machines, and Desktop OS machines
• Application delivery methods, such as hosted applications, locally installed applications, and streamed applications (App-V)
• End-user profile management and logon script management
• Printing strategy and printing policies
• User policies
• Internal and external end-user access
• Peripheral components required to support the XenApp and XenDesktop environment, such as the virtualization infrastructure, hardware, network, storage, and Active Directory
• Redundancy and continuity recommendations for disaster recovery purposes

After the Design document is approved, you can use it to ensure that you configured the XenApp and XenDesktop implementation to best meet the needs of the organization and ensure the success of the implementation.
Reinforcement Exercise: Identifying Components
Match each term in the list to its description in the table that follows it.

Terms:
• Citrix Delivery Controller
• Citrix Director
• Demilitarized Zone
• Desktop OS machines
• File Server
• Hosted Applications
• SQL Server
• Server OS machines

Term                        Description
__________________________  Supports the use of static desktops with a Personal vDisk.
__________________________  Provides desktop sessions to multiple end users from a single server.
__________________________  Uses the processing power of Server OS and Desktop OS machines to run.
__________________________  Stores redirected folders and end-user profiles.
__________________________  Contains the NetScaler appliances.
__________________________  Stores the Site, Configuration, and Monitoring data for XenApp and XenDesktop.
__________________________  Starts and stops desktops based on demand and administrative controls.
__________________________  Provides monitoring and support capabilities for XenApp and XenDesktop.

Terms:
• Citrix Provisioning Services
• Citrix Receiver
• Citrix Studio
• Hypervisor
• Machine Creation Services
• Personal vDisk
• Virtual Delivery Agent

Term                        Description
__________________________  Provides the management interface for XenApp and XenDesktop.
__________________________  Delivers virtual desktops and applications to end users.
__________________________  Uses a vDisk image to provision virtual machines.
__________________________  Uses a master desktop image to create virtual machines.
__________________________  Stores an end user's customizations and installed applications and is associated with a virtual machine.
__________________________  Enables virtual machines to register with the Delivery Controllers.
__________________________  Abstracts the hardware from the virtual machines.
Module 2: Setting Up the Hypervisor
Overview
A hypervisor allows multiple operating systems to run as virtual machines (VMs) on a single physical host. A hypervisor is installed on a host computer that is dedicated entirely to the task of running the hypervisor and hosting VMs. It works by allocating the resources of the host computer to the VMs running on it. The management console used to manage the hypervisor can be installed on any system with a supported operating system. The management console allows you to create VMs, take VM disk snapshots, and manage VM workloads.

Using a hypervisor rather than installing XenApp and XenDesktop components directly on physical hardware limits your exposure to hardware failure and reduces the cost of deploying the solution. This cost reduction is the result of reduced power consumption, increased utilization of existing hardware, fewer required servers, and decreased space and cooling requirements. In addition, management becomes streamlined and efficient because you are managing the pool as a single unit rather than managing each system separately. The hypervisor should be the first component configured in the environment so that most or all of the components in the environment can be virtualized.

XenApp and XenDesktop can be used with Microsoft Hyper-V, Citrix XenServer, or VMware vSphere. Citrix XenServer will be the virtualization platform used during this course, but any of the supported hypervisors could have been used.

After completing this module, you will be able to:
• Install XenServer.
• Install and configure the XenCenter management console.
• Configure XenServer.
• Create a virtual machine template.

Module timing: 3 hours

At the beginning of this module, the VMs should be in the following states:
• DomainController-1 = On
• All other VMs = Off
Installing the Hypervisor
When you install a hypervisor on a bare-metal box, the hypervisor software installs a kernel. It installs a Linux kernel for vSphere and XenServer and a Windows kernel for Hyper-V. The appropriate hypervisor tools (XenServer Tools and VMware Tools) need to be installed on the virtual machines to allow them to communicate optimally with the hardware and the control domain. Hyper-V has its hypervisor tools (Integration Services) built into Microsoft Windows. The following graphic illustrates this point.

Hardware-assist virtualization technologies are built into many central processing unit (CPU) chips manufactured by both Intel and AMD. With hardware-assist virtualization, the guest operating system on the virtual machine does not require modifications in order to have direct access to the server resources. Hardware assist must be enabled through the BIOS on the host for XenServer. Paravirtualization allows a guest operating system, such as Windows, to communicate with the hypervisor. This direct communication improves performance and is enabled by installing paravirtualization tools such as XenServer Tools or VMware Tools on the virtual machines.

All hypervisors are composed of the following components:
• Hardware Layer contains the physical server components, including memory, CPU, and disk drives.
• Hypervisor is a thin layer of software that runs on top of the hardware. The hypervisor provides an abstraction layer that allows each physical server to run one or more virtual machines, effectively decoupling the operating system and its applications from the underlying hardware.
• Control Domain manages the network I/O and storage I/O of all virtual machines. The control domain is a Linux virtual machine for vSphere and XenServer, with higher priority to the hardware than other guest operating systems. In Hyper-V, the control domain is embedded in the hypervisor and is provided by the base installation of the server operating system when the Hyper-V role is added to the base operating system.
• Guest Operating System is the operating system that is installed on the virtual machines hosted by the hypervisor.
  • Linux virtual machines are accessed through the control domain, while CPU and memory are accessed through the hypervisor directly to the hardware.
  • Windows virtual machines use paravirtualized drivers to access storage and network resources through the control domain.

XenServer is designed to use the hardware virtualization of Intel VT- or AMD-V-enabled CPUs.

Regardless of the hypervisor selected to support your XenApp and XenDesktop implementation, the installation basics are the same. First, verify that the hardware and software requirements are met by the system on which you plan to install the hypervisor. Second, make sure that you carefully follow the instructions to properly install and configure the hypervisor.
To Install XenServer
XenServer is pre-installed in the lab environment. To experience installing XenServer to support a XenApp and XenDesktop implementation, we have provided an Installing XenServer exercise below. Click the following link and use the steps in this course to complete the exercise:
• Installing XenServer Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Insert the XenServer installation media in the drive of the computer and start the installation program. Proceed to the next step since this has been completed within the simulation.
   During the XenServer installation, you will not be able to use a mouse to navigate.
2. Select the Keymap layout for the installation and then press Enter. Verify that [qwerty] us is highlighted, press the spacebar, and then press Enter twice.
3. Determine if a device driver needs to be loaded. Press Enter on the Welcome to XenServer Setup screen to continue to install XenServer without loading additional device drivers.
4. Read and respond to the End User License Agreement (EULA). Press the Left arrow key to select Accept EULA and then press Enter.
   If the server does not have Hardware Assist enabled in the BIOS, an error message will appear after you accept the EULA. You can continue with the installation, but XenServer will have limited functionality until Hardware Assist is enabled.
5. Specify the storage to use, whether the storage should be optimized for XenApp and XenDesktop, and then press Enter.
   a. Verify that sda-20 GB [ATA VBOX HARDDISK] is selected.
   b. Press the Down arrow key to highlight Enable thin provisioning (Optimized storage for XenApp and XenDesktop).
   c. Press the spacebar to select Enable thin provisioning (Optimized storage for XenApp and XenDesktop).
   d. Press Enter twice.
   Thin Provisioning optimizes the utilization of available storage for XenApp and XenDesktop end users and enables local caching to work properly.
6. Select the installation media source and then press Enter. Press the spacebar to select Local media as the installation source and then press Enter twice.
   Select Local media if you are installing XenServer from a CD. Select HTTP, FTP, or NFS if you are installing XenServer using PXE. When Local media is selected, the installer will check the repository.
7. Determine if Supplemental Packs will be installed and then press Enter. Press the Right arrow key to select No and then press Enter.
   This step is only displayed if you selected Local media during the previous step. If you selected HTTP, FTP, or NFS, you must configure networking so that the installer can connect to the XenServer installation media files on the network.
8. Determine if the integrity of the installation media should be verified before beginning the installation and then press Enter. Press the Up arrow key to select Skip verification and then press Enter twice.
   If you select Verify installation source, the MD5 checksum of the package is calculated and checked against the known value. Verification may take a few minutes.
9. Specify the password to set for the root account on the XenServer and then press Enter.
   a. Type Password1 in the Password field and then press Enter.
   b. Type Password1 in the Confirm field and then press Enter.
   c. Press the Down arrow key and then press Enter.
10. Specify how networking should be configured, set up the primary management interface, and then press Enter. You can get an IP address automatically using Automatic configuration (DHCP) or specify it yourself using Static configuration.
   a. Press the Down arrow key to highlight Static configuration and then press the spacebar.
   b. Press the Down arrow key to move to the IP Address field, type 192.168.10.24, and then press Enter.
   c. Type 255.255.255.0 in the Subnet mask field and then press Enter.
   d. Type 192.168.10.1 in the Gateway field and then press Enter.
   e. Press the Down arrow key and then press Enter.
11. Specify the host name and DNS configuration and then press Enter.
   a. Type xs1 in the Hostname field and then press Enter.
   b. Type 192.168.10.3 in the DNS Server 1 field and then press Enter.
   c. Press the Down arrow key twice and then press Enter.
   To be part of a pool, XenServer hosts must have static IP addresses or be DNS addressable. When using DHCP, ensure that a static DHCP reservation policy is in place. If you want to manually specify the host name, use a short host name and not the fully qualified domain name (FQDN). Typing an FQDN may cause external authentication to fail. At least one DNS server address must be specified. Adding a second and third DNS address will ensure that XenServer can find other machines on the network based on their names if the first DNS server is unavailable.
12. Select the geographical area and then press Enter. Press the Down arrow key to select America for the time zone and then press Enter twice.
13. Select the city and then press Enter. Type L, press the Down arrow key to select Los Angeles, and then press Enter twice.
14. Specify how you would like the server to determine local time and then press Enter. Press the Down arrow key to select Manual time entry for the system time and then press Enter twice.
   NTP (Network Time Protocol) requires an NTP server on the network. If you select Using NTP, you must provide the address of the NTP server in your network. If your network does not have an NTP server, you should select Manual time entry.
15. Press the Left arrow key to select Install XenServer and then press Enter.
16. Set the local time and date and then press Enter. Press the Down arrow key to select OK and then press Enter to accept the default settings for the local time and date.
17. Press Enter when the installation completes to restart the server. The XenServer Configuration screen appears once the server restarts.

Discussion Question
What is the minimum number of physical computers required for a redundant XenServer implementation?
Installing the Hypervisor Management Console
Hyper-V, XenServer, and vSphere hypervisors are command-line based software programs. Each of these hypervisors has a management console that can be installed on a separate system to configure the hypervisor, create and configure virtual machines, and monitor the resources available to the hypervisor.

The management console is a GUI that allows you to see multiple settings at once. It should be used for daily maintenance tasks and for tasks that are performed on an as-needed basis. Tasks that must be repeated on a regular basis should be scripted to use the command-line interface instead of the management console for the hypervisor. For example, you can create a script that takes a snapshot of a live running machine and then exports it as a backup. You can then run the script as a scheduled task to create regular backups of a machine without shutting it down. Scripting is enabled by the xe command-line interface, which is installed wherever you install the XenCenter management console. For a comprehensive list of commands that can be used for scripting, see Appendix A in the XenServer Administrator's Guide, which is available from http://docs.citrix.com.
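The snapshot-and-export backup described above, written out as an added example for this edit (it is not a script from the course or from Citrix). It is a POSIX shell script built on xe commands from the XenServer Administrator's Guide: it resolves a VM by name-label, snapshots it while it keeps running, exports the snapshot to an .xva file, removes the snapshot, and prunes exports older than a retention period. It assumes xe is on the PATH (on the XenServer host or a machine with XenCenter installed), that VM_NAME, BACKUP_DIR and KEEP_DAYS are supplied as environment variables, and the XE variable exists only so the xe calls can be redirected to a stand-in when testing.

```shell
#!/bin/sh
# Added example: snapshot-and-export backup of a running XenServer VM with the xe CLI.
# Assumptions (not from the course): xe is on the PATH, the backup directory is writable,
# and the VM is identified by its name-label. XE may be pointed at a stand-in for testing.

XE="${XE:-xe}"
BACKUP_DIR="${BACKUP_DIR:-/mnt/backups}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Resolve a VM name-label to exactly one UUID; fail on zero or ambiguous matches
# so a mistyped name never silently backs up (or later prunes) the wrong VM.
vm_uuid_by_name() {
    uuid=$("$XE" vm-list name-label="$1" params=uuid --minimal) || return 1
    case "$uuid" in
        "")  echo "no VM named '$1'" >&2; return 1 ;;
        *,*) echo "more than one VM named '$1'" >&2; return 1 ;;
    esac
    printf '%s\n' "$uuid"
}

# Snapshot the VM (no shutdown needed), export the snapshot as an .xva file,
# then remove the snapshot. Prints the path of the backup file on success.
backup_vm() {
    name="$1"
    [ -d "$BACKUP_DIR" ] || { echo "backup directory $BACKUP_DIR missing" >&2; return 1; }
    vm=$(vm_uuid_by_name "$name") || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    snap=$("$XE" vm-snapshot uuid="$vm" new-name-label="backup-$name-$stamp") || return 1
    out="$BACKUP_DIR/$name-$stamp.xva"
    if ! "$XE" snapshot-export-to-template snapshot-uuid="$snap" filename="$out"; then
        # Export failed: do not leave an orphaned snapshot consuming storage.
        "$XE" snapshot-uninstall snapshot-uuid="$snap" force=true
        return 1
    fi
    "$XE" snapshot-uninstall snapshot-uuid="$snap" force=true || return 1
    printf '%s\n' "$out"
}

# Delete exports of this VM older than KEEP_DAYS so the backup store cannot fill up.
prune_backups() {
    find "$BACKUP_DIR" -name "$1-*.xva" -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# When VM_NAME is set (e.g. by cron or a scheduled task), back it up and prune old copies;
# when the file is only sourced for its functions, nothing runs.
if [ -n "${VM_NAME:-}" ]; then
    backup_vm "$VM_NAME" && prune_backups "$VM_NAME"
fi
```

Run it as `VM_NAME=<vm name-label> BACKUP_DIR=/mnt/backups sh backup-vm.sh` from a scheduled task. The export is a template image; importing it later with `xe vm-import` gives a template that can be cleared with `xe template-param-set is-a-template=false`. The name lookup deliberately refuses ambiguous matches because name-labels in XenServer are not unique.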
To Install XenCenter
You can install XenCenter on any computer that has access to the servers running the XenServer hypervisor and has Microsoft .NET Framework 3.5.1 installed on it. In this exercise, you will install XenCenter on a Windows 8.1 system called MyLaptop.

XenCenter is pre-installed in the lab environment. To experience installing XenCenter to support a XenApp and XenDesktop implementation, we have provided an Installing XenCenter exercise below. Click the following link and use the steps in this course to complete the exercise:
• Installing XenCenter Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Insert the XenServer installation media in the drive of the computer that has Microsoft .NET 3.5.1 installed on it and start the installation program. Proceed to the next step.
2. Click the File Explorer (folder icon) on the taskbar.
3. Select the drive containing the XenServer installation media. Click CD Drive (G:) XenServer-6.1.0.
4. Double-click the client_install folder.
5. Double-click the XenCenter Windows Installer file.
6. Click Next in the Welcome to Citrix XenCenter Setup Wizard screen.
7. Specify the folder where you want to install XenCenter, determine if XenCenter should be installed for all users of the system or just the currently logged on user, and then click Next. Click AllUsers and then click Next to accept the default installation location.
8. Click Install to begin the installation.
9. Click Finish to close the Citrix XenCenter Setup Wizard after the installation completes.

Discussion Question
Why should you secure the XenCenter management console for your hypervisor? How can you secure the management console?
Connecting the Management Console to the Hypervisor
Before you can begin using the console, you must first configure it to communicate with the hypervisor that you will be managing and add a license for the hypervisor. Every time you launch the console, you must reconnect the console to the hypervisor unless you choose to save the settings. The settings can be saved with or without a password.

To Connect XenCenter to the XenServer Host
XenCenter is pre-configured in the lab environment. To experience configuring XenCenter to connect to a XenServer, we have provided a Connecting to XenServer exercise below. Click the following link and use the steps in this course to complete the exercise:
• Connecting to XenServer Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Log on to the system hosting XenCenter. Proceed to the next step.
2. Open Citrix XenCenter.
   a. Click Start on the lower-left corner of the screen.
   b. Click Citrix XenCenter.
3. Click Add New Server.
4. Type the host name or IP address of the XenServer host in the Server field. Type 192.168.10.24 in the Server field and then press Enter.
5. Press Tab and then type the user name for the administrator account on the server. Proceed to the next step to accept the default user name.
6. Press Tab and then type the password for the administrator account. Type Password1 in the Password field and then press Enter.
7. Click Add. The XenServer environment will appear in the console and storage is automatically configured on the local disk of the host. If XenServer is installed on additional servers, you can add them to the XenCenter console using these steps.
8. Close the XenCenter window. Click the X in the upper-right corner of the XenCenter window.

Discussion Question
The management console for your hypervisor and the computer it was installed on are not available to you. What other options are available to you to manage the hypervisor environment?
Configuring the Hypervisor
Hyper-V, XenServer, and vSphere hypervisors are highly customizable. For example, you can configure:
• The network interfaces used by the hypervisor.
• A library to host the ISO resources available to the VMs.
• The virtual disk storage used by the VMs.
• Templates for virtual machines.
Configuring the Virtual Networks
A virtual network provides flexibility to satisfy changes in security and application requirements quickly and efficiently. For example, when someone needs a new virtual machine (VM) or application, you can add a new virtual network that can isolate the VM from other VMs in the environment.

A virtual network consists of three pieces:
• Physical interface (PIF) is the physical network interface card for each host.
• Virtual interface (VIF) is a server-side software object that is a virtual representation of a computer network interface. A virtual machine connects to a virtual interface to provide network connectivity to other virtual machines and the physical network.
• Network is used by the control domain (DOM0) to bridge multiple virtual interfaces to a physical interface. Some hypervisors refer to this as a virtual switch.

Each of these three pieces has its own universally unique identifier (UUID). The UUID allows you to refer to the specific object you want to act upon. For example, you can take a VIF and attach or detach it using a script that references its UUID. When typing the UUID in XenServer, you can type the first few characters and then press the Tab key to complete it.
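The UUID-driven VIF attach and detach just mentioned, as an added example written for this edit (not code from the course or from Citrix). The script lists a VM's VIFs by UUID with xe and then unplugs or plugs every one of them; the defender's use is containment, cutting a VM suspected of compromise off the network while it keeps running so memory and disk can still be examined, and reconnecting it afterwards. It assumes xe is on the PATH and the VM is identified by its UUID (the UUIDs in the test are constructed placeholders); the XE variable exists only so the xe calls can be redirected to a stand-in when testing.

```shell
#!/bin/sh
# Added example: plug or unplug a VM's virtual interfaces (VIFs) by UUID with the xe CLI.
# Assumptions (not from the course): xe is on the PATH and the VM is given by UUID.
# XE may be pointed at a stand-in for testing.

XE="${XE:-xe}"

# List the UUIDs of all VIFs attached to a VM, one per line
# (xe --minimal returns them as a single comma-separated string).
vif_uuids_for_vm() {
    list=$("$XE" vif-list vm-uuid="$1" params=uuid --minimal) || return 1
    printf '%s\n' "$list" | tr ',' '\n' | sed '/^$/d'
}

# Plug or unplug every VIF of a running VM; prints how many VIFs were changed.
# Each xe call names the exact object by UUID, so nothing else on the host is touched.
vif_op() {
    vm="$1"; op="$2"
    case "$op" in
        plug|unplug) ;;
        *) echo "vif_op: op must be plug or unplug" >&2; return 2 ;;
    esac
    vifs=$(vif_uuids_for_vm "$vm") || return 1
    count=0
    for vif in $vifs; do
        "$XE" "vif-$op" uuid="$vif" || { echo "vif-$op failed for $vif" >&2; return 1; }
        count=$((count + 1))
    done
    echo "$count"
}

# Containment: cut a suspect VM off the network while leaving it running for investigation.
quarantine_vm() { vif_op "$1" unplug; }

# Reconnect the VM once the investigation is complete.
release_vm() { vif_op "$1" plug; }
```

Because the VIF objects survive an unplug, `release_vm` restores exactly the interfaces that were removed; nothing is recreated, so MAC addresses and network assignments are unchanged. The count printed by each call lets a calling script confirm that a quarantined VM actually had interfaces to remove.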
NIC bonding is another network task that can be performed at the physical layer of the network. It combines one or more NICs connected to the same physical network.

When you bond multiple NICs, a new virtual NIC is created. This is the bond master, and the bonded NICs are known as the NIC subordinates. The NIC bond can then be connected to a network to allow virtual machine traffic and server management functions to take place across that bond. There are two NIC bonding modes:
• Active-active mode provides load balancing of virtual machine traffic across the physical NICs in the bond. If one NIC within the bond fails, all of the network traffic on the host is automatically routed over the second NIC.
• Active-passive (active-backup) mode provides hot-standby capability. Only one NIC in the bond is active; the inactive NIC becomes active if and only if the active NIC fails.

A XenServer with its management interface on a bonded network will have limited pool functionality. For example, the "create a pool" and "join a pool" tasks will not be permitted. To get past this issue, you can temporarily attach the management interface to a non-bonded network. Perform the management tasks and then reconnect the management interface to the bonded network. This restriction also applies to management interfaces attached to tagged VLANs.
To Configure an External Network
XenServer is pre-configured in the lab environment. To experience configuring virtual networks for XenServer, we have provided an Adding a New Network exercise below. Click the following link and use the steps in this course to complete the exercise:
• Adding a New Network Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Log on to the system hosting XenCenter. Proceed to the next step.
2. Open Citrix XenCenter.
   a. Click Start on the lower-left corner of the screen.
   b. Click Citrix XenCenter.
3. Select the XenServer host in XenCenter to which you want to add a network. Verify that xs1 is highlighted in the left column under XenCenter.
4. Click the Networking tab.
   XenServer automatically manages NICs as needed based on the related network, virtual interface, server network, and bond configuration. You can view the available NICs, configure NIC bonds, and dedicate NICs to a specific function from the NICs tab.
5. Click Add Network.
6. Select the type of network to add and then click Next. Verify that External Network is selected and then click Next.
7. Specify the name of the new network and then click Next. Type Network2 in the Name field, press Enter, and then click Next.
8. Select the network interface to be used by the new network. Select NIC 1 from the NIC field.
9. Select a number to use for the VLAN on the network. Accept the default value of 1 in the VLAN field.
10. Select the appropriate MTU value for your network. Accept the default value of 1500 for the MTU.
   Maximum transmission unit (MTU) identifies the maximum number of bytes of data the protocol can pass in a packet. The larger the MTU, the more efficient the throughput. The default MTU size for Ethernet is 1500.
11. Select Automatically add this network to new virtual machines.
12. Click Finish and then verify that the new network on VLAN 1 appears in the list.
13. Close the XenCenter window. Click the X in the upper-right corner of the XenCenter window.

Discussion Question
A database application has recently emerged from the pilot phase. After the rollout to the production environment, end users began complaining about slow access to the database. What should the administrator do to address this issue?
Creating a Pool or Cluster of Hosts
A pool or cluster consists of multiple hosts, bound together as a single managed entity. When combined with shared storage or local storage, a pool or cluster enables VMs to be created or started on one host and then dynamically moved to another host in the pool or cluster if the original host fails. This functionality in XenServer and vSphere is called High Availability (HA). In Hyper-V this functionality is called HA Protection.

To Create a New Pool in XenServer
XenServer is pre-configured in the lab environment. To experience configuring a new pool for XenServer, we have provided a Creating a XenServer Pool exercise below. Click the following link and use the steps in this course to complete the exercise:
• Creating a XenServer Pool Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Log on to the system hosting XenCenter. Proceed to the next step.
2. Open Citrix XenCenter.
   a. Click Start on the lower-left corner of the screen.
   b. Click Citrix XenCenter.
   There are two XenServer hosts available in XenCenter. You are going to create a pool so VMs running on these hosts can be dynamically moved from one host to the other.
3. Click New Pool in the XenCenter toolbar.
4. Type a name for the new pool. Type Pool1 in the Name field and then press Enter.
5. Select a server in the Master field. Verify that xs1 is selected as the Master.
6. Select one or more servers to place in the new pool from the Additional members list. All available XenServer hosts are listed. If a host is not listed, it may be because it does not satisfy one or more of the pool joining requirements. Select xs2 as a member.
7. Click Create Pool to create the new pool.
8. Double-click the newly added pool to view the pool members. Double-click Pool1.
9. Close the XenCenter window. Click the X in the upper-right corner of the XenCenter window.

Discussion Question
What is required to implement a pool or cluster of hosts for a hypervisor environment?
Configuring an ISO Library
An ISO is a disk image of a CD or DVD. An ISO library is a type of storage repository. It is used to store CD/DVD images in the ISO format. Storing ISOs in a library makes them administratively accessible to any VM. An ISO library can be added at any time to create a virtual collection of installation media. CD/DVD images in the ISO library can be shared and accessed by VMs hosted by the hypervisor. An ISO library can be created as a:
• Network File System (NFS) share, which uses the Linux/Unix NFS protocol to share files and folders on the network.
• Common Internet File System (CIFS) share, which uses the Windows CIFS protocol to share files and folders on the network. A CIFS share is only available to Hyper-V and XenServer hypervisors.

The share must be pre-created prior to creating the storage repository, and all .ISO files must be at the root of the share. ISOs stored in subfolders will not be enumerated and therefore cannot be seen.

To Configure an ISO Library for XenServer
XenServer is pre-configured in the lab environment. To experience configuring an ISO library for XenServer, we have provided a Creating an ISO Library exercise below. Click the following link and use the steps in this course to complete the exercise:
• Creating an ISO Library Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Log on to the system hosting XenCenter. Proceed to the next step.
2. Open Citrix XenCenter.
   a. Click Start on the lower-left corner of the screen.
   b. Click Citrix XenCenter.
3. Select the XenServer host to which you want to attach the new storage repository. Verify that xs1 is selected.
4. Click New Storage in the XenCenter toolbar to open the New Storage Repository wizard.
5. Select the type of ISO library you want to create and then click Next. Select Windows File Sharing (CIFS) and then click Next.
6. Type a name for the new storage repository in the Name field. Type My-ISOs in the Name field and then press Enter.
7. Type a description or allow XenCenter to automatically generate the description for the storage repository and then click Next. Click Next to allow XenCenter to automatically generate the description.
8. Type the location of the share in the Share Name field. Type \\WIN-V06KOCR56GO\ISO_Library in the Share Name field and then press Enter.
9. Determine if different credentials should be used to connect to the share. Different credentials may be necessary if the host instance does not have the necessary rights to the network share.
   a. Select Use different user name.
   b. Type Administrator in the User name field and then press Enter.
   c. Type Password1 in the Password field and then press Enter.
10. Click Finish to create the ISO storage repository.
11. Click the My-ISOs storage repository in the left pane of the XenCenter window.
12. Click the Storage tab to view the ISO files stored in the share addressed by the storage repository.
13. Close the XenCenter window. Click the X in the upper-right corner of the XenCenter window.

Discussion Question
You can perform Detach, Forget, and Destroy operations on a storage repository. What does each of these operations do, and when might you use each?
Configuring Virtual Disk Storage
st di
Virtual disk storage is used to store the virtual disks used by the VMs. You can create additional virtual disk storage if external storage is available. In Hyper-V virtual disk storage is referred to as a store; in vSphere it is called a data store; in XenServer it is called a storage repository. You can set virtual disk storage up during the initial installation of the hypervisor or at any time after the installation. If you create the virtual disk storage after installation, you must shut down the VMs and move them manually to the storage. If you are using the most current version of a hypervisor, storage motion is available (this allows a VM to be moved from local to external storage while the VM is active) but this operation can be time consuming.
ut
rib
n
io
To Configure Virtual Disk Storage
XenServer is pre-configured in the lab environment. To experience configuring additional virtual disk storage for XenServer, we have provided a Adding Virtual Storage below. Click the following link and use the steps in this course to complete the exercise: • Adding Virtual Storage Exercise You can access a list of all simulated exercises from the Student Resource Kit module located in this course. 1.
Log on to the system hosting XenCenter. Proceed to the next step.
2.
Open Citrix XenCenter. a. b.
Click Start on the lower-left corner of the screen. Click Citrix XenCenter.
© Copyright 2015 Citrix Systems, Inc.
Module 2: Setting Up the Hypervisor
55
3. Select the XenServer host to which you want to attach the new storage repository. Verify that xs1 is selected.
4. Click New Storage to open the New Storage Repository wizard.
5. Select the type of virtual disk storage you want to attach to your host and then click Next. Verify that NFS VHD is selected and click Next.
   • NFS VHD storage repository stores VM images as thin-provisioned VHD format files on a shared NFS target. Existing NFS servers that support NFS V3 over TCP/IP can be used as a storage repository for virtual disks. NFS storage repositories can be shared, allowing any VMs with their virtual disks in an NFS VHD storage repository to be migrated between servers in the same resource pool. Because virtual disks on NFS storage repositories are created as sparse, you must ensure that there is enough disk space on the storage repository for all required virtual disks to grow as they are used.
   • Software iSCSI storage repository uses a shared Logical Volume Manager on a SAN attached LUN over iSCSI. iSCSI is supported using the open-iSCSI software iSCSI initiator or by using a supported iSCSI Host Bus Adapter (HBA).
   • Hardware HBA storage repository connects to Fibre Channel (FC), Fibre Channel over Ethernet (FCoE), or shared Serial Attached SCSI (SAS) LUNs via an HBA. Prior to configuring a Hardware HBA storage repository, you need to expose the LUN because the wizard will automatically probe for and display a list of all available LUNs found.
   • StorageLink storage repository uses an existing Network Appliance (NetApp), Dell EqualLogic storage infrastructure, or Citrix StorageLink Gateway (CSLG) to access a range of different storage systems.
   Dynamic multipathing support is available for Software iSCSI and Hardware HBA storage repositories. By default, multipathing uses round-robin mode load balancing, so traffic will be active on both routes during normal operation. You can enable and disable storage multipathing in XenCenter using the Multipathing tab in the Properties of the server.
6. Type a name for the new storage repository in the Name field. Use the default name provided.
7. Type a description or allow XenCenter to automatically generate the description for the storage repository and then click Next. Click Next to allow XenCenter to automatically generate the description.
8. Type the location of the share in the Share Name field or click Scan if you would like to re-attach an existing storage repository. Type WIN-V06KOCR56GO:/NFS_Share in the Share name field and then press Enter.
9. Determine if any advanced options should be applied to the storage repository. Do not specify any advanced options and then proceed to the next step.
   The advanced options available are based on the type of virtual disk storage selected.
10. Determine if a new storage repository will be created or an existing storage repository will be reattached and then click Finish. Verify that Create a new SR is selected and then click Finish.
11. Verify that the new storage repository is listed in the left pane of the XenCenter window. Verify that NFS virtual disk storage is listed.
12. Close the XenCenter window. Click the X in the upper-right corner of the XenCenter window.
Discussion Question
With which types of storage can you use a High Availability (HA) solution? The following is a list of different storage options and their benefits:
Applying Updates and Hotfixes
To ensure optimal performance, stability and security, you should keep your operating systems, applications, and Citrix components up to date. It is important to remember that all updates and hotfixes must be tested in a test environment prior to rolling them out to a production environment. Once you decide to roll updates out to the production environment, ensure that you apply them consistently across the components in the environment. Updates come in many forms: service packs, hotfix rollup packs, security fixes, and general public hotfixes. Read the release notes for the update to determine the criticality of the update and the applicability of the update to your environment to determine whether or not to install it. When applying an update to XenServer, you should:
• Log on as a user with full access permissions.
• Update all hosts in a pool within a short period of time. Begin with the pool master. Running a pool with mixed versions of XenServer hosts is not supported.
• XenCenter will restart each host automatically before applying the update file, so move all VMs off of the host before beginning the update. You can do this manually using the command line interface (CLI), or you can use the host-evacuate command. If you are using the CLI to apply the updates, you will have to restart the hosts manually before the update.
• Empty the CD/DVD drives of any virtual machine which will be suspended.
• Disable high availability for the resource pool. Be careful if the pool master is offline.
To Upload and Apply a XenServer Hotfix
XenServer is pre-configured in the lab environment. To experience applying a hotfix to XenServer, we have provided an Applying an Update exercise below. Click the following link and use the steps in this course to complete the exercise:
• Applying an Update Exercise
Follow these steps to open the Applying an Update exercise in the Student Resource Kit:
1. Log on to the system hosting XenCenter. Proceed to the next step.
2. Open Citrix XenCenter.
   a. Click Start on the lower-left corner of the screen.
   b. Click Citrix XenCenter.
3. Click Tools > Check for Updates in the XenCenter menu bar.
4. Select the required update from the list and then click Download & Install to start the download process and perform pre-checks on the servers. Select XS61E017 and then click Download & Install.
5. Click Next to continue once all pre-checks have been resolved.
6. Determine if post-update tasks should be performed automatically or manually and then click Install update. Verify Automatically perform post-update tasks after the update has been applied is selected and then click Install update.
7. Click Finish when the update process is completed.
8. Click Close to close the Check for Updates window.
   Updates that are applied to a XenServer host can be viewed in the General tab of the host. If you opted to manually perform the post-update tasks, you should complete those tasks at this time.
9. Close the XenCenter window. Click the X in the upper-right corner of the XenCenter window.
Discussion Question
What is the difference between a hotfix, a rollup/service pack, and a feature pack?
Creating Templates
A virtual machine (VM) is a software container that runs on a host and behaves as if it were a physical computer itself. VMs consist of a guest operating system, CPU, memory (RAM), networking resources, and software applications. All of the information about the virtual machine is stored in an image file. After the VM is created, an operating system and applications can be installed on the virtual machine as if it were a physical computer.
A template is a virtual machine encapsulated into a base image file and makes it possible to rapidly create new VMs. In XenServer, once a VM is converted to a template, it cannot be reverted. This limitation does not apply to Hyper-V or vSphere.
The template creation process allows you to pre-create a library of base images from which new virtual machines can be created very quickly without reinstalling the operating system or other applications. Templates can be created at any time. When templates are used to create VMs, the VMs have increased consistency and reliability across the environment.
Steps required to create a template include:
1. Create a virtual machine.
2. Install the operating system.
3. Install updates and fixes.
4. Install the hypervisor tools.
5. Run Sysprep on a VM running a Windows operating system.
6. Convert to template.
Your virtual machines are hosted using Citrix XenServer. Each virtual machine is an independent system running a guest operating system. Citrix XenCenter allows you to connect to the XenServer environment and administer your VMs. Once you are connected to your XenServer system, you will notice a list of VMs in the left pane of XenCenter. Selecting a VM will allow you to monitor and administer it. The Console tab allows you to see the desktop of the VM. You can manipulate the console window to suit your preference. Useful functions for XenCenter console screens are listed in the following table.
Control: Function
Send Ctrl+Alt+Del: Sends the Ctrl+Alt+Del sequence to the VM to access the Windows Security screen.
Alt+Shift+U: Undock or redock (separate or join console screen).
Ctrl+Alt: Toggle full-screen mode.
Scale: Scale the VM windows to fit inside the console window.
DVD Drive: Select an ISO image to insert into the DVD drive for the selected VM.
Switch to Remote Desktop/Switch to Default Desktop: Toggle between VNC connection and RDP connection. Using RDP to connect can improve the performance of the user interface.
Holding the Shift key will only capitalize the initial letter in a string of letters typed into a virtual machine. To capitalize multiple letters in succession, use the Caps Lock key.
Discussion Question
Why do you need to Sysprep a VM before converting it into a template? And, why do you need to shut down the VM before you convert the VM into a template?
Discussion Question
The hypervisor is often bundled with built-in templates. What is unique about these built-in templates? Is it possible to create a template from a running virtual machine in XenServer?
Installing Windows Server 2012 R2
A VM cannot start up without first installing an operating system on a virtual disk associated with the VM. The easiest way to install the operating system on a VM is to attach a bootable ISO and start up the VM from that ISO.
To Install the Operating System on a VM in XenServer
A virtual machine in the lab environment is pre-configured with a new install of Windows 2012 R2. The following steps were used to create the WinServer2012R2_template VM and can be used as reference.
1. Open XenCenter. Double-click Citrix XenCenter on the desktop, if XenCenter is not already open.
2. Select the virtual machine in XenCenter onto which the operating system will be installed. Click the WinServer2012R2_template VM.
3. Click the Console tab.
   If the VM fails to start, verify that the correct ISO is loaded in the DVD Drive 1 field. If the ISO image is nonbootable, the VM will not start. To correct this issue, select the correct ISO image and then click within the Console page to start the VM.
4. Select the desired language, time and currency format, and keyboard or input method, and then click Next. Verify that:
   a. English (United States) is selected in the Language to install field.
   b. English (United States) is selected in the Time and currency format field.
   c. US is selected in the Keyboard or input method field.
   d. Click Next.
5. Click Install now.
6. Select the desired operating system and then click Next. Select Windows Server 2012 R2 Standard (Server with a GUI) and then click Next. Ensure you select the Server with GUI and not the Server Core Installation option. XenApp and XenDesktop do not support the Server Core version.
7. Read and respond to the license agreement. Select I accept the license terms and then click Next.
8. Determine the type of installation to perform. Select Custom: Install Windows only (advanced).
9. Select the drive on which to install Windows and then click Next. Verify Drive 0 Unallocated Space is selected and then click Next. It will take approximately 15 minutes to install the operating system.
10. Set the local administrator password and then click Finish. Type Password1 in both the Password and Reenter password fields and then click Finish. The user name is set to Administrator and cannot be changed at this point because this is the log on for the local administrator.
11. Click Eject to the right of the DVD Drive 1 field to unload the Windows Server 2012 R2 ISO file.
12. Log on as the local administrator. Click Send Ctrl+Alt+Del (Ctrl+Alt+Insert), type Password1 in the Password field, and then press Enter.
   The Server Manager dashboard is launched automatically. This dashboard provides access to many of the setup and administrative tasks in Windows Server 2012 R2. You will be making extensive use of the Server Manager in future exercises.
13. Verify that the time is correct.
   a. Click the time in the lower-right corner of the window and then click Change date and time settings.
   b. Click Change time zone, select the correct time zone, and then click OK.
   c. Click Change date and time, change the time, and then click OK.
   d. Click OK.
   Do not change the date and time setting before adjusting the time zone, because the time will need to be adjusted again to match the new time zone.
Discussion Question
Windows Server 2012 R2 (64-bit) requires a minimum of 32 GB of hard disk space and 2048 MB of RAM. What will be the effect on performance if you increase the amount of RAM and why?
Installing Hypervisor Tools
Hypervisor tools provide high performance drivers that significantly improve disk and network performance for XenServer and vSphere VMs. Without these tools, you have limited lifecycle operations (start, stop, suspend) in the hypervisor and limited performance monitoring. You can find out if XenServer Tools are installed on a VM by looking at the Virtualization state field on the General tab for the VM. Valid states include:
• Optimized (version x installed) - the most up-to-date version of XenServer Tools is installed.
• XenServer tools not installed - XenServer Tools are not currently installed on the VM. You can click the status field to install the latest version from the XenServer Tools ISO.
• Tools out of date (version x installed) - the VM has a version of XenServer Tools installed from an earlier XenServer release.
To Install Hypervisor Tools on a VM in XenServer
1. Open XenCenter. Double-click Citrix XenCenter on the desktop, if XenCenter is not already open.
2. Select the virtual machine in XenCenter onto which XenServer Tools will be installed. Click the WinServer2012R2_template VM.
3. Log on to the VM. Log on to the VM using the Administrator and Password1 credentials, if not already logged on.
4. Insert the XenServer Tools ISO in the DVD drive. Select xs-tools.iso in the DVD Drive 1 field.
5. Click the File Explorer (folder icon) on the taskbar.
6. Double-click CD Drive (D:) XenServer Tools.
7. Click Next on the welcome screen of the XenServer Tools Wizard.
8. Read and respond to the license agreement. Select I accept the terms in the License Agreement and then click Next.
9. Specify where the XenServer Tools should be installed and then click Next. Click Next to accept the default destination folder location.
10. Click Install and then click Install Tools.
11. Determine if the VM should be restarted now. Click Restart Now.
   The XenServer Tools are not installed until the VM is restarted.
12. Log on to the VM with the local administrator credentials. Click Send Ctrl+Alt+Del, type Password1 in the Password field, and then press Enter.
13. Click Eject to remove the XenServer Tools media from DVD Drive 1.
   In this lab environment there is only one XenServer, so leaving the ISO media in DVD Drive 1 would not cause any issues. In a pooled environment, leaving an ISO image in a drive that is located on local storage would prevent that VM from running on any other server in the pool. Ejecting the ISO makes the VM agile once again.
14. Click Done to exit the installer.
15. Apply the recommended Microsoft updates to the operating system.
Discussion Question
Why is it necessary to install the hypervisor tools on a new virtual machine?
Installing the .NET Framework 3.5 Features on Server 2012 R2
Many components in our lab environment require .NET Framework 3.5 to function correctly. By installing .NET Framework on the VM before converting the VM to a template, you can avoid installing it separately, when needed.
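The feature installation described above, done from PowerShell inside the template VM, as an added example that is not part of the Citrix course. On Windows Server 2012 R2 the .NET Framework 3.5 payload is not staged on disk, so the install must point at the sources\sxs folder of the Windows ISO; the drive letter D: is an assumption (the letter DVD Drive 1 gets in this module).

```powershell
# Added example (not from the Citrix course): install .NET Framework 3.5 from the
# Windows Server 2012 R2 installation media before the VM is converted to a template.
# D: is assumed to be the drive letter of the ISO mounted in DVD Drive 1.
$SxsSource = 'D:\sources\sxs'   # assumed path to the side-by-side payload on the Windows ISO

$feature = Get-WindowsFeature -Name NET-Framework-Core
if ($feature.Installed) {
    Write-Host '.NET Framework 3.5 is already installed; nothing to do.'
    return
}

# The 3.5 payload is removed from a 2012 R2 install, so -Source must name the ISO folder.
if (-not (Test-Path -Path $SxsSource)) {
    throw "Source folder $SxsSource not found. Mount the Windows Server 2012 R2 ISO in DVD Drive 1 first."
}

$result = Install-WindowsFeature -Name NET-Framework-Core -Source $SxsSource

# Confirm the feature state rather than trusting the cmdlet's Success flag alone.
if ($result.Success -and (Get-WindowsFeature -Name NET-Framework-Core).Installed) {
    Write-Host ".NET Framework 3.5 installed. Restart needed: $($result.RestartNeeded)"
} else {
    throw ".NET Framework 3.5 installation failed (exit code $($result.ExitCode))."
}
```

Run it from an elevated PowerShell session on the VM after the Windows ISO has been inserted in DVD Drive 1; eject the ISO again afterwards for the reason given in the hypervisor tools procedure.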
Discussion Question
Many applications require the installation of a .NET Framework version. What does .NET Framework do?
Running Sysprep on the Virtual Machine
The System Preparation, or Sysprep, tool is used to change Windows VMs to a generalized state. When you use the Sysprep tool to generalize an image, Sysprep removes all system-specific information and resets the operating system. The next time the VM starts, you can add user-specific information through the Out-Of-Box Experience (OOBE). You can run Sysprep as either a command-line tool or a graphical user interface (GUI) tool. Sysprep removes any SID-related settings and allows you to rename the VM so it is not seen as a clone, but as a new entity.
To Run Sysprep on the VM in XenServer
1. Open XenCenter. Double-click Citrix XenCenter on the desktop, if XenCenter is not already open.
2. Select the virtual machine in XenCenter on which Sysprep will be run. Click the WinServer2012R2_template VM.
3. Log on to the VM. Log on to the VM using the Administrator and Password1 credentials, if not already logged on.
4. Click the File Explorer icon on the taskbar and then click This PC.
5. Browse to the C:\Windows\System32\Sysprep directory.
6. Double-click the Sysprep application to open the System Preparation Tool.
7. Verify that Enter System Out-of-Box Experience (OOBE) is selected for the System Cleanup Action.
   The System Cleanup options are OOBE and Audit mode. OOBE enables end users to customize their Windows operating system, create user accounts, select a computer name, and other tasks. Audit mode enables you to add additional drivers or applications to Windows. You can also test an installation of Windows before you send the installation to an end user.
8. Select Generalize.
   Generalize prepares the Windows installation to be imaged. Sysprep removes all unique system information from the Windows installation and resets the security ID (SID), clears any system restore points, and deletes Event Logs.
9. Select Shutdown in the Shutdown Options field.
   Shutdown Options include Quit, Reboot, and Shutdown. Quit closes the Sysprep tool without displaying onscreen confirmation messages. This option can be used if you automate the Sysprep tool. Reboot restarts the VM and is used to audit the VM and verify that the first-run experience operates correctly. Shutdown shuts down the VM after Sysprep finishes running.
10. Click OK. A window will appear indicating that Sysprep is working and then it shuts down the VM when Sysprep is completed. Sysprep will add a new SID to the VM when the VM is restarted. Do not restart the VM at this time.
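The same run as a command line, since the text notes Sysprep can be driven from the CLI as well as the GUI: an added example that is not part of the Citrix course. It maps the three GUI choices (System Cleanup Action, Generalize, Shutdown Options) to sysprep.exe switches and adds two checks the GUI does not make before it starts. The parameter names are my own.

```powershell
# Added example (not from the Citrix course): run Sysprep with the choices the GUI
# procedure makes (Enter System OOBE, Generalize, Shutdown). Run inside the template VM
# as the local administrator. Parameter names are assumptions of this example.
param(
    [ValidateSet('oobe', 'audit')]              [string] $CleanupAction  = 'oobe',
    [ValidateSet('shutdown', 'reboot', 'quit')] [string] $ShutdownOption = 'shutdown',
    [switch] $NoGeneralize    # audit-only run that keeps the SID; the default generalizes
)

$sysprep = Join-Path $env:SystemRoot 'System32\Sysprep\sysprep.exe'
if (-not (Test-Path -Path $sysprep)) { throw "Sysprep not found at $sysprep" }

# Check 1: generalize consumes one Windows rearm; with none left Sysprep fails part-way
# through, which is the "fatal error" case in the troubleshooting table below.
$lic = Get-CimInstance -ClassName SoftwareLicensingService
if (-not $NoGeneralize -and $lic.RemainingWindowsReArmCount -eq 0) {
    throw 'No Windows rearms remain; /generalize would fail. Rebuild the VM before generalizing.'
}

# Check 2: a template should be a workgroup machine; generalize strips machine identity.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is joined to $($cs.Domain); the template will not keep that membership."
}

# Map the GUI selections to sysprep.exe switches.
$switches = @("/$CleanupAction", "/$ShutdownOption")
if (-not $NoGeneralize) { $switches += '/generalize' }

Write-Host "Running: $sysprep $($switches -join ' ')"
$proc = Start-Process -FilePath $sysprep -ArgumentList $switches -PassThru -Wait
if ($proc.ExitCode -ne 0) {
    throw "Sysprep exited with code $($proc.ExitCode). Check $env:SystemRoot\System32\Sysprep\Panther\setuperr.log."
}
# With /shutdown the VM powers off here. Do not start it again before converting it to a template.
```

Called with no arguments it reproduces steps 7 through 10 exactly; `-ShutdownOption reboot` is the audit run the text describes under Shutdown Options, and `-NoGeneralize` is only for that audit run, since a template must have been generalized.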
Discussion Question
What should you take into account when specifying the amount of memory to assign to a VM or VM template?
Creating the Template
A VM template contains preconfigured hardware and software settings. A VM template can be used to create new VMs with the same settings quickly and easily. Once a VM is converted to a template, it cannot be reverted back to a VM.
To Create a Template in XenServer
1. Open XenCenter. Double-click Citrix XenCenter on the desktop, if XenCenter is not already open.
2. Select the virtual machine in XenCenter on which Sysprep was run. Click the WinServer2012R2_template VM. Do not start the VM. Starting the VM will undo Sysprep and you will need to rerun Sysprep before you convert the VM to a template.
3. Right-click the VM that you want to make a template and then click Convert to Template. Right-click the WinServer2012R2_template VM and then click Convert to Template.
4. Click Convert to begin the process.
   When conversion is complete, the VM disappears from the Resources pane and reappears as a new custom template at the bottom of the pane. The new custom template can now be used to create new VMs in the same way as any other template.
Discussion Question
Which virtual machines can be used to create additional virtual machines?
Troubleshooting Hypervisor Setup Issues
The following table provides resolutions for hypervisor setup issues.
Issue: VMs can communicate with each other but not with the hypervisor.
Resolution:
• The VMs have private or cross-private networks. Attach a network to the VM that can communicate with the hypervisor.
• The DHCP service is offline and the VMs are configured for DHCP. Turn the DHCP service on.
Issue: The management console does not connect to the host.
Resolution:
• Use ping to test the connectivity between the XenCenter computer and the XenServer host. If the ping fails, correct the network settings.
• Ensure that:
  • The host name or IP address of the XenServer host is correctly specified.
  • The administrator credentials for the XenServer host are correctly specified.
Issue: The option to install XenServer Tools on a virtual machine is unavailable.
Resolution: XenServer Tools are already installed on the virtual machine.
Issue: You receive a fatal error message when attempting to run the Sysprep tool.
Resolution: The VM is corrupted. This error message is designed to prevent the deployment of a corrupted VM. You cannot correct the problem within the VM; you must recreate the VM.
Reinforcement Exercise: Creating a Windows 7 Template
During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you must use what you have learned to complete it. This exercise is designed to take your newly acquired knowledge and discover if you can perform a task you have never done before. You are encouraged to try things out. If you have a question or need help, ask the instructor or a fellow student for assistance.
Approximate time to complete: 20 minutes
In this module, you learned how to:
• Install XenServer.
• Install and configure the XenCenter management console.
• Configure XenServer.
• Create a virtual machine template.
Now you are ready to see if you can apply what you have learned.
To complete this exercise, you must:
1. Use the existing Windows 7 (32-bit) VM called Win7_template to create a new Windows 7 32-bit template.
2. Install the hypervisor tools on the virtual machine.
3. Make sure to set the time on the VM to the current date and time.
   If the time is not set properly, this may create future lab problems for any VMs created from this template. XenServer stores a time offset for each VM, so the incorrect time will persist.
4. Run Sysprep.
5. Convert the virtual machine into a template named Win7_template so it can be used to build additional virtual machines.
It is not necessary to install .NET 3.5 Framework on this template.
3
Module 3
Setting Up the Infrastructure Components
Setting Up the Infrastructure Components
Overview
The infrastructure on which Citrix components will be installed plays a key role in the success of a XenApp and XenDesktop implementation. At a minimum, the infrastructure components required are:
• Domain Controller
• Domain Name Services (DNS) server
• Dynamic Host Configuration Protocol (DHCP) server
• Certificate Authority (CA)
• File Server
• SQL Server
You may need to install and configure additional components to support your specific organizational needs. After completing this module, you will be able to:
• Set up and configure a domain controller and DNS.
• Configure a Dynamic Host Configuration Protocol (DHCP) server.
• Configure a private Certificate Authority server.
• Set up and configure a file server.
• Set up and configure SQL Server mirroring.
Module timing: 4.0 hours
During this module, you will be performing procedures in XenCenter. You will be instructed when to start VMs. At the beginning of this module, the VMs should be in the following state:
• DomainController-1 = On
• All other VMs = Off
Setting Up the Domain Controller
At least one domain controller must exist in an environment before XenApp and XenDesktop can be configured. Domain controllers are used to store and manage settings that enforce authentication, authorization, auditing, and accounting. All infrastructure servers should be joined to a domain.
A server running Active Directory functions as a domain controller and relies on a properly configured DNS. With DNS installed, the domain controller provides both domain name resolution services as well as directory services.
A domain controller should be a dedicated server. Do not install any XenApp and XenDesktop component or SQL Server on a domain controller.
Active Directory Domain Services
Administrators can use Active Directory Domain Services (AD DS) to organize elements of a network such as end users, computers, and other devices into a hierarchical containment structure. This structure includes: the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. When you want to create a new forest, domain, or additional domain controller in an existing domain, install AD DS on the server. The AD DS role should be added before any XenApp and XenDesktop components are installed in the environment. As part of the AD DS role installation, you should configure DNS. DNS is a service that translates domain names into IP addresses in an environment. Once the AD DS role is installed, the name of the server should not be changed. Doing so could be problematic and could impact the performance of the domain controller for up to 24 hours.
You should install and configure multiple domain controllers in a XenApp and XenDesktop environment. When multiple domain controllers exist, they synchronize their information and provide high availability to optimize Active Directory functionality.
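The AD DS role installation and DNS configuration described above, scripted with the ServerManager and ADDSDeployment modules, as an added example that is not part of the Citrix course (the lab's DomainController-1 is pre-built). It checks the two conditions the text states, that the server name is final and that no XenApp and XenDesktop or SQL Server component shares the box, before promoting. Training.lab, TRAINING and DomainController-1 are the lab values used in this module; the service-name patterns are assumptions.

```powershell
# Added example (not from the Citrix course): install the AD DS role with its management
# tools and promote this server to the first domain controller of a new forest, installing
# DNS in the same step. Lab values: Training.lab / TRAINING / DomainController-1.
$DomainName   = 'Training.lab'
$NetbiosName  = 'TRAINING'
$ExpectedHost = 'DomainController-1'

# The server name must be final before the role goes on; it should not change afterwards.
if ($env:COMPUTERNAME -ne $ExpectedHost) {
    throw "This server is named $env:COMPUTERNAME; rename it to $ExpectedHost and reboot before promoting it."
}

# A domain controller should be dedicated: stop if SQL Server or Citrix services are present.
# (Service-name patterns are an assumption of this example.)
$foreign = Get-Service | Where-Object { $_.Name -like 'MSSQL*' -or $_.DisplayName -like 'Citrix*' }
if ($foreign) {
    throw "Remove these services before promotion: $(($foreign | ForEach-Object DisplayName) -join ', ')"
}

# Directory Services Restore Mode password: prompted, never written into the script.
$dsrmPassword = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString

# Role first (idempotent), then promotion; ADDSDeployment only exists once the role is installed.
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) { throw 'AD DS role installation failed.' }

Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -InstallDns `
    -ForestMode Win2012R2 `
    -DomainMode Win2012R2 `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force
# -Force suppresses the confirmation prompts; the server reboots when promotion finishes.

# After the reboot, confirm the DC and the DNS records it depends on:
#   Get-ADDomainController -Identity $env:COMPUTERNAME
#   Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
```

The forest and domain functional levels are set to the operating system level of this module; lower them only if older domain controllers must be added later.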
Discussion Question
XenApp and XenDesktop can be used with domain controllers running which versions of Windows Server?
Why should you use Active Directory Domain Services with XenApp and XenDesktop?
Troubleshooting AD DS Installation Issues
The following table identifies common AD DS installation issues and resolutions.
Issue: After installing the domain controller VM, you do not see the Promote this server to domain controller link in Server Manager.
Resolution: There may be critical alerts that need to be attended to before the link appears. Click the red flag in Server Manager to view the alerts and get additional information.
Issue: The installation of roles and features fails.
Resolution:
• Click the red flag in the Server Manager window to view messages. Reinstall the roles and features using Server Manager after all critical alerts have been addressed.
• Ensure that all the required source files are on the server.
Issue: You cannot add servers to the domain.
Resolution:
• The installation of the AD role has not completed.
• The administrator account being used to add the servers to the domain does not have domain administrator rights.
Creating Organizational Units
Organizational units are Active Directory containers into which you can organize end user accounts, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains. OUs are the smallest unit to which you can assign Group Policy settings. All required OUs have been pre-created in our lab environment.
This graphic shows the organizational units configured for use in the lab environment.
A well-designed organizational unit (OU) structure is an important piece of a XenApp and XenDesktop environment.
To Create Organizational Units for a XenApp and XenDesktop Implementation
This procedure is for informational purposes only. All organizational units required in the lab environment have been pre-created. You do not need to perform this procedure in class.
1. Log on to the domain controller with the domain administrator credentials.
2. Click Tools in the upper-right corner of the Server Manager window and then click Active Directory Users and Computers.
   If the Server Manager does not appear, move the mouse pointer to the lower-left corner of the taskbar and then click the Server Manager icon that resembles a server tower and toolbox.
3. Right-click the domain and then click New > Organizational Unit to create the organizational units for the infrastructure servers and virtual desktops in the environment.
4. Type a name for the organizational unit in the name field and then click OK.
5. Close Active Directory Users and Computers after all OUs have been created.
Discussion Question
What are some benefits of using OUs?
Adding Users and Groups
A group is a collection of end user and computer accounts, contacts and other groups that can be managed as a single unit. End user accounts and computers that belong to a particular group are referred to as group members. Once end user accounts and groups are created in Active Directory, they can be granted or denied access to services, desktops, and applications. When assigning permissions to resources, assign them to groups rather than individual end-user accounts. If you assign permissions to groups, assignments are updated automatically when you add or remove end-user accounts from the group. When permissions are assigned to groups, enumeration is more efficient than when they are assigned to individual end-user accounts and objects.
To Create End-User Accounts and Groups Many of the end-user accounts required in the lab environment have been pre-created. You will use the following procedure to create two new accounts for administrators at Training. 1.
Log on to the first domain controller using local administrator credentials. Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2.
Click Tools in the upper-right corner of the Server Manager window and then click Active Directory Users and Computers. If the Server Manager does not appear, move the mouse pointer to the lower-left corner of the taskbar and then select the Server Manager icon.
N
3.
Browse to the OU containing your domain users.
ot
Double-click Training.lab > Training Users and then double-click IT.
fo
4.
Right-click the OU and then click New > User to create a new end-user account.
es
rr
Right-click the IT OU and then click New > User.
5.
e
al
You can right-click an OU and then click New > Group to add new groups. This isn't necessary in our lab environment, because all required groups have been pre-created. The pre-created groups are: Accounting, Contractors, Human Resources, and IT. Specify the details for the user account in the New Object - User window and then click Next.
or
Type Admin1 in the First Name field and in the User Logon name field and then click Next. Type the password for the new user account in the Password and Confirm password fields.
st di
6.
Type Password1 in both the Password and Confirm password fields.
Select the desired password behaviors, click Next, and then click Finish.
rib
7.
ut
Deselect User must change password at next logon, select Password never expires, click Next and then click Finish.
n
io
In most cases, you should not select Password never expires. Additionally, if you create an account for an end user, it is recommended to leave the User must change password at next logon option selected. This allows the account password to be known only by the end user and not by IT. 8.
Right-click the newly created end-user account and then click Add to a group. Right-click Admin1 in the IT OU and then select Add to a group.
9.
Type the name of the group to which this end user will be a member in the Enter the object names to select field. Type Domain Admins in the Enter the object names to select field.
10. Click Check Names and then click OK twice. You can add multiple groups at the same time by using a semicolon to separate each group name.
11. Right-click the newly added end user account and then click Copy to use it as a template to create a new account.
   Right-click Admin1 and then click Copy.
12. Specify the details that are different for the new user account in the New Object - User window and then click Next.
   Type Admin2 in the First Name field and in the User Logon name field and then click Next.
13. Type a password for the new account in the Password and Confirm password fields and then click Next.
   Type Password1 in both the Password and Confirm password fields and then click Next. The desired password behavior is already configured to match the account from which the copy was made.
14. Click Finish.
15. Double-click the group to which the newly created accounts were added.
   Click Users and then double-click Domain Admins.
16. Select the Members tab and verify that the accounts were added to the group.
   Select the Members tab and verify that the Admin1 and Admin2 accounts are present.
   These new administrator accounts now have the same domain administrator rights as the TRAINING\Administrator account.
17. Click Cancel to close the properties window.
18. Click the X in the corner of the Active Directory Users and Computers window to close the window.

Discussion Question
When providing end users with access to resources, why is it better to specify groups rather than individual end-user accounts?
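The same account creation done with the ActiveDirectory PowerShell module, followed by the check that steps 15 and 16 perform by hand. This is an added example, not code from the Citrix course; it assumes the RSAT ActiveDirectory module is available on the domain controller and that the IT OU sits at the root of Training.lab (the distinguished name below is an assumption about the lab layout).

```powershell
# Added example, not part of the Citrix course: creates the two lab
# administrator accounts with the ActiveDirectory module and then audits the
# result. Assumes the RSAT ActiveDirectory module on the domain controller and
# that the IT OU sits at the root of Training.lab (the DN below is an assumption).
Import-Module ActiveDirectory

$ouPath   = 'OU=IT,DC=Training,DC=lab'           # assumed DN of the IT OU
$password = Read-Host -AsSecureString -Prompt 'Password for Admin1 and Admin2'

foreach ($name in 'Admin1', 'Admin2') {
    New-ADUser -Name $name -GivenName $name -SamAccountName $name `
        -UserPrincipalName "$name@Training.lab" -Path $ouPath `
        -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true   # lab-only flags (steps 7 and 13)
    Add-ADGroupMember -Identity 'Domain Admins' -Members $name        # step 9
}

# Check, equivalent to steps 15 and 16: list the members of Domain Admins and
# show which of them have a password that never expires. In production that
# combination is what an audit should surface, since the note under step 7
# says not to set it.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet |
    Sort-Object PasswordNeverExpires -Descending |
    Format-Table -AutoSize
```

The password is prompted for rather than written into the script; the audit query at the end can be run on its own at any time to review who holds domain administrator rights.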
Configuring Policies Using Group Policy
Policies can be set and applied using the Microsoft Group Policy Management Console. Group Policy Objects (GPOs) are created to hold policies and settings which will be applied to end users or computers. The GPOs are then linked to either the domain, organizational unit (OU) or site.
You should use GPOs linked to the domain mainly for policies that must be applied to all end users and computers in order to comply with corporate security policies, industry-specific best practices, or general security best practices.
The majority of GPOs will be linked to OUs rather than directly to the domain. The policy then will apply only to the end users or computers within that OU or any child OUs. Policies are inherited from the parent of an object. All OUs, by default, inherit GPOs linked to the domain as the domain is the parent of all OUs.
GPOs are the most efficient and consistent method of controlling connection, security, and bandwidth settings. You can create them for specific groups of end users, devices, or connection types. Each GPO can contain multiple settings.
Citrix HDX policies can be managed through both Group Policy Objects in Microsoft Windows or within the Citrix Studio console in XenApp and XenDesktop. The console or tool you use depends on whether you have the appropriate permissions to manage GPOs, where policies will be stored, and how policies will be maintained. Using Group Policy Objects is usually preferred over creating policies in Citrix Studio when it is organizationally possible to do so.
To Configure Policies Using Group Policy
1. Log on to the first domain controller using domain administrator credentials.
   Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in the Server Manager and then click Group Policy Management.
   You can use a non-administrative account that has Group Policy edit permissions or use Run as administrator to give you higher-level permissions when creating policies. In this lab, you will use a domain administrator account to create the group policies.
3. Browse to the domain and create a policy to configure the Account Lockout settings.
   Browse to Forest: Training.lab > Domains > Training.lab.
4. Right-click the domain and then click Create a GPO in this domain, and Link it here.
   Right-click the Training.lab domain and then click Create a GPO in this domain, and Link it here.
5. Name the policy and then click OK.
   Type Account Lockout in the Name field and then click OK.
6. Right-click the new policy and then click Edit.
   Click the Linked Group Policy Objects tab, right-click the Account Lockout policy and then click Edit.
7. Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
8. Configure the Account Lockout setting.
   a. Double-click Account lockout threshold.
   b. Select Define this policy setting.
   c. Type 3 in the invalid logon attempts field.
   d. Click OK.
   e. Click OK in the Suggested Value Changes window to accept the suggested lockout duration of 30 minutes.
9. Close the Group Policy Management Editor.
10. Browse to the OU containing your virtual desktops.
   Double-click Forest: Training.lab > Domains > Training.lab > Training Virtual Desktops.
   In many cases it is preferable to link a GPO to a specific OU rather than to the entire domain. For example, if there is a setting that you want to apply to all infrastructure servers, you could apply the policy to the OU that contains only the infrastructure servers.
11. Right-click the OU for the virtual desktops and then click Create a GPO in this domain, and Link it here.
   Right-click Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.
12. Type a name for the policy in the Name field and then click OK.
   Type Enable User Group Policy Loopback Processing in the Name field and then click OK.
13. Right-click the new policy and then click Edit.
   Right-click the Enable User Group Policy Loopback Processing policy and then click Edit.
14. Click Computer Configuration > Policies > Administrative Templates > System > Group Policy.
15. Double-click Configure user Group Policy loopback processing mode.
   To reorder the Group Policy settings so that they appear in alphabetical order, click the Setting heading in the right pane.
16. Select Enabled and then select Merge in the Mode field.
17. Click OK.
18. Close the Group Policy Management Editor.
19. Close the Group Policy Management Console.
This setting will be needed by other GPOs you will create, such as the one for folder redirection. GPOs, by default, only apply to end users or computers in the OU they are linked to or child OUs. User Group Policy Loopback Processing is a way to link GPOs with user settings to an OU containing computer objects and have the settings apply to end users who log on to those computers. It will only be applied to the end users when they log on to computers in that OU. This is different from having a GPO with end user settings linked to the OU containing the end user object because in that scenario, the policy would be applied to the end user regardless of which computer is being logged on to.
To ensure that the policy is applied to a specific computer or end user, you can run the gpupdate /force command from a command prompt on that computer.
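The loopback GPO from steps 11 to 17 created and linked with the GroupPolicy module, plus two checks on what the procedure produced. This is an added example, not code from the Citrix course. It assumes the RSAT GroupPolicy and ActiveDirectory modules, and that the Training Virtual Desktops OU sits at the domain root (its distinguished name is an assumption); the registry value that backs the loopback setting is the real one the Administrative Template writes.

```powershell
# Added example, not part of the Citrix course: creates and links the loopback
# GPO from the procedure above, sets Merge mode, then reads back what is linked
# to the OU and the effective domain lockout settings. Assumes the RSAT
# GroupPolicy and ActiveDirectory modules; the OU DN is an assumption.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDn    = 'OU=Training Virtual Desktops,DC=Training,DC=lab'   # assumed DN
$gpoName = 'Enable User Group Policy Loopback Processing'

# Create the GPO only if it does not exist yet, then link it to the desktop OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# "Configure user Group Policy loopback processing mode" is stored as
# HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode:
# 1 = Replace, 2 = Merge (step 16 selects Merge).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Check 1: the GPOs linked to the OU, in precedence order, with their state.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# Check 2: the lockout settings in force for the domain. The domain-linked
# "Account Lockout" GPO (threshold 3, duration 30 minutes) is reflected here
# once the domain controllers have applied it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Account Lockout Policy itself lives in the GPO's security template rather than the registry, so it is not set with Set-GPRegistryValue; the script only reads the resulting domain values back.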
Discussion Question
By default, how often does Active Directory refresh Group Policies for computers and end users?
Securing Service Accounts
A service account is a machine account used by a server, service, or program. Once a service account is created, it should be secured to prevent service outages caused by security policies being applied to a service account inappropriately and to avoid creating a larger attack surface for your network. Your organization can set a password change policy for service accounts, but procedures should be put in place to change passwords in a way that does not cause service outages.

To Secure a Service Account
This procedure is for informational purposes only. The Service Accounts - Deny logon locally policy is preconfigured in the lab environment. The following steps were used to create the policy and can be used as reference. You do not need to perform this procedure in class.
1. Log on to a domain controller using domain administrator credentials.
   Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in Server Manager and then click Active Directory Users and Computers.
3. Browse to the domain name in the left pane.
   Click Training.lab in the left pane.
4. Create a group to which all service accounts will be added and then click OK.
   a. Browse to the Training Service Accounts OU.
   b. Verify that the Service Accounts group exists.
   c. Close the Active Directory Users and Computers window.
5. Click Tools in the top-right corner of the Server Manager window and then click Group Policy Management.
   The Service Accounts - Deny Logon Locally policy, which disallows the right to log on locally using any account that is a member of the Service Accounts group, has already been created.
6. Right-click the domain name and then click Create a GPO in this domain, and Link it here.
   Right-click Training.lab and then click Create a GPO in this domain, and Link it here.
7. Name the newly created policy and then click OK.
   Type Service Accounts - Deny logon locally as the name and then click OK.
8. Right-click the newly created policy and then click Edit.
   Right-click Service Accounts - Deny logon locally and then click Edit.
9. Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
10. Double-click Deny log on locally and then click Define these policy settings.
11. Click Add User or Group and then click Browse.
12. Type the name of the group that contains the service accounts and then click Check Names.
   Type Service Accounts in the Enter the object names to select field and then click Check Names.
13. Click OK three times.
14. Close the Group Policy Management Editor and Group Policy Management Console.
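A check that the policy above actually took effect on a computer, rather than just existing in Group Policy Management. This is an added example, not code from the Citrix course. It exports the security policy as applied to the local machine with secedit and reads the Deny log on locally assignment (internal name SeDenyInteractiveLogonRight); it assumes an elevated session on a domain member and the RSAT ActiveDirectory module for the group lookup at the end.

```powershell
# Added example, not part of the Citrix course: confirms on a domain member that
# the effective "Deny log on locally" right includes the Service Accounts group.
# secedit exports the policy as applied to this computer; the right's internal
# name is SeDenyInteractiveLogonRight and domain principals appear as *SID.
# Assumes an elevated session and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$groupName = 'Service Accounts'

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$entry = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force

$principals = @()
if ($entry) {
    $principals = ($entry -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $token = $_.Trim()
        if ($token.StartsWith('*')) {
            # Translate the SID back to DOMAIN\name; keep the raw SID if it no longer resolves.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($token.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $token
        }
    }
}

"Deny log on locally is assigned to: $($principals -join ', ')"
$present = [bool]($principals | Where-Object { $_ -like "*\$groupName" })
"$groupName covered by the right: $present"

# The right only matters for the group's members, so list who is in it.
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName, objectClass
```

An unresolvable SID in the output usually means a group that was deleted after the policy was written; the right is then assigned to nothing and should be cleaned up.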
Discussion Question
John configured a GPO to "Allow log on locally" and then applied it to the Everyone group. Kelly configured a GPO to "Deny log on locally" and then set it for the Service Accounts group. What effect will these group policies have on the Everyone and Service Accounts groups?
Setting Up the Dynamic Host Configuration Protocol
All devices in the XenApp and XenDesktop environment require an IP address in order to communicate with other resources in the environment. You can manually configure each device with an IP address, but the task quickly becomes unmanageable as devices enter and leave the environment. To facilitate the distribution of IP addresses to new devices in the environment and to reclaim IP addresses from devices no longer in the environment, you can configure the Dynamic Host Configuration Protocol (DHCP). DHCP automatically provides a unique IP address to each device in the network from a pool of IP addresses. Each IP address distributed by DHCP is leased for a period of time to that device. When the lease period expires, the IP address is automatically returned to the pool. In our lab environment, you are assigning all infrastructure components a static IP address. DHCP will be used to provide internal endpoints and virtual desktops with IP addresses.

Installing and Configuring the DHCP Role
DHCP can be implemented as a Linux appliance or added as a role on a Windows server. With the exception of the DNS role, domain controllers should not host other roles. After the DHCP service is installed, configurations can include setting up one or more scopes and a scope or server options. The range of IP addresses that are available to be leased is called a scope. One scope should be set up for each subnet in the environment.
In our lab environment, the DHCP role is pre-configured on the domain controller to accommodate lab environment constraints.

Troubleshooting DHCP Installation Issues
The following table identifies DHCP installation issues and resolutions.
Issue: All end users are experiencing slow start times.
Resolution: Check the DNS entries for errors.
Issue: IP address conflicts appear.
Resolution: Determine if a statically assigned IP address is not properly excluded from the scope or if someone has statically assigned an IP address that has already been assigned to another server.
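A scope set up the way the section describes, one per subnet with the static infrastructure addresses excluded, and the check a practitioner runs when the second row of the table appears. This is an added example, not code from the Citrix course; it assumes the DhcpServer PowerShell module on a Windows DHCP server, and the subnet 192.168.10.0/24 and every address in it are constructed sample values, not the lab's.

```powershell
# Added example, not part of the Citrix course: creates one scope for a subnet,
# excludes the statically assigned infrastructure range from it, and lists the
# addresses that clients have declined. Assumes the DhcpServer module on a
# Windows DHCP server. The subnet 192.168.10.0/24 and every address below are
# constructed sample values, not the lab's.
Import-Module DhcpServer

$scopeId = '192.168.10.0'
Add-DhcpServerv4Scope -Name 'Endpoints and virtual desktops' `
    -StartRange 192.168.10.1 -EndRange 192.168.10.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 1) -State Active

# Infrastructure servers keep static addresses in .1-.50; excluding that block
# from the pool is what prevents the "IP address conflicts appear" row above.
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 192.168.10.1 -EndRange 192.168.10.50

# Scope options handed to every client: default gateway, DNS server, DNS suffix.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router 192.168.10.1 `
    -DnsServer 192.168.10.10 -DnsDomain 'Training.lab'

# Second line of defence: have the server probe an address before offering it.
Set-DhcpServerv4Setting -ConflictDetectionAttempts 2

# Check: a client that detects a conflict declines its lease and the server
# keeps the address as a BAD_ADDRESS entry in the Declined state. Anything
# listed here is an address someone assigned statically inside the pool.
Get-DhcpServerv4Lease -ScopeId $scopeId -AllLeases |
    Where-Object { $_.AddressState -eq 'Declined' } |
    Select-Object IPAddress, ClientId, LeaseExpiryTime, AddressState
```

Conflict detection adds a short delay to every offer, so two attempts is a reasonable ceiling; the real fix for a declined address is to move the static device into the exclusion range, not to widen detection.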
Setting Up a Certificate Authority
You can use certificates from a public or private Certificate Authority (CA) to secure the communications in your XenApp and XenDesktop deployment. You should use a:
• Public Certificate Authority: When communications need to be secured between the internal network and an external network, a public certificate must be requested and purchased from a public CA such as VeriSign. An external or public certificate should be acquired before remote access to the environment is configured. When a public certificate is used, the following occurs:
  • The public CA issues the certificate.
  • The certificate is installed on an externally-accessible service or Web server.
  • The certificate is used by the externally-accessible service or Web server to secure its communications.
  • The client makes sure the certificate is authentic by verifying it was legitimately issued by a CA it trusts.
• Private Certificate Authority: When communications need to be secured within the internal network, a private CA can be implemented by installing the Certificate Authority role on a server in the environment.

Installing the Certificate Services Role
Installing the Active Directory Certificate Services role allows you to add the Certification Authority and the Certification Authority Web Enrollment features that are part of your public key infrastructure (PKI) and bind the public key with the user identity for the digital certificate.

To Install the Certificate Authority
1. Log on to the server that will host the Certificate Authority using your domain administrator credentials.
   Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Add roles and features in the Server Manager.
3. Click Server Selection and then click Server Roles in the left pane.
4. Select Active Directory Certificate Services.
5. Click Add Features and then click Next.
6. Select the desired features on the Select features page and then click Next.
   Click Next to accept the defaults.
7. Click Next on the Active Directory Certificate Services page.
8. Verify that Certification Authority is selected and then select Certification Authority Web Enrollment.
9. Click Add Features and then click Next.
10. Click Next on the Web Server Role (IIS) page.
11. Select the role services to install and then click Next.
   Click Next to install the default role services.
12. Click Install to begin the installation of the role.
   This installation may take several minutes.
13. Click Close when the installation completes.
14. Click the yellow warning icon at the top of the Server Manager.
15. Click Configure Active Directory Certificate Services on the destination server.
   The AD CS Configuration wizard may launch behind the Server Manager window.
16. Verify that the correct domain administrator account name appears in the Credentials field and then click Next.
   Verify that TRAINING\Administrator appears and then click Next.
17. Select Certification Authority and Certification Authority Web Enrollment and then click Next.
18. Select the setup type and then click Next.
   Select Enterprise CA as the setup type and then click Next.
19. Select the certificate type and then click Next.
   Select Root CA and then click Next.
20. Specify whether to use an existing private key or to create a new one and then click Next.
   Select Create a new private key and then click Next.
21. Select the hash algorithm to use for signing certificates and the key length and then click Next.
   Verify SHA1 is selected for the hash algorithm and 2048 is entered for the key length and then click Next.
22. Specify a name for the Certificate Authority and then click Next.
   Use the default value for the CA name and then click Next.
23. Specify the validity period for the certificates and then click Next.
   Accept the default expiration period and then click Next.
24. Specify a location for the certificate database and then click Next.
   Accept the default database location and then click Next.
25. Review the CA settings and then click Configure on the Confirmation screen.
26. Click Close when the configuration is completed.
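Steps 2 to 26 as a script, using the role installation and AD CS deployment cmdlets. This is an added example, not code from the Citrix course. It assumes a domain-joined Windows Server and a session running as an enterprise administrator; the CA name is a placeholder (the lab accepts the wizard's default). Where the lab keeps SHA1 in step 21, the script selects SHA256: current browsers and Windows reject SHA1-signed certificates, and a CA's signing algorithm is costly to change after it has issued certificates.

```powershell
# Added example, not part of the Citrix course: installs the AD CS role services
# and configures an enterprise root CA with Web Enrollment. Assumes a
# domain-joined server and an enterprise administrator session. The CA common
# name is a placeholder. SHA256 is used instead of the lab's SHA1 (see lead-in).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

$caSettings = @{
    CAType              = 'EnterpriseRootCA'                           # steps 18 and 19
    CACommonName        = 'Training-Root-CA'                           # placeholder name
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider' # step 20, new key
    KeyLength           = 2048                                         # step 21
    HashAlgorithmName   = 'SHA256'                                     # step 21 (lab: SHA1)
    ValidityPeriod      = 'Years'                                      # step 23
    ValidityPeriodUnits = 5
    Force               = $true
}
Install-AdcsCertificationAuthority @caSettings
Install-AdcsWebEnrollment -Force

# Checks: the CA service is running, the CA answers requests, and its root
# certificate is in the machine's Trusted Root store (an enterprise CA publishes
# it there through Active Directory).
Get-Service CertSvc | Select-Object Status, Name
certutil -ping
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$($caSettings.CACommonName)*" } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'Signature'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-List
```

The last command shows the signature algorithm of the root certificate, which is the quickest way to confirm which hash the CA was configured with before any certificates are issued from it.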
Discussion Question
What two components are required for SSL encryption? How does the client determine whether to trust the server certificate? Which kind of certificate would need to be installed to allow for communication between an internal endpoint and StoreFront?
Setting Up the File Server
A file server provides a central location on your network where you can store your end-users' intellectual property. Shares can be created to allow end users to share files with other end users across your network. When end users require an important file such as a project plan, they can access the file stored on the file server from a XenApp and XenDesktop resource.

Creating a Computer Account for a New VM
Every component in an implementation should have an account created in Active Directory. This account can be created before the component is created or after. Creating the account prior to creating the component eliminates the need to go back and move the component into the proper OU later.

To Create a Computer Account
The computer account for the file server has already been created in the lab environment. These steps are provided for informational purposes only. You do not need to complete this procedure in the lab environment.
1. Log on to the domain controller with domain administrator credentials.
2. Click Tools in the upper-right corner of the Server Manager window and then select Active Directory Users and Computers to create a computer account for the server in the proper OU in Active Directory.
3. Expand the domain and browse to the OU that will host the server.
4. Right-click the OU and then select New > Computer.
5. Type a name for the server in the Computer name field and then click OK.
Doing this before you create the server VM will prevent you from having to go back to the domain controller after joining the server to the domain in order to move the computer account into the proper OU.
Creating the VM
In order to virtualize a server or a desktop, a VM must be created that identifies the number of virtual CPUs, amount of memory, network interface cards (NICs), and hard drive space allocated to it. In addition, an operating system must be installed on the VM, network settings must be configured, and the VM must be joined to the domain.
If a built-in template is used to create the VM, then you must install an operating system on the VM before it can be used. If a custom template is used, then the operating system may already be installed on the VM during the custom template creation process. The following procedure assumes that a custom template was used. The steps for creating a VM are the same regardless of the purpose of the VM. However, the steps can vary based on the operating system installed on the VM. The following procedure can be used to create additional VMs for the environment.

To Create a VM Using a Custom Template
The file server VM has already been created in the lab environment to save time. These steps are provided for informational purposes only. You do not need to complete this procedure in the lab environment.
1. Right-click a custom template containing the desired operating system in XenCenter and then select New VM wizard.
2. Verify that the appropriate template is selected and then click Next.
3. Provide a name for the virtual machine and then click Next.
   This name will appear in XenCenter. Use a name that helps you identify its purpose.
4. Set the DVD drive selection to … and then click Next.
5. Determine if the VM will be assigned to a home server and then click Next.
6. Specify the number of vCPUs and memory to allocate and then click Next.
7. Configure the storage settings and then click Next.
8. Configure the network settings and then click Next.
9. Verify that Start the new VM automatically is selected and then click Finish.
10. Select the new VM and then click the Console tab in XenCenter.
   Wait while the VM goes through its initial startup.
11. Read and respond to the license terms.
12. Configure the region and language settings for this computer and then click Next.
13. Type the password for the local administrator and then click Finish.
14. Click Send Ctrl+Alt+Del and then log on using the local administrator credentials.
15. Move your mouse pointer to the bottom-right corner of the taskbar to display the Charms bar and then click Search.
16. Type Control and then select Control Panel.
17. Click Network and Internet, click Network and Sharing Center, and then click Ethernet.
18. Click Properties in the Ethernet status page and then double-click Internet Protocol Version 4 (TCP/IPv4).
19. Select Use the following IP address and then type the appropriate values into the fields.
20. Click OK two times and then click Close.
21. Click Control Panel Home in the Network and Internet window.
22. Click System and Security and then click System.
23. Click Change settings in the Computer name, domain, and workgroup settings section, and then click Change in the System Properties window.
24. Change the computer name to a name consistent with your corporate naming scheme.
25. Click Domain, type the name of the domain, and then click OK.
26. Type the domain administrator credentials into the appropriate fields and then click OK.
27. Click OK in the Welcome to the domain message.
28. Click OK and then click Close.
29. Click Restart Now.
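Steps 17 to 29 above, the network configuration and domain join, as a script run in the new VM's console as the local administrator. This is an added example, not code from the Citrix course. The adapter alias and the IP addresses are placeholders; Training.lab and FS-1 are the names the lab uses; the DNS check before the join is an addition that the wizard does not perform.

```powershell
# Added example, not part of the Citrix course: steps 17 to 29 of the procedure
# above as a script, run in the new VM as the local administrator. The adapter
# alias and all addresses are placeholders; Training.lab and FS-1 are lab names.
$alias = 'Ethernet'

# Steps 17 to 20: static IPv4 address, default gateway and DNS server.
New-NetIPAddress -InterfaceAlias $alias -IPAddress 192.168.10.20 `
    -PrefixLength 24 -DefaultGateway 192.168.10.1 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses 192.168.10.10

# Check before joining: the domain's DC locator record must resolve from this
# DNS server, otherwise the join in the next step fails with a DNS error.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.Training.lab' -Type SRV | Format-Table -AutoSize

# Steps 24 to 29: rename, join the domain and restart. Credentials are prompted
# for rather than written into the script. Because the computer account was
# pre-created in the right OU (previous procedure), no -OUPath is given: the
# join attaches to the existing account, so nothing has to be moved afterwards.
$cred = Get-Credential -UserName 'TRAINING\Administrator' -Message 'Domain administrator credentials'
Add-Computer -DomainName 'Training.lab' -NewName 'FS-1' -Credential $cred -Restart
```

If the SRV lookup returns nothing, fix the DNS server address before attempting the join; a machine that cannot locate a domain controller will not be able to authenticate the credentials it is given.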
Adding the File Server Role
The File Server role manages shared folders and enables end users to access files on this server from the network.

To Add the File Server Role to a VM
1. Start the file server.
   Right-click FileServer-1 and then click Start.
2. Log on to the file server using domain administrator credentials.
   Log on to FileServer-1 using the TRAINING\Administrator and Password1 credentials.
3. Click Add roles and features in the Server Manager to open the Add Roles and Features wizard.
   Click the Server Manager icon in the taskbar, if Server Manager is not already open.
4. Click Next in the Before You Begin page.
5. Select the type of installation that will be used to configure the server and then click Next.
   Verify that Role-based or feature-based installation is selected and then click Next.
   The role or feature-based installation option is used to configure a single server. The Remote Desktop Services installation option is used for a Virtual Desktop Infrastructure (VDI) to create a virtual machine-based or session-based desktop deployment.
6. Verify that Select the server from the server pool and that the proper destination server are selected and then click Next.
   Verify that Select the server from the server pool and FS-1.Training.lab are selected and then click Next.
   The destination server can be a server from the server pool or a virtual hard disk.
7. Click the arrow to the left of File and Storage Service (Installed) in the center pane to expand the nodes.
8. Click the arrow to the left of File and iSCSI Services, select File Server, and then click Next.
   When the File Server role is selected, File and iSCSI Services is automatically selected for installation because it is the parent role.
9. Click Next in the Select features page.
10. Click Install in the Confirm installation selections page.
11. Wait for the installation to complete and then click Close.

Discussion Question
What tools can you use to centrally manage the file servers in your environment?
Creating a Share for Folder Redirection
Active Directory allows folders, such as the Application Data or Documents folder, to be saved (redirected) to a network location. Thus, the contents of those folders are stored in the designated location and not included within the end-user profile, which reduces its size. Depending on the version of Active Directory in use, the specific folders that can be redirected vary.
Configuring folder redirection allows end users to save some settings, files, and other data while still enabling the benefits of mandatory profiles. As a general guideline, you should enable folder redirection for all end-user data that is not accessed regularly within a session, if network bandwidth permits. Redirected folders contain personal information such as documents, so it is important to protect this data by:
• Creating a security group for end users who have redirected folders on a particular share and limiting access only to those end users.
• Creating a hidden share by putting a dollar sign ($) after the share name so the share is not visible on the network. For example, use Home$ as the share for home directories.
• Using the proper system variable in the creation of the policy. For example, use %Username% to create the account directories.
• Granting end users the minimum set of permissions required to access their data.

To Create a File Share for Folder Redirection
1. Log on to the file server using domain administrator credentials.
   Log on to FileServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click File and Storage Services in the left pane of the Server Manager and then click Shares.
   If the Server Manager is not open, click the Server Manager icon in the Windows taskbar.
3. Click Tasks in the middle pane of the window and then click New Share.
4. Select the desired file share profile and then click Next.
   Select SMB Share - Quick and then click Next.
   The different file share profiles are:
   • SMB Share - Quick is a basic profile and is the quickest way to create an SMB share that is typically used with Windows-based computers.
   • SMB Share - Advanced is an advanced profile that provides more options to configure an SMB file share like setting folder owners, folder data classification for management and access policies, and setting quotas.
   • SMB Share - Applications creates an SMB file share with settings appropriate for Hyper-V, certain databases, and other server applications.
   • NFS Share - Quick is the quickest way to create an NFS file share that is typically used with UNIX-based systems.
   • NFS Share - Advanced offers additional options to configure an NFS file share like setting folder owners for access-denied assistance, default classification of data in the folder for management and access policies, and setting quotas.
5. Select the server where the share will be added, select the volume, and then click Next.
   Verify FS-1 is selected, select volume E:, and then click Next.
   A volume is drive space on the local file system.
6. Type a name for the share in the Share name field.
   Type users$ as the share name.
   The dollar sign at the end of the share name hides the share from being browsed on the network.
7. Type a description for the share in the Share description field and then click Next.
   Type For folder redirection as the share description and then click Next.
   When you type the share name, the corresponding local path and remote path to the share are automatically completed. For example:
   Share name: users$
   Local path to share: E:\Shares\users$
   Remote path to share: \\FS-1\users$
8. Configure the share settings and then click Next.
   Deselect Allow caching of share, select Enable access-based enumeration, and then click Next.
   Access-based enumeration displays only the files and folders that an end user has permissions to access.
9. Click Customize permissions.
10. Click Disable inheritance and then click Remove all inherited permissions from this object.
11. Click Add to add permissions.
12. Click Select a principal and then type System in the Enter the object name to select field.
   The System account is used by the operating system and Windows services.
13. Click Check Names and then click OK.
14. Select Full control for the Basic permissions and then click OK.
15. Click Add and then click Select a principal.
16. Type Domain Admins in the Enter the object name to select field.
17. Click Check Names and then click OK.
18. Select Full control for the Basic permissions and then click OK.
19. Click Add and then click Select a principal.
20. Type Creator Owner in the Enter the object name to select field.
21. Click Check Names and then click OK.
22. Select Subfolders and files only in the Applies to field, select Full control for the Basic permissions, and then click OK.
23. Click Add and then click Select a principal.
24. Type Everyone in the Enter the object name to select field.
25. Click Check Names and then click OK.
26. Select This folder only in the Applies to field.
27. Click Clear all to clear all permissions and then click Show advanced permissions.
28. Select the following advanced permissions for the account:
   • Traverse folder / execute file
   • List folder / read data
   • Read attributes
   • Create folders / append data
29. Click OK to add the permissions and then click OK to close the Advanced Security Settings for the share.
   You are setting the permissions on the share such that only end users can access their folders, and new folders can be created dynamically for new end users. For more information, see http://support.microsoft.com/kb/274443.
30. Click Next and then click Create.
31. Click Close when the process is completed.
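The share and the NTFS permission set from steps 6 to 29 built with the SmbShare module and the .NET access control classes, ending with a dump of the resulting ACL for review. This is an added example, not code from the Citrix course. It assumes Windows Server 2012 or later, volume E: on the file server and the TRAINING domain; the share-level permission is granted to Authenticated Users rather than the wizard's default, a choice made here because the NTFS ACL below is what actually limits access.

```powershell
# Added example, not part of the Citrix course: creates the hidden users$ share
# and applies the least-privilege NTFS ACL from steps 9 to 29. Assumes Windows
# Server 2012 or later, volume E: and the TRAINING domain.
$path = 'E:\Shares\users$'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Steps 6 to 8: hidden share ($), no offline caching, access-based enumeration.
# Share-level access for Authenticated Users (an editorial choice); the NTFS
# ACL below is what restricts each user to their own folder.
New-SmbShare -Name 'users$' -Path $path -Description 'For folder redirection' `
    -CachingMode None -FolderEnumerationMode AccessBased `
    -FullAccess 'Authenticated Users' | Out-Null

# Steps 9 and 10: stop inheriting and drop every inherited entry.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$thisAndSubs = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisOnly    = [System.Security.AccessControl.InheritanceFlags]::None
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly   # "Subfolders and files only"
$noProp      = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace ($identity, $rights, $inherit, $prop) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, $inherit, $prop, $allow)
}

# Steps 12 to 18: SYSTEM and Domain Admins get Full control everywhere.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' $full $thisAndSubs $noProp))
$acl.AddAccessRule((New-Ace 'TRAINING\Domain Admins' $full $thisAndSubs $noProp))
# Steps 20 to 22: CREATOR OWNER gets Full control on subfolders and files only,
# so whoever creates a folder owns it and nobody else's folder.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' $full $thisAndSubs $inheritOnly))
# Steps 24 to 28: Everyone, this folder only: traverse, list, read attributes,
# create folders. Enough to create their own folder, not enough to read others'.
$everyoneRights = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, CreateDirectories'
$acl.AddAccessRule((New-Ace 'Everyone' $everyoneRights $thisOnly $noProp))

Set-Acl -Path $path -AclObject $acl

# Review: compare against steps 12 to 28 line by line.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

Because Everyone's entry applies to this folder only and CREATOR OWNER's entry is inherit-only, a folder created by the redirection client ends up with exactly two effective principals besides the administrators: the owning user and SYSTEM.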
Creating a Folder Redirection Group Policy
A folder redirection group policy allows end users to access the shared folder created for the redirected profiles. Folder redirection is not a default setting. It must be configured in a policy prior to managing the end users' profiles. End-user settings and files are typically stored in the local end-user profile in the Users folder. The files in local end-user profiles can be accessed only from the current endpoint, which makes it difficult for end users who use more than one endpoint to work with their data and synchronize settings between them. Folder redirection allows administrators to redirect the path of a folder to a new location. The location can be a folder on the local endpoint or on a network file share.

To Create a Folder Redirection Group Policy for Virtual Desktops
1. Log on to a domain controller with domain administrator credentials.
   Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in the top-right corner of the Server Manager window and then click Group Policy Management.
   If the Server Manager is not open, click the Server Manager icon in the toolbar to open it.
3. Browse to the OU for the virtual desktops.
   Double-click Forest: Training.lab > Domains > Training.lab > Training Virtual Desktops.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
   Right-click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.
5. Type a name for the policy and then click OK.
   Type Folder Redirection and then click OK.
6. Right-click the newly created policy and then click Edit.
   Right-click the Folder Redirection policy and then click Edit.
7. Double-click User Configuration > Policies > Windows Settings > Folder Redirection to browse to the Desktop folder.
8. Right-click the Desktop folder and then select Properties.
9. Set the folder redirection properties for the Desktop folder.
   Select Basic - Redirect everyone's folder to the same location in the Setting field.
10. Set the folder redirection path and then click OK.
   Type \\FS-1\users$ in the Root Path field and then click OK.
11. Click Yes in the warning message.
12. Right-click the Documents folder and then select Properties.
13. Set the folder redirection properties for the Documents folder.
   Select Basic - Redirect everyone's folder to the same location in the Setting field.
14. Set the folder redirection path for each end user and then click OK.
   Type \\FS-1\users$ in the Root Path field and then click OK.
15. Click Yes in the warning message.
16. Close the Group Policy Management Editor window and Group Policy Management Console.
Discussion Question
What must the administrator consider when setting up folder redirection? What does the $ do when added to the folder redirection path?
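Both questions turn on the file-server side of the redirection. As an added PowerShell check that is not part of the course, the script below audits the redirection root share: it assumes it runs on FileServer-1 as an administrator against the users$ share named in the procedure, and the list of principals trusted with broad rights at the root is a constructed default.

```powershell
# Added example (not from the Citrix course): audit the folder redirection root share.
# Assumptions: runs on the file server (FileServer-1) as an administrator against the
# users$ share; the trusted-principal list below is a constructed default.
Import-Module SmbShare

function Test-RedirectionRoot {
    param(
        [Parameter(Mandatory = $true)] [string] $ShareName,
        # Principals that may hold broad rights at the root. CREATOR OWNER is what gives each
        # user full control of the folder that is created for them under the root.
        [string[]] $TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # A trailing $ only hides the share from browse lists (net view, Explorer). It is not a
    # permission: anyone who knows the UNC path still gets whatever the ACLs allow.
    if (-not $ShareName.EndsWith('$')) {
        $findings.Add("Share $ShareName appears in browse lists (no trailing `$).")
    }

    # NTFS ACL on the root. Non-owners need only to list the root and create their own folder,
    # and that ACE must apply to this folder only; anything broader lets users read each other's data.
    $acl = Get-Acl -Path $share.Path
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $TrustedPrincipals -contains $who) { continue }
        if (($ace.FileSystemRights -band $modify) -eq $modify) {
            $findings.Add("NTFS: $who holds $($ace.FileSystemRights) on the root.")
        }
        if ($ace.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None) {
            $findings.Add("NTFS: the ACE for $who propagates to subfolders ($($ace.InheritanceFlags)); set it to this folder only.")
        }
    }
    # Inherited ACEs usually come from the parent volume (for example BUILTIN\Users on C:\).
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add("NTFS inheritance is enabled on $($share.Path); disable it so volume-level ACEs do not apply.")
    }

    [pscustomobject]@{
        Share    = $ShareName
        Path     = $share.Path
        ShareAcl = (Get-SmbShareAccess -Name $ShareName | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        Findings = $findings.ToArray()
        Pass     = ($findings.Count -eq 0)
    }
}

Test-RedirectionRoot -ShareName 'users$' | Format-List
```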
Module 3: Setting Up the Infrastructure Components
© Copyright 2015 Citrix Systems, Inc.
Setting Up the Microsoft KMS License Server
A Key Management Server (KMS) is used to centralize the activation of licenses for Microsoft products in a local network. This makes it easier to manage licenses by connecting to one license server versus connecting each computer in the network to Microsoft. A single KMS host can support an unlimited number of KMS clients; however, Microsoft recommends deploying a minimum of two KMS hosts for failover. In this class, you will be pointing your servers to a preconfigured KMS License Server, instead of setting up a KMS License Server in the lab environment.
Setting Up SQL Server 2012
SQL Server is a relational database engine. The primary function of a SQL Server is to store and retrieve structured data as requested. A SQL Server can manage multiple databases. XenApp and XenDesktop stores Site, configuration logging, and monitoring data in a dedicated SQL Server database, by default. The XenApp and XenDesktop configuration logging and monitoring information can be moved to separate databases after the initial configuration is completed.
SQL Server Express can be installed during the XenApp and XenDesktop installation for use with pilot implementations of XenApp and XenDesktop. However, a full edition of SQL Server should be installed for use in a production environment. Regardless of the edition selected for use, you cannot configure XenApp and XenDesktop (create a Site) until SQL Server is installed.
Creating the Computer and Service Accounts for SQL Server 2012
You can create the computer accounts required by the Primary, Mirror, and Witness SQL Servers prior to joining them to the domain. This removes the need to move the computers into the correct OU at a later time. In addition, during the installation of SQL Server 2012, you will be asked to provide the name of the account that will be used to access the database engine. If you create the service account prior to the installation, you will not need to change the account after the installation is completed.
To Create Computer and Service Accounts for SQL Server 2012
The computer and service accounts for SQL Server 2012 are already created in the lab environment. The following procedure is provided for informational purposes only. You do not need to complete this procedure in the lab environment.
1. Log on to a domain controller with domain administrator credentials to create the computer and service accounts that will be used with SQL Server.
2. Click Tools in Server Manager and then click Active Directory Users and Computers.
3. Browse to the OU hosting the SQL Servers.
4. Right-click the OU and then select New > Computer to create a new computer account within the OU.
5. Name the computer account and then click OK. Doing this now will prevent you from having to go back to the domain controller after joining the SQL Server to the domain in order to move the computer account into the proper OU.
6. Browse to the OU hosting the service accounts.
7. Repeat Steps 4 through 6 to create computer accounts for the other SQL Servers.
8. Right-click the OU and then click New > Group to create a SQL security group.
9. Name the group and then click OK.
10. Right-click the newly created OU.
11. Click New > User to create a new account.
12. Type the account name and user logon name and then click Next.
13. Type the password in the Password and Confirm password fields.
14. Set the password requirements and then click Next.
15. Click Finish. The password you set should be strong and relatively randomized. You should not allow accounts with non-expiring passwords to log on locally. Windows Server 2008 R2 and 2012 R2 can be used to create managed service accounts where the passwords are automatically changed. For further information, see http://technet.microsoft.com/en-us/library/jj128431.aspx. In addition, Windows Server 2012 R2 added the ability to create group managed service accounts. For more information, see http://technet.microsoft.com/en-us/library/hh831782.aspx.
16. Right-click the newly created service account and then click Add to a group.
17. Type the group names to which this account will be a member and then click Check Names.
18. Click OK. Adding the account to the service accounts group is what will prevent the service account from being used to log on locally because you created a Group Policy Object that disallows log on locally to that group.
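As an added example that is not part of the course, the same account objects created with the ActiveDirectory PowerShell module on DomainController-1. The OU distinguished names and the group name are assumptions for this illustration; SQL-1, SQL-2 and SQL-W are the lab's SQL Server names and SQLAcct1 is the service account the mirroring procedure later uses.

```powershell
# Added example (not from the Citrix course): pre-create the SQL Server computer accounts,
# a SQL security group and the SQL service account with the ActiveDirectory module.
# Assumptions: run on DomainController-1 as a domain administrator; the OU paths and the
# group name are constructed for this example, the account names are the lab's.
Import-Module ActiveDirectory

$ServersOU  = 'OU=SQL,OU=Training Servers,DC=Training,DC=lab'   # assumed OU for the SQL Servers
$AccountsOU = 'OU=Service Accounts,DC=Training,DC=lab'          # assumed OU for service accounts
$SqlGroup   = 'SQL Service Accounts'                             # assumed group name

# Steps 3-7: computer accounts created in the SQL OU before the servers join the domain,
# so the join lands them under the GPOs linked to that OU instead of the default Computers container.
foreach ($computer in 'SQL-1', 'SQL-2', 'SQL-W') {
    if (-not (Get-ADComputer -Filter "Name -eq '$computer'" -SearchBase $ServersOU)) {
        New-ADComputer -Name $computer -Path $ServersOU -Enabled $true
    }
}

# Steps 8-9: the group. The course's GPO that denies "log on locally" targets this group,
# so membership is what keeps a non-expiring service password away from interactive logon.
if (-not (Get-ADGroup -Filter "Name -eq '$SqlGroup'")) {
    New-ADGroup -Name $SqlGroup -GroupScope Global -GroupCategory Security -Path $AccountsOU
}

# Steps 10-18: the service account with a long random password. $plain is what step 19 of the
# SQL Server installation asks for; do not store it anywhere else. A group managed service
# account (see the TechNet links above) would remove the static password altogether.
Add-Type -AssemblyName System.Web
$plain  = [System.Web.Security.Membership]::GeneratePassword(32, 8)
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

New-ADUser -Name 'SQLAcct1' -SamAccountName 'SQLAcct1' -UserPrincipalName 'SQLAcct1@training.lab' `
    -Path $AccountsOU -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'SQL Server Database Engine service account'
Add-ADGroupMember -Identity $SqlGroup -Members 'SQLAcct1'

# Verify the result: enabled, non-expiring password, and a member of the restricted group.
Get-ADUser -Identity 'SQLAcct1' -Properties MemberOf, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] }) -join '; ' } }
```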
Installing SQL Server 2012
You can install SQL Server 2012 using the Installation Wizard or the command line on a dedicated server. A SQL Server should be configured to be highly available because no new users can connect to the environment if connectivity to the database is lost. This configuration requires that multiple SQL Servers be installed in the environment. You can configure SQL Server 2012 to use mirroring, clustering, or Always On. In our lab environment, you will configure SQL Server 2012 to use mirroring.
To Install SQL Server 2012
SQL Server is already installed on the Primary, Mirror and Witness SQL Servers in the environment. The following procedure is provided for informational purposes only. You do not need to install SQL Server in the lab environment.
This procedure was used to create the Primary, Mirror, and Witness SQL Server VMs in the lab environment.
1. Create a Windows Server 2012 R2 virtual machine using the Creating a VM steps covered previously.
2. Insert the ISO file for Microsoft SQL Server 2012 into the DVD drive.
3. Click the File Explorer (file folder) icon in the taskbar.
4. Click Computer.
5. Double-click the CD Drive containing the installation media and then click Yes in the User Account Control message.
6. Click Installation in the left column of the window and then click New SQL Server stand-alone installation or add features to an existing installation.
7. Ensure that the Setup Support Rules run successfully and then click OK. Verify that the bar is green with a message: Operation completed - 0 Failed.
8. Type the product key and then click Next. The customer must purchase a product license.
9. Read and respond to the license agreement.
10. Ignore the warning in the Product Updates page and then click Next. This message appears if you do not have Internet access.
11. Wait for the setup files to be installed, review the Setup Support Rules page, and then click Next.
12. Verify that SQL Server Feature Installation is selected and then click Next.
13. Select Database Engine Services > SQL Server Replication > Management Tools - Basic, and then click Next.
14. Click Next on the Installation Rules page.
15. Click Next on the Instance Configuration page.
16. Click Next on the Disk Space Requirements page.
17. Click the entry under Account Name for SQL Server Database Engine service and then select Browse to change the SQL Server Database server to use the new SQL Server service account.
18. Type the name associated with the newly created service account, click Check Names, and then click OK.
19. Type the appropriate password for the SQL Server service account in the Password column for the SQL Server Database Engine and then click Next.
20. Click Add and then type the names of the SQL Server administrators.
21. Click Check Names and then click OK.
22. Click Next in the Database Engine Configuration page.
23. Click Next in the Error Reporting page.
24. Click Next in the Installation Configuration Rules page.
25. Click Install to begin the installation.
26. Wait for the installation to finish and then click Close. This may take several minutes.
27. Close the SQL Server Installation Center.
28. Click Eject to eject the installation media.
29. Repeat these steps to configure the Mirror and Witness SQL Servers.
Discussion Question
Does SQL Server need to be installed before you install XenApp and XenDesktop?
Configuring SQL Server and the Windows Firewall
Firewalls help prevent unauthorized access to computer resources. However, if a firewall is turned on but configured incorrectly, attempts to connect to the SQL Server might be blocked. To allow communications with the SQL Server through a firewall, you must configure the firewall for each server that is running SQL Server. The easiest way to do this is to apply a GPO to the OU hosting the SQL Servers in the environment. This eliminates the need to open the inbound ports on each SQL Server.
To Configure SQL Server and the Windows Firewall to Accept Inbound Connections
The following steps are provided for informational purposes only and do not need to be performed in the lab environment, because the firewalls are already turned off. However, students without this experience are encouraged to perform this exercise.
1. Start the primary SQL Server. Right-click SQLServer-1 and then click Start.
2. Log on to the SQL Server using domain administrator credentials. Log on to SQLServer-1 using the TRAINING\Administrator and Password1 credentials.
3. Click the Windows Start button.
4. Type SQL Server Configuration Manager.
5. Click SQL Server Configuration Manager.
6. Click the arrow to the left of the SQL Server Network Configuration node and then click Protocols for MSSQLSERVER.
7. Verify that TCP/IP is enabled and then double-click TCP/IP.
8. Click the IP Addresses tab, note the TCP Port that is set, click Cancel, and then close the SQL Server Configuration Manager.
9. Log on to the domain controller using domain administrator credentials. Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
10. Click Tools in the Server Manager and then click Group Policy Management.
11. Browse to the OU hosting the SQL Servers. Double-click Forest: Training.lab > Domains > Training.lab > Training Servers > SQL.
12. Right-click the OU and then click Create a GPO in this domain, and Link it here. Right-click the SQL OU and then click Create a GPO in this domain, and Link it here.
13. Type a name for the GPO and then click OK. Type Windows Firewall - SQL Rules in the Name field and then click OK.
14. Right-click the newly created policy and then select Edit. Right-click Windows Firewall - SQL Rules and then click Edit.
15. Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
16. Right-click Inbound Rules and then click New Rule.
17. Click Port and then click Next.
18. Specify the ports that will be used to communicate with the SQL Server and then click Next. Verify that TCP is selected, type 1433, 5022 in the Specific local ports field, and then click Next. Port 1433 is for regular SQL Server communications and Port 5022 is for mirroring.
19. Verify that Allow the connection is selected and then click Next.
20. Click Next in the Profile page to apply this rule to the Domain, Private, and Public firewall profiles.
21. Type SQL in the Name field and then click Finish.
22. Right-click Inbound Rules and then click New Rule to configure a rule that allows inbound Windows file sharing. This inbound rule will be useful when you set up SQL Server Mirroring later on.
23. Click Predefined, click File and Printer Sharing in the Predefined field and then click Next.
24. Click Next on the Predefined Rules page.
25. Click Finish.
26. Close the Group Policy Management Editor and the Group Policy Management Console.
27. Log on to the first SQL Server using domain administrator credentials. Log on to SQLServer-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
28. Move the mouse pointer to the bottom-right corner of the taskbar to display the Charms bar.
29. Select Search, type cmd, and then press Enter to open a command prompt window. You can also open a command prompt window by selecting the Start icon, typing cmd or command, and then pressing Enter.
30. Type gpupdate /force and then press Enter to force an update.
31. Type exit and then press Enter to close the command prompt window.
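As an added example that is not part of the course, the inbound rules of steps 15 through 25 written into the same GPO with the NetSecurity module on DomainController-1, followed by a read-back of the rules and a port check. It assumes the GPO already exists and is linked (steps 12 and 13); the addresses 192.0.2.0/24 and 192.0.2.11-13 are constructed placeholders for the Delivery Controller subnet and the three SQL Servers, and the rules are scoped tighter than the lab's wizard choice of all profiles and any address.

```powershell
# Added example (not from the Citrix course): the SQL firewall rules placed in the GPO with
# PowerShell. Assumptions: run on DomainController-1 as a domain administrator; the GPO from
# steps 12-13 exists; the IP addresses below are constructed placeholders.
Import-Module NetSecurity
Import-Module GroupPolicy

$Domain  = 'training.lab'
$GpoName = 'Windows Firewall - SQL Rules'
if (-not (Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue)) {
    throw "GPO '$GpoName' does not exist; create and link it first (steps 12-13)"
}

$ControllerSubnet = '192.0.2.0/24'                               # assumed Delivery Controller subnet
$SqlPartners      = @('192.0.2.11', '192.0.2.12', '192.0.2.13')  # assumed SQL-1, SQL-2, SQL-W

# Open the GPO's firewall store once; rules accumulate in the session until Save-NetGPO.
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# Steps 17-21: TCP 1433 (database engine) and 5022 (mirroring endpoint). Domain profile only,
# and each port limited to the remote addresses that actually need it.
New-NetFirewallRule -GPOSession $gpo -Name 'SQL-Engine-1433' `
    -DisplayName 'SQL Server Database Engine (TCP 1433)' -Direction Inbound -Protocol TCP `
    -LocalPort 1433 -RemoteAddress $ControllerSubnet -Profile Domain -Action Allow | Out-Null
New-NetFirewallRule -GPOSession $gpo -Name 'SQL-Mirroring-5022' `
    -DisplayName 'SQL Server Mirroring endpoint (TCP 5022)' -Direction Inbound -Protocol TCP `
    -LocalPort 5022 -RemoteAddress $SqlPartners -Profile Domain -Action Allow | Out-Null

# Steps 22-25: the predefined File and Printer Sharing group also opens NetBIOS, ICMP and the
# spooler's RPC ports. TCP 445 from the mirroring partners is what the backup-file copy over
# \\SQL-2\C$ in the mirroring procedure needs.
New-NetFirewallRule -GPOSession $gpo -Name 'SQL-SMB-445' `
    -DisplayName 'SMB for mirroring backup copy (TCP 445)' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $SqlPartners -Profile Domain -Action Allow | Out-Null

Save-NetGPO -GPOSession $gpo

# Read the rules back from the GPO together with their port and address filters, which is the
# review the Group Policy Management Editor does not give you in one view.
function Get-SqlGpoRules {
    Get-NetFirewallRule -PolicyStore "$Domain\$GpoName" -Direction Inbound | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule = $_.DisplayName; Protocol = $port.Protocol; Port = $port.LocalPort
            Remote = ($addr.RemoteAddress -join ','); Profile = $_.Profile; Action = $_.Action
        }
    }
}
Get-SqlGpoRules | Format-Table -AutoSize

# After gpupdate /force on the SQL Server (step 30), confirm from a permitted host that the
# ports answer. 5022 only answers once the mirroring endpoint exists on the instance.
function Test-SqlPorts([string]$Server, [int[]]$Ports = @(1433, 5022)) {
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $Server; Port = $p; Open = $r.TcpTestSucceeded }
    }
}
Test-SqlPorts -Server 'SQL-1' | Format-Table -AutoSize
```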
Discussion Question
Is it a good practice to disable the Windows firewall on a SQL Server?
Setting Up SQL Server Mirroring
Mirroring the SQL Server database is a solution for creating redundancy of XenApp and XenDesktop settings. By mirroring the database, you ensure that, if the active database server fails, the mirrored SQL Server will be available to replace it. This automatic failover process happens in a matter of seconds, so that end users are generally unaffected.
Mirroring requires a primary SQL Server, a secondary SQL Server, and a SQL Server witness. Mirroring is an active/passive arrangement. All activity takes place on the primary SQL Server. In the event of a primary failure, the secondary SQL Server assumes the primary role. The witness determines when a failure occurs. Mirroring does not protect data integrity - only the database engine is protected. If data corruption occurs, the preferred method of recovery is rollback. Therefore, it is imperative to follow appropriate backup procedures for the SQL Server database.
Discussion Question
SQL Server is used to store the XenApp and XenDesktop database. Why is database redundancy so important with XenApp and XenDesktop?
Installing the SQL Server Witness
To support the mirroring of a SQL Server database, three SQL Servers are required. Two of the servers contain a copy of the XenApp and XenDesktop database. The third server is known as the witness and does not contain the XenApp and XenDesktop database. The sole purpose of the witness is to monitor the health of the primary and secondary SQL Servers. The witness determines when to initiate an automatic failover. Microsoft calls this configuration mirrored with high-safety. The primary and secondary SQL Servers rely on the witness to determine which is the primary and which is the secondary (mirror). A SQL Server Witness can be installed using the procedure for installing SQL Server 2012. A SQL Server Witness is already installed in the lab environment.
Discussion Question
Does the SQL Server Witness need to use the same version and edition of SQL Server as the mirroring partners?
Configuring SQL Server Mirroring
In order for SQL Server mirroring to work, you must first make a backup of the primary database and restore it on the secondary SQL Server. This ensures that both SQL Servers contain the same database structure. Once they are configured, they will synchronize the database. This synchronization takes place in a transactional manner. Any change made to the primary database is synchronized to the secondary database immediately.
To configure database mirroring:
• The principal and mirror server instances must exist and be running the same edition of SQL Server.
• A recent backup of the principal database must be available to restore to the mirror database.
• The same domain user account must exist for all server instances.
You can choose to use a database on a separate server. If you intend to use an external database created manually, that is, one that is not created using Studio, ensure that the database administrator uses the following collation setting when creating the database: Latin1_General_100_CI_AS_KS (where Latin1_General varies depending on the country; for example Japanese_100_CI_AS_KS). If this collation setting is not specified during database creation, subsequent creation of the XenApp and XenDesktop service schemas within the database will fail, and an error similar to ": schema requires a case-insensitive database" appears (where is the name of the service whose schema is being created).
To Configure SQL Server Mirroring
1. Start the primary SQL Server if it is not already running.
   a. Right-click SQLServer-1 in XenCenter and then click Start.
   b. Wait for the VM to start before proceeding to the next step.
2. Start the secondary SQL Server if it is not already running. Right-click SQLServer-2 in XenCenter and then click Start.
3. Start the SQL Server Witness. Right-click SQLServer-Witness in XenCenter and then click Start. SQLServer-1, SQLServer-2, and SQLServer-Witness must be started in order to complete this procedure.
4. Switch to the primary SQL Server. Click SQLServer-1 in XenCenter.
5. Log on to the primary SQL Server using domain administrator credentials. Log on to the SQLServer-1 VM using the TRAINING\Administrator and Password1 credentials, if you are not already logged on.
6. Click the Windows Start button.
7. Type SQL Server Management Studio.
8. Right-click SQL Server Management Studio and then click Run as administrator.
9. Specify the name of the SQL Server in the Server name field and then click Connect. Verify that SQL-1 is in the Server name field and then click Connect to connect to the local database instance. If the connection to SQL-1 fails, verify that the SQL Server Management Studio was launched as an administrator. If the connection continues to fail, reboot the SQL-1 server.
10. Right-click the Databases node and then click New Database.
11. Type a name for the database in the Database name field. Type CitrixMain Site in the Database name field.
12. Click Options in the left pane.
13. Select Latin1_General_100_CI_AS_KS for the Collation and then click OK. Ensure that you select the correct Collation option. Many of the options are very similar. If you accidentally choose the wrong collation for the lab environment, the Delivery Controller Site will not be able to use the database. You will need to go through this procedure again, because the database will be mirrored but may be unusable.
14. Expand the Databases node. Click View > Refresh if the database does not appear.
15. Right-click the database and then click Tasks > Back Up. Right-click CitrixMain Site and then click Tasks > Back Up.
16. Verify that Full appears in the Backup type field and then click OK.
17. Wait for the backup process to complete and then click OK.
18. Copy the SQL backup file from the Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup folder on the first SQL Server (Primary) to the backup SQL Server (Mirror). If the Windows Firewall is enabled, firewall exceptions need to be added to the SQL Servers either manually or through a GPO to grant this access. This has already been done for the lab environment. Ensure that the SQLServer-2 VM is running before continuing with this exercise.
   a. Click the File Explorer icon in the taskbar of SQLServer-1.
   b. Browse to C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup.
   c. Right-click the CitrixMain Site.bak file and then click Copy.
   d. Click the right side of the Address field at the top of the window, type \\SQL-2\C$ and then press Enter.
   e. Right-click below the folders in the c$ window and then click Paste.
   f. Close the c$ window.
19. Click the Connect menu in the Object Explorer of the Microsoft SQL Server Management Studio and then click Database Engine.
20. Type the name of the backup SQL Server in the Server name field and then click Connect. Type SQL-2 and then click Connect.
21. Right-click Databases under the backup SQL Server instance and then click Restore Database. Right-click Databases under the SQL-2 instance and then click Restore Database.
22. Select Device and then click the ... button to the right of the Device field.
23. Click Add, browse to the backup file, and then click OK. Click Add, click C:, click CitrixMain Site.bak, and then click OK.
24. Click OK in the Select backup devices window.
25. Verify that the check box in the Restore column is selected.
26. Click Options in the left pane, select RESTORE WITH NORECOVERY in the Recovery state field and then click OK. Ensure that you select RESTORE WITH NORECOVERY before you click OK. Failure to do so will result in errors later in the procedure in the lab environment.
27. Click OK in the message when the restore successfully completes.
28. Right-click the database you want to mirror on the primary SQL Server and then select Tasks > Mirror. Right-click CitrixMain Site under the SQL-1 instance and then click Tasks > Mirror.
29. Click Configure Security.
30. Click Next on the first screen.
31. Verify that Yes is selected and then click Next on the Include Witness Server screen.
32. Verify that Witness server instance is selected and then click Next on the Choose Servers to Configure screen.
33. Click Next on the Principal Server Instance screen to accept the defaults for the primary (principal) SQL Server. SQL-1 is the principal SQL Server.
34. Click Connect to the right of the Mirror server instance field to connect to the SQL Server that will be the mirror. SQL-2 is the mirror SQL Server.
35. Click Connect on the Connect to Server dialog and then click Next in the Configure Database Mirroring Security wizard to proceed. An error will appear at the bottom of the wizard. This is normal.
36. Click the Witness server instance drop-down and then click Browse for more. Ensure that SQLServer-Witness is running before continuing with the next step in this exercise.
37. Type the name of the SQL Server that will be the witness and then click Connect. Type SQL-W and then click Connect in the Connect to Server window.
38. Click Next in the Configure Database Mirroring Security wizard.
39. Type the name of the SQL service account in the Principal, Witness, and Mirror fields in the Service Accounts screen and then click Next. Type TRAINING\SQLAcct1 in each of the fields and then click Next. This service account was pre-created for you in the lab environment.
40. Review the settings and then click Finish.
41. Click Close when the configuration of the endpoints is completed.
42. Click Start Mirroring in the Database Properties message and then click OK. If you receive an error stating that SQL-1 cannot be reached on port 5022, delete the database for SQL-1 and SQL-2 and start again with Step 10 in this procedure.
The SQL Server witness must remain running after mirroring is configured. The databases may become inaccessible if the server is shut down.
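As an added example that is not part of the course, steps 10 through 42 of the procedure expressed as T-SQL run through Invoke-Sqlcmd, so that each stage (collation, NORECOVERY restore, endpoints, partner and witness) can be checked rather than clicked through. It assumes it runs on SQLServer-1 as a domain administrator who is sysadmin on all three default instances SQL-1, SQL-2 and SQL-W, that the SQLPS module from SQL Server 2012 is installed, that all three instances run as TRAINING\SQLAcct1, and that TCP 5022 and 445 are open between them; the database and file names are the course's own.

```powershell
# Added example (not from the Citrix course): the mirroring procedure as T-SQL via Invoke-Sqlcmd.
# Assumptions: run on SQLServer-1 by a sysadmin on all three instances; SQLPS (SQL Server 2012)
# installed; identical SQL Server installation paths on principal and mirror; all instances
# run under TRAINING\SQLAcct1; firewall allows TCP 5022 and 445 between the three servers.
Import-Module SQLPS -DisableNameChecking

$Principal = 'SQL-1'; $Mirror = 'SQL-2'; $Witness = 'SQL-W'
$Domain    = 'training.lab'
$Db        = 'CitrixMain Site'
$Backup    = "C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup\$Db.bak"
$Account   = 'TRAINING\SQLAcct1'

function Invoke-Sql([string]$Instance, [string]$Query) {
    Invoke-Sqlcmd -ServerInstance $Instance -Query $Query -QueryTimeout 600 -ErrorAction Stop
}

# Steps 10-13: the Site database with the collation Studio requires. Mirroring also needs the
# full recovery model, which the wizard assumes but does not set.
Invoke-Sql $Principal @"
IF DB_ID(N'$Db') IS NULL
    CREATE DATABASE [$Db] COLLATE Latin1_General_100_CI_AS_KS;
ALTER DATABASE [$Db] SET RECOVERY FULL;
"@
$coll = (Invoke-Sql $Principal "SELECT CONVERT(nvarchar(128), DATABASEPROPERTYEX(N'$Db', 'Collation')) AS c").c
if ($coll -ne 'Latin1_General_100_CI_AS_KS') { throw "Wrong collation '$coll'; drop the database and recreate it" }

# Steps 15-18: full backup on the principal, copied to the mirror over the admin share.
Invoke-Sql $Principal "BACKUP DATABASE [$Db] TO DISK = N'$Backup' WITH FORMAT, INIT;"
Copy-Item -Path $Backup -Destination "\\$Mirror\C`$\$Db.bak" -Force

# Steps 21-27: restore on the mirror WITH NORECOVERY. A recovered copy cannot join mirroring,
# which is the failure the procedure warns about in step 26.
Invoke-Sql $Mirror "RESTORE DATABASE [$Db] FROM DISK = N'C:\$Db.bak' WITH NORECOVERY, REPLACE;"

# Steps 28-41: one mirroring endpoint per instance on TCP 5022 (Windows authentication,
# encryption required) with CONNECT granted to the shared service account. A missing or
# stopped endpoint is what produces the "cannot be reached on port 5022" error of step 42.
$roles = @(
    [pscustomobject]@{ Instance = $Principal; Role = 'PARTNER' },
    [pscustomobject]@{ Instance = $Mirror;    Role = 'PARTNER' },
    [pscustomobject]@{ Instance = $Witness;   Role = 'WITNESS' }
)
foreach ($r in $roles) {
    Invoke-Sql $r.Instance @"
IF NOT EXISTS (SELECT 1 FROM sys.endpoints WHERE name = N'Mirroring')
BEGIN
    CREATE ENDPOINT [Mirroring] STATE = STARTED
        AS TCP (LISTENER_PORT = 5022, LISTENER_IP = ALL)
        FOR DATABASE_MIRRORING (AUTHENTICATION = WINDOWS NEGOTIATE,
                                ENCRYPTION = REQUIRED ALGORITHM AES, ROLE = $($r.Role));
END
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::[Mirroring] TO [$Account];
"@
}

# Step 42: the mirror is pointed at the principal first, then the principal at the mirror
# and at the witness. Safety level FULL (the default) with a witness is high-safety mode
# with automatic failover, the configuration the text above calls mirrored with high-safety.
Invoke-Sql $Mirror    "ALTER DATABASE [$Db] SET PARTNER = N'TCP://$($Principal).$($Domain):5022';"
Invoke-Sql $Principal "ALTER DATABASE [$Db] SET PARTNER = N'TCP://$($Mirror).$($Domain):5022';"
Invoke-Sql $Principal "ALTER DATABASE [$Db] SET WITNESS = N'TCP://$($Witness).$($Domain):5022';"

# Check: the state should settle to SYNCHRONIZED with safety FULL and a CONNECTED witness.
Invoke-Sql $Principal @"
SELECT d.name, m.mirroring_role_desc, m.mirroring_state_desc,
       m.mirroring_safety_level_desc, m.mirroring_witness_state_desc
FROM sys.database_mirroring AS m
JOIN sys.databases AS d ON d.database_id = m.database_id
WHERE d.name = N'$Db';
"@ | Format-Table -AutoSize
```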
Discussion Question
Why is SQL Server mirroring a better high-availability solution for the Site database than using the high-availability feature of the hypervisor?
Troubleshooting SQL Server Issues
The following table identifies SQL Server issues and resolutions.

Issue: You cannot connect to the database engine.
Resolution: Verify that the SQL database is configured to accept remote connections. To correct this issue:
• Use SQL Server Management Studio, open the properties for the local server, click Connections and then verify that TCP Port 1433 is open for SQL traffic on the firewall.
• Open Windows Firewall Advanced Security to verify or create an Inbound rule for the SQL Server ports.
• Verify that the settings contained in the DSN file are appropriate and that the DSN file is not corrupted. If the file is corrupted, recreate the DSN file or copy the DSN file from a server that can connect to the database.

Issue: You receive an error stating that the primary SQL Server cannot be reached on port 5022.
Resolution: Delete the SQL Server mirror database and start again by right-clicking Databases under the mirror SQL Server instance and then click Restore Database. Continue to follow the steps to configure the mirror database.

Installing Anti-Virus Software
You should install anti-virus software to detect and remove computer viruses from your corporate environment. Computing resources are often subjected to malicious code that can negatively impact normal operations. Anti-virus should be installed where appropriate and the anti-virus signatures should be updated regularly. You should select an anti-virus software application that is appropriate for the computing resource. In addition, you should configure the anti-virus software for appropriate inclusions and exclusions in anti-virus scans. The configuration of an anti-virus software solution is beyond the scope of this course. Refer to a security specialist to ensure that your environment is properly protected.
Discussion Question
You installed anti-virus software on all of the infrastructure servers in your environment and now performance is slow and the operating systems on the servers are having reliability problems. What can you do to correct the problem?
Setting up the DMZ
A Demilitarized Zone (DMZ) is a buffer between the trusted (internal) environment and the untrusted (external) environment. Its primary purpose is to protect the production environment from outside threats. The DMZ typically consists of two firewalls separated by a private subnet. The objects placed in the DMZ, such as NetScaler, need to be hardened and they must not contain any corporate intellectual property. All components in the lab environment use a single network. The configuration of the DMZ is beyond the scope of this course. Refer to a security specialist to ensure that your implementation is properly protected.
Discussion Question
Which services might be appropriate for deployment in the DMZ?
Reinforcement Exercise: Redirecting Additional Folders
During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If you have a question or get stuck, ask the instructor or a fellow student for assistance.
Now that you know how to:
• Set up and configure a domain controller and DNS.
• Configure a Dynamic Host Configuration Protocol (DHCP) server.
• Configure a private Certificate Authority server.
• Set up and configure a file server.
• Set up and configure SQL Server mirroring.
You are ready to try your hand at editing an existing group policy to redirect additional folders to the users' shares on the file server.
Approximate time to complete: 20 minutes
Children's Charitable Hospital (Training) wants you to redirect the Pictures, Favorites, and Downloads folders for all users of virtual desktops. This will keep the information off of the virtual desktops and store it safely on the network.
Here is what you need to do:
1. Edit the existing Folder Redirection policy that you created for the virtual desktops in the domain.
2. Add the Pictures, Favorites, and Downloads folders to the policy.
3. Configure the properties for the folders so that the information from all users is redirected to the same location.
4. Redirect the folders to the users$ share on FileServer-1.
Module 4
Setting Up Citrix Components
Setting Up Citrix Components
Overview
Once the non-Citrix infrastructure components required by XenApp and XenDesktop are in place, you can begin to implement the Citrix components. By the end of this module, you will be able to:
• Install and configure the Citrix License Server.
• Install and configure Citrix Delivery Controller, Citrix Studio, and Citrix Director.
• Install and configure the Citrix Universal Print Server.
• Install and configure Citrix StoreFront.
• Install and configure Citrix Receiver.
Module timing: 4.5 hours
At the beginning of this module, the VMs should be in the following states:
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-2 = On
• SQLServer-Witness = On
• All other VMs = Off
Architecture
XenApp and XenDesktop relies on the following Citrix components to provide server-hosted desktops and applications, and desktop-hosted desktops and applications to end users.
• Citrix License Server stores and manages the license files for all components within the XenApp and XenDesktop architecture with the exception of NetScaler components, which require the license files to be installed directly on them.
• Delivery Controller consists of services that communicate with the hypervisor to distribute applications and desktops, authenticate and manage user access, and broker connections between end users and their virtual desktops and applications.
• Studio is the management console used to set up and administer a XenApp and XenDesktop implementation.
• Director is a Web-based tool that enables IT support and Help Desk teams to monitor an environment, troubleshoot issues before they become critical, and perform support tasks for end users.
• Universal Print Server extends universal printing support to network printers.
• StoreFront provides authentication and resource delivery services for users of Citrix Receiver. StoreFront uses a local configuration data file to keep track of end users' application subscriptions, shortcut names, and locations so end users have a consistent experience from all of their endpoints.
• Receiver provides end users with access to hosted applications and virtual desktops.
The Citrix components rely on the following infrastructure components that were installed during the last module:
• SQL Server stores the configuration data for the XenApp and XenDesktop Site and its resources.
• Hypervisor hosts all virtual machines in the environment as well as the resources provided to end users.
• Active Directory provides authentication, authorization, and auditing for all components within the environment.
The following components and resources will be configured in future modules:
• Provisioning Services (PVS) creates virtual disks (vDisks) from a Master Target Device. PVS uses PXE, DHCP, BDM and the Stream Service to provide vDisks to target devices. PVS supports both virtual target devices and physical target devices.
• Machine Creation Services (MCS) is a collection of services that work together to create virtual desktops from a master image. MCS provides many of the same single-image management benefits as Provisioning Services, but works directly on the storage managed by the hypervisor, without the need to use PXE or BDM to start a target device.
• Hosted applications are the applications that are installed on a Server OS machine or Desktop OS machine and made available to users of Citrix Receiver.
• Server OS machines are virtual desktops running a Windows Server operating system.
• Desktop OS machines are virtual desktops running a Windows workstation operating system.
• NetScaler is an appliance that provides a wide range of functions including: load balancing, proxy service, and endpoint analysis.
Discussion Question
The network onto which XenApp and XenDesktop is placed must be resilient, robust, and reliable. You can configure all components perfectly and still have a failed implementation if the network doesn't meet the needs of the environment. What constitutes a resilient, robust and reliable network?
Setting Up the Citrix License Server
The Citrix License Server manages the Citrix licenses for Citrix products, except for Citrix NetScaler. Each time a Citrix product starts up, it opens a connection to the license server and checks out a startup license. The license server can be installed on a physical server or a virtual server. A Citrix License Server can reside on a server that hosts other roles or on a server completely dedicated to storing and managing Citrix licenses.
At this time, the Citrix License Server VPX is not supported for use with XenApp and XenDesktop. This may change in the future. Refer to www.citrix.com for further information.
Citrix licenses are stored in a file that must be added to the license server. The license file is initially acquired from My Account on the www.citrix.com Web site or by using Citrix Studio.
All components must be configured to communicate with the license server. This communication is configured from the Citrix product. The default port for communication is 27000. The license server then uses the vendor daemon with a default port of 7279 to deliver the license. The License Administration Console communicates with the Citrix License Server on port 8082. All ports can be configured from within the License Administration Console.

After a license is installed for use with XenApp and XenDesktop, all license management is done through the Web-based License Administration Console or Citrix Studio. The License Administration Console lets you manage and monitor your Citrix licenses. The availability of a license is determined by the number of available licenses on the license server when a session is requested. If a license is not available, the session is denied. You can track license usage using the Licensing node in Citrix Studio or the EdgeSight License Server Monitoring tool, which provides license reporting and is a free download from the www.citrix.com/downloads/licensing/components Web site. This tool works for all products regardless of the product edition. Citrix licensing can be configured in the License Administration Console or Citrix Studio to use a license that supports:
• A Concurrent licensing model, which checks a license out when an end user requests a session and checks the license back in when the end user logs off or disconnects from the session. A concurrent license is not tied to a specific end user. License consumption is based on:
  • If a single end user is running multiple sessions on a single endpoint, a single license is consumed.
  • If a single end user is running sessions on multiple endpoints, multiple licenses are consumed.
• A User/Device licensing model, which checks a license out for a device when an end user makes a connection and keeps the license for 90 days after the end user ends the session on the device. License consumption is based on:
  • If a single end user is running multiple sessions on a single endpoint, a single license is consumed (User licensing model).
  • If a single end user is running multiple sessions on multiple endpoints, a single license is consumed (User licensing model). A licensed end user requires a unique user ID, such as an Active Directory entry. When assigned to an end user, the license allows the end user to connect to the desktops and applications with multiple endpoints, such as a desktop computer, laptop, netbook, smartphone, or thin client concurrently.
  • If multiple end users are running multiple sessions from a single endpoint, a single license is used (Device licensing model). A licensed device requires a unique device ID and is authorized for use by any end user to access desktops and hosted applications. This licensing model can be used for shared devices, such as in a classroom or hospital, because it allows an unlimited number of end users per device.
The license server determines how to minimize license consumption based on whether the licenses installed are User/Device or Concurrent and how the environment is configured. For example, with concurrent licensing, load balancing of the license server can affect license consumption, as can multiple product editions in the environment. For a detailed description of how the various license models work, see the "Types" topic under Licensing Your Product on the http://docs.citrix.com Web site.
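All of the communication described above depends on three TCP ports being reachable from every Citrix component, and a component that cannot reach them is exactly the one that will later report "no license available". The following Python script is an added example, not code from Citrix or this course: it probes the default ports stated above (27000 for the license server, 7279 for the vendor daemon, 8082 for the License Administration Console) from a component's command line. The target host name cls-1.training.lab is the lab placeholder, and role=port arguments let you substitute the custom ports of an environment that chose Manually during installation. The loopback_demo() function stands up a throwaway listener on 127.0.0.1 so the check can be exercised without a real license server.

```python
"""Check that the Citrix License Server ports are reachable from this machine.

Added example (not Citrix code). Default ports are the ones stated above:
27000 (license server), 7279 (CITRIX vendor daemon), 8082 (License
Administration Console). The default host name is the lab placeholder.
"""
import socket
import sys
from contextlib import closing

DEFAULT_PORTS = {
    "license server": 27000,
    "vendor daemon": 7279,
    "License Administration Console": 8082,
}


def check_port(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:  # refused, unreachable, timed out, or name lookup failed
        return False


def check_license_server(host, ports=None, timeout=3.0):
    """Probe every role/port pair; returns {role: reachable}."""
    ports = DEFAULT_PORTS if ports is None else ports
    return {role: check_port(host, port, timeout) for role, port in ports.items()}


def unreachable_roles(results):
    """Names of the roles whose port did not answer, for the summary line."""
    return sorted(role for role, ok in results.items() if not ok)


def loopback_demo():
    """Exercise check_port without a real license server: listen on an
    ephemeral 127.0.0.1 port, probe it (open), close it, probe again (closed)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = check_port("127.0.0.1", port, timeout=1.0)
    after_close = check_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "cls-1.training.lab"
    # Optional overrides in the form role=port, e.g. "vendor daemon=7280"
    ports = dict(DEFAULT_PORTS)
    for arg in sys.argv[2:]:
        role, _, value = arg.partition("=")
        ports[role] = int(value)
    results = check_license_server(target, ports)
    for role, ok in results.items():
        print(f"{role:32} {ports[role]:>6}  {'reachable' if ok else 'NOT reachable'}")
    missing = unreachable_roles(results)
    print("all ports reachable" if not missing else "unreachable: " + ", ".join(missing))
```

Run it from the Controller or StoreFront server rather than from the license server itself, since the point is to confirm the path through any host firewall or network device in between; a port that answers locally but not from the component is the usual cause of a product falling back to its startup or trial license.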
Installing the Citrix License Server
The Citrix License Server can be installed using the software on the XenApp and XenDesktop installation media or downloaded from www.citrix.com. The license server software should be installed before any other XenApp and XenDesktop component. This allows you to point the Delivery Controller to the license server during the installation and initial configuration. If the license server software is not installed prior to the installation of XenApp and XenDesktop, a trial license can be selected and used for up to 30 days.
Citrix products store a replica of the licensing information from the license server, including the number and type of licenses. Citrix products and the license server exchange "heartbeat" messages every five minutes to indicate to each other that they are still up and running. If the product and the license server fail to send or receive heartbeats, the product lapses into the licensing grace period and the product licenses itself through cached information. The Citrix products continue operations as if they were still in communication with the license server. Citrix products update their grace period information every hour.
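To see how those intervals play out on a timeline, here is an added Python model of the heartbeat exchange just described; it is not Citrix code. The five-minute heartbeat and the hourly grace update come from the text; the length of the grace period is not stated here, so GRACE_PERIOD_MIN is an assumed parameter used only to report remaining minutes. The grace_watch() helper is the check a monitoring script would run: flag any product that has been licensing itself from cached information for longer than a threshold you choose.

```python
"""Timeline model of product <-> license server heartbeats and the grace period.

Added example, not Citrix code. HEARTBEAT_INTERVAL_MIN and
GRACE_UPDATE_INTERVAL_MIN are from the text above; GRACE_PERIOD_MIN is an
assumption used only to compute 'remaining' minutes.
"""
HEARTBEAT_INTERVAL_MIN = 5        # products and the license server exchange heartbeats every 5 min
GRACE_UPDATE_INTERVAL_MIN = 60    # products refresh their grace period information hourly
GRACE_PERIOD_MIN = 30 * 24 * 60   # ASSUMPTION: the page does not state the grace period length


def simulate(heartbeats, grace_period_min=GRACE_PERIOD_MIN):
    """heartbeats[i] is True if the exchange at minute 5*i succeeded.

    Returns (state, minutes_in_grace, events): state is 'connected' or 'grace',
    minutes_in_grace is the length of the current unbroken stretch without a
    heartbeat, and events is a chronological list of (minute, description).
    """
    events = []
    grace_started = None
    for i, ok in enumerate(heartbeats):
        minute = i * HEARTBEAT_INTERVAL_MIN
        if ok:
            if grace_started is not None:
                events.append((minute, "heartbeat restored; licensing from the license server again"))
                grace_started = None
            continue
        if grace_started is None:
            grace_started = minute
            events.append((minute, "heartbeat missed; entering grace period, licensing from cached information"))
            continue
        elapsed = minute - grace_started
        if elapsed % GRACE_UPDATE_INTERVAL_MIN == 0:
            remaining = max(grace_period_min - elapsed, 0)
            events.append((minute, f"grace information updated: {elapsed} min in grace, {remaining} min remaining"))
    if grace_started is None:
        return "connected", 0, events
    last_minute = (len(heartbeats) - 1) * HEARTBEAT_INTERVAL_MIN
    return "grace", last_minute - grace_started, events


def grace_watch(heartbeats, warn_after_min=60):
    """Monitoring check: True once the product has been in grace for warn_after_min or longer."""
    state, in_grace, _ = simulate(heartbeats)
    return state == "grace" and in_grace >= warn_after_min


if __name__ == "__main__":
    # Constructed sample: 15 minutes healthy, then the license server is silent for 65 minutes
    sample = [True] * 3 + [False] * 14
    state, in_grace, events = simulate(sample)
    for minute, text in events:
        print(f"t+{minute:4d} min  {text}")
    print(f"state={state}, minutes in grace={in_grace}, alert={grace_watch(sample)}")
```

The reason a defender cares is that a product in grace looks perfectly healthy to its users: sessions keep launching from cached information, so the only early signal is the missed heartbeat itself, which is why the check keys on time-in-grace rather than on session failures.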
High availability of the license server can be accomplished with clustering. Clustering the license server allows users to continue working during failure situations without interrupting access to critical applications. When the active node in a cluster-enabled license server suffers from hardware failure, failover occurs automatically. Resources are available again in a few seconds to a few minutes. If clustering will be used, you should register the name of the cluster, not the individual names of the servers when allocating the license on the My Account site or in Citrix Studio. Another way to provide high availability for the license server is at the hypervisor layer. For more information about clustering license servers, see the "Clustered license servers" topic on the http://docs.citrix.com Web site.
To Install the Citrix License Server
1. Start the license server VM. Right-click CitrixLicenseServer-1 in XenCenter, click Start, and then click the Console tab.
2. Log on to the license server with domain administrator credentials. Log on to CitrixLicenseServer-1 using the TRAINING\Administrator and Password1 credentials.
3. Insert the XenApp and XenDesktop media in the DVD drive. Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard. If the installation wizard does not start, double-click AutoSelect.
6. Click Start next to XenDesktop.
7. Click Citrix License Server under Extend Deployment on the right.
8. Read and respond to the license agreement. Select I have read, understand, and accept the terms of the license agreement and then click Next.
9. Click Next on the Core Components screen to accept the default installation location setting.
10. Select the method to use for port configuration. Verify that Automatically is selected on the Firewall page and then click Next. You should select Automatically if you are using the default ports for communication with your license server. If you are using custom ports, select Manually. Changing the licensing port after licenses are installed might cause the "No such product or vendor exists: CITRIX" message to appear on the License Administration Console dashboard instead of the installed licenses.
11. Click Install and wait for the installation to complete.
12. Click Finish.
13. Eject the XenApp and XenDesktop media from the DVD drive. Click Eject to the right of the DVD Drive 1 field to eject the media from the drive.
Troubleshooting License Server Issues
The following table provides resolutions for Citrix License Server issues.
Issue: The license server will not start or an upgrade of the license server fails.
Resolution: Run the License Server Configuration tool from C:\Program Files\Citrix\Licensing\LS\resource\LSPostConfigTool.exe. If the License Server Configuration tool fails for any reason, uninstall and reinstall the license server.

Issue: The installation fails when localized characters are used in the installation path.
Resolution: Accept the default installation path or use only ASCII alphabetic characters for the installation path.

Issue: The 30-day free trial license is the only license available.
Resolution: Verify that a license for the product edition has been added to the license server. Accept the trial license and then use Studio to change the license information after installation.

Issue: A read-only administrator receives the following message in Studio after the Citrix License Server software is uninstalled and then reinstalled: "You do not have permissions to perform this operation."
Resolution: Have a full license administrator log on and access the License node in Studio to initiate a trust with the new license server.

Issue: Newly added licenses are not appearing in the License Administration Console.
Resolution: Do one of the following:
• Re-read the license file using the Vendor Daemon Configuration tab in the License Administration Console.
• Restart the Citrix Licensing Service on the license server.
• Restart the license server.
Allocating, Downloading, and Adding a License File
After you install the licensing components, you are ready to obtain your Citrix license files from My Account on the www.citrix.com Web site or Citrix Studio. You can generate a license file, download it to the license server, and then import the license file using the License Administration Console, Citrix Studio, or a web browser. Before allocating a license, you need the following information:
• The license code. You can find this code on the XenApp and XenDesktop installation media pack, in an email you receive from Citrix, or from the Subscription Advantage Management-Renewal-Information system (SAMRI).
• Your user ID and password for My Account on the www.citrix.com Web site. You can register for this password on the Web site.
• The name of the server on which you installed the licensing software. The entry field for this name is case-sensitive, so ensure that you copy the name exactly as it appears on the server. You can find the license server host name and Ethernet address in the License Administration Console in the Administration area on the System Information tab. You can also run the hostname command at a command prompt on the license server.
• The number of licenses you want to include in the license file. You do not have to download all of the licenses you are entitled to at once, if you are using My Account from the www.citrix.com Web site. If you are using Citrix Studio to allocate the licenses, you must allocate all licenses in the file at one time in this version of XenApp and XenDesktop. For example, if your company purchases 100 licenses, you can choose to allocate and download only 50 at this time if you are using My Account. At a later date or time, you can allocate the rest in another license file. You can have more than one license file. This cannot be done from Citrix Studio.
To Allocate, Download, and Import a License File
A Citrix License Server is preconfigured for use in the lab environment with licenses already allocated to it. To experience allocating, downloading and adding a license file from My Account, we have provided a Downloading, Allocating, and Importing License Files exercise below. Click the following link and use the steps in this course to complete the exercise:
• Downloading, Allocating, and Importing License Files Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.

1. Click My Account (Log in) in the upper-right corner of the www.citrix.com Web site page.
2. Click Create Account. Use the mouse to move between fields in this exercise.
3. Click Create Customer Account. If your company already has an account, you would use the existing account rather than create a new one.
4. Complete the form to create an account and then click Continue. The form has been completed with generic information. Click Continue.
5. Create a new Login ID and password and then click Continue. Verify that CitrixStudent is in the Login ID field, type Password1 in the New Password and Confirm Password fields, and then click Continue.
6. Click Activate and Allocate Licenses under the Licensing heading on the page.
7. Click the Single Allocation tab. If you currently have available licenses, they will appear within the Activate and Allocate Licenses tab.
8. Type the license code into the Enter license code field and then click Continue. Type CTXLF-12345-67890-12345-67890 and then click Continue.
9. Click Continue on the Host Name Warning Page. Not all licenses for Citrix products are allocated based on the host name of the license server.
10. Type the case-sensitive name of the Citrix License Server that will host the license in the Host ID field. Type LS-1 into the Host ID field. Make sure that students do not type CLS-1 as the host name. CLS-1 is the host name of the Citrix License Server that the students created in the lab environment, but is not the host name used in this exercise.
11. Click the Quantity/Available field, type the license quantity, and then click Continue. Click the Quantity/Available field, type 5, and then click Continue.
You can always come back to reallocate and re-download your licenses should they become corrupt, lost, or you need to specify a different allocation of your licenses using the Reallocate and Redownload tabs from My Account on the www.citrix.com Web site.
12. Verify that the information is correct and then click Confirm.
13. Click OK in the message stating that the allocation was successful.
14. Click Download.
15. Click the down arrow next to Save and then click Save as. The name of the license file can be changed, but the contents within the file cannot be changed without corrupting the license file.
16. Click Save in the Save As window to download the license file to the Downloads folder.
17. Click Log Out in the upper-right corner of the window.
18. Close the browser window.
19. Click the Start button on the bottom-left corner of the screen.
20. Type Citrix License and then click the Search icon.
21. Click Citrix License Administration Console.
22. Click Administration in the upper-right corner of the License Administration Console.
23. Log on as a license administrator. Type TRAINING\Administrator in the User Name field, Password1 in the Password field, and then click Submit.
24. Click Vendor Daemon Configuration in the lower-left corner of the License Administration Console.
25. Click Import License.
26. Click Browse to the right of the License File from Your Local Machine field to browse to the recently downloaded license file.
27. Select the recently downloaded license file and then click Open. Select FID_15.lic in the Downloads folder and then click Open.
28. Click Import License.
29. Click OK. In order to view the active licenses within the dashboard, you must restart the license server or reread the license file.
30. Verify that the licenses have been allocated. Click Dashboard and then click Citrix XenDesktop Enterprise|Concurrent.
31. View the allocated licenses and then click X in the upper-right corner of the window to close the dashboard.
Discussion Question
When downloading the license for the first time from My Account on the www.citrix.com Web site, you are asked to allocate the licenses. What does allocate mean?
Adding License Administrators
A default administrator account is created during the installation of the License Administration Console. To delegate license administration to other users, you need to configure accounts on the license server using the License Administration Console. The License Administration Console can use License Administration users, local Windows users and groups, and Active Directory users and groups. The Simple License Service used by the License Administration Console can use local Windows users and groups as well as Active Directory users and groups.
Active Directory users and groups are part of an Active Directory/network authentication system. To support Active Directory users and groups, the license server must be a member of a Microsoft Active Directory domain.
To Add a License Administrator
1. Start the management system VM. Right-click StudentManagementConsole-1 in XenCenter, click Start, and then click the Console tab.
The StudentManagementConsole-1 (SMC-1) is a system specifically set up in the lab environment for you to use to administer components in the environment. In the real world, it is more realistic that administrators use an endpoint to administer their environments than log on directly to the servers in the environment.
2. Log on to the management system using domain administrator credentials. Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
3. Double-click the Mozilla Firefox icon on the desktop.
4. Type the FQDN and port number of the License Administration Console into the Address field and then press Enter to access the License Administration Console. Type cls-1.training.lab:8082 in the Address field and then press Enter.
5. Click Administration in the upper-right corner of the console.
6. Log on to the License Administration Console using the credentials you used to install the Citrix License Server software. Log on using the TRAINING\Administrator and Password1 credentials. If you are in a domain, the account of the end user who installed the license server is automatically added as the administrator. If you were logged on with a different account when you installed the Citrix License Server, you must either use that account to log on to the console to create new administrators or any account that is a member of the BUILTIN\Administrators group (including the Domain Admins security group).
7. Click User Configuration.
8. Click New User. You should not include a backslash for a locally managed administrator (for example, tester1). If you do, you will be unable to delete that account.
9. Select a role for the new Citrix License administrator. Select Domain Administrator in the Role field.
10. Type the name of an end user or group in the User name field in the form of domain\username or domain\group and then click Save. Type TRAINING\Admin2 and then click Save.
11. Verify that the new account appears on the User Configuration page.
12. Click Log Out on the top right of the License Administration Console.
Discussion Question
What steps are required to recover from a catastrophic failure of the license server?
Configuring Licensing Alerts
A licensing alert can be set to notify an administrator when an important event concerning Citrix licensing occurs. There are two types of alerts: critical and important. All alerts are triggered at one minute intervals except the Vendor Daemon alert which is triggered immediately. You can set alerts for Subscription Advantage expiration, license expiration, Vendor Daemon has stopped, and concurrent license usage. For example, an important alert for concurrent license usage can be set to 90%, and a critical alert can be set to 98% consumption.
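The consumption rules given earlier for the Concurrent and User/Device models, together with the thresholds just mentioned, can be checked against a concrete set of sessions. The Python below is an added example, not Citrix code, and serves both that licensing-model list and this alert discussion. SESSIONS is constructed sample data. The Concurrent count is one license per distinct user-endpoint pair, which generalizes the two Concurrent rules stated earlier. The User/Device count is computed as a minimum vertex cover of the user-endpoint graph (Konig's theorem), that is, the fewest user or device licenses that can cover every session; it reproduces the three User/Device rules stated earlier and is the best case an optimizing license server could reach, not a description of Citrix's actual assignment algorithm. The 90% and 98% thresholds are the ones given above.

```python
"""License consumption under the Concurrent and User/Device models, plus the
concurrent-usage alert thresholds.

Added example, not Citrix code. SESSIONS is constructed sample data. The
User/Device count is a minimum vertex cover (Konig's theorem): the fewest
user-or-device licences that cover every session. Treat it as the best case
an optimising license server could reach, not as Citrix's algorithm.
"""
from collections import defaultdict

# Constructed sessions as (user, endpoint). Duplicates are extra sessions
# of the same user on the same endpoint.
SESSIONS = [
    ("alice", "laptop-1"), ("alice", "laptop-1"),                     # one user, two sessions, one endpoint
    ("bob", "desktop-2"), ("bob", "phone-2"),                         # one user, two endpoints
    ("carol", "kiosk-9"), ("dave", "kiosk-9"), ("erin", "kiosk-9"),   # shared classroom device
]


def concurrent_licenses(sessions):
    """Concurrent model: one license per distinct (user, endpoint) pair."""
    return len(set(sessions))


def user_device_licenses(sessions):
    """User/Device model: every (user, endpoint) pair must be covered by a user
    licence or a device licence. Returns (users_licensed, devices_licensed)."""
    adj = defaultdict(set)
    for user, device in set(sessions):
        adj[user].add(device)
    users = sorted(adj)

    matched_user_of = {}  # device -> user in the current matching

    def augment(user, seen):
        for device in sorted(adj[user]):
            if device in seen:
                continue
            seen.add(device)
            if device not in matched_user_of or augment(matched_user_of[device], seen):
                matched_user_of[device] = user
                return True
        return False

    for user in users:  # maximum matching by augmenting paths
        augment(user, set())
    matched_users = set(matched_user_of.values())

    # Konig: Z = vertices reachable from unmatched users along alternating paths;
    # a minimum cover is (users not in Z) + (devices in Z).
    z_users = {u for u in users if u not in matched_users}
    z_devices = set()
    stack = list(z_users)
    while stack:
        user = stack.pop()
        for device in adj[user]:
            if device in z_devices:
                continue
            z_devices.add(device)
            partner = matched_user_of.get(device)  # always matched, else an augmenting path would exist
            if partner is not None and partner not in z_users:
                z_users.add(partner)
                stack.append(partner)
    return sorted(set(users) - z_users), sorted(z_devices)


def alert_level(in_use, installed, important_pct=90, critical_pct=98):
    """Return (usage_pct, level) with level 'critical', 'important' or None."""
    pct = 100.0 * in_use / installed
    if pct >= critical_pct:
        return pct, "critical"
    if pct >= important_pct:
        return pct, "important"
    return pct, None


def summarize(sessions, installed_concurrent):
    """Consumption under both models and the dashboard alert for Concurrent usage."""
    users, devices = user_device_licenses(sessions)
    concurrent = concurrent_licenses(sessions)
    pct, level = alert_level(concurrent, installed_concurrent)
    return {
        "concurrent": concurrent,
        "user_device": len(users) + len(devices),
        "user_licenses": users,
        "device_licenses": devices,
        "concurrent_usage_pct": pct,
        "alert": level,
    }


if __name__ == "__main__":
    for key, value in summarize(SESSIONS, installed_concurrent=6).items():
        print(f"{key:22} {value}")
```

On the sample, the Concurrent model consumes six licenses (alice's second session on the same laptop is free, but bob's two endpoints and each user on the shared kiosk cost one each), while the User/Device model needs three: user licenses for alice and bob and a single device license for kiosk-9. With six Concurrent licenses installed the usage is 100%, above the critical threshold; the same sessions under User/Device leave plenty of headroom, which is the practical reason to check the model before sizing alert thresholds.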
To Configure Licensing Alerts
Alerts and license usage are displayed on the first page of the License Administration Console. By default, to view information on the first page of the License Administration Console, you do not need log on credentials. You can change this behavior and require log on.
1. Log on to the management system using domain administrator credentials. Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
2. Double-click the Mozilla Firefox icon on the desktop.
3. Type the FQDN and port number of the License Administration Console into the Address field and then press Enter to access the License Administration Console. Type cls-1.training.lab:8082 in the Address field and then press Enter.
4. Click Administration in the upper-right corner of the console. If the Log On screen does not appear, click Log Out at the top of the console and then click Administration.
5. Log on to the License Administration Console using Citrix License administrator credentials. Log on to the License Administration Console using the TRAINING\Admin2 and Password1 credentials.
6. Click Alert Configuration on the left side of the console.
7. Select an alert to display on the Dashboard, determine the threshold you want to set to trigger the alert, and then click Save. Select Concurrent threshold exceeded, set the alert to 80%, and then click Save.
8. Deselect an alert to remove it from the Dashboard and then click Save. Deselect Overdraft license issued and then click Save in the lower-right corner of the console.
9. Click Dashboard in the upper-right corner of the console to view the Dashboard.
10. Click Citrix Start-up License|Server to expand and view the license. The alerts, if any, will be displayed in the left pane of the console.
11. Click the yellow triangle to view the Important alerts. There should not be any alerts at this time because you do not have any Citrix products installed.
12. Click the red circle to view the Critical alerts.
13. Click the X in the upper-right corner of the License Administration Console to close the window.
You can shut down the CitrixLicenseServer-1 VM to free up lab environment resources. You will be using a centralized license server in the classroom.
Moving from XenApp 7.6 to XenDesktop 7.6
XenApp and XenDesktop now share a unified architecture. This makes it possible to simply upload a license to move an implementation from:
• An edition of XenApp 7.6 to another.
• An edition of XenDesktop 7.6 to another.
• An edition of XenApp 7.6 to an edition of XenDesktop 7.6.
Once the license is uploaded and the edition is selected, all of the features available in the edition become available to the administrator.
XenApp supports Server OS-based applications and desktops. XenDesktop supports Server OS-based applications and desktops and Desktop OS-based applications and desktops along with other FlexCast models. The installation media for XenDesktop contains options for installing XenApp 7.6 or XenDesktop 7.6. The installations are the same with the exception of branding. The licenses you upload determine the features and functions available to you. For example, if you choose to install XenApp 7.6 and then upload XenDesktop licenses, your installation will be XenDesktop.

Setting Up the Delivery Controller
The Delivery Controller (Controller) is responsible for managing end user access, load balancing connections, and optimizing connections. The Delivery Controller relies on Machine Creation Services (MCS) to create multiple VMs from a single virtual image.
The Controller:
1. Receives authentication requests from end users and queries Active Directory.
2. Interacts with the database to retrieve the list of resources for the end user.
3. Communicates with StoreFront to make the resources available for selection.
4. Receives requests from the end user to access a resource.
5. Load balances the request for a resource.
6. Prepares the resource to be delivered to the end user via the hypervisor.
7. Sends load balancing information to StoreFront, where a connection file is created.
8. Prepares the VM for connection.
9. Retrieves the client license and issues it to the started resource.
10. Monitors the connection state throughout the duration of the session.
The Controller provides the following services:
• Communicates with the hypervisor to distribute hosted applications and virtual desktops.
• Manages connection options using Delivery Groups.
• Manages virtual desktops, hosted applications, and Remote PC Access through machine catalogs.
• Manages the power state of VMs.
To provide high availability so that end users can continue to access and use their resources in the event of a Controller failure, you should configure more than one Controller per site. To add a Controller, you need the securityadmin or db_owner database server role permission for the XenApp and XenDesktop database.
Installing the First Controller
During the installation of the first Controller, you can point to a database server or install a SQL Server Express instance. After the Controller is installed, it must be configured using Studio. You will install Studio on this VM later in this module. The license server should be installed before the Controller is installed. This will simplify the registration of the Controller with the license server.

To Install the First Controller
1. Right-click the Controller VM, click Start, and then click the Console tab. Right-click Controller-1, click Start, and then click the Console tab.
2. Log on to the Controller using domain administrator credentials. Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
3. Insert the XenApp and XenDesktop installation media into the DVD drive. Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard. If the installation wizard does not start, double-click AutoSelect.
6. Click Start next to XenDesktop.
7. Click Delivery Controller.
8. Read and respond to the licensing agreement. Select I have read, understand, and accept the terms of the license agreement and then click Next.
9. Specify the components to install and then click Next. Deselect License Server and StoreFront and then click Next. If you are deploying a Proof of Concept or small implementation that will not grow, you can install the Controller, Studio, and Director on the same server.
10. Specify whether or not to install Microsoft SQL Server 2012 Express or Remote Assistance and then click Next. Deselect Install Microsoft SQL Server 2012 Express, verify that Install Windows Remote Assistance is selected, and then click Next. Microsoft SQL Server 2012 Express does not need to be installed on the server because we will be using a mirrored instance of SQL Server 2012. If a SQL Server installation was not available in the environment, SQL Server Express could be selected and installed automatically from the installation media. Windows Remote Assistance is selected for installation because you are installing Director on this server. Director can be used by Help Desk personnel to assist end users, so Windows Remote Assistance is needed.
11. Select the port configuration method to use and then click Next. Verify that Automatically is selected and then click Next. If the Controller will use the default ports for communications, select Automatically. If the Controller will use alternate port assignments, select Manually to configure the ports after the installation.
12. Review the installation summary and then click Install. Based on the components that are selected for installation in the lab environment and the number of VMs running, you can expect the installation to take approximately 15 minutes.
13. Wait for the installation to complete, deselect Launch Studio, and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window and then click Internet Information Services (IIS) Manager to begin the process of requesting and installing a certificate on the first Delivery Controller.
16. Click the name of the Delivery Controller in the left pane. Click C-1 in the left pane.
17. Respond to the Internet Information Services (IIS) Manager message. Click No.
18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the Actions pane on the right.
20. Specify the appropriate distinguished name properties and then click Next.
   a. Use the following information:
      • Common name: c-1.training.lab
      • Organization: Training
      • Organizational Unit: IT
      • City/locality: Ft Lauderdale
      • State/province: Florida
      • Country/region: US
   b. Click Next.
   The Common name must match the FQDN that will be used to access the Site.
21. Click Select, select the Certificate Authority, and then click OK. Click Select, select training-AD-CA, and then click OK.
22. Type a friendly name for the certificate and then click Finish. Type c-1.training.lab and then click Finish.
23. Double-click Sites > Default Web Site in the left pane.
24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
26. Select the newly created certificate from the SSL certificate field, click OK, and then click Close. Select c-1.training.lab in the SSL certificate field, click OK, and then click Close.
27. Close the Internet Information Services (IIS) Manager.
Discussion Question
In previous versions of XenApp and XenDesktop, device drivers were installed during the installation of the Controller. This is no longer the case. Why is it an important advancement that device drivers are no longer installed on the Controller? How are Virtual Delivery Agents (VDAs) notified of available Controllers?
Configuring a Site
A Site is the management scope for a XenApp and XenDesktop environment and encompasses all of the components needed for the deployment of XenApp and XenDesktop. All management is done at the Site level. All administrators are configured at the Site level. A Site must be named during the configuration phase of the first Controller. Components contained in a Site must be able to communicate with each other and are managed by the Controller.
Studio is the GUI interface used to manage the Site. During the configuration of the Site, you configure communications between the Controller, Citrix License Server, database, and the hosting environment. Studio can be installed on the Controller, on an administrator's desktop, on a Server OS machine, or made available as a hosted application.
To Configure a Site
1. Log on to the VM hosting Studio using domain administrator credentials.
   Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
2. Open Studio.
   Click Start, type Studio and then click Citrix Studio.
   Studio will open automatically at the end of the Controller installation by default, if Studio was selected for installation.
3. Click Deliver applications and desktops to your users.
4. Verify that A fully configured, production-ready Site (recommended for new users) is selected.
5. Type a Site name and then click Next.
   Type MainSite in the Name your Site field and then click Next.
   Semantically, the Site name should make sense in the context of the overall architecture or be relevant to the groups or Controller residing on the Site.
6. Type the database server location and the name of the database in the appropriate fields.
   Type sql-1.training.lab in the Database server location field and verify that CitrixMainSite appears in the Database name field.
7. Click Test connection.
   An information message will appear at this point because you created the database during the SQL mirroring exercise and the database is empty. This is the expected behavior and is okay.
8. Click OK in the message.
9. Click Close and then click Next.
10. Type the License Server IP address, host name, or FQDN and then click Connect.
    Type license.edutestsite.com in the License server address field and then click Connect.
    You are not using the CitrixLicenseServer-1 VM during this class to provide licenses for XenApp and XenDesktop. Instead, you are connecting to an external license server to provide the licenses.
11. Select Connect me and then click Confirm.
12. Select the proper license and then click Next.
    Select Citrix XenDesktop Platinum: User/Device and then click Next.
13. Select the Connection type (hypervisor).
    Select Citrix XenServer.
14. Type the Connection address.
    Type the address of the XenServer management network. To locate this address, open XenCenter, select the XenServer host, and then click the Networking tab.
    It is recommended that HTTPS connections be used to communicate with XenServer. HTTPS prevents the XenServer password from being transmitted over the network in plain text. Anyone who can capture HTTP (unencrypted) network packets can read the plain text user names and passwords they carry, which creates a security risk for users. A certificate is not installed on the XenServer host in the lab environment.
15. Type the user name and password for the host connection.
    Type the user name and password provided by the instructions at the beginning of the lab.
16. Specify a name for the connection.
    Type XenServer in the Connection name field.
17. Determine which provisioning tool will be used to create VMs for XenApp and XenDesktop and then click Next.
    Verify that Studio tools (Machine Creation Services) is selected and then click Next.
18. Type a name for the virtualization settings in the Enter a name for the Resources field, select the desired networks for the VMs to use, and then click Next.
    Type XenApp and XenDesktop Network in the Enter a name for the Resources settings field, select Internal, verify that all other networks are deselected, and then click Next.
19. Select the storage device and type of storage to use.
    Select Local from the storage devices drop-down list. Verify that Local Storage is selected.
    When Shared and NFS virtual disk storage are selected, you can specify whether or not IntelliCache will be used to reduce the load on the shared storage device. This option is not valid for Local storage. To learn more about IntelliCache, see http://support.citrix.com/article/CTX129052.
20. Determine where Personal vDisks will be stored and then click Next.
    Verify that Use same storage for virtual machines and Personal vDisk is selected and then click Next.
21. Determine if App-V publishing will be used, specify the appropriate information, and then click Next.
    Verify that No is selected on the App-V Publishing page and then click Next.
22. Click Finish.
    You can expect the Site configuration to take approximately 10 minutes because the primary and mirror database schemas are being created for the new Site.
23. Verify that a green check mark appears next to Step 1 and then click the Test site configuration button.
24. Click Show report to review the test results.
25. Close the Site Configuration Testing Report and then click Finish.
    Some warnings may appear. The warnings will not affect the lab environment, but should be addressed in a real-world implementation. In our database, Read Committed Snapshot is disabled. This means that the database engine will not modify information in the database while a transaction is reading that information. When Read Committed Snapshot is enabled, row versioning is used to allow reading and writing of the information at the same time.
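The Read Committed Snapshot warning in the test report can be checked, and in a maintenance window corrected, from PowerShell. This is an added example and not part of the course material; it assumes the SQL Server PowerShell module (Invoke-Sqlcmd) is installed on the machine you run it from, and it uses the lab's sql-1.training.lab instance and CitrixMainSite database as defaults.

```powershell
# Added example (not from the Citrix course): check whether the Site database has
# READ_COMMITTED_SNAPSHOT enabled, and enable it only when explicitly asked to.
# Assumes the SqlServer/SQLPS module (Invoke-Sqlcmd) and sysadmin rights on the
# principal instance. Server and database names below are the lab values.

function Get-ReadCommittedSnapshotState {
    param(
        [string]$ServerInstance = "sql-1.training.lab",
        [string]$Database       = "CitrixMainSite"
    )
    # The database name is passed as a sqlcmd scripting variable rather than spliced
    # into the query text, so an unexpected name cannot alter the statement.
    $query = 'SELECT name, is_read_committed_snapshot_on FROM sys.databases WHERE name = N''$(dbname)'';'
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master `
                         -Query $query -Variable "dbname=$Database"
    if (-not $row) { throw "Database '$Database' was not found on $ServerInstance." }
    [pscustomobject]@{
        ServerInstance          = $ServerInstance
        Database                = $row.name
        ReadCommittedSnapshotOn = [bool]$row.is_read_committed_snapshot_on
    }
}

function Enable-ReadCommittedSnapshot {
    param(
        [string]$ServerInstance = "sql-1.training.lab",
        [string]$Database       = "CitrixMainSite"
    )
    # ALTER DATABASE cannot take the database name as a parameter, so accept only a
    # plain identifier before quoting it with [].
    if ($Database -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected database name '$Database'." }
    $state = Get-ReadCommittedSnapshotState -ServerInstance $ServerInstance -Database $Database
    if ($state.ReadCommittedSnapshotOn) { return $state }
    # WITH ROLLBACK IMMEDIATE drops every open connection, including the Controllers'
    # broker services, so run this in a maintenance window against the principal instance.
    $alter = "ALTER DATABASE [$Database] SET READ_COMMITTED_SNAPSHOT ON WITH ROLLBACK IMMEDIATE;"
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $alter
    Get-ReadCommittedSnapshotState -ServerInstance $ServerInstance -Database $Database
}

# Report only; call Enable-ReadCommittedSnapshot deliberately when the window is open.
Get-ReadCommittedSnapshotState
```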
Editing Connection and Resource Settings
Resource settings are the connection information used by your XenApp or XenDesktop Delivery site to communicate with the underlying hypervisor technology. You can improve the performance of a XenApp or XenDesktop site by further optimizing the Delivery site connection to the host for XenServer, vSphere, and Hyper-V. After you specify the host connection in Citrix Studio, you can use the properties to modify the connection settings. The connection settings allow you to specify the maximum number of simultaneous actions, simultaneous Personal Storage inventory updates, and the number of actions per minute that can occur on a host connection.
For more information about connection settings and connection throttling, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-connections.html.
To Edit Connection and Resource Settings
1. Log on to the VM hosting Studio using domain administrator credentials.
   Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
2. Open Studio.
   Click Start, type Studio and then click Citrix Studio.
3. Edit the Hosting connection settings.
   a. Click Hosting.
   b. Verify XenServer is selected.
   c. Click Edit Connection in the Actions pane.
4. View the options to improve the performance of the XenApp and XenDesktop Delivery site by enhancing the connection throttling settings.
   Click the Advanced tab.
5. Click Cancel.
   Citrix recommends that you only adjust these advanced connection properties under the guidance of a Citrix Support representative.
Connecting to Resources
Site outages and interruptions in communications between the Delivery Controller and the site database can result in resource availability issues for users. Connection leasing enables Delivery Controllers to continue to broker users to sessions in the event the site cannot communicate with the site database. This connection brokering relies on a cache on each Delivery Controller. User sessions brokered for the last two weeks are cached on the Delivery Controller.
Connection leasing is not a database redundancy solution. Citrix recommends that XenApp and XenDesktop implementations use SQL mirroring or clustering to protect and provide failover for the site database. Connection leasing is a XenApp and XenDesktop feature that supplements a SQL Server high availability solution. In most large deployments, connection leasing will likely never be used because the SQL clustering options will prevent the loss of connection to the site database.
Example: An end user has accessed Microsoft Word within the last two weeks, but has not accessed Microsoft PowerPoint. During the site outage, the connection leasing feature allows the Delivery Controllers to broker that user's request to Microsoft Word, but not to Microsoft PowerPoint, because Microsoft PowerPoint is not in the cache.
Connection leasing is enabled by default and is limited to user sessions accessing server-hosted applications, server desktops and static (assigned) desktops; it is not supported for random (pooled) desktops. Connection leasing can be turned on or off using the PowerShell SDK or the Windows registry.
When the Delivery Controller enters into lease connection mode during a database connection failure:
• Studio, Director and the PowerShell console cannot be used.
• Workspace control is not available, so users will not be automatically reconnected to disconnected sessions.
• If new sessions are created just before the database becomes unavailable, users may not be able to access the resources in those sessions if the Delivery Controllers did not have a chance to sync with the database.
• Users roaming from an external to internal HDX connection may not be able to reconnect to a session established from a different network.
• Power managed, powered off static (assigned) desktops remain unavailable until the database connection is restored.
• New sessions will not prelaunch and session lingering timeouts are not used.
• Server-based connections are routed to the most recently used VDA, and all server-based load balancing is ignored.
• Only VDAs that are 7.6 minimum version are supported.
For more information about connection leasing, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-connection-leasing.html.
Discussion Question
When might you consider adding an additional Controller to the environment?
Troubleshooting Studio
The following table identifies resolutions for issues related to Studio.
Issue: There is a delay when starting Studio.
Resolution: Verify that there is an Internet connection prior to starting Studio. If no connection is available, you must disable the Authenticode signature checking feature as described in http://support.citrix.com/article/CTX120115.
Issue: Studio sometimes shows completed tasks as "In progress."
Resolution: This issue is cosmetic and can be ignored if you are certain that the task has been completed. You should not restart Studio if a long-running task is genuinely active because it will cause the task to remain in an incomplete state.
Adding Delegated Administrators
You cannot create an administrator account using Studio. Instead, you use Studio to assign administrative privileges to users and groups created in Active Directory. You should only assign administrative privileges to those users and groups that require them and you should avoid compromising Site security by providing excessive privileges. You can remove administrative privileges for one administrator, but that administrator account may also be a member of a group that was assigned those privileges. As a result, the account still holds those privileges through its group membership.
The default administrator is the account that was used to install the Controller and configure the Site. To avoid configuration frustration, you should always use a domain account, rather than a local account, to install the Controller and configure the Site. This ensures that the same account can be used with each component in the XenApp and XenDesktop environment, such as the license server, Provisioning Services, hosting environment, and SQL Server database. In addition, you should keep the number of simultaneous administrators using Studio to a minimum to avoid overwriting each other's configuration changes. The "last write wins" concept applies to changes to the database.
To Add a Delegated Administrator
1. Log on to the VM hosting Studio using domain administrator credentials.
   Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
2. Open Studio.
   Click Start, type Studio and then click Citrix Studio.
3. Expand Configuration in the left pane and then click Administrators.
4. Click Create Administrator in the right pane.
5. Click Browse and then type the name of the user or group to be added in the Enter the object name to select field.
   Click Browse and then type HelpDesk into the Enter the object name to select field.
   Only one user or group can be added at a time.
6. Click Check Names and then click OK.
7. Select a scope and then click Next.
   Select All for the scope and then click Next.
   If you create a new scope, refresh the console so new administrators can create a new connection or resource without encountering an error. If the console is not refreshed, the new connection/hosting scope will not be available to new administrators.
8. Select the role and then click Next.
   Select Help Desk Administrator and then click Next.
9. Verify that Enable Administrator is selected and then click Finish.
Discussion Question
The administrator account used to install the Controller and configure the Site has Full Administrator privileges. What happens if you delete that account from Studio?
Setting Up a Second Controller
A second Controller is required for high availability of the XenApp and XenDesktop environment. Because the second Controller is joining an existing Site, and is being added to the existing database, database configuration is minimal during the installation. The second Controller can be installed at any time after the first Controller is configured. Once installed, any instance of Studio can be used to manage multiple Controllers for a Site.
To Install a Second Controller
1. Right-click the second Controller VM, click Start, and then click Console.
   Right-click Controller-2, click Start, and then click Console.
2. Log on to the second Controller using domain administrator credentials.
   Log on to Controller-2 using the TRAINING\Administrator and Password1 credentials.
3. Insert the XenApp and XenDesktop installation media into the DVD drive.
   Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
   If the installation wizard does not start, double-click AutoSelect.
6. Click Start next to XenDesktop.
7. Click Delivery Controller.
8. Read and respond to the licensing agreement.
   Select I have read, understand, and accept the terms of the license agreement and then click Next.
9. Specify the components to install and then click Next.
   Deselect License Server and StoreFront and then click Next.
   If you are deploying a Proof of Concept or small implementation that will not grow, you can install the Controller, Studio, and Director on the same server.
10. Specify whether or not to install Microsoft SQL Server 2012 Express or Windows Remote Assistance and then click Next.
    Deselect Install Microsoft SQL Server 2012 Express, verify that Install Windows Remote Assistance is selected, and then click Next.
    Microsoft SQL Server 2012 Express does not need to be installed on the server because you already have a mirrored instance of SQL Server 2012. The same database must be used for both the first Controller in the environment and all subsequent Controllers in the environment. If Windows Remote Assistance was selected for installation on the first Controller, it must be selected for all subsequent Controllers to ensure that it is available to Director.
11. Select the port configuration method to use and then click Next.
    Verify that Automatically is selected and then click Next.
    If the Controller will use the default ports for communications, select Automatically. If the Controller will use alternate port assignments, select Manually to configure the ports after installation completes.
12. Review the installation summary and then click Install.
    Based on the components that are selected for installation in the lab environment and the number of VMs running, you can expect the installation to take approximately 15 minutes.
13. Wait for the installation to complete, deselect Launch Studio, and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window and then select Internet Information Services (IIS) Manager to begin the process of requesting and installing a certificate on the second Delivery Controller server.
16. Click the name of the Delivery Controller in the left pane.
    Click C-2 in the left pane.
17. Respond to the Internet Information Services (IIS) Manager message.
    Click No.
18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the right pane.
20. Specify the appropriate distinguished name properties and then click Next.
    a. Use the following information:
       • Common name: c-2.training.lab
       • Organization: Training
       • Organizational Unit: IT
       • City/locality: Ft Lauderdale
       • State/province: Florida
       • Country/region: US
    b. Click Next.
    The Common name must match the FQDN that will be used to access the Site.
21. Click Select, select the Certificate Authority, and then click OK.
    Click Select, select training-AD-CA, and then click OK.
22. Type a friendly name for the certificate and then click Finish.
    Type c-2.training.lab and then click Finish.
23. Double-click Sites > Default Web Site in the left pane.
24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
26. Select the newly created certificate in the SSL certificate field, click OK, and then click Close.
    Select c-2.training.lab in the SSL certificate field, click OK, and then click Close.
27. Close the Internet Information Services (IIS) Manager.
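A name mismatch, an unexpected issuer or an expired certificate on either Controller breaks HTTPS access without any error in IIS Manager, so the binding created in steps 18 through 26 (on both Controllers) is worth verifying after the fact. The following PowerShell check is an added example, not part of the course material; it assumes the IIS WebAdministration module that ships with IIS Manager, and its issuer default is the lab's training-AD-CA.

```powershell
# Added example (not from the Citrix course): verify that the HTTPS binding on a
# Delivery Controller's Default Web Site uses a certificate issued to the FQDN
# clients will use, issued by the expected enterprise CA, unexpired, and backed by
# a private key. Run locally on each Controller. Assumes the IIS WebAdministration
# module; the CA name default is the lab's training-AD-CA.
Import-Module WebAdministration

function Test-ControllerHttpsBinding {
    param(
        [Parameter(Mandatory)][string]$ExpectedFqdn,   # e.g. c-1.training.lab
        [string]$ExpectedIssuerCN = "training-AD-CA",
        [string]$SiteName         = "Default Web Site"
    )
    $findings = @()
    $bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
    if ($bindings.Count -eq 0) {
        return @("No HTTPS binding on '$SiteName': the Site is reachable over HTTP only.")
    }

    foreach ($b in $bindings) {
        $hash  = $b.certificateHash
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { "My" }
        $cert  = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $hash }
        if (-not $cert) {
            $findings += "Binding $($b.bindingInformation) points at thumbprint $hash, which is not in LocalMachine\$store."
            continue
        }

        # Names the certificate is valid for: the subject CN plus any SAN DNS entries.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
        if ($san) {
            $names += ($san.Format($false) -split ',\s*') |
                      Where-Object { $_ -like 'DNS Name=*' } |
                      ForEach-Object { ($_ -split '=', 2)[1].Trim() }
        }

        if ($names -notcontains $ExpectedFqdn) {
            $findings += "Certificate $hash is issued to '$($names -join ', ')', not to '$ExpectedFqdn'; clients will get a name mismatch."
        }
        if ($cert.Issuer -notmatch ('CN=' + [regex]::Escape($ExpectedIssuerCN))) {
            $findings += "Certificate $hash was issued by '$($cert.Issuer)', not by $ExpectedIssuerCN."
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $findings += "Certificate $hash expires $($cert.NotAfter.ToShortDateString()); renew it."
        }
        if (-not $cert.HasPrivateKey) {
            $findings += "Certificate $hash has no private key in this store; TLS handshakes will fail."
        }
    }
    return $findings
}

# Check this Controller against its own domain FQDN (c-1.training.lab or c-2.training.lab in the lab).
$fqdn   = ("{0}.{1}" -f $env:COMPUTERNAME, $env:USERDNSDOMAIN).ToLower()
$result = Test-ControllerHttpsBinding -ExpectedFqdn $fqdn
if ($result.Count -eq 0) { "HTTPS binding on this Controller passed all checks." } else { $result }
```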
Joining a Controller to a Site
By default, the configuration phase of a Controller takes place immediately after the installation of the Controller. In some instances, you may want to move a Controller from one Site to another, such as from a test Site to a production Site. In this case, you only need to rerun the Configuration utility (this task), not reinstall the Controller. When you run the Configuration utility you have the opportunity to create a new Site (new database), or join an existing Site (existing database).
As a best practice, you should locate each Controller VM on a different physical hypervisor host for high availability purposes.
To Join a Controller to an Existing Site
This procedure assumes that you installed Studio on each Controller in the environment.
1. Log on to the second Controller with domain administrator credentials.
   Log on to Controller-2 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type Studio, and then click Citrix Studio.
3. Click Connect this Delivery Controller to an existing Site.
4. Type the FQDN of the first Controller and then click OK.
   Type c-1.training.lab and then click OK.
5. Click Yes when prompted to update the database automatically.
6. Select Controllers from the Configuration node in the left pane of Studio.
7. Verify that both Controllers are listed.
   Verify that C-1.training.lab and C-2.training.lab are listed.
   You can shut down the Controller-2 and SQLServer-2 VMs to free up lab resources.
Discussion Question
You added multiple Controllers to your implementation, but discover that you do not need all of them. You decide to use the Remove Controller option in Studio to remove the extra Controllers. What impact will this have on the remaining implementation and on the removed Controllers?
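The verification in step 7, together with the connection leasing state discussed under Connecting to Resources, can be scripted with the Broker PowerShell SDK rather than read from the Studio console. This is an added example, not part of the course material; it assumes the XenDesktop 7.6 PowerShell snap-in that Studio installs on a Controller, and it uses the lab Controller names as defaults.

```powershell
# Added example (not from the Citrix course): report Site resilience from the Broker
# SDK on a Controller: every expected Controller has joined and is Active, and the
# connection leasing setting is shown so it is not mistaken for database redundancy.
# Assumes the XenDesktop 7.6 PowerShell snap-in that Studio installs.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-SiteResilienceReport {
    param(
        # Lab Controller FQDNs; replace with your own.
        [string[]]$ExpectedControllers = @("c-1.training.lab", "c-2.training.lab")
    )
    $site        = Get-BrokerSite
    $controllers = @(Get-BrokerController)
    $warnings    = @()

    foreach ($c in $controllers) {
        if ($c.State -ne 'Active') {
            $warnings += "$($c.DNSName) is in state '$($c.State)' and is not brokering sessions."
        }
    }
    foreach ($name in $ExpectedControllers) {
        if (-not ($controllers.DNSName -contains $name)) {
            $warnings += "$name has not joined the Site (registered: $(($controllers.DNSName) -join ', '))."
        }
    }
    $active = @($controllers | Where-Object { $_.State -eq 'Active' }).Count
    if ($active -lt 2) {
        $warnings += "Only $active Active Controller(s): a single Controller failure stops brokering."
    }
    if ($site.ConnectionLeasingEnabled) {
        $warnings += "Connection leasing is on: it covers only resources used in the last two weeks and does not replace SQL mirroring or clustering."
    } else {
        $warnings += "Connection leasing is off: a database outage stops all new session brokering."
    }

    [pscustomobject]@{
        SiteName                 = $site.Name
        ConnectionLeasingEnabled = $site.ConnectionLeasingEnabled
        Controllers              = $controllers | ForEach-Object { "$($_.DNSName) [$($_.State)]" }
        Warnings                 = $warnings
    }
}

Get-SiteResilienceReport | Format-List
```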
Setting Up the Citrix Universal Print Server
The Citrix Universal Print Server extends XenApp and XenDesktop universal printing support to network printing. The Citrix Universal Print Server eliminates the need to install numerous non-native printer drivers on the virtual desktops and on the servers that host desktops and applications.
The Universal Print Server includes a client component and a server component:
• The client component (Universal Print Client) is installed on the resources hosting desktops and applications and on the objects located in a Machine Catalog that provide network printers that use the Universal Printer Driver. The client component is installed during the installation of the Virtual Delivery Agent on the resource.
• The server component (Universal Print Server) is installed on each Windows print server that provisions session network printers and uses the Universal Printer Driver for the session printers (regardless of whether or not the session printers are centrally provisioned).
To configure the Universal Print Server:
1. Install the Universal Print Client software.
2. Install the Universal Print Server software.
3. Configure a policy to enable the use of the Universal Print Server. The policy can be a local policy or a group policy.
After the Universal Print Server components are installed and policy settings are configured, an end user can add and enumerate network printers through the Windows Print Provider and Citrix Print Provider interfaces. The Citrix Print Provider does not support client-side rendering.
Installing the Universal Print Server
The Universal Print Server must be installed on the print servers in the environment. During the installation of the Universal Print Server, the Print and Document Services role is installed on the server, as are runtime libraries and client-side extensions. The client-side extensions are required to retrieve and configure Universal Print Server policy settings. You should not attempt to install the Universal Print Server on a server on which XenApp and XenDesktop components are installed, because the required components are already installed there.
To Install the Universal Print Server
1. Start the Citrix Universal Print Server VM.
   Right-click UniversalPrintServer-1 in XenCenter, click Start, and then click Console.
2. Log on to the Citrix Universal Print Server VM using domain administrator credentials.
   Log on to UniversalPrintServer-1 using the TRAINING\Administrator and Password1 credentials.
3. Insert the XenApp and XenDesktop installation media into the DVD drive.
   Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
   If the installation wizard does not start, double-click AutoSelect.
6. Click Start next to XenDesktop.
7. Click Universal Print Server.
8. Read and respond to the licensing agreement.
   Select I have read, understand, and accept the terms of the license agreement and then click Next.
9. Determine where the Citrix Universal Print Server will be installed and then click Next.
   Click Next to accept the default location.
10. Click Install and then wait for the installation to complete.
11. Click Finish.
12. Eject the XenApp and XenDesktop media from the DVD drive.
    Click Eject to the right of the DVD Drive 1 field to eject the media from the drive.
Discussion Question
What is the maximum number of concurrent print streams allowed when using the Universal Print Server?
Configuring the Universal Print Server
The Universal Print Server provides simplified print management to allow network printing from any device by provisioning network session printers. If you want to change the values for the Universal Print Server policy settings specified below, you can add them to a policy. If the settings are not included in a policy, the default settings will be used.
• Universal Print Server enable (default=disabled) (Computer Configuration)
• Universal Print Server data stream (CGP) port (default=Port 7229) (Computer Configuration)
• Universal Print Server web service (HTTP/SOAP) port (default=SOAP port 8080) (Computer Configuration)
• Universal Print Server print stream bandwidth limit (default=0 kilobits per second, which means unlimited bandwidth) (User Configuration)
You must include the Universal Print Server enable setting in a policy to enable the use of the Universal Print Server.
To Configure the Universal Print Server
1. Log on to a VM that is hosting Studio with domain administrator credentials.
   Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
   In our lab environment, Studio is hosted on the Controller VMs. You will not be using Studio during this procedure, but you must use a VM with Studio installed on it or install the Citrix HDX policy extensions on a system in order to access the Citrix HDX policies provided by XenApp and XenDesktop. The Citrix HDX policy extensions can be installed from the x64\Citrix Policy folder on the XenApp and XenDesktop media or downloaded from the www.citrix.com/downloads site.
2. Click the Server Manager icon in the taskbar and then click Add roles and features.
3. Click Server Selection and then click Features.
4. Select Group Policy Management.
   By default, the Group Policy Management feature is only installed on a domain controller. You can install the feature on any server. The Group Policy Management feature gives you the ability to create and manage GPOs.
5. Click Next on the Select features screen.
6. Click Install.
7. Wait for the installation to complete and then click Close.
8. Click Tools in Server Manager and then click Group Policy Management.
   The Group Policy Management Console may be behind the Server Manager window.
9. Browse to the OU that contains the virtual desktops.
   Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
   You can determine which OU contains the virtual desktops using Active Directory Users and Computers on the domain controller.
10. Right-click the OU containing your virtual desktops and then click Create a GPO in this domain, and Link it here.
    Right-click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.
11. Type a descriptive name in the Name field and then click OK.
    Type Enable and configure Universal Print Server Service and then click OK.
12. Right-click the newly created GPO and then click Edit.
    Right-click Enable and configure Universal Print Server Service and then click Edit.
13. Double-click Computer Configuration > Policies > Citrix Policies.
14. Click Edit and then click the Settings tab to add settings to the unfiltered policy.
15. Select Printing in the Categories field.
16. Click Add to the right of the Universal Print Server enable setting.
17. Select Enabled with fallback to Windows' native remote printing in the Value field and then click OK.
    The Universal Print Server is disabled by default. When you enable Universal Print Server, you choose whether to use the Windows Print Provider if the Universal Print Server is unavailable. After you enable the Universal Print Server, a user can add and enumerate network printers through the Windows Print Provider and Citrix Print Provider interfaces.
18. Click OK in the Edit Policy window.
19. Close the Group Policy Management Editor and Group Policy Management windows.
Discussion Question
To which OU must the Universal Print Server policy be applied?
Creating Printers
You can use the Print Management utility to automatically discover and create printers that are on the same subnet as the Universal Print Server. Once the printers are discovered, you can configure the printers by installing the printer drivers, setting up the print queues and sharing the printers.
Printers are already created in the lab environment, but will not work because there are no printer devices in the environment. You can verify which printers exist in the lab environment using the following steps:
1. Log on to UniversalPrintServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools > Print Management in the Server Manager.
3. Select Printers in the left pane and then verify that the following network printers exist:
   • Accounting (HP Color LaserJet Enterprise cm4549 MFP PCL6 Class Driver)
   • Color Laser Printer (HP Color LaserJet 1600 Class Driver)
   • Human Resources (HP Color LaserJet CP4005 PCL6 Class Driver)
4. Close the Print Management window.
To Create Printers
The following steps are provided for informational purposes only and are not to be performed in the lab environment.
1. Log on to the Citrix Universal Print Server using domain administrator credentials.
2. Click Tools in the Server Manager window and then click Print Management.
3. Expand Print Servers, right-click the Universal Print Server, and then click Add Printer.
4. Select the printer installation method and then click Next.
5. Click Next on the Printer Driver page.
6. Select a printer manufacturer in the left column, a printer in the right column, and then click Next.
7. Type a name for the printer in the Printer Name and Share Name fields and then click Next.
8. Click Next in the Printer Found page.
9. Click Finish.
Discussion Question
You want to automatically add the network printers through discovery, but the Print Management utility is not available. What must you do to add printers?
Setting Up StoreFront StoreFront is the replacement for Web Interface. StoreFront authenticates end users to Sites hosting resources (desktops and applications) that end users access. When an end user's credentials have been validated, the authentication service handles all subsequent interactions to ensure that the end user only needs to log on once. StoreFront uses centralized enterprise stores to deliver desktops, applications, and other resources to end users on any endpoint. End users access stores through Citrix Receiver. If Citrix Receiver is not installed on the endpoint, end users can download Citrix Receiver using the Receiver for Web site. By default, the Receiver for Web site attempts to determine whether Citrix Receiver is installed on Windows and MAC OS X systems. If a suitable client cannot be detected, end users are prompted to download and install Citrix Receiver. StoreFront records details of end users' application subscriptions, plus associated shortcut names and locations in a local configuration data file on the StoreFront server. When an end user accesses a store, the application synchronization feature automatically updates the subscribed applications to match the configuration stored in the StoreFront local configuration data file to ensure that end users have a consistent experience across all their endpoints. When multiple StoreFront servers are configured, the local configuration data file on each StoreFront server is automatically synchronized to contain the same information and does not require any administration. When planning your StoreFront deployment, Citrix recommends the following considerations: •
ot
N
• •
Host StoreFront on a dedicated instance of IIS. Installing other web applications on the same IIS instance as StoreFront could have security implications for the overall StoreFront infrastructure. Use HTTPS to secure communication between the StoreFront and end user devices. StoreFront servers must reside within the same Microsoft Active Directory forest as the XenApp and XenDesktop Servers hosting end user resources. All the StoreFront servers in a group must reside within the same domain. To enable smart card and user certificate authentication, end user accounts must be configured within the Active Directory forest containing the StoreFront Servers. Implement multiple StoreFront servers to ensure high availability if the primary server hosting StoreFront fails. Configure the external load balancer, (such as Citrix NetScaler) to fail over between the servers to ensure end users have uninterrupted access to their applications and desktops.
Discussion Question
How do you create a Receiver for Web site?

Installing Citrix StoreFront

StoreFront is typically installed on an IIS server and can be installed using the XenApp and XenDesktop installation media. StoreFront and its prerequisites can also be installed from a command line. StoreFront should be installed after a Site is configured but before end users are given access to the environment. StoreFront can be located in the DMZ or the internal network if NetScaler Gateway (formerly known as Access Gateway) is installed between the end user and the StoreFront.
To Install StoreFront
1. Right-click the Citrix StoreFront VM, click Start, and then click Console. Right-click StoreFrontServer-1, click Start, and then click Console.
2. Log on to Citrix StoreFront using domain administrator credentials. Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.
3. Insert the XenApp and XenDesktop installation media into the DVD drive. Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
© Copyright 2015 Citrix Systems, Inc.
Module 4: Setting Up Citrix Components
If the installation wizard does not start, double-click AutoSelect.
6. Click Start next to XenDesktop.
7. Click Citrix StoreFront.
8. Read and respond to the licensing agreement. Select I have read, understand, and accept the terms of the license agreement and then click Next.
9. Determine where StoreFront will be installed and then click Next. Click Next to accept the default location.
10. Select the firewall rule configuration method to use and then click Next. Verify that Automatically is selected and then click Next.
If the StoreFront will use the default ports for communications, select Automatically. If the StoreFront will use alternate port assignments, select Manually to configure the ports after installation completes.
11. Review the installation summary and then click Install.
Based on the components that are selected for installation in the lab environment and the number of VMs running, you can expect the installation to take approximately 10 minutes.
12. Wait for the installation to complete.
13. Deselect Open the StoreFront Management Console and then click Finish.
If you decide to open the StoreFront Management Console and you receive an Add Snap-in error, click Cancel in the End Snap-in message and the console will open. Do not click End Now because it will close the console.
14. Eject the XenApp and XenDesktop media from the DVD drive. Click Eject to the right of the DVD Drive 1 field to eject the media from the drive.

Discussion Question
Do the StoreFront servers need to be a member of the same domain as the Controllers?

Requesting and Installing a Certificate on StoreFront

You should use HTTPS between the end user device and the StoreFront. This is accomplished using a certificate. The certificate should be installed on the StoreFront server before any end users are given access to the environment.

Server certificates are used for machine identification and transport security in StoreFront. If you decide to enable ICA file signing, StoreFront can also use certificates to digitally sign ICA files. Authentication services and stores each require certificates for token management. StoreFront generates a self-signed certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront should not be used for any other purpose.
To Create and Install a Certificate on StoreFront
1. Log on to the StoreFront server using domain administrator credentials. Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
2. Click Tools in the Server Manager window and then click Internet Information Services (IIS) Manager.
3. Click the name of the StoreFront server in the left pane. Click SFS-1 in the left pane.
4. Respond to the Internet Information Services (IIS) Manager message. Click No.
5. Double-click Server Certificates in the center pane under the IIS heading.
6. Click Create Domain Certificate in the right pane.
7. Specify the appropriate distinguished name properties and then click Next.
   a. Use the following information:
      • Common name: sfs-1.training.lab
      • Organization: Training
      • Organizational Unit: IT
      • City/locality: Ft Lauderdale
      • State/province: Florida
      • Country/region: US
   b. Click Next.
   The Common name must match the FQDN that will be used to access the Site.
8. Click Select, select your Certificate Authority, and then click OK. Click Select, select Training-AD-CA, and then click OK.
9. Type a friendly name for the certificate and then click Finish. Type sfs-1.training.lab and then click Finish.
10. Double-click Sites > Default Web Site in IIS Manager.
11. Click Bindings in the right pane.
12. Click Add and then select https in the Type field.
13. Select the newly created certificate from the SSL certificate field, click OK, and then click Close. Select sfs-1.training.lab in the SSL certificate field, click OK, and then click Close.
14. Close the Internet Information Services (IIS) Manager.

Discussion Question
XenApp and XenDesktop 7.6 does not support the use of SSL Relay to secure communications between StoreFront servers and the Controllers. What other option is available to secure those communications?
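The certificate procedure above ends when the https binding is added, but nothing in IIS Manager tells you whether the certificate actually matches the FQDN end users will type or whether its chain validates. The following PowerShell check is an added example, not part of the course or a Citrix tool; it is run on the StoreFront server and assumes the WebAdministration and PKI modules of Windows Server 2012 R2 and the lab name sfs-1.training.lab (set $fqdn to sfs-2.training.lab on the second server).

```powershell
# Added example, not from the course: verify the StoreFront HTTPS binding created in
# IIS Manager above. Run on the StoreFront server. Assumes the WebAdministration and
# PKI modules (Windows Server 2012 R2) and the lab name sfs-1.training.lab.
Import-Module WebAdministration

$fqdn = 'sfs-1.training.lab'   # must equal the host in the Base URL end users connect to
$site = 'Default Web Site'

$binding = Get-WebBinding -Name $site -Protocol https
if (-not $binding) {
    throw "No HTTPS binding on '$site': Receiver and Receiver for Web would use plain HTTP"
}

# The binding stores the certificate thumbprint; look the certificate up in the
# machine store that IIS uses.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $binding.certificateHash }
if (-not $cert) {
    throw "Bound certificate $($binding.certificateHash) was not found in LocalMachine\My"
}

# Collect the names the certificate is valid for: subject CN plus any SAN entries.
$names = @(($cert.Subject -replace '^CN=([^,]+).*', '$1'))
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($sanExt) {
    # Format($false) yields "DNS Name=sfs-1.training.lab, DNS Name=..."
    $names += @(($sanExt.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[1] })
}
if ($names -notcontains $fqdn) {
    Write-Warning "Certificate names ($($names -join ', ')) do not include $fqdn; end users will see a name mismatch"
}

# A self-signed certificate (issuer equals subject) was not issued by the domain CA;
# StoreFront's own self-signed certificates are for token management only.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning 'Certificate is self-signed; request one from the Certificate Authority instead'
}

# Test-Certificate checks expiry, revocation and the full chain to a trusted root
# under the SSL server policy, as a browser or Receiver would.
if (Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -ErrorAction SilentlyContinue) {
    "OK: $fqdn is bound to '$($cert.Subject)' (expires $($cert.NotAfter))"
} else {
    Write-Warning 'Chain validation failed: install the issuing CA chain or request a new certificate'
}
```

The chain test matters for the email-based account discovery described later in this module, which requires that the full chain to the root certificate be valid on the StoreFront server, not just that a certificate is bound.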
Configuring a Store

StoreFront requires that you create a store to provide resources to end users. You can create as many stores as you need. For example, you can create one store for Engineering and another store for Sales. StoreFront automatically establishes a trust relationship between each configured store and the authentication service. Each store that is configured requires its own local configuration data file on the StoreFront server. When multiple StoreFront servers are configured for a store, each local configuration data file is replicated among all StoreFront servers. When a store is configured, a URL is assigned to it. End users can access the resources in the store using the Receiver for Web site or by using a Receiver that is installed on the endpoint (not a browser).

To Configure a Store
1. Log on to the StoreFront server using domain administrator credentials. Log on to the StoreFrontServer-1 VM using the TRAINING\Administrator and Password1 credentials, if not already logged on.
2. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
3. Click Create a new deployment.
4. Verify that the URL for the StoreFront server is correct for your deployment and then click Next. Verify that https://sfs-1.training.lab appears in the Base URL field and then click Next.
It may take a few minutes for the deployment to be created.
5. Specify a name for the store and then click Next. Type Store-1 in the Store name field and then click Next.
6. Add the XenDesktop, XenApp, and XenMobile 9.0 Enterprise (AppController) deployments that will provide the resources that you want to make available in the store and then click Next.
   a. Click Add and then type XenApp and XenDesktop in the Display name field.
   b. Verify that XenApp 7.5 (or later), or XenDesktop is selected.
   c. Click Add, type c-1.training.lab, and then click OK.
   d. Click Add, type c-2.training.lab, and then click OK.
   e. Verify that HTTPS is selected as the Transport type.
   f. Click OK and then click Next.
7. Configure the remote access and then click Create. Verify that None is selected and then click Create.
You have not yet set up the NetScaler component, so at this stage you are not setting up remote access. You will configure remote access in Module 9. Based on the components that are selected for configuration in the lab environment and the number of VMs running, you can expect the configuration to take approximately 10 minutes.
8. Click Finish.
9. Click Stores in the left pane of the StoreFront console and then verify that the store was successfully created. Click Stores and then verify that Store-1 appears in the center pane.
Creating a Store for Anonymous User Access

Delivery Groups can be configured for use with both authenticated and unauthenticated (Anonymous) users. To support both types of users accessing sessions using XenApp or XenDesktop, you must create separate stores for the authenticated users and the unauthenticated users in StoreFront. Stores created for unauthenticated users do not support remote access through NetScaler Gateway.

To Create a Store for Anonymous User Access
1. Log on to the primary StoreFront server using domain administrator credentials. Log on to the StoreFrontServer-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type StoreFront, and then click StoreFront.
3. Click Yes on the User Account Control window, if it appears. Click Cancel if the End Snap-in window appears.
4. Select the Stores node and then click Create Store for Unauthenticated Users.
5. Click Next in the Information screen.
6. Specify the store name and then click Next. Type Anonymous Store and then click Next.
7. Click Add on the Delivery Controllers page.
8. Type the name of the Delivery Controller. Type Delivery Controller as the display name.
9. Select XenApp 7.5 (or later), or XenDesktop.
10. Click Add.
11. Type the server name or IP address of a Delivery Controller in the environment. Type c-1.training.lab.
12. Click OK and then click Add.
13. Type the server name or IP address of another Delivery Controller in the environment. Type c-2.training.lab.
14. Click OK.
15. Select the types of connections from the Transport type list that StoreFront will use to communicate with the Delivery Controllers. Verify that HTTPS is selected to use a secure connection.
16. Specify the port for StoreFront to use for connections to the XenApp or XenDesktop site. Verify that 443 is specified in the Port field.
17. Click OK.
18. Click Create. It may take several minutes to create the store.
19. Click Finish.

Discussion Question
The Citrix Broker Service runs on each Controller in the environment. You should secure data sent over the connection using HTTPS or make other arrangements to secure connections to the store. To secure the Citrix Broker Service on the Controllers, what must be configured?
Setting Up a Second StoreFront Server

For high availability, you should install more than one StoreFront server in an environment. Multiple StoreFront servers are members of a single server group. A server group is the management container located and configured in the StoreFront console. An authorization code is required from the authorizing server in order to add additional StoreFront servers to existing StoreFront deployments. The authorizing server is the first StoreFront server configured for the Site. The authorization code can be obtained from the StoreFront console on the first StoreFront server.

To Install a Second StoreFront Server
1. Right-click the second StoreFront VM, click Start, and then click Console. Right-click StoreFrontServer-2, click Start, and then click Console.
2. Log on to the second StoreFront server using domain administrator credentials. Log on to StoreFrontServer-2 using the TRAINING\Administrator and Password1 credentials.
3. Insert the XenApp and XenDesktop installation media into the DVD drive. Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:) to start the installation wizard. If the installation wizard does not start, double-click AutoSelect.
6. Click Start next to XenDesktop.
7. Click Citrix StoreFront.
8. Read and respond to the licensing agreement. Select I have read, understand, and accept the terms of the license agreement and then click Next.
9. Determine where StoreFront will be installed and then click Next. Click Next to accept the default location.
10. Select the firewall rule configuration method to use and then click Next. Verify that Automatically is selected and then click Next.
If the StoreFront will use the default ports for communications, select Automatically. If the StoreFront will use alternate port assignments, select Manually to configure the ports after installation completes.
11. Review the installation summary and then click Install.
Based on the components that are selected for installation in the lab environment and the number of VMs running, you can expect the installation to take approximately 10 minutes.
12. Wait for the installation to complete.
13. Deselect Open the StoreFront Management Console and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window, and then click Internet Information Services (IIS) Manager to begin the process of requesting and installing a certificate on the second StoreFront server.
16. Click the name of the StoreFront server in the left pane. Click SFS-2 in the left pane.
17. Respond to the Internet Information Services (IIS) Manager message. Click No.
18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the right pane.
20. Specify the appropriate distinguished name properties and then click Next.
   a. Use the following information:
      • Common name: sfs-2.training.lab
      • Organization: Training
      • Organizational Unit: IT
      • City/locality: Ft Lauderdale
      • State/province: Florida
      • Country/region: US
   b. Click Next.
   The Common name must match the FQDN that will be used to access the site.
21. Click Select, select the Certificate Authority, and then click OK. Click Select, select training-DC-1-CA, and then click OK.
22. Type a friendly name for the certificate and then click Finish. Type sfs-2.training.lab and then click Finish.
23. Double-click Sites > Default Web Site.
24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
26. Select the newly created certificate from the SSL certificate field, click OK, and then click Close. Select sfs-2.training.lab in the SSL certificate field, click OK, and then click Close.
27. Close the Internet Information Services (IIS) Manager.
28. Log on to the first Citrix StoreFront VM using domain administrator credentials. Switch to StoreFrontServer-1 and log on using the TRAINING\Administrator and Password1 credentials, if not already logged on.
29. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
30. Right-click Server Group in the left pane and then click Add Server.
31. Record the authorizing server and authorization code.
This code will be typed into the StoreFront console on the second Citrix StoreFront server to join it to the server group. To assist in entering the code, you can launch Notepad on the desktop of the server that the lab XenCenter is running on, copy and paste the code into Notepad, and then copy and paste it into the field on StoreFrontServer-2.
32. Leave the Add Server screen containing the authorizing server and authorization code open until the second server has successfully joined the server group. This window will automatically close when the server joins and the propagation of the configuration data is completed.
33. Return to the second Citrix StoreFront VM. Switch to the StoreFrontServer-2 VM.
34. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
35. Click Join existing server group in the Welcome to StoreFront screen.
36. Type the authorizing server and authorization code noted earlier into the appropriate fields in the Join Server Group window and then click Join. Type SFS-1 in the Authorizing server field, type the code you wrote down into the Authorization code field, and then click Join.
37. Wait for the "Join Server Group" task to complete.
Based on the number of VMs actively running, you can expect the join task to take approximately 10 minutes.
38. Click OK in the "Joined Successfully" message on the second Citrix StoreFront server.
39. Return to the first Citrix StoreFront server. Switch to the StoreFrontServer-1 VM.
40. Click OK in the message.

Discussion Question
When you add additional StoreFront servers to a deployment, where should you manage those additional servers?
Setting Up Receiver

Citrix Receiver is a universal software client that provides secure, high-performance delivery of virtual desktops and hosted applications. Citrix Receiver provides:
• Simple, self-service access to virtual desktops, hosted applications, and IT services.
• High-definition user experience (HDX) on any network or device.
• Instant updates to end users with IT control and visibility.
• Easier management of enterprise data, applications, desktops, and SaaS applications through secure, centralized deployment to any endpoint.

In order for users to make use of the HDX (ICA) features at the endpoint, a Receiver must be installed. If Receiver is not installed, then the HTML 5 proxy can be used and the HDX features will apply between the StoreFront and the desktop or hosted application only. HDX features are enabled in policies. HTML 5 must be enabled in StoreFront for the Receiver for Web site in order to use it.

The process for end-user connections is:
1. When end users connect from inside your network or a remote location and install Receiver, they provide their email address or the StoreFront URL.
2. Receiver then queries the appropriate DNS server, which responds with the StoreFront or NetScaler URL. The URL depends on whether end users connect from the internal network or a remote location.
3. Users then log on to Receiver with their user name, password, and domain.
4. If end users connect from a remote location, NetScaler provides the StoreFront URL to Receiver.
5. Receiver gets the account information from StoreFront. If end users connect through NetScaler, the appliance performs single sign-on to StoreFront. If more than one account is available, end users receive a list of accounts from which to choose.
6. When end users log on to an account, a list of resources appears in Receiver. End users can then select resources to add to their Receiver or open a resource that was already added to their Receiver.

To enable email-based account discovery for internal end users connecting directly to StoreFront, you must install a valid server certificate on the StoreFront server. The full chain to the root certificate must also be valid.
Configuring DNS for Email-Based Account Discovery

You can configure email-based account discovery to enable internal end users who install Citrix Receiver on an endpoint to set up their accounts by providing their email addresses. During the initial configuration process, Citrix Receiver prompts end users to enter either an email address or a server URL. When an internal end user enters an email address, Citrix Receiver contacts the DNS server for the domain specified in the email address to obtain a list of available stores from which the end user can select.

To enable Citrix Receiver to locate available stores on the basis of end users' email addresses, you must configure Service Location (SRV) locator resource records for StoreFront on your DNS server. As a fallback, you can also deploy StoreFront on a server named "discoverReceiver.domain," where domain is the domain containing your end users' email accounts. If no SRV record is found in the specified domain, Citrix Receiver searches for a machine named "discoverReceiver" to identify a StoreFront server.

To Configure a Service Location Locator Record for Email-based Account Discovery
1. Log on to the domain controller using domain administrator credentials. Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
At this time, email-based account discovery cannot be used by remote end users.
2. Click Tools in Server Manager and then click DNS.
3. Browse to your domain in the Forward Lookup Zones in the left pane of DNS Manager. Double-click DC-1 > Forward Lookup Zones and then click training.lab.
4. Right-click the forward lookup zone for your domain and then click Other New Records. Right-click training.lab and then click Other New Records.
5. Select Service Location (SRV) and then click Create Record in the Resource Record Type screen.
6. Type _citrixreceiver in the Service field.
7. Type _tcp in the Protocol field.
8. Type the port number used by StoreFront in the Port number field. Type 443 in the Port number field.
9. Specify the fully qualified domain name (FQDN) of the StoreFront server (to support end users in the local network only). Type sfs-1.training.lab in the Host offering this service field. You are specifying the FQDN of the first StoreFront server.
The StoreFront FQDN must be unique and different from the NetScaler virtual server FQDN. Using the same FQDN for StoreFront and the NetScaler virtual server is not supported. Citrix Receiver requires that the StoreFront FQDN is a unique address that is only resolvable from endpoints connected to the internal network. If this is not the case, Receiver for Windows users cannot use email-based account discovery.
10. Click OK.
11. Select Service Location (SRV) and then click Create Record in the Resource Record Type dialog box.
12. Type _citrixreceiver in the Service field.
13. Type _tcp in the Protocol field.
14. Type the port number used by StoreFront in the Port number field. Type 443 in the Port number field.
15. Specify the fully qualified domain name (FQDN) of the StoreFront server (to support end users in the local network only). Type sfs-2.training.lab in the Host offering this service field.
16. Click OK.
17. Click Done.
18. Close the DNS Manager window.
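The same two SRV records can be created and, more usefully, checked from PowerShell, which shows exactly what Receiver resolves when a user types an @training.lab address. The script below is an added example and is not part of the course; it assumes the DnsServer module on a domain controller holding the training.lab zone (the verification half works on any domain-joined client) and uses the lab names sfs-1.training.lab and sfs-2.training.lab.

```powershell
# Added example, not from the course: create the two SRV records from the procedure
# above with PowerShell and verify them the way Receiver does. Assumes the DnsServer
# module (DNS server role or RSAT) and the lab's zone and StoreFront names.
Import-Module DnsServer

$zone        = 'training.lab'                        # domain part of end users' email addresses
$storeFronts = 'sfs-1.training.lab', 'sfs-2.training.lab'

foreach ($sf in $storeFronts) {
    # _citrixreceiver._tcp.<zone> -> StoreFront FQDN on 443. Equal priority and weight
    # mean Receiver may use either server, which matches the server group.
    Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_citrixreceiver._tcp' `
        -DomainName $sf -Priority 0 -Weight 0 -Port 443
}

# Receiver resolves exactly this name when a user enters user@training.lab.
$records = Resolve-DnsName -Name "_citrixreceiver._tcp.$zone" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
$records | Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize

foreach ($r in $records) {
    # Each target must be resolvable from the internal network and must not share a
    # name with the NetScaler virtual server (unsupported, per the note in step 9).
    $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue
    if (-not $a) {
        Write-Warning "$($r.NameTarget) does not resolve; discovery will fail for that server"
    }
    if ($r.Port -ne 443) {
        Write-Warning "$($r.NameTarget) advertises port $($r.Port); the store uses HTTPS on 443"
    }
}

# Fallback name Receiver tries when no SRV record exists; report it if it resolves,
# because an unexpected owner of this name would be handed users' logon attempts.
$fallback = Resolve-DnsName -Name "discoverReceiver.$zone" -Type A -ErrorAction SilentlyContinue
if ($fallback) {
    "Fallback host discoverReceiver.$zone resolves to $($fallback.IPAddress -join ', ')"
}
```

Run the verification part from an internal endpoint as well as from the domain controller: the note in step 9 requires the StoreFront FQDN to resolve only from the internal network, and a lookup from outside that network is the quickest way to confirm it.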
Installing and Configuring Receiver

End users who want to access XenApp and XenDesktop resources can use Citrix Receiver to access those resources. During the installation of the VDA on a desktop machine, you have the option to install Receiver. End users that will not be using a desktop machine can install Citrix Receiver on their endpoints to access resources such as hosted applications. Citrix Receiver for Windows can be installed in the following ways:
• By an end user downloading the CitrixReceiver.exe package from Citrix.com or your download site and then running the package. During the installation, the end user can set up an account using an email address, a server URL, or by downloading a provisioning file.
• From the Receiver for Web site. During the installation, the end user can set up an account using an email address, a server URL, or by downloading a provisioning file using the Activate option. This installation method does not provide automatic updates.
• Using an Electronic Software Distribution (ESD) tool. During the installation, the user can set up an account using an email address, a server URL, or by downloading a provisioning file using the Activate option.

When an email address is specified, Receiver contacts the StoreFront server associated with the email address and then prompts the end user to log on and continue the installation. When a server URL is specified, Receiver is configured to point to that server and then prompts the end user to log on and continue the installation. Once the end user provides their credentials in Receiver, Receiver is configured for use by that end user on the endpoint. If additional end users log on to the endpoint, they will need to configure Receiver for their use. This can be done using the Receiver for Web site.

To Install and Configure Receiver
The following procedure is being performed on an internal endpoint to demonstrate email-based account discovery. Email-based account discovery cannot be performed from an external endpoint at this time.
1. Right-click the internal endpoint, click Start, and then click Console. Right-click Endpoint-Internal in XenCenter, click Start, and then click Console.
2. Log on to the internal endpoint using domain user credentials. Log on to EndPoint-Internal using the TRAINING\HRUser1 and Password1 credentials.
You do not need administrator credentials to install Citrix Receiver unless Receiver will be configured to use pass-through authentication. In addition, each end user that logs on to an endpoint must configure Receiver in order to use it.
3. Insert the XenApp and XenDesktop installation media in the DVD drive. Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Right-click the CD Drive (D:) and then click Open.
6. Double-click Citrix Receiver and Plug-ins > Windows > Receiver.
7. Double-click CitrixReceiver.
8. Click Install on the Welcome screen.
9. Click Add Account in the Installed successfully screen to configure Receiver using an email address.
10. Type the end user's email address or the URL of the StoreFront server in the Enter your work email or server address field and then click Next. Type [email protected] and then click Next.
11. Click Continue in the Add Account message.
12. Determine if you want Receiver to optimize your access. Click Yes.
13. Click Finish.
14. Eject the XenApp and XenDesktop media from the DVD drive. Click Eject to the right of the DVD Drive 1 field.
15. Log on to Receiver using the end user's account credentials. Log on to Receiver using the TRAINING\HRUser1 and Password1 credentials.
16. Click the + sign in the left portion of the Receiver window to view the applications that are available in the store.
No applications aside from GoToMeeting, GoToTraining, and GoToWebinar will be available. You will add applications to the store in the next module.
17. Click the down arrow to the right of the user name at the top of the Receiver window and then click Log Off.
18. Close the Receiver window. Click the X in the corner of the Receiver window to close it. You can also shut down the EndPoint-Internal VM to save lab resources.

Discussion Question
Can you make a connection from an endpoint to a XenApp and XenDesktop resource without a Receiver installed on the endpoint?

Troubleshooting Receiver

The following table identifies resolutions for Citrix Receiver issues.

Issue: Receiver for Windows end users cannot log on to stores using pass-through authentication, even though the domain pass-through authentication method is enabled in the StoreFront authentication service.
Resolution: Open a PowerShell command prompt and run the following command on the Delivery Controller servers:
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True

Issue: Receiver for HTML5 is not available to end users.
Resolution:
• Enable Receiver for HTML5 in StoreFront and propagate the settings to all StoreFront servers in the environment.
• Ensure that a supported browser is being used. Supported browsers include Internet Explorer version 10, Safari version 6, Chrome version 23, and Firefox version 17.
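The Set-BrokerSite resolution in the table has a side effect worth checking: with XML trust enabled, the Controller acts on the user identity that StoreFront asserts over the XML port (that is what pass-through and smart card logon need), so the StoreFront-to-Controller link itself must be protected, which is why the store procedures earlier in this module select HTTPS on 443 as the Transport type. The script below is an added example, not part of the course or a Citrix tool; it is run on a Delivery Controller and assumes the Citrix.Broker.Admin.V2 PowerShell snap-in installed with the Controller and the Test-NetConnection cmdlet of Windows Server 2012 R2.

```powershell
# Added example, not from the course: on a Delivery Controller, report whether XML
# trust is enabled and whether every Controller answers on 443 (the store's HTTPS
# transport). Assumes the Citrix.Broker.Admin.V2 snap-in and Windows Server 2012 R2.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$brokerSite = Get-BrokerSite
"Site '$($brokerSite.Name)': TrustRequestsSentToTheXmlServicePort = $($brokerSite.TrustRequestsSentToTheXmlServicePort)"

if ($brokerSite.TrustRequestsSentToTheXmlServicePort) {
    # Trust is on, so a plain-HTTP XML port would let anyone who can reach it on the
    # network assert a user identity. Confirm each Controller is reachable on HTTPS
    # and flag any that still answer on the default HTTP port 80 as well.
    foreach ($ctrl in Get-BrokerController) {
        $https = Test-NetConnection -ComputerName $ctrl.DNSName -Port 443 -InformationLevel Quiet
        $http  = Test-NetConnection -ComputerName $ctrl.DNSName -Port 80  -InformationLevel Quiet
        $state = if ($https) { 'HTTPS ok' } else { 'HTTPS NOT listening' }
        if ($http) {
            $state += '; HTTP also open - keep the store on the HTTPS transport and restrict port 80 to StoreFront hosts'
        }
        "$($ctrl.DNSName) ($($ctrl.State)): $state"
    }
} else {
    'XML trust is off: pass-through and smart card logon via StoreFront will not work until Set-BrokerSite enables it'
}
```

Get-BrokerSite reflects the Site-wide setting, so running this on any one Controller reports the value that all Controllers in the Site use; the port probes are what differ per Controller.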
Reinforcement Exercise: Using the Receiver for Web Site

During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If you have a question or get stuck, ask the instructor or a fellow student for assistance.

Now that you know how to:
• Install and configure the Citrix License Server.
• Install and configure Citrix Delivery Controller, Citrix Studio, and Citrix Director.
• Install and configure the Citrix Universal Print Server.
• Install and configure Citrix StoreFront.
• Install and configure Citrix Receiver.

You are ready to try your hand at using the Citrix Receiver for Web Site to install Citrix Receiver.

Approximate time to complete: 20 minutes

You just finished setting up your Citrix infrastructure components in the Training environment. When you configured the store in StoreFront, it automatically created a Receiver for Web site. You want to test its ease of use and use it to install Citrix Receiver on another Windows 8.1 system in your environment to determine if it is a better option than using the XenApp and XenDesktop installation media. Here is what you need to do:
1. Log on to the domain controller and use Active Directory Users and Computers to identify an Administrator account and a non-administrator account that you can use for this exercise.
All user accounts use Password1.
2. Log on to the StoreFront-1 server using an administrator account.
3. Open the StoreFront console to discover the URL for the Receiver for Web site.
4. Log on to the StudentManagementConsole-1 VM with an administrator account.
5. Use Internet Explorer to access the Receiver for Web site.
6. Install Citrix Receiver from the Receiver for Web site.
7. Configure Citrix Receiver using the server address (FQDN) of the StoreFront server for the selected user account. Do not use an email address.
If you receive an SSL error within Firefox, this can be safely ignored.
Module 5
Setting Up XenDesktop Resources
Setting Up XenApp and XenDesktop Resources

Overview

XenApp and XenDesktop provide desktops and hosted applications to endpoints in a secure and reliable fashion. To do this, the XenApp and XenDesktop resources need to be configured appropriately and tested. High availability also needs to be addressed at the resource level. Good planning minimizes the risks associated with a single point of failure and with improperly scaled environments.

After completing this module, you will be able to:
• Configure a master image for Server OS machines and hosted applications.
• Configure a master image for Desktop OS machines and hosted applications.
• Create a machine catalog for hosted applications installed on Server OS machines.
• Create a machine catalog for Desktop OS machines.
• Create a Delivery Group to deliver hosted applications.
• Create a Delivery Group to deliver desktops.

All of these resources will be configured using Machine Creation Services. For information about using Provisioning Services, see Module 7. For information on managing Machine Catalogs and Delivery Groups, attend the CXD-203 Managing App and Desktop Solutions with Citrix XenApp and XenDesktop 7.6 course.

Module timing: 4.0 hours

Resources

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• StoreFrontServer-2 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off
XenApp and XenDesktop provide a variety of virtualization models that can be used to provide the end user with access to virtual desktops and hosted applications. XenApp and XenDesktop virtualization models include:
• Server OS machines and hosted applications are provided via Remote Desktop Services (formerly Terminal Services) on a Windows Server operating system. Remote Desktop Services allows multiple user sessions to be hosted on a single system.
• Desktop OS machines and hosted applications are provided on virtual machines running a workstation operating system.
• Remote PC Access provides direct access to any physical PC located in the environment. Installing the Virtual Delivery Agent on the office PC enables it to register with the Delivery Controller. In addition, the VDA manages the HDX (ICA) connection between the machine and endpoints. The Citrix Receiver running on the endpoint provides access to all of the applications and data on the office PC. An end user can be provided access to more than one physical PC or to a combination of physical PCs and virtual desktops.

The architecture graphic shows that information from Active Directory is used to create the Delivery Groups, which are then used to determine which end users will be allowed to use the machines. The master images (VMs) contain the resources (desktops and hosted applications) that will be delivered to end users. These VMs are used by MCS or PVS to create the machines in a machine catalog. The machine catalog is then used by the Delivery Group to provide resources to end users.
Discussion Question

You want to provide four applications to over 50 end users, but you do not want to provide those end users with a desktop. In addition, you want to run and deliver the applications from only two systems. Which XenApp and XenDesktop virtualization model should you implement to meet these requirements?
Preparing the Master Image Virtual Machine

XenApp and XenDesktop use a master image (in VHD format) to create the machines that will be delivered to end users. The master image virtual machine contains the operating system and applications (resources) that will be delivered to end users. The master image can be prepared from a physical or virtual machine. To prepare the master image, you should:
• Optimize the hard drive.
• Delete end-user specific information.
• Update the operating system and applications installed on the master image to the current standard.
• Install all required drivers.
• Install the appropriate XenApp and XenDesktop tools (such as the Virtual Delivery Agent, HDX 3D Pro Virtual Desktop Agent, P2V, or V2V).
• Install core applications that are appropriate for general distribution and that the majority of users of the machines created from the image will need. Examples include anti-virus software and alternate browsers.
• Install Citrix Receiver and any plug-ins that are needed, such as the Microsoft App-V plug-in if applications will be streamed to the VDA on the machine.

You should only install the HDX 3D Pro Virtual Desktop Agent if the master image has a desktop OS installed on it and the image will have access to a Graphics Processing Unit (GPU). You should install the P2V (Physical to Virtual) tool if you are converting a physical machine to a virtual machine image. You should install the V2V (Virtual to Virtual) tool if you are converting a Xen-based virtual machine to a Citrix XenServer virtual machine.
Creating the Master Image

You should keep the number of master images in the environment to a minimum to reduce administrative overhead. If the requirements of the end users are different, it may warrant creating separate master images. Application requirements alone are not enough of a reason to create a separate master image; application requirements can be met using hosted applications.

Installing locales and language packs is not the best method for localizing your master image. It is best to create a separate master image for each language group. That way, the operating system, applications, and data match the selected language group.

The operating system in the master image is used to provide:
• A Windows Server environment for Server OS machines, hosted applications, or Server OS machines with hosted applications. Applications can be tested using AppDNA to determine compatibility with the operating system and the multi-user nature of the master image.
• A Windows Desktop environment to provide Desktop OS machines, hosted applications, or Desktop OS machines with hosted applications.
Make sure that you configure the amount of hard disk space in the master image to allow sufficient room for the operating system, applications, and updates. The amount of hard disk space allocated is difficult to change later. Remember that the write cache of each provisioned machine can grow to the amount of empty space on the master image, so specifying a large empty disk can cause problems with your storage. For example, in Provisioning Services, if a master image has 100 GB of free space and you deploy it to 1000 end users, you must plan for 1000 multiplied by that free space (100 TB) just for the write cache. Machine Creation Services has a differencing disk and an identity disk for each machine and scales using the same formula.
Discussion Question

You created a master image and used it to create a machine catalog consisting of 100 machines. One of your co-workers deleted the master image from the hypervisor. What will be the effect of this deletion on the XenApp and XenDesktop environment?
Setting Up a Server OS Master Image

Some of your master images will be based on a Windows Server operating system. These images will be used to deliver Server OS machines and server-based hosted applications. A master image must exist before a machine catalog can be created.

To Set Up a Server OS Master Image

1. Log on to the domain controller using domain administrator credentials to create a computer account for the new master image.
   Log on to DomainController-1 with the TRAINING\Administrator and Password1 credentials.
2. Click Tools in the Server Manager and then click Active Directory Users and Computers.
3. Expand the domain and OU that will contain the Windows Server OS VM.
   Browse to training.lab > Training Virtual Desktops > Servers.
4. Right-click the OU and then click New > Computer.
   Right-click the Servers OU and then click New > Computer.
5. Type a name for the computer in the Computer name field and then click OK.
   Type Win2012R2Master and then click OK. To see existing accounts or view the newly added account, click the Servers OU and view the account names in the right pane.
6. Close the Active Directory Users and Computers window.
7. Right-click a Windows Server 2012 R2 template in XenCenter and click New VM wizard.
   Right-click the WinServer2012R2_template in XenCenter and then click New VM wizard.
   You are using a template that already has the hypervisor tools installed. If you were creating the VM from scratch, you would need to install the hypervisor tools on the VM before you use the master image to create a machine catalog.
8. Click Next.
9. Type a name for the new VM and then click Next.
   Type Win2012R2Master in the Name field and then click Next.
10. Verify that no ISO files are mounted in the DVD drive and then click Next.
11. Determine if the VM will be assigned to a home server and then click Next.
    Select Place the VM on this server and then click Next.
12. Specify the CPU and memory usage for this server and then click Next.
    Verify that 2 vCPU and 2048 MB of memory are allocated for this VM and then click Next.
13. Specify the vDisk storage and properties for this VM and then click Next.
    Accept the default vDisk storage device, select Use storage-level fast disk clone, and then click Next.
14. Specify one or more virtual network interface cards and then click Next.
    Verify that Internal is selected for the Network interface card and then click Next.
15. Review the selected settings and then click Create Now.
    Verify that Start the new VM automatically is selected and then click Create Now.
16. Click the Windows 2012 R2 Server VM and then click the Console tab.
    Click Win2012R2Master in XenCenter and then click the Console tab in the center pane.
    It may take a few minutes for the server to start.
17. Specify the region, language, and keyboard settings and then click Next.
    Verify that United States, English, and US are selected and then click Next.
18. Read and respond to the license agreement.
    Click I accept.
19. Type a password for the local administrator in the Password and Confirm password fields and then click Finish.
    Type Password1 in both password fields and then click Finish.
20. Log on using the local administrator credentials.
    Log on with the Administrator and Password1 credentials. The local administrator account is the only account available because the server has not been joined to the domain. If the Windows Security window appears, be sure to sign on as the local administrator.
21. Click Local Server in the Server Manager to access the System Properties.
22. Click the link to the right of Computer name and then click the Change button in the System Properties window.
23. Type a name for the server in the Computer name field.
    Type Win2012R2Master in the Computer name field.
24. Select Domain, type the name of the domain, and then click OK.
    Select Domain, type training.lab, and then click OK.
25. Type a domain administrator name and password and then click OK.
    Type Administrator in the Username field and Password1 in the Password field, and then click OK.
26. Click OK in the Computer Name/Domain Changes message.
27. Click OK in the restart message.
28. Click Close in the System Properties window, and then click Restart Now to restart the VM and apply the changes.
Using a Virtual IP Address

Virtual IP and virtual loopback allow XenApp and XenDesktop administrators hosting application sessions on Server OS machines running Windows Server 2008 R2 and later to host IP-dependent applications. By default, each application running on a Server OS machine shares the IP address of that machine.

The virtual IP address feature allows you to provide a unique and unused IP address to an application session running on a Server OS machine. The virtual loopback feature allows you to assign a session an IP address from the localhost 127.0.0.1 range. These features are implemented using Citrix policies and are independent; you do not have to enable both.

In larger environments, depending upon the class of network and the number of devices and applications supported, it may be possible to run out of unique IP addresses.

Applications that might require the use of the virtual IP and virtual loopback features for addressing, licensing, and identification include CRM and Computer Telephony Integration (CTI). For more information about virtual IPs and virtual loopback, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-deliver-virtual-ip.html.
Installing and Configuring the Virtual Delivery Agent

The Virtual Delivery Agent (VDA) is required on all Server OS master images. The VDA enables connectivity to the Server OS machine from any endpoint that has Citrix Receiver installed. The Virtual Delivery Agent enables the Server OS machine to register with Delivery Controllers and manages the HDX (ICA) connection between the Server OS machine and the endpoint. HDX (ICA) technology supports the communication and collaboration tools and high-quality multimedia that end users need to work productively. It examines screen activity and determines how best to display responses, graphics and media, and whether to render locally or remotely in real time.

In addition, when the Virtual Delivery Agent is installed on a Server OS machine, the Remote Desktop Services role is installed and the Remote Desktop Session Host is activated. This allows you to host multiple end-user sessions for desktops and hosted applications on a single server. The Virtual Delivery Agent should be installed prior to any applications being installed on the server.

Remote Desktop Services (Terminal Services) is no longer required on servers running the Delivery Controller; however, Remote Desktop licenses are still required. The VDA is configured to discover the Delivery Controllers during the installation of the VDA. The HDX 3D Pro VDA is not available for installation on a Server OS operating system.

To Install and Configure the VDA on a Server OS Master Image

The steps for installing a VDA on a Server operating system are different from those used to install the VDA on a Desktop operating system.

1. Log on to the VM on which you want to install the VDA using domain administrator credentials.
   Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.
2. Insert the XenApp and XenDesktop installation media in the DVD drive.
   Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
3. Click the File Explorer icon on the taskbar.
4. Click This PC.
5. Double-click CD Drive (D:) to start the installation wizard. If the installation wizard does not start, double-click AutoSelect.
6. Click Start next to XenDesktop.
7. Click Virtual Delivery Agent for Windows Server OS.
8. Select Create a Master Image and then click Next.
9. Determine if Citrix Receiver will be installed and then click Next.
   Verify that Citrix Receiver is selected and then click Next.
10. Determine how Delivery Controller locations will be specified and then click Next.
    Select Let Machine Creation Services do it automatically and then click Next.
    When Machine Creation Services is used to provision the desktops or hosted applications, you can choose to enter the location of the Delivery Controllers manually or allow Machine Creation Services to do it for you. When Provisioning Services is being used to provision the desktops or hosted applications, you must enter the location of the Delivery Controllers manually.
11. Select the features you want to install and then click Next.
    Verify that all features are selected and then click Next.
    Features include:
    • Optimize performance: Enables or disables optimization for VDAs running in a VM on a hypervisor. VM optimization includes disabling offline files, disabling background defragmentation, and reducing the Event Log size. For more information about the optimization tool, see CTX125874. You should not enable this option for Remote PC Access.
    • Use Windows Remote Assistance: Enables or disables Windows Remote Assistance for use with Director. When this feature is enabled, Windows automatically opens TCP port 3389 in the firewall (even if you choose to open firewall ports manually on the next wizard page). Because that port is then open on every machine created from the image, enable it only where Director shadowing is actually required.
    • Use Real-Time Audio Transport for audio: Enables or disables the use of UDP for audio packets. Enabling this feature can improve audio performance.
12. Determine how the firewall ports will be configured and then click Next.
    Verify that Automatically is selected and then click Next.
    These are the ports used by the VDA. If the VDA will use alternate port assignments, select Manually to configure the ports after installation completes.
13. Review the installation settings and then click Install.
    You can change the settings by clicking the Back button.
14. Click Close and then wait for the master image to restart.
    The machine will restart automatically after a few seconds and the VDA will be configured. Do not eject the XenApp and XenDesktop media from the DVD drive. Doing so will cause the installation of the VDA to be incomplete and desktops created from the image will fail to register.
15. Wait while the VM updates. This will take approximately 5 minutes.
16. Log on to the VM on which you installed the VDA using domain administrator credentials to complete the configuration of the VDA.
    Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.
17. Wait while the prerequisites and selected core components are installed and initialized. This will take approximately 5 minutes.
18. Verify that Restart machine is selected and then click Finish.
19. Wait while the VM restarts.
20. Log on to the VM using domain administrator credentials.
    Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.
21. Eject the XenApp and XenDesktop media from the DVD drive.
    Click Eject to the right of the DVD Drive 1 field to remove the XenApp and XenDesktop media.
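The wizard choices above correspond to command-line switches of the VDA installer, which is how an image-build pipeline would run the same installation unattended. The PowerShell below is an added example written for this edit; it is not part of the course and not Citrix's own tooling. It assumes the 7.6 media is mounted as D: so that the installer is at D:\x64\XenDesktop Setup\XenDesktopVdaSetup.exe, that the switch names are the ones documented for the 7.6 VDA installer, and that exit code 3 means "restart required" (treat that mapping as an assumption and confirm it in the installer log). It also performs the Print Spooler check from the troubleshooting table before launching setup, so the "Printer - The arguments are invalid" hang cannot occur, and it departs from the lab's "all features" choice by making Windows Remote Assistance opt-in.

```powershell
# Added example, not part of the Citrix course or Citrix's own tooling.
# Unattended VDA install for a Server OS master image. Run from an elevated
# PowerShell on the image VM with the XenApp/XenDesktop 7.6 ISO mounted as D:.
# Assumptions: installer path and switch names as documented for the 7.6 VDA
# installer; exit code 3 = "restart required" (verify against the log).
param(
    # Delivery Controller FQDNs. Leave empty to match the wizard's "Let Machine
    # Creation Services do it automatically" choice (MCS supplies them when the
    # catalog is created). PVS-provisioned images must list them here.
    [string[]]$Controllers = @(),
    # Opens TCP 3389 on every machine built from the image; off unless Director
    # shadowing is required.
    [switch]$RemoteAssistance,
    [string]$Setup   = 'D:\x64\XenDesktop Setup\XenDesktopVdaSetup.exe',
    [string]$LogPath = 'C:\Logs\Citrix\VDA'
)

# 1. The installer needs the Print Spooler. If it is stopped, setup hangs
#    behind a "Printer - The arguments are invalid" dialog, so start it first.
$spooler = Get-Service -Name Spooler
if ($spooler.Status -ne 'Running') {
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    $spooler.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# 2. Fail early if the media is not mounted. It must also stay mounted until
#    the post-reboot phase completes, or machines built from the image will
#    not register.
if (-not (Test-Path -LiteralPath $Setup)) {
    throw "Installer not found at '$Setup'. Is the XenApp/XenDesktop ISO mounted?"
}

# 3. Wizard choices expressed as switches:
#    Create a Master Image          -> /masterimage
#    Citrix Receiver selected       -> /components VDA,PLUGINS
#    Optimize performance           -> /optimize
#    Use Real-Time Audio Transport  -> /enable_real_time_transport
#    Firewall ports: Automatically  -> /enable_hdx_ports
#    Use Windows Remote Assistance  -> /enable_remote_assistance (opt-in here)
$setupArgs = @(
    '/quiet', '/noreboot', '/masterimage',
    '/components', 'VDA,PLUGINS',
    '/enable_hdx_ports',
    '/optimize',
    '/enable_real_time_transport',
    '/logpath', "`"$LogPath`""
)
if ($RemoteAssistance)        { $setupArgs += '/enable_remote_assistance' }
if ($Controllers.Count -gt 0) {
    $setupArgs += '/controllers'
    $setupArgs += "`"$($Controllers -join ' ')`""   # space-separated FQDNs
}

New-Item -ItemType Directory -Path $LogPath -Force | Out-Null
$proc = Start-Process -FilePath $Setup -ArgumentList $setupArgs -Wait -PassThru

# 4. Interpret the result. A restart is expected because of /noreboot; the
#    VDA finishes configuring itself after that reboot, with the media still
#    attached.
switch ($proc.ExitCode) {
    0       { Write-Host 'VDA installed.' }
    3       { Write-Host 'VDA installed; restart the VM to complete configuration.' }
    default { throw "VDA setup failed with exit code $($proc.ExitCode); see $LogPath" }
}
```

For a Desktop OS image that will use Personal vDisk, the same installer takes the documented /baseimage switch in place of the wizard's Personal vDisk checkbox; the Update Personal vDisk tool still has to be the last thing run on the image. Whichever way the VDA is installed, eject the media only after the post-reboot logon, exactly as in step 21 above.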
Installing and Configuring Third-Party Applications

Install any third-party applications or tools that you want to include in the master image. These applications may include Windows applications, antivirus software, electronic software distribution agents, configuration services, Windows Update software, and more.

You should virtualize applications to significantly reduce the number of master images you need to support the end users in the environment and to reduce the administrative overhead required to support multiple master images when application updates need to be installed.

When configuring the applications, you should ensure that you use settings appropriate for the end users and the machine type, as these configurations will be propagated to end users from the master image. Compatibility testing should be conducted before you install any application on a master image that will be released to the production environment.

To Install Third-Party Applications

1. Log on to the VM that will be used as the master image using domain administrator credentials.
   Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.
2. Click Desktop.
3. Insert the ISO image of the third-party application into the DVD drive.
   Select Microsoft_Office_2010_Professional_SP1_English.iso in the DVD Drive 1 field.
4. Click the File Explorer icon in the taskbar and then click This PC.
5. Double-click CD Drive (D:). If the installation wizard does not start, double-click setup.
6. Read and respond to the license agreement.
   Select I accept the terms of this agreement and then click Continue.
7. Determine which applications to install on the master image. Be aware that if you select a Standard install, all Microsoft Office applications will be installed, which requires additional disk space as well as the time to complete the download and installation.
   Click Customize and then do the following:
   a. Click the down arrow to the left of Microsoft Access and then click Not Available.
   b. Click the down arrow to the left of Microsoft InfoPath and then click Not Available.
   c. Click the down arrow to the left of Microsoft OneNote and then click Not Available.
   d. Click the down arrow to the left of Microsoft Outlook and then click Not Available.
   e. Click the down arrow to the left of Microsoft Publisher and then click Not Available.
   f. Click the down arrow to the left of Microsoft SharePoint Workspace and then click Not Available.
   g. Click the down arrow to the left of Microsoft Visio Viewer and then click Not Available.
   h. Click the down arrow to the left of Office Shared Features and then click Not Available.
   i. Click the down arrow to the left of Office Tools and then click Not Available.
   Microsoft Excel, Microsoft PowerPoint, and Microsoft Word will be the only applications installed on the master image.
8. Click Install Now.
   You can expect the installation to take approximately 15 minutes.
9. Click Close when the installation is completed.
10. Click Eject next to the DVD drive field to eject the ISO image.

The operating system and applications installed on the master image should be licensed before the master image is used to create a machine catalog. Once armed, you do not need to rearm Microsoft Office or Microsoft Windows if you are using XenServer 6.1, XenServer 6.2, vSphere, or SCVMM with Machine Creation Services.

Installing Anti-Virus Software

Antivirus software is a common-sense, generally accepted requirement in most corporate environments. Once you have determined which anti-virus platform you will standardize upon, install the anti-virus software on the master image. You should configure the anti-virus software with the appropriate inclusions in and exclusions from scans. This topic is beyond the scope of this class; consult the security specialists in your company to ensure machines are properly protected.
Discussion Question

You are providing desktops to four end-user groups in your environment. Each of the end-user groups requires a set of common applications. In addition, each end-user group requires that a set of job-specific applications be available to them from their desktop. How many master images will you need to create to support the four end-user groups?

Troubleshooting Virtual Delivery Agent Issues

The following table identifies VDA configuration issues and resolutions.

Issue: The VDA installation stops responding.
Resolution: Check behind the VDA installation window to see if an error message is halting the installation. If an error message is present, address the issue in the error message and then click OK in the error message to continue installing the VDA. A common error is "Printer - The arguments are invalid". This error message appears when the Print Spooler service is not started. The VDA requires the Print Spooler service to be running. You can manually start the Print Spooler service or wait for it to start.
Setting Up a Desktop OS Master Image

Some of your master images will be based on a Windows Desktop operating system and will be used to provide Desktop OS machines and hosted applications to end users. The steps for Desktop OS master images are similar to the steps used to create Server OS master images.

To Set Up a Desktop OS Master Image

1. Log on to the domain controller using domain administrator credentials to create a computer account for the new master image.
   Log on to DomainController-1 with the TRAINING\Administrator and Password1 credentials.
2. Click Tools in the Server Manager and then click Active Directory Users and Computers.
3. Expand the domain and OU that will contain the Windows 8 master image VM.
   Browse to training.lab > Training Virtual Desktops > Desktops.
4. Right-click the OU and then click New > Computer.
   Right-click the Desktops OU and then click New > Computer.
5. Type a name for the computer in the Computer name field and then click OK.
   Type Win8Master and then click OK. To see existing accounts or view the newly added account, click the Desktops OU and view the account names in the right pane.
6. Close the Active Directory Users and Computers window.
7. Right-click a Windows 8 template in XenCenter and then click New VM wizard.
   Right-click the Win8_Template VM in XenCenter, select New VM wizard, and then click Next. You are using a template that already has the hypervisor tools installed. If you were creating the VM from scratch, you would need to install the hypervisor tools on the VM before you could use the master image to create a machine catalog.
8. Specify a name for the new VM and then click Next.
   Type Win8Master in the Name field and then click Next.
9. Verify that no ISO files are mounted in the DVD drive and then click Next.
10. Determine if the VM will be assigned to a home server and then click Next.
    Select Place the VM on this server and then click Next.
11. Specify the CPU and memory usage for this VM and then click Next.
    Verify that 2 vCPU and 2048 MB of memory are allocated for this VM and then click Next.
12. Specify the vDisk storage and properties for this VM and then click Next.
    Accept the default vDisk storage device, verify that Use storage-level fast disk clone is selected, and then click Next.
13. Specify one or more virtual network interface cards and then click Next.
    Accept the default network interface card Network 0 and then click Next.
14. Review the selected settings and then click Create Now.
    Verify that Start the new VM automatically is selected and then click Create Now.
15. Select the new VM in XenCenter and then click the Console tab.
    Select the Win8Master VM in XenCenter and then click the Console tab.
16. Wait while the VM restarts.
17. Specify the region, language, and keyboard settings and then click Next.
    Verify that United States, English, US, and Pacific Time are selected and then click Next.
18. Read and respond to the license terms for Windows.
    Click I accept.
19. Type a name for the desktop and then click Next.
    Type Win8Master and then click Next.
    The name provided at this point is irrelevant. It will be replaced later.
20. Select the PC connection services for this desktop.
    Click Use express settings.
    The settings selected at this point will be replaced later.
21. Click Create a new account on the "Sign in to your Microsoft account" screen.
22. Click Sign in without a Microsoft account on the "Create a Microsoft account" screen.
23. Type an end-user name and the password information, and then click Finish.
    Type CitrixUser in the Username field, Password1 in the password fields, First Password in the Password Hint field, and then click Finish. Windows configuration will continue for a few minutes.
24. Log on using the local credentials if the Windows Security window appears.
    Log on using the CitrixUser and Password1 credentials.
25. Click the Desktop icon on the Start screen.
26. Click the File Explorer (folder) icon on the taskbar.
27. Right-click This PC and then click Properties.
28. Click the Change settings link and then click the Change button.
29. Type a name for the master image virtual machine.
    Verify that Win8Master is in the Computer name field.
30. Select Domain, type the name of the domain, and then click OK.
    Select Domain, type training.lab, and then click OK.
31. Type a domain administrator name and password and then click OK.
    Type Administrator in the Username field, Password1 in the Password field, and then click OK.
32. Click OK in the Computer Name/Domain Changes message.
33. Click OK in the restart message.
34. Click Close in the System Properties window, and then click Restart Now to restart the VM and apply the changes.
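Steps 1-6 and 29-34 of this procedure, and steps 1-6 and 21-28 of the Server OS procedure earlier in the module, are the same two operations: pre-stage a computer account in the OU whose policies the machine should receive, then join the VM under that name so the join binds to the pre-staged object instead of creating a new one in the default Computers container. The PowerShell below is an added example written for this edit, not course material or Citrix code. The OU distinguished names are assumptions derived from the lab tree (training.lab > Training Virtual Desktops > Servers and Desktops); adjust them for your own directory.

```powershell
# Added example, not part of the Citrix course. Part 1 runs on
# DomainController-1 (needs the ActiveDirectory module); Part 2 runs on the
# new VM as the local Administrator. The OU distinguished names are assumed
# from the lab tree shown in the procedure.

# --- Part 1: pre-stage the computer account in the correct OU ---------------
function New-MasterImageAccount {
    param(
        [Parameter(Mandatory)][string]$Name,                                   # e.g. Win2012R2Master
        [Parameter(Mandatory)][ValidateSet('Server','Desktop')][string]$Kind
    )
    Import-Module ActiveDirectory
    $ou = switch ($Kind) {
        'Server'  { 'OU=Servers,OU=Training Virtual Desktops,DC=training,DC=lab' }   # assumption
        'Desktop' { 'OU=Desktops,OU=Training Virtual Desktops,DC=training,DC=lab' }  # assumption
    }
    if ($Name.Length -gt 15) { throw "'$Name' exceeds the 15-character NetBIOS computer name limit" }

    # Re-running must neither fail nor silently reuse an account in the wrong OU.
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.DistinguishedName -notlike "*,$ou") {
            throw "$Name already exists at $($existing.DistinguishedName), not under $ou"
        }
        return $existing
    }
    New-ADComputer -Name $Name -Path $ou -Enabled $true -PassThru
}

# --- Part 2: rename and join the VM, binding to the pre-staged account ------
function Join-MasterImageToDomain {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][pscredential]$Credential,   # TRAINING\Administrator
        [string]$Domain = 'training.lab'
    )
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain -and $cs.Domain -ieq $Domain) {
        Write-Host "$env:COMPUTERNAME is already a member of $Domain"
        return
    }
    # The account already exists in the chosen OU, so the join attaches to it
    # rather than creating a new object in the default Computers container.
    $join = @{ DomainName = $Domain; Credential = $Credential; Force = $true; Restart = $true }
    if ($env:COMPUTERNAME -ine $Name) { $join.NewName = $Name }   # rename and join in one step
    Add-Computer @join
}

# Usage:
#   On DomainController-1:  New-MasterImageAccount -Name 'Win2012R2Master' -Kind Server
#                           New-MasterImageAccount -Name 'Win8Master'      -Kind Desktop
#   On the VM:              Join-MasterImageToDomain -Name 'Win8Master' `
#                               -Credential (Get-Credential 'TRAINING\Administrator')
```

After the restart, Get-ADComputer -Identity Win8Master on the domain controller should report the DistinguishedName under the Desktops OU; if it reports CN=Computers instead, the account was not pre-staged (or was staged under a different name) and the machine will not receive the OU-linked policies the lab expects.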
Installing and Configuring the Virtual Delivery Agent
ot
N
The VDA is required on all Desktop OS master images. The VDA enables connectivity to the Desktop OS machine from any endpoint using Citrix Receiver. The VDA enables the Desktop OS machine to register with the Delivery Controllers and manage the HDX (ICA) connection between the Desktop OS machine and the endpoint. The VDA is configured to discover the Delivery Controllers during the installation of the VDA.
fo
You cannot upgrade the Virtual Desktop Agents running on Windows XP or Windows Vista operating systems to XenDesktop 7 Virtual Delivery Agents. You must upgrade these VDAs to the Windows XP or Windows Vista version provided by the installer, or upgrade them using XenDesktop Version 5.6 Feature Pack 1.
rr
al
es
There are two different VDAs available for installation on a Desktop operating system: Standard VDA and HDX 3D Pro VDA. The HDX 3D Pro VDA allows the desktop to take advantage of the Graphical Processing Unit on the hardware running the virtual desktop.
e
To Install and Configure the VDA on a Desktop OS Master Image Log on to the VM on which you want to install the VDA using domain administrator credentials.
or
1.
Log on to Win8Master using the TRAINING\Administrator and Password1 credentials.
st di
2.
Click Desktop on the Start screen and then click the File Explorer icon on the taskbar.
Click This PC. Insert the XenApp and XenDesktop installation media into the DVD drive.
5.
n
Click XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
io
3. 4.
ut
rib
You may need to complete the mini tutorial before you are allowed to click the Desktop icon.
Double-click CD Drive (D:) to start the installation wizard. If the installation wizard does not start, double-click AutoSelect.
6. 7. 8. 9.
Click Start next to XenDesktop. Click Virtual Delivery Agent for Windows Desktop OS. Verify that Create a Master Image is selected and then click Next. Determine which version of the Virtual Delivery Agent should be installed and then click Next. Verify No, install the standard VDA is selected and then click Next.
© Copyright 2015 Citrix Systems, Inc.
Module 5: Setting Up XenDesktop Resources
141
The HDX 3D Pro VDA should not be installed in the lab environment.
10. Determine if Citrix Receiver will be installed and then click Next.
Verify that Citrix Receiver is selected and then click Next.
11. Determine how Delivery Controller locations will be specified and then click Next.
Click Let Machine Creation Services do it automatically in the How do you want to enter the locations of your Delivery Controllers field and then click Next.
When Machine Creation Services is used, you can choose to enter the location of the Delivery Controllers manually or allow Machine Creation Services to do it for you. When Provisioning Services is being used, you must enter the location of the Delivery Controllers manually.
12. Select the features you want to install and then click Next.
Select Personal vDisk, verify that all features are selected, and then click Next.
Features include:
• Optimize performance: Enables or disables optimization for VDAs running in a VM on a hypervisor. VM optimization includes disabling offline files, disabling background defragmentation, and reducing Event Log size. For more information about the optimization tool, see CTX125874. You should not enable this option for Remote PC Access.
• Use Windows Remote Assistance: Enables or disables Windows Remote Assistance for use with Director. When this feature is enabled, Windows automatically opens TCP port 3389 in the firewall (even if you choose to open firewall ports manually on the next wizard page).
• Use Real-Time Audio Transport for audio: Enables or disables the use of UDP for audio packets. Enabling this feature can improve audio performance.
• Personal vDisk: Retains the single image management of static (Machine Creation Services) and streamed (Provisioning Services) Desktop OS machines while allowing users to install applications and change desktop settings. If Personal vDisk is selected, the Personal vDisk Update tool must be the last thing run on the master image before the master image is used to create a machine catalog.
13. Determine how the firewall ports will be configured and then click Next.
Verify that Automatically is selected and then click Next.
These are the ports used by the VDA. If the VDA will use alternate port assignments, select Manually to configure the ports after installation completes.
14. Review the installation settings and then click Install.
15. Wait while the prerequisites and selected core components are installed and initialized.
This will take approximately 10 minutes.
16. Verify that Restart machine is selected and then click Finish.
The machine will restart automatically after a few seconds and the VDA will be configured. Do not eject the XenApp and XenDesktop installation media from the DVD drive. Doing so will cause the installation of the VDA to be incomplete and desktops that are created from the image will fail to register.
17. Wait while the VM starts.
18. Log on to the VM using domain administrator credentials.
Log on to Win8Master using the TRAINING\Administrator and Password1 credentials.
Module 5: Setting Up XenDesktop Resources
© Copyright 2015 Citrix Systems, Inc.
19. Eject the XenApp and XenDesktop media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to remove the XenApp and XenDesktop media.
20. Install the desired applications on the master image.
Do not install any applications in the class.
21. From the Start screen, type Update, and then click Update Personal vDisk.
This step is only necessary if Personal vDisk was selected in Step 13. Failure to run the Update Personal vDisk tool when Personal vDisk is selected will result in a desktop that cannot be accessed by end users. It will take approximately 10 minutes for the Personal vDisk inventory update to complete. If you plan to make additional changes to the master image, you can wait and run the Update Personal vDisk tool later. If you forgot to select the Personal vDisk option, you can enable it by running the Update Personal vDisk tool in the VM.
Discussion Question
What is meant by the term registration?
Creating a Machine Catalog
A machine catalog is a collection of virtual machines or physical machines managed as a single entity. Machine catalogs specify the virtual machines or physical computers available to host applications or desktops.
There are many machine types available for master images running a Desktop operating system, including: random, static, and existing. Each machine type requires a separate machine catalog. You can update a machine catalog and all its virtual machines by updating the master image.
The existing machine type enables you to use XenApp and XenDesktop to manage and deliver desktops that you have already migrated to VMs in the datacenter. As with traditional local desktops, changes and updates are permanent and must be managed on an individual basis or collectively using third-party electronic software distribution (ESD) tools.
A machine catalog is a collection of machines that have something in common such as random desktops, provisioned desktops, static desktops, physical machines, the same operating system, and so on. A Delivery Group is a collection of end users that have been given access to a machine catalog.
Creating a Machine Catalog for Server OS and Hosted Applications
The machine catalog type defines the hosting infrastructure for desktops and applications, and the level of control that end users have over their environment. Server OS machines can provide a Windows Server desktop and hosted applications that are shared by large numbers of end users. Machine catalogs based on a Server OS can provide desktops that are:
• Allocated to end users on a per-session, first-come, first-serve basis.
• Deployed on standardized machines.
Machine catalogs based on a Server OS can also be used to provide hosted applications that:
• Are available to end users through Citrix Receiver.
• Run on the Server OS machine.
• Use App-V to stream the application to the VDA on the Server OS machine.
To Create a Machine Catalog for Server OS and Hosted Applications
1. Shut down the master image VM for the Server OS and then click Yes to confirm the shutdown.
Right-click the Win2012R2Master VM, click Shut Down, and then click Yes.
2. Wait for the icon to turn red.
3. Log on to the VM that is hosting Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
You must log on to the VM hosting Studio with a domain administrator account if you plan to use XenApp and XenDesktop to create the Active Directory computer accounts for the machines in the catalog.
4. Click Start, type Studio, and then click Citrix Studio.
5. Select the Machine Catalogs node in the left pane.
If this is the first machine catalog you have created, the Machine Catalog node will not be visible until you have completed one of the initial configuration tasks presented when you first start Studio.
6. Click Create Machine Catalog in the right pane.
7. Click Next on the Introduction page.
You can avoid seeing this page when creating additional machine catalogs by selecting Don't show this again.
8. Select the type of machine catalog you want to create and then click Next.
Select Windows Server OS and then click Next.
Options include:
• Windows Desktop OS provides individual and customizable desktops based on a workstation operating system.
• Windows Server OS provides a standardized desktop based on a Server operating system.
• Remote PC Access enables end users to log on remotely to a physical PC from anywhere. The Remote PC Service must be installed on the Delivery Controller VM in order to place physical PCs in a machine catalog. Once installed, the VDA on the office PC enables it to register with the Controller and manages the HDX connections between the machine and the endpoints. The Receiver running on the endpoint provides the end user with access to all of the applications and data on the office PC.
9. Determine how the infrastructure will be built and managed and then click Next.
Verify that Machines that are power managed and Citrix Machine Creation Services (MCS) are selected and then click Next.
10. Select a virtual machine to use as the master image and then click Next.
Select Win2012R2Master and then click Next.
11. Specify the number of VMs to create, the number of virtual CPUs, and the amount of memory for each VM, and then click Next.
Verify that 2 is specified in the Number of virtual machines needed field, 2 is specified in the vCPUs field, 2048 is specified in the Memory (MB) field, and then click Next.
Because of the limited storage in the lab environment, you are only creating two machines. In a real-world environment, you would create enough machines to satisfy the needs of the end users in the environment.
12. Determine whether to use existing Active Directory accounts or to create new ones.
Verify that Create new Active Directory accounts is selected and then double-click Training Virtual Desktops > Servers in the Active Directory location for computer accounts section.
If you are creating new accounts, you must specify the OU where they should be created. The Active Directory organizational units must be created before you complete this step.
13. Create an account-naming scheme, specify the format for the numbering, and then click Next.
Type Server2012R2-## in the Account naming scheme field, verify that 0-9 is selected, and then click Next.
The ## in the naming scheme will be replaced with numbers or letters. If a large number of machines will be needed, you can add additional # signs to the end of the Account naming scheme.
14. Type a machine catalog name and description and then click Finish.
Type Windows 2012 R2 Servers-Apps in the Machine Catalog name field, Win 2012 R2 Servers with Apps in the Description field, and then click Finish.
The master image will be copied, then differencing disks and identity disks will be created for each VM. If you click the Hide progress button during the creation of the machine catalog, the progress bar becomes visible as a green bar in the name of the machine catalog on the Machine Catalog screen. The green bar will grow in size as the machine creation progresses. You can expect the configuration to take approximately 15 minutes. You can continue to use Studio while the machine creation process runs.
Discussion Question
You created a master image with 1 vCPU and 2048 MB of memory and then installed Windows Server 2012 R2 on the VM. Next you created a machine catalog using the master image. During the configuration of the machine catalog, you changed the number of vCPUs to 2 and the amount of memory to 1024 MB. Which settings will be used?
Creating a Machine Catalog for Desktop OS Machines
The Desktop OS machine catalog type lets you provide individual desktop environments and hosted applications for each end user as well as customizable desktops that include Personal vDisks (PvD). The types of machines that can be configured in a machine catalog for Desktop OS machines include:
• Random machines (formerly known as pooled) provide desktops to end users on a per-session, first-come, first-serve basis. They are arbitrarily assigned to end users at each logon and returned to the pool when the end users log off.
• Static machines (formerly known as assigned) provide desktops that are assigned to individual end users that usually need to install their own applications on their desktops. Machines can be assigned manually or they can be automatically assigned to the first end user to connect to the machine. Whenever end users request a desktop, they are always connected to the same machine. This allows end users to personalize their desktops to suit their needs.
• Static machines and streamed machines that use Personal vDisks support end users who need to personalize their desktops and store their changes on a separate vDisk so the changes are available at the next logon. If Personal vDisks are used, the Update Personal vDisk tool must be run on the master image to update the Personal vDisk inventory whenever you make changes to the master image. Failure to update the Personal vDisk inventory can result in machines that cannot be accessed by end users or the Personal vDisk being unavailable in machines based on the master image.
Streamed machines refer to virtual machines provided by Provisioning Services. Provisioning Services will be covered later in this course.
To Create a Desktop OS Machine Catalog
1. Shut down the master image VM for the Desktop OS and then click Yes to confirm the shutdown.
Verify that the Win8Master VM is shut down. If the Win8Master VM is not shut down, it is probably still updating the Personal vDisk. Do not force the shutdown; allow the process to continue and it will shut down when it is finished.
2. Wait until the icon turns red.
3. Log on to the VM that is hosting Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
You must log on to the VM hosting Studio with a domain administrator account if you plan to use XenApp and XenDesktop to create the Active Directory computer accounts for the machines in the catalog.
4. Click Start, type Studio, and then click Citrix Studio.
5. Select the Machine Catalogs node in the left pane.
If this is the first machine catalog you have created, the Machine Catalog node is not visible until you have completed one of the initial configuration tasks presented when you first start Studio.
6. Click Create Machine Catalog in the right pane.
7. Click Next on the Introduction page.
You can avoid seeing this page when creating additional machine catalogs by selecting Don't show this again.
8. Select the type of machine catalog you want to create and then click Next.
Verify that Windows Desktop OS is selected and then click Next.
Options include:
• Windows Desktop OS provides individual and customizable desktops based on a workstation operating system.
• Windows Server OS provides a standardized desktop based on a Server operating system.
• Remote PC Access enables end users to log on remotely to a physical PC from anywhere. The Remote PC Service must be installed on the Delivery Controller VM in order to place physical PCs in a machine catalog. Once installed, the VDA on the office PC enables it to register with the Controller and manages the HDX connections between the machine and the endpoints. The Receiver running on the endpoint provides the end user with access to all of the applications and data on the office PC.
9. Determine how the infrastructure will be built and managed and then click Next.
Verify that Machines that are power managed and Citrix Machine Creation Services (MCS) are selected and then click Next.
The infrastructure can be built using either virtual machines or physical hardware. The machine images can be managed using Machine Creation Services, Provisioning Services (PVS), or a service or technology other than Citrix (existing images).
10. Select a user experience in the Desktop Experience page.
Select I want users to connect to the same (static) desktop each time they log on.
You can configure the desktop experience to use a new (random) desktop each time the user logs on, or use the same (static) desktop each time the user logs on.
11. Determine whether user changes will be saved to a Personal vDisk, to the local disk, or discarded, and then click Next.
Select Yes, save changes on a separate Personal vDisk and then click Next.
The Desktop Experience page is not available if you are configuring a Server OS machine catalog or Remote PC Access. In addition, Personal vDisk is not available if you are configuring a machine catalog for:
• A Windows Desktop OS that will deliver a new (random) desktop each time the user logs on.
• Windows Server OS.
• Remote PC Access.
Personal vDisk is only available for machine catalogs providing static Desktop OS desktops.
12. Select a virtual machine to use as the master image and then click Next.
Select Win8Master and then click Next.
13. Specify the number of VMs to create, the number of virtual CPUs, and the amount of memory for each VM.
Verify that 1 is specified in the Number of virtual machines needed field, 1 is specified in the vCPUs field, and 2048 is specified in the Memory (MB) field.
Because of the limited storage in the lab environment, you are only creating a single machine. In a real-world environment, you would create enough machines to satisfy the needs of the end users in the environment.
14. Specify the size and the drive letter to use for the Personal vDisk and then click Next.
Type 5 in the Personal vDisk size (GB) field and then click Next.
The default drive size is 10 GB and the default drive letter is P. You should not reduce the size of the Personal vDisk below 3 GB.
15. Determine whether to use existing Active Directory accounts or to create new ones.
Verify that Create new Active Directory accounts is selected and then double-click Training Virtual Desktops > Desktops in the Active Directory location for computer accounts section.
If you are creating new accounts, you must specify the OU where they should be created. The Active Directory organizational units must be created before you complete this step.
16. Create an account-naming scheme, specify the format for the numbering, and then click Next.
Type Static-PvD-## in the Account naming scheme field, verify that 0-9 is selected, and then click Next.
The ## in the naming scheme can be replaced with numbers or letters. If a larger number of machines will be needed, you can add additional # signs to the end of the Account naming scheme.
17. Type a machine catalog name and description, and then click Finish.
Type Windows 8 Desktops in the Machine Catalog name field, type Static Win 8 desktops with PvD in the Description field, and then click Finish.
The master image will be copied onto each VM created in the machine catalog. If you click the Hide progress button during the creation of the machine catalog, the progress bar becomes visible as a green bar in the name of the machine catalog on the Machine Catalog screen. The green bar will grow in size as machine creation progresses. You can expect the configuration to take approximately 15 minutes. When the configuration completes, one machine in the machine catalog will start automatically to initialize the disks. Once the disks have been initialized, the machine will automatically shut down. You can continue to use Studio while the machine creation process runs.
Discussion Question
During the creation of a machine catalog, you are prompted to use existing computer accounts or create new computer accounts in Active Directory. What permissions must you have in order for XenApp and XenDesktop to create new computer accounts?
Creating a Delivery Group
Delivery Groups identify the end users that have access to the desktops and hosted applications provided by machine catalogs. You can configure multiple Delivery Groups for a single machine catalog in Citrix Studio. Active Directory integration allows you to select specific groups and grant them access to desktops and applications.
Session prelaunch and session linger are user session experience optimizations. The session prelaunch and session linger features help users quickly access applications by starting sessions before they are requested (session prelaunch) and keeping application sessions active after a user closes all applications (session linger). These features are supported for Server OS machines only.
By default, session prelaunch and session linger are not used; a session starts (launches) when a user starts an application, and remains active until the last open application in the session closes. Session prelaunch and session linger settings are configured in the settings for a Delivery Group.
Considerations:
• The Delivery Group must support applications, and the Server OS machines must be running a Server VDA version 7.6 or later.
• Users must be using a Citrix Receiver for Windows that is configured with additional settings. For more information about these additional settings, search http://docs.citrix.com for session prelaunch for the specific Receiver for Windows version.
• When using session prelaunch:
  • Physical client machines cannot use the suspend or hibernate power management functions.
  • Users can lock their end-user devices but should not log off.
• Prelaunched and lingering sessions consume a license, but only when connected. Unused prelaunched and lingering sessions disconnect after 15 minutes by default. This value can be configured in PowerShell using the New-BrokerSessionPreLaunch or Set-BrokerSessionPreLaunch cmdlet.
Careful planning and monitoring of your users' activity patterns are essential to tailoring these features to complement each other. Optimal configuration balances the benefits of earlier application availability for users against the cost of keeping licenses in use and resources allocated.
Securing Connections
Many administrators are faced with compliance with company security requirements and ensuring that all company traffic (internal and external) is secure. To ensure that communications are properly encrypted, administrators typically add certificates to Delivery Controllers, StoreFront servers, NetScaler appliances and more. The SSL to VDA feature allows you to secure communications between users and the Virtual Delivery Agents (VDAs) with SSL. To configure SSL to VDA, you:
• Manually configure SSL on the machines containing the VDA using the Microsoft Management Console or use the Enable-VdaSSL.ps1 PowerShell script located on the installation media. The PowerShell script configures SSL on static VDAs; it does not configure SSL on random (pooled) VDAs that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets on each restart.
• Configure SSL in the Delivery Groups containing the VDAs using the Get-BrokerAccessPolicyRule and Set-BrokerAccessPolicyRule PowerShell cmdlets in Studio.
Before you configure the SSL to VDA communications, you should be aware of the following considerations:
• SSL connections between users and VDAs are valid only for sites in XenApp 7.6 and XenDesktop 7.6 or later versions.
• SSL configuration in the Delivery Groups and on the machines containing the VDA is done after you create the Delivery site, create the machine catalogs, and create the Delivery Groups.
• Only Full Administrators have the permissions required to configure SSL in the Delivery Groups and change the Delivery Controller access rules.
• Only Windows administrators on the machines containing the VDA have the necessary permissions to configure SSL on those machines.
• If SSL Relay was installed on a machine, it must be uninstalled before installing the VDA on the machine. This is applicable to machines being upgraded from a previous version of XenApp or XenDesktop.
For more information about securing internal communications using the SSL to VDA feature, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html.
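As an added example (not part of the course material), the Delivery Group half of the SSL to VDA configuration carried out with the Get-BrokerAccessPolicyRule and Set-BrokerAccessPolicyRule cmdlets named above, followed by a read-back check. It assumes the Citrix Broker PowerShell snap-in on the Controller hosting Studio, a Full Administrator account, and a Delivery Group named Office Apps (the lab's name; substitute your own).

```powershell
# Added example, not from the course: enable HDX over SSL on the access policy
# rules of one Delivery Group and verify the result. Run this on the Controller
# hosting Studio, as a Full Administrator, only after SSL has already been
# configured on the VDAs themselves (Enable-VdaSSL.ps1 or the MMC) and after
# the machine catalog and Delivery Group exist.
Add-PSSnapin Citrix.Broker.Admin.V2

$groupName = 'Office Apps'   # lab Delivery Group name; replace with your own

# Before: show each access policy rule of the group and its current SSL state.
Get-BrokerAccessPolicyRule -DesktopGroupName $groupName |
    Select-Object Name, HdxSslEnabled | Format-Table -AutoSize

# Enable SSL on every access policy rule that belongs to the group.
Get-BrokerAccessPolicyRule -DesktopGroupName $groupName |
    Set-BrokerAccessPolicyRule -HdxSslEnabled $true

# Receiver must be handed the VDA's DNS name rather than its IP address so the
# name on the VDA certificate can be validated; this is a site-wide setting.
Set-BrokerSite -DnsResolutionEnabled $true

# After: fail loudly if any rule of the group still has SSL disabled, so a
# partially applied change is not mistaken for a secured group.
$stillDisabled = Get-BrokerAccessPolicyRule -DesktopGroupName $groupName |
    Where-Object { -not $_.HdxSslEnabled }
if ($stillDisabled) {
    throw "SSL still disabled on rule(s): $($stillDisabled.Name -join ', ')"
}
Write-Output "HDX over SSL is enabled on all access policy rules for '$groupName'."
```

The per-machine half is separate: Set-BrokerAccessPolicyRule only changes what the Controller brokers, so a VDA without a certificate bound to its ICA listener will still refuse SSL connections.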
fo
To Create a Delivery Group to Provide Hosted Applications
This procedure will make applications installed on Server OS machines available to end users through a Delivery Group. This functionality was formerly provided by Citrix XenApp, but is now integrated in XenApp and XenDesktop.
This procedure could also be performed on a Desktop OS machine to provide hosted applications to users, although some choices may be slightly different. This functionality was formerly known as VM Hosted Apps.
1. Log on to the computer hosting Citrix Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start and then click Citrix Studio.
3. Select the Delivery Groups node in the left pane.
4. Click Create Delivery Group in the right pane.
If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center pane.
5. Click Next in the Getting Started with Delivery Groups page.
If you previously selected Don't show this again, this page will not appear.
6. Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and then click Next.
Select Windows 2012 R2 Servers-Apps, type 1 in the Choose number of machines to add field, and then click Next.
Because of the limited storage in the lab environment, you only have a single machine available in the machine catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users in the environment.
7. Select the resource to deliver in the Delivery Type screen and then click Next.
Select Applications and then click Next.
The options include:
a. Desktops: Presents end users with an entire Windows Server desktop when they log on.
b. Applications: Publishes specific applications and delivers only those applications to end users.
c. Desktops and applications: Provides a combination of the previous two options.
8. Click Add users to specify which end users will be part of the Delivery Group.
Only those end users added to the Delivery Group will be able to access the selected resource (desktop, applications, or desktop and applications).
9. Type the names of the end users or groups, click Check Names, and then click OK.
Type Human Resources; Accounting; in the Enter the object names to select field, click Check Names, and then click OK.
10. Verify that the appropriate end users and groups appear in the Assign users field and then click Next.
Verify that TRAINING\Human Resources and TRAINING\Accounting appear and then click Next.
11. Select the applications to publish and then click Next.
Select Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010, and then click Next.
The Virtual Delivery Agent on the image identifies all of the applications on the machine and presents them for hosting. If no applications appear, verify that the machines in the machine catalog are in a registered state. If the machines fail to register, ensure that the VDA installation completed successfully on the master image prior to creating the machine catalog.
Keep in mind that the VDA installation on a Server OS machine requires several restarts with the installation media still in the drive. Once the master image restarts, log on to the image, eject the media, and restart the master image one more time to ensure that the VDA installation is completed.
12. Type a descriptive name for the Delivery Group in the Delivery Group name field.
Type Office Apps in the Delivery Group name field.
This is the name that the administrator sees.
13. Click Finish.
The end users added to the Delivery Group can now use Citrix Receiver to access the hosted applications, but not the server hosting the applications. If Desktop and Applications had been selected in Step 8, the end users would be able to access both the hosted applications and the Server OS desktop using Citrix Receiver.
14. Shut down the newly created VM, if it is started.
Right-click Server2012R2-01 in XenCenter and then click Shut Down. You are shutting down the VM only to save lab environment resources.
15. Optimize the Hosted Applications Delivery Group with Session Prelaunch and Session Lingering.
Select the Office Apps Delivery Group and then click Edit Delivery Group in the Actions pane.
16. Configure Application Prelaunch.
a. Click Application Prelaunch and then select Prelaunch when any user in the delivery group logs on to Receiver for Windows.
b. Select Minutes and set the number to 15.
c. Click Apply.
17. Configure Application Lingering.
a. Click Application Lingering and select Keep sessions active until.
b. Select Minutes and set the number to 15.
c. Click Apply and then click OK.
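The same prelaunch and linger settings that steps 16 and 17 apply in Studio, here as an added example (not from the course) using the Broker SDK cmdlets named in the Considerations under Creating a Delivery Group. It assumes the Citrix Broker snap-in on the Controller, that the Office Apps Delivery Group already exists and delivers applications from Server OS machines with a 7.6 or later VDA, and that -MaxTimeBeforeTerminate is the parameter carrying the idle limit (confirm with Get-Help on your SDK version).

```powershell
# Added example, not from the course: configure session prelaunch and session
# linger for a Delivery Group and read the settings back. Equivalent to steps
# 16 and 17 of the procedure above (15-minute idle limit on Office Apps).
Add-PSSnapin Citrix.Broker.Admin.V2

$groupName = 'Office Apps'                 # lab Delivery Group name
$idleLimit = New-TimeSpan -Minutes 15      # matches the lab; 15 min is also the default

# Prelaunch: start a session when any user of the group logs on to Receiver
# for Windows. Create the setting if none exists, otherwise update it.
# Assumption: -MaxTimeBeforeTerminate is the idle limit (verify with Get-Help).
$preLaunch = Get-BrokerSessionPreLaunch -DesktopGroupName $groupName -ErrorAction SilentlyContinue
if (-not $preLaunch) {
    New-BrokerSessionPreLaunch -DesktopGroupName $groupName -Enabled $true `
        -MaxTimeBeforeTerminate $idleLimit
} else {
    $preLaunch | Set-BrokerSessionPreLaunch -Enabled $true -MaxTimeBeforeTerminate $idleLimit
}

# Linger: keep the session alive after the last application closes so the
# next launch is immediate; same idle limit, same create-or-update pattern.
$linger = Get-BrokerSessionLinger -DesktopGroupName $groupName -ErrorAction SilentlyContinue
if (-not $linger) {
    New-BrokerSessionLinger -DesktopGroupName $groupName -Enabled $true `
        -MaxTimeBeforeTerminate $idleLimit
} else {
    $linger | Set-BrokerSessionLinger -Enabled $true -MaxTimeBeforeTerminate $idleLimit
}

# Read back: both features should report Enabled = True and the 15-minute
# limit. Prelaunched and lingering sessions hold a license only while
# connected, so this limit is what bounds license and resource consumption.
Get-BrokerSessionPreLaunch -DesktopGroupName $groupName |
    Select-Object @{ n = 'Feature'; e = { 'PreLaunch' } }, Enabled, MaxTimeBeforeTerminate
Get-BrokerSessionLinger -DesktopGroupName $groupName |
    Select-Object @{ n = 'Feature'; e = { 'Linger' } }, Enabled, MaxTimeBeforeTerminate
```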
Creating a Delivery Group for Anonymous User Access
In some scenarios, administrators may want to allow non-domain users to access company resources from non-domain joined computers such as kiosks at libraries, schools and trade shows. You can configure Delivery Groups containing Server OS machines to allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Receiver.
Considerations:
• Unauthenticated user support is configured through Delivery Groups. Each machine in the Delivery Group must have a Server VDA version 7.6 or later installed and a store must be specifically configured in StoreFront for use by unauthenticated users.
• Users requiring sessions on Desktop OS machines must log on using authenticated user credentials.
• An Anonymous Users Group is created when you install the Delivery Controller.
• Some applications might still require credentials even though the StoreFront store and Citrix Receiver do not.
• Unauthenticated user accounts are created on demand when a session is launched. User accounts are named AnonXYZ, in which XYZ is a unique three-digit value.
• Unauthenticated user sessions have a default idle timeout of 10 minutes and are logged off automatically when the user device disconnects. Reconnection, roaming between user devices, and Workspace Control are not supported.
To Create a Delivery Group for Anonymous User Access
1. Log on to a machine that has Citrix Studio installed on it.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
2. Open Citrix Studio.
Double-click the Citrix Studio icon on the desktop.
3. Select the Delivery Groups node.
4. Click Create Delivery Group.
5. Click Next on the Getting started with Delivery Groups screen.
6. Select the machine catalog and the number of machines to add.
Select the Windows 2012 R2 Servers-Apps machine catalog and select 1 machine.
7. Click Next.
8. Select Applications and then click Next.
9. Add the unauthenticated (anonymous) users.
Select Give access to unauthenticated (anonymous) users; no credentials are required to access StoreFront.
10. Click Next.
11. Add the applications to the Delivery Group and then click Next.
Select Paint, and then click Next.
12. Verify that all of the details on the Summary page are correct and then specify a Delivery Group name.
Type Anonymous Access as the Delivery Group name.
13. Click Finish.
Organizing Applications in Folders
Application folders allow XenApp and XenDesktop administrators to organize applications in the Delivery Groups without affecting how users access the applications. This organization is accomplished during the creation of the Delivery Group or afterwards using Citrix Studio.
By default all applications specified in a Delivery Group are organized under the default application folder named Applications. Application folders can be nested up to five times by dragging and dropping applications and folders.
To Organize Applications in Folders
1. Log on to a machine that has Citrix Studio installed on it.
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
2. Open Citrix Studio.
Click Start, type Studio, and then click Citrix Studio.
3. Select the Delivery Groups node.
4. View the default Application organization.
Click the Applications tab, and note that Excel, PowerPoint, Word, and Paint are all listed under the default Applications folder. This complete list of applications reflects multiple Delivery Groups.
5. Create a new Application folder.
Right-click the Applications blue bar to the left of the applications list and select Create Folder. Name the new folder Productivity.
6. Organize the Office applications.
Click Show all and then drag and drop Word, Excel, and PowerPoint into the Productivity folder.
7. Verify that all Office applications are in the Productivity folder.
Click the Productivity folder and verify that Excel, PowerPoint, and Word are listed.
To Create a Delivery Group to Provide Desktops

This exercise will make Desktop OS desktops available to end users through a Delivery Group. This exercise could also be used to make Server OS desktops available to end users through a Delivery Group, although some choices may be slightly different.

1. Log on to the VM hosting Citrix Studio using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start and then click Citrix Studio.
3. Select the Delivery Groups node in the left pane.
4. Click Create Delivery Group in the right pane.
If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center pane.
5. Click Next in the Getting Started with Delivery Groups screen.
6. Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and then click Next.
Select Windows 8 Desktops, type 1 in the number of machines to add field, and then click Next.
Because of the limited storage in the lab environment, you only have a single machine available in the machine catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users in the environment.
7. Select the resource to deliver in the Delivery Type screen and then click Next.
Select Desktops and then click Next.
The choices include:
• Desktops: Allows you to provide end users with a desktop.
• Applications: Allows you to publish applications found on the master image, applications provided on an App-V server, or applications located on other network locations. You can also edit the properties of those applications.
• Desktops and Applications: Provides a combination of the previous two choices. This choice is only available for random desktops, not static desktops.
8. Click the Add users button to specify which end users can access the desktops.
9. Type the name of the end user or group, click Check Names, and then click OK.
Type Accounting in the Enter the object names to select field, click Check Names, and then click OK.
10. Verify that the appropriate end users and groups appear in the Assign users field and then click Next.
Verify that TRAINING\Accounting appears and then click Next.
11. Determine how Receiver will be configured on the machines.
Select Automatically, using the StoreFront servers selected below.
If you select Manually, end users will need to add the server address of a StoreFront server to Receiver on their virtual desktop before Receiver can be used to access resources.
12. Click Add new and then type a name for the first StoreFront server in the Name field.
Click Add new and then type SFS-1 in the Name field.
If the URLs for the StoreFront servers appear in the Receiver StoreFront URL list, you can proceed to Step 18.
13. Type a description in the Description field, type the URL for the first StoreFront server, and then click OK.
Type First StoreFront in the Description field, type https://sfs-1.training.lab in the URL field, and then click OK.
14. Click Add new.
15. Type a name for the second StoreFront in the Name field.
Type SFS-2 in the Name field.
16. Type a description in the Description field, type the URL for the second StoreFront server, and then click OK.
Type Second StoreFront in the Description field, type https://sfs-2.training.lab in the URL field, and then click OK.
17. Select the StoreFront URLs that will be used by Receiver and then click Next.
Select https://sfs-1.training.lab and https://sfs-2.training.lab and then click Next.
18. Type a name for the Delivery Group that administrators will see in the Delivery Group name field.
Type Win8-Accounting.
19. Type a name for the Delivery Group that end users will see in the Display name field.
Type Win8 Desktop.
20. Type a description for the machine that end users will see and then click Finish.
Leave the description field blank and then click Finish.
Discussion Question

You have the following machine catalogs created in Studio:
• Windows 8 Desktop OS (random)
• Windows 8 Desktop OS (static)
Each of these machine catalogs has 5 machines that have not been allocated to users using a Delivery Group. You want to allocate all of the remaining desktops to the Accounting group. How many Delivery Groups will you need to create to provide the Accounting group with these desktops?

You have the following machine catalogs created in Studio:
• Windows 2012 Server OS with Microsoft Office installed
• Windows 2012 Server OS with no apps installed
Each of these machine catalogs has 7 machines that have not been allocated to users using a Delivery Group. You want to allocate these machine catalogs to users in the Contractors group. How many Delivery Groups will you need to create to provide the Contractors group with all of the machines in these machine catalogs?
Securing Connections
Many administrators are faced with compliance with company security requirements and ensuring that all company traffic (internal and external) is secure. To ensure that communications are properly encrypted, administrators typically add certificates to Delivery Controllers, StoreFront servers, NetScaler appliances and more.

The SSL to VDA feature allows you to secure communications between users and the Virtual Delivery Agents (VDAs) with SSL. To configure SSL to VDA, you:
• Manually configure SSL on the machines containing the VDA using the Microsoft Management Console, or use the Enable-VdaSSL.ps1 PowerShell script located on the installation media. The PowerShell script configures SSL on static VDAs; it does not configure SSL on random (pooled) VDAs that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets on each restart.
• Configure SSL in the Delivery Groups containing the VDAs using the Get-BrokerAccessPolicyRule and Set-BrokerAccessPolicyRule PowerShell cmdlets in Studio.

Before you configure the SSL to VDA communications, you should be aware of the following considerations:
• SSL connections between users and VDAs are valid only for sites in XenApp 7.6 and XenDesktop 7.6 or later versions.
• SSL configuration in the Delivery Groups and on the machines containing the VDA is done after you create the Delivery site, create the machine catalogs, and create the Delivery Groups.
• Only Full Administrators have the permissions required to configure SSL in the Delivery Groups and change the Delivery Controller access rules.
• Only Windows administrators on the machines containing the VDA have the necessary permissions to configure SSL on those machines.
• If SSL Relay was installed on a machine, it must be uninstalled before installing the VDA on the machine. This is applicable to machines being upgraded from a previous version of XenApp or XenDesktop.

For more information about securing internal communications using the SSL to VDA feature, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html.
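The Delivery Group half of this configuration, as an added example that is not part of the course material: it assumes the Citrix PowerShell snap-ins installed with Studio on Controller-1 and uses the Win8-Accounting Delivery Group from the lab. The Set-BrokerSite -DnsResolutionEnabled step is not described on this page; it comes from Citrix's documented SSL to VDA configuration, because Receiver must connect to the VDA by the FQDN on the VDA's certificate rather than by IP address.

```powershell
# Added example (not from the course): require SSL for HDX connections to the
# VDAs in one Delivery Group, then read the setting back to verify it.
# Assumes the Citrix snap-ins that Studio installs and the lab's Win8-Accounting group.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$groupName = 'Win8-Accounting'

# Each Delivery Group has one or more access policy rules. HdxSslEnabled makes the
# Controller instruct Receiver to open an SSL connection to the VDA for that rule.
Get-BrokerAccessPolicyRule -DesktopGroupName $groupName |
    Set-BrokerAccessPolicyRule -HdxSslEnabled $true

# Receiver validates the VDA certificate against the name it connects to, so the
# Controller must hand out DNS names, not IP addresses, in the launch details.
Set-BrokerSite -DnsResolutionEnabled $true

# Verification: every rule for the group should now report HdxSslEnabled = True.
$rules = Get-BrokerAccessPolicyRule -DesktopGroupName $groupName
$rules | Select-Object Name, AllowedConnections, HdxSslEnabled | Format-Table -AutoSize

$unsecured = $rules | Where-Object { -not $_.HdxSslEnabled }
if ($unsecured) {
    Write-Warning ("Rules still permitting non-SSL HDX sessions: " +
                   ($unsecured.Name -join ', '))
}
if (-not (Get-BrokerSite).DnsResolutionEnabled) {
    Write-Warning 'DNS resolution is off; Receiver will connect by IP and fail certificate validation'
}
```

Running this only changes the brokering side; the VDAs themselves still need a certificate bound via the MMC or Enable-VdaSSL.ps1 as described above, and a Full Administrator account is required for the Set-Broker* calls.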
Troubleshooting XenApp and XenDesktop Resource Issues

The following table contains resolutions for XenApp and XenDesktop resource configuration issues.

Issue: Applications installed on a master image do not appear during the creation of the Delivery Group for a machine catalog.
Resolution: Verify that at least one of the newly created VMs is started and registered. Verify that the VDA was installed completely.

Issue: A red X appears next to the Delivery Controller address when testing the Controller connection.
Resolution: Type the fully qualified name of the Delivery Controller in the Test connection field during the VDA installation.

Issue: StoreFront servers do not appear during the creation of a Delivery Group even though "Automatically, using the StoreFront servers selected below" is selected.
Resolution: Use the Add new button during the creation of the Delivery Group to add the URL of each StoreFront server using the appropriate format for your environment: http://FQDN or https://FQDN.
Reinforcement Exercise: Adding Machines and Delivery Groups
During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If you have a question or get stuck, ask the instructor or a fellow student for assistance.

Now that you know how to:
• Configure a master image for Server OS machines and hosted applications.
• Configure a master image for Desktop OS machines and hosted applications.
• Create a machine catalog for hosted applications installed on Server OS machines.
• Create a machine catalog for Desktop OS machines.
• Create a Delivery Group to deliver hosted applications.
• Create a Delivery Group to deliver Desktop OS machines.

You are ready to try your hand at adding machines to an existing machine catalog and configuring a Delivery Group to provide the Contractors group with access to the new machines.

Approximate time to complete: 15 minutes

Training is growing. The hospital just hired a group of contract IT personnel. You need to provide the contractors with access to Server OS desktops so they can use them to test applications prior to making them available to hospital personnel. Here is what you need to do:

1. Add one new machine to the existing machine catalog for the Windows 2012 R2 Servers-Apps.
Because of the limited storage and memory in the lab environment, you should only add a single machine to the machine catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users in the environment.
2. Create new Active Directory accounts in the Training Virtual Desktops > Servers OU using the same account naming scheme as was previously used for the Server 2012 R2 machines.
3. Create a new Delivery Group that will provide the TRAINING\Contractors group with access to the Server OS machines in the machine catalog.
4. Configure the Delivery Group to provide the Contractors group with access to the desktop of the server, but not hosted applications.
5. Add both StoreFront servers to the Delivery Group.
6. Use Win2012R2-Contractors as the Delivery Group name.
7. Use Win2012R2 Desktop as the Display name.
Module 6
Setting Up Policies
Setting Up Policies

Overview

HDX (ICA) policy settings directly affect the efficiency of the HDX (ICA) protocol and the channels that are contained in each HDX (ICA) packet. Proper configuration of these settings ensures that the end user has an optimal work experience and that corporate mandates such as bandwidth, storage, and security are satisfied. If HDX policies are configured using Studio, they are applied only to HDX (ICA) connected XenApp and XenDesktop sessions. If HDX policies are configured using the Group Policy Management Console (GPMC), global settings will be applied to all connected XenApp and XenDesktop sessions regardless of the protocol being used. Policies are the most efficient method of controlling connection settings, security settings, bandwidth settings, and some feature settings such as Profile Management in a XenApp and XenDesktop environment. Each policy can contain multiple settings. You can work with policies through Studio or the Group Policy Management Console.
After completing this module, you will be able to:
• Configure printing policies.
• Configure Remote Assistance.
• Prioritize the policies.
• Run the Resultant Set of Policies (RSOP).
• Configure Citrix Profile Management settings.

To create policies:
1. Determine which console will be used to create or modify the policy.
If the Group Policy Management Console is used to create the policy, the policy is applied to the selected OU. If Citrix Studio is used to create the policy, the policy is applied based on the OU and the filters you configure after the policy settings are added.
2. Create the policy from scratch or by using a template.
3. Configure the settings for the policy.
4. Prioritize the policy to address conflicting policies. For example, one policy removes a printer, while another policy provides a printer. Which one should prevail? The one with the highest priority.
5. Run a Resultant Set of Policy to analyze the policies/filters/prioritization settings.

Module Timing: 2.5 hours

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• Static-PvD-01 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off
Installing the Group Policy Management Feature

The Group Policy Management Console is a tool that can be used to create, edit, and manage group policy objects, and model policies to simulate the Resultant Set of Policy. The Group Policy Management feature can be used to add the Group Policy Management Console to a non-domain controller. In order to use the Group Policy Management Console to create, edit, and manage policies provided by XenApp and XenDesktop, you must install the Group Policy Management Console on a system running Studio. Policies can also be created using Studio. If the same policy settings are configured in both the Group Policy Management Console and in Studio, the policy settings configured in the Group Policy Management Console will take precedence. An exception to this rule is the Session printer policy settings. If Session printer policy settings are configured in both consoles, the settings will be merged to produce the Resultant Set of Policy.
To Install the Group Policy Management Feature

The Group Policy Management feature has already been installed on Controller-1 (the VM hosting Citrix Studio in our lab environment). You do not need to complete this procedure in the lab environment. The steps are being provided for informational purposes only.

1. Log on to a computer hosting Citrix Studio using domain administrator credentials.
2. Click Add roles and features in the Server Manager.
3. Click Server Selection > Features in the left pane.
4. Select Group Policy Management.
5. Click Next on the Select features screen.
6. Click Install.
7. Wait for the installation to complete and then click Close.

Configuring Printing Policies

In a XenApp and XenDesktop environment, all printing is initiated (by the end user) on machines through applications. Print jobs are redirected through the network print server or endpoint to the printing device.

When a session is being established, XenApp and XenDesktop:
• Determines which printers to provide to the end user. This is known as printer provisioning.
• Restores the end-user's printing preferences.
• Determines which printer is the default for the session.

You can customize how XenApp and XenDesktop performs these tasks by configuring options for printer provisioning, print job routing, printer property retention, and driver management.

Configuring the Universal Printer Driver

The Universal Print Server uses the Universal Printer Driver. This solution enables you to use a single driver to allow network printing to any device. The Universal Printer Driver is installed when the VDA is installed on the Server OS machine or Desktop OS machine and can be configured for use using a policy. By default, the Universal Print Server uses a Universal Printer Driver only if the requested driver is unavailable. Other options include:
• Use only printer model-specific drivers: if the printer model-specific driver is unavailable, the printer will not be created.
• Use universal printing only: if a suitable universal driver is unavailable, the printer will not be created.
• Use printer model-specific drivers only if universal printing is unavailable: if a universal driver is available, it will be used; otherwise a printer model-specific driver will be used.

If the default setting works for your environment, you do not need to create a policy to configure Universal Printer Driver usage.
The following procedure is provided for informational purposes only. You do not need to configure Universal Printer Driver usage for the lab environment.
To Configure the Universal Printer Driver

1. Log on to a VM with the Group Policy Management feature and Citrix Studio installed using domain administrator credentials.
2. Click Tools in the Server Manager window and then click Group Policy Management.
3. Browse to the OU where you want to create and link the policy.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
5. Type a descriptive name in the Name field and then click OK.
6. Right-click the newly created policy and then click Edit.
7. Double-click User Configuration > Policies > Citrix Policies.
8. Click Edit to open the Unfiltered policy.
9. Click the Settings tab in the Edit Policy window.
10. Select Printing > Drivers in the Categories field.
11. Select Add to the right of the Universal printer driver usage setting.
12. Select the appropriate value from the drop-down list box and then click OK.
13. Click OK to close the Edit policy window.
14. Close the Group Policy Management Editor window.

Discussion Question

Where is the Citrix Universal Print Server software installed and how is it installed?

Where is the Citrix Universal Printer Driver installed and when is it installed?
Configuring Client Printer Auto-Creation
The Auto-create policy setting specifies the client printers that are auto-created and enables you to limit the number or type of printers that are auto-created. During printer auto-creation, if a new local printer connected to an endpoint is detected, the resource is checked for the required printer driver. By default, if a Windows-native driver is not available, the Universal Printer Driver is used. This setting overrides the default client printer auto-creation settings and takes effect only if the Client printer redirection setting is present and set to Allowed.

By default, XenApp and XenDesktop auto-creates all printers available on the endpoints. Other options include:
• Auto-create all client printers creates all printers on the endpoint. The Client printer redirection setting should also be enabled if this option is selected so client printers can be mapped. By default, the Client printer redirection setting is enabled.
• Do not auto-create client printers turns off printer auto-creation when end users log on.
• Auto-create the client's default printer only automatically creates only the printer selected as the client's default printer.
• Auto-create local client printers only automatically creates only printers directly connected to the endpoint through LPT, COM, USB, or another local port.
If the default setting works for your environment, you do not need to create a policy to configure printer auto-creation.
At the start of an end-user session, XenApp and XenDesktop auto-creates all printers available on the endpoint, by default. Locally attached printers (e.g. USB) as well as network-based printers (e.g. via a print server) can be connected to the endpoint. This process is also referred to as local printer mapping. In environments with a large number of printers per end user, you should only auto-create the default printer. Auto-creating a smaller number of printers creates less overhead (memory/CPU) and can reduce end-user logon times.
To Modify the Printer Auto-Creation Behavior

1. Log on to a VM with the Group Policy Management feature and Citrix Studio installed using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in the Server Manager window and then click Group Policy Management.
The Group Policy Management console may open behind the Server Manager window.
3. Browse to the OU where you want to create and link the policy.
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
Right-click Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.
5. Type a descriptive name for the policy in the Name field and then click OK.
Type Print Settings and then click OK.
6. Right-click the newly created policy and then click Edit.
Right-click Print Settings and then click Edit.
7. Double-click User Configuration > Policies > Citrix Policies.
8. Click Edit to open the Unfiltered policy.
9. Click the Settings tab in the Edit Policy window.
10. Select Printing in the Categories field.
11. Click Add to the right of the Auto-create client printers setting.
12. Select the appropriate value and then click OK.
Select Auto-create the client's default printer only and then click OK.
13. Click OK to close the Edit Policy window.
14. Close the Group Policy Management Editor window.

Discussion Question

How is the default printer determined for a session?
Configuring Session Printers

The Session printers setting enables administrators to control the assignment of network printers so that administratively assigned printers are created within each session and presented to the end user, based on the location of the endpoint (also known as proximity printing). Network printers created with the Session printers policy setting in Citrix Studio can vary according to where the session was initiated by using filters based on geographic indicators such as IP address or client name. For example, you can filter Session printer policies by IP address to enable end users within a specified IP address range to automatically access the network printing devices that exist within that same range. When proximity printing is configured and an employee travels from one department to another, no additional printing device configuration is required. Once the endpoint is recognized within the IP address range of the new department, it will have access to all network printers within that range. Proximity printing is provided by the Citrix Universal Printer Driver.

Session printers are an optimal configuration for scenarios where:
• Users roam between locations using the same endpoint (e.g. a laptop).
• Thin clients are used, which do not have the ability to connect to network-based printers directly.
• Specific printers are required to fulfill corporate policy, such as assigning a fax printer to all end users.
Printer provisioning is typically handled dynamically. That is, the printers that appear in a session are not predetermined and stored, rather they are assembled, based on policies, as the session is built during log on and reconnection. As a result, the printers can change according to policy, end-user location, and network changes, provided they are reflected in policies. Thus, end users who roam to a different location might see different printers. For example, if a health care worker disconnects from an endpoint in the emergency room of a hospital and then logs on to an endpoint in the X-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect at the session startup. By default, printers are available in sessions by creating all printers configured on the endpoint automatically, including locally attached and network printers. This policy can also be created using the Group Policy Management Console, but is being performed in Citrix Studio to demonstrate how policies are created in Citrix Studio. Administrators that do not have permission to create policies in Active Directory can create policies using Citrix Studio.
To Configure Session Printer Settings

Ensure that a Print Server with printers defined on it is started.
Right-click the UniversalPrintServer-1 VM and then click Start, if not already started.

1. Log on to a VM with Citrix Studio installed on it using your domain credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type Studio, and then click Citrix Studio.
3. Click the Policies node in Citrix Studio and then click Close to close the Welcome screen.
4. Click Create Policy in the right pane of the console.
5. Select Printing in the All Settings field.
6. Click Select to the right of the Session printers setting.
This setting identifies the network printer to be auto-created in a session. You can add printers to the list, edit the settings of a list entry, or remove a printer from the list. The printers listed are merged with any other "Session printers" settings applied in other policies.
7. Click Add in the Edit Setting window.
8. Type the UNC path to the Print Server.
Type \\UPS-1.
9. Click Browse.
10. Browse to the printer location on the Print Server, select the desired printer, and then click OK twice.
Double-click Entire Network > UPS-1, select Color Laser Printer, and then click OK twice.
11. Click OK to close the Edit Setting window.
12. Click Next in the Select settings window.
13. Determine to which objects the policy will be assigned and then click Assign to the right of the filter.
Click Assign to the right of the Client IP address filter.
14. Type the IP address range in the IP address field, determine if the IP addresses within the specified range will be allowed or denied access, and then click OK.
Verify Allow is selected in the Mode field, type 192.168.10.60-192.168.10.80 in the IP address field, and then click OK.
Upon session initialization, the session printer will be created for any resource accessed by an endpoint within the specific address range. In our lab environment, this will create the printer for those IP addresses, but it will not enable proximity printing because we do not have multiple subnets and DHCP scopes to demonstrate the feature with. When specifying an IP address range, do not add any spaces between the starting IP address, the hyphen, and the ending IP address.
15. Click Next in the Assign policy to user and machine objects window.
16. Type a name and description for the policy and then click Finish.
Type Session Printers in the Policy name field, type Assigns Color Laser Printer to 192.168.10.60 - 192.168.10.80 in the Description field, and then click Finish.
17. Click Session Printers in Citrix Studio and then click each of the tabs (Overview, Settings, and Assigned to) to view information about the policy.

Discussion Question

Which configurations must be in place in order to enable proximity printing?
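As an added example that is not part of the course, the following PowerShell applies the inclusive start-end comparison that a Client IP address filter such as the lab's 192.168.10.60-192.168.10.80 expresses, so you can predict which endpoints will receive the session printer before the policy goes live. The function names are hypothetical, and the assumption that Studio's filter is a plain numeric IPv4 range match is ours; the whitespace check enforces the formatting rule stated above.

```powershell
# Added example (not from the course): predict which client IP addresses match a
# Session printers policy's Client IP address filter range. Function names are
# hypothetical; Studio's filter is assumed to be an inclusive numeric IPv4 range.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    $bytes = $ip.GetAddressBytes()   # network (big-endian) byte order
    [Array]::Reverse($bytes)         # BitConverter reads little-endian on x86/x64
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-ClientIPInFilterRange {
    param(
        [Parameter(Mandatory)][string]$ClientIP,
        [Parameter(Mandatory)][string]$Range    # "start-end", no spaces
    )
    # The course warns against spaces around the hyphen; fail loudly instead of
    # producing a filter that silently matches nothing.
    if ($Range -match '\s') {
        throw "Range '$Range' contains whitespace; use start-end with no spaces"
    }
    $parts = $Range -split '-'
    if ($parts.Count -ne 2) { throw "Range must be start-end: $Range" }
    $start = ConvertTo-IPv4Number $parts[0]
    $end   = ConvertTo-IPv4Number $parts[1]
    if ($start -gt $end) { throw "Range start is above its end: $Range" }
    $client = ConvertTo-IPv4Number $ClientIP
    return ($client -ge $start -and $client -le $end)
}

# Constructed sample endpoints checked against the lab's filter range.
$labRange = '192.168.10.60-192.168.10.80'
foreach ($endpoint in '192.168.10.60', '192.168.10.75', '192.168.10.81', '192.168.11.70') {
    if (Test-ClientIPInFilterRange -ClientIP $endpoint -Range $labRange) {
        '{0,-15} in range: Color Laser Printer is created in the session' -f $endpoint
    } else {
        '{0,-15} outside range: this policy adds no session printer' -f $endpoint
    }
}
```

With the lab range, 192.168.10.60 and 192.168.10.75 match while 192.168.10.81 and 192.168.11.70 do not, which is why a single subnet cannot demonstrate proximity printing moving between departments.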
Optimizing Print Job Routing
In a XenApp and XenDesktop environment, you can control how print jobs destined for network printers are routed using policies. Jobs can take two paths to a network printing device, the client printing pathway or the network printing pathway. If the job is being routed to the endpoint, the print job is sent using the HDX (ICA) protocol (client printing pathway). If the job is being routed directly to the print server, the print job is sent using RPC over SMB (network printing pathway). If you want to manage printing bandwidth or compression, the print job must be sent using the HDX (ICA) protocol. There is no Citrix policy that controls the bandwidth or compression when a print job is sent using Microsoft's network printing.
The client printing pathway (dashed line) takes a print job from the virtual desktop using a virtual channel in the HDX protocol and sends it to the endpoint where it is removed from the HDX packet and forwarded via TCP/IP onto the print server. This behavior must be configured in a policy. If it is not configured, XenApp and XenDesktop routes the print jobs directly to the print server (solid line). Routing jobs along the network printing pathway (solid line) is ideal for fast local networks and when you want users to have the same end-user experience that they have on their local endpoint (that is, when you want the printer names to appear the same in every session). However, print jobs relayed using the network printing pathway are not suitable for WANs unless the job is being routed to a Universal Print Server, which compresses the job by up to 90%. The routing of print jobs to a non-Universal Print Server using the network printing pathway uses more bandwidth than using the client printing pathway. Consequently, end users might experience latency while the print jobs are printing over the WAN when a non-Universal Print Server is being used. Also, the print job traffic from the server to the print server is treated as regular network traffic, competing with normal HDX (ICA) traffic. When printing across a WAN, you should keep the printer traffic in the HDX (ICA) packet printer channel when printing to a non-Universal Print Server. If XenApp and XenDesktop and the print server are on different domains, XenApp and XenDesktop automatically routes the print job through Receiver (client printing pathway).

HDX (ICA) can use multiple virtual channels. When print jobs are delivered over an HDX (ICA) virtual channel, other virtual channels (such as video) may compete for bandwidth, leading to decreased performance. To prevent this, you can create a policy to manage the printer bandwidth in the virtual channel. Printer bandwidth limits can be set using the following settings:
• The Printer redirection bandwidth limit setting specifies the fixed bandwidth that is used for printing in kilobits per second (kbps).
• The Printer redirection bandwidth limit percent setting specifies a percentage of the available bandwidth that is used for printing.
The printing virtual channel will consume bandwidth only when a print job is being sent.
Optimizing Printing Performance

The following practices can improve printing performance:
• Use a Universal Print Server and a Universal Printer Driver.
• Lower the image quality. The default setting is Standard quality. In environments where image quality is crucial, lowering the image quality may not be an option.
• Enable heavyweight compression.
• Ensure that Image Caching and Font Caching settings are enabled. This is the default setting.
To Optimize Printing

1. Log on to a VM with the Group Policy Management feature and Citrix Studio installed using domain administrator credentials.
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in the Server Manager window and then click Group Policy Management.
3. Browse to the OU where you want to create and link the policy.
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
4. Right-click the OU or right-click an existing policy and then click Edit.
Right-click the Print Settings policy and then click Edit.
You created the Print Settings policy earlier in this module. If you do not see the policy, right-click the Training Virtual Desktops OU and click Refresh.
5. Double-click User Configuration > Policies > Citrix Policies.
6. Click Edit to open the Unfiltered policy.
7. Click the Settings tab in the Edit Policy window.
8. Select Printing from the Categories field.
9. Click Add to the right of the Universal printing optimization defaults setting.
10. Configure the desired settings and then click OK.
a. Verify that Standard quality is selected in the Desired image quality field.
b. Select Enable heavy weight compression.
c. Verify that Allow caching of embedded images is selected.
d. Verify that Allow caching of embedded fonts is selected.
e. Click OK.
11. Click OK to close the Edit Policy window.
12. Close the Group Policy Management Editor and Group Policy Management Console windows.
Discussion Question

Print jobs sent along the client printing pathway use less bandwidth than print jobs sent along the network printing pathway. If this is true, why might end users experience latency in their XenApp and XenDesktop sessions when print jobs are printing using the client printing pathway?
ot
N
Configuring Remote Assistance
Windows Remote Assistance allows an administrator to monitor and control another end-user's session remotely. It is most commonly used to troubleshoot issues on endpoints. Windows Remote Assistance is always installed during the installation of Director, but is disabled and should remain disabled for security purposes. In addition, Remote Assistance is installed during the installation of the VDA on machines. TCP port 3389, which is used by Remote Assistance, is opened on the firewall during the VDA installation.
In order for IT administrators, Help Desk personnel, and others to initiate Windows Remote Assistance using the Shadow button in Director, you must enable Remote Assistance using a policy and grant the appropriate administrator groups the required permissions using a Group Policy Object.
In XenApp 6.5 and earlier, administrators set policies to control ICA-based user-to-user shadowing. Those policies have been removed. In this release of XenApp and XenDesktop, Windows Remote Assistance replaces that functionality. For shadowing to work, you must configure the Remote Assistance feature on every machine that will be used to remotely assist end users. This feature is configured within the lab environment.
To Configure Remote Assistance Permissions
1. Log on to a VM with the Group Policy Management feature installed using domain administrator credentials.
   Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in Server Manager and then click Group Policy Management.
3. Browse to the OU where you want to create and link the policy.
   Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
4. Right-click the OU and then click Create a GPO in this domain, and Link it here.
   Right-click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.
5. Type a descriptive name in the Name field and click OK.
   Type Remote Assistance in the Name field and then click OK.
6. Right-click the newly created policy and then click Edit.
   Right-click the Remote Assistance policy and then select Edit.
7. Double-click Computer Configuration > Policies > Administrative Templates > System and then double-click Remote Assistance.
8. Double-click the Configure Offer Remote Assistance setting and then select Enabled.
9. Specify the level of remote control that will be provided to the helpers.
   Verify Allow helpers to remotely control the computer is selected in the Permit remote control of this computer drop-down menu.
10. Click Show.
11. Type the domain users (domain\username) and domain user groups (domain\group) that will have permission to remotely control endpoints and then click OK.
    a. Type TRAINING\HelpDesk in the Value field.
    b. Press Tab.
    c. Type TRAINING\XenDesktop Admins.
    d. Press Tab.
    e. Type TRAINING\Domain Admins.
    f. Click OK.
12. Click OK to close the Configure Offer Remote Assistance window.
13. Close the Group Policy Management Editor and Group Policy Management Console windows.
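The check below is an added example, not part of the Citrix course material, for confirming on a VDA that the Configure Offer Remote Assistance policy from the procedure above actually landed and reviewing who it lets shadow sessions. It assumes the policy is written to the fAllowUnsolicited and fAllowUnsolicitedFullControl values under the Terminal Services policy key with helpers stored under its RAUnsolicit subkey, and it assumes a hypothetical allow-list ($ExpectedHelpers) for the environment. Run it on a machine that has received the policy (after gpupdate /force).

```powershell
# Added example (not Citrix code): verify the effective Offer Remote Assistance
# policy on a VDA and flag helpers that are not on the agreed list.
# Assumptions: registry locations below are where the GPO setting is written;
# $ExpectedHelpers is a hypothetical allow-list matching the lab's policy.
$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ExpectedHelpers = @('TRAINING\HelpDesk', 'TRAINING\XenDesktop Admins', 'TRAINING\Domain Admins')

function Get-OfferRemoteAssistanceState {
    $policy    = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $helperKey = Join-Path $PolicyKey 'RAUnsolicit'
    $helpers   = @()
    if (Test-Path $helperKey) {
        # The Show dialog stores one registry value per helper; read the value data.
        $item    = Get-Item $helperKey
        $helpers = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]@{
        OfferEnabled = [bool]($policy.fAllowUnsolicited -eq 1)
        FullControl  = [bool]($policy.fAllowUnsolicitedFullControl -eq 1)
        Helpers      = $helpers
    }
}

function Test-OfferRemoteAssistanceState {
    param([pscustomobject]$State, [string[]]$Allowed)
    $problems = @()
    if (-not $State.OfferEnabled) { $problems += 'Offer Remote Assistance is not enabled; the Director Shadow button will fail.' }
    if ($State.Helpers.Count -eq 0) { $problems += 'No helpers configured; nobody can shadow this machine.' }
    # Every helper can take full control of any user's session on this machine,
    # so anything outside the agreed list deserves a second look.
    foreach ($h in $State.Helpers) {
        if ($Allowed -notcontains $h) { $problems += "Unexpected helper: $h" }
    }
    # Remote Assistance uses TCP 3389; the VDA installer opens it, so confirm the
    # inbound rule is still enabled rather than assuming it.
    $rule = Get-NetFirewallRule -DisplayGroup 'Remote Assistance' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    if (-not $rule) { $problems += 'No enabled inbound Remote Assistance firewall rule found.' }
    return $problems
}

$state = Get-OfferRemoteAssistanceState
$state | Format-List
Test-OfferRemoteAssistanceState -State $state -Allowed $ExpectedHelpers
```

An empty result from Test-OfferRemoteAssistanceState means the machine is in the state the lab expects. In production, trim the allow-list to the help-desk group: a helper entry is effectively an interactive-session takeover right, and broad groups such as Domain Admins rarely need it.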
Discussion Question
You enabled the "Configure Offer Remote Assistance" setting for the OU containing the virtual desktops and added the HelpDesk, XenDesktop Admins, and Domain Admins groups to the policy as directed. In addition, the VDA has been installed on all of the master images used to create the Desktop OS and Server OS machines in the environment. Your manager calls you directly and asks for your help. You use a Web browser to access Director and attempt to Shadow the session, but you get an error. What could be causing the issue?
Prioritizing the Policies
Over time, policies will accrue in an environment. Sometimes these policies will conflict. When a conflict occurs, the priority of the policy will dictate which settings will prevail.
When working in an environment with multiple policies, you need to determine how to prioritize them, how to create exceptions, and how to view the effective settings when policies conflict. In general, policies override similar settings configured for the entire site, for specific controllers, or on the endpoint.
Policies are processed in the following order:
1. End user logs on to an endpoint using domain credentials.
2. Credentials are sent to the domain controller.
3. AD applies all policies (user, device, organizational unit, and domain).
4. End user logs on and accesses a XenApp and XenDesktop resource.
5. Citrix and Microsoft policies are processed for the end user and endpoint.
6. AD determines precedence for policy settings and applies them to the registries of the endpoint and the XenApp and XenDesktop machine.
7. End user logs off of the hosted resource. Citrix (HDX) policies for the end user and the end-user's endpoint are no longer active.
8. The end user logs off the endpoint, which releases the GPO user policies.
9. The end user powers down the device, which releases the GPO computer policies.
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. The process used to evaluate policies is as follows:
1. When an end user logs on, all policies that match the assignments for the connection are identified.
2. The identified policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy.

You prioritize policies by changing the priority number. By default, new policies are given the lowest priority. If policy settings conflict, the setting in the policy with a higher priority (a priority number of 1 is the highest) overrides the setting in a policy with a lower priority. Settings not configured in a policy are ignored. If a setting is configured in a lower-ranking policy and not configured in a higher-ranking policy, then the setting in the lower-ranking policy will take effect. In the Group Policy Management Console, the priority of multiple policies bound to the same OU can be modified.
When you create policies for groups of end users, endpoints, or servers, you may find that some members of the group require exceptions to some policy settings. You can create exceptions by:
• Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the policy for the entire group.
• Using the Deny mode for an assignment added to the policy.

An assignment with the mode set to Deny applies a policy only to connections that do not match the assignment criteria. For example, a policy contains the following assignments:
1. Assignment A is a Client IP address assignment that specifies the range 208.77.88.* and the mode is set to Allow.
2. Assignment B is a User assignment that specifies a particular end-user account and the mode is set to Deny.

The policy is applied to all end users who log on to the farm with IP addresses in the range specified in Assignment A. However, the policy is not applied to the end user logging on to the farm with the user account specified in Assignment B, even though the end-user's endpoint is assigned an IP address in the range specified in Assignment A.
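The script below is an added example, not Citrix code, that models the two rules described above: assignment matching (including a Deny assignment that excludes an otherwise matching connection) and merging of settings by priority number, where an unconfigured setting in a higher-ranked policy lets the lower-ranked policy's value through. Policy names, settings and the two sample connections are constructed for illustration. One combination rule is an assumption of this model and is not stated on the page: when a policy has Allow assignments of more than one type, the connection must match at least one assignment of each type.

```powershell
# Added example (not Citrix code): model Citrix policy assignment matching and
# priority-based merging. All policy and connection data below is constructed.
function Test-AssignmentMatch {
    param($Assignment, $Connection)
    switch ($Assignment.Type) {
        'ClientIP' { return ($Connection.ClientIP -like $Assignment.Value) }   # e.g. 208.77.88.*
        'User'     { return ($Connection.User -eq $Assignment.Value) }
        default    { return $false }
    }
}

function Test-PolicyApplies {
    param($Policy, $Connection)
    if (-not $Policy.Assignments) { return $true }                  # Unfiltered policy
    foreach ($a in $Policy.Assignments) {                            # Any matching Deny excludes
        if ($a.Mode -eq 'Deny' -and (Test-AssignmentMatch $a $Connection)) { return $false }
    }
    # Assumption: at least one Allow assignment of each type must match.
    foreach ($group in ($Policy.Assignments | Where-Object Mode -eq 'Allow' | Group-Object Type)) {
        $matched = $false
        foreach ($a in $group.Group) { if (Test-AssignmentMatch $a $Connection) { $matched = $true } }
        if (-not $matched) { return $false }
    }
    return $true
}

function Resolve-EffectiveSettings {
    param([object[]]$Policies, $Connection)
    $effective = [ordered]@{}
    # Priority 1 is highest; walk in that order and keep the first value seen for each setting.
    $applicable = $Policies | Where-Object { Test-PolicyApplies $_ $Connection } | Sort-Object Priority
    foreach ($p in $applicable) {
        foreach ($name in $p.Settings.Keys) {
            if (-not $effective.Contains($name)) {
                $effective[$name] = [pscustomobject]@{ Setting = $name; Value = $p.Settings[$name]; From = $p.Name }
            }
        }
    }
    return $effective.Values
}

# Constructed sample policies (hypothetical names and settings).
$policies = @(
    [pscustomobject]@{ Name = 'Finance local drives'; Priority = 1
        Assignments = @([pscustomobject]@{ Type = 'User'; Value = 'TRAINING\alice'; Mode = 'Allow' })
        Settings    = @{ 'Client drive redirection' = 'Allowed' } }
    [pscustomobject]@{ Name = 'Office network'; Priority = 2
        Assignments = @([pscustomobject]@{ Type = 'ClientIP'; Value = '208.77.88.*';   Mode = 'Allow' },
                        [pscustomobject]@{ Type = 'User';     Value = 'TRAINING\bob'; Mode = 'Deny' })
        Settings    = @{ 'Session reliability' = 'Enabled' } }
    [pscustomobject]@{ Name = 'Unfiltered'; Priority = 3; Assignments = @()
        Settings    = @{ 'Client drive redirection' = 'Prohibited'; 'Auto-create client printers' = 'Enabled' } }
)

$connections = @(
    [pscustomobject]@{ User = 'TRAINING\alice'; ClientIP = '208.77.88.10' },
    [pscustomobject]@{ User = 'TRAINING\bob';   ClientIP = '208.77.88.11' }
)
foreach ($conn in $connections) {
    "--- $($conn.User) from $($conn.ClientIP)"
    Resolve-EffectiveSettings -Policies $policies -Connection $conn | Format-Table -AutoSize
}
```

For alice the exception policy wins Client drive redirection (Allowed), while the printer setting she never had an exception for still comes from the Unfiltered policy. For bob the Deny assignment removes the Office network policy entirely even though his IP is in the allowed range, so Session reliability is absent from his result and Client drive redirection stays Prohibited.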
Changing the Priority of the Policy
You can use multiple policies to customize the environment to meet end-users' needs based on their job functions, geographic locations, or connection types. Sometimes the settings in one policy conflict with the settings in another policy. For example, for security reasons you may need to place restrictions on end-user groups who regularly work with highly sensitive data. You can create a policy that prevents all end users from saving sensitive files on their local client drives. However, if some people in the end-user group need access to their local drives, you can create another policy for only those end users.
You can rank or prioritize the policies to control which one takes precedence. Settings in policies with a higher priority take precedence over conflicting settings in policies with a lower priority. When using multiple policies that contain conflicting settings, you need to know how to prioritize them.
You can change the priority of a policy in Citrix Studio by selecting the Policy node, selecting the policy in the Policies pane, and then selecting the Higher Priority or Lower Priority option in the Actions pane on the right.
To Change the Priority of a Policy
1. Log on to a VM with the Group Policy Management feature and Citrix Studio installed using domain administrator credentials.
   Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in Server Manager and then click Group Policy Management.
3. Browse to the OU where you want to prioritize the policies.
   Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
   The policies attached to the OU appear in the right pane.
4. Select the policy in the right pane in the Linked Group Policy Objects tab whose priority needs to be changed.
   Select the Remote Assistance policy.
5. Select the up or down arrow to the left of the list of policies to increase or decrease the priority of the policy.
   Select the up arrow on the left side of the policies list to increase the priority of the Remote Assistance policy. This is only being done to illustrate how to change the priority of policies. Moving this policy will have no effect, because none of the policies have conflicting settings.
6. Close the Group Policy Management Console.
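The same change can be made and verified from PowerShell, which is useful when you want the link order recorded in a script rather than clicked in the console. This is an added example, not part of the course; it assumes the GroupPolicy module (RSAT) is installed on the machine and that the Training Virtual Desktops OU has the distinguished name shown.

```powershell
# Added example (not Citrix code): read and change GPO link order on an OU.
# Assumes the GroupPolicy module is available and the OU DN below is correct.
Import-Module GroupPolicy
$ou = 'OU=Training Virtual Desktops,DC=training,DC=lab'

function Get-OuGpoLinkOrder {
    param([string]$Target)
    # Link order 1 has the highest precedence (it is processed last, so it wins conflicts).
    (Get-GPInheritance -Target $Target).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced
}

'Before:'
Get-OuGpoLinkOrder -Target $ou | Format-Table -AutoSize

# Equivalent of pressing the up arrow until the GPO sits at the top of the list.
Set-GPLink -Name 'Remote Assistance' -Target $ou -Order 1 | Out-Null

'After:'
Get-OuGpoLinkOrder -Target $ou | Format-Table -AutoSize
```

Note that an Enforced link is not subject to this ordering: it overrides links on child OUs regardless of their order, so check the Enforced column before assuming that order alone explains a conflict.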
Discussion Question
One of your team members created an unfiltered policy that enables the integration of locally installed applications on the desktops of Server OS and Desktop OS machines and linked it to the OU containing all virtual desktops. When end users launch one of these locally-installed applications using the desktop shortcut, the application appears to be running on the virtual desktop even though it is running on the local device. Members of the Accounting department are utilizing the Bring Your Own Computer (BYOC) initiative at work. The Accounting manager wants to remove locally-installed application integration for members of the Accounting department. What can you do to accomplish this?
Running the Resultant Set of Policy
When multiple policy settings are configured in an environment, it can be difficult to determine the effect of those settings on a resource or end user. You can model the outcome of the policy settings on a connection using the Citrix Group Policy Modeling Wizard. With the Citrix Group Policy Modeling Wizard, you can specify conditions for a connection scenario such as domain controller, end users, Citrix policy assignment evidence values, and simulated environment settings such as a slow network connection. The report that the wizard produces lists the policies that would likely take effect in the scenario. The Citrix Group Policy Modeling Wizard can be run from Studio and from the Group Policy Management Console. If you created policies using:
• Studio only, you should use the Citrix Group Policy Modeling Wizard from Studio.
• Studio and the Group Policy Management Console, you should use the Citrix Group Policy Modeling Wizard from Studio.
• Group Policy Management Console only, you should use the Citrix Group Policy Modeling Wizard from the Group Policy Management Console.
To Create a Resultant Set of Policy Using the Group Policy Management Console
1. Log on to a Delivery Controller with administrator credentials.
   Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in Server Manager.
3. Click Group Policy Management.
4. Expand the Forest node.
   Expand the Forest: training.lab node.
5. Right-click Citrix Group Policy Modeling and then click Citrix Group Policy Modeling Wizard.
6. Click Next in the Welcome screen.
7. Specify the domain controller that will process the Resultant Set of Policy.
   Click Next to use AD.training.lab.
8. Specify the OU containing the end users or computers you want to model and then click OK.
   a. Click Browse to the right of Container in the Computer Information field.
   b. Double-click Training > Training Virtual Desktops > Servers.
   c. Click OK.
9. Click Next on the User and Computer Selection screen.
10. Specify the filter criteria to use and then click Next.
    Click Next.
11. Specify the advanced simulation options and then click Next.
    Click Next.
12. Click Run.
13. Click Close in the Completing screen to view the report.
14. Review the policy modeling report to determine which policies were applied and have an effect on the selected end users or computers.
15. Close the modeling results window.
Discussion Question
You opened the Group Policy Management Console, but cannot find the Citrix Group Policy Modeling wizard. What might be the issue?
Troubleshooting Policies
The following table provides resolutions for policy issues.

Issue: A new policy does not get applied.
Resolution: Run the gpupdate /force command to process and apply all group policies to a computer or end user.

Issue: Hosted applications and desktops launched under conditions that match the policy evaluation criteria are not affected by any policy settings.
Resolution: Verify that:
• The policies that you want to apply to those connections are enabled.
• The policies have the appropriate settings configured.
• A policy with conflicting settings does not have a higher priority.
• Policy settings configured in Group Policy Management are not overriding the settings in a policy created in Studio.
Setting Up Citrix Profile Management
End-user profiles contain properties and settings for each end user accessing resources using XenApp and XenDesktop. When end users access a resource (desktop or application), their profile is loaded. You can elect to use a third-party profile management solution, Group Policy Objects, or Citrix Profile Management to configure profile settings. In this version of XenApp and XenDesktop, Citrix Profile Management is integrated into XenApp and XenDesktop as policy settings. Citrix Profile Management provides 78 policy settings that allow you to finely control your end-user profiles. Earlier in the course, you configured folder redirection. It is common to use both folder redirection and Citrix Profile Management in an environment.

To Configure a Profile Management Share
1. Log on to the file server using domain administrator credentials.
   Log on to FileServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Server Manager and then click File and Storage Services.
3. Click Shares and then click Tasks > New Share.
4. Verify SMB Share - Quick is selected and then click Next.
5. Select the volume that will host the profile management share and then click Next.
   Select E: in the Volume column and then click Next.
6. Type a name for the profile management share and then click Next.
   Type UPM$ in the Share name field and then click Next.
7. Configure the share settings and then click Next.
   Deselect Allow caching of share, select Enable access-based enumeration, and then click Next.
   Access-based enumeration displays only the files and folders that an end user has permissions to access.
8. Click Customize permissions.
9. Click Disable inheritance and then click Remove all inherited permissions from this object.
10. Click Add to add permissions.
11. Click Select a principal and then type System in the Enter the object name to select field.
    The System account is used by the operating system and Windows services.
12. Click Check Names and then click OK.
13. Select Full Control for the Basic permissions and then click OK.
14. Click Add and then click Select a principal.
15. Type Domain Admins in the Enter the object name to select field.
16. Click Check Names and then click OK.
17. Select Full Control for the Basic permissions and then click OK.
18. Click Add and then click Select a principal.
19. Type Creator Owner in the Enter the object name to select field.
20. Click Check Names and then click OK.
21. Select Subfolders and files only in the Applies to field, select Full Control for the Basic permissions, and then click OK.
22. Click Add and then click Select a principal.
23. Type Everyone in the Enter the object name to select field.
24. Click Check Names and then click OK.
25. Select This folder only in the Applies to field.
26. Click Clear all to clear all permissions and then click Show advanced permissions.
27. Select the following advanced permissions for the account:
    • Traverse folder / execute file
    • List folder / read data
    • Read attributes
    • Create folders / append data
28. Click OK to add the permissions and then click OK to close the Advanced Security Settings for the share.
    You are setting the permissions on the share such that end users can access their own folders only, and new folders can be created for new end users dynamically. For more information, see http://support.microsoft.com/kb/274443.
29. Click Next and then click Create.
30. Click Close when the process is completed.
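The following is an added example, not part of the Citrix course, that builds the same share and NTFS ACL from PowerShell on the file server and then reads the result back so it can be compared with the steps above. It assumes E:\UPM as the folder behind UPM$ and share-level Full Control for Authenticated Users (the share permission the wizard leaves is not restated on the page; the NTFS ACL is what actually restricts access).

```powershell
# Added example (not Citrix code): create the UPM$ share and the NTFS ACL from
# the procedure. Assumptions: folder E:\UPM; share permission Full Control for
# Authenticated Users, with NTFS providing the real per-user restriction.
$Path      = 'E:\UPM'
$ShareName = 'UPM$'

function New-ProfileStoreFolder {
    param([string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $acl = Get-Acl -Path $Folder
    # Disable inheritance and drop inherited entries (steps 9-10), then remove any
    # explicit entries so the ACL contains only what we add below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }

    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $subtree = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.InheritanceFlags]::None
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly   # "Subfolders and files only"
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # SYSTEM and Domain Admins: Full Control on this folder, subfolders and files.
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',     $full, $subtree, $prop,    $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('TRAINING\Domain Admins', $full, $subtree, $prop,    $allow)
        # CREATOR OWNER: Full Control on subfolders and files only, so the user who
        # creates a profile folder owns it and nobody else can read it.
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER',          $full, $subtree, $inhOnly, $allow)
        # Everyone: this folder only; traverse, list, read attributes and create a
        # subfolder, which is just enough for Profile Management to create a new
        # user's folder and nothing more (step 27).
        New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone',
            [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, CreateDirectories',
            $none, $prop, $allow)
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Folder -AclObject $acl
}

function New-ProfileStoreShare {
    param([string]$Folder, [string]$Name)
    # No offline caching and access-based enumeration, as in step 7.
    New-SmbShare -Name $Name -Path $Folder -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased -CachingMode None | Out-Null
}

New-ProfileStoreFolder -Folder $Path
New-ProfileStoreShare  -Folder $Path -Name $ShareName

# Read the result back and compare it with steps 11-28.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode, CachingMode
```

The CREATOR OWNER entry is what makes this design work: the first logon creates the user's folder under Everyone's create-subfolder right, and the inherit-only Full Control then belongs to that user alone. If someone later adds a broad Read entry at the share root "to troubleshoot", every profile on the share becomes readable, so re-run the read-back part of the script after any change.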
To Configure the Profile Management Settings
This procedure only implements a few of the policy settings. You should evaluate your end-user and environmental requirements and configure your profile management settings accordingly. For more information about properly configuring Profile Management, see http://blogs.citrix.com/ and search for "Citrix Profile Management and VDI". Include the quotes in the search to limit the search results.
1. Log on to a VM with the Group Policy Management feature and Citrix Studio installed using domain administrator credentials.
   Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in the Server Manager window and then select Group Policy Management.
3. Browse to the OU containing the desktops to create a policy to enable Citrix Profile Management.
   You want a set of common profile settings to apply to both Server OS and Desktop OS machines and custom profile settings for Server OS and Desktop OS machines so the profiles for the end users will go to different sub-directories.
   Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
4. Right-click the OU containing the virtual desktops and then click Create a GPO in this domain, and Link it here.
   Right-click Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.
5. Type a name for the policy and then click OK.
   Type Citrix Profile Management - Common Settings in the Name field and then click OK.
6. Right-click the newly created policy and then click Edit.
   Right-click Citrix Profile Management - Common Settings and then click Edit.
7. Double-click Computer Configuration > Policies > Citrix Policies.
8. Click Edit and then click the Settings tab to edit the unfiltered policy.
9. Select Profile Management > Basic settings in the Categories field.
10. Determine if Profile Management should be enabled and then click OK.
    Click Add to the right of the Enable Profile management setting, select Enabled, and then click OK.
    By default, to facilitate deployment, Profile Management does not process logons or logoffs. You can turn on processing by enabling a policy setting. If the policy setting is not configured, the value from the .ini file is used. If the policy setting is not configured here or in the .ini file, Profile Management does not process Windows end-user profiles in any way.
11. Determine if you want to enable Active write back and then click OK.
    Click Add to the right of the Active write back setting, select Enabled, and then click OK.
    With active write back:
    • Files and folders (but not Registry entries) that are modified can be synchronized to the end-user store in the middle of a session, before the end user logs off.
    • If this setting is not configured here, the value from the .ini file is used.
    • If this setting is not configured here or in the .ini file, active write back is disabled.
12. Select Profile Management > Streamed user profiles in the Categories field.
13. Determine if end-user profiles will be streamed and then click OK.
    Click Add to the right of the Profile streaming setting, select Enabled, and then click OK.
    With profile streaming:
    • End-user profiles are synchronized on the local computer only when they are needed.
    • Registry entries are cached immediately, but files and folders are only cached when accessed by end users.
14. Click OK in the Edit Policy window.
15. Close the Group Policy Management Editor.
16. Browse to the OU containing Desktop OS machines.
    Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops > Desktops in the Group Policy Management Console.
17. Right-click the OU for the Desktop OS machines and then click Create a GPO in this domain, and Link it here.
    Right-click Desktops and then click Create a GPO in this domain, and Link it here.
18. Type a name for the policy and then click OK.
    Type Citrix Profile Management - Desktops path to user store in the Name field and then click OK.
19. Right-click the newly created policy and then click Edit.
    Right-click Citrix Profile Management - Desktops path to user store and then click Edit.
20. Double-click Computer Configuration > Policies > Citrix Policies.
21. Click Edit and then click the Settings tab to edit the unfiltered policy.
22. Select Profile Management > Basic settings in the Categories field.
23. Specify the path to the user store for end users of Desktop OS machines.
    a. Click Add to the right of the Path to user store setting.
    b. Verify that Enabled is selected.
    c. Type \\FS-1\UPM$\%USERNAME%.%USERDOMAIN%\Win8 in the text box below Enabled and then click OK.
24. Click OK in the Edit Policy window.
25. Close the Group Policy Management Editor.
26. Browse to the OU containing Server OS machines.
    Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops > Servers in the Group Policy Management Console.
27. Right-click the OU for the Server OS machines and then click Create a GPO in this domain, and Link it here.
    Right-click Servers and then click Create a GPO in this domain, and Link it here.
28. Type a name for the policy and then click OK.
    Type Citrix Profile Management - Servers path to user store in the Name field and then click OK.
29. Right-click the newly created policy and then click Edit.
    Right-click Citrix Profile Management - Servers path to user store and then click Edit.
30. Double-click Computer Configuration > Policies > Citrix Policies.
31. Click Edit and then click the Settings tab to edit the unfiltered policy.
32. Select Profile Management > Basic settings in the Categories field.
33. Determine if a path to the user store for end users of Server OS machines should be specified.
    a. Click Add to the right of the Path to user store setting.
    b. Verify that Enabled is selected.
    c. Type \\FS-1\UPM$\%USERNAME%.%USERDOMAIN%\Win2012 in the text box below Enabled and then click OK.
34. Click OK in the Edit Policy window.
35. Close the Group Policy Management Editor and the Group Policy Management Console.
Discussion Question
Citrix Profile Management is installed during which XenApp and XenDesktop component installations?
Reinforcement Exercise: Configuring a Session Printer
During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If you have a question or get stuck, ask the instructor or a fellow student for assistance. Now that you know how to:
• Configure printing policies.
• Configure Remote Assistance.
• Prioritize the policies.
• Test the Resultant Set of Policies (RSOP).
• Configure Citrix Profile Management settings.

You are ready to try your hand at creating a policy that provides members of the Accounting group with access to a network printer. Approximate time to complete: 15 minutes

Training wants you to provide members of the Accounting group with a network printer. This end-user group already has access to the Color Laser Printer that you configured in a policy named Session Printers using Studio. However, the Accounting group needs to print documents on large sheets of paper, so they require access to a special printer. You have Active Directory permissions, so you decide to create the session printer using Group Policy Management.

Here is what you need to do:
1. Create a new policy named Accounting Session Printers using Group Policy Management.
2. Attach the policy to the Training Users > Accounting OU.
3. Edit the Unfiltered policy under User Configuration > Policies > Citrix Policies.
4. Add the Accounting printer from the UPS-1 Print Server to the Unfiltered policy.
Module 7
Setting Up Provisioning Services
Setting Up Provisioning Services
Overview
Provisioning Services allows multiple virtual machines to start up from the same virtual disk (vDisk). This many-to-one relationship simplifies disk management and storage requirements. Provisioning Services improves the scalability of the environment by allowing the instant provisioning of resources on demand. After completing this module, you will be able to:
• Install and configure Provisioning Services.
• Install the Provisioning Services Console.
• Configure DHCP Options 66 and 67.
• Configure the bootstrap file for high availability.
• Create a vDisk and assign it to a target device.
• Create a machine catalog from Provisioning Services.
• Create a Delivery Group for the machine catalog created with Provisioning Services.

Module Timing: 5.0 hours

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• DomainController-1 = On
• FileServer-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off
Provisioning Services Architecture
Provisioning Services works differently than Machine Creation Services to provide resources to users. Provisioning Services allows computers to be provisioned and re-provisioned in real-time from a single shared vDisk. In doing so, administrators can completely eliminate the need to manage and update individual systems. Instead, all image management is done on the master vDisk. The local hard-disk drive of each system may be used for runtime data caching or, in some scenarios, removed from the system entirely, which reduces power usage, system failure rates, and security risks.
MCS and PVS are two mechanisms that do basically the same thing in different ways. MCS depends on hypervisor storage, whereas PVS depends on the network. With PVS, you start with a Master Target Device, capture its disk as a new vDisk, and then target devices boot from that vDisk. In MCS the AD identity comes from an additional identity disk, while PVS keeps it as entries in its database.
The Provisioning Services infrastructure is based on software-streaming technology. After installing and configuring Provisioning Services components, a vDisk can be created by imaging a hard disk that contains the operating system with applications installed to a vDisk file on the network. A device that is used to create the vDisk is called the Master Target Device. The devices that use the vDisk are called target devices. Writes with MCS are saved to a Differencing Disk, while writes with PVS are saved to a Write Cache.
The target device downloads a boot file from a Provisioning Services server, and then uses that boot file to start. Based on the device boot configuration settings, the appropriate vDisk is located, and then mounted on the Provisioning Services server. The software on the vDisk is streamed by the Provisioning Services server to the target device as needed. To the target device, it appears like a regular hard drive.
Instead of immediately pulling all of the vDisk contents down to the target device (as traditional imaging deployment solutions do), the data is brought across the network in real time, as needed. This approach allows a target device to get a completely new operating system and set of software in the time it takes to restart, without requiring an administrator to visit the endpoint. It also dramatically decreases the network bandwidth required compared with traditional disk imaging tools, making it possible to support a larger number of target devices on the network without impacting overall network performance.
Provisioning Services can be explained using a hard drive controller card replacement analogy:
1. Target device A powers on and uses TFTP to download a driver called the bootstrap file (ARDBP32.BIN). This driver provides the target device with the connection required to get its vDisk (virtual hard drive).
2. Target device A uses the bootstrap file to request that Provisioning Services send the boot sector from the vDisk.
3. Provisioning Services accesses the vDisk from storage and dynamically merges the boot sector with the SQL Server data to apply the appropriate SID based on the MAC address of the target device.
4. As the target device starts up, further requests for additional sectors from the vDisk are served in the same way, but I/O requests are made directly to the vDisk. With Provisioning Services, the entire vDisk is not streamed to the target device. Instead, sectors are sent to the target device as needed.
Discussion Question
What is meant by the terms Master Target Device and target device?
Setting Up A Provisioning Services Server
A Provisioning Services server is used to stream vDisk sectors as needed, to target devices. In some implementations, vDisks reside directly on the Provisioning Services server. In larger implementations, Provisioning Services servers access the vDisk from a shared-storage location on the network.
Provisioning Services servers use an SQL Server database to store and retrieve configuration information.
Creating a Service Account for Provisioning Services
A service account is used by two services in Provisioning Services, the Citrix PVS SOAP Server and the Citrix PVS Streaming Service. The service account can be a local system account, network service account, or a named user account. The service account is not required for installation.
To Create a Service Account for Provisioning Services
In this procedure, you will create a named user account for the Provisioning Services service account.
1. Log on to the domain controller using domain administrator credentials.
   Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in Server Manager and then click Active Directory Users and Computers.
3. Browse to the service account OU for the domain.
   Double-click training.lab > Training Service Accounts.
4. Right-click the service account OU and then click New > User.
   Right-click the Training Service Accounts OU and then click New > User.
5. Type the name for the new service account into the First name and User logon name fields and then click Next.
   Type PVS_svc in the First name field and the User logon name field and then click Next.
6. Type the desired password for the service account into both password fields.
   Type Password1 in the Password and Confirm password fields.
7. Configure the password rules for the service account and then click Next.
   Deselect User must change password at next logon, select User cannot change password and Password never expires, and then click Next.
8. Click Finish.
   This account does not need domain administrator permissions because you will be using a share for Provisioning Services that allows this account access to it.
9. Add the newly created service account to the service accounts group.
   a. Right-click PVS_svc and then click Add to a group.
   b. Type Service Accounts, click Check Names, and then click OK twice.
   Adding this account to the Service Accounts group in our lab environment prevents interactive logon because you created a Group Policy Object in Module 3 that denies the log on locally permission to the Service Accounts group.
Creating a Share for the Store

Provisioning Services requires at least one store to provide booting target devices with a vDisk. A store is the logical name for the physical location of PVS vDisks or golden images. The Provisioning Services service account must be granted read/write/create privileges to the store share.
When vDisks are created in the Provisioning Services Management Console, they are assigned to a store. Within a site, one or more Provisioning Services servers are given permission to access a store in order to serve vDisks to target devices. A Provisioning Services server checks the database for the store name and the physical location where the vDisk resides, in order to provide a vDisk to the target device.
In a highly available implementation, if the active Provisioning Services server in a site fails, the target device can get its vDisk from another Provisioning Services server that has access to the store and permissions to serve the vDisk.
There are three locations administrators can choose to place the store: local storage to the Provisioning Services server, local storage on multiple Provisioning Services servers with replication, and shared storage like a SAN or SMB share.
The following considerations explain the locations to choose for the vDisk Store:

• Local storage of the Provisioning Services server
  The vDisks reside in a local folder on a single PVS server. High availability is not supported with this model.
• Local storage of multiple Provisioning Services servers, with the latest version of each vDisk replicated across the servers
  To support high availability, these replicated vDisks must be identical. Replication can be done manually or using solutions like DFS Replication. Note that the *.vhd, *.avhd, and *.pvp files for each vDisk should be replicated, but not the *.lok file, which specifies its location.
• Shared storage
  This model requires a single vDisk without replication, but requires shared storage.
To Create the Share for the Store

1. Log on to the file server where the share will be created using domain administrator credentials.
   Log on to FileServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click File and Storage Services in the left pane of the Server Manager and then click Shares.
3. Click Tasks in the center pane and then select New Share.
4. Select a File share profile and then click Next.
   Verify SMB Share - Quick is selected and then click Next.
5. Select the drive on the file server where the share will be created and then click Next.
   Select E: in the Select by volume section and then click Next.
6. Type a descriptive name for the share in the Share name field and then click Next.
   Type vDisks in the Share Name field and then click Next.
7. Deselect Allow caching of share and then click Next on the Configure Share Settings screen.
8. Click Customize permissions and then configure the permissions for the share.
   Click Customize permissions, click Disable inheritance, and then click Remove all inherited permissions from this object.
9. Click Add, click Select a principal, type System, click Check Names, and then click OK to add a principal to the share.
10. Select Full Control and then click OK.
11. Click Add, click Select a principal, type the name of the Provisioning Services administrators, click Check Names, and then click OK to add a principal to the share.
    Click Add, click Select a principal, type TRAINING\Administrator, click Check Names, and then click OK.
12. Select Full Control and then click OK.
13. Click Add, click Select a principal, type the name of the service account created for Provisioning Services, click Check Names, and then click OK to add a principal to the share.
    Click Add, click Select a principal, type PVS_svc, click Check Names, and then click OK.
14. Select Full Control and then click OK.
15. Click OK and then click Next.
16. Click Create and then click Close.
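The same store share and folder permissions, configured with PowerShell instead of the New Share wizard, as an added example that is not part of the Citrix course material. It assumes the lab names (run on FileServer-1, path E:\vDisks, principals TRAINING\Administrator and TRAINING\PVS_svc); limiting the share-level permissions to the same three principals is the example's own choice, since the wizard procedure above only edits the NTFS ACL.

```powershell
# Added example (not from the Citrix course): creates the vDisk store share with the
# NTFS permissions the procedure configures (inheritance disabled, inherited ACEs removed,
# Full Control for SYSTEM, the PVS administrator, and the PVS service account).
# Run on FileServer-1 in an elevated PowerShell session as a domain administrator.
$Path     = 'E:\vDisks'                 # volume E: selected in step 5 (lab assumption)
$Share    = 'vDisks'                    # share name from step 6
$SvcAcct  = 'TRAINING\PVS_svc'          # service account created earlier in this module
$PvsAdmin = 'TRAINING\Administrator'    # PVS administrator used in the lab
$System   = 'NT AUTHORITY\SYSTEM'

if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -ItemType Directory | Out-Null
}

# Build the NTFS ACL in memory and apply it in a single write, so the folder is never
# left with an empty, protected DACL between "remove inherited" and "add principals".
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($principal in @($System, $PvsAdmin, $SvcAcct)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Create the SMB share with caching disabled (step 7). Share-level access is restricted
# to the same three principals; everything else is denied by the absence of an entry.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path -CachingMode None `
        -FullAccess $System, $PvsAdmin, $SvcAcct | Out-Null
}

# Verification: confirm no inherited ACEs remain and only the expected principals appear.
$access = (Get-Acl -Path $Path).Access
if ($access | Where-Object { $_.IsInherited }) {
    throw "Inherited permissions are still present on $Path"
}
$access | Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $Share | Format-Table -AutoSize
```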
Write Cache Considerations

When the Provisioning Services vDisk is in standard image mode, a write cache is required to store any machine writes. The write cache location is flexible and can be placed in several places: target device hard drive, target device RAM, target device RAM with overflow to hard drive, or on the Provisioning Services server.
The following considerations explain the locations to choose for the Write Cache:

• Target device hard drive
  This option limits the network communication to reads only on the standard vDisk and requires no additional software. In this case the write cache file is temporary.
• Target device RAM
  This option frees up the Provisioning Services server and limits the network communication to reads only on the standard vDisk. It provides the fastest method of disk access, since memory access is always faster than disk access. It requires sufficient memory for the machine to remain operational.
• Target device RAM with overflow to hard disk (only available for Windows 7 and Server 2008 R2 and later)
  This option frees up the Provisioning Services server and limits the network communication to reads only on the standard vDisk. It uses target device paged pool memory when it is available and overflows the write cache to the local disk when required. This option gives optimal performance without a large memory requirement.
• Provisioning Services server disk
  In this option both reads and writes are handled by the Provisioning Services server, which causes an increase in disk I/O and network traffic. The write cache on the server disk is temporary and does not survive server reboots.
• Provisioning Services server disk, persisted
  In this option both reads and writes are handled by the Provisioning Services server, which causes an increase in disk I/O and network traffic. The write cache on the server disk is persistent between reboots.
Citrix leading practice is to use the RAM cache with overflow to the hard disk method for storing the write cache whenever possible. Reference the following URL for more information on write cache locations: http://docs.citrix.com/enus/provisioning/7-1/pvs-product-wrapper-6-2/pvs-technology-overview-write-cache-intro.html.
Discussion Question Where can vDisks be stored for use with Provisioning Services?
Creating Windows Firewall Exceptions

Provisioning Services uses UDP and TCP for the following communications:

• Provisioning Services server to Provisioning Services server: at least five ports must exist in the selected port range. Ports must be selected from UDP ports 6890 - 6909.
• Provisioning Services server to target devices over the Stream Service: UDP ports 6910 - 6930. UDP ports 6910 - 6912 are reserved for Provisioning Services.
• Target devices to Provisioning Services servers: UDP 6901, 6902, 6905. These ports cannot be changed.
• Target device communications with the write cache: UDP ports 10802 - 10803.
• Provisioning Services Console communications via the SOAP Server: TCP ports 54321 - 54322.
• TFTP communications: UDP port 69.
• TSB Boot Device Manager communications: UDP port 6969.
• PXE (DHCP) communications: UDP port 67.
• Alternate boot service: UDP port 4011.
To enable Provisioning Services communications, you must open up these inbound ports on the firewalls of the servers hosting these components. You can open these ports manually on each server or use a group policy to simplify the process.
To Create Windows Firewall Exceptions

1. Log on to the domain controller using domain administrator credentials.
   Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
   In the lab environment the firewalls are turned off using a policy, so these exceptions will have no impact. Turning off the firewall in a production environment is not recommended. You are encouraged to perform these steps in the lab environment for practice purposes and to uncover any questions you might have about the procedure.
2. Click Tools in the Server Manager window and then click Group Policy Management.
3. Browse to the OU that will contain the Provisioning Services servers.
   Double-click Forest: training.lab > Domains > training.lab > Training Servers > PVS.
4. Right-click the OU for the Provisioning Services servers and then click Create a GPO in this domain and Link it here.
   Right-click PVS and then click Create a GPO in this domain and Link it here.
5. Specify a name for the new group policy object and then click OK.
   Type PVS Firewall Exceptions and then click OK.
6. Right-click the newly created Group Policy Object and then click Edit.
   Right-click PVS Firewall Exceptions and then click Edit.
7. Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security.
8. Click Inbound Rules under the Windows Firewall with Advanced Security setting in the left pane, right-click Inbound Rules, and then click New Rule.
9. Select Port and then click Next.
10. Select UDP and then verify that Specific local ports is selected.
11. Type 6890-6930, 10802-10803 in the Specified local ports field and then click Next.
    These ports are used by the Stream Service. For more information about the ports, see the http://docs.citrix.com/en-us/provisioning/6-1.html and http://support.citrix.com/article/CTX101810 articles.
12. Verify Allow the connection is selected and then click Next.
13. Verify that all profiles are selected and then click Next.
14. Type a descriptive name for the Stream Service ports in the Name field and then click Finish.
    Type PVS - Stream Service and then click Finish.
15. Right-click Inbound Rules and then click New Rule.
16. Select Port and then click Next.
17. Verify that TCP and Specific local ports are selected.
18. Type 54321-54322 and then click Next.
    These ports are used by the SOAP Server.
19. Verify that Allow the connection is selected and then click Next.
20. Verify that all profiles are selected and then click Next.
21. Type a descriptive name for the SOAP Server ports in the Name field and then click Finish.
    Type PVS - SOAP Service and then click Finish.
22. Right-click Inbound Rules and then click New Rule.
23. Select Port and then click Next.
24. Select UDP and then verify that Specific local ports is selected.
25. Type 67 in the Specified local ports field and then click Next.
    This port is used for PXE (DHCP) communications. If an alternate service other than DHCP will be used, you can specify UDP port 4011.
26. Verify that Allow the connection is selected and then click Next.
27. Verify that all profiles are selected and then click Next.
28. Type a descriptive name for the PXE Service ports in the Name field and then click Finish.
    Type PVS - PXE Service and then click Finish.
29. Right-click Inbound Rules and then click New Rule.
30. Select Port and then click Next.
31. Select UDP and then verify that Specific local ports is selected.
32. Type 69 in the Specified local ports field and then click Next.
    This port is used for TFTP communications.
33. Verify that Allow the connection is selected and then click Next.
34. Verify that all profiles are selected and then click Next.
35. Type a descriptive name for the TFTP Service ports in the Name field and then click Finish.
    Type PVS - TFTP Service and then click Finish.
36. Close the Group Policy Management Editor and Group Policy Management windows.
    You should have created four inbound rules.
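The four inbound rules from the procedure above, written into the PVS Firewall Exceptions GPO with the NetSecurity cmdlets, as an added example rather than course content. It assumes the GPO already exists in training.lab (step 5), that it runs with GPO edit rights on a system with the NetSecurity module (Windows Server 2012 or later), and the optional -RemoteAddress scoping is the example's own hardening suggestion, not part of the procedure.

```powershell
# Added example (not from the Citrix course): creates the same four inbound rules the
# Group Policy procedure builds by hand, then reads them back from the GPO to verify.
# PolicyStore takes "domain\GPO display name", so the rules land in the GPO, not on the
# local firewall of the machine running the script.
$PolicyStore = 'training.lab\PVS Firewall Exceptions'   # GPO created in step 5 (lab name)

# Port assignments exactly as typed in steps 11, 18, 25 and 32.
$rules = @(
    @{ DisplayName = 'PVS - Stream Service'; Protocol = 'UDP'; LocalPort = @('6890-6930', '10802-10803') }
    @{ DisplayName = 'PVS - SOAP Service';   Protocol = 'TCP'; LocalPort = @('54321-54322') }
    @{ DisplayName = 'PVS - PXE Service';    Protocol = 'UDP'; LocalPort = @('67') }
    @{ DisplayName = 'PVS - TFTP Service';   Protocol = 'UDP'; LocalPort = @('69') }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    $existing = Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $r.DisplayName `
        -ErrorAction SilentlyContinue
    if ($existing) { continue }

    # -Profile Any matches "all profiles" in steps 13, 20, 27 and 34.
    # Hardening option (not in the procedure): add -RemoteAddress <target device subnets>
    # so the streaming ports are only reachable from the networks that host target devices.
    New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $r.DisplayName `
        -Direction Inbound -Action Allow -Profile Any `
        -Protocol $r.Protocol -LocalPort $r.LocalPort | Out-Null
}

# Verification: list every PVS rule in the GPO with its protocol and ports, and
# flag anything that is not the expected four-rule set.
$found = Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName 'PVS - *' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Enabled   = $_.Enabled
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ', ')
        }
    }
$found | Format-Table -AutoSize
if (@($found).Count -ne 4) {
    Write-Warning "Expected 4 PVS rules in '$PolicyStore', found $(@($found).Count)"
}
```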
Discussion Question Why does Provisioning Services use UDP for Citrix Streaming Services?
Installing Provisioning Services
Provisioning Services streamlines the management of vDisk images (VDI) and provides scalability of the XenApp and XenDesktop environment. For example, after configuring a Server OS machine to host applications, you can easily use that machine as a Master Target Device to create a vDisk that can expand to multiple instances instantly using Provisioning Services.
Provisioning Services consists of two required services: the Citrix PVS SOAP Server and the Citrix PVS Stream Service. TFTP is an optional service that can be installed if an existing TFTP server is not currently implemented in the environment. TFTP is only used to deliver the ARDBP32.BIN file to the target device that is starting up. The difference between FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) is that FTP is based on TCP/IP and TFTP is based on UDP.
The Citrix PVS SOAP Server is the management service that enables administrative functionality and communication with the database. The Citrix PVS Stream Service uses the UDP protocol to deliver requested sectors of a vDisk to the target device.
To Install Provisioning Services

1. Right-click the first Provisioning Services VM, click Start, and then click Console.
   Right-click ProvisioningServicesHost-1, click Start, and then click Console.
2. Log on to the first Provisioning Services VM using domain administrator credentials.
   Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
3. Insert the Provisioning Services installation media in the DVD drive.
   Select Citrix_ProvisioningServices_7_6_English.ISO in the DVD Drive 1 field.
4. Click File Explorer in the taskbar.
5. Click This PC and then double-click CD Drive (D:).
   If the installation wizard does not start, double-click autorun.
6. Select Server Installation in the wizard window.
7. Click Install to begin the installation of Provisioning Services.
8. Click Yes in the message to install SQLncx64, if it is presented.
   SQLncX64 is the SQL native client and is required if you are using database mirroring. If the SQL native client is already on the system, you will not be presented with this message.
9. Wait for the Citrix Provisioning Services wizard to appear and then click Next.
   If the wizard does not appear on the screen, check the taskbar.
10. Read and respond to the license agreement.
    Select I accept the terms in the license agreement and then click Next.
11. Specify your customer information, determine for whom the application will be installed, and then click Next.
    Click Next to accept the default information.
12. Specify a destination folder and then click Next.
    Click Next to accept the default Destination folder.
13. Click Install to begin the installation.
14. Click Finish.
15. Click OK in the message concerning the PVS Console.
16. Click Next in the Provisioning Services Configuration wizard screen.
17. Specify where DHCP is running and then click Next.
    Select The service that runs on another computer and then click Next.
    DHCP will be used to provide instructions for starting vDisks from the network. Options 66/67 contain the settings required for PXE booting. Options 66/67 are configured within the DHCP Manager.
18. Specify where the PXE Service is running and then click Next.
    Select The service that runs on another computer and then click Next.
19. Decide whether to create a new farm or join an existing farm and then click Next.
    Select Create farm and then click Next.
    If this is the first Provisioning Services server in the environment, you must create a new farm.
20. Specify, in the Server name field, the name of the database server that will host the Provisioning Services database and then click Next.
    Type SQL-1 in the Server name field and then click Next.
21. Specify a name for the Provisioning Services database and a name for the farm.
    Type PVS_db in the Database name field and then verify that Farm is specified in the Farm name field.
22. Specify a site name and a collection name.
    Verify that Site is specified in the Site name field and Collection is specified in the Collection name field.
23. Determine which groups will be used for security and then click Next.
    Verify that Use Active Directory groups for security and training.lab/Builtin/Administrators are selected, and then click Next.
24. Type a name for the Provisioning Services store.
    Verify that Store is specified as the store name.
25. Specify where the vDisks will be stored.
    Type \\FS-1\vDisks and then click Next.
    vDisks must be stored in a shared directory if multiple Provisioning Services servers will access the same vDisk simultaneously. You created the \\FS-1\vDisks share earlier in this module.
26. Specify the license server in the License server name field.
    Type license.edutestsite.com.
27. Select Validate license server version and communication and then click Next.
28. Select the account to use for the Stream Services and SOAP Server and then click Next.
    a. Select Specified user account.
    b. Type PVS_svc in the User name field.
    c. Type training.lab in the Domain field.
    d. Type Password1 in the password fields.
    e. Click Next.
29. Verify that Automate computer account password updates is selected and then click Next.
    This ensures that Provisioning Server resets the Active Directory computer accounts of the provisioned endpoints before the computer accounts expire in Active Directory.
30. Specify the network card to be used for streaming and management, specify the ports to use, and then click Next.
    Verify that 6890 is specified as the First communications port, 54321 is specified as the Console port, and then click Next. You will use the network cards on this Provisioning Services server (192.168.10.31) in the lab environment.
31. Select Use the Provisioning Services TFTP service and then click Next.
32. Specify the boot servers that target devices can contact to complete their start up process and then click Next.
    Click Next to accept the default Stream Servers Boot List.
33. Verify that Automatically Start Services is selected and then click Finish.
34. Click OK in the Windows Firewall message.
    The message will always appear even if the firewall is turned off.
35. Wait while the configuration completes and then click Done.
36. Click Exit and then eject the Provisioning Services media from the DVD drive.
    Click Exit and then click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation media.
37. Click the Server Manager icon in the taskbar of the Provisioning Services server and then click Tools > Services.
    Service startups can fail in high-latency environments. You should configure the following Recovery settings for the Citrix PVS SOAP Server, Citrix PVS Stream Service, and Citrix PVS TFTP Service to ensure that these services start.
38. Right-click Citrix PVS Soap Server and then click Properties.
39. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and then click OK.
40. Right-click Citrix PVS Stream Service and then click Properties.
41. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and then click OK.
42. Right-click Citrix PVS TFTP Service and then click Properties.
43. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and then click OK.
44. Close the Services window.
Discussion Question How does Provisioning Services simplify the management of updating target devices?
Granting Database Permissions

Before installing the Provisioning Services Console, the service account specified for use with the Provisioning Services Stream Service and SOAP Service must be configured with db_datareader and db_datawriter permissions to the database. This is done automatically by the XenApp and XenDesktop Configuration wizard, if the service account has securityadmin permissions. The service account configured to access the database does not have securityadmin permissions in the lab environment, so you must perform the following procedure.
To Grant Database Permissions to the Service Account

1. Log on to the first SQL Server using domain administrator credentials.
   Log on to SQLServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type SQL Server Management Studio, and then click SQL Server Management Studio.
   If SQL Server Management Studio does not appear in the Start menu, you probably did not install SQL Server using the TRAINING\Administrator account. You should log off and log on again using the credentials used to install SQL Server.
3. Select the first SQL Server in the Server name field and then click Connect.
   Select SQL-1 in the Server name field and then click Connect.
4. Double-click the first SQL Server and then double-click Security > Logins in the left pane.
   Double-click SQL-1 > Security > Logins.
   If SQL-1 does not appear in the left pane, click Connect above the left pane, select Database Engine, select SQL-1 in the Server name field, and then click Connect.
5. Right-click Logins and then click New Login.
6. Click Search.
7. Click Object Types, verify that Users is selected, and then click OK.
8. Click Locations, double-click Entire Directory and the domain name, and then click OK.
   Click Locations, double-click Entire Directory > training.lab, and then click OK.
9. Specify the service account, click Check Names, and then click OK.
   Type PVS_svc, click Check Names, and then click OK.
10. Click Server Roles in the left pane and then verify public is selected in the right pane to grant server-wide security privileges to the specified user.
11. Click User Mapping in the left pane, select the database, and then select db_owner.
    Click User Mapping, select PVS_db, and then select db_owner for the role membership.
    Public must remain selected.
12. Click OK.
13. Verify that the service account appears in the Security > Logins node.
    Click Security > Logins and verify that TRAINING\PVS_svc appears.
14. Close the Microsoft SQL Server Management Studio.
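The same login, user mapping and role membership created with T-SQL through Invoke-Sqlcmd, as an added example that is not part of the Citrix course material. It assumes the lab names (instance SQL-1, database PVS_db, login TRAINING\PVS_svc), the SqlServer or SQLPS PowerShell module, and SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER; the $Roles switch between db_owner (what the procedure selects) and db_datareader/db_datawriter (the minimum the text states the services need) is the example's own addition.

```powershell
# Added example (not from the Citrix course): grants the PVS service account access to
# the Provisioning Services database without SQL Server Management Studio.
# Run as the account that installed SQL Server, as the procedure above requires.
$Instance = 'SQL-1'                # lab SQL Server instance
$Database = 'PVS_db'               # database created by the Configuration wizard
$Login    = 'TRAINING\PVS_svc'     # service account created earlier in this module

# 'db_owner' reproduces the User Mapping selection in step 11. The section text says the
# Stream Service and SOAP Server need only db_datareader and db_datawriter; pass
# @('db_datareader', 'db_datawriter') here to grant that narrower set instead.
$Roles = @('db_owner')

# Server login (public server role is implicit, matching step 10) and database user.
# The IF NOT EXISTS guards make the script safe to run more than once.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
"@
foreach ($role in $Roles) {
    # On SQL Server 2008 R2 or earlier replace this with: EXEC sp_addrolemember N'$role', N'$Login';
    $tsql += "ALTER ROLE [$role] ADD MEMBER [$Login];`n"
}
Invoke-Sqlcmd -ServerInstance $Instance -Query $tsql

# Verification (step 13 equivalent): the login exists and holds exactly the roles requested.
$check = @"
USE [$Database];
SELECT r.name AS RoleName
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$Login'
ORDER BY r.name;
"@
$granted = @(Invoke-Sqlcmd -ServerInstance $Instance -Query $check | ForEach-Object { $_.RoleName })
$granted | Format-Table -AutoSize
$missing = $Roles | Where-Object { $granted -notcontains $_ }
if ($missing) { throw "Role(s) not granted to ${Login}: $($missing -join ', ')" }
```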
Installing the Provisioning Services Console

The Provisioning Services Console is an MMC snap-in used to manage the sites, Provisioning Services servers, target devices, target device collections, and the lifecycle of the vDisk images. To install the console on a system, PowerShell 2.0 must be available on that system. In addition, the SOAP Server must be running on a Provisioning Services server in order to communicate with the console.
To Install the Provisioning Services Console

1. Log on to the Provisioning Services VM using domain administrator credentials.
   Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
2. Insert the Provisioning Services installation media in the DVD drive.
   Select Citrix_ProvisioningServices_7_6.iso in the DVD Drive 1 field.
3. Click File Explorer in the taskbar.
4. Click This PC and then double-click CD Drive (D:).
   If the installation wizard does not start, double-click autorun.
5. Click Console Installation and then click Next in the wizard.
6. Read and respond to the license agreement.
   Select I accept the terms of the license agreement and then click Next.
7. Specify customer information, determine for whom the application will be installed, and then click Next.
   Click Next to accept the default information.
8. Select a destination folder and then click Next.
   Click Next to accept the default destination folder.
9. Determine which components will be installed and then click Next.
   Verify that Complete is selected and then click Next.
10. Click Install to begin the installation of the Provisioning Services Console.
11. Click Finish.
12. Click Exit.
13. Click Eject to eject the installation media from the DVD drive.
    Click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services media.
Discussion Question The Console uses the SOAP Server to communicate with which two components of the Provisioning Services implementation?
Configuring Boot from Network

Pre-Execution Environment (PXE) booting is a method used to start a target device from the network. It relies on TFTP and the PXE service. DHCP Options 66 and 67 need to be configured in the Scope or Server options on the DHCP server to enable PXE booting from the network using a bootstrap file. Option 66 is the address or name of the TFTP server. Option 67 is the name of the bootstrap file (ARDBP32.BIN).
An alternate method of network startup is available via Boot Device Manager. With Boot Device Manager, a small partition is automatically created on the vDisk (VHD) file by Provisioning Services. The small partition contains all of the information needed to start the target device.
To Configure DHCP (Options 66 and 67) for PXE Booting

1. Log on to the VM hosting the DHCP server role using domain administrator credentials.
   Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools > DHCP in Server Manager to open the DHCP console.
3. Double-click the server name and then double-click IPv4 > Server Options.
   Double-click AD.training.lab and then double-click IPv4 > Server Options.
4. Right-click Server Options and then click Configure Options.
5. Select 066 Boot Server Host Name in the Available Options list on the General tab.
6. Type the IP address of the TFTP server in the String value field.
   Type 192.168.10.31 in the String value field.
   This is the IP address of the Provisioning Services server in our lab environment.
7. Select 067 Bootfile Name in the Available Options list on the General tab.
8. Type ARDBP32.BIN in the String value field and then click OK.
9. Close the DHCP console.
Discussion Question Why might you opt to use BDM rather than PXE? When might PXE be a better option than BDM?
Setting Up a Second Provisioning Services Server

A single instance of Provisioning Services is a single point of failure. If that instance fails, all of the running target devices will stop because they will experience a hard drive failure due to their vDisk becoming unavailable. You should always configure an additional Provisioning Services server for high-availability protection. Remember that each Provisioning Services server can only be a member of one site at a time. If you want to move a Provisioning Services server to another site, you need to rerun the Configuration wizard on the server being moved. Configuring a second Provisioning Services server is similar to installing the first instance. The administrator must ensure that the second Provisioning Services server has access to the store via shared storage to see the existing vDisks.
To Configure a Second Provisioning Services Server 1.
Right-click the second Provisioning Services VM, click Start, and then click Console. Right-click ProvisioningServicesHost-2, click Start, and then click Console.
2.
Log on to the second Provisioning Services VM using domain administrator credentials. Log on to ProvisioningServicesHost-2 using the TRAINING\Administrator and Password1 credentials.
3.
Insert the Provisioning Services installation media in the DVD drive. Select Citrix_ProvisioningServices_7_6_English.ISO in the DVD Drive 1 field.
4. 5.
Click the File Explorer icon in the taskbar and then click This PC. Double-click CD Drive (D:) to start the installation wizard. If the installation wizard does not start, double-click autorun.
Select Server Installation in the wizard window. Click Install to begin the installation of Provisioning Services on the VM. Click Yes in the message to install SQLncx64, if it is presented.
ot
N
6. 7. 8.
fo
SQLncX64 is the SQL native client and is required if you are using database mirroring. If the SQL native client is already on the system, you will not be presented with this message.
rr
Wait for the Citrix Provisioning Services wizard to appear and then click Next.
es
9.
e
al
If the wizard does not appear on the screen, check the taskbar.
or
10. Read and respond to the license agreement.
Select I accept the terms in the license agreement and then click Next.
st di
11. Specify customer information, determine for whom the application will be installed, and then click Next. Click Next to accept the default information.
Click Next to accept the default destination folder.
n
Click Install to begin the installation. Click Finish when the installation is completed. Click OK in the message concerning the PVS Console. Click Next in the Provisioning Services Configuration wizard screen. Specify where DHCP is running and then click Next.
io
13. 14. 15. 16. 17.
ut
rib
12. Specify a destination folder and then click Next.
Select The service that runs on another computer and then click Next. This is done so provisioned machines (vDisks) know where to get instructions to start from the network. Options 66/67 contain the settings required for PXE booting. Options 66/67 are configured within the DHCP Manager. 18. Specify where the PXE Service is running and then click Next. Select The service that runs on another computer and then click Next.
© Copyright 2015 Citrix Systems, Inc.
Module 7: Setting Up Provisioning Services
   You will point to the VM that hosts the bootstrap file, which tells the provisioned machines (target devices) to start up from the network. In the lab environment, the bootstrap file is stored on this Provisioning Services server.
19. Decide whether to create a new farm or join an existing farm and then click Next.
   Select Join existing farm and then click Next.
   If this is not the first Provisioning Services VM in the environment, you probably want to join a farm instead of creating a new farm.
20. Specify the name of the database server that is hosting the database to be used by Provisioning Services and then click Next.
   Type SQL-1 and then click Next.
21. Select the Provisioning Services farm that this server will join and then click Next.
   Verify that PVS_db:Farm is specified in the Farm name field and then click Next.
   In the lab environment, PVS_db is the name of the Provisioning Services database and Farm is the name you gave the Provisioning Services farm.
22. Specify the site to be used by the Provisioning Services server and then click Next.
   Verify that Existing site is selected and then click Next.
   In the lab environment, Site is the name you gave the Provisioning Services site.
23. Specify the vDisk store to be used by the Provisioning Services server and then click Next.
   Verify that Existing store is selected and then click Next.
   In the lab environment, Store is the name you gave the Provisioning Services store.
24. Select the account to use for the Stream Services and SOAP Server and then click Next.
   a. Select Specified user account.
   b. Type PVS_svc in the User name field.
   c. Type training.lab in the Domain field.
   d. Type Password1 in the password fields.
   e. Click Next.
25. Verify Automate computer account password updates is selected and then click Next.
   This ensures that Provisioning Server resets the Active Directory computer accounts of the provisioned endpoints before the computer accounts expire in Active Directory.
26. Specify the network card to be used for streaming and management, specify the ports to use, and then click Next.
   Verify that 6890 is specified as the First communications port and 54321 is specified as the Console port, and then click Next.
27. Select Use the Provisioning Services TFTP service and then click Next.
28. Specify the boot servers that target devices can contact to complete their start up process and then click Next.
   Click Next to accept the default Stream Servers Boot List.
29. Verify that Automatically Start Services is selected and then click Finish.
30. Click OK in the Windows Firewall message.
   This message will always appear even if the firewall is turned off.
31. Wait while the configuration completes and then click Done.
32. Click Exit and then eject the installation media from the DVD drive.
   Click Exit and then click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation media.
33. Click the Server Manager icon in the taskbar of the Provisioning Services server and then click Tools > Services.
   Service startups can fail in high-latency environments. You should configure the following Recovery settings for the Citrix PVS SOAP Server, Citrix PVS Stream Service, and Citrix PVS TFTP Service to ensure that these services start.
34. Right-click Citrix PVS Soap Server and then click Properties.
35. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and then click OK.
36. Right-click Citrix PVS Stream Service and then click Properties.
37. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and then click OK.
38. Right-click Citrix PVS TFTP Service and then click Properties.
39. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and then click OK.
40. Close the Services console.
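Two settings in this procedure are applied by hand and are easy to get wrong or to lose on a rebuild: the DHCP options that point PXE clients at the bootstrap file (step 17) and the Recovery actions for the three PVS services (steps 33 to 40). The script below is an added example, not Citrix tooling from the course; it assumes the DhcpServer PowerShell module is available, that the lab DHCP scope ID is 192.168.10.0, and uses the Services console defaults (one-minute restart delay, failure count reset after one day), which the course steps do not state.

```powershell
# Added example (not from the course): apply and read back the PVS post-install
# settings that the lab configures through the GUI. Run from an elevated
# PowerShell session on the Provisioning Services server.

# --- Part 1: service recovery (steps 33-40) ----------------------------------
# Display names as shown in the Services console. sc.exe needs the short service
# name, so it is resolved with Get-Service rather than hard-coded.
$PvsServiceDisplayNames = @(
    'Citrix PVS Soap Server',
    'Citrix PVS Stream Service',
    'Citrix PVS TFTP Service'
)

function Set-PvsServiceRecovery {
    param(
        [string[]]$DisplayNames = $PvsServiceDisplayNames,
        [int]$RestartDelayMs = 60000,   # assumed: Services console default of 1 minute
        [int]$ResetSeconds   = 86400    # assumed: Services console default of 1 day
    )
    foreach ($display in $DisplayNames) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service '$display' not found"; continue }
        # First, second and subsequent failures all restart the service (step 35).
        $actions = "restart/$RestartDelayMs/restart/$RestartDelayMs/restart/$RestartDelayMs"
        & sc.exe failure $svc.Name reset= $ResetSeconds actions= $actions | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "sc.exe failure returned $LASTEXITCODE for $($svc.Name)"
            continue
        }
        # Read the configuration back so the change can be audited: three RESTART
        # lines are expected in the qfailure output.
        $restarts = @(& sc.exe qfailure $svc.Name | Where-Object { $_ -match 'RESTART' })
        [pscustomobject]@{ Service = $svc.Name; RestartActions = $restarts.Count }
    }
}

# --- Part 2: PXE boot options 66/67 (step 17) --------------------------------
# Option 66 is the boot server (the PVS server running the TFTP service) and
# option 67 is the boot file name; ARDBP32.BIN is the PVS bootstrap file.
# These cmdlets run against the DHCP server, which in the lab is another computer.
function Set-PvsPxeDhcpOptions {
    param(
        [string]$DhcpServer,
        [ipaddress]$ScopeId = '192.168.10.0',   # assumed scope for the lab subnet
        [string]$BootServer = '192.168.10.31',   # first PVS server, from the imaging wizard step
        [string]$BootFile   = 'ARDBP32.BIN'
    )
    Import-Module DhcpServer
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 66 -Value $BootServer
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 67 -Value $BootFile
    # Verify by reading both options back. Option 66 names a single TFTP server;
    # redundancy for the stream servers comes from the bootstrap file contents,
    # which the bootstrap high-availability procedure later in this module sets up.
    Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 66, 67 |
        Select-Object OptionId, Value
}

Set-PvsServiceRecovery
Set-PvsPxeDhcpOptions -DhcpServer 'DHCP-SERVER-PLACEHOLDER'   # the course does not name the lab DHCP server
```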
Discussion Question
You have virtualized your first Provisioning Services server and then added a second Provisioning Services server for redundancy to prevent a single point of failure. Everything seems to be working as planned. One day, the Help Desk lines light up with numerous calls from end users complaining that their desktops are not available. What might be causing the issue?

Configuring the Bootstrap File for High Availability
The bootstrap file contains connection information used by the starting target device to locate the Provisioning Services servers. Adding all Provisioning Services servers to the bootstrap file allows the starting target device connections to be load-balanced among the Provisioning Services servers and lets the target device identify the next available Provisioning Services server upon failure of the currently connected Provisioning Services server. After a Provisioning Services server is added, you must update the server information in the bootstrap file (ARDBP32.BIN) using the Provisioning Services Console. Once the bootstrap file is updated, subsequent connections to Provisioning Services are load-balanced between all Provisioning Services servers. An administrator can rebalance the target device connections at any time using the console without impacting VM performance.
To Configure the Bootstrap File for High Availability
1. Log on to the first Provisioning Services VM using domain administrator credentials.
   Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Right-click Provisioning Services Console in the left pane and then click Connect to Farm.
4. Type the NetBIOS name or IP address of the first Provisioning Services server in the Server Information Name field and then click Connect.
   Type PVS-1 and then click Connect.
   If you cannot access the farm, restart the Provisioning Services server and try again. This will connect the console to the first Provisioning Services server so you can see information about the farm, the sites, and the stores.
5. Double-click the farm name > Sites > site name, and then click Servers.
   Double-click Farm > Sites > Site > Servers.
6. Right-click the name of the first Provisioning Services server in the Servers node and then click Configure Bootstrap.
   Right-click PVS-1 and then click Configure Bootstrap.
7. Click Read Servers from Database, and then click OK.
   The bootstrap file for the first Provisioning Services server will now include the IP addresses of all Provisioning Services servers in the farm.
8. Right-click the name of the second Provisioning Services server in the Servers node and then click Configure Bootstrap.
   Right-click PVS-2 and then click Configure Bootstrap.
9. Click Read Servers from Database, and then click OK.
   The bootstrap file for the second Provisioning Services server will now include the IP addresses of all Provisioning Services servers in the farm.
10. Close the Provisioning Services Console.
   You can shut down the ProvisioningServicesHost-2 VM to conserve lab resources.

Discussion Question
How many Provisioning Services servers can be specified in the bootstrap file?

Configuring the Master Target Device
A Master Target Device refers to a target device from which a hard disk image is built and stored on a vDisk. Provisioning Services then streams the contents of the vDisk created from the Master Target Device to other target devices. In order to support a single vDisk that is shared by multiple target devices, those devices must have certain similarities to ensure that the operating system has all required drivers. The three key components that must be consistent include the:
• Motherboard
• Network card
• Video card
The Provisioning Services Common Image Utility allows a single vDisk to simultaneously support different motherboards, network cards, video cards, and other hardware devices.
If target devices will be sharing a vDisk, the Master Target Device serves as a template for all subsequent diskless target devices as they are added to the network. It is crucial that the hard disk of the Master Target Device is prepared properly and that all software is installed on it in the following order:
1. Windows Operating System
2. Device Drivers
3. Service Packs
4. Updates
5. Target Device Software
Applications can be installed before or after the Target Device Software is installed.

Creating the Master Target Device
Using Provisioning Services, administrators prepare a Master Target Device for imaging by installing an operating system and software on the device. A vDisk image is then created from the hard drive on the Master Target Device and saved to shared storage.
Once the vDisk image is available from the network, the target device no longer needs its local hard drive to operate; the target device starts up directly from the network. The Provisioning Services server streams the contents of the vDisk to the target device on demand, in real time. The target device behaves as if it is running from its local hard drive. However, unlike thin-client technology, all processing takes place on the target device.
When creating a vDisk for use with Provisioning Services, you can:
• Use a physical machine with a configured desktop as the Master Target Device, load the Provisioning Services utilities on the physical machine, and then use the utilities to convert the workload of the physical device to a vDisk (VHD) file.
• Use a virtual machine with a configured desktop as the Master Target Device, load the Provisioning Services utilities on the virtual machine, and then use the utilities to convert the workload of the virtual machine to a vDisk (VHD) file.
• Use a headless virtual machine (a machine without a hard drive), associate it with a Provisioning Services server to attach a blank vDisk to it, and then install an operating system and software on the blank vDisk to create the vDisk (VHD) file. You do not need to convert the workload of the virtual machine because it is already a VHD file.
In this procedure, you will create a virtual machine that will become the Master Target Device. You will then use the utilities to convert the workload of the Master Target Device to a vDisk (VHD) file.
To Create a New Master Target Device
1. Right-click the Windows Server template in XenCenter and then click New VM wizard to create a VM that will be used to create the target devices and vDisks for use with Provisioning Services.
   Right-click the WinServer2012R2_template template in XenCenter and then click New VM wizard.
2. Verify that the correct template is selected and then click Next.
   Verify that WinServer2012R2_template is selected and then click Next.
   You are using a template that already has the hypervisor tools installed. If you were creating the VM from scratch, you would need to install the hypervisor tools on the VM before you use the VM to create a vDisk.
3. Type the desired name for the VM in the Name field and then click Next.
   Type MasterTargetDevice-1 in the Name field and then click Next.
4. Verify the selection in the DVD drive field and then click Next.
   You do not need to install an operating system on this VM, because the selected Windows Server 2012 R2 template has the operating system installed on it.
5. Determine on which XenServer the VM should start and then click Next.
   Select Place the VM on this server and then click Next.
6. Specify the number of vCPUs and memory to allocate to the VM and then click Next.
   Verify that 2 vCPUs and 2048 MB memory are allocated and then click Next.
   The number of vCPUs depends on the workload and should not exceed the logical cores within the hardware. The limit is 16 vCPUs per VM. A typical Provisioning Services VM should have 2 vCPUs. A typical Provisioning Services VM should have 2 GB or more of memory allocated for a 64-bit operating system.
7. Specify the storage settings for this VM and then click Next.
   Accept the default storage settings and then click Next.
8. Select the network interfaces that will be used and then click Next.
   Verify that Internal is selected and then click Next.
9. Review the settings for this VM for accuracy.
   If changes need to be made, use the Previous button to return to previous pages.
10. Determine if you want to start the VM at this time and then click Create Now.
   Verify that Start the virtual machine automatically is selected and then click Create Now.
11. Click the new Master Target Device in the left pane of XenCenter and then click the Console tab.
   Click MasterTargetDevice-1 and then click the Console tab.
   After the VM restarts, you will perform an initial configuration of the VM.
12. Select the appropriate region, language, and keyboard layout settings, and then click Next.
   a. Verify that:
      • United States is selected in the Country/Region field.
      • English (United States) is selected in the Language field.
      • US is selected in the Keyboard layout field.
   b. Click Next.
13. Read and respond to the license agreement.
   Click I accept.
14. Type a password for the local administrator account and then click Finish.
   Type Password1 in both the Password and Reenter password fields and then click Finish.
15. Log on to the VM using local administrator credentials.
   Log on using the Administrator and Password1 credentials.
16. Click Local Server in Server Manager and then click the link next to Computer Name.
17. Click Change in the System Properties window.
18. Type a name for the new Master Target Device in the Computer name field.
   Type MTD-1 in the Computer name field.
19. Select Domain, type the name of the domain in the Domain field, and then click OK.
   Select Domain, type training.lab, and then click OK.
20. Type the domain administrator credentials in the Computer Name/Domain Changes window and then click OK.
   Type the Administrator and Password1 credentials and then click OK.
21. Wait while the computer joins the domain and then click OK twice.
22. Click Close and then click Restart Now.
Installing the Virtual Delivery Agent
The Virtual Delivery Agent (VDA) is required to make HDX (ICA) connections to the vDisk from the target device and must be installed on the Master Target Device prior to creating the vDisk and assigning the vDisk to a target device. The Virtual Delivery Agent was formerly known as the Virtual Desktop Agent in previous releases of XenDesktop.

To Install the Virtual Delivery Agent
In this procedure, you will be installing the standard VDA.
1. Log on to the Master Target Device using your domain administrator credentials.
   Log on to MasterTargetDevice-1 using the TRAINING\Administrator and Password1 credentials.
2. Insert the XenApp and XenDesktop installation media in the DVD drive.
   Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
3. Click the File Explorer icon in the taskbar.
4. Click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
   If the installation wizard does not start, double-click AutoSelect.
6. Click Start next to XenDesktop.
7. Click Virtual Delivery Agent for Windows Server OS.
   The Virtual Delivery Agent for Desktop OS is not available because a Server operating system was detected on the VM.
8. Select Create a Master Image and then click Next.
9. Verify Citrix Receiver is selected and then click Next.
10. Specify how the location of the Delivery Controllers will be configured.
   Select Do it manually.
   You cannot allow Machine Creation Services to specify the Delivery Controller locations, because Provisioning Services is being used to deliver the vDisk.
11. Type the FQDN of the first Delivery Controller in the Controller address field, click Test connection, and then click Add.
   Type c-1.training.lab in the Controller address field, click Test connection, and then click Add.
12. Type the FQDN of the second Delivery Controller in the Controller address field, click Test connection, and then click Add.
   Type c-2.training.lab in the Controller address field, and then click Add.
   You are not testing the connection to Controller-2 (c-2.training.lab) in the lab environment, because it is currently shut down.
13. Click Next after all Delivery Controllers have been added.
14. Select the features to install and then click Next.
   Verify that all features are selected and then click Next.
   If you are installing the Virtual Delivery Agent on a workstation OS machine, you will have the option to install Personal vDisk functionality. If you opt to install the Personal vDisk, keep in mind that you must run the Update Personal vDisk tool after the Virtual Delivery Agent installation is completed.
15. Select the port configuration method to use and then click Next.
   Verify that Automatically is selected and then click Next.
   If the VDA will use the default ports for communication, select Automatically. If the VDA will use alternate port assignments, select Manually to configure the ports after installation.
16. Click Install.
17. Click Close and then wait for the Master Target Device to restart.
   The Master Target Device will restart automatically after a few seconds if you do not click Close. The VDA is configured after the VM is restarted. Do not eject the XenApp and XenDesktop media from the DVD drive. Doing so will cause the installation of the VDA to be incomplete and result in desktops created from the image failing to register.
18. Wait while the Master Target Device updates and automatically restarts again.
   This will take approximately 5 minutes.
19. Log on to the Master Target Device on which you installed the VDA using domain administrator credentials to complete the configuration of the VDA.
   Log on to MasterTargetDevice-1 using the TRAINING\Administrator and Password1 credentials.
20. Wait while the prerequisites and selected core components are installed and initialized.
   This will take approximately 5 minutes.
21. Verify that Restart machine is selected and then click Finish.
22. Wait while the VM restarts.
23. Log on to the Master Target Device using domain administrator credentials.
   Log on to MasterTargetDevice-1 using the TRAINING\Administrator and Password1 credentials.
24. Eject the XenApp and XenDesktop media from the DVD drive.
   Click Eject to the right of the DVD Drive 1 field to remove the XenDesktop media.
25. Install applications on the Master Target Device, if desired.
   Do not complete this step, or the next step, within the lab environment, because you will not be using the Personal vDisk feature in this environment.

Creating the vDisk
After the operating system and desired software are installed on the Master Target Device, you must convert the hard drive of the Master Target Device into a vDisk file. The resultant vDisk file is stored on a Provisioning Services server or shared storage so it can be accessed by any Provisioning Services server that will provide the vDisk to target devices.
To Convert the Hard Drive of the Master Target Device to a vDisk
1. Log on to the Master Target Device using your domain administrator credentials.
   Log on to MasterTargetDevice-1 using the TRAINING\Administrator and Password1 credentials.
2. Insert the Provisioning Services installation media in the DVD drive.
   Select Citrix_ProvisioningServices_7_6_English.ISO in the DVD Drive 1 field.
3. Click Desktop and then click the File Explorer icon in the taskbar.
4. Click This PC.
5. Double-click CD Drive (D:) to start the installation wizard.
   If the installation wizard does not start, double-click autorun.
6. Click Target Device Installation and then click Target Device Installation again.
7. Click Next on the Welcome screen of the Installation wizard.
8. Read and respond to the license agreement.
   Select I accept the terms in the license agreement and then click Next.
9. Type the customer information in the appropriate field, determine for whom the application is being installed, and then click Next.
   Click Next to accept the default selections.
10. Specify a destination folder and then click Next.
   Click Next to accept the default destination folder.
11. Click Install and wait while the installation completes.
12. Verify that Launch Imaging Wizard is selected and then click Finish.
13. Click Next on the Welcome screen of the Imaging wizard.
14. Type the IP address of the first Provisioning Services VM and then click Next.
   Type 192.168.10.31 and then click Next.
15. Determine whether a new or existing vDisk will be used and then click Next.
   Select Create new vDisk and then click Next.
16. Type a name for the new vDisk.
   Type Win2012R2vDisk.
17. Select the vDisk type and then click Next.
   Select Dynamic and then click Next.
   The Fixed vDisk type allocates 100% of the space allocated for the vDisk immediately. The Dynamic vDisk type allocates space as it is needed. A Dynamic vDisk starts out small and then grows up to the maximum amount of space allocated as it is needed.
18. Select the Volume Licensing method to be used with the vDisk and then click Next.
   Select Key Management Service (KMS) and then click Next.
19. Define the size of each volume and then click Next.
   Click Next to accept the default volume sizes.
20. Type a name for the target device and then click Next.
   Type Win2012R2TD and then click Next.
21. Click Optimize for Provisioning Services, click OK, and then click Finish.
22. Click No in the Reboot message and then click No again.
   Do not restart the VM at this point.
23. Click Exit in the Provisioning Services installation program.
24. Eject the installation media from the DVD drive.
   Click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation media.
25. Click the General tab for the Master Target Device VM in XenCenter and then click Properties.
   Click MasterTargetDevice-1 in XenCenter, click the General tab, and then click Properties.
26. Click Boot Options and then select Network.
27. Move Network to the top of the list to force the VM to start up from the network instead of from the hard drive and then click OK.
   Click Move Up until the Network option is at the top of the list; deselect DVD-Drive and Hard Disk, and then click OK.
   Recall that the PXE boot option was set during the initial Provisioning Services installation.
28. Right-click the Master Target Device VM in XenCenter and then click Reboot.
   Right-click MasterTargetDevice-1 and then click Reboot.
29. Click Yes in the Reboot VM message.
30. Log on to the Master Target Device VM using your domain administrator credentials.
   Log on to the MasterTargetDevice-1 VM using the TRAINING\Administrator and Password1 credentials.
   After you log on, you will see the XenConvert progress window for the vDisk capture process. Do not restart the VM until the XenConvert process completes. This process takes around 30-45 minutes.
31. Wait while the XenConvert process completes and then click Finish.
32. Shut down the Master Target Device VM.
   Right-click MasterTargetDevice-1, click Shut Down, and then click Yes to confirm.
33. Log on to the first Provisioning Services VM using the domain administrator credentials.
   Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
34. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
35. Type the NetBIOS name or IP address of the first Provisioning Services server in the Name field and then click Connect.
   Type PVS-1 and then click Connect.
36. Double-click the farm name > Sites > site name > vDisk Pool in the left pane of the Provisioning Services Console.
   Double-click Farm (PVS-1) > Sites > Site > vDisk Pool.
37. Verify that the newly created vDisk is listed.
   Verify that Win2012R2vDisk is listed.
38. Double-click Device Collections > Collection in the left pane of the Provisioning Services Console.
39. Verify that the newly created target device is listed.
   Verify that Win2012R2TD is listed.
40. Double-click Stores > store name in the left pane of the Provisioning Services Console.
   Double-click Stores > Store.
41. Verify that the newly created vDisk is listed.
   Verify that Win2012R2vDisk is listed.

Discussion Question
What does XenConvert do?

Setting the vDisk Mode
In order to understand the vDisk mode, you must first understand the concept of VHD types. There are two types of VHD files: static and dynamic. A static VHD file will physically be the full size of the configured vDisk. A dynamic VHD file will only be as large as the amount of data written to the vDisk. You can set the VHD type during the XenConvert process.
For example, if you configure a VHD file for 40 GB, but install only 10 GB of operating system and applications on it and then set the type as static, the VHD will have a footprint of 40 GB. If you set the 40 GB VHD file as dynamic, it will have a footprint of 10 GB. Target devices will see a 40 GB hard drive regardless of the type of VHD file to which they connect.
A vDisk can be placed in one of two modes: standard or private. Only one mode can be applied to a vDisk at a time. Any vDisk can be changed from one mode to another as long as there are no current connections to the vDisk. You set the vDisk mode in the Properties of the vDisk using the Provisioning Services Console.
A vDisk in private image mode is read/write. In private image mode, only one target device can start up from the vDisk at a time, and that vDisk is most likely dedicated to a specific target device. Because a private vDisk is read/write, there is no need for a write cache; all system write-backs are written directly to the VHD file.
A vDisk in standard image mode is read only. In standard image mode, multiple target devices can start up from the same vDisk. Because a vDisk in standard image mode is read only, it requires a write cache file for each started target device. The write cache contains the information that the system would typically write back to a hard drive. If the hard drive is read only, you need to have a place for the write-back information.
As a general rule, a write cache size of 300 - 500 MB per end user should cover mostly text-based workloads and daily restarts. Graphics-based workloads will require a considerably larger write cache. The size of the write cache should be determined using a workload analysis for the organization. If the write cache is placed on the local disk of each Provisioning Services server, there may not be a smooth transition to the remaining Provisioning Services servers in the event of failover, because the write cache will be inaccessible. Therefore, server-side caching on the local disk is not recommended for fault tolerance. Target device RAM provides the best performance for the write cache, but has limited space and is not persistent.
To Set the vDisk Mode
1. Log on to the Provisioning Services VM using domain administrator credentials.
   Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect.
   Verify that PVS-1 appears in the Name field and then click Connect.
4. Double-click the farm name > Stores > store name to display the contents of the store.
   Double-click Farm (PVS-1) > Stores > Store.
5. Right-click the vDisk in the store and click Properties.
   Right-click Win2012R2vDisk and then click Properties.
6. Specify the access mode and write cache type on the General page and then click OK.
   Click Standard Image (multi-device, read-only access) in the Access mode field, click Cache in device RAM with overflow on hard disk in the Cache type field, and then click OK.
   You cannot manage the vDisk properties if the vDisk is in use by any target device. The vDisk will appear locked and must first be unlocked. Unlocking a vDisk that is in use by any device runs the risk of corrupting data on the vDisk.
Discussion Question
In Provisioning Services, private image mode identifies a vDisk as being available to only one target device. What term is used in Machine Creation Services to specify that a VM is dedicated to a single end user?
In Provisioning Services, standard image mode identifies a vDisk as being available to many target devices. What term is used in Machine Creation Services to specify that a VM can be used by many end users?
Assigning a vDisk to a Target Device
Whenever a new target device is added to the environment, you must assign a vDisk to it. There are multiple ways to assign a vDisk to a target device:
• Manually create the target device in the Provisioning Services console and assign it a vDisk.
• Import a comma-delimited file with a list of MAC addresses.
• Auto-add the target device to the Provisioning Services server. This will automatically add the default vDisk to the target device.
When a vDisk is assigned to a target device, the MAC address of the target device is mapped to the vDisk. A vDisk in standard image mode can have multiple mappings (multiple target devices/one-to-many). A vDisk in private image mode can have only a single mapping. Target devices are always identified by the MAC address. If you clone a target device and do not randomize the MAC address, you will have multiple target devices with the same MAC address and you will have conflicts in the environment.
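Because target devices are identified solely by MAC address, a cloned device that kept its source MAC collides with it in the farm. The check below is an added example, not part of the course or of the Provisioning Services tooling: it screens a device list before it is imported, flagging malformed and duplicate addresses. The one-device-per-line "DeviceName,MAC" layout of the sample is an assumption made for this example and is not the documented PVS import format.

```powershell
# Added example (not from the course): sanity-check a target device list before
# importing it. The "DeviceName,MAC" layout is assumed for this example only.

# Constructed sample: TD-03 is a clone that kept TD-02's MAC (written with a
# different separator style), and TD-05 has a malformed address.
$SampleImport = @'
DeviceName,MAC
TD-01,00-16-3E-0A-00-01
TD-02,00:16:3e:0a:00:02
TD-03,00-16-3E-0A-00-02
TD-04,0016.3E0A.0004
TD-05,00-16-3E-0A-00-ZZ
'@

function Test-TargetDeviceMacList {
    param([string]$CsvText)
    $rows = $CsvText | ConvertFrom-Csv
    $seen = @{}   # normalised MAC -> first device that claimed it
    foreach ($row in $rows) {
        # Normalise dash, colon and dotted notations to 12 upper-case hex digits so
        # that the same address written two ways is still detected as a duplicate.
        $mac = ($row.MAC -replace '[-:.]', '').ToUpperInvariant()
        $status = if ($mac -notmatch '^[0-9A-F]{12}$') {
            'InvalidMac'
        } elseif ($seen.ContainsKey($mac)) {
            "DuplicateOf:$($seen[$mac])"
        } else {
            $seen[$mac] = $row.DeviceName
            'OK'
        }
        [pscustomobject]@{ DeviceName = $row.DeviceName; Mac = $mac; Status = $status }
    }
}

$result = Test-TargetDeviceMacList -CsvText $SampleImport
$result | Format-Table -AutoSize

# Refuse the import if any device would collide with or fail to map to a vDisk.
$problems = @($result | Where-Object Status -ne 'OK')
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) device(s) must be fixed before import (expected here: TD-03, TD-05)"
}
```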
To Assign a vDisk to a Target Device
The following procedure is provided for information purposes only. You do not need to complete this procedure in the lab environment.
1. Log on to a Provisioning Services VM using domain administrator credentials.
2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect.
4. Double-click the farm name > Sites > site name > Device Collection > collection name.
5. Right-click the name of a target device in the right pane and then click Properties.
6. Click the vDisks tab.
7. Click Add, select the vDisk to add, and then click OK twice.
   You can remove a vDisk from a target device using the Properties of the target device.

Discussion Question
What happens if more than one vDisk is assigned to a target device?
Creating the Machine Catalog
The XenApp and XenDesktop Setup Wizard can be used to create machine catalogs of target devices from the Master Target Device and Provisioning Services. Machine catalogs created with the XenApp and XenDesktop Setup Wizard are displayed in Citrix Studio and are managed like machine catalogs created using Machine Creation Services.

To Create a Diskless Target Device Template
Prior to creating a machine catalog for use with a vDisk, you must have a template that you can use to create the diskless target devices that start from the network rather than a hard drive. The target devices created from this template will use PXE or BDM to start and will be associated with a vDisk using Provisioning Services.
1. Create a new template or make a copy of an existing template in XenCenter.
   a. Right-click WinServer2012R2_template and then select Copy.
   b. Type TD with no storage_template in the Name field and then click Copy.
   You are using an existing template to simplify the template creation process.
2. Click the template in XenCenter and then click the General tab.
   Click the TD with no storage_template VM in XenCenter and then click the General tab.
3. Click Properties.
4. Click Boot Options in the left pane.
5. Select Network and then click Move Up until Network is the first item listed. Deselect the DVD and Hard Disk options as well.
6. Click OK.
7. Click the Storage tab to remove the hard drive from the target device so you can use PXE or BDM to start and use a vDisk.
8. Select the virtual disk, click Delete, and then click Yes in the Delete System Disk message.
   Select WinServer2012R2_template, click Delete, and then click Yes in the Delete System Disk message.
© Copyright 2015 Citrix Systems, Inc.
Module 7: Setting Up Provisioning Services
205
To Create the Machine Catalog

1. Log on to the Provisioning Services VM using domain administrator credentials. Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
3. Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect. Verify that PVS-1 appears in the Name field and then click Connect.
4. Double-click farm name > Sites. Double-click Farm (PVS-1) > Sites.
5. Right-click the site name and then click XenDesktop Setup Wizard. Right-click Site and then click XenDesktop Setup Wizard.
6. Click Next on the Welcome screen.
7. Type the name of a Delivery Controller in the XenDesktop Controller address field and then click Next. Type C-1 and then click Next.
8. Select the host network and then click Next. Select XenApp and XenDesktop Network and then click Next.
9. Type the log on credentials of the host (XenServer) and then click OK. Type root in the Username field, type the Password provided to you in the beginning of the lab, and then click OK.
10. Select a VM template to use for the Master Target Devices and then click Next. Select TD with no storage_template and then click Next.
11. Select a Standard image mode vDisk and then click Next. Select Store\Win2012R2vDisk and then click Next.
12. Determine if a new or existing catalog will be used and then click Next. Select Create a new catalog, type Win2012R2PXE in the Catalog name field, and then click Next.
13. Specify the type of operating system machines to create in the catalog and then click Next. Select Windows Server Operating System and then click Next.
   You must be careful to select the correct type of desktop at this point. Selecting the incorrect OS will result in an unusable machine catalog.
14. Specify the virtual machine preferences for vCPUs, memory, Personal vDisk size and drive letter, and startup mode, and then click Next.
   a. Select 1 in the Number of virtual machines to create field.
   b. Select 2 in the vCPU field.
   c. Select 2048 MB in the Memory field.
   d. Select PXE boot (requires a running PXE service).
   e. Click Next.
   Personal vDisk is not available, because you are creating a machine catalog based on the Windows Server OS.
15. Determine whether to use existing Active Directory accounts or to create new ones for the new target device machines in the machine catalog and then click Next. Verify that Create new accounts is selected and then click Next.
   If you are creating new accounts, you must specify the OU where they should be created. The Active Directory organizational units must be created before you complete this step.
16. Specify the domain and OU to which the new target devices in the machine catalog will be added in Active Directory. Select training.lab in the Domain field and then double-click training.lab > Training Virtual Desktops > Servers.
17. Determine the account naming scheme and then click Next. Type Win2012R2PXE-##, verify that the 0-9 enumeration scheme is selected, and then click Next.
   This will be the naming scheme associated with the target devices that will use the Win2012R2vDisk vDisk.
18. Click Finish and wait for the VMs (target devices) to be created in the machine catalog.
19. Verify that the new target devices appear in XenCenter and then click Done. Verify that Win2012R2PXE-01 appears in XenCenter and then click Done.
20. Log on to a computer hosting Studio using domain administrator credentials. Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
21. Click Start, type Citrix Studio, and then click Citrix Studio.
22. Click Machine Catalogs and then verify that the newly created catalog appears. Click Machine Catalogs and verify that Win2012R2PXE appears in the list.
Discussion Question

Personal vDisk can only be used with which type of desktop?

Creating the Delivery Group

Creating a Delivery Group is not a Provisioning Services function, but in order for end users to connect to the newly created machine catalog of target devices, you can use Studio to create a Delivery Group. Alternatively, if a Delivery Group already exists, you only need to associate that Delivery Group with the new machine catalog. To learn more about administering XenApp and XenDesktop, attend the CXD-203 Managing App and Desktop Solutions with Citrix XenApp and XenDesktop 7.6 course or search http://docs.citrix.com for the relevant topic.
To Create the Delivery Group

1. Log on to the computer hosting Citrix Studio using domain administrator credentials. Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type Citrix Studio, and then click Citrix Studio.
3. Select the Delivery Groups node in the left pane.
4. Click Create Delivery Group in the right pane.
   If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center pane. If you receive an error message stating "There are no available machines in a compatible Machine Catalog. You must create a new Machine Catalog or add machines to an existing one.", use Studio to verify that a machine catalog exists and contains machines that have not been assigned to a Delivery Group. If the machine catalog was newly created and none of its machines have been assigned through a Delivery Group yet, the problem could be that the machine catalog did not create correctly. Create a new machine catalog and delete the corrupted one.
5. Click Next in the Getting Started with Delivery Groups page. If you previously selected Don't show this again, this page will not appear.
6. Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and then click Next. Select Win2012R2PXE, type 1 in the Choose number of machines to add field, and then click Next.
   Because of the limited storage in the lab environment, you only have a single machine available in the machine catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users in the environment.
7. Select the service to deliver in the Delivery Type screen and then click Next. Select Desktops and then click Next.
8. Click Add users to specify which end users will be part of the Delivery Group.
   Only those users added to the Delivery Group will be able to access the selected service (desktops, applications, or desktops and applications).
9. Type the name of the user or group, click Check Names, and then click OK. Type HelpDesk in the Enter the object names to select field, click Check Names, and then click OK.
10. Verify that the appropriate end users appear in the Assign users field and then click Next. Verify that TRAINING\HelpDesk appears and then click Next.
11. Determine how to provide the StoreFront server address to Citrix Receiver and then click Next.
   a. Select Automatically, using the StoreFront servers selected below.
   b. Select https://sfs-1.training.lab.
   c. Select https://sfs-2.training.lab.
   d. Click Next.
12. Type a name for the Delivery Group in the Delivery Group name field that administrators will see. Type Win2012R2Server-HD.
13. Type a Display name in the Display name field that end users will see. Type Win2012R2 Server.
14. Type a description for the machine that end users will see and then click Finish. Leave the description field blank and then click Finish.
15. Right-click the machine associated with the Delivery Group and then click Shut Down. Right-click Win2012R2PXE-01 in XenCenter and then click Shut Down.
   You are shutting down the VM only to save lab environment resources.
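The PowerShell script below is an added example and is not part of the course materials. It uses the XenDesktop Broker SDK snap-in that is installed with Studio to list the machines in a catalog that are not yet assigned to any Delivery Group, which is the condition behind the "no available machines in a compatible Machine Catalog" message in step 4. Run it on Controller-1; the catalog name is the lab's, and the snap-in name and property names are those of the 7.6 SDK as the author understands them.

```powershell
# Added example (not part of the course): list a catalog's machines and which of them are
# still free to be consumed by a new Delivery Group. Requires the Broker SDK snap-in
# installed with Studio; catalog name is the lab's Win2012R2PXE.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-CatalogMachineAssignment {
    param(
        [string] $CatalogName  = 'Win2012R2PXE',
        [string] $AdminAddress = 'localhost'   # a Delivery Controller; use C-1 when run from another machine
    )
    $catalog = Get-BrokerCatalog -Name $CatalogName -AdminAddress $AdminAddress -ErrorAction SilentlyContinue
    if (-not $catalog) {
        Write-Warning "Catalog '$CatalogName' does not exist; the XenDesktop Setup Wizard may not have completed."
        return
    }
    # A machine already consumed by a Delivery Group carries that group's name in DesktopGroupName.
    Get-BrokerMachine -CatalogName $CatalogName -AdminAddress $AdminAddress |
        Select-Object MachineName, SessionSupport, PowerState, RegistrationState,
                      @{ n = 'Assigned'; e = { [bool]$_.DesktopGroupName } },
                      DesktopGroupName
}

$machines = @(Get-CatalogMachineAssignment)
$free     = @($machines | Where-Object { -not $_.Assigned })
'{0} machine(s) in the catalog, {1} available for a new Delivery Group' -f $machines.Count, $free.Count
$free | Format-Table -AutoSize

# Compatibility also depends on the catalog's session support matching the Delivery Group type
# (multi-session for Server OS machines), so show that alongside the provisioning type.
Get-BrokerCatalog -AdminAddress localhost | Select-Object Name, SessionSupport, AllocationType, ProvisioningType
```

If the catalog exists but every machine shows Assigned as True, a Delivery Group already consumed it; if the catalog is missing altogether, re-run the XenDesktop Setup Wizard as described in the previous procedure.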
Discussion Question

Delivery Groups are used to assign end users and groups to machines. What methods are available for selecting the end users?
Reinforcement Exercise: Creating BDM Target Devices

During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If you have a question or get stuck, ask the instructor or a fellow student for assistance.

Approximate time to complete: 20 minutes

Now that you know how to:
• Install and configure Provisioning Services.
• Install the Provisioning Services Console.
• Configure DHCP Options 66 and 67.
• Configure the bootstrap file for high availability.
• Create a vDisk and assign it to a target device.
• Create a machine catalog.
• Create the Delivery Group.

You are ready to try your hand at creating a machine catalog and a Delivery Group using a vDisk created in Provisioning Services.

You created a machine catalog for Windows 2012 R2 servers using PXE, but now Training wants you to create a machine catalog that uses the Boot Device Manager (BDM) and a vDisk. Once you create this new machine catalog, Training wants to provide these machines to the XenDesktop Admins group of users at Training.

Here is what you need to do:
1. Ensure that MasterTargetDevice-1 is shut down.
2. Use the XenDesktop Setup Wizard in Provisioning Services to create a new machine catalog called Win2012R2BDM.
3. Use root and Password1 as the credentials for the host (XenServer).
4. Base the machine catalog on the TD with no storage_template and Win2012R2vDisk VMs that you created earlier.
5. Create a single target device and set it to start using BDM.
6. Create new accounts for the target devices in the training.lab > Training Virtual Desktops > Servers OU.
7. Use the default account naming scheme for the target devices.
8. Create a new Delivery Group that assigns Desktops to the XenDesktop Admins group from the newly created target device.
9. Specify both StoreFront servers.
10. Set the name of the Delivery Group to Win2012R2Desktop-XDA (Admin view).
11. Set the Display name to Win2012R2 Desktop (End-user view).
Module 8

Preparing the Environment for Rollout
Preparing the Environment for Rollout

Overview

Prior to rolling the XenApp and XenDesktop environment out for the pilot implementation to internal end users, you should validate that the environment behaves as expected. So far in this course, you have configured a basic implementation of XenApp and XenDesktop to provide internal end users with access to XenApp and XenDesktop resources. Now, you want to test your implementation to ensure that it works correctly before you move on and configure the environment so external end users can access XenApp and XenDesktop resources.

By the end of this module, you will be able to:
• Verify the service account.
• Verify the DHCP scope.
• Verify SSL communications with StoreFront.
• Verify the Provisioning Services vDisks storage location.
• Verify the end-user environment for:
   • Hosted applications.
   • Server OS machines created from a vDisk.
   • Desktop OS machines containing a Personal vDisk.
• Verify the Remote Assistance configuration.
• Verify Delivery Controller high availability.
• Verify SQL Server mirroring.

Module timing: 3.0 hours

At the beginning of this module, the VMs should be in the following states:
• Controller-1 = On
• DomainController-1 = On
• FileServer-1 = On
• ProvisioningServicesHost-1 = On
• SQLServer-1 = On
• SQLServer-Witness = On
• StoreFrontServer-1 = On
• StudentManagementConsole-1 = On
• UniversalPrintServer-1 = On
• All other VMs = Off
Testing a Service Account

In Module 3, you created a policy and applied it to the Training Service Accounts OU in Active Directory to restrict the service accounts used by Provisioning Services (PVS_svc) and SQL Server (SQLAcct1) from being used to log on locally to infrastructure servers. You want to validate that a service account cannot be used to log on locally to any server in the environment.

To Test a Service Account

1. Verify that you are not using the Remote Desktop mode in XenCenter.
   a. Switch to the ProvisioningServicesHost-1 console.
   b. Verify that Switch to Remote Desktop appears to the right of the DVD Drive 1 field in XenCenter. If it does not appear, click Switch to Default Desktop.
   Do not perform this test using Remote Desktop: the log on may fail because the service account is not a member of the Remote Desktop Users group, not because the service account cannot be used to log on locally. Performing this test using Remote Desktop is not a valid test of the ability to log on locally using a service account.
2. Log on to the first Provisioning Services VM using the service account credentials. Log on to ProvisioningServicesHost-1 using the Training\PVS_svc service account and Password1 credentials.
3. Verify that you receive the following message: "The sign-in method you're trying to use isn't allowed. For more information, contact your network administrator." and then click OK to return to the logon screen. If you are able to log on, run gpupdate /force from a command line on the server and then retry the log on.
4. Repeat the test on other servers in the environment, if time permits.
5. Repeat the test using a different service account, if time permits. Repeat the test using the SQLAcct1 account, if time permits.
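The PowerShell script below is an added example and is not part of the course materials. It complements the interactive test above by reading the effective "Deny log on locally" user right (SeDenyInteractiveLogonRight) on the server itself, so you can confirm the Module 3 policy has actually applied to each infrastructure server without typing a service account password at a console. Run it from an elevated prompt on a server such as ProvisioningServicesHost-1; the account names are the lab's.

```powershell
# Added example (not part of the course): read the effective "Deny log on locally" right from the
# local security policy and report whether the named service accounts hold it. secedit requires
# an elevated prompt; run after gpupdate /force if the policy was changed recently.
function Get-DenyLocalLogonAccounts {
    $inf = Join-Path $env:TEMP ('rights_{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the effective local security policy.
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }    # the right is not assigned to anyone on this server
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                # secedit writes principals as *SID; translate back to DOMAIN\name when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            } else {
                $e
            }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-ServiceAccountDenied {
    param([Parameter(Mandatory)] [string[]] $Account)   # e.g. 'TRAINING\PVS_svc'
    $denied = @(Get-DenyLocalLogonAccounts)
    foreach ($a in $Account) {
        [pscustomobject]@{
            Server           = $env:COMPUTERNAME
            Account          = $a
            DeniedLocalLogon = ($denied -contains $a)   # -contains is case-insensitive
        }
    }
}

# The two service accounts the Module 3 policy restricts.
Test-ServiceAccountDenied -Account 'TRAINING\PVS_svc', 'TRAINING\SQLAcct1' | Format-Table -AutoSize
```

If the policy grants the deny right to a group rather than to the accounts directly, the group name is what appears in the exported list, so check the accounts' group membership separately in that case. Running the script on each infrastructure server covers step 4 without repeating the console log on.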
Discussion Question

Why should you deny a service account the ability to log on locally?
Testing the DHCP Scope

In Module 3, you installed DHCP and configured a scope that provided IP addresses to systems that do not have a static IP address assigned to them in the training.lab domain. You specified IP addresses in the range of 192.168.10.60 - 192.168.10.80. In addition, you created a policy in Module 6 that assigned session printers to systems with IP addresses within the DHCP scope. You want to validate that all dynamically assigned IP addresses are within the specified scope to ensure that your session printer policy will be applied correctly.

To Verify IP Addresses Are within the DHCP Scope

1. Select any newly created VM in XenCenter that does not have a static IP address assigned to it. Click Win8-Master in XenCenter and then click the Networking tab.
   You do not need to start the VM.
2. View the IP Address field to determine if the IP address is within the defined DHCP scope. View the IP Address field and determine if the address is within the 192.168.10.60 - 192.168.10.80 address range.
   This is the IP address that was assigned to the machine when it was started. If the machine is on, this is the IP address currently being used by the machine. If the machine is off, this is the IP address that was assigned when it was last started. A different IP address may be assigned to the machine when it starts again.
3. Click the Console tab to return to the console of the VM.
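The PowerShell script below is an added example and is not part of the course materials. Instead of reading one VM's address in XenCenter, it pulls every current lease from the DHCP server and flags any address outside the 192.168.10.60 - 192.168.10.80 range that the Module 6 session printer policy keys on. The IP range is the lab's; the assumption that the DHCP role runs on DomainController-1 is the author's, so change the server name to match your Module 3 installation. The script requires the DhcpServer PowerShell module (RSAT) on the machine it runs on.

```powershell
# Added example (not part of the course): compare every DHCP lease against the address range the
# session printer policy uses. Range is the lab's; the DHCP server name is an assumption.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)] [string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    # Bytes arrive in network (big-endian) order; combine them by hand so ordering is unambiguous
    # and a string comparison (which would sort 192.168.10.7 after 192.168.10.60) is never used.
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InRange {
    param(
        [Parameter(Mandatory)] [string] $Address,
        [string] $Start = '192.168.10.60',
        [string] $End   = '192.168.10.80'
    )
    $n = ConvertTo-IPv4Number $Address
    return ($n -ge (ConvertTo-IPv4Number $Start)) -and ($n -le (ConvertTo-IPv4Number $End))
}

function Get-DhcpLeaseRangeReport {
    param(
        [string] $DhcpServer = 'DomainController-1',   # assumption: DHCP role installed here in Module 3
        [string] $Start      = '192.168.10.60',
        [string] $End        = '192.168.10.80'
    )
    # Walk every IPv4 scope on the server and report each lease with an in-range flag.
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
        foreach ($lease in Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scope.ScopeId) {
            $ip = $lease.IPAddress.ToString()
            [pscustomobject]@{
                Scope     = $scope.ScopeId.ToString()
                IPAddress = $ip
                Client    = $lease.HostName
                ClientId  = $lease.ClientId          # the MAC address for Ethernet clients
                InRange   = Test-IPv4InRange -Address $ip -Start $Start -End $End
            }
        }
    }
}

# Local checks that do not touch the DHCP server: one address inside the range, one just above
# its upper bound, and one that a naive string comparison would misplace.
Test-IPv4InRange '192.168.10.65'
Test-IPv4InRange '192.168.10.81'
Test-IPv4InRange '192.168.10.7'

# Against the live server: anything with InRange = False will not receive the session printer.
Get-DhcpLeaseRangeReport | Where-Object { -not $_.InRange } | Format-Table -AutoSize
```

The same range test is what the session printer policy performs on the client address, so a lease reported out of range here explains a missing Color Laser Printer later in this module.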
Discussion Question

What is the benefit of assigning session printers based on IP addresses?
Testing the Certificates

In Module 3, you installed the Certificate Authority role on the domain controller and then created certificates to secure communications. You want to validate that certificates have been applied to the StoreFront servers and that communications between StoreFront servers and end users are secure.

To Verify Secure Communications with StoreFront

1. Start an internal endpoint that has Citrix Receiver installed and then log on using domain end-user credentials. Double-click the EndPoint-Internal VM in XenCenter and then log on using the Training\HRUser1 and Password1 credentials.
2. Type Receiver on the Start screen and then click Citrix Receiver.
3. Click Log On on the top of the Receiver window.
4. Click Secure connection at the bottom of the Citrix Receiver log on screen.
5. Verify that the certificate was applied to StoreFront by a known Certificate Authority and then click OK. Verify that sfs-1.training.lab (our first StoreFront server) and Training-AD-CA (our internal Certificate Authority) appear in the Secure connection dialog box, click OK, and then click Cancel.
6. Click the Internet Explorer icon in the taskbar of the internal endpoint. Click Internet Explorer in the taskbar of the Endpoint-Internal VM.
7. Type the URL for the Receiver for Web site in the Address field and then press Enter. Type https://sfs-1.training.lab/citrix/store-1Web in the Address field, press Enter, and then click OK in the Security Alert and accept all pop-ups.
8. Verify that the Citrix Receiver log on page appears and that https: appears in the URL in the Address field.
9. Close all open windows.
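The PowerShell function below is an added example and is not part of the course materials. It performs the same check as steps 4 and 5 without a browser or Receiver: it opens a TLS connection to a StoreFront server, reads the certificate the server presents, and reports whether the name matches the host, whether the local machine trusts the issuing chain, and whether the issuer is the lab's Training-AD-CA. The host names sfs-1.training.lab and sfs-2.training.lab are the lab's; everything else is read from the live handshake. Run it from any domain-joined machine that trusts the internal CA, such as EndPoint-Internal.

```powershell
# Added example (not part of the course): inspect the certificate a StoreFront server presents on
# port 443. Host names and the CA name are the lab's; all other values come from the TLS handshake.
function Get-StoreFrontCertificateReport {
    param(
        [string] $HostName = 'sfs-1.training.lab',
        [int]    $Port     = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so it can be reported on; trust is then
        # evaluated explicitly below against the local machine's trusted roots.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain the way Receiver on this endpoint would; revocation is skipped because the
        # lab CA publishes no reachable CRL (an assumption; switch to Online outside the lab).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted    = $chain.Build($cert)
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $statusText) { $statusText = 'OK' }

        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Host               = $HostName
            Protocol           = $ssl.SslProtocol
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            Thumbprint         = $cert.Thumbprint
            NameMatchesHost    = ($dnsName -ieq $HostName)
            ChainTrusted       = $trusted
            ChainStatus        = $statusText
            IssuedByInternalCA = ($cert.Issuer -match 'Training-AD-CA')
        }
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
}

# Check both StoreFront servers that the Delivery Group points Receiver at.
'sfs-1.training.lab', 'sfs-2.training.lab' |
    ForEach-Object { Get-StoreFrontCertificateReport -HostName $_ } |
    Format-List
```

NameMatchesHost and ChainTrusted should both be True on an endpoint that has the internal CA in its trusted roots; a False ChainTrusted with a status of UntrustedRoot on an endpoint is the condition that produces the Security Alert prompt in step 7.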
Discussion Question

For which communications must StoreFront have a valid certificate?
Testing the Provisioning Services Share

In Module 3, you created a file server and a share on which vDisks created in Provisioning Services would be stored. In Module 7, you created a vDisk from a Master Target Device. You want to validate that Provisioning Services was able to successfully store the Win2012R2vDisk in the proper location on the file server.

To Verify the vDisk Storage Location

1. Log on to any system in the domain using domain administrator credentials. Log on to StudentManagementConsole-1 using the Training\Administrator and Password1 credentials.
2. Click the File Explorer icon in the taskbar.
3. Type the UNC path to the shared folder for the vDisks on the file server and then press Enter. Type \\FS-1\vDisks in a blank portion of the location bar at the top of the window and then press Enter.
4. Verify that the vDisk is listed in the folder. Verify that Win2012R2vDisk appears in the folder.
   • The WriteCache folder contains the writes made to the vDisk.
   • The .lok file is the vDisk lock.
   • The .pvp file contains the properties associated with the vDisk.
   • The .vhd file is the actual vDisk.
5. Close all open windows.
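The PowerShell script below is an added example and is not part of the course materials. It inventories the vDisk store from any domain-joined machine using the file types listed above, reporting for each .vhd whether its .pvp properties file is present and whether a .lok file shows it is currently held open, and it lists which identities are allowed to write to the share. The \\FS-1\vDisks path is the lab's; that the store should be writable only by the Provisioning Services service account and administrators is the author's recommendation, not a statement from the course.

```powershell
# Added example (not part of the course): inventory the vDisk store and list who can modify it.
# Share path is the lab's \\FS-1\vDisks; run as a domain administrator.
function Get-VDiskStoreReport {
    param([string] $StorePath = '\\FS-1\vDisks')

    foreach ($vhd in Get-ChildItem -Path $StorePath -Filter *.vhd -File) {
        $pvp = $vhd.FullName -replace '\.vhd$', '.pvp'
        $lok = $vhd.FullName -replace '\.vhd$', '.lok'
        [pscustomobject]@{
            VDisk         = $vhd.BaseName
            SizeGB        = [math]::Round($vhd.Length / 1GB, 2)
            LastWrite     = $vhd.LastWriteTime
            HasProperties = Test-Path -LiteralPath $pvp   # .pvp holds the vDisk's properties
            Locked        = Test-Path -LiteralPath $lok   # .lok present: the vDisk is currently open
            WriteCacheDir = Test-Path -LiteralPath (Join-Path $StorePath 'WriteCache')
        }
    }
}

function Get-VDiskStoreWriters {
    param([string] $StorePath = '\\FS-1\vDisks')
    # Anyone who can modify the store can alter the image every target device boots from, so the
    # write-capable allow entries should be limited to the PVS service account and administrators.
    $acl = Get-Acl -Path $StorePath
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
        } |
        Select-Object @{ n = 'Identity';  e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';    e = { $_.FileSystemRights } },
                      @{ n = 'Inherited'; e = { $_.IsInherited } }
}

Get-VDiskStoreReport  | Format-Table -AutoSize
Get-VDiskStoreWriters | Format-Table -AutoSize
```

With the lab's single vDisk the first table shows one row for Win2012R2vDisk. The Locked column is useful when thinking about the discussion question that follows: a .vhd copied while its .lok file is present is being written to or served at that moment, and the .pvp file carries the properties that go with it.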
Discussion Question

How might you back up a vDisk?
Verifying Internal Access to Hosted Applications

In Module 4, you installed Receiver on an internal endpoint. In Modules 5 and 7, you configured applications and desktops for the end users in the environment, and in Module 6, you configured policies that configure the environment. You want to validate that internal end users can use Receiver to access hosted applications and that the end users' changes are saved appropriately to a profile or to a file share.

Citrix Receiver is installed and configured per end user. If a different end user logs on to an endpoint, the end user must configure Citrix Receiver before it can be used. You can install Citrix Receiver from the Receiver for Web site page.

To Verify Internal Access to Hosted Applications

1. Select an end-user account that has been granted access to hosted applications.
   In Module 5, you granted AcctUser1, AcctUser2, HRUser1, and HRUser2 access to hosted applications using a Delivery Group.
2. Log on to the internal endpoint using the selected end-user account. Log on to EndPoint-Internal using the Training\HRUser1 and Password1 credentials.
3. Verify that an end user can log on to Citrix Receiver.
   a. Type Receiver on the Start screen of the internal endpoint and then click Citrix Receiver.
   b. Click Log On on the top of the Receiver window.
   c. Log on to Receiver using the Training\HRUser1 and Password1 credentials.
   Citrix Receiver appears because you previously installed Citrix Receiver for the Training\HRUser1 end user.
4. Verify that hosted applications are available to the end user from within Receiver.
   In Module 5, you installed applications on the Win2012R2-Master VM, which was used to create Server2012R2-01, and then published the applications as hosted applications by creating a Delivery Group.
   a. Click the + sign on the left side of the screen and then click All Applications to add resources to Receiver for the logged on end user.
   b. Select Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010.
5. Verify that a hosted application will start.
   a. Click Microsoft Word 2010 in Receiver.
   b. Wait while the application starts.
   c. Click OK in the Enter your initials window, which may be behind the Receiver window.
   d. Select Don't make changes in the Welcome to Microsoft Office 2010 screen and click OK.
   This may take several minutes if the VM hosting the application is off. The Delivery Controller must start the VM. Watch as Server2012R2-01 is started. This is the VM that has the Microsoft applications installed and published. When the rotating circle beneath the application icon in Receiver disappears, the application has successfully started. Look in the taskbar if the application does not appear on the screen.
6. Verify that a change to a hosted application will be saved to the end-user's profile.
   In Module 6, you enabled Profile Management in a policy and configured the location where end-users' profile settings would be saved.
   a. Right-click anywhere in the Microsoft Word icon ribbon.
   b. Click Show Quick Access Toolbar Below the Ribbon.
   c. Click the down arrow in the Quick Access Toolbar.
   d. Click E-mail to add the email icon to the Quick Access toolbar.
   e. Close Microsoft Word to save the changes to the end-user's profile.
   f. Select the down arrow to the right of HRUser1 and then click Log Off.
   Due to session lingering, you must wait several minutes prior to logging on to test this functionality.
   g. Click Log On on the top of the Receiver window.
   h. Log on to Receiver using the Training\HRUser1 and Password1 credentials.
   i. Click Microsoft Word 2010 in Citrix Receiver to re-open the application.
   j. Verify that the Quick Access Toolbar is located below the icon ribbon and that the E-mail icon is included on the Quick Access Toolbar, proving that the end-user's changes were saved.
7. Verify that a file saved to the Documents folder or the Desktop will be redirected to the corresponding folders on the file server.
   In Module 3, you configured a share and permissions on the file server and then configured a policy to redirect files that end users saved to their local Documents folder and the local Desktop to folders on the share. To the end user, it will appear as if the file was saved locally even though it is being saved to the share.
   a. Type This is a test.
   b. Click File > Save.
   c. Click the Desktop folder in the left pane.
   d. Type FolderRedirectionTest in the File name field and then click Save.
   e. Click the File Explorer icon in the taskbar of EndPoint-Internal.
   f. Click in a blank portion of the Address field.
   g. Type \\FS-1\Users$\HRUser1 and then press Enter.
   h. Double-click the Desktop folder.
   i. Verify that the FolderRedirectionTest file appears in the folder, proving that folder redirection is working.
   j. Close the File Explorer window.
8. Verify that a session printer is available to the end user.
   In Module 4, you configured the Universal Print Server to provide printers. In Module 6, you created a Session printers policy that specified that any resource in the 192.168.10.60 - 192.168.10.80 IP address range would be provided with a Color Laser Printer.
   a. Click File > Print in Microsoft Word.
   b. Click the down arrow for the Printer field.
   c. Select Color Laser Printer on ups-1, proving that the session printer was allocated to an endpoint in the DHCP scope.
9. Close the Microsoft Word application without printing the document.

Discussion Question

What methods can be used to provide applications to end users using XenApp and XenDesktop?
Verifying Internal Access to a Server OS Machine (PVS)

In Module 4, you installed Receiver on an internal endpoint. In Modules 5 and 7, you configured applications and desktops for the end users in the environment, and in Module 6, you configured policies that customize the environment. You want to validate that internal end users can use Receiver to access a Server OS machine created from a vDisk and that the end-users' changes are saved appropriately to a profile or a file share.

Citrix Receiver is installed and configured per end user. If a different end user logs on to an endpoint, the end user must configure Citrix Receiver before it can be used. You can install Citrix Receiver from the Receiver for Web site page.

To Verify Internal Access to a Server OS Machine Streamed Using PVS

1. Select an end-user account that has been granted access to a Server OS machine.
   In Module 7, you granted HDUser1 and HDUser2 access to a Server OS machine that boots using PXE.
2. Log on to the internal endpoint using the selected end-user account. Log on to EndPoint-Internal using the Training\HDUser1 and Password1 credentials.
3. Verify that an end user can log on to Citrix Receiver.
   If this is the first time the end user has logged on to the endpoint, you will need to configure Citrix Receiver for that end user.
   a. Click Desktop on the Start screen.
   b. Click Internet Explorer in the taskbar. Do not use Internet Explorer from the Start screen.
   c. Type https://sfs-1.training.lab/citrix/store-1Web in the Address field and then press Enter.
   d. Click OK in the Security Alert message, if it appears.
   e. Select I agree with the Citrix license agreement and then click Install.
   f. Select Save in the message that appears at the bottom of the window.
   g. Click Run in the message that appears when the download is completed.
   h. Click Install.
   i. Click Finish and then click Log on.
   j. Type the Training\HDUser1 and Password1 credentials and then click Log On.
   If you do not install Citrix Receiver, an .ICA file will be downloaded to the endpoint. You will not be able to open the .ICA file, because Receiver is not installed on the endpoint.
4. Verify that a Windows Server OS machine is available to the end user within Receiver and that it can be started.
   a. Click Win2012R2 Server.
   b. Click Allow in the Internet Explorer Security window, if it appears.
   c. Click Save in the message that appears on the bottom of the window.
   d. Click Open in the Downloads window.
   e. Wait while the desktop starts.
   f. Verify that HDUser1 appears in the upper-right corner of the Start screen.
   g. Click Read/write access on the HDX File Access window.
   There may be a delay after Step 4a while the Win2012R2PXE-01 VM is started by the Controller. You may need to click Win2012R2 Server a second time if the spinning animation stops and the desktop does not launch. If the Start screen is not visible, click the Windows Server desktop icon in the taskbar.
5. Verify that changes to the Windows Server OS machine are saved to the end-user's profile.
   In Module 6, you configured a share for Profile Management and configured a policy to direct end-users' changes to a Win2012 folder on the share.
   a. Type WordPad on the Start screen.
   b. Right-click WordPad and then click Pin to taskbar to trigger changes to the end-user's profile.
6. Verify that a file saved to the Documents folder or the Desktop will be redirected to the corresponding folders on the file server.
   In Module 3, you configured a share and permissions on the file server and then configured a policy to redirect files that end users saved to their local Documents folder and the local Desktop to folders on the share. To the end user, it will appear as if the file was saved locally.
   a. Click WordPad to open it.
   b. Type Just a Test into the file.
   c. Click File > Save.
   d. Click the Desktop folder in the left pane.
   e. Type FolderRedirectionTest2 in the Filename field and then click Save.
   f. Click the File Explorer icon in the taskbar of Win2012R2 Server.
   g. Click the Desktop folder to verify that it appears to the end user that the FolderRedirectionTest2 file was saved locally.
   h. Click to the left of the down arrow in the Address field.
   i. Type \\FS-1\Users$\HDUser1 and then press Enter.
   j. Double-click the Desktop folder.
   k. Verify that the FolderRedirectionTest2 file appears in the folder, proving that folder redirection is working.
   l. Close the File Explorer window.
7. Verify that a session printer is available to the end user.
   In Module 4, you configured the Universal Print Server to provide printers. In Module 6, you created a Session Printer policy that specified that any resource in the 192.168.10.60 - 192.168.10.80 IP address range would be provided with a Color Laser Printer. If you closed WordPad, click the WordPad icon in the taskbar of the Win2012R2 Server to open it.
   a. Click the Win2012R2 Server desktop icon in the taskbar of Endpoint-Internal.
   b. Click File > Print in WordPad.
   c. Select Color Laser Printer on ups-1 in the Select Printer section of the window, proving that the session printer was allocated to an endpoint in the DHCP scope.
   d. Click Cancel to close the Print window.
8. Verify that a file saved to a folder other than those that are redirected will be copied to the end-user's network copy of their profile.
   In Module 3, you configured a share and permissions on the file server and then configured a policy to redirect the Desktop and Documents folders to the file server; the profile itself is stored in the UPM$ share in a folder named %username%.%domain%. You did not redirect the My Music folder. Content saved to folders that are not redirected is saved to the end-user's profile. You configured Citrix Profile Management to manage the profiles and to use Active Writeback. Without Active Writeback, files in an end-user's profile are only copied to the network share on log off.
   a. Click File > Save As in WordPad.
   b. Click This PC and then click the Music folder.
   c. Type Song List in the Filename field and then click Save.
   d. Close WordPad.
   e. Click the File Explorer icon in the taskbar of EndPoint-Internal.
   f. Click to the left of the arrow in the Address field of the File Explorer window.
   g. Type \\FS-1\UPM$\HDUser1.Training and then press Enter.
   h. Double-click Win2012 > UPM_Profile and then double-click the Music folder.
   i. Verify that the Song List file exists, proving that content saved to folders that are not redirected is saved to the end-user's profile and then copied to the network because of the use of Citrix Profile Management and Active Writeback.
   j. Close the File Explorer window.
   The Song List file may take a moment or two to appear. Either wait up to two minutes for Citrix Profile Management Active Writeback to copy the file to the end-user's network copy of their profile or sign out of Win2012R2-Server to force the entire profile to be copied to the network.
220
Module 8: Preparing the Environment for Rollout
© Copyright 2015 Citrix Systems, Inc.
9. Verify that the end user can successfully log off of a Windows Server OS machine and Citrix Receiver.
a. Click Start in the lower-left corner of the Win2012R2 Server desktop.
b. Click HDUser1 on the Start screen and then click Sign out.
Closing the desktop window without signing the end user out disconnects the desktop. The desktop continues to run.
10. Verify that customizations made to an application were saved to the end-user's profile.
a. Click Win2012R2 Server.
b. Click Allow in the Internet Explorer Security window, if it appears.
c. Click Save in the message that appears on the bottom of the window.
d. Click Open in the Downloads window.
e. Wait while the desktop starts.
f. Click Desktop on the Start screen or click the Windows Server desktop icon in the taskbar.
g. Verify that WordPad appears in the taskbar, proving that customizations made to an application are saved to the end-user's profile.
11. Log off of the Windows Server OS machine and Citrix Receiver.
a. Click Start in the lower-left corner of the Win2012R2 Server desktop.
b. Click HDUser1 on the Start screen and then click Sign out.
c. Click HDUser1 at the top of the Citrix Receiver window and then click Log off.
Discussion Question
You want to provide some end users with a Server OS machine and other end users with hosted applications but not a server desktop. What is the most effective way of doing this?
Verifying Internal Access to a Desktop OS Machine
In Module 4, you installed Receiver on an internal endpoint. In Modules 5 and 7, you configured applications and desktops for the end users in the environment, and in Module 6, you configured policies for the environment. You want to validate that internal end users can use Receiver to access a Desktop OS machine containing a Personal vDisk and that the end-users' changes are saved appropriately to a profile, to a file share, or to the Personal vDisk.
Citrix Receiver is installed and configured per end user. If a different end user logs on to an endpoint, the end user must configure Citrix Receiver before it can be used. You can install Citrix Receiver from the Receiver for Web site page.
To Verify Internal Access to a Desktop OS Machine with a Personal vDisk
1. Select an end-user account that has been granted access to a Desktop OS machine. In Module 5, you granted AcctUser1 and AcctUser2 access to a Desktop OS machine configured to use a Personal vDisk.
2. Log on to the internal endpoint using the selected domain end-user account. Log on to EndPoint-Internal using the Training\AcctUser1 and Password1 credentials.
3. Verify that an end user can log on to Citrix Receiver.
If this is the first time the end user has logged on to the endpoint, you will need to configure Citrix Receiver for that end user.
a. Click Desktop on the Start screen.
b. Click Internet Explorer in the taskbar. Do not use Internet Explorer from the Start screen.
c. Type https://sfs-1.training.lab/citrix/store-1Web in the Address field and then press Enter.
d. Click OK in the Security Alert message, if it appears.
e. Select I agree with the Citrix license agreement and then click Install.
f. Select Save in the message that appears at the bottom of the window.
g. Click Run in the message that appears when the download is completed.
h. Click Install.
i. Click Finish and then click Log on.
j. Type Training\AcctUser1 in the User name field.
k. Type Password1 in the Password field and then press Enter or click Log On.
4. Verify that a Windows Desktop OS machine can be started.
a. Click Win8 Desktop.
b. Click Save and then click Open.
c. Verify that AcctUser1 appears in the upper-right corner of the Start screen.
The logon credentials were passed through from Citrix Receiver to the Windows Desktop OS.
5. Verify that changes to the Windows Desktop OS are saved to the end-user's profile.
In Module 6, you enabled Profile Management in a policy and configured the location where end users' profile settings would be saved.
a. Type WordPad on the Start screen.
b. Right-click WordPad and then click Pin to taskbar to trigger changes to the end-user's profile.
6. Verify that a file saved to the Documents folder or the Desktop will be redirected to the corresponding folders on the file server.
In Module 3, you configured a share and permissions on the file server and then configured a policy to redirect files that end users saved to their local Documents folder and the local Desktop to folders on the share. To the end user, it will appear as if the file was saved locally. If the file does not appear in Step 6g, verify that File Explorer was opened on the Win8 Desktop and not on the Endpoint-Internal VM.
a. Click WordPad to open it.
b. Type Just a Test into the file.
c. Click File > Save.
d. Click the Desktop folder in the left pane.
e. Type FolderRedirectionTest3 in the Filename field and then click Save.
f. Click the File Explorer icon in the taskbar of Win8 Desktop.
g. Click Read/write access on the HDX File Access window if it appears.
h. Click the Desktop folder to verify that it appears to the end user that the FolderRedirectionTest3 file was saved locally.
i. Click to the left of the down arrow in the Address field.
j. Type \\FS-1\Users$\AcctUser1 and then press Enter.
k. Double-click the Desktop folder.
l. Verify that the FolderRedirectionTest3 file appears in the folder, proving that folder redirection is working.
m. Close the File Explorer window.
7. Verify that a session printer that you applied in a policy is available to the end user.
In Module 4, you configured the Universal Print Server to provide printers. In Module 6, you created a Session printers policy that specified that any resource in the 192.168.10.60 - 192.168.10.80 IP address range would be provided with a Color Laser Printer. If you closed WordPad, click the WordPad icon in the taskbar of the Win8 Desktop to open it before proceeding.
a. Click File > Print in WordPad.
b. Select Color Laser Printer on ups-1 in the Select Printer section of the window, proving that the session printer was allocated to an endpoint in the DHCP scope.
c. Click Cancel to close the Print window.
8. Verify that a file saved to a folder other than Documents or Desktop will be redirected to the end-user's Personal vDisk.
In Module 3, you configured a share and permissions on the file server and then configured a policy to redirect files that end users saved to the Desktop and the Documents folders to the share. You did not redirect the My Music folder. Content saved to folders that are not redirected is saved to the end-user's profile.
a. Click File > Save as in WordPad.
b. Click This PC and then click the Music folder in the left pane.
c. Type Song List 2 in the Filename field and then click Save.
d. Close WordPad.
e. Click the File Explorer icon in the taskbar of Win8 Desktop.
f. Click This PC.
g. Double-click Citrix Personal vDisk (P:) to open the drive.
h. Double-click the Users > AcctUser1 > Music folders.
i. Verify that Song List 2 appears in the folder.
j. Click AcctUser1 and note that folders that are redirected, such as the Desktop folder, are not present.
9. Verify that a file saved to a folder other than those that are redirected will be copied to the end-user's network copy of their profile.
In Module 3, you configured a share and permissions on the file server and then configured a policy to redirect files that end users saved to the Desktop and the Documents folders to the share. You did not redirect the My Music folder. Content saved to folders that are not redirected is saved to the end-user's profile. We configured Citrix UPM to manage the profiles and to use Active Writeback. Without Active Writeback, files in an end-user's profile are only copied to the network share on log off.
a. Click to the left of the down arrow in the Address field of the File Explorer window.
b. Type \\FS-1\UPM$\AcctUser1.Training and then press Enter.
In Module 3, you configured Profile Management settings in a group policy to save the profile changes to the file server in a UPM$ folder under %username%.%domain%.
c. Double-click Win8 > UPM_Profile and then double-click the My Music folder.
d. Verify that the Song List 2 file exists, proving that content saved to folders that are not redirected is saved to the end-user's profile.
e. Close the File Explorer window.
10. Verify that the end user can successfully log off of the desktop.
a. Click Start in the lower-left corner of the Win8 Desktop.
b. Click AcctUser1 on the Start screen and then click Sign out.
Closing the desktop window without signing the end user out disconnects the desktop. The desktop continues to run.
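The three checks above (Step 6: a redirected file lands on the Users$ share; Step 8: a redirected folder is not captured in the profile; Step 9: a file in a non-redirected folder reaches the UPM$ store only through Active Writeback or at log off) and Step 8 of the Server OS test earlier can be scripted so that the same verification can be repeated for many accounts during rollout. The following PowerShell is an added example, not part of the course or of Citrix Profile Management; it assumes the share names (Users$, UPM$ on FS-1) and the profile store layout \\FS-1\UPM$\<user>.<domain>\<OS>\UPM_Profile shown in the steps, and that it is run by an account allowed to read both shares (for example the HelpDesk administrator). The two-minute wait matches the Active Writeback note in the Server OS test.

```powershell
# Added example (not from the Citrix course): checks where a user's test files
# landed after the folder-redirection and Profile Management steps.
# Assumptions: FS-1 hosts the Users$ (redirected folders) and UPM$ (Profile
# Management store) shares named in the course, and the store layout is
# \\FS-1\UPM$\<user>.<domain>\<OS>\UPM_Profile as shown in the steps.

function Test-UserProfileLayout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $User,            # e.g. AcctUser1 or HDUser1
        [string] $Domain         = 'Training',
        [string] $OsFolder       = 'Win8',                # 'Win2012' for the Server OS test
        [string] $FileServer     = 'FS-1',
        [string] $RedirectedFile = 'FolderRedirectionTest3*',
        [string] $ProfileFile    = 'Song List*',          # 'Song List 2*' for the Desktop OS test
        [int]    $WritebackTimeoutSec = 120               # course allows up to two minutes for Active Writeback
    )

    $redirectRoot = "\\$FileServer\Users`$\$User"
    $profileRoot  = "\\$FileServer\UPM`$\$User.$Domain\$OsFolder\UPM_Profile"

    # 1. A file saved to the redirected Desktop must be on the Users$ share ...
    $redirected = Test-Path -Path (Join-Path $redirectRoot "Desktop\$RedirectedFile")

    # 2. ... and a redirected folder must NOT be captured in the roaming profile store.
    $desktopInProfile = Test-Path -Path (Join-Path $profileRoot 'Desktop')

    # 3. A file saved to a non-redirected folder (Music / My Music) is part of the
    #    profile and reaches the store only via Active Writeback or at log off,
    #    so poll for it instead of failing on the first look.
    $musicPaths = @('Music', 'My Music') | ForEach-Object { Join-Path $profileRoot "$_\$ProfileFile" }
    $deadline   = (Get-Date).AddSeconds($WritebackTimeoutSec)
    $inProfile  = $false
    do {
        $inProfile = @($musicPaths | Where-Object { Test-Path -Path $_ }).Count -gt 0
        if (-not $inProfile) { Start-Sleep -Seconds 5 }
    } while (-not $inProfile -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        User                      = "$Domain\$User"
        RedirectedFileOnShare     = $redirected            # expected: True
        RedirectedFolderInProfile = $desktopInProfile      # expected: False
        ProfileFileWrittenBack    = $inProfile             # expected: True (after writeback or log off)
        Healthy                   = $redirected -and -not $desktopInProfile -and $inProfile
    }
}

# Usage for the Desktop OS test (AcctUser1) and the Server OS test (HDUser1):
Test-UserProfileLayout -User 'AcctUser1' -OsFolder 'Win8'    -ProfileFile 'Song List 2*' | Format-List
Test-UserProfileLayout -User 'HDUser1'   -OsFolder 'Win2012' -ProfileFile 'Song List*'   | Format-List
```

RedirectedFolderInProfile is the check that catches a broken redirection policy: if the Desktop folder shows up under UPM_Profile, the files were roamed with the profile instead of being redirected, which defeats both the storage and the security separation the Module 3 share permissions were set up for.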
11. Verify that customizations made to an application were saved to the end-user's profile.
a. Click Win8 Desktop.
b. Click Desktop on the Start screen of the Win8 Desktop.
c. Verify that WordPad appears in the taskbar, proving that customizations made to an application are saved to the end-user's profile.
d. Click Start in the lower-left corner of the Win8 Desktop.
e. Click AcctUser1 on the Start screen and then click Sign out.
Discussion Question
What is the Update Personal vDisk tool?
Testing Remote Assistance
In Module 6, you created a policy that granted members of the Training Users\IT group the ability to use Remote Assistance. You want to validate that a member of this group can access Director and use it to shadow an end-user's session and assist in correcting an issue that the end user may be having.
You will be using two accounts that are very similar: HRUser1 (Human Resources) and HDUser1 (HelpDesk), and playing the roles of both the end user and the Help Desk administrator. To avoid issues with this test, verify that you are using the correct system and end-user account.
To Test Remote Assistance
1. Log on to Endpoint-Internal using the Training\HRUser1 and Password1 credentials. If another end user is logged on to the Endpoint-Internal VM, click Start, click the end-user name in the upper-right corner of the window, and then click Sign out.
2. Type Receiver, and then press Enter.
3. Log on to Receiver using an end-user account. Log on to Receiver using the Training\HRUser1 and Password1 credentials.
If a message appears stating that some apps are no longer available, click Remove.
4. Click Microsoft Word to start the application. The environment is now ready for you to begin the test.
If Microsoft Word does not appear, click + > All Applications > Microsoft Word to add it.
5. Log on to a VM using the authorized Remote Assistance account credentials of an end user that was added to the Remote Assistance policy. Log on to StudentManagementConsole-1 using the Training\HDUser1 and Password1 credentials.
If another end user is logged on to the StudentManagementConsole-1 VM, click Start, click the end-user name in the upper-right corner of the window and then click Sign out.
6. Open a browser. Click Internet Explorer in the taskbar. Do not use Internet Explorer on the Start screen.
7. Click Ask me later, if a Windows Internet Explorer 10 message appears.
8. Type the URL for Director into the Address field of the browser and then press Enter. Type https://c-1.training.lab/Director in the Address field and then press Enter to open Director.
9. Click OK, if a Security Alert message appears.
10. Log on to Director using authorized Remote Assistance account credentials.
a. Type the Training\HDUser1 and Password1 credentials.
b. Click Log On.
c. Click Not for this site if the message appears to store your password.
11. Type the end-user account to assist in the Search for users field and then press Enter. Type HRUser1 in the Search for users field and then press Enter.
12. Click Shadow, click Save, and then click Open in the Invite.msrcincident message.
13. Switch to the VM being used by the end user you are assisting and then click Yes in the Windows Remote Assistance message. Switch to the Endpoint-Internal VM and then click Yes in the Windows Remote Assistance message. This is the message that the end user will see whenever a Remote Assistance session is started by an authorized helper. In Module 6, you set up a policy to allow members of the Training\HelpDesk, Training\XenDesktop Admins, and Training\Domain Admins groups to be helpers.
14. Verify that you can see the end-user's screen from Director. Switch to the StudentManagementConsole-1 VM and verify that you can see the Microsoft Word document and the Windows Remote Assistance toolbar.
15. Click Request control at the top of the Windows Remote Assistance window.
16. Switch to the VM being used by the end user, and then click Yes in the "Would you like to allow to share control of your desktop?" message. Switch to Endpoint-Internal and then click Yes in the "Would you like to allow HDUser1 to share control of your desktop?" message. If the end user selects No, the Help Desk person will be able to view the screen, but not use the mouse or keyboard within the end-user's session.
17. Switch to the system that is logged on with Director and move the Windows Remote Assistance toolbar out of the way. Switch to the StudentManagementConsole-1 VM and move the Windows Remote Assistance toolbar out of the way by dragging it lower on the screen.
18. Show HRUser1 how to do something in the application or desktop.
a. Click the down arrow in the gray bar directly above the blank Word page.
b. Select Spelling & Grammar from the menu.
c. Point out the ABC icon that is now in the Quick Access toolbar.
19. Switch to the end-user's VM and verify that the change is visible. Switch to the Endpoint-Internal VM and verify that the ABC icon is available in the Quick Access toolbar.
20. Click Stop sharing in the Windows Remote Assistance window. If the Windows Remote Assistance window is not visible, click the icon in the Windows taskbar.
21. Close the Windows Remote Assistance window on the end user's machine.
22. Close the Windows Remote Assistance window on the helper's machine. Switch to the StudentManagementConsole-1 VM and then close the Windows Remote Assistance window.
23. Log off of Director. Click Log Off on the top right of the Director page and then close Internet Explorer.
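The shadowing test relies on two settings from the Module 6 policy: which groups are authorized helpers (Step 13) and whether a helper may take control rather than only view (Step 16). Because anyone in the helper list can see, and with consent drive, an end-user's session, it is worth auditing those settings on a VDA before rollout rather than only clicking through once. The following PowerShell is an added example, not part of the course or of any Citrix component; it assumes the policy is delivered as the standard Windows "Configure Offer Remote Assistance" group policy, which stores its values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (the value and key names below are from that policy and should be checked against your own GPO report), and that the expected helper groups are the three named in Step 13.

```powershell
# Added example (not from the Citrix course): audits the Offer Remote Assistance
# policy on a VDA so you can confirm who may shadow end users and whether
# helpers may request keyboard/mouse control.
# Assumptions: the Module 6 policy is the Windows "Configure Offer Remote
# Assistance" GPO; its registry location and value names are taken from that
# policy and should be verified against your GPO report.

function Get-OfferRemoteAssistancePolicy {
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policy = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue

    # Authorized helpers are stored as value names under the RAUnsolicit subkey.
    $helpers = @()
    $listKey = Join-Path $base 'RAUnsolicit'
    if (Test-Path $listKey) {
        $helpers = (Get-Item $listKey).GetValueNames() | Where-Object { $_ -ne '' }
    }

    [pscustomobject]@{
        Enabled     = [bool]($policy.fAllowUnsolicited -eq 1)             # offers allowed at all
        FullControl = [bool]($policy.fAllowUnsolicitedFullControl -eq 1)  # helper may request control (Step 16)
        Helpers     = @($helpers)
    }
}

function Test-RemoteAssistanceHelpers {
    param(
        # Expected allow-list: the three groups the course names in Step 13.
        [string[]] $ExpectedHelpers = @('Training\HelpDesk', 'Training\XenDesktop Admins', 'Training\Domain Admins')
    )
    $p          = Get-OfferRemoteAssistancePolicy
    $unexpected = @($p.Helpers        | Where-Object { $_ -notin $ExpectedHelpers })
    $missing    = @($ExpectedHelpers  | Where-Object { $_ -notin $p.Helpers })

    [pscustomobject]@{
        Enabled           = $p.Enabled
        FullControl       = $p.FullControl
        Helpers           = $p.Helpers
        UnexpectedHelpers = $unexpected   # any entry here widens who can shadow sessions
        MissingHelpers    = $missing      # Director shadowing will fail for these groups
        Compliant         = $p.Enabled -and ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
    }
}

# Usage on the VDA that hosts the shadowed session (e.g. Server2012R2-01), after gpupdate:
Test-RemoteAssistanceHelpers | Format-List
```

Run it on the machine that hosts the end-user session, since that is where the policy takes effect; a helper group that is present in the registry but not in your expected list is the finding to chase, because the consent prompt in Step 13 is the only thing standing between that group and every user's desktop.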
Discussion Question
You need to assist an end user using Remote Assistance. When you attempt to start the Remote Assistance session, the Microsoft Remote Assistance (.msra) file does not open. What might be the issue?
Testing Delivery Controller High Availability
In Module 4, you configured redundancy to protect your XenApp and XenDesktop environment in the event that one of your Delivery Controller servers went down. For this test, you will assume that the redundant servers are on different hosts. You need to validate that when one of the Delivery Controllers becomes unavailable, the other server will continue to provide resources without impacting your end users. In addition, you want to verify that once a connection is brokered by a Delivery Controller, the connection will continue to run even though the Delivery Controller is no longer available.
In our lab environment, the redundant servers were installed on the same XenServer host due to lab constraints. This means that if the host goes down, the redundant servers in the environment would not provide high availability. In a real-world environment, you would implement your redundant servers (domain controllers, Delivery Controllers, StoreFront servers, Provisioning Services servers, etc.) on different hosts.
To Test Delivery Controller High Availability
1. Verify that the first Delivery Controller is running. Verify that Controller-1 is running.
2. Shut down the second Delivery Controller. Verify Controller-2 is not running. You are shutting down Controller-2 to force the next connection to start using Controller-1.
3. Log on to an internal endpoint using the credentials of an end user that has resources made available to them through XenApp and XenDesktop. Log on to EndPoint-Internal using the Training\HRUser1 and Password1 credentials.
4. Type Receiver on the Start screen and then click Citrix Receiver.
5. Log on to Receiver using the credentials of the end user selected in Step 3. Log on to Receiver using the Training\HRUser1 and Password1 credentials.
6. Start a resource in Receiver. Click Microsoft Word 2010 in Receiver to start the application through Controller-1.
7. Wait while the resource starts. This may take several minutes if the VM hosting the application or desktop is off, because the Delivery Controller must start the VM first. Watch as Server2012R2-01 is started. When the rotating circle beneath the application icon in Receiver disappears, the application or desktop has successfully started. Look in the taskbar if the application or desktop does not appear on the screen.
8. Start the second Delivery Controller. Right-click Controller-2 and then click Start.
9. Wait for the second Delivery Controller to complete its startup and then log on using domain administrator credentials. Log on using the Training\Administrator and Password1 credentials.
10. Click Start, type Studio, and then click Citrix Studio on Controller-2.
11. Shut down the first Delivery Controller to force the next connection to be brokered through the second Delivery Controller and to verify that the original end-user's resource continues to work. Right-click Controller-1, click Shut Down, and then click Yes in the Shut Down VM message.
12. Verify that the resource is still running on the internal endpoint. Click EndPoint-Internal and then verify that Microsoft Word is still running, which proves that a Delivery Controller is not needed once the connection is brokered.
13. Close the resource and then open another resource. Close Microsoft Word 2010, and then click Microsoft PowerPoint 2010 in Receiver to start the application through Controller-2.
14. Shut down the second Delivery Controller VM. Shut down Controller-2.
15. Verify that the resource is still running on the internal endpoint even though no Delivery Controllers are running in the environment. Click EndPoint-Internal and then verify that Microsoft PowerPoint 2010 is still running, which proves that a Delivery Controller is not needed once the connection is brokered.
16. Close the resource. Close Microsoft PowerPoint 2010.
17. Start the first Delivery Controller. Right-click Controller-1, click Start and then log on using the Training\Administrator and Password1 credentials.
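The two facts this test demonstrates (each controller can broker on its own, and a session keeps running after the controller that brokered it is gone) can also be observed from the site database with the Citrix Broker PowerShell SDK that is installed with the Delivery Controller and Studio. The following PowerShell is an added example, not part of the course; it assumes it is run as a site administrator from a machine with Studio (for example Controller-2 during Steps 10 to 12), that c-1.training.lab and c-2.training.lab are the controllers' DNS names (placeholders for your lab values), and that the property names match the Citrix.Broker.Admin.V2 snap-in in your version (confirm with Get-Member if one differs).

```powershell
# Added example (not from the Citrix course): uses the Citrix Broker SDK to list
# controller state and to show that a brokered session keeps the same identity
# and stays Active after the controller that brokered it is shut down.
# Assumptions: Citrix.Broker.Admin.V2 snap-in available (Studio installed);
# controller DNS names and user name below are placeholders for the lab values.

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-ControllerHealth {
    param([string] $AdminAddress = 'localhost')
    # One row per Delivery Controller registered in the site database.
    Get-BrokerController -AdminAddress $AdminAddress |
        Select-Object DNSName, State, LastActivityTime, DesktopsRegistered
}

function Get-SessionSnapshot {
    param(
        [Parameter(Mandatory)] [string] $UserName,     # e.g. 'Training\HRUser1'
        [string] $AdminAddress = 'localhost'
    )
    # Uid identifies the session for its whole life; ControllerDNSName records
    # which controller brokered it. Neither changes when that controller goes away.
    Get-BrokerSession -AdminAddress $AdminAddress -UserName $UserName |
        Select-Object Uid, MachineName, SessionState, ControllerDNSName, BrokeringTime
}

function Compare-SessionSnapshot {
    param(
        [Parameter(Mandatory)] $Before,   # snapshot taken while the brokering controller was up
        [Parameter(Mandatory)] $After     # snapshot taken from the surviving controller
    )
    # Every session seen before the shutdown should still be listed afterwards
    # with the same Uid and an Active (or Disconnected) state.
    foreach ($s in $Before) {
        $match = $After | Where-Object { $_.Uid -eq $s.Uid }
        [pscustomobject]@{
            Uid        = $s.Uid
            Machine    = $s.MachineName
            BrokeredBy = $s.ControllerDNSName
            Survived   = ($null -ne $match) -and ($match.SessionState -in 'Active', 'Disconnected')
        }
    }
}

# Usage during Steps 6 to 12 (placeholders: adjust DNS names and user to your lab):
#   $before = Get-SessionSnapshot -UserName 'Training\HRUser1' -AdminAddress 'c-1.training.lab'
#   ... shut down Controller-1 (Step 11), then ask the surviving controller ...
#   Get-ControllerHealth -AdminAddress 'c-2.training.lab'
#   $after  = Get-SessionSnapshot -UserName 'Training\HRUser1' -AdminAddress 'c-2.training.lab'
#   Compare-SessionSnapshot -Before $before -After $after
```

A Survived value of True for the Word session after Step 11 is the scripted equivalent of Step 12: the session record lives in the SQL site database, not on the controller, so losing the brokering controller affects new launches only.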
Discussion Question
Why is it important that you configure more than one Delivery Controller in your environment?
Testing SQL Server Mirroring
In Module 3, you configured SQL Server mirroring to protect your XenApp and XenDesktop environment in the event that one of your SQL Servers went down or became unavailable. For this test, you will assume that the SQL Servers are on different hosts. You need to validate that when one of the SQL Servers goes down, the SQL Server Witness will immediately notify the other SQL Server to take over. To test this, you need to shut down one of the SQL Servers, make a change in Citrix Studio, and then verify that the information is available to the other SQL Server when it comes back online.
In our lab environment, the SQL Servers were installed on the same XenServer host due to lab constraints. This means that if the host goes down, all of the SQL Servers would be unavailable and XenApp and XenDesktop would fail. In a real-world environment, you would implement your SQL Servers on different hosts.
To Test SQL Server Mirroring
1. Verify that the first SQL Server and the SQL Server witness are running. Verify that the SQLServer-1 and SQLServer-Witness VMs are running. If they are not running, start them before proceeding.
2. Shut down the second SQL Server. Verify SQLServer-2 is not running; if it is, shut it down. You are shutting down SQLServer-2 to ensure that the change is being reflected on SQLServer-1. Remember that the Delivery Controller stores all information in the SQL Server database.
3. Log on to a Delivery Controller using domain administrator credentials. Log on to Controller-1 using the Training\Administrator and Password1 credentials.
4. Click Start > Citrix Studio on the Delivery Controller.
5. Click Delivery Groups in the left pane of Citrix Studio.
6. Right-click a Delivery Group and then click Rename Delivery Group. Right-click the Office Apps Delivery Group and then click Rename Delivery Group.
7. Type a new name for the Delivery Group and then click OK. Type Office 2010 Apps in the Specify new name field and then click OK.
8. Verify that the new name appears in the Delivery Groups node on the Delivery Controller, proving that the SQL Server database is available. Verify that Office 2010 Apps appears in the Delivery Groups node.
9. Start the second SQL Server. Right-click SQLServer-2 and then click Start.
10. Wait for the second SQL Server to start. Wait for SQLServer-2 to complete its startup.
11. Log on to the first SQL Server, open SQL Server Management Studio, type the name of the first SQL Server in the Server name field, and then click Connect.
a. Log on to SQLServer-1 as Training\Administrator.
b. Open SQL Server Management Studio.
c. Type SQL-1 in the Server name field and then click Connect.
12. Expand Databases, right-click your XenApp and XenDesktop database, and then select Tasks > Launch Database Mirroring Monitor.
a. Expand Databases.
b. Right-click CitrixMain Site and then select Tasks > Launch Database Mirroring Monitor.
13. Verify that both SQL Servers have green check marks for the Mirroring State and Witness Connection. It may take a couple of minutes for the check marks to appear. Do not proceed to the next step until the check marks are green on both SQL Servers.
14. Return to the first Delivery Controller and then click Refresh. Return to Controller-1 and then click Refresh in the right pane of the Delivery Groups node to refresh the information on the screen.
15. Verify that the new name for the Delivery Group appears. Verify that Office 2010 Apps appears.
16. Shut down the first SQL Server. Right-click SQLServer-1, click Shut Down, and then click Yes in the Shut Down VM message.
17. Wait for the icon for the first SQL Server to turn red in XenCenter.
18. Click Refresh in the console of the first Delivery Controller. Return to Controller-1 and then click Refresh in the right pane of the Delivery Groups node to refresh the information on the screen.
19. Verify that the new name for the Delivery Group appears, proving that SQL Server mirroring is working. Verify that Office 2010 Apps appears.
20. Change the name of the resource back to its original name.
a. Right-click the Office 2010 Apps Delivery Group and then click Rename Delivery Group.
b. Type Office Apps in the Specify new name field and then click OK.
21. Verify that the original name appears in the Delivery Groups node on the Delivery Controller, proving that the SQL Server database is available. Verify that Office Apps appears in the Delivery Groups node.
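The green check marks in Step 13 are a rendering of the sys.database_mirroring catalog view, so the same state can be read with a query and checked on both partners before and after each shutdown instead of waiting on the monitor. The following PowerShell is an added example, not part of the course or of SQL Server's own tooling; it assumes Invoke-Sqlcmd is available (the SQLPS module that ships with SQL Server Management Studio), Windows authentication as an account that holds VIEW DATABASE STATE (Training\Administrator in the lab), the SQL-1 instance name from Step 11 and the CitrixMain Site database from Step 12, and SQL-2 as an assumed name for the partner instance.

```powershell
# Added example (not from the Citrix course): reads the mirroring state that
# Database Mirroring Monitor shows as green check marks straight from the
# sys.database_mirroring catalog view, for every partner you name.
# Assumptions: SQLPS module present; Windows authentication; instance name
# SQL-1 and database 'CitrixMain Site' from the course, 'SQL-2' assumed.

Import-Module SQLPS -DisableNameChecking -ErrorAction SilentlyContinue

function Get-MirroringState {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [Parameter(Mandatory)] [string] $Database
    )
    # mirroring_guid is NULL for databases that are not mirrored at all.
    $query = @"
SELECT DB_NAME(database_id)         AS DatabaseName,
       mirroring_role_desc          AS Role,
       mirroring_state_desc         AS State,
       mirroring_safety_level_desc  AS SafetyLevel,
       mirroring_partner_instance   AS Partner,
       mirroring_witness_name       AS Witness,
       mirroring_witness_state_desc AS WitnessState
FROM   sys.database_mirroring
WHERE  mirroring_guid IS NOT NULL;
"@
    # Filter on the client side rather than interpolating the name into T-SQL.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $query |
        Where-Object { $_.DatabaseName -eq $Database }
}

function Test-MirroringHealthy {
    param(
        [Parameter(Mandatory)] [string[]] $Partners,   # both mirroring partners
        [Parameter(Mandatory)] [string]   $Database
    )
    foreach ($instance in $Partners) {
        try   { $row = Get-MirroringState -ServerInstance $instance -Database $Database }
        catch { $row = $null }                        # partner shut down (Steps 2 and 16)
        [pscustomobject]@{
            Instance     = $instance
            Reachable    = ($null -ne $row)
            Role         = $row.Role                   # PRINCIPAL or MIRROR
            State        = $row.State                  # green check mark == SYNCHRONIZED
            WitnessState = $row.WitnessState           # green check mark == CONNECTED
            # Automatic failover needs high-safety mode (FULL) plus a connected witness.
            AutoFailover = ($row.SafetyLevel -eq 'FULL') -and ($row.WitnessState -eq 'CONNECTED')
            Healthy      = ($row.State -eq 'SYNCHRONIZED') -and ($row.WitnessState -eq 'CONNECTED')
        }
    }
}

# Usage at Step 13 (run as Training\Administrator; SQL-2 is an assumed instance name):
Test-MirroringHealthy -Partners 'SQL-1', 'SQL-2' -Database 'CitrixMain Site' | Format-Table -AutoSize
```

Do not continue past Step 13 until both rows report Healthy; a partner that shows SYNCHRONIZING or a DISCONNECTED witness will not fail over automatically when you shut SQLServer-1 down in Step 16, and the Delivery Controller would lose its database instead of switching to the mirror.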
Discussion Question
In addition to using SQL Server mirroring, what other options are available for protecting the XenApp and XenDesktop and Provisioning Services databases?
Reinforcement Exercise: Verifying Internal Access to a Server OS Machine (MCS)
During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If you have a question or get stuck, ask the instructor or a fellow student for assistance.
Now that you know how to:
• Verify a service account.
• Verify a DHCP scope.
• Verify SSL communications with StoreFront.
• Verify Provisioning Services vDisks storage location.
• Verify the end-user environment for:
  • Hosted applications.
  • Server OS machines created from a vDisk.
  • Desktop OS machines containing a Personal vDisk.
• Verify the Remote Assistance configuration.
• Verify Delivery Controller high availability.
• Verify SQL Server mirroring.
You are ready to try your hand at testing a Server OS machine created using Machine Creation Services to see if you can apply what you have learned.
Approximate time to complete: 15 minutes
During the Reinforcement Exercise in Module 5, you created a Server OS machine for Training using Machine Creation Services. You granted Contractor1 and Contractor2 access to the desktop using a Delivery Group. Now you need to verify that members of the Contractors group can access a Server OS machine and that the end-user experience is as expected.
If you did not complete the Reinforcement Exercise in Module 5, you will not be able to complete this exercise.
Here is what you need to do:
1. Log on to Endpoint-Internal using the Training\Contractor1 and Password1 credentials.
2. Install Citrix Receiver from the Receiver for Web site (https://sfs-1.training.lab/citrix/store-1Web).
3. Verify that Contractor1 can start a Win2012R2 Server desktop.
4. Verify that a file saved to the Documents folder or the Desktop will be redirected to the corresponding folders on the file server.
5. Verify that a file saved to a folder other than Documents or Desktop will be redirected to the end-user's share.
6. Verify that the Color Laser Printer on ups-1 session printer is available to the end user.
7. Pin WordPad to the taskbar.
8. Verify that the change to the Windows Server OS machine (WordPad pinned to the taskbar) is saved to the end-user's profile and is available at next log on.
9. Log off of the Win2012R2 Server desktop, log off of Citrix Receiver and then close Citrix Receiver.
Module 9
Setting Up NetScaler
Setting Up NetScaler
Overview
The Configure NetScaler Gateway for Enterprise Store wizard should not be used with the NetScaler version being used in the lab environment (NetScaler 10.1 Build 123.9). Using this wizard will result in http being used instead of https even though you selected https in the wizard. For this reason, you should follow the steps provided in the exercises rather than use the wizard. The steps in the exercises will bypass this issue.
The Citrix NetScaler product line optimizes delivery of applications over the Internet and private networks, combining application-level security, optimization, and traffic management into a single, integrated appliance. You can install a NetScaler appliance in the DMZ and route all connections from the endpoints to your managed servers through it. The NetScaler features that you enable and the policies you set are then applied to incoming and outgoing traffic. The features available in NetScaler are based on the license installed.
• A NetScaler Gateway Platform license allows an unlimited number of end users to access internal XenApp and XenDesktop resources using ICA proxy without compromising the security of your internal network.
• A NetScaler Gateway Universal license enables a full VPN tunnel, endpoint analysis, policy-based SmartAccess, and clientless access to Web sites and file shares in your internal network.
For more information about NetScaler licensing, search www.citrix.com for "netscaler-data-sheet.pdf".
After completing this module, you will be able to:
• Perform the initial NetScaler configuration.
• Configure NetScaler high availability.
• Load balance StoreFront servers through NetScaler.
• Enable remote access to the StoreFront store.
• Configure HDX (ICA) proxy.
• Configure a pre-authentication policy to scan an endpoint.
• Configure NetScaler for email-based account discovery.
Module Timing: 5.0 hours
© Copyright 2015 Citrix Systems, Inc.
Module 9: Setting Up NetScaler
233
Please perform the following steps to ensure that you will have sufficient lab environment resources available to complete this module.
• Shut down the following VMs:
  • Win2012R2PXE-01 (Wait for this VM to completely shut down before proceeding.)
  • ProvisioningServicesHost-1
  • Server2012R2-01
  • UniversalPrintServer-1
  • EndPoint-Internal
• Start the following VMs:
  • Controller-2
  • EndPoint-External
  • StoreFrontServer-2
• Verify that the following VMs are started before proceeding:
  • Controller-1 = On
  • Controller-2 = On
  • DomainController-1 = On
  • EndPoint-External = On
  • FileServer-1 = On
  • SQLServer-2 = On
  • SQLServer-Witness = On
  • Static-PvD-01 = On
  • StoreFrontServer-1 = On
  • StoreFrontServer-2 = On
  • StudentManagementConsole-1 = On
All other VMs should be off.
To Import the NetScaler Gateway VPX
The NetScaler VPX has already been imported into the lab environment. You should use the pre-created VMs instead of downloading and importing the NetScaler appliance. To experience importing the NetScaler VPX, we have provided an exercise below. Click the following link and use the steps in this course to complete the exercise:
• Importing NetScaler VPX Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.
1. Click File > Import in the XenCenter console.
2. Click Browse and then browse to the location of the NetScaler VPX image file. Click Browse.
3. Select the image file and then click Open. Select the NSVPX-XEN-10.0-54.7_nc.xva image file and then click Open.
4. Click Next.
5. Select the location where the imported VM will be placed. Select the XS1 XenServer and then click Next.
6. Select the local storage repository on which to store the virtual appliance and then click Import to begin the import process. Select NFS virtual disk storage and then click Import.
7. Select the network interface to be used by the VM image and then click Next. Verify that Network 0 is selected on Interface 0 and then click Next.
8. Review the import settings and then click Finish to complete the import process. The imported NetScaler VPX appears in XenServer after the import is finished. The imported NetScaler VPX will be configured in an exercise later in this module.
9. Close the XenCenter window. Click the X in the upper-right corner of the XenCenter window to close the exercise.

Discussion Question
When is the default IP address of 192.168.100.1 / 255.255.255.0 used to configure a NetScaler?
Creating the NetScaler VM

The NetScaler resides in the DMZ between the endpoints and the servers, so that requests for resources and the server responses pass through it. In a typical installation, virtual servers (vServers) configured on the NetScaler provide connection points that endpoints use to access the resources behind the firewall.

The NetScaler VMs are already created in the lab environment. The following procedure is provided for informational purposes only. You do not need to create NetScaler VMs in the lab environment.

To Create a NetScaler VPX VM

The NetScaler template in XenCenter was created by converting the imported NetScaler VPX appliance into a template.

1. Open XenCenter.
2. Right-click the NetScaler template in XenCenter and then click New VM wizard.
3. Verify that the NetScaler template is selected and then click Next.
4. Type a name for the NetScaler in the Name field.
5. Determine the home server for the VM and then click Next.
6. Specify the vCPU and memory to allocate to the VM and then click Next.
7. Specify the vDisks to use and then click Next.
8. Click Properties, select the DMZ network, and then click OK.
9. Click Next and then click Finish.

Discussion Question
How many concurrent end-user connections can a NetScaler VPX support?
Performing the Initial NetScaler Configuration

NetScaler uses FreeBSD as its OS. The NetScaler kernel can be accessed through a browser or an SSH connection. The command-line interface (CLI) on Console 0 is used for the initial configuration of the NetScaler, including the network configuration and device name. All other configuration is performed using the SSH client or the NetScaler Configuration utility.

You should pay close attention whenever you are asked to type anything into the NetScaler interface. Check and then double-check everything before moving to the next step in all NetScaler procedures. This can reduce the amount of troubleshooting you need to do later.

To Perform the Initial Configuration of the First NetScaler

1. Right-click the NetScaler VM in XenCenter and then click Start. Right-click NetScaler-1 and then click Start.
2. Click the Console tab.
3. Type the IPv4 address that you want to assign to the NetScaler at the prompt and then press Enter. Type 192.168.10.33 and then press Enter.
4. Type the subnet mask for the IP address at the prompt and then press Enter. Type 255.255.255.0 and then press Enter.
5. Type the default gateway address at the prompt and then press Enter. Type 192.168.10.1 and then press Enter.
6. Type 4 to save the configuration and then press Enter.
7. Wait approximately 60 seconds for the initialization to finish.
8. Log on to a system that has Java installed to access the NetScaler Configuration utility. Log on to the StudentManagementConsole-1 VM using the TRAINING\Administrator and Password1 credentials.
The StudentManagementConsole-1 VM is being used in this lab to access a browser. Any system with Java installed could be used at this point.
9. Open a browser. Double-click Firefox on the desktop.
Do not use Internet Explorer to manage the NetScaler in this lab environment.
10. Type the IP address that you assigned to the first NetScaler VM into the Address field and then press Enter. Type 192.168.10.33 into the Address field and then press Enter.
11. Type the user name and password into the appropriate fields and then click Login. Type nsroot in both fields and then click Login.
12. Wait for the Setup Wizard to open. If you receive an error about Java, close the error window, and then restart the Setup Wizard.
13. Verify that the NetScaler IP Address is correct. Verify that the NetScaler IP address is 192.168.10.33.
14. Type the Subnet IP (SNIP) in the Subnet IP Address field. Type 192.168.10.34 in the Subnet IP Address field.
15. Type the Subnet IP Address Netmask in the Subnet IP Address NetMask field. Type 255.255.255.0 in the Subnet IP Address NetMask field.
16. Type a host name in the Host Name field. Type NS-1 in the Host Name field.
17. Select the correct time zone in the Time Zone field. Select GMT-5:00-EST-America/Jamaica.
18. Select Change Administrator Password.
19. Type the new password in both password fields. Type Password1 in both password fields.
20. Click Continue.
21. Click Browse in the Update Licenses section.
22. Browse to the location where the license file is stored. Type \\AD\lab_resources in the File Name field and then press Enter.
23. Click the license file and then click Open. Click ns_license.lic and then click Open.
24. Click Continue.
25. Click Done.
26. Click Yes in the Confirm message to restart the NetScaler.

Discussion Question
How do you access the NetScaler Configuration utility?
Configuring NTP

Network Time Protocol (NTP) uses a time server to provide all devices in an environment with an authoritative source from which to synchronize their local clocks. The time server can be private or public. If the servers in the environment do not have their local clocks set consistently, Kerberos authentication may fail and Event Logs may not be time stamped properly. NTP should be configured on the NetScaler immediately after the initial configuration is completed. NTP servers that have been retired or are no longer accessible should be removed from the NetScalers.

In the lab, you are using the domain controller to provide the NTP service.

To Synchronize the Time on the NetScaler

1. Log on to a system that has Java installed using domain administrator credentials. Log on to StudentManagementConsole-1 with the TRAINING\Administrator and Password1 credentials.
2. Open a browser, type the IP address of the NetScaler, and then press Enter. Open Firefox, type 192.168.10.33, and then press Enter.
3. Log on to the NetScaler with the NetScaler credentials. Type nsroot and Password1 and then press Enter.
4. Click System > NTP Servers and then click Add at the top of the NTP Servers tab.
5. Type the IP address of the NTP server in the NTP Server field and then click Create. Type 192.168.10.11 in the NTP Server field and then click Create. This step can be repeated to add additional NTP servers. One of the NTP servers can also be set as preferred.
6. Click Close.
7. Right-click NTP Servers in the left pane and then click NTP Synchronization.
8. Select the desired state and then click OK. Select Enabled and then click OK.
9. Right-click NTP Servers in the left pane and then click NTP Parameters.
10. Set the desired parameters and then click OK. Deselect Authentication and then click OK.

Discussion Question
What will happen if the time server configured to provide NTP services to the NetScaler becomes unavailable?
Configuring NetScaler High Availability

A high availability deployment of two NetScalers can provide uninterrupted operation to any transaction. In a high-availability pair configuration, only one system is active. This system, which is known as the primary, actively accepts connections and manages servers. All shared IP addresses are active on the primary system only.

The secondary system monitors the health of the primary system. If the secondary system senses a failure on the primary system, then the secondary system assumes the role of the primary with all of the primary settings. This process prevents downtime and ensures that the services provided by the NetScaler system remain available even if one system ceases to function.

To set up a NetScaler HA pair:
1. Verify that each NetScaler has a unique NSIP (NetScaler IP address). The NSIP is used to determine which NetScaler is the primary and which is the secondary system. The two NetScalers communicate with each other using the NSIP, and a heartbeat packet is sent every 200 milliseconds via UDP port 3003 to determine the health of the systems.
2. Configure one of the NetScalers with the NSIP of the other NetScaler.
3. Enable the HA pair to complete the configuration.
To Perform the Initial Configuration of the Second NetScaler

1. Right-click the NetScaler VM in XenCenter and then click Start. Right-click NetScaler-2 and then click Start.
2. Log on to a system that has Java installed to access the NetScaler Configuration utility. Log on to the StudentManagementConsole-1 VM using the TRAINING\Administrator and Password1 credentials.
The StudentManagementConsole-1 VM is being used in this lab to access a browser. Any system with Java installed could be used at this point.
3. Open a browser. Double-click Firefox on the desktop.
Do not use Internet Explorer to manage the NetScaler in this lab environment.
4. Type the IP address assigned to the NetScaler VM into the Address field and then press Enter. Type 192.168.10.35 into the Address field and then press Enter.
5. Type the user name and password into the appropriate fields and then click Login. Type nsroot in both fields and then click Login.
6. Wait for the Setup Wizard to open. If you receive an error about Java, close the error window, and then restart the Setup Wizard.
7. Verify that the NetScaler IP Address is correct. Verify that the NetScaler IP address is 192.168.10.35.
8. Type the Subnet IP (SNIP) in the Subnet IP Address field. Type 192.168.10.36 in the Subnet IP Address field.
9. Type the Subnet IP Address Netmask in the Subnet IP Address NetMask field. Type 255.255.255.0 in the Subnet IP Address NetMask field.
10. Type a host name in the Host Name field. Type NS-2 in the Host Name field.
11. Select the correct time zone in the Time Zone field. Select GMT-5:00-EST-America/Jamaica.
12. Select Change Administrator Password.
13. Type the new password in both password fields. Type Password1 in both password fields.
14. Click Continue.
15. Click Browse in the Update Licenses section.
16. Browse to the location where the license file is stored. Type \\AD\lab_resources in the File Name field and then press Enter.
17. Click the license file and then click Open. Click ns_license.lic and then click Open.
18. Click Continue.
19. Click Done.
20. Click Yes in the Confirm message to restart the NetScaler.
To Configure a Second NetScaler for Redundancy

1. Start the first NetScaler VPX, if it is not started. Double-click the NetScaler-1 VM in XenCenter.
2. Start the second NetScaler VPX and wait for it to complete its startup process. Double-click the NetScaler-2 VM and wait for approximately 60 seconds for it to complete its startup.
3. Log on to a system that has Java installed using domain administrator credentials. Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
4. Open a browser, type the IP address of the first NetScaler, and then press Enter. Open Firefox, type 192.168.10.33, and then press Enter.
5. Log on to the first NetScaler using the NetScaler credentials. Log on to NetScaler-1 using the nsroot and Password1 credentials.
6. Expand the System > Network node on the first NetScaler, select IPs, and then write down the NetScaler IP (NSIP) address. This is the IP address of the first NetScaler and must be unique in the environment.
7. Click the Interfaces node in the left pane, scroll to the right in the Interfaces pane, and then verify that HA Monitoring is enabled on interface 1/1.
8. Open another tab in the browser, type the IP address for the second NetScaler, and then press Enter. Open another tab in Firefox, type 192.168.10.35, and then press Enter.
9. Log on to the second NetScaler using the NetScaler credentials. Log on to NetScaler-2 using the nsroot and Password1 credentials.
10. Expand the System > Network node on the second NetScaler, select IPs, and then write down the NetScaler IP (NSIP) address. This is the IP address of the second NetScaler and must be unique in the environment.
11. Click the Interfaces node in the left pane, scroll to the right in the Interfaces pane, and then verify that HA Monitoring is enabled on interface 1/1.
12. Click the tab in the browser for the first NetScaler, browse to the System > High Availability node, and then click Add at the top of the Nodes tab to open the High Availability Setup window.
Performing this procedure on the wrong NetScaler will result in the first NetScaler becoming the secondary node.
13. Activate the Java plugin if it is being blocked by your browser. Click the red icon that appears to the left of the URL, click Allow and remember, and then click Run.
14. Type the NSIP address of the second NetScaler in the Remote Node IP Address field. Type 192.168.10.35.
15. Verify that Configure remote system to participate in High Availability setup and Turn off HA Monitor on interfaces/channels that are down are both selected.
16. Click OK and then click OK in the Information dialog box.
17. Click the Refresh icon at the top of the page for the first NetScaler to refresh the high-availability information. This is not the refresh button for the browser, but a button on the Web page itself.
18. Verify that the IP address of the first NetScaler appears as the primary system, the IP address of the second NetScaler system appears as the secondary system, and that both Node states are Up. Verify that 192.168.10.33 appears as the primary NetScaler, 192.168.10.35 appears as the secondary NetScaler, and that both Node states show as Up.
19. Click the tab in the browser for the second NetScaler and then browse to the System > High Availability node.
20. Click the Refresh icon to refresh the high availability information. This is not the refresh button for the browser, but a button on the Web page itself.
21. Verify that the IP address of the first NetScaler appears as the primary system, the IP address of the second NetScaler system appears as the secondary system, and that both Node states are Up. Verify that 192.168.10.33 appears as the primary NetScaler, 192.168.10.35 appears as the secondary NetScaler, and that both Node states show as Up.

Discussion Question
In the lab environment you configured the NetScalers with one node acting as the primary node and the other acting as the secondary node. What do these roles mean?
Setting Up DNS

NetScaler uses DNS for name resolution. In this procedure, you are adding DNS entries for the virtual servers configured on the NetScaler and configuring NetScaler to use a DNS server for name resolution.

An Address (A) record is an entry in DNS that maps a fully qualified domain name (FQDN) to an IP address. You must set up an A record for the NetScaler and the load-balanced StoreFront servers because you will be creating SSL certificates and the common name will be the FQDN.

1. XenApp and XenDesktop components are installed on physical or virtual machines. Each machine that will be load balanced needs a "server" entity to be created on the NetScaler.
2. "Service" entities are created and associated with each "server" entity.
3. Load balancing "virtual servers" are created for each set of "services" you want to load balance.
4. The "services" are bound to the appropriate "virtual server".
5. A monitor is configured for each "service" on the NetScaler to determine if the actual system to be load balanced, as defined in the "service" and "server" entities, is up and ready to accept connections. If it is offline or experiencing issues, the monitor flags the "service" as down so that the load balancing "virtual server" does not direct communications to it.
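The relationship between the five entities just listed (server, service, monitor, virtual server) as an added Python model; this is illustration, not Citrix code. StoreFrontServer-1's address (192.168.10.28) and the sf virtual server address (192.168.10.51) are the values used in this module, while the second StoreFront server's IP is a constructed placeholder and the probe is a stand-in for a real TCP/HTTP monitor.

```python
"""Model of the NetScaler load-balancing entities described above:
server -> service -> monitor, with a virtual server that only hands
connections to services whose monitor currently reports them UP.

Added illustration, not Citrix code. StoreFrontServer-1 (192.168.10.28)
and the sf vserver address (192.168.10.51) are taken from this module;
the second StoreFront server's IP is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Server:
    """A 'server' entity: one physical or virtual machine to load balance."""
    name: str
    ip: str


@dataclass
class Service:
    """A 'service' entity: a port on a server, plus its monitor result."""
    name: str
    server: Server
    port: int
    # The monitor is modelled as a probe callable returning True when the
    # back end answers on that port (a real monitor would open a TCP/HTTP
    # connection to server.ip:port).
    probe: Callable[[Server, int], bool]
    state: str = "DOWN"

    def run_monitor(self) -> str:
        """Run the monitor and flag the service UP or DOWN accordingly."""
        self.state = "UP" if self.probe(self.server, self.port) else "DOWN"
        return self.state


class LBVirtualServer:
    """A load-balancing 'virtual server' (VIP + port) with bound services."""

    def __init__(self, name: str, vip: str, port: int) -> None:
        self.name = name
        self.vip = vip
        self.port = port
        self.services: List[Service] = []
        self._next = 0  # round-robin cursor

    def bind(self, service: Service) -> None:
        self.services.append(service)

    def state(self) -> str:
        """The vserver is UP only while at least one bound service is UP."""
        return "UP" if any(s.state == "UP" for s in self.services) else "DOWN"

    def pick(self) -> Optional[Service]:
        """Round-robin over UP services; None when every service is DOWN."""
        up = [s for s in self.services if s.state == "UP"]
        if not up:
            return None
        chosen = up[self._next % len(up)]
        self._next += 1
        return chosen


def build_storefront_lb(reachable: Dict[str, bool]) -> LBVirtualServer:
    """Create the server/service/vserver set for the two StoreFront servers.

    `reachable` stands in for what the monitors observe on the network:
    server name -> whether its port answers. It is read on every monitor
    run, so callers can change it and then re-run the monitors.
    """
    sf1 = Server("StoreFrontServer-1", "192.168.10.28")  # lab value
    sf2 = Server("StoreFrontServer-2", "192.0.2.29")     # placeholder IP

    def probe(srv: Server, port: int) -> bool:
        return reachable.get(srv.name, False)

    vs = LBVirtualServer("lb_vsrv_sf", "192.168.10.51", 443)  # sf A record
    for srv in (sf1, sf2):
        svc = Service(f"svc_{srv.name}", srv, 80, probe)
        svc.run_monitor()
        vs.bind(svc)
    return vs


def run_monitors(vs: LBVirtualServer) -> List[str]:
    """Re-run every bound service's monitor; return the resulting states."""
    return [svc.run_monitor() for svc in vs.services]


def route(vs: LBVirtualServer, n: int) -> List[Optional[str]]:
    """Send n connections through the vserver; return the chosen servers."""
    picks = []
    for _ in range(n):
        svc = vs.pick()
        picks.append(svc.server.name if svc else None)
    return picks


if __name__ == "__main__":
    reachable = {"StoreFrontServer-1": True, "StoreFrontServer-2": True}
    vs = build_storefront_lb(reachable)
    print(vs.state(), route(vs, 4))          # UP, alternating SF-1 / SF-2
    reachable["StoreFrontServer-2"] = False  # monitor now sees SF-2 offline
    print(run_monitors(vs), route(vs, 3))    # ['UP', 'DOWN'], all to SF-1
    reachable["StoreFrontServer-1"] = False
    print(run_monitors(vs), vs.state())      # both DOWN -> vserver DOWN
```

Adding a third StoreFront server to this model means one more Server, one more Service bound to the same vserver, and no new virtual server, which is the point of the discussion question that closes this section.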
To Configure DNS A Records for the NetScaler

1. Log on to the domain controller using domain administrator credentials. Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools at the top right of the Server Manager window and then click DNS.
3. Browse to the forward lookup zone for the domain. Browse to ad > Forward Lookup Zones > training.lab.
4. Right-click the domain name and then click New Host (A or AAAA) to create an A record for the NetScaler. Right-click training.lab and then select New Host (A or AAAA).
5. Type a name for the new NetScaler host in the Name field and then type the IP address of the host. Type access in the Name field and then type 192.168.10.50 in the IP Address field.
6. Click Add Host and then click OK.
7. Type a name for the new StoreFront host in the Name field and then type its IP address. Type sf and then type 192.168.10.51 in the IP Address field.
You will create a virtual server tied to this IP address later.
8. Click Add Host and then click OK.
9. Click Done.
10. Log on to a system that has Java installed using domain administrator credentials. Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
11. Open a browser, type the IP address of the first NetScaler, and then press Enter. Open Firefox, type 192.168.10.33, and then press Enter.
12. Log on to the first NetScaler using the NetScaler credentials. Log on to NetScaler-1 using the nsroot and Password1 credentials.
13. Expand the Traffic Management > DNS > Name Servers nodes in the left pane of the first NetScaler.
14. Click Add to add a new Name Server.
15. Type the IP address of the DNS server in the environment into the IP Address field and then click Create. Type 192.168.10.11 in the IP Address field and then click Create.
16. Click Close.

Discussion Question
If you add another StoreFront server to the environment, how many more virtual servers (vServers) do you need to add to NetScaler?
Creating Certificates for NetScaler

Certificates can be issued by a third-party CA or be self-signed. A self-signed certificate guarantees its own trust and security but has no one to "vouch" for it. A third-party certificate is signed by a trusted third-party Certificate Authority root certificate, indicating that the third party "vouches" for it. The root certificates from some large third-party Certificate Authorities are automatically marked as trusted by Web browsers and programs. This is important because browsers check to determine if an encrypted HTTPS connection has a certificate signed by a trusted root certificate. If a certificate is not trusted or is not signed by a trusted root certificate, then end users will be warned that the site should not be trusted. For this reason, all external-facing components in the environment should use certificates signed by a third-party Certificate Authority.
Internal components should be signed by certificates issued by an internal enterprise Certificate Authority. The root certificate of the internal Certificate Authority should be trusted by all internal devices. When using the Microsoft Enterprise Certificate Authority role in an Active Directory infrastructure, the root certificate is automatically distributed to and trusted by all domain-joined machines running a Microsoft operating system. These certificates would not be appropriate to use on external-facing services as the majority of browsers that come across the certificate will not trust it and will present a warning.
Creating a Wildcard Certificate for Internal Resource Access

Wildcard SSL certificates are processed in the same way as regular SSL certificates. Placing a wildcard character before the domain name (for example, *.training.lab) will secure any FQDN ending in .training.lab, but not its subdomains. The wildcard character only covers one full stop (period) in the address. For example, while the certificate would secure the accounts.training.lab and hr.training.lab FQDNs, it would not secure the new.accounts.training.lab FQDN. If you use a third-party certificate issued for a single FQDN in the domain, you would need to purchase additional certificates for each further FQDN. This could become expensive if you have multiple sub-domains. In addition, you would have to manage the expiration and replacement of multiple certificates instead of just one.
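The one-label rule described above, as an added Python example that is not part of the course: it checks which FQDNs a name such as *.training.lab covers and lists the ones that would still need their own certificate. It goes slightly beyond the paragraph by also applying the matching rules browsers generally enforce (wildcard only as the whole leftmost label, case-insensitive comparison, no wildcard directly under a top-level label).

```python
"""Which names a wildcard certificate covers, following the rule above:
'*' stands for exactly one DNS label, so *.training.lab covers
accounts.training.lab and hr.training.lab but not new.accounts.training.lab
or the bare training.lab.

Added example, not part of the course. It also applies the matching rules
browsers generally enforce beyond the single-label rule: the wildcard must
be the entire leftmost label, names compare case-insensitively, and a
wildcard directly under a top-level label (*.lab) is rejected.
"""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels; lower-case, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if "" in p_labels or "" in h_labels:
        return False  # an empty label means a malformed name
    if "*" not in pattern:
        return p_labels == h_labels  # plain name: exact match only
    # Wildcard only as the whole leftmost label and nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # At least two labels must follow the wildcard, so *.lab does not
    # cover every name under .lab.
    if len(p_labels) < 3:
        return False
    # '*' covers exactly one label, so the label counts must be identical;
    # the remaining labels must then match literally.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def uncovered_names(pattern: str, hostnames: Iterable[str]) -> List[str]:
    """Names not covered by `pattern`; each would need its own certificate."""
    return [h for h in hostnames if not hostname_matches(pattern, h)]


if __name__ == "__main__":
    # Constructed list of lab-style names to check against *.training.lab.
    lab_names = [
        "accounts.training.lab",
        "hr.training.lab",
        "new.accounts.training.lab",  # a sub-subdomain: not covered
        "training.lab",               # the bare domain: not covered
        "access.training.lab",
    ]
    for host in lab_names:
        print(f"{host:30} {hostname_matches('*.training.lab', host)}")
    print("still need certificates:", uncovered_names("*.training.lab", lab_names))
```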
To Create a Wildcard Certificate for the Domain

1. Log on to a system that has Java installed using domain administrator credentials. Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
2. Open a browser, type the IP address of the first NetScaler, and then press Enter. Open Firefox, type 192.168.10.33, and then press Enter.
3. Log on to the first NetScaler with the NetScaler credentials. Log on to NetScaler-1 using the nsroot and Password1 credentials.
4. Expand the Traffic Management node in the left pane.
5. Right-click SSL and then click Enable Feature in the NetScaler Configuration utility.
While this step is not a part of creating a certificate, SSL must be enabled on the NetScaler in order to use the certificate that you are creating.
6. Click SSL in the left pane and then click Create RSA Key in the SSL tab.
7. Type a name in the Key Filename field. Type wildcard_training_lab.key in the Key Filename field.
8. Type an appropriate key size in the Key Size (bits) field. Type 2048 in the Key Size (bits) field.
9. Select a key format and a PEM encoding algorithm. Select PEM for the key format and then select DES3 for the PEM encoding algorithm.
10. Type a passphrase in the PEM Passphrase and Confirm PEM Passphrase fields and then click OK. Type Password1 in the PEM Passphrase and Confirm PEM Passphrase fields and then click OK.
11. Click Create CSR (Certificate Signing Request) in the SSL tab.
12. Type a name in the Request File Name field. Type wildcard_training_lab.csr in the Request File Name field.
13. Click Browse to the right of the Key Filename field and then double-click the name of the key file created earlier. Click Browse to the right of the Key Filename field and then double-click wildcard_training_lab.key.
14. Type the password in the PEM Passphrase field. Type Password1 in the PEM Passphrase field.
15. Select the country and then type the state or province to use for the certificate. Select United States in the Country field and then type Florida in the State or Province field.
16. Specify a name for the organization in the Organization Name field. Type Training in the Organization Name field.
17. Type the FQDN of the company or Web site in the Common Name field and then click OK. Type *.training.lab in the Common Name field and then click OK. You are creating a wildcard certificate, so you are using a wildcard character in the FQDN.
18. Click Manage Certificates / Keys / CSRs in the Tools section of the SSL tab.
19. Click Yes to confirm refresh, if a prompt appears.
20. Select the certificate signing request that you created and then click View at the bottom of the window. Select the wildcard_training_lab.csr file and then click View.
Selecting the wrong file will result in you receiving an "ASN1 bad tag value met" error during the certificate request.
21. Press Ctrl+A and then press Ctrl+C to copy all of the text to the clipboard.
22. Click Close and then click Close again.
23. Browse to the internal Certificate Authority issuer and follow their steps to generate a certificate.
Every Certificate Authority has slightly different steps. The lab environment uses Microsoft Enterprise Certificate Authority Web Enrollment.
   a. Select Internet Explorer in the taskbar of StudentManagementConsole-1.
   b. Type http://AD/certsrv/ and then press Enter to access the Certificate Authority.
   c. Type TRAINING\Administrator in the User name field, Password1 in the Password field, and then click OK.
24. Use the certificate signing request to request the certificate.
   a. Click Request a certificate.
   b. Click advanced certificate request.
   c. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
   d. Click within the Saved Request field and then press Ctrl+V to paste the certificate request into the field.
   e. Select Web Server in the Certificate Template field and then click Submit.
   f. Select Base 64 encoded.
   g. Click Download certificate.
   h. Click the down arrow next to Save at the bottom of the Internet Explorer window.
   i. Click Save as and then click Desktop.
   j. Type wildcard_training_lab in the File name field.
   k. Click Save.
   l. Close Internet Explorer.
25. Click Traffic Management > SSL > Certificates in the left pane of the NetScaler Configuration utility on the first NetScaler.
26. Click Install.
27. Type a name in the Certificate-Key Pair Name field. Type wildcard_training_lab.certkey in the Certificate-Key Pair Name field.
28. Click the down arrow to the right of the Browse button for the Certificate File Name field and then select Local.
29. Browse to where the certificate file was saved and then double-click the certificate file. Click Desktop and then double-click wildcard_training_lab.cer.
30. Click Browse to the right of the Key Filename field and then double-click the name of the key file you created earlier. Click Browse and then double-click wildcard_training_lab.key.
31. Type the password for the private key in the Password field. Type Password1 in the Password field.
32. Click Create.
There is no confirmation message. If you prematurely click Create before all of the information has been entered, you can delete the certificate by selecting the certificate and then clicking Remove in the Traffic Management > SSL > Certificates window.
33. Click Close.

Discussion Question
Which two fields on a certificate are used to verify the chain of trust?
Creating a Certificate Signed by a Third-Party Certificate Authority

A third-party certificate signed by a public Certificate Authority should be installed on the NetScaler for the public-facing services to allow remote end users to communicate via SSL. In this procedure, you are creating and installing a public certificate on the NetScaler.
To Create a Public Certificate for the NetScaler

You will be using an internal Certificate Authority instead of a public Certificate Authority in this procedure, because of lab environment and monetary constraints.

1. Log on to a system that has Java installed using domain administrator credentials. Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
2. Open a browser, type the IP address of the NetScaler, and then press Enter. Open Firefox (located on the desktop), type 192.168.10.33, and then press Enter.
3. Log on to the first NetScaler using the NetScaler credentials. Log on to NetScaler-1 using the nsroot and Password1 credentials.
4. Click Traffic Management > SSL in the left pane and then click Create RSA Key.
5. Type a name in the Key Filename field. Type access_training_lab.key in the Key Filename field.
6. Type an appropriate key size in the Key Size (bits) field. Type 2048 in the Key Size (bits) field.
7. Select a key format and a PEM encoding algorithm. Select PEM for the key format and then select DES3 for the PEM encoding algorithm.
8. Type a passphrase in the PEM Passphrase and Confirm PEM Passphrase fields and then click OK. Type Password1 in the PEM Passphrase and Confirm PEM Passphrase fields and then click OK.
9. Click Create CSR (Certificate Signing Request) in the SSL tab.
10. Type a name in the Request File Name field. Type access_training_lab.csr in the Request File Name field.
11. Click Browse to the right of the Key Filename field and then double-click the key file. Click Browse to the right of the Key Filename field and then double-click access_training_lab.key.
12. Type the password in the PEM Passphrase field. Type Password1 in the PEM Passphrase field.
13. Select the country and then type the state or province to use for the certificate. Select United States in the Country field and then type Florida in the State or Province field.
14. Type a name in the Organization Name field. Type Training in the Organization Name field.
15. Type the FQDN in the Common Name field and then click OK. Type access.training.lab in the Common Name field and then click OK.
16. Click Manage Certificates / Keys / CSRs in the Tools section of the SSL tab.
17. Click Yes to refresh the configuration, if a prompt appears.
18. Select the certificate signing request that you created and then click View at the bottom of the window. Select the access_training_lab.csr file and then click View.
Selecting the wrong file will result in you receiving an "ASN1 bad tag value met" error during the certificate request.
19. Press Ctrl+A and then press Ctrl+C to copy all of the text to the clipboard.
20. Click Close and then click Close again.
21. Browse to the third-party certificate issuer and follow their steps to generate a certificate.
Every third-party Certificate Authority has slightly different steps. The lab environment does not have a third-party Certificate Authority available. In the real world, the NetScaler certificate should use a trusted third-party Certificate Authority. In the lab environment, you will receive a warning when an external endpoint attempts to access a resource through the NetScaler. You will use the Enterprise Certificate Authority Web Enrollment for the domain to simulate this using the following steps.
   a. Select Internet Explorer in the toolbar of StudentManagementConsole-1.
   b. Type http://ad/certsrv/ and then press Enter to access the Certificate Authority.
22. Obtain the third-party certificate.
   a. Click Request a certificate.
   b. Click advanced certificate request.
   c. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
   d. Click in the Saved Request field and then press Ctrl+V to paste the certificate request into the Saved Request field.
   e. Select Web Server in the Certificate Template field and then click Submit.
   f. Select Base 64 encoded.
   g. Click Download certificate.
   h. Click the down arrow next to Save at the bottom of the Internet Explorer window.
   i. Click Save as and then click Desktop.
   j. Type access_training_lab in the File name field.
   k. Click Save.
   l. Close Internet Explorer.
23. Click Certificates under Traffic Management > SSL in the left pane.
24. Click Install.
25. Type a name in the Certificate-Key Pair Name field. Type access_training_lab.certkey in the Certificate-Key Pair Name field.
26. Select the down arrow next to the Browse button for the Certificate File Name field and then select Local.
27. Browse to where the certificate file was saved and then double-click the certificate file. Click Desktop and then double-click access_training_lab.cer.
28. Click Browse to the right of the Key File Name field and then double-click the key file. Click Browse to the right of the Key File Name field and then double-click access_training_lab.key.
29. Type the password for the private key in the Password field. Type Password1 in the Password field.
30. Click Create. There is no confirmation message.
31. Click Close.
32. Click the diskette in the upper-right area of the window and then click Yes to save the NetScaler configuration.
Load Balancing StoreFront Servers

One of the built-in features of NetScaler is the ability to load-balance backend resources to provide high availability in a XenApp and XenDesktop environment. In this procedure, you will load balance the StoreFront servers that end users rely on to access their XenApp and XenDesktop resources. Once load balancing is configured, it is a simple task to add StoreFront servers to the load-balancing configuration.

To Load Balance StoreFront Servers

1. Log on to a system that has Java installed.
   Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
2. Open a browser, type the IP address of the NetScaler, and then press Enter.
   Open Firefox (located on the desktop), type 192.168.10.33, and then press Enter.
3. Log on to the NetScaler using the NetScaler credentials.
   Log on to the first NetScaler using the nsroot and Password1 credentials.
4. Expand the Traffic Management node, right-click Load Balancing, and then click Enable Feature.
5. Expand the Load Balancing node and then click Servers to create a server for each of your StoreFront servers.
6. Click Add and type a name for the first StoreFront server in the Server Name field.
   Click Add and then type StoreFrontServer-1 in the Server Name field.
7. Type the IP address for the first StoreFront server in the IP Address field and then click Create.
   Type 192.168.10.28 in the IP Address field and then click Create.
   NetScaler Gateway will use this IP address to load balance and direct connections to the StoreFront server.
8. Click Close and then click Add to create a server for your second StoreFront server.
9. Type the name of the second StoreFront server in the Server Name field.
   Type StoreFrontServer-2 in the Server Name field.
10. Type the IP address for the second StoreFront server in the IP Address field and then click Create.
    Type 192.168.10.29 in the IP Address field and then click Create.
    NetScaler Gateway will use this IP address to load balance and direct connections to the StoreFront server.
11. Click Close to close the Create Server dialog box.
    Verify that both servers are enabled.
12. Click Services under the Load Balancing node and then click Add to create a service for each of the StoreFront servers in the environment.
13. Type a name for the first StoreFront service in the Service Name field.
    Type SFService-1 in the Service Name field.
14. Select the name of the first StoreFront server in the Server field.
    Select StoreFrontServer-1 (192.168.10.28).
15. Select SSL in the Protocol field.
16. Click the Monitors tab, select the proper StoreFront monitor, and then click Add.
    Click the Monitors tab, click the https monitor, and then click Add.
17. Click Create and then click Close.
18. Click Add in the Services page to add a service for the second StoreFront server.
19. Type a name for the second StoreFront service in the Service Name field.
    Type SFService-2 in the Service Name field.
20. Select the name of the second StoreFront server in the Server field.
    Select StoreFrontServer-2 (192.168.10.29).
21. Select SSL in the Protocol field.
22. Click the Monitors tab, select the proper StoreFront monitor created earlier, and then click Add.
    Click the Monitors tab, click the https monitor, and then click Add.
23. Click Create and then click Close.
    Verify that both services are in the Up state. If a StoreFront server is off, you can expect the service associated with that server to be down. If the server is on and the service shows as down, verify that no errors appear in Studio.
24. Select Virtual Servers in the left pane under the Load Balancing node and then click Add in the Virtual Servers tab to create the load balancing virtual server for the StoreFront servers.
    Only one load balancing virtual server needs to be created regardless of the number of StoreFront servers in the environment.
25. Type an appropriate name in the Name field for the load balancing virtual server used by the StoreFront servers.
    Type sf_training_lab in the Name field.
26. Select SSL in the Protocol drop-down list box.
27. Type the IP address to use for the load balancing virtual server in the IP Address field.
    Type 192.168.10.51 in the IP Address field.
28. Select the Services tab and then select the StoreFront services that will be load balanced by this virtual server.
    Select SFService-1 and then select SFService-2. In this release of NetScaler, do not use Service Groups with StoreFront.
29. Click the SSL Settings tab and then select the proper SSL certificate.
    Click the SSL Settings tab and then select wildcard_training_lab.certkey.
30. Click Add.
31. Click the Method and Persistence tab.
32. Specify the persistence type to be used.
    Select SOURCEIP in the Persistence field. Do not use COOKIEINSERT as the persistence method in the lab environment.
33. Specify the time out setting.
    Type 60 in the Time-out (min) field.
34. Click Create and then click Close.
35. Verify that the state of the load balancing virtual server is Up.
    Verify that the state of the sf_training_lab load balancing virtual server is Up.
36. Click the diskette in the upper-right area of the window and then click Yes to save the configuration.
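The following simulation is an added example and is not part of the Citrix course or NetScaler's own code. It models what the SOURCEIP persistence type and the 60-minute time-out chosen in steps 32 and 33 mean for the sf_training_lab virtual server: a client keeps hitting the same StoreFront service while its persistence entry is fresh, the entry lapses after the idle time-out, and a service the https monitor has marked DOWN is skipped. Two assumptions are built in: services are picked round-robin among UP services (the simplest method; the appliance default differs), and the time-out is an idle time-out refreshed on every request. The client addresses are constructed; the service names and backend addresses are the lab values above.

```python
"""Added example (not from the Citrix course): a plain-Python model of the
StoreFront load-balancing virtual server with SOURCEIP persistence and a
60-minute idle time-out. It simulates NetScaler behaviour; it is not
NetScaler code. Assumed: round-robin selection among UP services."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    name: str
    server_ip: str
    up: bool = True  # the state the bound https monitor reports


@dataclass
class LbVserver:
    name: str
    vip: str
    services: List[Service]
    persistence_timeout_min: int = 60
    _next: int = 0
    # client source IP -> (service it is pinned to, minute of last request)
    _persist: Dict[str, Tuple[Service, int]] = field(default_factory=dict)

    def _choose(self) -> Optional[Service]:
        """Round-robin over services that are UP (assumption, see lead-in)."""
        up = [s for s in self.services if s.up]
        if not up:
            return None
        svc = up[self._next % len(up)]
        self._next += 1
        return svc

    def route(self, client_ip: str, now_min: int) -> Optional[str]:
        """Return the service handling this request, or None when every
        service is DOWN (the virtual server itself would then show DOWN)."""
        entry = self._persist.get(client_ip)
        if entry is not None:
            svc, last_seen = entry
            if svc.up and now_min - last_seen <= self.persistence_timeout_min:
                self._persist[client_ip] = (svc, now_min)  # refresh idle timer
                return svc.name
            del self._persist[client_ip]  # expired, or the pinned backend is DOWN
        svc = self._choose()
        if svc is None:
            return None
        self._persist[client_ip] = (svc, now_min)
        return svc.name


def build_lab_vserver() -> LbVserver:
    """Names and addresses are the lab values from the procedure above."""
    return LbVserver(
        name="sf_training_lab",
        vip="192.168.10.51",
        services=[
            Service("SFService-1", "192.168.10.28"),
            Service("SFService-2", "192.168.10.29"),
        ],
    )


def demo() -> List[Optional[str]]:
    """Walk three constructed client addresses through the virtual server."""
    lb = build_lab_vserver()
    log = []
    log.append(lb.route("10.20.0.10", 0))   # first request -> SFService-1
    log.append(lb.route("10.20.0.10", 30))  # 30 min later -> still SFService-1
    log.append(lb.route("10.20.0.20", 30))  # new client -> SFService-2
    log.append(lb.route("10.20.0.30", 40))  # new client -> SFService-1
    log.append(lb.route("10.20.0.10", 95))  # 65 min idle: entry gone, re-balanced -> SFService-2
    lb.services[1].up = False               # monitor marks StoreFrontServer-2 DOWN
    log.append(lb.route("10.20.0.20", 96))  # pinned to a DOWN service -> fails over to SFService-1
    return log
```

The last two decisions are the ones worth checking after a change to the Method and Persistence tab: a persistence entry that outlives the time-out is re-balanced, and a persistence entry never overrides the monitor state.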
Configuring NetScaler for Remote Access

The NetScaler will use LDAP to authenticate with Active Directory. To use LDAP, the NetScaler needs credentials to log on to the Active Directory domain. Using a service account with few privileges provides less of an attack surface than using an account with domain administrator permissions.

To only allow certain users to log on, a security group will be created in Active Directory. The NetScaler will then be configured to allow only users in that group to access the environment remotely.

To Create a Service Account for LDAP Authentication and the Security Group for Remote Access

1. Log on to the domain controller using domain administrator credentials.
   Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Tools in the Server Manager window.
3. Select Active Directory Users and Computers.
4. Browse to the OU that contains the service accounts.
   Expand training.lab > Training Service Accounts.
5. Right-click the service account OU.
   Right-click Training Service Accounts.
6. Select New > User.
7. Type a name for the NetScaler LDAP authentication service account in the Full name field.
   Type LDAPAuth in the Full name field.
8. Type a name in the User logon name field and then click Next.
   Type LDAPAuth in the User logon name field and then click Next.
9. Type the password for the account in the Password and Confirm password fields.
   Type Password1 in the Password and Confirm password fields.
10. Specify the desired password settings and then click Next.
    a. Deselect User must change password at next logon.
    b. Select User cannot change password.
    c. Select Password never expires.
    d. Click Next.
11. Click Finish.
    You are doing this so that the credentials you type into the NetScaler later on will not be for the domain administrator account. This is not strictly necessary, but may reduce the potential attack surface. It is a good practice to use a relatively long randomized password for service accounts.
12. Right-click the newly created service account and then click Add to a group to add the NetScaler LDAP service account to the service accounts group.
    Right-click LDAPAuth and then click Add to a group. The service accounts group was created in an earlier exercise.
13. Specify the group to which you want to add the service account.
    Type Service Accounts.
14. Click Check Names, click OK, and then click OK again.
    Adding the account to the service accounts group will prevent interactive logon because you created a Group Policy Object earlier that disallows log on locally to the service accounts group.
15. Browse to the OU that contains the end-user accounts to begin creating a security group for end users that will be allowed remote access through the NetScaler.
    Expand training.lab > Training Users.
16. Right-click the end-users OU and then click New > Group.
    Right-click the Training Users OU and then click New > Group.
17. Type a name for the new group and then click OK.
    Type Remote Access in the Group name field and then click OK.
18. Right-click the newly created group and then click Properties to begin adding the end users to the security group that will be granted remote access.
    Right-click the Remote Access group and then click Properties.
19. Click the Members tab and then click Add.
20. Specify the end users to be added to the security group and separate them by a semi-colon.
    Type hduser1; xdadmin1; xdadmin2; acctuser1; acctuser2; hruser1; hruser2; contractor1; contractor2. Do not include the hduser2 account in the security group so you can use it to verify that end users not included in the group will not be granted remote access.
21. Click Check Names.
22. Click OK and then click OK again.
Configuring Active Directory Integration

You can configure Active Directory integration with NetScaler so that remote end users can authenticate at the NetScaler. This allows remote end users to authenticate once and have access to all their resources without further authentication prompts. If NetScaler authentication is not configured, remote end users must authenticate at the StoreFront server.

A service account is used to enable the LDAP communication from the NetScaler to Active Directory. Once LDAP communication is enabled under the service account's authority, you can use the service account to send end users' credentials to Active Directory for authentication, authorization, and auditing (AAA).

In the previous procedure you created the service account required for LDAP authentication and the security group that identifies the end users who will be given remote access through the NetScaler. In this procedure, you are configuring the NetScaler to use the service account and security group. The primary configuration will be the LDAP settings.

To Configure Active Directory Integration with NetScaler

1. Log on to a system that has Java installed using domain administrator credentials.
   Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
   Open Firefox, type 192.168.10.33, and then press Enter.
3. Log on to the first NetScaler using the NetScaler credentials.
   Log on to NetScaler-1 using the nsroot and Password1 credentials.
4. Right-click NetScaler Gateway in the left pane of the Configuration utility and then click Enable Feature.
5. Click NetScaler Gateway wizard in the NetScaler Gateway tab.
6. Click Next on the Introduction page.
7. Type the IP address to use for the NetScaler Gateway virtual server in the IP Address field.
   Type 192.168.10.50 in the IP Address field.
8. Specify the port number.
   Verify that port 443 is specified.
9. Type a name for the NetScaler virtual server in the Name field and then click Next.
   Type access_training_lab in the Name field and then click Next.
10. Select the certificate action to perform and then click Next.
    Select Use an installed certificate and private key pair in the Certificate Options field, select access_training_lab.certkey in the Certificate field, and then click Next.
11. Specify the IP address of the DNS server in the Configured DNS Server field.
    Verify that 192.168.10.11 is specified in the Configured DNS Server field.
12. Specify the IP address of the WINS server, if it is being used.
    Leave this field blank.
13. Determine the name lookup priority and then click Next.
    Select DNS and then click Next.
14. Select LDAP and then click Next.
    You will configure the LDAP settings in a policy.
15. Configure the authorization setting for the LDAP members.
    Select Allow.
16. Specify the address to redirect users to if they forget to type https to access the NetScaler virtual server and then click Next.
    a. Select Redirect to secure Web address.
    b. Type https://access.training.lab to redirect http://access.training.lab requests to https.
    c. Click Next.
17. Select Allow users to log on using Clientless Access Only and then click Next.
18. Click Finish and then click Exit.
19. Click NetScaler Gateway > Policies > Authentication > LDAP to customize the LDAP settings.
20. Click Add to create a new LDAP policy.
21. Type a name for the LDAP policy in the Name field.
    Type 192.168.10.11_LDAP_pol.
22. Click New to create a new LDAP server entity.
23. Type a name in the Name field and then type the IP address of the LDAP server in the IP Address field.
    Type LDAP_DomainController-1 in the Name field and then type 192.168.10.11 in the IP Address field.
24. Verify that 389 appears in the Port field.
25. Type the base domain name in the Base DN field.
    Type DC=Training,DC=Lab.
    If your domain was citrix.com, you would type DC=citrix,DC=com. DC stands for Domain Component. If you want to allow only end users from a specific Organizational Unit (OU), that can also be specified. If you only want end users in the end-users' OU and descendant OUs to be able to authenticate, you would specify OU=users,DC=Training,DC=Lab. For more information about LDAP, see http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol.
26. Type the name of the service account to be used in the form of username@domain (FQDN) in the Admin Bind DN field.
    Type [email protected] in the Admin Bind DN field.
27. Type the password in the Password and Confirm Password fields.
    Type Password1 in the Password and Confirm Password fields.
28. Click Retrieve Attributes to test the connection to the LDAP server and then click OK.
    If the test fails, verify that the password and the IP address of the LDAP server are correct.
29. Type samAccountName in the Server Logon Name Attribute field.
    Failure to specify a value in this field will result in remote users receiving an Incorrect Password error.
30. Type a value in the Search Filter field to only allow end users that are a member of the proper group to access the environment remotely.
    Type memberOf=CN=Remote Access,OU=Training Users,DC=Training,DC=Lab in the Search Filter field.
    There must be a space between "Remote" and "Access" and between "Training" and "Users." Remote Access is a group that you created in an earlier exercise. It is used to group the user accounts that will be allowed remote access into the environment. By specifying a group, you can limit who can access the environment remotely through the NetScaler. For more information about configuring LDAP settings, refer to CTX111079 on the www.citrix.com Web site.
31. Specify a group attribute.
    Verify that memberOf appears in the Group Attribute field.
32. Type a sub attribute.
    Verify that CN appears in the Sub Attribute Name field.
33. Click Create.
34. Select True value for the General named expression and then click Add Expression.
35. Click Create and then click Close.
36. Click the NetScaler Gateway node in the left pane and then click Change group settings and user permissions to bind the LDAP policy to the NetScaler virtual server.
37. Expand the Virtual Servers node in the left pane and then expand Authentication Policies in the center pane.
38. Drag and drop the LDAP policy on the NetScaler virtual server in the left pane.
    Drag and drop the 192.168.10.11_LDAP policy on the access_training_lab virtual server.
39. Click Close.
40. Click the diskette in the upper-right area of the window and then click Yes to save the NetScaler configuration.
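The example below is added here and is not part of the Citrix course or of NetScaler; it shows how the values typed in steps 25, 29 and 30 combine into one directory search, why the Search Filter limits logon to the Remote Access group, and why the logon name a remote user types must be escaped before it is placed in a filter. The directory entries are a constructed stand-in for the lab domain (hduser1 in the group, hduser2 deliberately outside it, as the previous procedure arranged); the filter evaluator handles only the AND-of-equalities shape the lab uses, and the way the gateway composes the filter is an assumption about its behaviour, not a quote of it.

```python
"""Added example (not from the Citrix course): composing and evaluating the
LDAP search that the Base DN, Server Logon Name Attribute and Search Filter
settings describe, against a constructed in-memory directory."""

import re
from typing import Dict, List, Optional

# Lab values from the procedure above.
BASE_DN = "DC=Training,DC=Lab"
LOGIN_ATTR = "samAccountName"
SEARCH_FILTER = "memberOf=CN=Remote Access,OU=Training Users,DC=Training,DC=Lab"
REMOTE_ACCESS_GROUP = "CN=Remote Access,OU=Training Users,DC=Training,DC=Lab"

# Constructed stand-in for the lab directory: only the attributes the filter touches.
DIRECTORY: List[Dict[str, object]] = [
    {"dn": "CN=hduser1,OU=Training Users," + BASE_DN,
     "samAccountName": "hduser1", "memberOf": [REMOTE_ACCESS_GROUP]},
    {"dn": "CN=hduser2,OU=Training Users," + BASE_DN,
     "samAccountName": "hduser2", "memberOf": []},
    {"dn": "CN=LDAPAuth,OU=Training Service Accounts," + BASE_DN,
     "samAccountName": "LDAPAuth",
     "memberOf": ["CN=Service Accounts,OU=Training Service Accounts," + BASE_DN]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter: the
    characters that would otherwise change the filter's structure become \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def effective_filter(login_name: str, login_attr: str = LOGIN_ATTR,
                     search_filter: str = SEARCH_FILTER) -> str:
    """Assumed composition: the logon-name match ANDed with the configured
    Search Filter, so a user outside the group is never found."""
    return "(&(%s=%s)(%s))" % (login_attr, escape_filter_value(login_name), search_filter)


_PAIR = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern: str, actual: str) -> bool:
    # A bare '*' is an LDAP wildcard; an escaped '\2a' is a literal asterisk.
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return parts[0].lower() == actual.lower()  # AD compares case-insensitively
    return re.fullmatch(".*".join(re.escape(p) for p in parts), actual, re.IGNORECASE) is not None


def search(filter_str: str, directory=DIRECTORY) -> List[str]:
    """Evaluate an AND-of-equalities filter; return the matching DNs."""
    pairs = _PAIR.findall(filter_str)
    hits = []
    for entry in directory:
        ok = True
        for attr, pattern in pairs:
            values = entry.get(attr, [])
            values = [values] if isinstance(values, str) else values
            if not any(_value_matches(pattern, v) for v in values):
                ok = False
                break
        if ok:
            hits.append(str(entry["dn"]))
    return hits


def gateway_lookup(login_name: str) -> Optional[str]:
    """First half of the gateway logon: find exactly one entry for the typed
    logon name that also satisfies the Search Filter. The gateway would then
    bind as that DN with the user's password. Returns the DN, or None."""
    hits = search(effective_filter(login_name))
    return hits[0] if len(hits) == 1 else None
```

Compare `search("(samAccountName=*)")`, which matches every entry because the asterisk is unescaped, with `gateway_lookup("*")`, which finds nobody because the typed name is escaped before it reaches the filter. That difference is the whole reason the logon name is treated as data, not as filter syntax.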
Redirecting HTTP Requests for StoreFront

During the configuration of NetScaler, you configured NetScaler to intercept http requests to the NetScaler virtual server and redirect them to https (see Step 16 in the previous exercise).

Because the NetScaler virtual server FQDN will be used by remote end users, their requests will be redirected. However, internal users will access resources by pointing to the Load Balancing virtual server for StoreFront. To redirect their http requests to https, you must configure a virtual server on NetScaler.

To Redirect HTTP Requests for StoreFront

1. Log on to a system that has Java installed using domain administrator credentials.
   Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
2. Open a browser, type the IP address of the NetScaler, and then press Enter.
   Open Firefox, type 192.168.10.33, and then press Enter.
3. Log on to the first NetScaler using the NetScaler credentials.
   Log on to NetScaler-1 using the nsroot and Password1 credentials.
4. Expand Traffic Management > Load Balancing in the left pane of the Configuration utility and then click Virtual Servers.
5. Click the virtual server that is used to redirect http requests for the NetScaler and then click Add.
   Click 192.168.10.50_http_redirect and then click Add. This will allow you to use the existing virtual server as a template for the new virtual server.
   Notice that the virtual server for http redirect is in the Down state because it does not have a server, service, or monitor bound to it. This is normal. Redirect virtual servers should always be in the Down state.
6. Type a name for the new virtual server in the Name field.
   Replace 50 in the existing name with 51 so the new name in the Name field is 192.168.10.51_http_redirect.
7. Specify the IP address for the load balancing virtual server for StoreFront in the IP Address field.
   Replace 50 in the existing IP address with 51 so the new IP address is 192.168.10.51.
8. Click the Advanced tab and type the URL for the load balanced StoreFront server in the Redirect URL field.
   Click Advanced and then type https://sf.training.lab in the Redirect URL field.
9. Click Create and then click Close.

Discussion Question

Your http redirect virtual server is in the Down state. Why is this?
Modifying StoreFront to Integrate with NetScaler

You now want to use NetScaler to load balance the traffic to the StoreFront servers. To use NetScaler load-balancing, you will need to configure StoreFront and the NetScaler. This procedure only needs to be done once. After it is set up, adding StoreFront servers to the environment requires only the addition of servers in the NetScaler that represent the new StoreFront servers.

To Modify StoreFront to Work with NetScaler

1. Log on to the first StoreFront server with domain administrator credentials.
   Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start in the taskbar.
3. Type StoreFront and then click Citrix StoreFront in the Start screen.
   If you receive an Add Snap-in error, click Cancel in the End Snap-in message and the console will open. Do not click End Now.
4. Click Stores in the left pane and then select the proper store.
   Click Stores and then select Store-1.
5. Click Manage Delivery Controllers in the right pane, verify that the Delivery Controllers are listed in the Servers column, and then click OK.
   Click Manage Delivery Controllers in the right pane, verify that c-1.training.lab and c-2.training.lab are listed in the Servers column, and then click OK.
6. Click Authentication in the left pane and then click Add/Remove Methods.
7. Select the desired authentication methods and then click OK.
   a. Verify that User name and password is selected.
   b. Select Domain pass-through.
   c. Select Pass-through from NetScaler Gateway and then click OK.
   You are selecting Domain pass-through so that the Receiver on domain-joined endpoints can authenticate without the end user re-entering credentials.
8. Click NetScaler Gateway in the left pane and then click Add NetScaler Gateway in the right pane.
9. Type an appropriate name in the Display name field.
   Type access.training.lab in the Display name field.
   Remote end users will use this name to configure Citrix Receiver preferences.
10. Type the FQDN to the NetScaler in the NetScaler Gateway URL field.
    Type https://access.training.lab in the NetScaler Gateway URL field.
11. Select the correct logon type.
    Verify Domain is selected as the logon type.
12. Type the FQDN to the NetScaler in the Callback URL field and then click Next.
    Type https://access.training.lab in the Callback URL field and then click Next.
13. Click Add, and then type the URL to the STA in the STA URL field to add Secure Ticket Authorities (STAs).
    Click Add and then type https://c-1.training.lab in the STA URL field. /scripts/ctxsta.dll will automatically be appended to the end of the URL for the STA. Each Controller is a Secure Ticket Authority (STA).
14. Click OK.
15. Click Add and then type the URL for the next STA in the STA URL field.
    Click Add and then type https://c-2.training.lab in the STA URL field.
    Ensure that you type https for both entries.
16. Click OK.
17. Click Create and then click Finish.

Discussion Question

You just configured NetScaler to load balance your StoreFront servers. What do you need to configure on your StoreFront servers to direct traffic through the NetScaler?
Creating Beacons

You can specify URLs inside and outside your internal network to be used as beacon points. Citrix Receiver uses beacon points to determine whether end users are connected from internal or external networks and then selects the appropriate access method. By default, StoreFront uses the server URL or load-balanced URL of your deployment as the internal beacon point. The Citrix Web site and the virtual server or end-user logon point URL of the first NetScaler deployment you add are used as external beacon points by default.

If you change any beacon points, ensure that end users update Citrix Receiver with the modified beacon information. If a Receiver for Web site is configured for a store, end users can obtain an updated Citrix Receiver provisioning file from the site. If a Receiver for Web site is not configured for the store, you can export a provisioning file for the store and make this file available to your end users.

To Create a Beacon Point

This may be done automatically by StoreFront using the information previously entered in the various fields. If you attempt to create the beacons before configuring the other NetScaler entries, you will need to complete these steps. Verify that the information specified in the Beacon Contact Points section is correct using the following steps.

1. Log on to the first StoreFront server using domain administrator credentials.
   Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type StoreFront, and then click Citrix StoreFront.
3. Click Beacons in the left pane.
4. Click Manage Beacons in the right pane.
5. Verify that the URL for the first external beacon is listed.
   Verify that https://access.training.lab appears.
6. Verify that the URL for the second external beacon appears.
   Verify that http://www.citrix.com appears. This URL will not resolve because there is no Internet access in the lab environment.
7. Select Specify beacon address and then type the URL for the load balanced virtual server for StoreFront.
   Select Specify beacon address and then type https://sf.training.lab in the Specify beacon address field.
   You are specifying the URL for the load balanced virtual server for StoreFront here. Because the service URL (the load-balanced StoreFront server) is accessible from all lab machines, you need to use a different beacon address for the inside. In the real world, the service URL should not be accessible from the outside. Firewall rules would only allow external access to specific IP addresses and ports to the DMZ.
8. Click OK.
   From now on in the lab environment, internal users will use https://sf.training.lab to access resources. External users will access resources using the https://access.training.lab URL.

Enabling Remote Access to the Store

The default deployment of StoreFront allows only internal users to access it directly. Remote users cannot access a StoreFront directly. You can enable StoreFront to accept remote user connections from a designated NetScaler appliance. Once enabled, the setting is synchronized among all current and future StoreFront servers.

To Enable Remote Access to the Store

1. Log on to the first StoreFront server using the domain administrator credentials.
   Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type StoreFront, and then click Citrix StoreFront.
3. Click Stores in the left pane of the StoreFront console and then select the appropriate store.
   Click Stores in the left pane and then click Store-1.
4. Click Enable Remote Access in the right pane.
5. Determine how remote access will be configured for end user access from external networks.
   Select No VPN tunnel.
6. Select the NetScalers to provide remote access. If multiple appliances are selected, select a default appliance.
   Select access.training.lab.
7. Click OK.
Propagating Settings to the StoreFront Server Group

A server group is a container for the StoreFront servers in the Site. The servers in the group each have a data file that contains their settings. The end-user settings in the data file for each StoreFront must be synchronized with the other StoreFront servers in the server group. In addition, you can force the propagation of administrative settings from the current StoreFront server to the other servers in the group. Any configuration changes made on other servers in the group are discarded. While running this task, you cannot make any further configuration changes until all the servers in the group have been updated.

If you plan to make changes to StoreFront:
1. Make the administrative configuration changes from a single StoreFront server.
2. Propagate the administrative configuration changes to the other servers in the group.

To Propagate the StoreFront Settings

1. Log on to a StoreFront server using domain administrator credentials.
   Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Start, type StoreFront, and then click Citrix StoreFront.
3. Click Server Group in the left pane of the StoreFront console.
4. Click Propagate Changes in the right pane and then click OK.
5. Verify that the propagation completed successfully and then click OK.

Discussion Question

John is changing the configuration settings on StoreFrontServer-1. Kelly is changing the configuration settings on StoreFrontServer-2. John selects Propagate Changes. What happens?

Configuring ICA Proxy

ICA proxy allows multiple end users in the external network to access multiple resources in the internal network via a single IP address and port configured on the external interface of the firewall. This requires fewer configured openings on the firewall, which provides a more secure environment.

ICA proxy communications include:
1. The end user browses to the NetScaler URL. NetScaler optionally runs an endpoint analysis scan before authentication. If the scan is successful, NetScaler presents the authentication page to the end user.
2. The end user authenticates to NetScaler. The NetScaler then sends an LDAP query to the domain controller.
3. If authentication is successful, the credentials are forwarded to StoreFront, which passes the results to the Controller. The Controller queries the database and returns a list of all resources for the end user and then forwards that list to the StoreFront. StoreFront converts the list into icons and passes them to the end user via the NetScaler.
4. The end user clicks a resource in the store and the request is sent to StoreFront. StoreFront forwards the request to the Controller to be load balanced. The Controller makes a load balancing decision and forwards back to StoreFront the selected resource.
5. StoreFront converts the selected resource into an HDX (ICA) file and then forwards the HDX (ICA) file to the STA and retrieves a session ticket. StoreFront generates an HDX (ICA) file that includes a session ticket generated by the Secure Ticket Authority (STA) on the Controller.
6. The new HDX (ICA) file is delivered to the end user via the NetScaler.
7. The Receiver on the endpoint processes the HDX (ICA) file and presents the HDX (ICA) session ticket to NetScaler. NetScaler validates the ticket. If the ticket is valid, the STA responds with the IP address of the load-balanced object.
8. The NetScaler then creates a proxy from the external network into the internal network. NetScaler establishes a connection between the Receiver on the endpoint and the load-balanced object.
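The following is an added example, not part of the Citrix course and not the real STA or NetScaler code. It models the ticket exchange in the ICA proxy flow above: StoreFront asks the STA on the Controller for a ticket that stands in for the resource's internal address, the launch file carries only that ticket to the endpoint, and the gateway redeems the ticket with the STA before proxying. Three properties the flow relies on are made explicit: the internal address never leaves the internal network, a ticket can be redeemed once, and a ticket expires. The class and field names, the ticket format, the lifetime of 100 seconds and the resource address 192.168.10.99:1494 are all constructed for the illustration.

```python
"""Added example (not from the Citrix course): a model of the Secure Ticket
Authority (STA) exchange between StoreFront, the STA on the Controller and
NetScaler Gateway. Names, fields, lifetime and addresses are constructed."""

import secrets
from typing import Dict, Optional, Tuple


class SecureTicketAuthority:
    """Runs on the Controller: issues short-lived, single-use tickets that
    refer to the internal address of the selected resource."""

    def __init__(self, ticket_lifetime_s: int = 100):  # constructed lifetime
        self.lifetime = ticket_lifetime_s
        self._issued: Dict[str, Tuple[str, int]] = {}  # ticket -> (address, issued_at)

    def request_ticket(self, internal_address: str, now: int) -> str:
        ticket = secrets.token_hex(16)  # 128 bits from the OS CSPRNG: not guessable
        self._issued[ticket] = (internal_address, now)
        return ticket

    def validate(self, ticket: str, now: int) -> Optional[str]:
        """Redeem a ticket exactly once; return its address, or None."""
        entry = self._issued.pop(ticket, None)  # pop: a replayed ticket finds nothing
        if entry is None:
            return None
        address, issued_at = entry
        if now - issued_at > self.lifetime:
            return None  # stale ticket, already removed above
        return address


class StoreFront:
    """Step 5 of the flow: build the launch file around a ticket, not an address."""

    def __init__(self, sta: SecureTicketAuthority, gateway_fqdn: str):
        self.sta = sta
        self.gateway_fqdn = gateway_fqdn

    def build_launch_file(self, resource_address: str, now: int) -> Dict[str, str]:
        ticket = self.sta.request_ticket(resource_address, now)
        # Only the gateway name and the ticket leave the internal network.
        return {"gateway": self.gateway_fqdn, "ticket": ticket}


class NetScalerGateway:
    """Steps 7 and 8: validate the presented ticket, then proxy the session."""

    def __init__(self, sta: SecureTicketAuthority):
        self.sta = sta

    def connect(self, launch_file: Dict[str, str], now: int) -> str:
        address = self.sta.validate(launch_file.get("ticket", ""), now)
        if address is None:
            return "rejected"
        return "proxied to " + address


def demo() -> Dict[str, object]:
    """Constructed walk-through: an honest launch, a replay, a stale ticket
    and a ticket the STA never issued."""
    sta = SecureTicketAuthority()
    storefront = StoreFront(sta, "access.training.lab")
    gateway = NetScalerGateway(sta)
    vda = "192.168.10.99:1494"  # constructed internal address of the selected resource

    launch = storefront.build_launch_file(vda, now=0)
    results: Dict[str, object] = {
        "address_hidden": vda not in repr(launch),
        "first_use": gateway.connect(launch, now=5),
        "replay": gateway.connect(launch, now=6),
    }
    stale = storefront.build_launch_file(vda, now=0)
    results["expired"] = gateway.connect(stale, now=200)
    results["forged"] = gateway.connect({"gateway": "access.training.lab", "ticket": "0" * 32}, now=1)
    return results
```

This is also why the procedure below insists that the STA list on the NetScaler Gateway match the one in StoreFront: the gateway can only redeem a ticket with the STA that issued it, so a ticket from an STA the gateway does not know is rejected exactly like a forged one.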
To Configure the NetScaler for ICA Proxy

1. Log on to a system that has Java installed using domain administrator credentials.
   Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
   Open Firefox, type 192.168.10.33, and then press Enter.
3. Log on to the first NetScaler using the NetScaler credentials.
   Log on to NetScaler-1 using the nsroot and Password1 credentials.
4. Click NetScaler Gateway in the left pane and then click Published applications wizard in the NetScaler Gateway tab.
5. Click Next on the Introduction page.
6. Select the virtual server for the NetScaler and then click Next.
   Select access_training_lab and then click Next.
7.
Type the URL for the Receiver for Web site using the FQDN to the Store Front load Balancing virtual server in the Web Interface Address field. Type https://sf.training.lab/Citrix/Store-1Web in the Web Interface Address field. This is the load balancing virtual server for StoreFront on the NetScaler. If sf.training.lab fails to resolve, use the IP address of 192.168.10.51 instead.
8.
Type the domain name in the Single Sign-on Domain field. Type Training in the Single Sign-on Domain field.
9. Click Add in the Secure Ticket Authority field. 10. Type the URL to the Secure Ticket Authority on the first Controller and then click Create. Type https://c-1.training.lab and then click Create. The STAs specified on the NetScaler Gateway must be identical to the ones specified in StoreFront. If you remove an STA in the future from StoreFront, then it must be removed from NetScaler Gateway. The same goes for adding new STAs.
11. Click Add.
12. Type the URL to the Secure Ticket Authority on the second Controller and then click Create. Type https://c-2.training.lab and then click Create.
13. Click Next in the Configure Client Connections page after all URLs are specified.
14. Click Next in the Configure SmartAccess page.
15. Click Finish and then click Exit.
16. Click NetScaler Gateway > Virtual Servers.
17. Double-click the virtual server for the NetScaler and then click the Published Applications tab to view the STAs. Double-click access_training_lab, click the Published Applications tab, and then verify that both STAs are UP.
If both Delivery Controllers are running, both STAs should be UP. If the STAs are in a DOWN state, power on the server or recreate the STA. Deselecting an STA and clicking OK will delete the STA.
18. Click OK to close the Configure NetScaler Gateway Virtual Server window.
19. Click the diskette in the upper-right area of the Configuration utility and then click Yes to save the configuration.
Discussion Question
Why might you implement ICA proxy instead of a VPN?
Configuring Pre-Authentication Policies
NetScaler can run pre-authentication policies and post-authentication policies (session policies). With both types of policies, NetScaler makes decisions about the connection based on the results of a scan of the endpoint. NetScaler performs the following basic steps using pre-authentication policies:
1. Examines an initial set of information about the endpoint to determine which scans to apply.
2. Runs all applicable scans.
3. Compares property values detected on the endpoint with desired property values listed in your configured pre-authentication policies.
4. Produces an output verifying whether or not the desired property values are found.
When end users try to connect, NetScaler checks the endpoint for the requirements specified within all pre-authentication policies. If the endpoint passes the pre-authentication policy scans, end users are allowed to log on and the post-authentication policy scans are run. If the pre-authentication policy scans fail, end users can be denied access or redirected to another logon page. For example, you can set up a pre-authentication policy to determine if the endpoint has a particular registry entry. If the endpoint passes the test, the end user is allowed to log on using their domain credentials. If the endpoint fails the test, the end user can be required to log on using a two-factor authentication method. Pre-authentication policy scans complete before the end user's session uses a license.
Enabling XML Service Trust
If you intend to use SmartAccess endpoint analysis, pass-through authentication, or smart card authentication with XenApp and XenDesktop, you must configure XenApp and XenDesktop to trust XML Services.
To Enable XML Service Trust
1. Log on to the first Delivery Controller using domain administrator credentials. Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.
2. Click the PowerShell icon in the taskbar.
3. Type Add-PSSnapin Citrix* and then press Enter.
4. Type Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true and then press Enter. Ensure that you add a space before the -TrustRequestsSentToTheXmlServicePort parameter and before the $true value. Tab completion can be used to make command entry easier. You can press the Tab key after typing part of the command. Note that certain parts of the command will still need to be typed.
5. Type Exit and then press Enter.
Configuring a Pre-Authentication Policy
A pre-authentication policy allows you to check for client-side security before authentication. An example of a scan is a check to see whether a particular version of anti-virus software is installed. Pre-authentication policies govern exactly what the system is going to scan and are associated with pre-authentication profiles, which determine the action to take. Common checks for a pre-authentication policy include:
• Antivirus
• Firewall
• Processes
• Files
• Registry Entries
• Operating Systems
A pre-authentication policy will either allow or disallow end-user logon based on the result of the scan of the endpoint. You will create a policy that scans for a running process on the endpoint to determine whether an end user will be allowed to log on.
To Configure a Pre-Authentication Policy
1. Log on to a system that has Java installed using domain administrator credentials. Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
2. Open a browser, type the IP address of the first NetScaler, and then press Enter. Open Firefox, type 192.168.10.33, and then press Enter.
3. Log on to the first NetScaler using the NetScaler credentials. Log on to NetScaler-1 using the nsroot and Password1 credentials.
4. Click NetScaler Gateway in the left pane and then click Policies > Pre-Authentication in the NetScaler Gateway tab.
5. Click Add, type a name for the new policy in the Name field, and then click New to the right of the Request Profile field. Click Add, type deny_logon_policy in the Name field, and then click New to the right of the Request Profile field.
6. Type a name for the new profile in the Name field and then select the action the profile will perform. Type deny_logon_profile in the Name field and then select DENY in the Action field.
The profile defines the action that the policy will take.
7. Click Create to create the profile that will be associated with the policy.
8. Click Add in the Expression section of the Create Pre-authentication Policy window.
9. Select the type of expression to add from the Expression Type field. Select Client Security in the Expression Type field.
10. Select the type of component to check during the pre-authentication process. Select Process from the Component field.
11. Type the name of the component in the Name field and then click OK. Type notepad.exe in the Name field and then click OK.
12. Verify that the expression appears in the Expression field. Verify that CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS appears in the Expression field.
13. Click Create and then click Close.
The policy has now been created, but it is not bound to anything. It will not have an effect on the environment until it is bound. You will bind it to the NetScaler virtual server (access_training_lab).
14. Click the NetScaler Gateway > Virtual Servers node.
15. Select a virtual server. Select the access_training_lab virtual server.
16. Click Open, verify SmartAccess Mode is selected, and then click OK.
17. Click NetScaler Gateway in the left pane and then click Change group settings and user permissions.
18. Expand the Virtual Servers node in the left pane of the NetScaler Gateway Policy Manager. You will see the virtual server that is assigned to the NetScaler.
19. Expand the Pre-authentication Policies node in the center pane of the NetScaler Gateway Policy Manager.
20. Drag the desired policy from the center pane to the virtual server in the left pane. Drag the deny_logon_policy policy to the access_training_lab virtual server and drop it.
21. Verify that the policy now exists in the Pre-authentication Policies node for the virtual server in the left pane. Verify that the deny_logon_policy policy appears under the access_training_lab > Pre-authentication Policies node in the left pane of the NetScaler Gateway Policy Manager.
22. Click Close.
23. Click the diskette in the upper-right area of the Configuration utility and then click Yes to save the configuration.
Discussion Question
What is a policy profile?
Configuring NetScaler for Email-Based Account Discovery
You can configure NetScaler Gateway to accept connections from internal end users that use an email address to discover the StoreFront URL. To allow internal end users to connect to their desktops and applications with an email address, you need to add the StoreFront URL to NetScaler.
To Configure NetScaler for Email-Based Account Discovery
1. Log on to a system that has Java installed using domain administrator credentials.
2. Open a browser, type the IP address of the first NetScaler, and then press Enter.
3. Log on to the NetScaler Configuration utility with the NetScaler credentials.
4. Expand NetScaler Gateway and then click the Global Settings node.
5. Click Change global settings under Settings and then click the Published Applications tab.
6. Type the Store URL in the Account Services Address on the Published Applications tab and then click OK.
You already completed this task in the lab environment when you configured ICA proxy in an earlier task. You do not need to complete this procedure in the lab environment.
If NetScaler is being used to load balance the StoreFront servers, you should specify the URL of the load balancing virtual server for the StoreFront servers. For example: https://sf.training.lab/Citrix/Store-1Web.
Testing Access through NetScaler
The NetScaler is now configured for:
• High availability
• Load balancing of StoreFront servers
• HTTP redirect for both NetScaler and StoreFront
• Pre-authentication endpoint analysis
• ICA proxy access to internal resources for remote end users
You will need to validate that end users can access the environment as configured.
To Test HTTP Redirection Requests for StoreFront Servers
1. Log on to an internal endpoint using domain credentials. Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.
2. Click Internet Explorer in the taskbar.
3. Type the URL for the Receiver for Web site using http and then press Enter. Type http://sf.training.lab/citrix/Store-1Web and then press Enter. Internal end users will use this URL or https://sf.training.lab/citrix/Store-1Web to access Store-1 using the Receiver for Web site. End users that use Citrix Receiver will access their resources using http://sf.training.lab or https://sf.training.lab. This ensures that the load is balanced between the StoreFront servers.
4. Verify that a Security Alert informing you that you are about to view pages over a secure connection appears and then click OK. This message appears even though you specified a non-secure URL, proving that http is being redirected to https.
5. Verify that the URL has changed to https.
6. Close Internet Explorer.
To Test External Access to the Environment
You need to validate that end users on an external endpoint can access resources in the environment. You must use a non-domain joined system to test this access. You can also use this test to verify that http redirect is working for the NetScaler and that a remote end user that is not a member of the Remote Access group (TRAINING\HRUser2) cannot access resources remotely.
1. Log on to an external endpoint using local user credentials. Log on to Endpoint-External using the ExternalUser and Password1 credentials. If Endpoint-External is not started, double-click the VM in XenCenter to start it.
Important: In the lab environment, you used the internal Certificate Authority to simulate a trusted third-party Certificate Authority. Because Endpoint-External is not joined to the domain, it does not trust the root certificate of the internal Certificate Authority that signed the certificate bound to the StoreFront load balancing virtual server on the NetScaler.
Before you can test external access to resources, you must configure the Endpoint-External VM to trust the root certificate of the internal Certificate Authority. This task would not be necessary in an environment where a third-party Certificate Authority was used to provide the NetScaler certificates. To configure the Endpoint-External VM to trust the root certificate of the internal Certificate Authority:
a. Click Desktop.
b. If the Windows Update window appears, click Close.
c. Click Internet Explorer in the taskbar of Endpoint-External.
d. Type http://ad.training.lab/certsrv/ and then press Enter.
e. Type TRAINING\Administrator in the User name field, Password1 in the Password field, and then click OK.
f. Click Download a CA certificate, certificate chain, or CRL.
g. Click Download CA certificate and then click Open.
h. Click Open and then click Install Certificate.
i. Select Local Machine, click Next, and then click Yes.
j. Select Place all certificates in the following store.
k. Click Browse, select Trusted Root Certification Authorities, and then click OK.
l. Click Next, click Finish, and then click OK.
m. Close Internet Explorer and then click OK in the Certificate window.
2. Open a browser to test external access to the resources in the environment. Click Internet Explorer in the taskbar of Endpoint-External.
3. Click the Tools icon on the top right.
4. Click Compatibility View Settings.
5. Verify that training.lab appears in the Add this website field.
6. Click Add and then click Close.
7. Type the URL for the NetScaler and then press Enter. Type http://access.training.lab and then press Enter. Remote end users will use this URL or https://access.training.lab to access Store-1 using the Receiver for Web site.
8. Verify that https now appears in the URL bar even though you originally typed http. This proves that http is being redirected to https.
9. Click Download on the Checking System Configuration on your device screen and then click Run.
10. Click Yes on the User Account Control window if it appears.
11. Click Run, respond affirmatively to any security prompts, and then click Install. If you receive a note stating that This webpage wants to run 'nsepaclass Class', click Run control.
12. Wait for the installation to complete, click Finish, and then click Yes to run the scan.
13. Verify that the Log On page is displayed. At this point, the Log On page being displayed is the Log On page for the NetScaler.
14. Log on to the Web site using domain user credentials. Log on to the Web site using the AcctUser1 and Password1 credentials.
15. If Receiver is not installed, select I agree with the Citrix license agreement, and then click Install. Receiver is already installed on Endpoint-External in the lab environment. If you logged on to the endpoint with different domain user credentials, you may need to install Citrix Receiver.
16. Click Run.
17. Click Yes on the User Account Control window.
18. Click Install.
19. Click Finish.
20. Click Allow twice.
21. Verify that resources are available to the end user. If resources were previously added for the end user, they will appear in the Citrix Receiver window. If both applications and desktops have been added, tabs will be available at the bottom of the Citrix Receiver window; if no applications or desktops have been added for the end user, a plus sign will appear on the left side of Citrix Receiver.
22. Verify that a resource launches successfully for the remote end user. Click Win8 Desktop, click Allow, click Open, and then verify that it starts.
23. Close the resource and then log off of Citrix Receiver. Close Win8 Desktop, click the arrow to the left of AcctUser1 in Citrix Receiver, and then click Log Off.
24. Close Internet Explorer.
25. Open a browser to verify that end users that are not part of the Remote Access group in Active Directory cannot log on remotely to access resources. Click Internet Explorer in the taskbar of Endpoint-External.
26. Type the URL for the NetScaler and then press Enter. Type https://access.training.lab and then press Enter.
27. Click OK in the Security Alert window.
28. Click Yes to run the Security scan.
29. Verify that the Welcome screen is displayed. At this point, the Log On page being displayed is the Log On page for the NetScaler.
30. Log on to the Web site using domain user credentials for a user not in the Remote Access group. Log on to the Web site using the HDUser2 and Password1 credentials. Recall that TRAINING\HDUser2 was not added to the Remote Access group.
31. Verify that the user is denied access to resources because they are not a member of the Remote Access group.
32. Close Internet Explorer.
To Test a Pre-Authentication Policy
You need to validate that you are denied access to the environment if the policy requirements are met (Notepad is running). You must use a non-domain joined system to test this policy since pass-through authentication is enabled for domain-joined systems.
1. Log on to an external endpoint using local user credentials. Log on to Endpoint-External using the ExternalUser and Password1 credentials. If Endpoint-External is not started, double-click the VM in XenCenter to start it.
2. Click Start, type Notepad, and then press Enter.
3. Start a browser. Click Internet Explorer in the taskbar of Endpoint-External.
4. Type the URL for the NetScaler and then press Enter. Type https://access.training.lab and then press Enter.
5. Click Yes to run the scan.
6. Verify that Access Denied is displayed on the Access Gateway screen.
7. Close Notepad.
8. Click the Back button under the Access Denied message.
9. Click Yes to run the scan. The Endpoint Analysis prompt may be hidden behind Internet Explorer.
10. Verify that the Welcome screen appears. The remaining steps in this procedure will disable the pre-authentication policy in the lab environment to prevent it from affecting future exercises.
11. Return to the system that has Java installed. Return to StudentManagementConsole-1.
12. Click the tab in the browser for the first NetScaler. Click the NetScaler-1 tab in Firefox.
13. Click NetScaler Gateway in the left pane and then click Change group settings and user permissions on the tab for the first NetScaler.
14. Expand the Virtual Servers, the Load Balancing virtual server, and the Pre-authentication Policies nodes in the left pane of the NetScaler Gateway Policy Manager. Click Virtual Servers, access_training_lab, and the Pre-authentication Policies nodes.
15. Right-click the policy, click Unbind, and then click Yes to prevent the policy from affecting future exercises. Right-click deny_logon_policy, click Unbind, and then click Yes to prevent the policy from affecting future exercises.
16. Click Close.
17. Click the diskette icon in the upper-right area of the window and then click Yes to save the NetScaler configuration.
Reinforcement Exercise: Scanning an Endpoint for a File
During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If you have a question or get stuck, ask the instructor or a fellow student for assistance.
Now that you know how to:
• Perform the initial NetScaler configuration.
• Configure NetScaler high availability.
• Load balance StoreFront servers through NetScaler.
• Enable remote access to the StoreFront store.
• Configure HDX (ICA) proxy.
• Configure a pre-authentication policy to scan an endpoint.
• Configure NetScaler for email-based account discovery.
You are ready to try your hand at creating a pre-authentication scan that scans an endpoint for a specific file.
Approximate time to complete: 20 minutes
Training wants you to ensure that a specific file exists on an endpoint to ensure that it has the appropriate software installed on it. This will give you a greater level of security by ensuring that all endpoints meet the minimum corporate criteria in order to access company resources. You decide to use a pre-authentication scan to determine whether an endpoint can be used to access the environment. If the file exists on the endpoint being used, the end user will be allowed to access the environment. If the file does not exist on the endpoint being used, the end user will not be allowed to access the environment. Here is what you need to do:
1. Log on to the NetScaler using Firefox.
2. Create a pre-authentication policy named no_file_policy.
3. Create a profile named no_file_profile that is set to DENY access.
4. Add a Client Security expression to check for the c:\\windows\\write.exe file on the endpoint. Be sure to specify two backslashes in the path.
5. Set the operator to NOTEXISTS. If the file does not exist, the endpoint will fail the scan and the user will be denied access.
6. Bind the no_file_policy to the access_training_lab virtual server.
7. Verify that https://access.training.lab presents the Access Denied screen when the file does not exist.
8. Use an external endpoint and the TRAINING\HRUser1 account to verify that https://access.training.lab presents the Welcome log on screen when the file exists.
9. Verify that the endpoint will fail the scan if the file does not exist, by unbinding the policy, changing the policy to scan for c:\\windows\\write1.exe, and then rebinding the policy.
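How a bound pre-authentication policy turns a scan result into an allow or deny decision, for both the running-process check configured earlier in this module and the file check in this exercise, as an added example that is not part of the course or of NetScaler's code: a Python evaluator for the two client security expression forms, run over constructed endpoint inventories. The CLIENT.APPLICATION.PROCESS form is the one the module shows; the CLIENT.FILE form, the priority ordering, and the default of letting logon proceed when no bound policy's expression is true are assumptions about NetScaler's behaviour, chosen to match the results the lab steps describe.

```python
"""Evaluator for classic-style client security expressions in pre-authentication policies.

Added example, not Citrix code. The endpoint inventories are constructed; the
CLIENT.FILE form and the "no policy matches -> logon proceeds" default are
assumptions about how NetScaler evaluates these policies.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Only the components this module uses are parsed; antivirus, firewall, registry
# and OS checks would be further branches of the same shape.
_EXPR = re.compile(
    r"^CLIENT\.(?P<component>APPLICATION\.PROCESS|FILE)\((?P<arg>.+)\)\s+(?P<op>EXISTS|NOTEXISTS)$"
)


@dataclass
class Endpoint:
    """Constructed stand-in for what the endpoint analysis plug-in reports."""
    running_processes: set[str]
    files: set[str]


def evaluate_expression(expression: str, endpoint: Endpoint) -> bool:
    """Return True when the expression holds for this endpoint."""
    m = _EXPR.match(expression.strip())
    if m is None:
        raise ValueError(f"unsupported expression: {expression!r}")
    component, arg, op = m.group("component", "arg", "op")
    if component == "APPLICATION.PROCESS":
        present = arg.lower() in {p.lower() for p in endpoint.running_processes}
    else:
        # The policy UI requires doubled backslashes in the path; collapse them
        # before comparing against the path as it exists on disk.
        path = arg.replace("\\\\", "\\").lower()
        present = path in {f.lower() for f in endpoint.files}
    return present if op == "EXISTS" else not present


@dataclass
class PreauthPolicy:
    name: str
    expression: str
    action: str    # the bound profile's action: "ALLOW" or "DENY"
    priority: int  # lower number is evaluated first


def decide(policies: list[PreauthPolicy], endpoint: Endpoint) -> tuple[str, str | None]:
    """Evaluate bound policies in priority order. The first policy whose
    expression is true decides with its profile action; if none is true the
    scan passes and the user reaches the logon page (assumed default)."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if evaluate_expression(policy.expression, endpoint):
            return policy.action, policy.name
    return "ALLOW", None


# The two policies from this module, written as the wizard would store them.
DENY_LOGON_POLICY = PreauthPolicy(
    "deny_logon_policy", "CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS", "DENY", 100)
NO_FILE_POLICY = PreauthPolicy(
    "no_file_policy", r"CLIENT.FILE(c:\\windows\\write.exe) NOTEXISTS", "DENY", 110)


def run_scenarios() -> dict[str, str]:
    """Constructed endpoints mirroring the lab's test steps; returns the verdict per scenario."""
    base_files = {r"c:\windows\write.exe", r"c:\windows\notepad.exe"}
    scenarios = {
        "notepad running": Endpoint({"explorer.exe", "notepad.exe"}, base_files),
        "notepad closed": Endpoint({"explorer.exe"}, base_files),
        "write.exe missing": Endpoint({"explorer.exe"}, {r"c:\windows\notepad.exe"}),
    }
    return {name: decide([DENY_LOGON_POLICY, NO_FILE_POLICY], ep)[0]
            for name, ep in scenarios.items()}


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:>20}: {verdict}")
```

The three scenarios reproduce what the lab steps observe: Access Denied while Notepad is running, the Welcome screen once it is closed, and Access Denied again when the required file is absent. Because a DENY profile only fires when its expression is true, the file check has to be written with NOTEXISTS, which is why step 5 above sets that operator; an EXISTS expression on a DENY profile would lock out exactly the compliant endpoints.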
851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA (954) 267 3000 www.citrix.com
© Copyright 2015 Citrix Systems, Inc. All rights reserved.
Rheinweg 9 8200 Schaffhausen Switzerland +41 (0) 52 63577 00 www.citrix.com