Director 2402 LTSR CU2

Last Modified: Feb 8, 2025 @ 7:44 am


Director Licensing – Premium Edition

Here’s a list of Director features that require CVAD Premium Edition licensing.

  • Up to a year’s worth of performance data
    • Other editions keep up to 30 days of performance data
  • Probes
  • Alerts
  • OS usage reporting
  • Create customized reports
  • Reboot warnings
  • NetScaler Console integration – HDX Insight

See Citrix Docs Feature compatibility matrix for a list of which Director feature came with each version, and the licensing Edition needed for each feature.

Install/Upgrade Director 2402 LTSR CU2 on Standalone Server

Current Release vs LTSR – Director version 2402 is a Long Term Support Release, which is supported for 5 years from its February 2024 release date. Citrix Support might require you to install the latest Cumulative Update for 2402.

Install on Delivery Controller? – The Citrix Virtual Apps and Desktops (CVAD) Delivery Controller metainstaller has an option to install Director on the Delivery Controller machine. Or you can install Director on separate, dedicated machines.

  • If Director will connect to multiple sites/farms, then install Director on its own servers.
  • For small environments, it might be OK to install Director on the Delivery Controller machines. Otherwise, Director is usually installed on separate machines.
  • Director is an IIS website. If you install Director, then IIS is also installed.

Scripted install – To install and configure Director using a script, see Dennis Span Citrix Director unattended installation with PowerShell.

Manual installation – To install Director manually:

  1. Run AutoSelect.exe from the Citrix Virtual Apps and Desktops 2402 LTSR CU2 ISO.
  2. In the Extend Deployment section, on the bottom left, click Citrix Director.
  3. In the Licensing Agreement page, select I have read, understand, and accept the terms, and click Next.
  4. In the Core Components page, click Next.
  5. In the Delivery Controller page, it will ask you for the location of one Delivery Controller in each farm. Only enter one Delivery Controller per farm. If you have multiple Director servers, each Director server can point to a different Delivery Controller in each farm.
    • From Citrix Docs: Director automatically discovers all other Delivery Controllers in the same Site and falls back to those other Delivery Controllers if the Controller you specified fails. Click Test Connection, and then click Add.
  6. You can optionally force SSL/TLS for the Monitoring service by following the instructions at Data Access Security at Citrix Developer Documentation. Also see CTX224433 Error: “Cannot Retrieve Data” on Citrix Director Dashboard After Securing OData Interface Through TLS.
  7. In the Features page, click Next.
  8. In the Firewall page, click Next.
  9. In the Summary page, click Install.
  10. In the Finish page, click Finish.
  11. In IIS Manager, go to Default Web Site > Director > Application Settings, find Service.AutoDiscoveryAddresses and make sure it points to one Delivery Controller in the farm and not to localhost. From Citrix Docs: Director automatically discovers all other Delivery Controllers in the same Site and falls back to those other Delivery Controllers if the Delivery Controller you specified fails.
  12. If you built multiple Director servers, use NetScaler to load balance them.
  13. If this is an upgrade, reconfigure the default domain in LogOn.aspx (see Director Domain Field below), because the upgrade overwrites your domain name configuration.
  14. For info on the new monitoring features in Director, see Use Director below.

Director Default Web Page

From Carl Webster How to Make Director the Default Page within IIS: If Director is installed on a standalone server, do the following to set /Director as the default path. If Director and StoreFront are on the same server, then you’ll probably want StoreFront Receiver for Web as the default web page instead of Director.

  1. Open Notepad elevated (as administrator) and paste the following text:
    <script type="text/javascript">
    <!--
    window.location="https://director.corp.com/Director";
    // -->
    </script>
  2. Adjust the window.location line to match your FQDN.
  3. Select File > Save As and browse to the IIS folder, by default C:\inetpub\wwwroot is the IIS folder.
  4. Select the Save as type to All types.
  5. Type a file name with an html extension and select Save.
  6. Open IIS Manager.
  7. Select the SERVERNAME node (top-level), and double-click Default Document.
  8. On the right, click Add….
  9. Enter the file name of the .html file saved in Step 5.
  10. Ensure the .html file is located at the top of the list.

Director Domain Field

On the Director servers, locate and edit the ‘LogOn.aspx’ file. By default, you can find it at C:\inetpub\wwwroot\Director\Logon.aspx

In line 472 you will have the following. To find the line, search for ID="Domain".

<asp:TextBox ID="Domain" runat="server" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

In the ID="Domain" element, insert a Text attribute and set it to your domain name inside quotes. Don’t change or add any other attributes. Save the file.

<asp:TextBox ID="Domain" runat="server" Text="Corp.local" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

This configuration prepopulates the Domain text box with your domain name and still allows the user to change it if required. Note: this only seems to work if Single Sign-on is disabled.
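The same edit, as an added PowerShell example that is not from the original page, so it can be re-applied after an upgrade overwrites LogOn.aspx. The file path and the domain name Corp.local are assumptions; the script touches only the TextBox whose ID is "Domain" and leaves every other attribute alone.

```powershell
# Added example, not from the original page: sets (or refreshes) the Text attribute on the
# Domain TextBox in Director's LogOn.aspx. Assumptions: Director is installed under
# C:\inetpub\wwwroot\Director and the default domain should be Corp.local.
# Per the page, the prepopulated value only shows when Single Sign-on is disabled.

function Set-DirectorDefaultDomain {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Path = 'C:\inetpub\wwwroot\Director\LogOn.aspx'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "LogOn.aspx not found at $Path" }
    # The value lands inside a double-quoted attribute, so reject anything that could break out of it.
    if ($Domain -match '["<>]') { throw 'Domain name contains characters not allowed in an attribute value' }

    # Remember whether the file had a UTF-8 BOM so it is written back the same way.
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    $content = [System.IO.File]::ReadAllText($Path)

    # Find only the opening tag of the TextBox whose ID is "Domain".
    $tagPattern = '<asp:TextBox\b[^>]*\bID="Domain"[^>]*>'
    $found = [regex]::Matches($content, $tagPattern)
    if ($found.Count -ne 1) { throw "Expected exactly one Domain TextBox, found $($found.Count)" }
    $oldTag = $found[0].Value

    # Drop any Text attribute already present, then insert the new one right after ID="Domain".
    $newTag = $oldTag -replace '\s+Text="[^"]*"', ''
    $newTag = $newTag -replace 'ID="Domain"', ('ID="Domain" Text="' + $Domain + '"')
    if ($newTag -eq $oldTag) { return $false }   # already configured; nothing written

    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a copy of the original
    $updated = $content.Replace($oldTag, $newTag)                  # literal, not regex, replace
    [System.IO.File]::WriteAllText($Path, $updated, (New-Object System.Text.UTF8Encoding($hasBom)))
    return $true
}

function Get-DirectorDefaultDomain {
    param([string]$Path = 'C:\inetpub\wwwroot\Director\LogOn.aspx')
    # Read back the Text attribute of the Domain TextBox, or $null if none is set.
    $content = [System.IO.File]::ReadAllText($Path)
    $m = [regex]::Match($content, '<asp:TextBox\b[^>]*\bID="Domain"[^>]*\bText="(?<text>[^"]*)"')
    if ($m.Success) { $m.Groups['text'].Value } else { $null }
}

# Apply, then verify what the logon page will now show.
if (Set-DirectorDefaultDomain -Domain 'Corp.local') { Write-Host 'LogOn.aspx updated (backup written to LogOn.aspx.bak)' }
Write-Host ('Domain field now defaults to: ' + (Get-DirectorDefaultDomain))
```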

Director Tweaks

Session timeout

By default, the idle time session limit of the Director is 65 min. If you wish to change the timeout, here is how to do it:

  1. Log on to the Director server as an administrator.
  2. Open the ‘IIS Manager’.
  3. Browse to ‘Sites > Default Web Site > Director’ in the left-hand pane.
  4. Open ‘Session State’ in the right-hand pane.
  5. Change the ‘Time-out (in minutes)’ value under ‘Cookie Settings’.
  6. Click ‘Apply’ in the Actions list.

SSL Check

If you are not securing Director with an SSL certificate, you will see an error at the logon screen.

To stop this:

  1. Log on to the Director server as an administrator.
  2. Open the ‘IIS Manager’.
  3. Browse to ‘Sites > Default Web Site > Director’ in the left-hand pane.
  4. Open ‘Application Settings’ in the right-hand pane.
  5. Set UI.EnableSslCheck to false.

Disable Activity Manager

From Disable the visibility of running applications in the Activity Manager in Advanced Configuration at Citrix Docs: By default, the Activity Manager in Director displays a list of all the running applications and the Windows description in the title bars of any open applications for the user’s session. This information can be viewed by all administrators that have access to the Activity Manager feature in Director. For Delegated Administrator roles, this includes Full administrator, Delivery Group administrator, and Help Desk Administrator.

To protect the privacy of users and the applications they are running, you can disable the Applications tab from listing running applications.

  • On the VDA, modify the registry key located at HKLM\Software\Citrix\Director\TaskManagerDataDisplayed. By default, the key is set to 1. Change the value to 0, which means the information will not be displayed in the Activity Manager.
  • On the server with Director installed, modify the setting that controls the visibility of running applications. By default, the value is true, which allows visibility of running applications in the Applications tab. Change the value to false, which disables visibility. This option affects only the Activity Manager in Director, not the VDA. Modify the value of the following setting:
    UI.TaskManager.EnableApplications = false

Large Active Directory / Multiple Forests

From CTX133013 Desktop Director User Account Search Process is Slow or Fails: By default, all the Global Catalogs for the Active Directory Forest are searched using Lightweight Directory Access Protocol (LDAP). In a large Active Directory environment, this query can take some time or even time out.

If you have multiple forests, see Citrix Blog Post Using Citrix Director in a MultiForest Environment.

  1. In Internet Information Services (IIS) Manager, under the Desktop Director site, select Application Settings and add a new value called Connector.ActiveDirectory.ForestSearch. Set it to False. This disables searching any domain except the user’s domain and the server’s domain.
  2. To search more domains, add the searchable domain or domains in the Connector.ActiveDirectory.Domains field.

Site Groups

From Citrix Blog Post Citrix Director 7.6 Deep-Dive Part 4: Troubleshooting Machines:

If there are a large number of machines, the Director administrator can now configure site groups to perform machine search so that they can narrow down searching for the machine inside a site group. The site groups can be created on the Director server by running the configuration tool via command line by running the command:

C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /createsitegroups

Then provide a site group name and IP address of the delivery controller of the site to create the site group.

Director – Saved Filters

In Director, you can create a filter and save it.

The saved filter is then accessible from the right side of the Filters node by clicking the Saved Filters tab.

The saved filters are stored on each Director server at C:\Inetpub\wwwroot\Director\UserData. Each user has their own saved filters. The saved filters are not replicated across Director servers.

You can instead configure multiple Director servers to store the filters on a shared UNC path:

  1. Create and share a folder (e.g. DirectorData).
  2. The Director server computer accounts need Modify permission to the share.
  3. On each Director server, run IIS Manager.
  4. Go to Sites > Default Web Site > Director. In the middle, double-click Application Settings.
  5. Change the Service.UserSettingsPath setting to the UNC path of the new share.
  6. Repeat this on other load balanced Director servers.

Director and HDX Insight

You can connect Director to NetScaler Console (formerly ADM) to add Network tabs to Director’s Trends and Machine Details views. See Citrix Blog Post Configure Director with NetScaler Management & Analytics System (MAS).

  1. Run "C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe" /confignetscaler
  2. Select NetScaler Management and Analytics System

Director Grooming

If Citrix Virtual Apps and Desktops (CVAD) is not Premium Edition, then all historical Director data is groomed at 30 days.

For Citrix Virtual Apps and Desktops (CVAD) Premium Edition, by default, most of the historical Director data is groomed at 90 days. This can be adjusted up to 367 days by running a PowerShell cmdlet.

  1. On a Delivery Controller, run Get-MonitorConfiguration to see the current grooming settings.
  2. Run Set-MonitorConfiguration to change the grooming settings.

More details on Monitor Service data aggregation and retention can be found at Data granularity and retention at Citrix Docs.

Director Single Sign-on

You can configure Director to support Integrated Windows Authentication (Single Sign-on). Note: there seem to be issues when not connecting from the local machine or when connecting through a load balancer.

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu), or from the Start Menu, or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle, double-click Authentication in the IIS section.
  4. Right-click Windows Authentication and Enable it.
  5. Right-click Anonymous Authentication and Disable it.
  6. Pass-through auth won’t work from another computer until you set the http SPN for the Director server. See Director 7.7 Windows Authentication not working with NS LB at Citrix Discussions.
  7. If Director is not installed on a Controller, then you’ll need to configure Kerberos delegation.
  8. If you are load balancing Director then additional config is required. See Director 7.7 Windows Authentication not working with NS LB at Citrix Discussions for more info.
    1. The FQDN for Director load balancing should be different than the FQDN for StoreFront load balancing.
    2. Create an AD service account that will be used as the Director’s ApplicationPoolIdentity.
    3. Create SPN and link it to the service account.
      setspn -S http/loadbalanced_URL domain\user
    4. Trust the user account for delegation to any service (Kerberos only). Trusting the Director servers themselves for delegation is not necessary in this case. You have to create the SPN before you can do this step.
    5. In IIS Manager, on the Director Application Pool, specify the Identity as the user created earlier.
    6. In IIS manager, expand Default Web Site, select Director, and open the Configuration Editor (bottom of the middle pane).
    7. Use the drop-down to navigate to the following section: system.webServer/security/authentication/windowsAuthentication
    8. Set useAppPoolCredentials = True, and useKernelMode = False. Click Apply on the top right.

  9. When you connect to Director you will be automatically logged in. You can change the login account by first logging off.
  10. Then change the drop-down to User credentials.
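Steps 2 through 8 for a load-balanced Director, as an added PowerShell example that is not from the original page or from Citrix. It assumes the load-balanced FQDN director.corp.com, an existing service account CORP\svc_director, an application pool named Director, the RSAT ActiveDirectory and WebAdministration modules, and an elevated session on each Director server.

```powershell
# Added example, not from the original page or Citrix. Registers the SPN, sets delegation,
# runs the Director application pool as the service account and configures Windows
# Authentication for the Director application, then reads the IIS settings back.
# Assumed names: director.corp.com, CORP\svc_director, app pool "Director".
Import-Module ActiveDirectory
Import-Module WebAdministration

$LbFqdn  = 'director.corp.com'   # must differ from the StoreFront load-balanced FQDN
$NetBios = 'CORP'
$Account = 'svc_director'         # sAMAccountName of the ApplicationPoolIdentity account
$AppPool = 'Director'
$AppPath = 'Default Web Site/Director'

function Register-DirectorSpn {
    param([string]$Spn, [string]$SamAccountName)
    # A duplicate SPN makes Kerberos silently fall back to NTLM, so check who holds it first
    # (the same check "setspn -Q" performs).
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
    $other   = @($holders | Where-Object { $_.sAMAccountName -ne $SamAccountName })
    if ($other.Count -gt 0) { throw "SPN $Spn is already registered to: $($other.sAMAccountName -join ', ')" }
    if (-not $holders) {
        Set-ADUser -Identity $SamAccountName -ServicePrincipalNames @{ Add = $Spn }
    }
    # "Trust this user for delegation to any service (Kerberos only)". The SPN must exist first.
    # This is unconstrained delegation, as the page describes; it grants more than Director needs.
    Set-ADAccountControl -Identity $SamAccountName -TrustedForDelegation $true
}

function Set-DirectorWindowsAuth {
    param([string]$Pool, [string]$Path, [pscredential]$Identity)
    # Run the application pool as the service account (identityType 3 = SpecificUser).
    Set-ItemProperty -Path "IIS:\AppPools\$Pool" -Name processModel -Value @{
        identityType = 3
        userName     = $Identity.UserName
        password     = $Identity.GetNetworkCredential().Password
    }
    $auth = 'system.webServer/security/authentication'
    # Windows Authentication on, Anonymous off, scoped to the Director application only.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    # Decrypt Kerberos tickets with the app pool account (which owns the SPN), not the machine account.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path -Filter "$auth/windowsAuthentication" -Name useKernelMode -Value $false
}

function Test-DirectorWindowsAuth {
    param([string]$Path)
    # Read the effective settings back so a misapplied step shows up immediately.
    $auth = 'system.webServer/security/authentication'
    $win  = Get-WebConfiguration -PSPath 'IIS:\' -Location $Path -Filter "$auth/windowsAuthentication"
    $anon = Get-WebConfiguration -PSPath 'IIS:\' -Location $Path -Filter "$auth/anonymousAuthentication"
    [pscustomobject]@{
        WindowsAuthEnabled    = $win.enabled
        AnonymousAuthEnabled  = $anon.enabled
        UseAppPoolCredentials = $win.useAppPoolCredentials
        UseKernelMode         = $win.useKernelMode
    }
}

# Prompt for the password instead of embedding it in the script.
$cred = Get-Credential -UserName "$NetBios\$Account" -Message 'Password for the Director app pool account'
Register-DirectorSpn -Spn "http/$LbFqdn" -SamAccountName $Account
Set-DirectorWindowsAuth -Pool $AppPool -Path $AppPath -Identity $cred
Test-DirectorWindowsAuth -Path $AppPath | Format-List
```

Run Register-DirectorSpn once per forest and the two IIS functions on every Director server behind the load balancer.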

Director – Multiple Citrix Virtual Apps and Desktops (CVAD) Sites/Farms

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu, or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle pane, double-click Application Settings.
  4. Find the entry for Service.AutoDiscoveryAddresses, and double-click it.
  5. If Director is installed on a Controller, localhost should already be entered.
  6. Add a comma, and the NetBIOS name of one of the controllers in the 2nd Citrix Virtual Apps and Desktops Site (farm). Only enter one Delivery Controller name. If you have multiple Director servers, you can point each Director server to a different Delivery Controller in the 2nd Citrix Virtual Apps and Desktops Site (farm).
    1. From Citrix Docs: Director automatically discovers all other Delivery Controllers in the same Site and falls back to those other Delivery Controllers if the Delivery Controller you specified fails.
    2. You can optionally force SSL/TLS for the Monitoring service by following the instructions at Data Access Security at Citrix Developer Documentation.
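The Application Settings edits from this section and from the Director Tweaks, Large Active Directory and Saved Filters sections above, as one added PowerShell example that is not from the original page or from Citrix. It relies on the fact that the IIS Manager Application Settings pane writes to the appSettings element of Director's web.config; the web.config path and the sample values are assumptions.

```powershell
# Added example, not from the original page or Citrix. Sets Director appSettings in
# web.config (what IIS Manager > Application Settings edits) with a backup and a read-back.
# The path and the sample values below are assumptions for your environment.
$WebConfig = 'C:\inetpub\wwwroot\Director\web.config'

function Get-DirectorAppSetting {
    param([Parameter(Mandatory)][string]$Key, [string]$Path = $WebConfig)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if ($node) { $node.GetAttribute('value') } else { $null }
}

function Set-DirectorAppSetting {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Value, [string]$Path = $WebConfig)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true           # keep the file diff-friendly
    $xml.Load($Path)
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw "No <appSettings> element in $Path" }
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if (-not $node) {
        $node = $xml.CreateElement('add')     # key not present yet: add it
        $node.SetAttribute('key', $Key)
        [void]$appSettings.AppendChild($node)
    } elseif ($node.GetAttribute('value') -eq $Value) {
        return $false                         # already set; nothing written
    }
    $node.SetAttribute('value', $Value)
    Copy-Item -LiteralPath $Path -Destination ('{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
    $xml.Save($Path)                          # IIS recycles the application when web.config changes
    return $true
}

# Settings discussed on this page. Values are constructed examples; adjust to your site.
$Desired = [ordered]@{
    'UI.TaskManager.EnableApplications'      = 'false'              # Disable Activity Manager (Director side)
    'Connector.ActiveDirectory.ForestSearch' = 'False'              # Large Active Directory
    'Service.UserSettingsPath'               = '\\fs01\DirectorData' # Saved Filters on a shared UNC path
    'Service.AutoDiscoveryAddresses'         = 'ddc1,ddc1site2'     # one Controller per Site; not localhost on a standalone Director
    # 'UI.EnableSslCheck' = 'false'  # only silences the warning; an HTTPS binding is the real fix
}

foreach ($entry in $Desired.GetEnumerator()) {
    $changed = Set-DirectorAppSetting -Key $entry.Key -Value $entry.Value
    [pscustomobject]@{ Key = $entry.Key; Value = (Get-DirectorAppSetting -Key $entry.Key); Changed = $changed }
}
```

Run it on every load-balanced Director server, since web.config is per server.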

Director Process Monitoring

Director has Process Monitoring, which is detailed in Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.

Process Monitoring is disabled by default. To enable it, configure the Enable process monitoring setting in a Citrix Policy. For Citrix Policies in a GPO, find this setting in the computer half of the GPO. Note: this setting could significantly increase the size of the Monitoring database.

Director Alerts and Notifications

Director supports alert conditions and email notifications. This feature requires Citrix Virtual Apps and Desktops (CVAD) to be licensed with Premium Edition. See Citrix Blog Post Configuring & Managing Alerts and Notifications Using Director for more information.

For CPU, Memory, and ICA RTT alerts, see Citrix Blog Post 7 New Categories in Director for Proactive Notifications & Alerts.

Director supports Hypervisor Alerts from vSphere and Citrix Hypervisor. The alerts are configured in the hypervisor (e.g., vCenter). When triggered, the hypervisor alerts can be viewed in Director. Director can send email notifications when hypervisor alerts are triggered.

  • Hypervisors can generate many alerts, but Director does not have a bulk method of clearing those alerts. Citrix wrote a PowerShell script named DismissAlerts.ps1 that runs a SQL query to clear the Hypervisor alerts.

To configure alerts in Director:

  1. While logged into Director, click the Alerts node.
  2. On the right, switch to the Email Server Configuration tab.
  3. Enter your SMTP information and click Send Test Message. Then click Save.


  4. Switch to the Citrix Alerts Policies tab.
  5. There are four high-level categories of alerts: Site Policy, Delivery Group Policy, Multi-session OS Policy (aka Server OS Policy), and User Policy. Click whichever one you want to configure.
  6. Director has built-in alert policies. All you need to do is add notification email addresses to the built-in policies.
  7. In Director 1811 and newer, in the Site Policy tab, click Edit for the built-in Hypervisor Health policy.

    • In the Send mails field, enter a destination email address and click Add. Click Save when done.
  8. On the Delivery Group Policies tab, find the built-in Smart Alert, and then click Edit. Note: this Smart Alert might not appear until you create a Delivery Group in Citrix Studio.

    1. Notice the Conditions that are already enabled. You can change them or add more.
    2. At the bottom of the page, you can enter a destination email address and click Add. Then click Save.
  9. You can create custom Alert Policies by clicking the Create button on any of these tabs.
  10. For Multi-session OS Policy (aka Server OS Policy) and User Policy, there are ICA RTT alerts.
  11. Citrix has an experimental Desktop Notification Tool. See Citrix Blog Post Desktop Notification Tool For Citrix XenDesktop.

Director – StoreFront Probes

If you are licensed for Premium Edition, then you can install probe agents on remote machines and the probe agents can periodically check if an application can be launched through StoreFront.

Custom Studio Role for Probe Administrator

  1. Create a new user account just for probe administration (e.g., CORP\ProbeAdmin).
  2. In Citrix Web Studio, at Administrators, on the Roles tab, create a new Role with the permissions shown below.

    • Delivery Groups > Read-only
    • Director > Create\Edit\Remove Alert Email Server Configuration
    • Director > Create\Edit\Remove Probe Configurations
    • Director > View Applications page
    • Director > View Configurations page
    • Director > View Trends page
  3. On the Administrators tab, add an administrator, select your ProbeAdmin account, and assign it the custom Probe Administrator role that you just created.

StoreFront HTTP Basic Authentication

  1. In StoreFront Console, right-click your Store, and click Manage Authentication Methods.
  2. Check the box next to HTTP Basic, and click OK.

Install Probe Agent

To automate the installation and configuration of the Probe Agent, see CTX493268 Automating Citrix Probe Agent Installation and Configuration, or see CTA Dennis Span Citrix Application Probe Agent unattended installation.

On one or more remote machines, download and install the Probe Agent.

  1. Download the Citrix Application Probe Agent 2402 LTSR CU2. To see it, expand Edition specific components and then click Premium Edition components.

  2. On a physical machine in a remote office, install Workspace app 1903 or newer if it isn’t installed already.
  3. Run the downloaded CitrixProbeAgent2402.msi.
  4. In the Welcome to the Citrix Probe Agent Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install Citrix Probe Agent page, click Install.
  8. In the Completed the Citrix Probe Agent Setup Wizard page, click Finish.

Configure Probe Agent

  1. Every Probe Agent machine should have unique StoreFront test user credentials. Create unique accounts for each machine.
  2. From the Start Menu of the remote machine, launch Citrix Probe Agent.
  3. Click Start.
  4. In the Configure Workspace Credentials page, enter the StoreFront Receiver for Web URL, or enter a Citrix Gateway URL.
    • For Citrix Gateway, the Citrix Gateway Virtual Server must be configured with RfWebUI theme. Other themes, like X1 theme, do not work.
    • Probe Agent 2308 and newer support Citrix Gateway authentication with Native OTP.
  5. Enter the username and password for the probe user for this machine.
  6. Click Next.
  7. In the Configure to Display Probe Result page, enter the URL to Director. Make sure you include /Director at the end of the URL.
  8. Enter the Probe Admin credentials and click Validate.
  9. Select a Site (farm) if there’s more than one.
  10. Click Next.
  11. In the View Summary page, you may close the window.
  12. Log in to Director as the Probe Admin account.
  13. On the left, click Probes. On the right, click the Configuration tab.
  14. At the top of the page, select either Application Probe, or Desktop Probe.
  15. Click Create Probe.
  16. In the Create Probe page:
    1. Give the probe configuration a name.
    2. Select one or more Applications or Desktops to test.
    3. Select the registered Probe Agent machine(s) to run the probe from.
    4. Enter an email address for probe result notifications.
    5. Select one time per day to run the probe. You can create multiple probe configurations to run the probe multiple times per day.
  17. Click Save.
  18. The probe configurations are stored in the Monitoring database so there shouldn’t be any concerns with load balancing of Director.
  19. To view the probe results, switch to the Probe Runs tab.

Director – Custom Reports

In Director, in the Trends view, there’s a Custom Reports tab that guides you through creating a custom OData Query. This tab only appears if you have Citrix Virtual Apps and Desktops (CVAD) Premium Edition.

The Monitoring database contains more data than is exposed in Director. To view this data, the Monitoring service has an OData Data Feed that can be queried.

Use Director

The newer Director features usually require Delivery Controllers and VDAs to be at the same version or newer than Director. Director depends on the Monitoring Service that is built into the Delivery Controller. The Monitoring Service gathers data from the VDAs.

See Site Analytics at Citrix Docs.

See the various Troubleshoot topics at Citrix Docs.

Director 2402 new features

Director 2402 has a new theme. Tabs are now shown on the left.

When you Search for a user and select a session you see the Activity Manager page. It has a new theme.

The User Details page also has a new theme. Search for the user and then click View Details.

The Session Performance tab shows you trends of some network metrics. See Diagnose Session Performance issues.

Session Details shows if Teams is optimized or not. Teams 2.1 is supported in Director 2402 with VDA 2402.

Session Details has an option to enable Session Recording for the session. Dynamic Session Recording requires the Session Recording cloud service. Policy based Session Recording requires running C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /configsessionrecording on the Director server.

The Session Selector button lets you play recordings.

Session Logon tab in the User Details page has an enhanced visualization of the logon duration phases. The new representation shows the overlapping of the individual logon phases.

Virtual Delivery Agent (VDA) 2402 LTSR CU2

Last Modified: Apr 2, 2025 @ 4:14 pm


Hardware

Hypervisor Host Hardware

  • G0-EUC Moore’s law of Windows 10 1903 – Newer versions of Windows 10 have lower density than older versions
  • Citrix Blog Post Citrix Scalability — The Rule of 5 and 10: Simply take the number of physical cores in a hypervisor host, multiply it by 5 or 10, and the result will be your Single Server Scalability. Use 5 if you’re looking for the number of Virtual Desktop VMs you can host on a box, and use 10 if you’re looking for the number of Virtual Apps user sessions you can host on a box.

Virtual Machine Hardware

  1. Operating system version support: VDA version 2402 CU2 supports Windows 11, Windows 10 64-bit (1607 and newer), Windows Server 2022, Windows Server 2019, and Windows Server 2016.
    • Windows Server 2025 is not supported.
    • Windows Server 2012 R2 is no longer supported. For Windows Server 2012 R2, install VDA 1912 with the latest Cumulative Update. VDA 1912 will work with newer Delivery Controllers (e.g., Delivery Controller 2402 CU2).
  2. Cloud VDAs licensing – Cloud VDAs are supported if you are licensed for Citrix Cloud with Hybrid Usage rights or Universal licenses. See CTX270373 Citrix Virtual Apps and Desktops: Public cloud support with Current Releases and Long Term Service Releases.
  3. Windows 11 and vSphere – Citrix supports Windows 11 on vSphere 7 or newer. Windows 11 requires TPM. vSphere requires VM encryption of the VM files before it will let you add a TPM to the virtual machine. VM encryption requires a Key Provider. vSphere 7 has a Native Key Provider that does not need any additional servers or licenses. See VMware Tech Zone Windows 11 Support on vSphere.
    1. In vSphere Client, in Inventory, click the vCenter object. On the right, on the Configure tab, scroll down to Key Providers and add a Native Key Provider.
    2. After it’s added, select it and then click Back-up to activate it.

  4. Microsoft TechNet Blog – Say No to Windows 10 Long Term Servicing Channel (LTSC)
    • No Edge
    • From January 2020, Microsoft Office 365 will not be supported on LTSC.
    • Non-security operating system fixes and enhancements may not get back-ported to LTSC.
  5. CTX224843 Windows 10 compatibility with Citrix Virtual Desktops

  6. Hypervisor Support – CTX131239 Supported Hypervisors for Virtual Desktops (XenDesktop) and Provisioning Services
    • vSphere 7 is supported with CVAD 2106 and newer.
    • SCVMM 2022 is supported with CVAD 2203 and newer.
  7. Firewall – the UDP-based EDT protocol is enabled by default. Make sure the UDP ports are open for ICA/HDX:
    1. UDP 1494
    2. UDP 2598
    3. UDP 443 – from Internet to Citrix Gateway.
    4. UDP 443 can also be used by internal ICA connections if VDA SSL is configured.
    5. For EDT through Citrix Gateway, make sure your Citrix ADC firmware is up to date, preferably 12.1 or newer. Then enable DTLS on the Gateway Virtual Server.
    6. TCP 443 and UDP 443 for HDX Direct.
    7. Citrix Blog Post What’s new with HDX in the 2402 LTSR
  8. VDA virtual machine sizing:
    1. For Windows 11 or Windows 10 virtual desktops, give the virtual machine: 2+ vCPU and 4+ GB of RAM – higher RAM for browsers running on the VDA
    2. For Windows Server 2022, 2019, or 2016 RDSH, give the virtual machine 8 vCPU, and 24-48 GB of RAM
  9. If using memory caching (MCSIO or PvS) for storage, add more RAM for the cache.
  10. Remove the floppy drive.
  11. Remove any serial or LPT ports.
  12. If Windows 11 on vSphere:
    1. When creating the Windows 11 virtual machine, enable Encrypt this virtual machine.
    2. In the Select a guest OS screen, if you don’t see Windows 11, then select Windows 10.
    3. On the Customize hardware page, make sure VM configuration files are encrypted. Hard disk encryption is not required, and you can deselect it. Only the VM configuration files must be encrypted.
    4. Then you can use the Add New Device drop-down to add a Trusted Platform Module.
  13. If vSphere:
    1. To reduce disk space, reserve memory. Memory reservations reduce or eliminate the virtual machine .vswp file.
    2. The NIC should be VMXNET3.
    3. For vGPU, set vgpu.hotmigrate.enabled Advanced vCenter Server Setting to true. (source = William Lam How to enable vGPU vMotion in vSphere 6.7 Update 1)
  14. App Layering and UEFI – In Citrix App Layering 2003 and newer, import UEFI images by running a script instead of using a connector.
  15. If this VDA will boot from Citrix Provisioning:
    1. For vSphere, the NIC Adapter Type must be VMXNET3.
    2. For vSphere, configure the CD/DVD Drive to boot from IDE instead of SATA. SATA won’t work with PVS.
    3. Make sure you remove the SATA Controller after you change the CD/DVD Drive to be IDE.
  16. Install the latest version of hypervisor drivers (e.g., VMware Tools).
  17. The vSphere Activity Monitoring Feature with NSX Guest Introspection feature uses a TDI driver (vnetflt.sys), which might cause a “Connection Interrupted” message when users log off of Citrix. See CTX221206 “Connection Interrupted” error message displayed while logging off ICA session.

If vSphere, disable NIC Hotplug

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously, this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. Switch to the tab named VM Options.
  5. Expand Advanced and then click Edit Configuration.
  6. Click the button labelled Add Configuration Params.
  7. For the Name, enter devices.hotplug.
  8. For the Value, enter false. Then click OK.
  9. The VM can then be powered on.
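The same change made with VMware PowerCLI, as an added example that is not from the original page. It assumes PowerCLI is installed and already connected with Connect-VIServer, and that the master images sit in a folder named VDA Masters; powered-on VMs are reported and skipped because the setting is only applied while the VM is off.

```powershell
# Added example, not from the original page. Sets devices.hotplug=false on VMs via PowerCLI
# (assumed installed and connected). Assumed folder name: "VDA Masters".
function Disable-VMDeviceHotplug {
    param([Parameter(Mandatory, ValueFromPipeline)]$VM)
    process {
        $setting = Get-AdvancedSetting -Entity $VM -Name 'devices.hotplug' -ErrorAction SilentlyContinue
        $before  = if ($setting) { $setting.Value } else { '(not set: hotplug enabled)' }

        if ($VM.PowerState -ne 'PoweredOff') {
            $status = 'Skipped: power off the VM first'
        } elseif ($setting -and $setting.Value -eq 'false') {
            $status = 'Already disabled'
        } elseif ($setting) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value 'false' -Confirm:$false | Out-Null
            $status = 'Disabled'
        } else {
            New-AdvancedSetting -Entity $VM -Name 'devices.hotplug' -Value 'false' -Confirm:$false | Out-Null
            $status = 'Disabled'
        }
        # One row per VM so the run doubles as an audit of which masters still allow NIC hotplug.
        [pscustomobject]@{ VM = $VM.Name; PowerState = $VM.PowerState; Before = $before; Status = $status }
    }
}

Get-VM -Location (Get-Folder -Name 'VDA Masters') | Disable-VMDeviceHotplug | Format-Table -AutoSize
```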

Windows Preparation

  1. Computer Group Policy – Make sure the Master VM is in the same OU as the Linked Clones so that the Master VM will get the computer-level GPO settings in its registry. Run gpupdate on the master after moving the VM to the correct OU. When Clones are created from the Master, the computer-level GPO settings will already be applied, thus eliminating timing issues.
  2. If Server OS, disable IE Enhanced Security Configuration in Server Manager > Local Server.
  3. Run Windows Update. Do not skip this step. Many VDA installation problems are fixed by simply updating Windows.

  4. Defer Feature Updates – For Windows 10, since Citrix VDA does not immediately support new Windows 10 versions, configure Windows Update to defer feature updates. In Windows 11, or in newer versions of Windows 10, defer updates can only be configured using group policy.
  5. Add your Citrix Administrators group to the local Administrators group on the VDA, using Computer Management.
  6. The Remote Desktop Services “Prompt for Password” policy prevents Single Sign-on to the Virtual Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO setting will prevent Single Sign-on from working.
    Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security | Always prompt for password upon connection
    Or set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Portica\AutoLogon (DWORD) = 0x1. This registry value only applies to Single-session OS (aka Desktop OS), not Multi-session OS (aka Server OS). (source = comments)
  7. For Remote Assistance in Citrix Director, configure the GPO setting Computer Configuration | Policies | Administrative Templates | System | Remote Assistance | Offer Remote Assistance. See Jason Samuel – How to setup Citrix Director Shadowing with Remote Assistance using Group Policy for more details.
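A check for the Single Sign-on blocker in step 6, as an added PowerShell example that is not from the original page. It reads fPromptForPassword and the Portica AutoLogon value on the local VDA, works out whether the OS is Single-session or Multi-session, and optionally applies the Portica workaround only where the page says it applies.

```powershell
# Added example, not from the original page. Run locally on a VDA or master image.
function Test-VdaSingleSignOn {
    param([switch]$SetPorticaAutoLogon)   # optionally apply the Single-session OS workaround

    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $portica  = 'HKLM:\SOFTWARE\Citrix\Portica'

    # ProductType 1 = workstation (Single-session OS); 2 or 3 = server (Multi-session OS).
    $isSingleSession = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 1

    # Missing values come back as $null, which is fine: only an explicit 1 is a problem.
    $prompt = (Get-ItemProperty -Path $tsPolicy -Name fPromptForPassword -ErrorAction SilentlyContinue).fPromptForPassword
    $auto   = (Get-ItemProperty -Path $portica  -Name AutoLogon -ErrorAction SilentlyContinue).AutoLogon

    if ($SetPorticaAutoLogon -and $isSingleSession -and $prompt -eq 1 -and $auto -ne 1) {
        if (-not (Test-Path $portica)) { New-Item -Path $portica -Force | Out-Null }
        New-ItemProperty -Path $portica -Name AutoLogon -PropertyType DWord -Value 1 -Force | Out-Null
        $auto = 1
    }

    # The policy blocks SSO unless the Portica override is in place, and that override only
    # counts on Single-session OS (per the page's note).
    $ssoBlocked = ($prompt -eq 1) -and -not ($isSingleSession -and $auto -eq 1)
    if (-not $ssoBlocked) {
        $advice = 'OK'
    } elseif ($isSingleSession) {
        $advice = 'Fix the GPO "Always prompt for password upon connection", or set Portica AutoLogon=1'
    } else {
        $advice = 'Fix the GPO "Always prompt for password upon connection" (Portica AutoLogon does not apply to Multi-session OS)'
    }

    [pscustomobject]@{
        SingleSessionOS     = $isSingleSession
        fPromptForPassword  = $prompt
        PorticaAutoLogon    = $auto
        SingleSignOnBlocked = $ssoBlocked
        Advice              = $advice
    }
}

Test-VdaSingleSignOn | Format-List
```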

Install Virtual Delivery Agent (VDA) 2402 LTSR CU2

Mixed versions – You can upgrade the VDAs before you upgrade the Delivery Controllers resulting in VDAs being newer than the Delivery Controllers. You can upgrade the Delivery Controllers before you upgrade the VDAs. In other words, you can mix and match VDA versions and Delivery Controller versions.

CLI Install:

Command Line Install Options are detailed at Install using the command line at Citrix Docs.

Scripted Upgrade:

To automate the upgrade of VDA software on persistent machines, see Updated VDA Install / Upgrade / RDS Install / Desktop / Server / App Install Script by Kris Davis.

GUI Install:

  1. Mount the downloaded Citrix Virtual Apps and Desktops 7 2402 LTSR CU2 ISO and run AutoSelect.exe.

    • Alternatively, you can download the standalone VDA package and run that instead. Go to the main Citrix Virtual Apps and Desktops 7 2402 CU2 download page and expand the section labelled Components that are in the ISO but also available separately. There is also a VDA installer called Single-session OS Core Services that is designed for Remote PC deployments.
  2. Click Start next to either Virtual Apps or Virtual Apps and Desktops. The only difference is the product name displayed in the installation wizard.
  3. On the top right, click Virtual Delivery Agent for Windows Multi-session OS (aka RDSH, aka Server OS), or Windows Single-session OS (aka virtual desktop, aka Desktop OS), depending on which type of VDA you are building.

  4. In the Environment page, select Create a master MCS Image or Create master image to be used for Citrix Provisioning (PVS) streaming, and click Next.

  5. In the Core Components page, if you don’t need Citrix Workspace App installed on your VDA, then leave the box unchecked. Workspace app is usually only needed for double-hop ICA connections (connect to first VDA, and then from there, connect to second VDA). Click Next.
  6. In the Additional Components page:
    1. Workspace Environment Management agent is no longer an option on this screen and is instead a separate box on the main splash screen.
    2. Single-session OS (not Multi-session OS) has an option for Citrix User Personalization Layer (UPL). This component comes from Citrix App Layering but does not need any of the App Layering infrastructure.

      • Do not enable User Personalization Layer if you are also using Citrix App Layering.
      • Warning: A Citrix Policy setting activates Citrix User Personalization Layer by setting the UNC path to where the User Personalization Layers should be stored. The Citrix Policy setting should only be deployed to non-persistent machines. If you deploy the Citrix Policy Setting to your Master Image, then your Master Image will be hosed, and you must rebuild it from scratch.
    3. There’s an option for Machine Creation Services (MCS) storage optimization. This is also known as MCS I/O. In VDA 1912 and newer, the MCSIO driver is now the exact same driver as the driver used in Citrix Provisioning. MCS I/O in older VDAs has performance problems.
    4. The new Images node (Image Management) in Web Studio requires MCSIO to be installed.
    5. VDA 2109 and newer have an option for VDA Upgrade Agent for Citrix Cloud deployments.
    6. There’s an option for Citrix Backup and Restore Service that creates a restore point before installation or upgrade.
  7. Click Next.
  8. In the Delivery Controller page, select Do it manually. Enter the FQDN of each Delivery Controller (at least two). Click Test connection. And then make sure you click Add. Click Next when done.

    • VDA registration normally occurs over port 80. VDA 2402 LTSR CU2 supports VDA registration over SSL 443 (WebSockets). This requires trusted SSL certificates on the Delivery Controllers and registry values on the Delivery Controllers and the VDAs. See WebSocket communication between VDA and Delivery Controller at Citrix Docs.
  9. In the Features page, if you want to use the features, then check the boxes. Remote Assistance is for Director. The Cloud checkbox is only for telemetry and does not affect installation. Then click Next.
  10. In the Firewall page, VDA 2112 and newer have ports 52525 – 52625 for Screen Sharing. Port TCP/UDP 443 is for HDX Direct. Click Next.
  11. In the Summary page, click Install.

  12. Click Close if you are prompted to restart.
  13. After the machine reboots twice, log in, and installation should continue.
    1. If you see a Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window, don’t click anything.
    2. Go to the Citrix_Virtual_Apps_and_Desktops_7_2402_LTSR_CU2_2100.iso file and mount it.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window.
    4. On the left, expand This PC, and click the DVD Drive.
    5. Click Select Folder.
    6. Repeat these instructions every time you’re prompted to restart.
  14. Installation will continue automatically.
  15. Note: NT SERVICE\CitrixTelemetryService needs the Log on as a service user right.
  16. In the Diagnostics page, you can optionally check the box next to Collect diagnostic information, click Connect, enter your Citrix account credentials, and then click Next.
  17. In the Finish page, click Finish to restart the machine again.

Microsoft FSLogix

If you need to roam the user’s Outlook .OST file (Outlook Cached Mode), Outlook Search Index, OneDrive cache, OneNote data, SharePoint data, Skype data, and/or Teams data, then download, install, and configure Microsoft FSLogix. A common architecture is to enable FSLogix Office Container for the Office cache files and use Citrix Profile Management for all other roaming profile files and registry keys.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

Microsoft Teams 2.1 requires FSLogix 2210 Hotfix 3.

Do the following to install Microsoft FSLogix on the VDA machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. Make sure the Windows Search service is set to Automatic and Running.
  7. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.

Citrix Desktop Service

To prevent Citrix Desktop Service (BrokerAgent) from starting and registering with the Delivery Controllers before the boot process is complete, see Jeremy Saunders Controlling the Starting of the Citrix Desktop Service (BrokerAgent).

Customer Experience Improvement Program (CEIP)

Customer Experience Improvement Program (CEIP) is enabled by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD), and set it to 0 (zero). Also see CEIP at Citrix Insight Services at Citrix Docs.

See https://docs.jeffriechers.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.

Connection Quality Indicator

The Connection Quality Indicator tells the user the quality of the connection. Position of the indicator is configurable by the user. Thresholds are configurable through group policy.

Download it from CTX220774 Connection Quality Indicator and install it. The article is very detailed.

Group Policy templates are located at C:\Program Files (x86)\Citrix\Connection Quality Indicator\Configuration. Copy the files and folder to <Sysvol>\Policies\PolicyDefinitions, or C:\Windows\PolicyDefinitions.

Find the Group Policy settings under Computer Config | Policies | Administrative Templates | Citrix Components | Virtual Desktop Agent | CQI

Version 1.2 adds the GPO settings to the user half of a GPO, which lets you disable CQI for some users and enable it for others.

Notification display settings lets you customize the user notifications or disable them.

Connection Threshold Settings lets you set the notification thresholds.

Adaptive Transport

Adaptive Transport is an HDX/ICA protocol feature that tries to use UDP ports (EDT protocol) if they are open and falls back to TCP ICA if UDP connection is not successful. On higher latency connections, EDT (UDP) tends to perform better than traditional TCP ICA.

The Citrix Policy setting HDX Adaptive Transport defaults to Preferred, which means Adaptive Transport is enabled by default.

The newer Citrix EDT protocol uses UDP ports 1494/2598 for HDX connections to the VDA. These UDP ports should already be open in the VDA’s Windows Firewall. In other words, HDX/ICA uses both TCP and UDP ports.

For EDT (and Adaptive Transport) through Citrix Gateway, make sure your Citrix ADC firmware is up to date, preferably 12.1 or newer. Then make sure DTLS is enabled on the Gateway Virtual Server. DTLS is the UDP version of SSL/TLS.

See Citrix Blog Post What’s new with HDX in the 2402 LTSR for new EDT features in 2402.

Slow Logons

Marvin Neys at XenApp slow logon times, user get black screen for 20 seconds at Citrix Discussions says that deleting HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC at logoff reduces logon times from 40 seconds to 6 seconds.

Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\UFH\SHC

For additional logon delay troubleshooting, see Alexander Ollischer XenApp/XenDesktop – “Please Wait For Local Session Manager” message when logging into RDS. He found some Windows Updates that caused a logon delay.

VDA recalculates WMI filters on every reconnect. CTX212610 Session Reconnect 30 sec Delay – DisableGPCalculation – WMI Filters indicates that recalculation can be disabled by setting HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Reconnect\DisableGPCalculation (DWORD) to 1. Note: this registry value might stop Citrix Policies from being re-evaluated when users reconnect (source = Citrix Discussions).

Verify that the VDA registered with a Delivery Controller

  1. Restart the Virtual Delivery Agent machine, or restart the Citrix Desktop Service.
  2. In Event Viewer > Windows Logs > Application log, you should see an event 1012 from Citrix Desktop Service saying that it successfully registered with a delivery controller.
  3. If you don’t see successful registration, then you’ll need to fix the ListOfDDCs registry key.
    1. See VDA registration with Controllers at Citrix Docs.
    2. See The Most Common VDA Registration Issues & Troubleshooting Steps at Citrix Blogs.
  4. You can also run Citrix’s Health Assistant on the VDA.
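Added example (not from the original article): a PowerShell script that performs the checks above from the VDA itself, so the result can be collected from many machines instead of opening Event Viewer on each one. It assumes ListOfDDCs lives under HKLM\SOFTWARE\Citrix\VirtualDesktopAgent (the text names the value but not its location), that the Citrix Desktop Service's service name is BrokerAgent (as the Citrix Desktop Service section above states), and that registration uses port 80 unless you pass the WebSocket port.

```powershell
# Added example: verify that this VDA registered with a Delivery Controller.
function Test-VdaRegistration {
    [CmdletBinding()]
    param(
        # 80 is the default registration port; pass 443 when WebSocket/TLS registration is configured.
        [int]$RegistrationPort = 80
    )

    # 1. The Citrix Desktop Service (service name BrokerAgent) must be running.
    $svc = Get-Service -Name BrokerAgent -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { [string]$svc.Status } else { 'Not installed' }

    # 2. ListOfDDCs names the controllers the VDA registers with.
    #    Assumed location: HKLM\SOFTWARE\Citrix\VirtualDesktopAgent (default VDA install).
    $ddcValue = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent' `
                                  -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
    $ddcs = @()
    if ($ddcValue) { $ddcs = @($ddcValue -split '[\s,]+' | Where-Object { $_ }) }

    # 3. Each listed controller should answer on the registration port.
    $reachability = foreach ($ddc in $ddcs) {
        $ok = (Test-NetConnection -ComputerName $ddc -Port $RegistrationPort -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Controller = $ddc; Port = $RegistrationPort; Reachable = $ok }
    }

    # 4. Event 1012 from "Citrix Desktop Service" in the Application log records a successful registration.
    $lastReg = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Citrix Desktop Service'; Id = 1012 } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        BrokerAgentService      = $serviceState
        ListOfDDCs              = $ddcs
        Reachability            = $reachability
        LastRegistration        = if ($lastReg) { $lastReg.TimeCreated } else { $null }
        LastRegistrationMessage = if ($lastReg) { $lastReg.Message } else { 'No event 1012 found; check ListOfDDCs and controller reachability' }
        Registered              = ([bool]$lastReg -and $serviceState -eq 'Running')
    }
}

# Usage: run on the VDA after a restart of the machine or of the Citrix Desktop Service.
Test-VdaRegistration | Format-List
```

An unreachable controller in the Reachability list narrows the problem to the network or firewall before you start editing ListOfDDCs; an empty ListOfDDCs points at the Delivery Controller page of the installer.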

Citrix Workspace app

If you want to run Workspace app on the VDA machine, then upgrade it to Workspace app 2402 LTSR CU3.

Download and install Workspace app:

  1. Download Citrix Workspace app 2402 LTSR CU3.
  2. On the VDA, as administrator, run the downloaded CitrixWorkspaceFullInstaller.exe.
  3. Wait for prerequisites to install.
  4. In the Welcome to Citrix Workspace app page, click Continue.
  5. In the CITRIX LICENSE AGREEMENT page, check the box next to I agree and click Continue.
  6. In the Add-on(s) page, check the box next to Enable single sign-on. The Teams VDI Plugin is usually only needed on the endpoint device, not on the VDA. Click Install.

Citrix File Access 2.0.4 for Workspace app for Chrome OS

  1. If you support Workspace app for Chrome OS (Chromebook) and want published applications to open files on Google Drive, install Citrix File Access on the VDAs. Download it from Citrix File Access for Chrome.
  2. Go to the extracted Citrix_File_Access_2.0.4 and run FileAccess.msi.
  3. In the Please read the File Access License Agreement page, check the box next to I accept the terms, and click Install.
  4. In the Completed the File Access Setup Wizard page, click Finish.
  5. File Access is listed in Apps & Features or Programs and Features as version 2.0.4.34.

  6. File Access has a default list of supported file extensions. The list can be expanded by editing the registry on the VDA. See CTX219983 Receiver for Chrome Error: Invalid command line arguments: Unable to open the file as it has an unsupported extension.
  7. To open a file from Google Drive, right-click the file and open the file using Citrix Workspace app.

Remote Desktop Licensing Configuration

On Windows 2016 and newer RDSH, the only way to configure Remote Desktop Licensing is using group policy (local or domain). This procedure is not needed on virtual desktops.

  1. For local group policy, run gpedit.msc. Alternatively, you can configure this in a domain GPO.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the RDS Licensing Servers (typically installed on Delivery Controllers). Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
  5. Optionally, you can install the Remote Desktop Licensing Diagnoser Tool. In the Server Manager > Add Roles and Features Wizard, on the Features page, expand Remote Server Administration Tools, expand Role Administration Tools, expand Remote Desktop Services Tools, and select Remote Desktop Licensing Diagnoser Tool. Then Finish the wizard.
  6. If it won’t install from Server Manager, you can install it from PowerShell by running Install-WindowsFeature rsat-rds-licensing-diagnosis-ui.
  7. In Server Manager, open the Tools menu, expand Remote Desktop Services (or Terminal Services), and click Remote Desktop Licensing Diagnoser.

  8. The Diagnoser should find the license server and indicate the licensing mode. If you’re configured for Per User licenses, then it’s OK if there are no licenses installed on the Remote Desktop License Server.

Several people in Citrix Discussions reported the following issue: if you see a message that the RD Licensing Grace Period has expired even though RD Licensing is properly configured, see Eric Verdumen No remote Desktop Licence Server availible on RD Session Host server 2012. The solution was to delete the REG_BINARY value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod, leaving only the (Default) value. You must take ownership of the key and give administrators full control before you can delete this value.

C: Drive Permissions

This section is more important for multi-session VDAs.

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:.
  2. On the Security tab, click Advanced.
  3. If UAC is enabled, click Change permissions.
  4. Highlight the line containing Users and Create Folders and click Remove.
  5. Highlight the line containing Users and Create files (or Special) and click Remove. Click OK.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue. This window should appear multiple times.
  8. Click OK to close the C: drive properties.
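Added example (not from the article): the same ACL change done with PowerShell, which is easier to audit and to repeat on every image than the Properties dialog. It goes one step beyond the text by also matching NT AUTHORITY\Authenticated Users, because Windows Server 2016 and newer place the create-folder ACE on that identity rather than on Users. The current ACL is read back first, and -WhatIf shows what would be removed without writing anything.

```powershell
# Added example: find and remove the root-of-C: ACEs that let ordinary users create files and folders.
function Get-RootCreateAces {
    param([string]$Drive = 'C:\')
    $createRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                    [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    # Older Windows grants these to Users; Windows Server 2016 and newer grant them to Authenticated Users.
    $identities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -Path $Drive
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        $identities -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $createRights) -ne 0 -and
        # Keep the Read & execute ACE and the inherit-only Modify ACE for sub-items; only the
        # "Create folders" / "Create files (Special)" ACEs are targeted, as in the GUI steps above.
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadAndExecute) -eq 0
    }
}

function Remove-RootCreateAces {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Drive = 'C:\')
    $targets = @(Get-RootCreateAces -Drive $Drive)
    if ($targets.Count -eq 0) {
        Write-Host "No create-file/create-folder ACEs for users found on $Drive"
        return
    }
    $acl = Get-Acl -Path $Drive
    foreach ($ace in $targets) {
        if ($PSCmdlet.ShouldProcess($Drive, "Remove '$($ace.IdentityReference)' $($ace.FileSystemRights)")) {
            # RemoveAccessRuleSpecific removes exactly this ACE and leaves the identity's other ACEs alone.
            [void]$acl.RemoveAccessRuleSpecific($ace)
        }
    }
    if ($PSCmdlet.ShouldProcess($Drive, 'Write updated ACL')) {
        # As with the GUI, propagating the change to child objects can raise access errors on some
        # system folders; the root ACL itself is still written.
        Set-Acl -Path $Drive -AclObject $acl
    }
}

# Usage (elevated): review, preview, then apply.
Get-RootCreateAces | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Remove-RootCreateAces -WhatIf
# Remove-RootCreateAces
```

Run Get-RootCreateAces again after the change; an empty result is the state the GUI steps above leave behind.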

Pagefile

If this image will be converted to a Citrix Provisioning vDisk, then you must ensure the pagefile is smaller than the cache disk. For example, if you allocate 20 GB of RAM to your VDA, and if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB, and Citrix Provisioning will be unable to move it to the cache disk. This causes Citrix Provisioning to cache to server instead of caching to your local cache disk (or RAM).

  1. Open System.
    1. The quickest method of opening advanced system parameters is to run sysdm.cpl.
    2. In Windows Server 2016 and newer, you can right-click the Start button, and click System.
    3. In Windows 10 1703 or newer (or Windows Server 2019 or newer), search the Start Menu for advanced system settings.
    4. Another option is to open File Explorer, right-click This PC, and click Properties. This works in Windows 10 1703 and newer.
  2. Click Advanced system settings.

  3. On the Advanced tab, click the top Settings button.
  4. On the Advanced tab, click Change.
  5. Uncheck the box next to Automatically manage paging file size for all drives. Then either turn off the pagefile, or set the pagefile to be smaller than the cache disk. Don’t leave it set to System managed size. Click OK several times.
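Added example, not the article's own: a PowerShell check that compares the effective pagefile size with the write-cache disk size described above, plus a function that applies step 5 (a fixed pagefile on C:). The -CacheDiskGB value is a constructed input; supply your own, and reboot for the change to take effect.

```powershell
# Added example: make sure the pagefile will fit on the Citrix Provisioning cache disk.
function Test-PagefileFitsCacheDisk {
    param(
        # Size of the write-cache disk in GB (constructed sample value in the usage line below).
        [Parameter(Mandatory)][int]$CacheDiskGB
    )
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    $settings = Get-CimInstance -ClassName Win32_PageFileSetting -ErrorAction SilentlyContinue

    if ($cs.AutomaticManagedPagefile) {
        # "System managed size": Windows sizes the file from RAM, so treat RAM as the effective size.
        $effectiveGB = $ramGB
        $mode = 'System managed'
    } elseif (-not $settings) {
        $effectiveGB = 0
        $mode = 'Disabled'
    } else {
        # MaximumSize is in MB.
        $effectiveGB = [math]::Round((($settings | Measure-Object -Property MaximumSize -Sum).Sum) / 1024, 1)
        $mode = 'Custom'
    }

    [pscustomobject]@{
        RAMGB         = $ramGB
        PagefileMode  = $mode
        PagefileMaxGB = $effectiveGB
        CacheDiskGB   = $CacheDiskGB
        Fits          = ($effectiveGB -lt $CacheDiskGB)
    }
}

function Set-FixedPagefile {
    # Turn off "Automatically manage paging file size" and pin a fixed size (MB) on one drive.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$SizeMB, [string]$Drive = 'C:')
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile -and $PSCmdlet.ShouldProcess('Win32_ComputerSystem', 'Disable automatic pagefile management')) {
        Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
    }
    $path = "$Drive\pagefile.sys"
    $existing = Get-CimInstance -ClassName Win32_PageFileSetting | Where-Object { $_.Name -eq $path }
    if ($PSCmdlet.ShouldProcess($path, "Set initial and maximum size to $SizeMB MB")) {
        if ($existing) {
            Set-CimInstance -InputObject $existing -Property @{ InitialSize = $SizeMB; MaximumSize = $SizeMB }
        } else {
            New-CimInstance -ClassName Win32_PageFileSetting -Property @{ Name = $path; InitialSize = $SizeMB; MaximumSize = $SizeMB } | Out-Null
        }
    }
}

# Usage (elevated): check against a 15 GB cache disk (constructed value), then pin a 4 GB pagefile.
Test-PagefileFitsCacheDisk -CacheDiskGB 15
Set-FixedPagefile -SizeMB 4096 -WhatIf
```

If Fits is $false, either shrink the pagefile with Set-FixedPagefile or enlarge the cache disk; otherwise Citrix Provisioning will fall back to caching on the server, as the paragraph above explains.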

Direct Access Users

When Citrix Virtual Delivery Agent (VDA) is installed on a machine, non-administrators can no longer RDP to the machine. A new local group called Direct Access Users is created on each Virtual Delivery Agent. Add your non-administrator RDP users to this local group so they can RDP directly to the machine.



From CTX228128 What is the HKLM\Software\Citrix\PortICA\DirectAccessUsers registry function: The HKLM\Software\Citrix\PortICA\DirectAccessUsers registry key determines which Local group the VDA references to determine if a user should be allowed Unbrokered RDP access. Members of the Local Administrators group will always be granted access. If the Registry Key does not exist, or gets deleted, VDA will always allow the Unbrokered RDP Connection. The Registry key and local group are created as part of the VDA installation process.
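Added example (not from the original article or from CTX228128): a PowerShell audit of the DirectAccessUsers setting and of the group it points to, plus a helper that adds a support group the way the paragraph above describes. It assumes DirectAccessUsers is a string value under HKLM\SOFTWARE\Citrix\PortICA whose data is the local group name (a default install writes Direct Access Users); the principal in the usage line is a constructed placeholder.

```powershell
# Added example: audit unbrokered RDP access on a VDA.
function Get-VdaDirectAccessState {
    $keyPath = 'HKLM:\SOFTWARE\Citrix\PortICA'
    # Assumption: the value's data is the name of the local group the VDA consults.
    $groupName = (Get-ItemProperty -Path $keyPath -Name DirectAccessUsers -ErrorAction SilentlyContinue).DirectAccessUsers

    if (-not $groupName) {
        # CTX228128: with the value missing, the VDA allows unbrokered RDP for every authenticated user.
        return [pscustomobject]@{
            DirectAccessUsersValue = '<missing>'
            Members                = @()
            Finding                = 'Value missing: unbrokered RDP is open to all users. Recreate it (default group name: Direct Access Users).'
        }
    }

    $members = @(Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
    $broad   = $members | Where-Object { $_ -match '(Everyone|Authenticated Users|Domain Users)$' }
    [pscustomobject]@{
        DirectAccessUsersValue = $groupName
        Members                = $members
        Finding                = if ($broad) { "Broad principal(s) grant unbrokered RDP to all users: $($broad -join ', ')" } else { 'OK' }
    }
}

function Grant-VdaDirectAccess {
    # Add one principal to the group named by DirectAccessUsers, if it is not already a member.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Principal)
    $groupName = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\PortICA' -Name DirectAccessUsers).DirectAccessUsers
    $current = @(Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
    if ($current -contains $Principal) { return }
    if ($PSCmdlet.ShouldProcess($groupName, "Add $Principal")) {
        Add-LocalGroupMember -Group $groupName -Member $Principal
    }
}

# Usage (elevated on the VDA). 'CONTOSO\Citrix Support' is a constructed placeholder.
Grant-VdaDirectAccess -Principal 'CONTOSO\Citrix Support' -WhatIf
Get-VdaDirectAccessState | Format-List
```

Local Administrators always get through regardless of this group, so the audit is only about non-administrators; the Finding field flags the two failure modes that matter, a missing value and an overly broad member.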

Registry

Links:

  • Citrix Docs has a list of HDX features managed through the registry. Example settings:
    • Devices – Bloomberg keyboard, execute from client drive, Windows Image Acquisition application allow list
    • General – HDX Reducer V4, EDT connection timeout, Rendezvous version (default V2), two-minute warning for idle or active sessions, audio loss tolerant mode
    • Content Redirection
    • Graphics – GPU acceleration of CUDA and OpenCL, Windows Presentation Foundation (WPF) rendering on GPU
    • Multimedia – High-definition webcam streaming
  • Citrix Blog Post What’s new with HDX in the 2402 LTSR

New Teams (version 2.1 or newer) no longer needs the msedgewebview2.exe registry entry as it is now whitelisted by default in VDA 2402 and newer.

ShellBridge for Published Apps

ShellBridge is a new Windows feature that fixes the following published app issues:

ShellBridge is enabled by default. If enabled, when users launch published apps, Windows will load background programs, like system tray icons, from the Run registry key. These extra processes might prevent sessions from closing after a user closes the published app. More info at CTX573346 Sessions not logging out after enabling Shellbridge.

You can disable ShellBridge by setting the following registry value. Disabling ShellBridge might prevent Office apps from signing in correctly.

  • Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Virtual Desktop Agent
    • Value (DWORD) = ShellBridge = 0

Black Screen when launch Published Apps on Windows Server 2016

From CTX225819 When Launching an Application Published from Windows Server 2016, a Black Screen Appears for Several Seconds Before Application is Visible: Citrix and Microsoft have worked together to deliver code fixes for both Windows Server 2016 and Citrix Virtual Apps. Microsoft is targeting their KB4034661 patch for the third week of August 2017. This fix requires a registry edit to enable.

  • Key = HKLM\SOFTWARE\Citrix\Citrix Virtual Desktop Agent
    • Value (DWORD) = DisableLogonUISuppression = 0

Faster Login

From CTP James Rankin The ultimate guide to Windows logon time optimizations, part #6: DelayedDesktopSwitchTimeout tells the logon process to wait for a shorter time before switching from session 0 to the actual session in use.

  • Key = HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • Value (DWORD) = DelayedDesktopSwitchTimeout  = 1

Published App Launch Timeout

From CTX128009 Published Application Fails to Appear: By default, VDA only waits 60 seconds for a published app to start. This is frequently too short.

  • Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
    • Value (DWORD) = ApplicationLaunchWaitTimeoutMS = 180000 (time-out, in milliseconds)

Screen Saver

From Citrix CTX205214 Screensaver Not Working in XenDesktop: By default, Screen Saver doesn’t work on Desktop OS. To enable it, on the VDA, configure the following registry value:

  • Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Graphics
    • Value (DWORD) = SetDisplayRequiredMode = 0

You might also have to enable the Citrix Policy setting named Allow windows screen lock. This setting was added in VDA 2402.

Logon Disclaimer Window Size

From CTX231945 How to Modify LogonUI to view Windows Disclaimer Message in Full Size when Launching Published Applications: If your logon disclaimer window has scroll bars, set the following registry values:

  • Key = HKEY_LOCAL_MACHINE\Software\Wow6432node\Citrix\CtxHook\AppInit_DLLS\Multiple Monitor Hook
    • Value (DWORD) = LogonUIWidth = 800
    • Value (DWORD) = LogonUIHeight = 600

Login Timeout

From Citrix CTX203760 VDI Session Launches Then Disappears: VDA, by default, only allows 180 seconds to complete a logon operation. The timeout can be increased by setting the following:

  • Key = HKLM\SOFTWARE\Citrix\PortICA
    • Value (DWORD) = AutoLogonTimeout = decimal 240 or higher (up to 3599).
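Added example (not from the article) that applies and verifies, from one table, the DWORD values documented in the Registry section above together with the CEIP value from the Customer Experience Improvement Program section. Each change records the previous data to a CSV before writing (the backup path is an assumption), and both functions support -WhatIf. ShellBridge and DisableGPCalculation are deliberately left out of the table because the text attaches caveats to them; add them only after weighing those caveats.

```powershell
# Added example: declare the documented VDA registry values once, then apply or verify them.
$VdaRegistrySettings = @(
    @{ Path = 'HKLM:\SOFTWARE\Citrix\Telemetry\CEIP';                            Name = 'Enabled';                        Data = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DelayedDesktopSwitchTimeout';    Data = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI';       Name = 'ApplicationLaunchWaitTimeoutMS'; Data = 180000 }
    @{ Path = 'HKLM:\SOFTWARE\Citrix\PortICA';                                   Name = 'AutoLogonTimeout';               Data = 240 }
    # Desktop OS only (Screen Saver section); drop this row on multi-session VDAs.
    @{ Path = 'HKLM:\SOFTWARE\Citrix\Graphics';                                  Name = 'SetDisplayRequiredMode';         Data = 0 }
)

function Set-VdaRegistryValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Data,
        # Assumed backup location; previous data is appended here so a change can be reversed.
        [string]$BackupFile = "$env:ProgramData\VdaRegistryBackup.csv"
    )
    if (-not (Test-Path -Path $Path) -and $PSCmdlet.ShouldProcess($Path, 'Create key')) {
        New-Item -Path $Path -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Data) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Data = $Data; Applied = $false; Reason = 'Already set' }
    }
    $was = if ($null -eq $current) { '<absent>' } else { $current }
    $applied = $false
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Data (was $was)")) {
        [pscustomobject]@{ Timestamp = (Get-Date -Format o); Path = $Path; Name = $Name; Previous = $was } |
            Export-Csv -Path $BackupFile -Append -NoTypeInformation
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Data -Force | Out-Null
        $applied = $true
    }
    [pscustomobject]@{ Path = $Path; Name = $Name; Data = $Data; Applied = $applied; Reason = "was $was" }
}

function Test-VdaRegistrySettings {
    # Report drift between the table and the live registry without changing anything.
    param([Parameter(Mandatory)][object[]]$Settings)
    foreach ($s in $Settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Path = $s.Path; Name = $s.Name; Expected = $s.Data; Actual = $actual
            Compliant = ($actual -eq $s.Data)
        }
    }
}

# Usage (elevated): preview, apply, then verify.
foreach ($s in $VdaRegistrySettings) { Set-VdaRegistryValue @s -WhatIf }
# foreach ($s in $VdaRegistrySettings) { Set-VdaRegistryValue @s }
Test-VdaRegistrySettings -Settings $VdaRegistrySettings | Format-Table -AutoSize
```

Test-VdaRegistrySettings is also a cheap drift check for a sealed image: run it on a fresh clone and any row with Compliant = False tells you a value was lost or overridden after the image was built.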

Workspace app for HTML5/Chrome Upload Folder

The Workspace app for HTML5 (or Chrome) lets users upload files.

By default, the user is prompted to select an upload location. If you use the Upload feature multiple times, the last selected folder is not remembered.

Citrix CTX217351 How to Customize File Upload and Download Using Receiver for HTML5 and Receiver for Chrome explains that you can specify a default upload location by editing HKLM\Software\Citrix\FileTransfer\UploadFolderLocation on the VDA. Environment variables are supported. When this value is configured, users are no longer prompted to select an upload location. The change takes effect at next logon.

Note: HTML5/Chrome Workspace app also adds a Save to My Device location to facilitate downloads.

Legacy Client Drive Mapping

Citrix CTX127968 How to Enable Legacy Client Drive Mapping Format on XenApp: Citrix Client Drive Mapping no longer uses drive letters and instead they appear as local disks. This is similar to RDP drive mapping.

The old drive letter method can be enabled by setting the registry value:

  • Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UncLinks (create the key)
    • Value (DWORD) = UNCEnabled = 0

When you reconnect, the client drives will be mapped as drive letters (starts with V: and goes backwards).

Print Driver for Mac/Linux Clients

Workspace app for Mac version 2112 and newer supports PDF printing instead of PostScript printing. With PDF, it’s no longer necessary to install the HP Color LaserJet 2800 Series PS driver on the VDA. The Citrix Policy setting Universal driver preference must be adjusted to give PDF printing higher priority than PS (PostScript) printing. See Citrix Docs for more details.

For Linux clients or older Mac clients, see CTX140208 Client printing from Mac and Linux clients on Windows 10, Server 2012 R2, and Server 2016. By default, non-Windows clients cannot map printers because the VDA machine is missing the required print driver.

  1. Download the HP Color LaserJet 2800 Series PS driver directly from Microsoft Catalog as detailed at CTX283355 Client Printing from Linux/MAC is not working on Windows Server 2016 and 2019. The Catalog is at https://www.catalog.update.microsoft.com/. Then search for hp color laserjet 2800. Pick the 6.1.7600.16385 driver version.
  2. Extract the .cab file using 7-zip or similar.
  3. In Windows 10 1803+, open Printers & scanners. On the right (or scroll down) is a link to Print Server Properties.

  4. In older versions of Windows, you can get to Print server properties from Devices and Printers.
    1. In Windows prior to Windows 10 1703, click Start, and run Devices and Printers.
    2. In Windows 10 1703, open Printers & scanners, then scroll down, and click Devices and printers.

  5. In the Printers section, highlight a local printer (e.g. Microsoft XPS Document Writer). Then in the toolbar, click Print server properties.
  6. Switch to the Drivers tab and click Change Driver Settings.
  7. Then click Add.
  8. In the Welcome to the Add Printer Driver Wizard page, click Next.
  9. In the Processor Selection page, click Next.
  10. In the Printer Driver Selection page, click Have Disk and browse to the .inf that you extracted from the .cab file.

  11. Select HP Color LaserJet 2800 Series PS and click Next.
  12. In the Completing the Add Printer Driver Wizard page, click Finish.

SSL for VDA

If you intend to use HTML5 Workspace app directly to VDAs, install certificates on the VDAs so that the browsers can connect WebSockets to the VDAs on TCP/SSL 443. Alternatively, HTML5 users can use Citrix Gateway ICA Proxy without installing any certs on the VDAs.

  • If you install SSL certificates on the VDAs, you can enforce encrypted SSL connections from normal Workspace apps to the VDAs instead of the default unencrypted (or RC5) ICA protocol.
  • HDX Direct is a preview feature that uses self-signed certs instead of CA-issued certs.

Notes:

  • Each Virtual Delivery Agent needs a machine certificate that matches the machine name. This is feasible for a small number of persistent VDAs. For non-persistent VDAs, you’ll need some automatic means for creating machine certificates every time they reboot.
  • As detailed in the following procedure, use PowerShell on the Delivery Controller to enable SSL for the Delivery Group. This forces SSL for every VDA in the Delivery Group, which means every VDA in the Delivery Group must have SSL certificates installed.

The following instructions for manually enabling SSL on VDA can be found at Configure TLS on a VDA using the PowerShell script at Citrix Docs.

  1. On the VDA machine, run certlm.msc.
  2. Right-click Personal, expand All Tasks, and click Request New Certificate to request a certificate from your internal Certificate Authority. You can use either the Computer template or the Web Server template.

    • You can also use group policy to enable Certificate Auto-Enrollment for the VDA computers.
  3. Browse to the Citrix Virtual Apps and Desktops ISO. In the Support\Tools\SslSupport folder, shift+right-click the Enable-VdaSSL.ps1 script, and click Copy as path.
  4. Run PowerShell as administrator (elevated).
  5. Run the command Set-ExecutionPolicy unrestricted. Enter Y to approve.
  6. In the PowerShell prompt, type in an ampersand (&), and a space.
  7. Right-click the PowerShell prompt to paste in the path copied earlier.
  8. At the end of the path, type in -Enable
  9. If there’s only one certificate on this machine, press Enter.
  10. If there are multiple viable certificates, then you’ll need to specify the thumbprint of the certificate you want to use. Open the Certificates snap-in, open the properties of the machine certificate you want to use, and copy the Thumbprint from the Details tab.

    In the PowerShell prompt, at the end of the command, enter -CertificateThumbPrint, add a space, and type quotes (").
    Right-click the PowerShell prompt to paste the thumbprint.
    Type quotes (") at the end of the thumbprint. Then remove all spaces from the thumbprint. The thumbprint needs to be wrapped in quotes.
  11. There are additional switches to specify minimum SSL Version and Cipher Suites.
  12. Press <Enter> to run the Enable-VdaSSL.ps1 script.
  13. Press <Y> twice to configure the ACLs and Firewall.
  14. You might have to reboot before the settings take effect.
  15. Login to a Delivery Controller and run PowerShell as Administrator (elevated).
  16. Run the command asnp Citrix.*
  17. Enter the command:
    Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true

    where <delivery-group-name> is the name of the Delivery Group containing the VDAs.

  18. You can run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' to verify that HDX SSL is enabled.
  19. Also run the following command to enable DNS resolution.
    Set-BrokerSite -DnsResolutionEnabled $true

  20. Since the UDP-based EDT protocol is enabled by default, open port UDP 443 to the VDAs.

You should now be able to connect to the VDA using the HTML5 Workspace app from internal machines.

The Citrix blog post How To Secure ICA Connections in XenApp and XenDesktop 7.6 using SSL has a method for automatically provisioning certificates for non-persistent virtual desktops by enabling certificate auto-enrollment and setting up a task that runs after the certificate has been enrolled.

  • From Russ Hargrove at A note on VDA certificates in 7.14 at Citrix Discussions: Citrix installs a new “Citrix XenApp/XenDesktop HDX Service” certificate in the Personal store which breaks the automation of the Enable-VdaSSL.ps1 script. To fix the problem, modify the task scheduler powershell script to:
    Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint (Get-ChildItem -path cert:\LocalMachine\My | Where-Object -FilterScript {$_.Subject -eq ""} | Select-Object -ExpandProperty Thumbprint) -Confirm:$False
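Added example (not from the article, from Citrix, or from the Citrix Discussions post): PowerShell that automates steps 9 and 10 of the procedure above and the task-scheduler note: pick the machine certificate by subject, skip the Citrix XenApp/XenDesktop HDX Service certificate, pass the thumbprint to Enable-VdaSSL.ps1, and afterwards confirm that TCP 443 completes a TLS handshake. Assumptions: the script was copied from the ISO's Support\Tools\SslSupport folder to $ScriptPath; the VDA's FQDN is the certificate's subject CN or is in its SAN list; and the -SSLMinVersion switch name is taken from Citrix's documentation of the script (step 11 mentions the switch without naming it), so confirm it against the copy on your ISO.

```powershell
# Added example: select the VDA's machine certificate and enable HDX TLS with it.
function Select-VdaTlsCertificate {
    # Newest valid certificate in LocalMachine\My with a private key that names this machine.
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $now = Get-Date
    $subjectPattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        # The VDA installs its own "Citrix XenApp/XenDesktop HDX Service" certificate; never pick that one.
        $_.Subject -notmatch 'HDX Service' -and
        ($_.Subject -match $subjectPattern -or @($_.DnsNameList.Unicode) -contains $Fqdn)
    } | Sort-Object -Property NotAfter -Descending
    if (-not $candidates) { throw "No valid machine certificate for $Fqdn in Cert:\LocalMachine\My" }
    $candidates | Select-Object -First 1
}

function Enable-VdaTls {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ScriptPath    = 'C:\Temp\SslSupport\Enable-VdaSSL.ps1',  # assumed copy of the ISO script
        [string]$MinTlsVersion = 'TLS_1.2'                                # value format per Citrix's script docs
    )
    if (-not (Test-Path -Path $ScriptPath)) { throw "Enable-VdaSSL.ps1 not found at $ScriptPath" }
    $cert = Select-VdaTlsCertificate
    # The Thumbprint property has no spaces, unlike the copy/paste route in step 10.
    $thumb = $cert.Thumbprint
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Enable VDA TLS with $($cert.Subject) ($thumb)")) {
        & $ScriptPath -Enable -CertificateThumbPrint $thumb -SSLMinVersion $MinTlsVersion -Confirm:$false
    }
    $cert
}

function Test-VdaTlsListener {
    # After the reboot, 443 should accept a TLS handshake that presents the machine certificate.
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName, [int]$Port = 443)
    $client = New-Object -TypeName System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        $stream = $client.GetStream()
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $stream, $false
        $ssl.AuthenticateAsClient($Fqdn)   # validates the chain against the machine's trusted roots
        [pscustomobject]@{ Host = $Fqdn; Port = $Port; Ok = $true; Protocol = $ssl.SslProtocol
                           Certificate = $ssl.RemoteCertificate.Subject; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $Fqdn; Port = $Port; Ok = $false; Protocol = $null
                           Certificate = $null; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

# Usage (elevated, on the VDA): preview, apply, reboot, then verify.
Enable-VdaTls -WhatIf
# Enable-VdaTls
# Test-VdaTlsListener
```

Because Select-VdaTlsCertificate filters on the subject rather than taking whatever is in the store, the same call works in the post-enrollment scheduled task for non-persistent desktops, which is exactly the case the Citrix Discussions note above is about.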

Anonymous Accounts

If you intend to publish apps anonymously then follow this section.

  1. Anonymous accounts are created locally on the VDAs. When VDA creates Anon accounts, it gives them an idle time as specified at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\AnonymousUserIdleTime. The default is 10 minutes. Adjust as desired.
  2. Pre-create the Anon accounts on the VDA by running "C:\Program Files\Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe". If you don’t run this tool, then anonymous users can’t login.
  3. You can see the local Anon accounts by opening Computer Management, expanding System Tools, expanding Local Users and Groups and clicking Users.
  4. If you want profiles for anonymous users to delete at logoff, then you’ll need to add the local Anon users to the local Guests group.
  5. If you open one of the accounts, on the Sessions tab, notice that idle timeout defaults to 10 minutes. Feel free to change it.

Group Policy for Anonymous Users

Since Anonymous users are local accounts on each Virtual Delivery Agent, domain-based GPOs will not apply. To work around this limitation, you’ll need to edit the local group policy on each Virtual Delivery Agent.

  1. On the Virtual Delivery Agent, run mmc.exe.
  2. Open the File menu, and click Add/Remove Snap-in.
  3. Highlight Group Policy Object Editor, and click Add to move it to the right.
  4. In the Welcome to the Group Policy Wizard page, click Browse.
  5. On the Users tab, select Non-Administrators.
  6. Click Finish.
  7. Now you can configure group policy to lock down sessions for anonymous users. Since this is a local group policy, you’ll need to repeat the group policy configuration on every Virtual Delivery Agent image. Also, Group Policy Preferences is not available in local group policy.

Antivirus

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g., exclude group policy files) – http://support.microsoft.com/kb/822158.

Every antivirus vendor has their own guidance for VDI. Search their knowledgebase for “non-persistent”, “VDI”, or “clones”.

Citrix’s Recommended Antivirus Exclusions

Citrix Tech Zone Endpoint Security and Antivirus Best Practices: provides guidelines for configuring antivirus software in Citrix Virtual Apps and Desktops environments.

Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:

  • Set real-time scanning to scan local drives only and not network drives
  • Disable scan on boot
  • Remove any unnecessary antivirus related entries from the Run key
  • Exclude the pagefile(s) from being scanned
  • Exclude Windows event logs from being scanned
  • Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including: StoreFront, VDA, Controller, and Citrix Provisioning. The Blog Post also has links to additional KB articles on antivirus.

Windows Defender Antivirus

Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment – Microsoft Docs

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Disable Network protection and configure Citrix’s antivirus exclusions (source = Citrix CTX319676 Users sessions are getting disconnected – Connection Interrupted)

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Optimize Performance

Citrix Optimizer

Download Citrix Optimizer and run it.

James Rankin Improving Windows 10 logon time:

David Wilkinson links:

Citrix Links:

Microsoft links:

Optimization Notes:

Applications

Choose installers that install to C:\Program Files instead of to %appdata% or %localappdata%. Search for VDI or Enterprise versions of the following applications. These VDI versions do not auto-update, so you’ll have to update them manually.

Seal and Shut Down

If this VDA will be a master image in a Machine Creation Services or Citrix Provisioning catalog, after the master is fully prepared (including applications), do the following:

  1. Go to the properties of the C: drive and run Disk Cleanup.
  2. If Disk Cleanup is missing, you can run cleanmgr.exe instead.
  3. Windows 10 1703 and newer have a new method for cleaning up temporary files.
    1. Right-click the Start button and click System.
    2. Click Storage on the left and click This PC (C:) on the right.
    3. Click Temporary Files.
    4. Check boxes and click Remove files.
  4. On the Tools tab of the local C: drive Properties, click Optimize to defrag the drive.
  5. If you use KMS licensing, run slmgr.vbs /dlv and make sure the machine is licensed by a KMS server and has at least one rearm remaining. It is not necessary to manually rearm licensing since MCS will do it automatically.
  6. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  7. Machine Creation Services and Citrix Provisioning require DHCP.
  8. Session hosts (RDSH) commonly have DHCP reservations.
  9. Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.
  10. Shut down the master image. You can now use Studio (Machine Creation Services) or Citrix Provisioning to create a catalog of linked clones.
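The licensing, DHCP and profile checks from the sealing steps above, written as an added PowerShell example (not the page's or Citrix's code): it reports the Windows licensing state and remaining rearm count that slmgr.vbs /dlv shows, flags any connected interface that is not on DHCP, lists the stale local profiles that Delprof2 would remove, and defragments C: only when every check passes. It assumes it runs elevated on the master image on Windows 10 or Windows Server 2016 or newer; the ApplicationID constant is the well-known product id of the Windows operating system, and the KMS client key is recognized by the "Volume:GVLK" channel name.

```powershell
# Added example (not from the original page): pre-seal checks for an MCS/PVS master image.
# Assumes: run elevated on the master image, Windows 10 / Server 2016 or newer.

function Get-WindowsLicenseState {
    # The Windows OS row in SoftwareLicensingProduct carries the Windows ApplicationID
    # and an installed (partial) product key; other rows are Office etc.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey } |
        Select-Object -First 1
    $service = Get-CimInstance -ClassName SoftwareLicensingService
    [pscustomobject]@{
        Name            = $product.Name
        Channel         = $product.ProductKeyChannel            # 'Volume:GVLK' = KMS client key
        LicenseStatus   = $product.LicenseStatus                # 1 = Licensed
        KmsHost         = $product.KeyManagementServiceMachine  # empty when found via DNS
        RearmsRemaining = $service.RemainingWindowsReArmCount
    }
}

function Get-DhcpDisabledInterfaces {
    # Loopback is always static; every other connected IPv4 interface should use DHCP
    # because MCS and Citrix Provisioning require it on the clones.
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and
                       $_.InterfaceAlias -notlike 'Loopback*' -and
                       $_.Dhcp -ne 'Enabled' }
}

function Get-StaleLocalProfiles {
    # Non-special, unloaded profiles are the ones Delprof2 removes.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded } |
        Select-Object -Property LocalPath, LastUseTime
}

function Test-ImageReadyToSeal {
    $problems = [System.Collections.Generic.List[string]]::new()

    $lic = Get-WindowsLicenseState
    if ($lic.LicenseStatus -ne 1)             { $problems.Add("Windows is not licensed (LicenseStatus=$($lic.LicenseStatus)).") }
    if ($lic.Channel -notlike 'Volume:GVLK*') { $problems.Add("Windows is not using a KMS client key (channel '$($lic.Channel)').") }
    if ($lic.RearmsRemaining -lt 1)           { $problems.Add('No rearm remaining; MCS cannot rearm the clones.') }

    foreach ($nic in Get-DhcpDisabledInterfaces) {
        $problems.Add("Interface '$($nic.InterfaceAlias)' is not using DHCP.")
    }
    foreach ($profile in Get-StaleLocalProfiles) {
        $problems.Add("Stale local profile '$($profile.LocalPath)' (last used $($profile.LastUseTime)); run Delprof2.")
    }

    [pscustomobject]@{
        License  = $lic
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-ImageReadyToSeal
$result.License | Format-List
if ($result.Ready) {
    Write-Host 'Image checks passed; defragmenting C: before shutdown.'
    Optimize-Volume -DriveLetter C -Defrag -Verbose
} else {
    $result.Problems | ForEach-Object { Write-Warning $_ }
}
```

Run it as the last thing before the shutdown in step 10; it deliberately does not rearm or delete profiles, it only tells you which manual step is still outstanding.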

Uninstall VDA

Uninstall the VDA from Apps & Features or Programs and Features.

Then see CTX209255 VDA Cleanup Utility.

To run the VDA Cleanup Tool silently:

  1. Execute VDACleanupUtility.exe /silent /noreboot to suppress reboot.
  2. Once the VDACleanupUtility has finished executing, set up Auto logon for the current user.
  3. Reboot.
  4. After the reboot, the tool will launch automatically to continue the cleanup.

Another option is to delete the CitrixVdaCleanup value under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce. Then, after the reboot, run VDACleanupUtility.exe /silent /reboot to indicate that it’s running after the reboot.

Related Pages

Delivery Controller 2402 LTSR CU2 and Licensing

Last Modified: Feb 8, 2025 @ 7:42 am


Upgrade

If you are performing a new install of Delivery Controller, then skip to the next section.

You can in-place upgrade directly from any Delivery Controller version 7.0 or newer. The operating system must be Windows Server 2016 or newer. And SQL must be SQL 2016 or newer.

During the upgrade of Delivery Controller, be aware that a database upgrade is required. Either get a DBA to grant you temporary sysadmin permission or use Citrix Site Manager to generate SQL scripts that a DBA must then run in SQL Studio.

  1. CVAD Versions you can upgrade from – XenApp/XenDesktop 7.15 with CU5 or newer, CVAD 1912 with any Cumulative Update, any supported Current Release version.
  2. Virtual Channel Allow List – the Citrix Policy setting named Virtual Channel Allow List is enabled by default in VDA 2203 and newer. Whitelist your non-Citrix (e.g., Zoom) virtual channels before upgrading your VDAs, or else your non-Citrix virtual channels will stop working.
  3. Lost Policy Settings after upgrade – Before upgrading, run the GPO Scanner Tool on a Delivery Controller to find invalid policy settings.
  4. NVIDIA – ensure your NVIDIA Virtual GPU software supports the version of CVAD that you are upgrading to.
  5. Consider Utilizing Local Host Cache for Nondisruptive Database Upgrades at Citrix Docs.
  6. License Server Upgrade – Before upgrading to Delivery Controller 2402 CU2, upgrade your Citrix License Server to 11.17.2.0 Build 51000.

    • Citrix now requires Licensing telemetry as described in CTX477614 Citrix License Telemetry FAQ. The build must be 40000 or newer and you must upgrade within 6 months of release.
    • You can run LicServVerify.exe from the Citrix Virtual Apps and Desktops (CVAD) ISO to verify that the License Server is compatible. Example syntax is: "E:\x64\XenDesktop Setup\LicServVerify.exe" -h myLicenseServer -p 27000 -v

  7. Current Release – Citrix Virtual Apps and Desktops (CVAD) 2402 CU2 is a Long Term Support Release (LTSR), which receives periodic (usually twice per year) Cumulative Updates with bug fixes, but no new features. See Lifecycle Milestones for Citrix Virtual Apps & Citrix Virtual Apps and Desktops. See CTX205549 FAQ: Citrix Virtual Apps and Desktops and Citrix Hypervisor Long Term Service Release (LTSR).
  8. Delivery Controller OS Compatibility – Delivery Controller 2402 CU2 is supported on Windows Server 2022, Windows Server 2019 and Windows Server 2016. Windows Server 2025 is not supported.
  9. SQL Compatibility – Delivery Controller 2402 CU2 does not support several older database engines, including the previously included SQL 2014 LocalDB database engine for the Local Host Cache.
    • SQL Server 2022 is supported with Delivery Controller 2308 and newer.
    • SQL Server 2014, SQL Server 2012, and SQL Server 2008 R2, are no longer supported for the site database.
    • SQL Server Express LocalDB version 2014 is no longer supported for the local host cache database. The Delivery Controller installer does not upgrade this component, so you’ll have to do it manually. See Replace SQL Server Express LocalDB at Citrix Docs.
  10. VDA OS Compatibility – Virtual Delivery Agent (VDA) 2402 CU2 is only supported on a limited number of Windows operating system versions, specifically, Windows 10 (1607+), Windows Server 2016, Windows Server 2019, and Windows Server 2022.
    • Windows Server 2025 is not supported.
    • For VDAs running Windows Server 2012 R2, leave their VDA at version 1912 LTSR (with latest Cumulative Update). VDA 1912 LTSR can communicate with Delivery Controllers 2402 CU2.
    • For VDA machines running Windows 7 or Windows Server 2008 R2, leave their VDA software at version 7.15 LTSR (with latest Cumulative Update). VDA 7.15 LTSR can communicate with Delivery Controllers 2402 CU2. Note that 7.15 is no longer supported by Citrix.
  11. Cloud VDAs support – Delivery Controller 2203 and newer support public cloud (native Azure, native AWS, native Google Cloud) hosting connections, but only if your Citrix licenses are Citrix Cloud licenses with Hybrid rights or Citrix Universal Licenses. Normal on-prem licenses won’t work. If you used cloud hosting connections in CVAD 1912, then you must upgrade your licenses before you upgrade to Delivery Controller 2402 CU2. See CTX270373 Citrix Virtual Apps and Desktops: Public cloud support with Current Releases and Long Term Service Releases.
  12. Snapshot. Take a snapshot of the Delivery Controller machine before attempting the upgrade. The Citrix installer requires a reboot before upgrading, so it’s probably best to shut down the machine before you snapshot it.
  13. Download the Citrix Virtual Apps and Desktops 7 2402 CU2 ISO.
  14. On an existing Delivery Controller, run AutoSelect.exe from the 2402 CU2 ISO.
  15. On the top left, in the Upgrade box, click Studio and Server Components.
  16. In the Licensing Agreement page, select I have read, understand, and accept the terms, and click Next.
  17. In the Ensure Successful Upgrade page, read the steps, check the box next to I’m ready to continue, and click Next.
  18. If you see the Unsupported Features and Platforms page, read the list, check the box next to I understand the risk of upgrading a deployment that has unsupported features or platforms, then click Next.
  19. If you see a Licensing Errors page, then you need to upgrade your License Server or install an updated license file.

  20. If you see a SQL Server version error, then you might need to upgrade your SQL Server, or move the Citrix databases to a supported SQL server.
  21. If you see a SQL Server Express LocalDB version error, then click the Learn More link to see instructions to upgrade it.
  22. If you see a window saying “We cannot determine which SQL version is currently installed”, click OK.
  23. In the Preliminary Site Tests page, click Start Preliminary Tests.
  24. The tests will take a few minutes. Click Next when done.
  25. In the Firewall page, click Next.
  26. In the Summary page, click Upgrade. Notice that StoreFront is not in this list. StoreFront is upgraded separately.
  27. Click OK when asked to start the upgrade.
  28. The machine will probably restart a couple times.

    1. After the reboot, and after logging in again, you might see a Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window. Don’t click anything yet.
    2. Go to the Citrix_Virtual_Apps_and_Desktops_7_2402_LTSR_CU2_2100.iso file and mount it.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window.
    4. On the left, expand This PC, and click the DVD Drive.
    5. Click Select Folder.
  29. If the upgrade fails:
    1. Look for MetaInstaller log files under %localappdata%\Temp\Citrix\XenDesktop Installer\MSI Log Files.
    2. Citrix has a MSI Log Analyzer.
  30. If you see a License Server Data page, click Next.
  31. In the Finish page, check the box next to Launch Citrix Site Manager and click Finish.

Site Manager – Upgrade Database, Catalogs, and Delivery Groups

  1. After Site Manager launches, if you have sysadmin permissions on SQL, then click Start the automatic Site upgrade. If you don’t have full SQL permission, then get a DBA to help you, click Manually upgrade this site, and follow the instructions.

    • If you choose to Manually upgrade this site, then note that there might not be an upgrade for the Logging Database schema, depending on what version you are upgrading from.

    • Run the DisableServices.ps1 script before upgrading the database.
    • In SQL Studio, the .sql scripts must be run in SQLCMD mode. Re-enable SQLCMD mode for each script. Run each of the .sql scripts.
    • Then run EnableServices.ps1.

CVAD 2212 and newer include Web Studio at https://ControllerFQDN/citrix/studio or from the Start Menu.

Other Citrix Virtual Apps and Desktops components can also be in-place upgraded:

New Install Preparation

Current Release

Citrix Virtual Apps and Desktops (CVAD) 2402 CU2 is a Long Term Support Release (LTSR), which receives periodic (usually twice per year) Cumulative Updates with bug fixes but no new features. See Lifecycle Milestones for Citrix Virtual Apps & Citrix Virtual Apps and Desktops. See CTX205549 FAQ: Citrix Virtual Apps and Desktops and Citrix Hypervisor Long Term Service Release (LTSR).

OS Compatibility

Delivery Controller 2402 CU2 is supported on Windows Server 2022, Windows Server 2019 and Windows Server 2016. Windows Server 2012 R2 and older are no longer supported. Windows Server 2025 is not supported.

Virtual Delivery Agent (VDA) 2402 CU2 is only supported on a limited number of Windows operating system versions, specifically, Windows 11, Windows 10 (1607+), Windows Server 2016, Windows Server 2019, and Windows Server 2022. Windows Server 2025 is not supported.

  • If you have older VDA machines running Windows Server 2012 R2, you can install VDA software version 1912 LTSR. Citrix supports VDA 1912 LTSR communicating with Delivery Controller 2402 CU2.

Citrix Licensing

Upgrade your Citrix License Server to 11.17.2.0 build 51000.

  • Citrix now requires Licensing telemetry as described in CTX477614 Citrix License Telemetry FAQ. The build must be 40000 or newer and you must upgrade within 6 months of release.
  • You can run LicServVerify.exe from the Citrix Virtual Apps and Desktops (CVAD) ISO to verify that the License Server is compatible. Example syntax is: "E:\x64\XenDesktop Setup\LicServVerify.exe" -h myLicenseServer -p 27000 -v

Multiple License Types – Multiple license types (but not multiple editions) are supported in a single farm. See CTX223926 How to Configure Multiple License Types within a Single XenApp and XenDesktop Site.

Cloud VDAs support – Delivery Controller 2203 and newer support public cloud (native Azure, native AWS, native Google Cloud) hosting connections, but only if your Citrix licenses are Citrix Cloud licenses with Hybrid rights. Normal on-prem licenses won’t work. See CTX270373 Citrix Virtual Apps and Desktops: Public cloud support with Current Releases and Long Term Service Releases.

SQL Databases for Citrix Virtual Apps and Desktops

  • Citrix article CTX114501 – Supported Databases for Virtual Apps and Desktops (XenApp and XenDesktop) AND Provisioning (Provisioning Services)
    • SQL Server 2022 is supported with Delivery Controller 2308 and newer.
    • Citrix Virtual Apps and Desktops (CVAD) 2203 and newer no longer support SQL 2014 and older.
  • Citrix CTX209080 XenDesktop 7.x: Database Sizing Tool
  • Three databases – There are typically three databases: one for the Site (aka farm), one for Logging (audit log) and one for Monitoring (Director).
    • The name of the monitoring database must not have any spaces in it. See CTX200325 Database Naming Limitation when Citrix Director Accesses Monitoring Data Using OData APIs
    • If you want Citrix Site Manager to create the SQL databases automatically, then the person running Studio must be a sysadmin on the SQL instances. No lesser SQL role will work. sysadmin permissions can be granted temporarily and revoked after installation.
    • Alternatively, you can use Citrix Site Manager to create SQL scripts and then ask a DBA to run those scripts on the SQL server. In that case, the person running the scripts only needs the dbcreator and securityadmin roles.
    • It is possible to create the three databases in advance. However, you must use the non-default collation named Latin1_General_100_CI_AS_KS.
  • SQL High Availability Options:
    • Basic Availability Groups – Build two SQL 2016 (or newer) Standard Edition servers, and create three Basic Availability Groups, one for each database. Each Basic Availability Group has its own Listener.
    • AlwaysOn Availability Group – Build two SQL Enterprise Edition servers, and create one AlwaysOn Availability Group with one Listener.
    • Failover Clustering – Build two SQL Enterprise Edition servers, and configure SQL Database Failover Clustering.
  • Cloud – Azure SQL is not supported. AWS RDS is supported by AWS, but not by Citrix. You’ll need to build your own SQL Servers on IaaS VMs.

Windows Feature

Installing Group Policy Management (GPMC) on the Delivery Controllers lets you edit Citrix-targeted Group Policy Objects (GPOs) directly from the Delivery Controllers.

Citrix has a Citrix Group Policy Management Plug-in that adds the Citrix Policies node to the Group Policy Editor. The Citrix Group Policy Management Plug-in is included with the installation of Citrix Studio, meaning that running GPMC on the Delivery Controller automatically grants you access to the Citrix Policies node in the GPOs. If you edit GPOs on a machine that doesn’t have Citrix Studio installed, then you won’t see the Citrix Policies node in GPOs until you manually install the Citrix Group Policy Management Plug-in.

vCenter Service Account

Create a role in vSphere Client. Assign a service account to the role at the vCenter Datacenter or higher level. Delivery Controller will use this service account to login to vCenter.

Delivery Controller New Install

  1. A typical size for the Controller VMs is 2-4 vCPU and 8+ GB of RAM. If all components (Delivery Controller, StoreFront, Licensing, Director, SQL Express) are installed on one server, then you might want to bump up memory to 10 GB or 12 GB. 5 GB is the minimum memory.
  2. From Local Host Cache sizing and scaling at Citrix Docs:
    1. Add two cores for LHC.
    2. For LHC SQL LocalDB, assign the Controller VMs a single CPU socket with multiple cores. SQL LocalDB uses a maximum of one CPU socket. Configure the Delivery Controller VM with four cores per socket.
    3. Add at least three more Gigs of RAM and watch the memory consumption.
    4. Since there’s no control over LHC election, ensure all Controllers in the site/farm have the same specs.
  3. Operating System: Citrix Virtual Apps and Desktops (CVAD) 2402 CU2 is supported on Windows Server 2022, Windows Server 2019 and Windows Server 2016. Windows Server 2012 R2 and older are no longer supported. Windows Server 2025 is not supported.
  4. Make sure the User Right Log on as a service includes NT SERVICE\ALL SERVICES or add NT SERVICE\CitrixTelemetryService to the User Right.
  5. Download the Citrix Virtual Apps and Desktops 2402 LTSR CU2 ISO.
  6. On two Delivery Controllers, to install the Delivery Controller software, run AutoSelect.exe from the mounted 2402 CU2 ISO.
  7. Click Start next to either Virtual Apps or Virtual Apps and Desktops. The only difference is the product name displayed in the installation wizard.
  8. On the top left, click Delivery Controller.
  9. In the Licensing Agreement page, select I have read, understand, and accept the terms, and click Next.
  10. In the Core Components page, you can install all components on one server, or on separate servers. Splitting out the components is only necessary in large environments, or if you have multiple farms and want to share the Licensing, and Director components across those farms. Notice that StoreFront is no longer an option and must be installed separately.
  11. CVAD 2212 and newer include Web Studio as an option. Studio is no longer selected by default. Citrix says that Web Studio and StoreFront should be installed on separate servers. Click Next.
  12. CVAD 2212 and newer let you add a Delivery Controller that Web Studio will manage.
  13. In the Features page, uncheck the box next to Install Microsoft SQL Server 2022 Express CU9, and click Next.
  14. In the Firewall page, click Next.
  15. In the Summary page, click Install.
  16. The machine will probably restart a couple times.

    1. After the reboot, and after logging in again, you might see a Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window. Don’t click anything yet.
    2. Go to the Citrix_Virtual_Apps_and_Desktops_7_2402_LTSR_CU2_2100.iso file and mount it.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window.
    4. On the left, expand This PC, and click the DVD Drive.
    5. Click Select Folder.
    6. Installation will resume. Repeat these instructions after each reboot.
  17. If you see a Diagnostics page, you can optionally Collect diagnostic information by clicking Connect and entering your Citrix Cloud or MyCitrix.com credentials. Click Next.
  18. In the Finish page, click Finish. Citrix Site Manager will automatically launch.
  19. Anti-affinity – Ensure the two Delivery Controller VMs do not run on the same hypervisor host. Create an anti-affinity rule at vSphere Cluster > Manage > VM/Host Rules > Add. Set the Type to Separate Virtual Machines.
  20. Citrix Tech Zone Endpoint Security and Antivirus Best Practices: provides guidelines for configuring antivirus software in Citrix Virtual Apps and Desktops environments.

Create Site – Create Database

There are several methods of creating the databases for Citrix Virtual Apps and Desktops (CVAD):

  • If you have sysadmin permissions to SQL, let Citrix Site Manager create the databases automatically.
  • If you don’t have sysadmin permissions to SQL, then use Citrix Site Manager to generate SQL scripts and send the SQL scripts to a DBA.

Use Citrix Site Manager to Create the Databases Automatically

  1. Launch Citrix Site Manager. After it loads, click Deliver applications and desktops to your users.
  2. In the Introduction page, enter a Site Name (aka farm name) and click Next. Only administrators see the farm name.
  3. In the Databases page, if you are building two Delivery Controllers, click Select near the bottom of the same page.

    1. Click Add.
    2. Enter the FQDN of the second Delivery Controller and click OK. Note: the Delivery Controller software must already be installed on that second machine.
    3. Then click Save.
  4. If the person running Citrix Site Manager has sysadmin permissions to the SQL Server, then enter the SQL server name/instance in the three Location fields and click Next.
  5. If you don’t have sysadmin permission, then jump to the SQL Scripts section below.
  6. On the Licensing page, enter the name of the Citrix License Server, and click Connect. If you installed Citrix Licensing with your Delivery Controller, then simply enter localhost.
  7. If the Certificate Authentication appears, select Connect me, and click Confirm.
  8. Select your license type, and click Next. If you see both User/Device and Concurrent, then you usually must select User/Device licenses. Also see Multi-type licensing at Citrix Docs.
  9. In the Summary page, if your databases are mirrored or in an Availability Group, each database will show high availability servers and the name of the Mirror server. Click Finish.

  10. It will take some time for the site to be created.
  11. Once done, skip to the Second Delivery Controller section.

Use Citrix Site Manager to create SQL scripts

  1. If you don’t have SQL sysadmin permissions, then change the selection to Generate scripts to manually set up databases on the database server. Change the database names if desired and click Next.
  2. In the Summary page, click Generate scripts.
  3. A folder will open with many scripts.
    • There’s a Principal script for each of the three databases.
    • The Mixed scripts and SysAdmin scripts create SQL Server logins whereas the DbOwner scripts do not. Either run the Mixed scripts that contain all tasks or run the SysAdmin and DbOwner scripts separately. The idea is that the separate scripts are run by different SQL admins that have different permissions.
    • The Replicas scripts add logons to secondary SQL servers.
  4. Before running the scripts, create the three databases.

    1. At the top of each script is the Database Name that was entered in Citrix Site Manager. The database name needs to match the script.
    2. On the Options tab, change the Collation to Latin1_General_100_CI_AS_KS.
    3. In the bottom part, find Is Read Committed Snapshot On and set it to True.
    4. Repeat this for all three databases.
    5. You can then add these three databases to an AlwaysOn Availability Group.
  5. Now run either the Mixed scripts, or the SysAdmin and DbOwner scripts separately. The scripts must be run in SQLCMD mode.
    1. On the Principal SQL Server, open the file Site_Mixed_Principal.sql.

    2. Open the Query menu, and click SQLCMD Mode to enable it.
    3. Then execute the script.
    4. If SQLCMD mode was enabled properly, then the output should look something like this:
    5. If you have a mirrored database, then run the Replicas script on the mirror SQL instance. Make sure SQLCMD mode is enabled.
    6. Repeat for the Logging_Mixed_Principal.sql script.
    7. You’ll have to enable SQLCMD Mode for each script you open.


    8. Repeat for the Monitoring_Mixed_Principal.sql script.
    9. Once again enable SQLCMD Mode.


    10. The person running Citrix Site Manager must be added to the SQL Server as a SQL Login and granted the public server role so that the account can enumerate the databases.

  6. Back in Citrix Site Manager, click the Continue database configuration and Site setup button.
  7. In the Databases page, enter the SQL server name and instance name, and then click Next.

  8. On the Licensing page, enter the name of the Citrix License Server, and click Connect. If you installed Citrix Licensing with your Delivery Controller, then simply enter localhost.
  9. If the Certificate Authentication window appears, select Connect me, and click Confirm.
  10. Then select your license and click Next. See CTX223926 How to Configure Multiple License Types within a Single XenApp and XenDesktop Site.
  11. In the Summary page, if your databases are mirrored, each database will show high availability servers and the name of the Mirror server. Click Finish.

  12. It will take some time for the site to be created.
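Step 4 of the script procedure above (create the three databases by hand, set the collation, set Is Read Committed Snapshot On) as an added PowerShell example; it is not the page's or Citrix's code, and the Site Manager scripts still have to be run in SQLCMD mode afterwards. It creates each database with the required collation, turns on Read Committed Snapshot (the same option the Database Maintenance section recommends for busy sites), then reads the settings back from sys.databases so a DBA can confirm them. It assumes the SqlServer module (Invoke-Sqlcmd) is installed and the caller holds the dbcreator role; the instance and database names are placeholders to replace with the names typed into Site Manager.

```powershell
# Added example (not from the page or from Citrix): pre-create the Site, Logging and
# Monitoring databases so a DBA can then run the scripts generated by Citrix Site Manager.
# Assumes the SqlServer module (Invoke-Sqlcmd) and the dbcreator role.

$SqlInstance = 'SQL01\CITRIX'                                       # placeholder
$Databases   = @('CitrixSite', 'CitrixLogging', 'CitrixMonitoring') # placeholders; no spaces (CTX200325)
$Collation   = 'Latin1_General_100_CI_AS_KS'                        # required non-default collation

function Test-SimpleIdentifier {
    # Names are spliced into DDL as identifiers (they cannot be parameterized), so refuse
    # anything that is not a plain identifier before a statement is built from them.
    param([string] $Value)
    return $Value -match '^[A-Za-z_][A-Za-z0-9_]*$'
}

function New-CitrixDatabase {
    param(
        [Parameter(Mandatory)] [string] $Instance,
        [Parameter(Mandatory)] [string] $Name,
        [string] $Collation = 'Latin1_General_100_CI_AS_KS'
    )
    if (-not (Test-SimpleIdentifier $Name))      { throw "Refusing database name '$Name'." }
    if (-not (Test-SimpleIdentifier $Collation)) { throw "Refusing collation '$Collation'." }

    $exists = Invoke-Sqlcmd -ServerInstance $Instance -Database master -ErrorAction Stop `
        -Query "SELECT CASE WHEN DB_ID(N'$Name') IS NULL THEN 0 ELSE 1 END AS Present"
    if ($exists.Present -eq 0) {
        Invoke-Sqlcmd -ServerInstance $Instance -Database master -ErrorAction Stop `
            -Query "CREATE DATABASE [$Name] COLLATE $Collation;"
    }
    # Same as SSMS 'Is Read Committed Snapshot On = True'. The option needs exclusive
    # access; ROLLBACK IMMEDIATE drops open sessions, which is harmless on a database
    # that was just created but would interrupt a site that is already running.
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -ErrorAction Stop `
        -Query "ALTER DATABASE [$Name] SET READ_COMMITTED_SNAPSHOT ON WITH ROLLBACK IMMEDIATE;"
}

function Get-CitrixDatabaseSettings {
    param([Parameter(Mandatory)] [string] $Instance, [Parameter(Mandatory)] [string[]] $Names)
    foreach ($n in $Names) { if (-not (Test-SimpleIdentifier $n)) { throw "Refusing database name '$n'." } }
    $list = ($Names | ForEach-Object { "N'$_'" }) -join ', '
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -ErrorAction Stop -Query @"
SELECT name, collation_name, is_read_committed_snapshot_on, recovery_model_desc
FROM sys.databases
WHERE name IN ($list);
"@
}

foreach ($db in $Databases) { New-CitrixDatabase -Instance $SqlInstance -Name $db -Collation $Collation }
Get-CitrixDatabaseSettings -Instance $SqlInstance -Names $Databases | Format-Table -AutoSize
```

The report at the end is what to hand back with the scripts: collation_name must read Latin1_General_100_CI_AS_KS and is_read_committed_snapshot_on must be 1 for all three rows. Recent versions of the SqlServer module encrypt the connection by default, so the instance certificate must be trusted by the machine running the script.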

Second Controller

During Site creation on the first Delivery Controller, in the Site Setup wizard, you might have selected more than one Delivery Controller. In that case, on the second Delivery Controller, simply run Citrix Site Manager and it should already be configured.

Otherwise, additional Delivery Controllers need to be added to the SQL databases.

  • If you have sysadmin permissions to SQL, let Citrix Site Manager modify the databases automatically.
  • If you don’t have sysadmin permissions to SQL, then use Citrix Site Manager to generate SQL scripts and send them to a DBA.

To use Citrix Site Manager to create the SQL Scripts:

  1. On the first Delivery Controller, if StoreFront is installed on the Controller, then delete the default StoreFront store (/Citrix/Store) and recreate it with your desired Store name (e.g. /Citrix/Company).
  2. On the second Delivery Controller machine, install Delivery Controller as detailed earlier.
  3. After installation, launch Citrix Site Manager on the second controller, and click Connect this Delivery Controller to an existing Site.
  4. Enter the name of the first Delivery Controller and click OK.
  5. If you don’t have full SQL permissions (sysadmin), click No when asked if you want to update the database automatically.
  6. Click Generate scripts.
  7. A folder will open with multiple SQL scripts. These SQL script files follow the same pattern as the first Delivery Controller where the Mixed scripts do everything, but the DbOwner and SysAdmin scripts are intended to be run by different SQL administration roles. Always run each of these scripts in SQLCMD mode. There are separate scripts for mirrored databases.

    1. On the SQL Server, open one of the .sql files.

    2. Open the Query menu and click SQLCMD Mode.
    3. Then execute the SQL script.
    4. If SQLCMD mode was enabled properly, then the output should look something like this:
  8. Repeat for the remaining script files. Enable SQLCMD mode for each script.
  9. Back in Citrix Site Manager, click OK.
  10. In Citrix Site Manager you should see both controllers.

SSL for Delivery Controller

SSL certificates should be installed on each Delivery Controller to encrypt the traffic between StoreFront and Delivery Controller. The traffic between StoreFront and Delivery Controller contains user credentials.

The SSL certificate on each Delivery Controller needs to match the FQDN of the Delivery Controller.

  • If StoreFront is installed on the Delivery Controller, then you have two FQDNs to consider: the Delivery Controller FQDN, and the StoreFront FQDN. Make sure the certificate matches the Delivery Controller FQDN, but it’s usually not necessary for the same certificate to also match the StoreFront FQDN.
    • The StoreFront certificate is usually hosted on a NetScaler Load Balancing Virtual Server. Users connect to NetScaler instead of directly to the StoreFront servers. The StoreFront certificate only needs to be valid between the user and the NetScaler.
    • For the connection between NetScaler and StoreFront server, NetScaler does not validate the certificate, so the certificate on the StoreFront server can be anything. That means you can install a certificate that matches the Delivery Controller FQDN and there’s no need for the certificate to match the StoreFront FQDN.

To enable SSL for a Delivery Controller:

  1. Run certlm.msc, go to Personal > Certificates and create or install a server certificate that matches the Delivery Controller’s FQDN. This can be an internally-signed certificate if the StoreFront server trusts internally-signed certificates.
  2. If IIS is installed on the Delivery Controller, then simply run IIS Manager, go to Default Web Site, click Edit Bindings, and add an https binding using the chosen certificate.

If IIS is not installed on the Delivery Controller, then we need to build a command line to bind the certificate to the Citrix Broker Service.

  1. Open a command prompt as administrator.
  2. Enter the following text but don’t press Enter yet.
    netsh http add sslcert ipport=0.0.0.0:443 certhash=
  3. Right after certhash= paste the certificate thumbprint using the following procedure:
    1. Go to certlm.msc > Personal > Certificates.
    2. Double-click the certificate you want to bind.
    3. On the Details tab, scroll down to Thumbprint and copy the thumbprint.
    4. Paste the thumbprint into the command line we’re building.
    5. Remove the special character at the beginning of the thumbprint.
    6. Remove the spaces.
  4. Add the following to the command line:
     appid=
  5. Michael Shuster at HowTo: Enable SSL on Citrix Delivery Controllers – Easy Method says you can run the following PowerShell to get the Broker Service GUID.
    Get-WmiObject -Class Win32_Product | Select-String -Pattern "broker service"
  6. Paste the GUID for Citrix Broker Service that you got from the Get-WmiObject. Make sure the GUID has curly braces on both sides with no space between appid and the left curly brace.
  7. Press <Enter> to run the command.
  8. If you entered everything correctly, then it should say SSL Certificate successfully added.
  9. To confirm the certificate binding, run the following:
    netsh http show sslcert ipport=0.0.0.0:443
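The same binding built as an added PowerShell example (not the page's or Citrix's code). It reads the thumbprint straight from the certificate store, so the hidden character and spaces from the copy-and-paste steps never appear, and it takes the Broker Service product GUID from the Windows Installer Uninstall registry keys rather than Win32_Product, because enumerating Win32_Product makes Windows Installer run a consistency check (and possibly a repair) of every installed package. It assumes it runs elevated on the Delivery Controller, that the certificate is already in LocalMachine\My with its private key and a name matching the Controller FQDN, and that the Broker Service's Uninstall entry carries "Broker Service" in its DisplayName (an assumption the page does not confirm).

```powershell
# Added example (not from the page or from Citrix): bind a server certificate to
# 0.0.0.0:443 for the Citrix Broker Service on a Delivery Controller that has no IIS.
# Assumes: elevated session on the Controller; the Broker Service MSI Uninstall entry
# has "Broker Service" in its DisplayName (assumption).

function Get-BrokerServiceProductGuid {
    # MSI product codes are the {GUID} subkey names under the Uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Broker Service*' -and
                       $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        Select-Object -First 1
    if (-not $entry) { throw 'No MSI Uninstall entry for the Citrix Broker Service was found.' }
    return $entry.PSChildName     # already wrapped in curly braces, as netsh expects
}

function Get-ControllerCertificate {
    # Newest valid certificate with a private key whose subject or SAN matches this
    # machine's FQDN. Thumbprint is plain upper-case hex with nothing to strip.
    param([string] $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       ($_.Subject -eq "CN=$Fqdn" -or $_.Subject -like "CN=$Fqdn,*" -or
                        $_.DnsNameList.Unicode -contains $Fqdn) } |
        Sort-Object -Property NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable server certificate for $Fqdn in LocalMachine\My." }
    return $cert
}

function Set-BrokerSslBinding {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $IpPort = '0.0.0.0:443'
    )
    $appId = Get-BrokerServiceProductGuid

    # Remove an existing binding on the port first so the script can be re-run,
    # for example after renewing the certificate.
    $current = netsh http show sslcert "ipport=$IpPort" 2>&1
    if (($current -join "`n") -match 'Certificate Hash') {
        netsh http delete sslcert "ipport=$IpPort" | Out-Null
    }

    $output = netsh http add sslcert "ipport=$IpPort" "certhash=$($Certificate.Thumbprint)" "appid=$appId" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed: $($output -join ' ')" }

    # Same confirmation as the last manual step.
    netsh http show sslcert "ipport=$IpPort"
}

$cert = Get-ControllerCertificate
"Binding $($cert.Subject) (thumbprint $($cert.Thumbprint)) to the Broker Service"
Set-BrokerSslBinding -Certificate $cert
```

The confirmation output should show the thumbprint of the chosen certificate under Certificate Hash and the Broker Service GUID under Application ID; if the add fails with a permissions error, the session is not elevated.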

Concurrent Logon Hard Limit

From Samuel Legrand XenApp 7.14 – (Really) Manage a DR! – Citrix Policies has a setting called Concurrent Logon Tolerance. However, it is not a hard limit, meaning that once the limit is reached, it continues to let users connect. You can configure the Controllers to make it a hard limit by setting the following registry value on the Delivery Controllers:

  • HKLM\Software\Policies\Citrix\DesktopServer
    • LogonToleranceIsHardLimit (DWORD) = 1

Local Host Cache

Local Host Cache (LHC) allows new sessions to be started even if the SQL database is unavailable.

From Local Host Cache sizing and scaling at Citrix Docs:

  1. For LHC LocalDB, assign the Controller VMs a single CPU socket with multiple CPU cores.
  2. Add two CPU cores for LHC.
  3. Add at least three more Gigs of RAM and watch the memory consumption.
  4. Since there’s no control over LHC election, ensure all Controllers have the same specs.
  5. The Docs article has scripts for monitoring LHC performance.

As mentioned by Citrix Docs, make sure PowerShell Execution Policy is set to RemoteSigned, Unrestricted, or Bypass.

If you did a fresh install of 2402, then Local Host Cache should be enabled by default. In PowerShell, you can run Get-BrokerSite to confirm.

If not enabled, you can run some PowerShell commands to enable Local Host Cache:

Set-BrokerSite -ConnectionLeasingEnabled $false
Set-BrokerSite -LocalHostCacheEnabled $true

George Spiers Local Host Cache XenApp & XenDesktop shows the Event Log entries when LHC is enabled.

Database Maintenance

Enable Read-Committed Snapshot

The Delivery Controller Database can become heavily utilized under load in a large environment. Therefore, Citrix recommends enabling the Read_Committed_Snapshot option on the Delivery Controller databases to remove contention on the database from read queries. This can improve the interactivity of Studio and Director. It should be noted that this option may increase the load on the tempdb files. See Citrix article CTX137161 How to Enable Read-Committed Snapshot in XenDesktop for configuration instructions.

Change Database Connection Strings

Sometimes the database connection strings need to be modified:

  • When moving the SQL databases to a different SQL server
  • For AlwaysOn Availability Groups, to add MultiSubnetFailover to the SQL connection strings
  • For SQL mirroring, to add Failover Partner to the SQL connection strings

Here are general instructions for moving the database and assigning the correct permissions:

  1. Backup the three Citrix databases on the original SQL server and restore them on the new SQL server. See Microsoft’s documentation for details.
  2. In SQL Management Studio > Security > Logins, add the Delivery Controller computer accounts (e.g., CORP\DDC01$)
  3. When adding the SQL Login, on the User Mapping page, select the three Citrix databases (Site database, Monitoring database, and Logging database)
  4. For each of the three Citrix databases, add the Delivery Controller computer account to the various database roles as listed below. The Site database has many more roles than the Logging and Monitoring databases.
    • Site database – ADIdentitySchema_ROLE
    • Site database – Analytics_ROLE (7.8 and newer)
    • Site database – AppLibrarySchema_ROLE (7.8 and newer)
    • Site database – chr_Broker
    • Site database – chr_Controller
    • Site database – ConfigLoggingSchema_ROLE
    • Site database – ConfigLoggingSiteSchema_ROLE
    • Site database – ConfigurationSchema_ROLE
    • Site database – DAS_ROLE
    • Site database – DesktopUpdateManagerSchema_ROLE
    • Site database – EnvTestServiceSchema_ROLE
    • Site database – HostingUnitServiceSchema_ROLE
    • Site database – Monitor_ROLE
    • Site database – MonitorData_ROLE
    • Site database – OrchestrationSchema_ROLE (7.11 and newer)
    • Site database – public
    • Site database – StorefrontSchema_ROLE (7.8 and newer)
    • Site database – TrustSchema_ROLE (7.11 and newer)
    • Monitoring database – Monitor_ROLE
    • Monitoring database – public
    • Logging database – ConfigLoggingSchema_ROLE
    • Logging database – public
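
The role assignments above can be scripted instead of clicked through in SQL Management Studio. The script below is an added example, not Citrix's or the page author's code: it creates the Windows login for the Delivery Controller computer account, creates the matching user in each database, and adds it to the roles listed above, skipping any role that does not exist in the restored database (the version-dependent ones). It assumes the SqlServer PowerShell module (Invoke-Sqlcmd); instance and database names are placeholders, and the account uses the page's CORP\DDC01$ example.

```powershell
# Added example (not Citrix's or the page author's code). Grants a Delivery
# Controller computer account the database roles the page lists, idempotently.
param(
    [string]$SqlInstance = 'SQL01\CITRIX',   # placeholder instance
    [string]$Account     = 'CORP\DDC01$',    # Delivery Controller computer account
    [string]$SiteDb      = 'CitrixSite',     # placeholder database names
    [string]$LoggingDb   = 'CitrixLogging',
    [string]$MonitorDb   = 'CitrixMonitoring'
)
Import-Module SqlServer -ErrorAction Stop

# Role membership per database. "public" is omitted on purpose: every database
# user belongs to public automatically and SQL Server rejects ALTER ROLE public.
$RoleMap = @{}
$RoleMap[$SiteDb] = @('ADIdentitySchema_ROLE', 'Analytics_ROLE', 'AppLibrarySchema_ROLE',
    'chr_Broker', 'chr_Controller', 'ConfigLoggingSchema_ROLE', 'ConfigLoggingSiteSchema_ROLE',
    'ConfigurationSchema_ROLE', 'DAS_ROLE', 'DesktopUpdateManagerSchema_ROLE',
    'EnvTestServiceSchema_ROLE', 'HostingUnitServiceSchema_ROLE', 'Monitor_ROLE',
    'MonitorData_ROLE', 'OrchestrationSchema_ROLE', 'StorefrontSchema_ROLE', 'TrustSchema_ROLE')
$RoleMap[$MonitorDb] = @('Monitor_ROLE')
$RoleMap[$LoggingDb] = @('ConfigLoggingSchema_ROLE')

# 1. Server-level login using Windows authentication (no password to store or leak).
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
"@

# 2. Per-database user and role membership.
foreach ($db in $RoleMap.Keys) {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
"@
    foreach ($role in $RoleMap[$db]) {
        # Roles marked "7.8 and newer" / "7.11 and newer" may be absent on older schemas.
        $present = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db `
            -Query "SELECT COUNT(*) AS n FROM sys.database_principals WHERE name = N'$role' AND type = 'R';"
        if ($present.n -eq 0) { Write-Warning "$db has no role $role; skipped"; continue }

        Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query @"
IF NOT EXISTS (
    SELECT 1 FROM sys.database_role_members rm
    JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'$role' AND m.name = N'$Account')
    ALTER ROLE [$role] ADD MEMBER [$Account];
"@
        "$db : $Account is a member of $role"
    }
}
```

Run it once per Delivery Controller computer account. Granting only these roles, rather than db_owner or sysadmin, keeps the Controllers' SQL access at the level the product actually needs.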

From Citrix Docs Update database connection strings when using SQL Server high availability solutions: Citrix offers several PowerShell scripts that update Delivery Controller database connection strings when you are using SQL Server high availability database solutions such as AlwaysOn and mirroring. The scripts, which use the Citrix Virtual Apps and Desktops PowerShell API, are:

  • DBConnectionStringFuncs.ps1: The core script that does the actual work. This script contains common functions that the other scripts use.
  • Change_XD_Failover_Partner_v1.ps1: Updates (adds, changes, or removes) the failover partner. This script prompts for the failover partner location (FQDN) for each database. (Providing a blank failover partner removes the failover partner. You can also use the ClearPartner option to remove a partner.) Do not set the failover partner to the same location as the principal database server.
  • Change_XD_To_ConnectionString.ps1: Uses the provided connection strings to update the connection strings to the databases. This script ensures that certain Citrix services are up and running, and then updates those services in the correct order on all Controllers in the site. Enclose connection string information for each database in quotes.
  • Change_XD_To_MultiSubnetFailover.ps1: Toggles the addition and removal of MultiSubnetFailover=true. If you use AlwaysOn Availability Groups, Microsoft recommends that the connection string include MultiSubnetFailover=true. This option speeds up recovery when a high availability event occurs, and is recommended for both single and multi-subnet environments. Run this script once to add the option. Run the script again to remove it.
  • Change_XD_To_Null.ps1: Resets all the connection strings on the localhost because something has gone wrong. By resetting the connection strings to null, this script places the Controller into an “initial” state. If you run Studio after running this script, you’ll be asked if you want to create a site or join an existing site. This is useful if something has gone wrong and a reset is needed. After the reset, you can try again to set the connection strings.

Here are the DB Connections that must be changed. Make sure you include all of the DB Connections shown below. You can get the full list of database commands by running Get-Command Set-*DBConnection. When changing the DB connections, AdminDBConnection must be the last to be set to NULL, and the first to be configured with the new connection string. Repeat these instructions on all Delivery Controllers in the farm.

Remove the existing Database connections

At the Delivery Controller, open PowerShell as Administrator and run the following commands to clear the existing database connections.

## Disable configuration logging for the XD site:
Set-LogSite -State Disabled

## Clear the current Delivery Controller database connections
## Note: AdminDBConnection must be the last command
Set-ConfigDBConnection -DBConnection $null
Set-AppLibDBConnection -DBConnection $null    #7.8 and newer
Set-OrchDBConnection -DBConnection $null      #7.11 and newer
Set-TrustDBConnection -DBConnection $null     #7.11 and newer
Set-AcctDBConnection -DBConnection $null
Set-AnalyticsDBConnection -DBConnection $null # 7.6 and newer
Set-HypDBConnection -DBConnection $null
Set-ProvDBConnection -DBConnection $null
Set-BrokerDBConnection -DBConnection $null
Set-EnvTestDBConnection -DBConnection $null
Set-SfDBConnection -DBConnection $null
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null   #Monitoring Database
Set-MonitorDBConnection -DBConnection $null                      #Site Database
Set-LogDBConnection -DataStore Logging -DBConnection $null       #Logging Database
Set-LogDBConnection -DBConnection $null                          #Site Database
Set-AdminDBConnection -DBConnection $null -force

Specify the new Database connection strings

Run the following commands to set the new SQL connection strings. Adjust the variables to match your desired connection string. For example, if you wish to add “;MultiSubnetFailover=True” to the connection strings, then set the $csSite variable to "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True;MultiSubnetFailover=True". Repeat this for the $csLogging and $csMonitoring variables.

## Replace <dbserver> with the SQL server name, and the instance name if present, e.g. "ServerName\SQLInstanceName". If no SQL instance name is given, the cmdlet connects to the default SQL instance.
## Replace <dbname> with the name of your restored Database
## Note: AdminDBConnection should be first

$ServerName = "<dbserver>"
$SiteDBName = "<SiteDbName>"
$LogDBName = "<LoggingDbName>"
$MonitorDBName = "<MonitorDbName>"
$csSite = "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True;MultiSubnetFailover=True"
$csLogging = "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True;MultiSubnetFailover=True"
$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True;MultiSubnetFailover=True"

Set-AdminDBConnection -DBConnection $csSite
Set-ConfigDBConnection -DBConnection $csSite
Set-AcctDBConnection -DBConnection $csSite
Set-AnalyticsDBConnection -DBConnection $csSite # 7.6 and newer
Set-HypDBConnection -DBConnection $csSite
Set-ProvDBConnection -DBConnection $csSite
Set-AppLibDBConnection -DBConnection $csSite # 7.8 and newer
Set-OrchDBConnection -DBConnection $csSite # 7.11 and newer
Set-TrustDBConnection -DBConnection $csSite # 7.11 and newer
Set-BrokerDBConnection -DBConnection $csSite
Set-EnvTestDBConnection -DBConnection $csSite
Set-SfDBConnection -DBConnection $csSite
Set-LogDBConnection -DBConnection $csSite
Set-LogDBConnection -DataStore Logging -DBConnection $null
Set-LogDBConnection -DBConnection $null
Set-LogDBConnection -DBConnection $csSite
Set-LogDBConnection -DataStore Logging -DBConnection $csLogging
Set-MonitorDBConnection -DBConnection $csSite
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null
Set-MonitorDBConnection -DBConnection $null
Set-MonitorDBConnection -DBConnection $csSite
Set-MonitorDBConnection -DataStore Monitor -DBConnection $csMonitoring
Set-LogSite -State Enabled

Test the new Database connection strings

Run the following commands to verify connectivity to the database:

## Copy these variables from the previous step
## If you haven’t closed your PowerShell window, then the variables might still be defined. In that case, just run the Test commands
$ServerName = "<dbserver>"
$SiteDBName = "<SiteDbName>"
$LogDBName = "<LoggingDbName>"
$MonitorDBName = "<MonitorDbName>"
$csSite = "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True"
$csLogging = "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True"
$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True"

Test-AcctDBConnection -DBConnection $csSite
Test-AdminDBConnection -DBConnection $csSite
Test-AnalyticsDBConnection -DBConnection $csSite # 7.6 and newer
Test-AppLibDBConnection -DBConnection $csSite # 7.8 and newer
Test-BrokerDBConnection -DBConnection $csSite
Test-ConfigDBConnection -DBConnection $csSite
Test-EnvTestDBConnection -DBConnection $csSite
Test-HypDBConnection -DBConnection $csSite
Test-LogDBConnection -DBConnection $csSite
Test-LogDBConnection -DataStore Logging -DBConnection $csLogging
Test-MonitorDBConnection -DBConnection $csSite
Test-MonitorDBConnection -DataStore Monitor -DBConnection $csMonitoring
Test-OrchDBConnection -DBConnection $csSite # 7.11 and newer
Test-ProvDBConnection -DBConnection $csSite
Test-SfDBConnection -DBConnection $csSite
Test-TrustDBConnection -DBConnection $csSite # 7.11 and newer
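
Once the connection strings have been set on every Controller, it is worth confirming that no service was missed. The script below is an added example, not Citrix's or the page author's code: it enumerates every Get-*DBConnection cmdlet (the Get counterparts of the Set-*DBConnection cmdlets the page mentions), parses each connection string, and flags any that point at a different server, do not use Integrated Security, or (optionally) lack MultiSubnetFailover. It assumes it runs on a Delivery Controller with the Citrix snap-ins installed; the expected server name is a placeholder.

```powershell
# Added example (not Citrix's or the page author's code). Audits the connection
# string every Citrix service currently holds on this Delivery Controller.
param(
    [string]$ExpectedServer = 'SQL01\CITRIX',   # placeholder
    [switch]$RequireMultiSubnetFailover
)
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

function Test-CitrixDbConnections {
    param([string]$Server, [bool]$WantMsf)
    foreach ($cmd in Get-Command -Name Get-*DBConnection -CommandType Cmdlet) {
        # Log and Monitor each hold two connections: the Site DB and their own DB.
        $variants = @(@{})
        if ($cmd.Name -eq 'Get-LogDBConnection')     { $variants += @{ DataStore = 'Logging' } }
        if ($cmd.Name -eq 'Get-MonitorDBConnection') { $variants += @{ DataStore = 'Monitor' } }

        foreach ($p in $variants) {
            $cs = & $cmd @p
            if (-not $cs) { $cs = '' }   # $null means the service has no connection at all
            $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($cs)
            [pscustomobject]@{
                Service             = $cmd.Name -replace '^Get-|DBConnection$', ''
                Store               = if ($p.DataStore) { $p.DataStore } else { 'Site' }
                Server              = $b.DataSource
                Database            = $b.InitialCatalog
                IntegratedSecurity  = $b.IntegratedSecurity
                MultiSubnetFailover = $b.MultiSubnetFailover
                Ok                  = ($cs -ne '') -and ($b.DataSource -eq $Server) -and
                                      $b.IntegratedSecurity -and
                                      ((-not $WantMsf) -or $b.MultiSubnetFailover)
            }
        }
    }
}

$report = Test-CitrixDbConnections -Server $ExpectedServer -WantMsf $RequireMultiSubnetFailover.IsPresent
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Ok })
if ($bad.Count) { Write-Warning "$($bad.Count) connection(s) deviate from the expected configuration" }
```

Run it on each Delivery Controller after the change. A row with an empty Server column means that service was left at $null, which is exactly the case the page's "make sure you include all of the DB Connections" warning is about. The IntegratedSecurity check also catches a connection string that was rewritten with a SQL password embedded in it.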

Director Grooming

If your Citrix Virtual Apps and Desktops is not Premium Edition, then all historical Director data is groomed at 30 days.

For Citrix Virtual Apps and Desktops Premium Edition, by default, most of the historical Director data is groomed at 90 days. This can be adjusted up to 367 days by running a PowerShell cmdlet.

  1. On a Delivery Controller, run PowerShell elevated (as administrator).
  2. Run Get-MonitorConfiguration to see the current grooming settings.
  3. Run Set-MonitorConfiguration to change the grooming settings.

View Logging Database

To view the contents of the Logging Database, in Web Studio, click the Logging node. On the right is Create Custom Report. See Citrix article CTX138132 Viewing Configuration Logging Data Not Shown for more info.

The Logging Database can be queried using Get-LogLowLevelOperation. See Stefan Beckmann Get user who set maintenance mode for a server or client for an example script that uses this PowerShell cmdlet.

Logging Database Grooming

By default, the Logging Database does not groom old entries. You can enable grooming in Citrix PowerShell by running the Set-LogSite cmdlet with the -LoggingDBPurgeDurationDays parameter. More info at Schedule periodic data deletion at Citrix Docs.
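
The following script is an added example (not Citrix's or the page author's code) that covers both the Director grooming settings from the previous section and the Logging Database purge setting described here. It lists every Groom*RetentionDays value returned by Get-MonitorConfiguration, raises those below a target (capped at the 367-day maximum the page mentions), and sets the Logging Database purge interval. It assumes an elevated PowerShell session on a Delivery Controller; the retention targets are placeholders, and it assumes the Get-LogSite output exposes the current purge interval under the same name as the Set-LogSite parameter.

```powershell
# Added example (not Citrix's or the page author's code). Reviews and optionally
# applies Director grooming and Logging Database purge retention.
param(
    [int]$MonitorRetentionDays = 180,   # placeholder target for Director data
    [int]$LoggingPurgeDays     = 365,   # placeholder target for the Logging DB
    [switch]$Apply
)
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

$MaxMonitorDays = 367                               # upper limit stated on the page
$target = [Math]::Min($MonitorRetentionDays, $MaxMonitorDays)

# Every grooming property follows the Groom<Thing>RetentionDays naming pattern.
$cfg      = Get-MonitorConfiguration
$settable = (Get-Command Set-MonitorConfiguration).Parameters.Keys
$groom    = $cfg.PSObject.Properties | Where-Object { $_.Name -like 'Groom*RetentionDays' }

"Current Director grooming settings:"
$groom | Select-Object Name, Value | Format-Table -AutoSize

# Only raise values that are below target and that Set-MonitorConfiguration accepts.
$changes = @{}
foreach ($g in $groom) {
    if ($g.Value -lt $target -and $settable -contains $g.Name) { $changes[$g.Name] = $target }
}

# Assumption: Get-LogSite exposes the purge interval as LoggingDBPurgeDurationDays (0 = never groom).
$purge = (Get-LogSite).LoggingDBPurgeDurationDays
"Current Logging DB purge interval (days, 0 = never): $purge"

if ($Apply) {
    if ($changes.Count) {
        "Setting $($changes.Count) grooming value(s) to $target days"
        Set-MonitorConfiguration @changes       # splat the hashtable as named parameters
    }
    Set-LogSite -LoggingDBPurgeDurationDays $LoggingPurgeDays
    Get-LogSite | Format-List
} else {
    "Run with -Apply to change $($changes.Count) grooming value(s) and the purge interval."
}
```

Longer retention only takes effect on Premium Edition licensing; on other editions the 30-day limit applies regardless of these values. Purging the Logging Database removes the configuration audit trail for that period, so pick a value that satisfies your change-audit requirements before enabling it.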

Studio Administrators

Full Administrators

  1. In Web Studio click the Administrators node and then click Create Administrator.
  2. In the Administrator and Scope page, Browse to a group (e.g. Citrix Admins) that will have permissions to Citrix Web Studio and Director.

  3. These groups typically have access to all objects, so select the All scope. Alternatively, you can create a Scope to limit the objects. Click Next.
  4. On the Role page, select a role, and then click Next. For example:
    • Full Administrator for the Citrix Admins group
    • Help Desk Administrator for the Help Desk group
    • Machine Catalog Administrator for the desktop team
  5. In the Summary page, click Finish.

Help Desk

  1. In Web Studio, click the Administrators node. On the Administrators tab, click Create Administrator.
  2. In the Administrator and Scope page, Browse to a Help Desk group that will have permissions to Web Studio and Director. Select the All scope, and click Next.
  3. On the Role page, select the Help Desk Administrator role, and then click Next.
  4. In the Summary page, click Finish.
  5. When administrators in the Help Desk role log into Director, all they see is this.

    To jazz it up a little, add the Help Desk group to the read-only role.
  6. Right-click the Help Desk Administrator and click Edit Administrator.
  7. Click Add.
  8. In the Scope page, select a scope, and click Next.
  9. In the Role page, select Read Only Administrator, and click Next.
  10. In the Summary page, click Finish.
  11. Then click Save. Now Director will display the dashboard.
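
The same administrators can be created with the Citrix delegated administration cmdlets. This script is an added example, not the page author's or Citrix's code: it assigns each group only the role it needs (including the Help Desk plus Read Only pairing described above) and leaves existing assignments untouched so it can be re-run. It assumes it runs on a Delivery Controller; the group names are placeholders.

```powershell
# Added example (not Citrix's or the page author's code). Creates least-privilege
# Studio/Director administrators from a group-to-role map.
Add-PSSnapin Citrix.DelegatedAdmin.Admin.V1 -ErrorAction Stop

$Scope = 'All'
$Assignments = @(
    @{ Name = 'CORP\Citrix Admins'; Roles = @('Full Administrator') },
    @{ Name = 'CORP\Help Desk';     Roles = @('Help Desk Administrator', 'Read Only Administrator') },
    @{ Name = 'CORP\Desktop Team';  Roles = @('Machine Catalog Administrator') }
)

foreach ($a in $Assignments) {
    $admin = Get-AdminAdministrator -Name $a.Name -ErrorAction SilentlyContinue
    if (-not $admin) {
        $admin = New-AdminAdministrator -Name $a.Name
        "Created administrator $($a.Name)"
    }
    foreach ($role in $a.Roles) {
        # Each right is a role/scope pair; skip ones that already exist.
        $has = $admin.Rights | Where-Object { $_.RoleName -eq $role -and $_.ScopeName -eq $Scope }
        if (-not $has) {
            Add-AdminRight -Administrator $a.Name -Role $role -Scope $Scope
            "Added $role / $Scope to $($a.Name)"
        }
    }
}

# Review the resulting assignments.
Get-AdminAdministrator | Select-Object Name, Enabled,
    @{ n = 'Rights'; e = { ($_.Rights | ForEach-Object { "$($_.RoleName):$($_.ScopeName)" }) -join ', ' } }
```

Use Active Directory groups rather than individual user accounts as the administrator names, so that membership changes are handled in AD and the Citrix assignments stay stable.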

Customer Experience Improvement Program

Citrix Virtual Apps and Desktops enables CEIP by default.

If desired, you can disable it in Citrix Web Studio (CVAD 2212 and newer):

  1. Go to https://ControllerFQDN/Citrix/Studio
  2. On the left, click Settings.
  3. On the top right, move the slider for Citrix Customer Experience Improvement Program.
  4. Click Apply at the bottom.

Citrix Studio collects data for Google Analytics. You can disable this in the registry at HKLM\Software\Citrix\DesktopStudio\GAEnabled = 0.

Each Citrix Virtual Apps and Desktops component has a separate configuration for disabling Customer Experience Improvement Program:

Web Studio Settings

In Web Studio 2311 and newer, the Logging node can show you the PowerShell cmdlets and APIs that Web Studio is using.

Web Studio has a Settings page:

  1. Web Studio 2308 and newer support Integrated Windows authentication.
  2. Web Studio 2308 and newer let you configure an Inactivity timeout.
  3. Web Studio 2311 and newer have multiple site management in the Settings node.

    • Use the Site selector at the top right of the page.
  4. Web Studio 2308 and newer support Vertical load balancing.

    • CVAD 2311 and newer let you set Vertical load balancing at the Delivery Group instead of only at the Site.
  5. Web Studio 2308+ lets you create folders of Machine Catalogs.
  6. Web Studio 2308+ lets you create folders of Delivery Groups.
  7. Web Studio 2402+ supports machine profile when using MCS on vSphere. MCS copies machine specifications (e.g., TPM) from the template machine to the MCS machines.
  8. Web Studio 2402+ has an Images node with Image Definitions and Image Versions that are prepared prior to creating or updating Catalogs. Now you can pre-replicate the baseDisk to datastores and later use the prepared image to quickly update the Catalogs. The Image Versions can also be shared by multiple Catalogs.

Hosting Connection – VMware vCenter

Citrix Virtual Apps and Desktops uses an Active Directory service account to log into VMware vCenter. This service account needs specific permissions in vCenter. To facilitate assigning these permissions, create a new vCenter role and assign it to the service account. The permissions should be applied at the vCenter datacenter object or higher level.

Import vCenter Root Certificate

If the vCenter certificate is valid and trusted, then you can skip to the Hosting Resource section.

For newer versions of vCenter, you can import the root certificate that signed the vCenter Server/Appliance certificate.

  1. Point your browser to the root path of the vCenter Server URL.
  2. On the bottom right, click Download trusted root CA certificates.
  3. Extract the downloaded files.
  4. Go to \certs\win.
  5. Sort the files by date, and double-click the newest .crt file.
  6. On the General tab, click Install Certificate.
  7. In the Welcome to the Certificate Import Wizard page, change the Store Location selection to Local Machine, and click Next.
  8. In the Certificate Store page, click Browse.
  9. Select Trusted Root Certification Authorities, and click OK.
  10. In the Completing the Certificate Import Wizard page, click Finish.
  11. If you close your browser and reopen it, and then go to the vCenter URL, there should no longer be any certificate errors.
  12. Skip to the Hosting Resource section.

Import vCenter Certificate

If the vCenter certificate is valid and trusted, then you can skip to the Hosting Resource section.

Alternatively, you can import the actual vCenter Server certificate (instead of the root certificate). This is the only option for older self-signed vCenter certificates.

Newer versions of Citrix Virtual Apps and Desktops (CVAD) have the ability to import the vCenter certificate thumbprint into the database so that every Delivery Controller trusts it. However, it is difficult to update the thumbprint whenever the vCenter certificate changes. It might instead be more reliable to use the older method of configuring the Trusted People store on the Delivery Controllers. Whenever the vCenter certificate is changed, you’ll need to repeat these steps.

  1. Get the vCenter certificate.
    1. Open a browser and point it to the vCenter URL. Note: this procedure to get the certificate won’t work in Internet Explorer.
    2. In Google Chrome, click the Secure box in the address bar, and then click Certificate.
    3. On the Details tab, click Copy to File.
    4. In the Welcome to the Certificate Export Wizard page, click Next.
    5. In the Export File Format page, either format will work. Click Next.
    6. In the File to Export page, browse to a new file, and click Next.
    7. In the Completing the Certificate Export Wizard page, click Finish.
  2. On the Delivery Controller, run certlm.msc. This opens the MMC console with the Certificates snap-in already added and pointing to Local computer.
  3. On the left, right-click the Trusted People node, expand All Tasks, and click Import.
  4. In the Welcome to the Certificate Import Wizard page, click Next.
  5. In the File to Import page, browse to the certificate you saved earlier, and click Next.
  6. In the Certificate Store page, click Next.
  7. In the Completing the Certificate Import Wizard page, click Finish.
  8. Click OK to acknowledge that the import was successful.
  9. Repeat these steps on the second Delivery Controller. It is important that you import the certificate on all Delivery Controllers before you add the Hosting Resource in Web Studio.
  10. If you open a browser and point to the vCenter Server, there should be no certificate errors.
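
The browser export and MMC import above can be done from PowerShell on the Delivery Controller itself. The script below is an added example, not Citrix's or the page author's code: it opens a TLS connection to vCenter, captures the certificate the server presents, prints its thumbprint and issuer so you can compare them with what the browser shows, and with -Import places it in the Local Machine Trusted People store, which is where this section puts the vCenter certificate. It assumes vcenter01.corp.local is a placeholder hostname.

```powershell
# Added example (not Citrix's or the page author's code). Fetches the vCenter
# server certificate over TLS and optionally imports it into Trusted People.
param(
    [string]$VCenterHost = 'vcenter01.corp.local',   # placeholder
    [int]$Port = 443,
    [switch]$Import
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback returns $true only so the handshake completes and we can read the
        # certificate; nothing is trusted here, the decision is made by the operator below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $leaf
    } finally {
        $client.Close()
    }
}

$cert = Get-RemoteCertificate -HostName $VCenterHost -Port $Port
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
"Chain OK   : $($cert.Verify())"   # $true when the issuing CA is already trusted on this machine

if ($Import) {
    # Trusted People: the leaf certificate is trusted directly, which is what the page does
    # for self-signed vCenter certificates. Repeat on every Delivery Controller.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    "Imported $($cert.Thumbprint) into LocalMachine\TrustedPeople"
}
```

Run it once without -Import and confirm the thumbprint against the one shown in the vCenter console or browser before importing; a mismatch means you are not talking to the vCenter you expect. If Chain OK already reports True, the issuing CA is trusted and the Trusted People import is unnecessary. Since Trusted People pins the leaf certificate, the import has to be repeated whenever the vCenter certificate is renewed, as the text above notes.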

Hosting Resources

Hosting Resources are used by both Machine Creation Services (MCS) and by Citrix Provisioning’s CVAD Setup Wizard.

A Hosting Resource = vCenter + Cluster (Resource Pool) + Storage + Network. When you create a machine catalog, you select a previously created Hosting Resource and the new virtual machines are created on the Cluster, Storage, and Network defined in the Hosting Resource object. If you need some VDA machines on a different Cluster+Storage+Network, then you’ll need to define more Hosting Resources in Studio.

Hosting Connections and Hosting Resources are two different objects. The Hosting Connection defines the type of hypervisor and the credentials that Delivery Controller uses to log into the hypervisor. A single Hosting Connection can have multiple Hosting Resources for multiple clusters, multiple datastores, etc. The first time you run the wizard both objects are created. Later you can add Hosting Resources to a pre-existing Hosting Connection.

See Citrix CTX131239 Supported Hypervisors for Virtual Desktops and Provisioning (Provisioning Services). vSphere 7 is supported in CVAD 2203 and newer. vSphere 8 is supported in CVAD 2212 and newer. SCVMM 2022 is supported in CVAD 2203 and newer.

  1. In Web Studio click Hosting.
  2. On the right, click Add Connection and Resources.
  3. In the Connection page, for Connection type, select VMware vSphere.
  4. Notice there’s a Learn about user permissions blue link to an article that describes the necessary permissions.
  5. In the Connection address field, enter a vCenter URL similar to https://vcenter01.corp.local/sdk. The URL must contain the FQDN of the vCenter server.
  6. Enter credentials of a service account that can log into vCenter.
  7. In the Connection name field, give the connection a name. Typically, this matches the name of the vCenter server.
  8. If you are not using Machine Creation Services (MCS) or Citrix Provisioning (PVS) and instead only need the vCenter connection for machine power management, change the Create virtual machines using selection to Other Tools.
  9. If you intend to use MCS or PVS, leave Create virtual machines using set to Studio Tools.
  10. Click Next.

  11. In the Storage Management page, click Browse and select a vSphere cluster.
    • Note: as detailed at CTX223662, make sure there’s no comma in the datacenter name.
  12. Select Use storage shared by hypervisors.
  13. Beware of Optimize temporary data on available local storage. From Mark Syms at Citrix Discussions: “If you use just MCS caching to local storage then the VM is not agile at all and cannot be moved even when powered off as it has a virtual disk permanently associated with a single host.”
  14. Click Next.
  15. In the Storage Selection page, OS and Temporary must be selected on at least one datastore.

    • For maximum virtual machine placement flexibility, only select one datastore per Hosting Resource. To select additional datastores, run this wizard again to create a separate Hosting Resource for each datastore.
    • When creating a Machine Catalog you select a Hosting Resource. If the Hosting Resource only has one datastore selected, then you know which datastore the new VMs will be placed on. However, if the Hosting Resource has multiple datastores selected, then the datastores are selected round robin and you don’t have any control over which datastore is selected for each new machine.
  16. In the Network page, enter a name for the Hosting Resource. Since each Hosting Resource is a combination of vCenter, Cluster, Network, and Datastores, include those names in this field (e.g. vCenter01-Cluster01-Network01-Datastore01).
  17. Select a network and click Next.
  18. In the Summary page, click Finish.
  19. If you need to rename Storage, Network, or Datacenters in vCenter, see Citrix CTX225019 XA/XD 7.13: Renaming Storage, Network or Datacenters When Used With MCS or PVS. Either run Update-HypHypervisorConnection -LiteralPath "XDHyp:\Connections\MyConnection", or right-click the Hosting Resource and click Edit Storage. You can cancel the wizard.

If you have multiple datastores for your VDAs, then create multiple Hosting Resources (one for each datastore):

  1. Run the Add Connection and Resources wizard again.
  2. You can use the existing vCenter connection.
  3. This time, select a different datastore. Remember, don’t select more than one datastore per Hosting Resource.
  4. Give the Hosting Resource a name that indicates the chosen datastore.

When you later create a MCS Machine Catalog:

  1. Select the Hosting Resource for the datastore where you want the VDAs to be placed.
  2. You can create multiple Machine Catalogs, with each of them on different datastores. You can then combine the Catalogs into a single Delivery Group.
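
To check an existing site against the one-datastore-per-Hosting-Resource advice above, the Hosting Resources (called hosting units in PowerShell) can be listed from the XDHyp: provider. This script is an added example, not Citrix's or the page author's code; it assumes it runs on a Delivery Controller, and the property names used (HostingUnitName, RootPath, NetworkPath, Storage/StoragePath) are the ones the XDHyp: provider exposes in my experience; confirm them on your version with Get-Item XDHyp:\HostingUnits\<name> | Format-List *.

```powershell
# Added example (not Citrix's or the page author's code). Inventories Hosting
# Resources and warns where more than one datastore is selected.
Add-PSSnapin Citrix.Host.Admin.V2 -ErrorAction Stop

function Get-HostingResourceInventory {
    foreach ($u in Get-ChildItem XDHyp:\HostingUnits) {
        # Storage is a collection of items whose StoragePath ends in "<datastore>.storage".
        $stores = @($u.Storage | ForEach-Object { Split-Path $_.StoragePath -Leaf })
        [pscustomobject]@{
            HostingUnit    = $u.HostingUnitName
            RootPath       = $u.RootPath                       # vCenter \ datacenter \ cluster
            Network        = Split-Path $u.NetworkPath -Leaf
            Datastores     = $stores -join ', '
            DatastoreCount = $stores.Count
        }
    }
}

$inventory = Get-HostingResourceInventory
$inventory | Format-Table -AutoSize

foreach ($hu in $inventory | Where-Object { $_.DatastoreCount -gt 1 }) {
    Write-Warning ("{0}: {1} datastores selected; new VMs will be placed round robin across them" -f
        $hu.HostingUnit, $hu.DatastoreCount)
}
```

A Hosting Resource with DatastoreCount of 1 gives you deterministic placement, as described in the Storage Selection step above; anything higher is a candidate for splitting into one Hosting Resource per datastore.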

Citrix License Server

Upgrade Citrix License Server to version 11.17.2.0 build 51000, which might be newer than what’s on the CVAD ISO.

New License Server

If you’re building a new standalone Citrix License Server:

  1. Citrix now requires Licensing telemetry as described in CTX477614 Citrix License Telemetry FAQ. The build must be 40000 or newer and you must upgrade within 6 months of release.
  2. Extract the downloaded Citrix License 11.17.2.0 build 51000.
  3. Run CitrixLicensing.exe.
  4. In the Software License Agreement page, check the box next to I have read, understand, and accept the terms, and click Next.
  5. In the Install Location page, click Next.
  6. In the Configure Ports page, click Next.
  7. In the Configure Customer Success Services Renewal page, click Install.
  8. In the Summary page, choose an option for sharing license server data with Citrix and then click Finish.

Upgrade License Server

Upgrade your Citrix License Server to 11.17.2.0 build 51000 if it isn’t already.

  1. Citrix now requires Licensing telemetry as described in CTX477614 Citrix License Telemetry FAQ. The build must be 40000 or newer and you must upgrade within 6 months of release.
  2. Go to the downloaded Citrix License 11.17.2.0 build 51000 and run CitrixLicensing.exe.

  3. If you see the Subscription Advantage Renewal page, make a selection, and click Next.
  4. In the Upgrade page, click Upgrade.
  5. If you log in to the Citrix Licensing Manager (:8083), the top of the page shows the version number 11.17.2.0 build 51000.

Citrix Licensing Manager

Newer versions of License Server come with a new management web site.

  1. From the Start Menu, run Citrix Licensing Manager. Or go to https://<My_Licensing_Server>:8083
  2. You might be prompted to login.

    • To eliminate this login, add the License Server URL to the Local Intranet zone.
  3. Licensing Manager might prompt you to register with Citrix Cloud. This is for the new automatic License Activation Service added in License Server build 51000. Alternatively, you can still use the Legacy method of activating licenses.

    1. On the Settings > Register page, click Register.
    2. You’ll see a screen with a registration code. Click the Copy button and then click Register to be taken to Citrix Cloud.
    3. The Register button in the Citrix License Server takes you to Identity and Access Management > API Access > Product Registrations. Click Register.
    4. Paste in the copied code and then click Continue.
    5. Click Register.
    6. Back in the on-premises Licensing Manager, it will eventually show as Registered.
    7. On the Usage & Statistics page, scroll down, and then click Upload now. This should cause data to upload to Citrix Cloud and show up in Citrix Cloud Licensing.
  4. Licensing Manager 11.17.2.0 build 43000 and newer has a Product Information tab showing you component versions.
  5. Licensing Manager has a Dashboard page that shows installed licenses.

    • The default view is for License Activation Service. Click the arrow next to a license to view expiration details. These licenses are activated for 30 days, and activation is automatically extended by the License Activation Service before the 30 days have passed. Multiple License Servers can be deployed for these same licenses. There is no enforcement of licensed limits.
    • There’s also an option for Citrix Licenses (Legacy) that is based on downloaded license files. These licenses can only be installed on one License Server. License quantities are enforced.
  6. If you click the gear icon on the top right…
  7. On the Account tab, you can add License Server Administrators.
  8. The Update Licenses tab lets you check for license renewals and download them.

Activate Citrix License

The easy way to install and activate a Citrix license using the Legacy method is through Citrix Web Studio. Alternatively, the License Activation Service can activate licenses automatically.

  1. In Web Studio, click the Licensing node.
  2. On the right, if you see a Log On button, click it and log on to the license server.
  3. Click More and then click Allocate License.
  4. Enter the license access code and click Show.
  5. Back in Web Studio, enter the License Access Code, click Show, and then click the Allocate licenses button at the bottom.

    • Another method of allocating licenses is in the Citrix Licensing Manager at https://MyLicenseServer:8083 > Install Licenses tab.
  6. After licenses are installed, click Edit Product Edition at the top of the Licensing page.
  7. Change the edition to match your licenses. If you see both Virtual Apps and Virtual Desktops licenses, you must select Virtual Desktops. If you see both Concurrent and User/Device, then you must select User/Device. Click Save when done.

  8. Citrix Virtual Apps and Desktops supports mixed licensing in a single site/farm. See the following:

License Server CEIP

Citrix License Server enables CEIP by default. This can be disabled:

  1. In the Citrix Licensing Manager (https://MyLicenseServer:8083) by clicking the gear icon.
  2. Switch to the Usage and Statistics tab and make a selection in the Share license server data with Citrix section.

Citrix License Server Monitoring

Citrix Licensing Manager has historical usage reporting:

  1. Run Citrix Licensing Manager from the Start Menu. Or use a browser to connect to https://MyLicenseServer:8083
  2. On the Historical Use tab, use the drop-down menus to select a license type, select dates, and export to a .csv file.
  3. At the bottom of this page is a link to change the retention period.

Jonathan Medd Monitor Citrix License Usage With PowerShell.

Lal Mohan – Citrix License Usage Monitoring Using Powershell

Remote Desktop Licensing Server

Install Remote Desktop Licensing Server

Do the following on your Delivery Controllers:

  1. In Server Manager, open the Manage menu, and click Add Roles and Features.
  2. In the Installation Type page, select Role-based or feature-based installation.
  3. Click Next until you get to the Server Roles page. Check the box next to Remote Desktop Services, and click Next.
  4. Click Next until you get to the Role Services page. Check the box next to Remote Desktop Licensing, and click Next.
  5. Click Add Features if prompted.
  6. Then finish the wizard to install the role service.

Activate Remote Desktop Licensing

  1. After RD Licensing is installed, in Server Manager, open the Tools menu, expand Terminal Services (or Remote Desktop Services), and click Remote Desktop Licensing Manager.
  2. The tool should find the local server. If it does not, right-click All servers, click Connect, and type in the name of the local server.
  3. Once the local server can be seen in the list, right-click the server and click Activate Server.
  4. In the Welcome to the Activate Server Wizard page, click Next.
  5. In the Connection Method page, click Next.
  6. In the Company Information page, enter the required information, and click Next.
  7. All of the fields on the Company Information page are optional, so you do not have to enter anything. Click Next.
  8. In the Completing the Activate Server Wizard page, uncheck the box next to Start Install Licenses Wizard now, and click Finish. Since the session hosts will be configured to pull Per User licenses, there is no need to install licenses on the RD Licensing Server.
  9. In RD Licensing Manager, right-click the server, and click Review Configuration.
  10. Ensure you have green check marks. If the person installing Remote Desktop Licensing does not have permissions to add the server to the Terminal Server License Servers group in Active Directory, ask a domain admin to do it manually. If you have the proper permissions, click Add to Group.
  11. Click Continue when prompted that you must have Domain Admins privileges.
  12. Click OK when prompted that the computer account has been added.
  13. Click OK to close the window.
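
The role installation and the group-membership check from the Review Configuration step can also be done from PowerShell. The script below is an added example, not the page author's code: it installs the Remote Desktop Licensing role service with its console, then checks whether this server is already a member of the Terminal Server License Servers group. It assumes an elevated session on the Delivery Controller and the ActiveDirectory RSAT module for the group lookup.

```powershell
# Added example (not the page author's code). Installs RD Licensing and verifies
# membership in the AD group that Review Configuration checks for.
Import-Module ServerManager

# RDS-Licensing is the role service; RDS-Licensing-UI is RD Licensing Manager.
$result = Install-WindowsFeature -Name RDS-Licensing, RDS-Licensing-UI
"Install result: $($result.ExitCode); restart needed: $($result.RestartNeeded)"

function Test-TsLicenseGroupMembership {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    # Computer objects are listed by name without the trailing $.
    $members = Get-ADGroupMember -Identity 'Terminal Server License Servers' -Recursive |
               Where-Object { $_.objectClass -eq 'computer' }
    [bool]($members | Where-Object { $_.Name -eq $ComputerName })
}

if (Test-TsLicenseGroupMembership) {
    "$env:COMPUTERNAME is a member of 'Terminal Server License Servers'"
} else {
    Write-Warning "$env:COMPUTERNAME is not in 'Terminal Server License Servers'; use Review Configuration > Add to Group, or ask a domain admin to add it"
}
```

Activation itself still goes through the Activate Server wizard above. Membership in the group is what lets domain-joined session hosts discover and use the license server, so the check is worth repeating after the server is renamed or moved between domains.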

Citrix Scout

Delivery Controller includes Citrix Scout, which can be launched from the Start Menu.

The tool can run a manual collection, run a trace, schedule periodic collection, or run a Health Check.

Health Check:

  1. When adding machines, you can select StoreFront or Windows VDA.
  2. When you select machines, it might tell you to enable PSRemoting.
  3. Winrm is usually not enabled on desktop machines. Login to the machine, open command prompt as administrator, and run winrm quickconfig. It’s also possible to use Group Policy to enable winrm.
  4. Go back to Citrix Scout and click Continue.
  5. Click Start Checking.
  6. You can click View Details to view the issues it found.

Collect:

  1. The wizard is identical to the Health Check wizard, except there’s another screen to upload the data.

  2. If you are using Citrix Cloud credentials, then you need to generate a token.
  3. After logging into Citrix Cloud, copy the token.
  4. Go back to Citrix Scout and paste the token. Click Continue.
  5. Click Start Upload.
  6. Click View Analysis.

Links with more information:

Citrix Virtual Apps and Desktops Health Check

Sacha Thomet’s Finally 1.0 – but never finalized!: the XenApp & XenDesktop 7.x Health Check script is now at version 1.0.

Pavan900 posted a PowerShell-based Health Check script at Citrix Studi – Colors for Maintenance Mode at Citrix Discussions.

Andrew Morgan – New Free Tool: Citrix Director Notification Service: The Citrix Director Notification service sits on an edge server as a service (or local to the delivery controller) and periodically checks the health of:

  • Citrix Licensing.
  • Database Connections.
  • Broker Service.
  • Core Services.
  • Hypervisor Connections.

And if any of these items fall out of bounds, an SMTP alert is sent to the mailbox of your choice for action. The tool will also send “All Clear” emails when these items are resolved, ensuring you are aware when the service has resumed a healthy state.

Related Pages

Citrix Director 2203 LTSR CU6

Last Modified: Feb 18, 2025 @ 5:36 pm

Director Licensing – Premium Edition

Here’s the list of Director features that require Premium Edition (aka Platinum Edition) licensing.

  • Up to a year’s worth of performance and usage data
    • Other editions keep up to 30 days of performance and usage data
  • Application Probing
  • Alerting, including SNMP integration
  • SCOM alerts
  • Single session OS (aka Desktop OS) and Multi-session OS (aka Server OS) usage reporting
  • Create customized reports
  • Reboot warnings
  • Citrix ADM integration – HDX Insight

See Citrix Docs Feature compatibility matrix for a list of which Director feature came with each version, and the licensing Edition needed for each feature.

Install/Upgrade Director 2203 CU6 on Standalone Server

Current Release vs LTSR – Director version 2203 is a Long Term Service Release, which is supported for 5 years from its release date in March 2022. Citrix Support might require you to install the latest Cumulative Update for 2203. CU6 (Cumulative Update 6) is the latest update for Director 2203.

Install on Delivery Controller? – The Citrix Virtual Apps and Desktops (CVAD) Delivery Controller metainstaller has an option to install Director on the Delivery Controller machine. Or you can install Director on separate, dedicated machines.

  • If Director will connect to multiple sites/farms, then install Director on its own servers.
  • For small environments, it might be OK to install Director on the Delivery Controller machines. Otherwise, Director is usually installed on separate machines.
  • Director is an IIS website. If you install Director, then IIS is also installed.

Director and Delivery Controller versions – Director 2203 supports Delivery Controllers 2112 and newer, and Delivery Controller 1912.

Installation guidance – For Director installation guidance, see the following:

Scripted install – To install and configure Director using a script, see Dennis Span Citrix Director unattended installation with PowerShell.

Manual installation – To install Director manually:

  1. Run AutoSelect.exe from the Citrix Virtual Apps and Desktops 2203 CU6 ISO.
  2. In the Extend Deployment section on the bottom left, click Citrix Director.
  3. In the Licensing Agreement page, select I have read, understand, and accept the terms, and click Next.
  4. In the Core Components page, click Next.
  5. In the Delivery Controller page, it will ask you for the location of one Delivery Controller in each site/farm. Only enter one Delivery Controller per site/farm. If you have multiple Director servers, each Director server can point to a different Delivery Controller in each farm.
    • From Citrix Docs: Director automatically discovers all other Delivery Controllers in the same Site and falls back to those other Delivery Controllers if the Controller you specified fails. Click Test Connection, and then click Add.
  6. You can optionally force SSL/TLS for the Monitoring service by following the instructions at Data Access Security at Citrix Developer Documentation. Also see CTX224433 Error: “Cannot Retrieve Data” on Citrix Director Dashboard After Securing OData Interface Through TLS.
  7. In the Features page, click Next.
  8. In the Firewall page, click Next.
  9. In the Summary page, click Install.
  10. A machine restart will probably be needed.
  11. After the restart, login.
    1. If you see a Locate ‘Citrix Virtual Apps and Desktops 7 LTSR’ installation media window, don’t click anything.
    2. Go to the Citrix_Virtual_Apps_and_Desktops_7_2203_5000.iso file and mount it.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7 LTSR’ installation media window.
    4. On the left, expand This PC, and click the DVD Drive.
    5. Click Select Folder.
    6. Installation will resume.
  12. In the Finish page, click Finish.
  13. In IIS Manager, go to Default Web Site > Director > Application Settings, find Service.AutoDiscoveryAddresses, and make sure it points to one Delivery Controller in the site/farm, and not to localhost. From Citrix Docs: Director automatically discovers all other Delivery Controllers in the same Site and falls back to those other Delivery Controllers if the Delivery Controller you specified fails.
  14. If you built multiple Director servers, use Citrix ADC to load balance them.
  15. If you are upgrading Director, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /upgrade to complete the upgrade process.
  16. Reconfigure the default domain in LogOn.aspx since upgrading overwrote your domain name configuration.
  17. For info on the new monitoring features in Director, see Use Director below.

Director Default Web Page

If Director is installed on a standalone server, do the following to set /Director as the default path. If Director and StoreFront are on the same server, then you’ll probably want StoreFront Receiver for Web as the default web page instead of Director.

  1. Open Notepad elevated (as administrator) and paste the following text:
    <script type="text/javascript">
    <!--
    window.location="https://director.corp.com/Director";
    // -->
    </script>
  2. Adjust the window.location line to match your FQDN.
  3. Select File > Save As and browse to the IIS web root folder (C:\inetpub\wwwroot by default).
  4. Change Save as type to All types.
  5. Type a file name with an .html extension, and click Save.
  6. Open IIS Manager.
  7. Select the SERVERNAME node (top-level), and double-click Default Document, as shown in the following screen shot:
  8. On the right, click Add….
  9. Enter the file name of the .html file you created in Step 5.
  10. Ensure the .html file is located at the top of the list as shown in the following screen shot:
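The same redirect page and default-document change, scripted. This is an added example, not a script from the page or from Citrix; it assumes the WebAdministration module (IIS 7 or newer), the default web root C:\inetpub\wwwroot, the hypothetical FQDN director.corp.com, and a hypothetical file name DirectorRedirect.html.

```powershell
# Added example: create the Director redirect page and register it as the first
# default document at the server level (the SERVERNAME node in IIS Manager).
# Assumptions: WebAdministration module, default web root, placeholder FQDN/file name.
Import-Module WebAdministration

$DirectorFqdn = 'director.corp.com'        # adjust to your FQDN (placeholder)
$WebRoot      = 'C:\inetpub\wwwroot'
$FileName     = 'DirectorRedirect.html'    # hypothetical file name

# Same content as the Notepad step above. The target is always https so the
# browser never posts the Director logon form over plain HTTP.
$Html = @"
<script type="text/javascript">
<!--
window.location="https://$DirectorFqdn/Director";
// -->
</script>
"@
Set-Content -Path (Join-Path $WebRoot $FileName) -Value $Html -Encoding ASCII

# Put the file at index 0 of the default document list unless it is already listed.
$Filter   = 'system.webServer/defaultDocument/files'
$Existing = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $Filter -Name 'Collection' |
            Select-Object -ExpandProperty value
if ($Existing -notcontains $FileName) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $Filter `
        -Name '.' -Value @{ value = $FileName } -AtIndex 0
}

# Show the resulting order; the new file should be first.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $Filter -Name 'Collection' |
    Select-Object -ExpandProperty value
```

Because the check reads the collection before adding, the script can be re-run safely after an IIS change without producing duplicate default-document entries.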

Director Spinning Circle

If the spinning circle doesn’t go away after you log in to Director, do the following to fix it:

  1. Edit the file C:\inetpub\wwwroot\Director\web.config using an elevated text editor.
  2. Search for <serviceHostingEnvironment (line 279).
  3. Add the following attribute:
    multipleSiteBindingsEnabled="true"

Also see CTX202564 Citrix Director Becomes Unresponsive after Submitting the Credentials when IIS X-Frame-Options is enabled

Director Domain Field

On the Director servers, locate and edit the ‘LogOn.aspx’ file. By default, you can find it at C:\inetpub\wwwroot\Director\Logon.aspx

Around line 472 you will find the following line. To locate it, search for ID="Domain".

<asp:TextBox ID="Domain" runat="server" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

In the ID="Domain" element, insert a Text attribute and set it to your domain name. Don’t change or add any other attributes. Save the file.

<asp:TextBox ID="Domain" runat="server" Text="Corp.local" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

This configuration prepopulates the domain field text box with your domain name and still allows the user to change it, if that should be required. Note: this only seems to work if Single Sign-on is disabled.

How to hide the domain from Director Logon Page:

  1. Edit the file C:\inetpub\wwwroot\Director\LogOn.aspx using an elevated text editor.
  2. Locate the tag which starts with: <asp:Label ID="DomainLabel"
  3. Immediately prior to that label, locate the tag: <div class='label eight'>
  4. Add the following before <div class='label eight'>: <div style='display:none'>
  5. Between </asp:TextBox> and <br />, add the following: </div>
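Both LogOn.aspx edits above (prepopulating the domain and hiding the field) as a script, so they can be re-applied after an upgrade overwrites the file. This is an added example, not the page’s or Citrix’s code; it assumes the default Director path and uses the hypothetical domain name corp.local.

```powershell
# Added example: script the LogOn.aspx domain edits described above.
# Assumptions: default Director path; corp.local is a placeholder domain.
$LogOnPath  = 'C:\inetpub\wwwroot\Director\LogOn.aspx'
$DomainName = 'corp.local'
$HideDomain = $true    # also wrap the domain label and text box in a hidden div

# Keep a timestamped copy so the edit can be backed out.
Copy-Item -Path $LogOnPath -Destination "$LogOnPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
$Content = Get-Content -Path $LogOnPath -Raw

# 1. Prepopulate the Domain text box: insert Text="..." after ID="Domain" runat="server",
#    or update an existing Text attribute. No other attribute is touched.
$DomainBox = '<asp:TextBox ID="Domain" runat="server"'
if (-not $Content.Contains($DomainBox)) {
    throw "Domain text box not found in $LogOnPath; check the file layout before editing."
}
$WithText = [regex]::Escape($DomainBox) + ' Text="[^"]*"'
if ($Content -match $WithText) {
    $Content = $Content -replace $WithText, "$DomainBox Text=`"$DomainName`""
} else {
    $Content = $Content.Replace($DomainBox, "$DomainBox Text=`"$DomainName`"")
}

# 2. Optionally hide the field: open <div style='display:none'> before the
#    <div class='label eight'> that precedes DomainLabel (steps 3-4), and close it
#    between the Domain text box's </asp:TextBox> and the following <br /> (step 5).
$HideOpen   = "<div style='display:none'>"
$LabelStart = "<div class='label eight'>\s*<asp:Label ID=`"DomainLabel`""
if ($HideDomain -and $Content -notmatch ([regex]::Escape($HideOpen) + '\s*' + $LabelStart)) {
    $Content = $Content -replace "($LabelStart)", ($HideOpen + '$1')
    $Content = $Content -replace '(?s)(<asp:TextBox ID="Domain".*?</asp:TextBox>)(\s*<br />)', '$1</div>$2'
}

Set-Content -Path $LogOnPath -Value $Content -Encoding UTF8
```

The script refuses to run if the Domain text box is not where the page says it is, and it skips the hide step when the hidden div is already present, so running it twice leaves the file unchanged.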

Director Tweaks

Session timeout

By default, the Director idle session timeout is 245 minutes. To change the timeout:

  1. Log on to the Director Server as an administrator
  2. Open the ‘IIS Manager’
  3. Browse to ‘Sites > Default Web Site > Director’ in the left hand pane.
  4. Open ‘Session State’ in the right hand pane.
  5. Change the ‘Time-out (in minutes)’ value under ‘Cookie Settings’
  6. Click ‘Apply’ in the Actions list
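The Spinning Circle web.config fix and the session timeout change above, scripted. This is an added example rather than the page’s own procedure; it assumes the default Director path and site name, and uses a hypothetical timeout of 60 minutes.

```powershell
# Added example: apply the multipleSiteBindingsEnabled fix and the session
# timeout from the sections above. Assumptions: default paths; 60 minutes is a
# placeholder value.
Import-Module WebAdministration
$DirectorPath   = 'IIS:\Sites\Default Web Site\Director'
$WebConfig      = 'C:\inetpub\wwwroot\Director\web.config'
$TimeoutMinutes = 60

# 1. Spinning circle: add multipleSiteBindingsEnabled="true" to
#    <serviceHostingEnvironment>. system.serviceModel is a .NET section, so edit
#    the XML directly instead of going through the IIS configuration system.
Copy-Item -Path $WebConfig -Destination "$WebConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
[xml]$Xml = Get-Content -Path $WebConfig -Raw
$ServiceModel = $Xml.SelectSingleNode('/configuration/system.serviceModel')
if ($null -eq $ServiceModel) { throw "system.serviceModel not found in $WebConfig" }
$Hosting = $ServiceModel.SelectSingleNode('serviceHostingEnvironment')
if ($null -eq $Hosting) {
    $Hosting = $Xml.CreateElement('serviceHostingEnvironment')
    $ServiceModel.AppendChild($Hosting) | Out-Null
}
$Hosting.SetAttribute('multipleSiteBindingsEnabled', 'true')
$Xml.Save($WebConfig)

# 2. Session timeout: the "Time-out (in minutes)" cookie setting in IIS Manager is
#    system.web/sessionState @timeout, which IIS stores as a TimeSpan.
$Timeout = [TimeSpan]::FromMinutes($TimeoutMinutes).ToString()   # e.g. 01:00:00
Set-WebConfigurationProperty -PSPath $DirectorPath -Filter 'system.web/sessionState' `
    -Name 'timeout' -Value $Timeout

# Read both values back.
([xml](Get-Content -Path $WebConfig -Raw)).configuration.'system.serviceModel'.serviceHostingEnvironment.multipleSiteBindingsEnabled
Get-WebConfigurationProperty -PSPath $DirectorPath -Filter 'system.web/sessionState' -Name 'timeout'
```

A shorter timeout limits how long an unattended Director session stays usable; the page’s 245-minute default is generous for an administrative console, so pick the smallest value your help desk can live with.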

SSL Check

If you are not securing Director with an SSL certificate you will get this error at the logon screen.

To stop this:

  1. Log on to the Director Server as an administrator
  2. Open the ‘IIS Manager’
  3. Browse to ‘Sites > Default Web Site > Director’ in the left hand pane.
  4. Open ‘Application Settings’ in the right hand pane.
  5. Set UI.EnableSslCheck to false.

Disable Activity Manager

From Disable the visibility of running applications in the Activity Manager in Advanced Configuration at Citrix Docs: By default, the Activity Manager in Director displays a list of all the running applications and the Windows description in the title bars of any open applications for the user’s session. This information can be viewed by all administrators that have access to the Activity Manager feature in Director. For Delegated Administrator roles, this includes Full administrator, Delivery Group administrator, and Help Desk Administrator.

To protect the privacy of users and the applications they are running, you can disable the Applications tab from listing running applications.

  • On the VDA, modify the registry key located at HKLM\Software\Citrix\Director\TaskManagerDataDisplayed. By default, the key is set to 1. Change the value to 0, which means the information will not be displayed in the Activity Manager.
  • On the server with Director installed, modify the setting that controls the visibility of running applications. By default, the value is true, which allows visibility of running applications in the Applications tab. Change the value to false, which disables visibility. This option affects only the Activity Manager in Director, not the VDA. Modify the value of the following setting:
    UI.TaskManager.EnableApplications = false
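The two Activity Manager settings above applied with PowerShell. This is an added example, not Citrix’s code; the VDA names are constructed placeholders, WinRM is assumed to be enabled on them, and Director is assumed to use the default site path.

```powershell
# Added example: disable Activity Manager application visibility on the VDAs
# (the source of the data) and in the Director UI. Assumptions: placeholder VDA
# names, WinRM reachable, default Director site path.
$Vdas = 'VDA01', 'VDA02'

# VDA side: TaskManagerDataDisplayed = 0. The key may not exist yet, so create it,
# then read the value back so each machine reports what it now has.
Invoke-Command -ComputerName $Vdas -ScriptBlock {
    $Key = 'HKLM:\Software\Citrix\Director'
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name 'TaskManagerDataDisplayed' -Value 0 -Type DWord
    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        TaskManagerDataDisplayed = (Get-ItemProperty -Path $Key).TaskManagerDataDisplayed
    }
} | Format-Table -AutoSize

# Director side: this only hides the Applications tab contents in Director; the
# VDA setting above is what stops the data from being collected.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\Director' `
    -Filter "appSettings/add[@key='UI.TaskManager.EnableApplications']" -Name 'value' -Value 'false'
```

For a fleet of VDAs, the registry part is better delivered as a Group Policy Preference registry item on the VDA OU; the Invoke-Command form is handy for confirming that the value actually landed on each machine.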

Large Active Directory / Multiple Forests

From CTX133013 Desktop Director User Account Search Process is Slow or Fails: By default, all the Global Catalogs for the Active Directory Forest are searched using Lightweight Directory Access Protocol (LDAP). In a large Active Directory environment, this query can take some time or even time out.

If multiple forests, see Citrix Blog Post Using Citrix Director in a MultiForest Environment.

  1. In Internet Information Server (IIS) Management, under the Desktop Director site, select Application Settings and add a new value called Connector.ActiveDirectory.ForestSearch. Set it to False. This disables searching any domain except the user’s domain and the server’s domain.
  2. To search more domains, add the searchable domain or domains in the Connector.ActiveDirectory.Domains field.

Site Groups

From Citrix Blog Post Citrix Director 7.6 Deep-Dive Part 4: Troubleshooting Machines:

If there are a large number of machines, the Director administrator can configure site groups so that a machine search can be narrowed to one site group. Create the site groups on the Director server by running the configuration tool from the command line:

C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /createsitegroups

Then provide a site group name and IP address of the delivery controller of the site to create the site group.

Director Configuration Script

Johan Greefkes at Script for configuring Director at Citrix Discussions was kind enough to provide a script that does the following:

  • Sets the Delivery Controllers that Director communicates with
  • Disables SSL Check
  • Sets Logon.aspx file to default to a domain name
  • Adds a footer that displays the name of the Director server

The same DirectorReconfigureWithLogonMod.ps1 script seems to be available at Citrix’s Github\Powershell-Scripts repository.

Director – Saved Filters

In Director, you can create a filter and save it.

The saved filter is then accessible from the Filters menu structure.

The saved filters are stored on each Director server at C:\Inetpub\wwwroot\Director\UserData. Each user has their own saved filters. The saved filters are not replicated across multiple Director servers.

You can instead configure multiple Director servers to store the filters on a shared UNC path:

  1. Create and share a folder (e.g. DirectorData).
  2. The Director server computer accounts need Modify permission to the share.
  3. On each Director server, run IIS Manager.
  4. Go to Sites > Default Web Site > Director. In the middle, double-click Application Settings.
  5. Change the Service.UserSettingsPath setting to the UNC path of the new share.
  6. Repeat this on other load balanced Director servers.

Director and HDX Insight

You can connect Director to Citrix Application Delivery Management (ADM) to add Network tabs to Director’s Trends and Machine Details views. See Citrix Blog Post Configure Director with NetScaler Management & Analytics System (MAS).

Director Grooming

If Citrix Virtual Apps and Desktops (CVAD) is not Premium Edition, then all historical Director data is groomed at 30 days.

For Citrix Virtual Apps and Desktops (CVAD) Premium Edition, by default, most of the historical Director data is groomed at 90 days. This can be adjusted up to 367 days by running a PowerShell cmdlet.

  1. On a Delivery Controller, run Get-MonitorConfiguration to see the current grooming settings.
  2. Run Set-MonitorConfiguration to change the grooming settings.
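A worked version of the two steps above that raises session and failure retention to the 367-day maximum the page quotes. This is an added example, not the page’s or Citrix’s code; it assumes it runs on a Delivery Controller with the Citrix PowerShell snap-ins, and the parameter names GroomSessionsRetentionDays and GroomFailuresRetentionDays are assumed to match the properties that Get-MonitorConfiguration prints, which is why the script checks them against the cmdlet before applying anything.

```powershell
# Added example: inspect and raise Monitor Service grooming retention.
# Assumptions: run on a Delivery Controller; parameter names are assumed and are
# validated against Set-MonitorConfiguration before use.
Add-PSSnapin Citrix.*

$MaxDays = 367                     # upper limit quoted for Premium Edition
$Desired = @{
    GroomSessionsRetentionDays = 367
    GroomFailuresRetentionDays = 367
}

'Current grooming settings:'
Get-MonitorConfiguration | Select-Object -Property Groom*RetentionDays | Format-List

# Build the parameter set from what this version of the cmdlet actually accepts,
# and refuse anything above the supported maximum.
$Supported = (Get-Command -Name Set-MonitorConfiguration).Parameters.Keys
$Params = @{}
foreach ($Name in $Desired.Keys) {
    if ($Desired[$Name] -gt $MaxDays) { throw "$Name cannot exceed $MaxDays days" }
    if ($Supported -contains $Name) {
        $Params[$Name] = $Desired[$Name]
    } else {
        Write-Warning "$Name is not a Set-MonitorConfiguration parameter here; skipping it"
    }
}
if ($Params.Count -gt 0) { Set-MonitorConfiguration @Params }

'New grooming settings:'
Get-MonitorConfiguration | Select-Object -Property Groom*RetentionDays | Format-List
```

Longer retention grows the Monitoring database, so watch its size after the change; the Data granularity and retention page linked below describes which tables the raw and aggregated data land in.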

More details on Monitor Service data aggregation and retention can be found at Data granularity and retention at Citrix Docs.

Director Single Sign-on

You can configure Director to support Integrated Windows Authentication (Single Sign-on). Note: there seem to be issues when not connecting from the local machine or when connecting through a load balancer.

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu), or from the Start Menu, or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle, double-click Authentication in the IIS section.
  4. Right-click Windows Authentication and Enable it.
  5. Right-click Anonymous Authentication, and Disable it.
  6. Pass-through auth won’t work from another computer until you set the http SPN for the Director server. See Director 7.7 Windows Authentication not working with NS LB at Citrix Discussions.
  7. If Director is not installed on a Delivery Controller, then you’ll need to configure Kerberos delegation.
  8. If you are load balancing Director then additional config is required. See Director 7.7 Windows Authentication not working with NS LB at Citrix Discussions for more info.
    1. The FQDN for Director load balancing should be different than the FQDN for StoreFront load balancing.
    2. Create an AD service account that will be used as the Director’s ApplicationPoolIdentity.
    3. Create SPN and link it to the service account.
      setspn -S http/loadbalanced_URL domain\user
    4. Trust the user account for delegation to any service (Kerberos only). Trusting the Director server computer accounts for delegation is not necessary in this case. The Delegation tab is only available once the account has an SPN, so complete step 3 first.
    5. In IIS Manager, on the Director application pool, set the Identity to the user created in step 2.
    6. In IIS manager, expand Default Web Site, select Director, and open the Configuration Editor (bottom of the middle pane).
    7. Use the drop-down to navigate to the following section: system.webServer/security/authentication/windowsAuthentication
    8. Set useAppPoolCredentials = True, and useKernelMode = False. Click Apply on the top right.
  9. When you connect to Director you will be automatically logged in. You can change the login account by first logging off.
  10. Then change the drop-down to User credentials.
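The load-balanced Director single sign-on setup from the steps above as a script. This is an added example, not the page’s or Citrix’s code; it assumes the ActiveDirectory and WebAdministration modules are available, that the Director application pool is named Director, and the FQDN, service account and domain are placeholders.

```powershell
# Added example: Kerberos SSO for load-balanced Director (steps 1-8 above).
# Assumptions: AD and WebAdministration modules; app pool named "Director";
# placeholder FQDN and service account.
Import-Module ActiveDirectory
Import-Module WebAdministration

$DirectorFqdn   = 'director.corp.local'       # load-balanced FQDN; must differ from StoreFront's
$ServiceAccount = 'CORP\svc-director'         # AD account used as the app pool identity
$Credential     = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
$AppPool        = 'IIS:\AppPools\Director'
$DirectorApp    = 'Default Web Site/Director'
$AuthBase       = 'system.webServer/security/authentication'

# Step 3: register the HTTP SPN on the service account. -S refuses duplicates.
setspn -S "http/$DirectorFqdn" $ServiceAccount

# Step 4: trust the account for delegation to any service, Kerberos only.
# The SPN must exist before this flag can be set.
$SamAccountName = $ServiceAccount.Split('\')[-1]
Set-ADUser -Identity $SamAccountName -TrustedForDelegation $true

# Step 5: run the Director application pool as the service account.
Set-ItemProperty -Path $AppPool -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $ServiceAccount
    password     = $Credential.GetNetworkCredential().Password
}

# Windows Authentication on, Anonymous off (steps 4-5 of the main list). These
# sections are locked at the server level, so write them with -Location.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $DirectorApp `
    -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $DirectorApp `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false

# Steps 6-8: use the app pool account's credentials (whose SPN clients request)
# instead of the machine account, and turn off kernel-mode authentication.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $DirectorApp `
    -Filter "$AuthBase/windowsAuthentication" -Name useAppPoolCredentials -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $DirectorApp `
    -Filter "$AuthBase/windowsAuthentication" -Name useKernelMode -Value $false

# Verify: SPNs on the account, and the effective authentication settings.
setspn -L $SamAccountName
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $DirectorApp -Filter "$AuthBase/windowsAuthentication" |
    Select-Object enabled, useAppPoolCredentials, useKernelMode
```

Step 4 as the page describes it is unconstrained delegation: an account with that flag can obtain tickets to any Kerberos service on behalf of every user who authenticates to Director, so treat the service account as privileged (unique strong password, no interactive logon rights, logon activity monitored). Constrained delegation limited to the Delivery Controllers’ services is the tighter alternative and is worth testing in your environment before settling on the any-service option.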

Director – Multiple Citrix Virtual Apps and Desktops (CVAD) Sites/Farms

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu, or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle pane, double-click Application Settings.
  4. Find the entry for Service.AutoDiscoveryAddresses and double-click it.
  5. If Director is installed on a Delivery Controller, then localhost should already be entered.
  6. Add a comma and the NetBIOS name of one of the Delivery Controllers in the 2nd Citrix Virtual Apps and Desktops Site (farm). Only enter one Delivery Controller name. If you have multiple Director servers, you can point each Director server to a different Delivery Controller in the 2nd Citrix Virtual Apps and Desktops Site (farm).
    1. From Citrix Docs: Director automatically discovers all other Delivery Controllers in the same Site and falls back to those other Delivery Controllers if the Delivery Controller you specified fails.
    2. You can optionally force SSL/TLS for the Monitoring service by following the instructions at Data Access Security at Citrix Developer Documentation. Also see CTX224433 Error: “Cannot Retrieve Data” on Citrix Director Dashboard After Securing OData Interface Through TLS.
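The Director application settings that the SSL Check, Large Active Directory / Multiple Forests, Saved Filters and Multiple Sites sections above change by hand, driven by one small helper. This is an added example, not the page’s or Citrix’s code; it assumes the default site path, and the Delivery Controller names, domains and UNC share are constructed placeholders. The helper adds a key when it does not exist yet (the page notes Connector.ActiveDirectory.ForestSearch must be added) and updates it otherwise.

```powershell
# Added example: set Director appSettings keys from the sections above.
# Assumptions: default site path; all server/domain/share names are placeholders.
Import-Module WebAdministration
$DirectorPath = 'IIS:\Sites\Default Web Site\Director'

function Get-DirectorAppSetting {
    param([Parameter(Mandatory)][string]$Key)
    $Attr = Get-WebConfigurationProperty -PSPath $DirectorPath `
        -Filter "appSettings/add[@key='$Key']" -Name 'value' -ErrorAction SilentlyContinue
    if ($null -ne $Attr) { $Attr.Value }
}

function Set-DirectorAppSetting {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    if ($null -eq (Get-DirectorAppSetting -Key $Key)) {
        # Key absent: append a new <add key="..." value="..."/> element.
        Add-WebConfigurationProperty -PSPath $DirectorPath -Filter 'appSettings' -Name '.' `
            -Value @{ key = $Key; value = $Value }
    } else {
        Set-WebConfigurationProperty -PSPath $DirectorPath `
            -Filter "appSettings/add[@key='$Key']" -Name 'value' -Value $Value
    }
}

# Multiple sites: one Delivery Controller per site, comma-separated. Keep localhost
# only when Director is installed on a Delivery Controller.
Set-DirectorAppSetting -Key 'Service.AutoDiscoveryAddresses' -Value 'DDC01,BRANCHDDC01'

# Large AD: stop searching every Global Catalog; list extra domains explicitly.
Set-DirectorAppSetting -Key 'Connector.ActiveDirectory.ForestSearch' -Value 'False'
Set-DirectorAppSetting -Key 'Connector.ActiveDirectory.Domains' -Value 'corp.local,branch.local'

# Saved filters on a share so load-balanced Director servers see the same filters.
# The Director computer accounts need Modify on this share.
Set-DirectorAppSetting -Key 'Service.UserSettingsPath' -Value '\\fileserver\DirectorData'

# SSL check: turning this off only silences the logon-page warning; it does not
# secure anything. Bind a certificate to the site instead wherever possible.
# Set-DirectorAppSetting -Key 'UI.EnableSslCheck' -Value 'false'

# Read back what was changed.
foreach ($Key in 'Service.AutoDiscoveryAddresses', 'Connector.ActiveDirectory.ForestSearch',
                 'Connector.ActiveDirectory.Domains', 'Service.UserSettingsPath') {
    '{0} = {1}' -f $Key, (Get-DirectorAppSetting -Key $Key)
}
```

Because these keys live in Director’s web.config, an upgrade can reset them; keeping the calls in a script you re-run after each CU makes the drift visible in the read-back at the end.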

Director Process Monitoring

Director has Process Monitoring, which is detailed in Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.

Process Monitoring is disabled by default. To enable it, configure the Enable process monitoring setting in a Citrix Policy. For Citrix Policies in a GPO, find this setting in the computer half of the GPO. Note: this setting could significantly increase the size of the Monitoring database.

Director Alerts and Notifications

Director supports alert conditions and email notifications. This feature requires Citrix Virtual Apps and Desktops (CVAD) to be licensed with Premium Edition. See Citrix Blog Post Configuring & Managing Alerts and Notifications Using Director for more information.

For CPU, Memory, and ICA RTT alerts, see Citrix Blog Post 7 New Categories in Director for Proactive Notifications & Alerts.

Director supports Hypervisor Alerts from vSphere and Citrix Hypervisor. The alerts are configured in the hypervisor (e.g., vCenter). When triggered, the hypervisor alerts can be viewed in Director. Director can send email notifications when hypervisor alerts are triggered.

  • Hypervisors can generate many alerts but Director does not have a bulk method of clearing those alerts. Citrix wrote a PowerShell script named DismissAlerts.ps1 that runs a SQL query to clear the Hypervisor alerts.

To configure alerts in Director:

  1. While logged into Director, at the top of the page, click the Alerts button.
  2. Switch to the Email Server Configuration tab.
  3. Enter your SMTP information and click Send Test Message. Then click Save.
  4. Switch to the Citrix Alerts Policy tab.
  5. There are four high-level categories of alerts: Site Policy, Delivery Group Policy, Multi-session OS Policy (aka Server OS Policy), and User Policy. Click whichever one you want to configure.
  6. Director has built-in alert policies. All you need to do is add notification email addresses to the built-in policies.
  7. In the Site Policy tab, click Edit for the built-in Hypervisor Health policy.
    1. On the bottom right, in the Notification preferences section, click Add.
    2. Enter an email address and then click Add.
    3. Click Done when done.
    4. On the bottom, click the Save button.
  8. On the Delivery Group Policy tab, find the built-in Smart Alert and then click Edit. Note: this Smart Alert might not appear until you create a Delivery Group in Citrix Studio.
    1. Notice the Conditions that are already enabled. You can change them or add more.
    2. On the bottom right, in the Notification preferences section, click Add.
    3. Enter an email address and click Done.
    4. On the bottom, click Save.
  9. You can create custom Alert Policies by clicking the Create button on any of these tabs.
  10. For Multi-session OS Policy (aka Server OS Policy) and User Policy, there are ICA RTT alerts.
  11. You can configure alerts to generate an SNMP trap. This is configured in PowerShell as described at Developer Docs.
    Set-MonitorNotificationSnmpServerConfiguration        #see Docs for parameter details
    Set-MonitorNotificationPolicy -IsSnmpEnabled $true -Uid <Policy ID>
  12. Citrix has an experimental Desktop Notification Tool. See Citrix Blog Post Desktop Notification Tool For Citrix XenDesktop.

Director – StoreFront Probes

If you are licensed for Premium Edition, then you can install probe agents on remote machines and the probe agents can periodically check if an application can be launched through StoreFront.

Custom Studio Role for Probe Administrator

  1. Create a new user account just for probe administration (e.g., CORP\ProbeAdmin).
  2. In Citrix Studio, at Configuration > Administrators, on the Roles tab, create a new Role with the permissions shown below.
    • Delivery Groups > Read-only
    • Director > Create\Edit\Remove Alert Email Server Configuration
    • Director > Create\Edit\Remove Probe Configurations
    • Director > View Applications page
    • Director > View Configurations page
    • Director > View Trends page
  3. On the Administrators tab, add an administrator, select your ProbeAdmin account, and assign it the custom Probe Administrator role that you just created.

StoreFront HTTP Basic Authentication

  1. In StoreFront Console, right-click your Store, and click Manage Authentication Methods.
  2. Check the box next to HTTP Basic, and click OK.

Install Probe Agent

To automate the installation and configuration of the Probe Agent, see CTA Dennis Span Citrix Application Probe Agent unattended installation.

On one or more remote machines, download and install the Probe Agent.

  1. Download the Citrix Application Probe Agent 2103. Find it on the CVAD 2203 Premium Components downloads page after expanding Components that are on the Component ISO but also packaged separately.
  2. On a physical machine in a remote office, install Workspace app if it isn’t installed already.
  3. Run the downloaded CitrixAppProbeAgent_2103.msi.
  4. In the Welcome to the Citrix Probe Agent Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install Citrix Probe Agent page, click Install.
  8. In the Completed the Citrix Probe Agent Setup Wizard page, click Finish.
  9. Apps & features or Programs and Features shows the Citrix Probe Agent version as 2103.1.0.0.

Configure Probe Agent

  1. Every Probe Agent machine should have unique StoreFront test user credentials. Create unique accounts for each machine.
  2. From the Start Menu of the remote machine, launch Citrix Probe Agent.
  3. Click Start.
  4. In the Configure Workspace Credentials page, enter the StoreFront Receiver for Web URL, or enter a Citrix Gateway URL.
    • For Gateway, the Gateway Virtual Server must be configured with RfWebUI theme. Other themes, like X1 theme, do not work.
  5. Enter the username and password for the probe user for this machine.
  6. Click Next.
  7. In the Configure to Display Probe Result page, enter the URL to Director. Make sure you include /Director at the end of the URL.
  8. Enter the Probe Admin credentials and click Validate.
  9. Select a Site (farm) if there’s more than one.
  10. Click Next.
  11. In the View Summary page, you may close the window.
  12. Login to Director as the Probe Admin account.
  13. On the top middle, click the Configuration button.
  14. At the top of the page, select either Application Probe, or Desktop Probe.
  15. Click Create Probe.
  16. In the Create Probe page:
    1. Give the probe configuration a name.
    2. Select one or more Applications or Desktops to test.
    3. Select the registered Probe Agent machine(s) to run the probe from.
    4. Enter an email address for probe result notifications.
    5. Select one time per day to run the probe. You can create multiple probe configurations to run the probe multiple times per day.
  17. Click Save.
  18. To edit a probe configuration later, go back to the Configuration page, select the configuration, and click the Edit link.
  19. The probe configurations are stored in the Monitoring database, so there shouldn’t be any concerns with load balancing of Director.
  20. To view the probe results, on the top, click Trends. Then switch to the Probe Results tab. This page seems to not tell you anything more than if the probe was successful or not.

Director – SCOM Integration

Director can display alerts from System Center Operations Manager (SCOM) 2012 or newer. This feature requires Citrix Virtual Apps and Desktops (CVAD) Premium Edition.

  1. See Configure SCOM integration at Citrix Docs for detailed configuration instructions. Also see Marius Sandbu Integrating Citrix XenDesktop 7.7 and System Center Operations Manager.
  2. On Director server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /configscom
  3. FYI, the DirectorConfig.exe /configscom command enables the following features on the Director server: /FeatureName:IIS-NetFxExtensibility45 /FeatureName:IIS-ASPNET45 /FeatureName:WCF-HTTP-Activation45
  4. FYI, the System Center Operations Manager server is listed in IIS Manager at Default Web Site > Director > Application Settings (middle pane) > Connector.SCOM.ManagementServer.
  5. On the System Center Operations Manager server, edit the Remote Management Users local group, and then add Citrix Admins and other Director users.
  6. In System Center Operations Manager Console, go to Administration > User Roles and edit Operations Manager Operators. Add the Citrix Admins, and other Director users.
  7. See Citrix Blog Post SCOM Alerts in Citrix Director for information on how to view System Center Operations Manager alerts in Director.

Director – Custom Reports

In Director, in the Trends view, there’s a Custom Reports tab that guides you through creating a custom OData Query. This tab only appears if you have Citrix Virtual Apps and Desktops (CVAD) Premium Edition.

The Monitoring database contains more data than is exposed in Director. To view this data, the Monitoring service has an OData Data Feed that can be queried.

Use Director

The newer Director features usually require Delivery Controllers and VDAs to be at the same version or newer than Director. Director depends on the Monitoring Service that is built into the Delivery Controller. The Monitoring Service gathers data from the VDAs.

See Site Analytics at Citrix Docs.

See the various Troubleshoot topics at Citrix Docs.

Server OS is renamed to Multi-session OS. Desktop OS is renamed to Single session OS.

Analytics button lets you upload Director data to Citrix Cloud Performance Analytics. See Configuring on-premises Sites with Citrix Analytics for Performance at Citrix Docs.

The Trends views got a face lift.

Session Auto Reconnects

  • At Trends > Sessions, on the bottom is Session Details. Director also shows you the number of Session Auto Reconnects.
  • If you click the number, you’ll see more info on the reconnect. Note: it might take a few minutes for the reconnect status to appear in Director.

Workspace App Session Startup breakdown

  • After searching for a user and selecting a session, click Details on the top right.
  • Scroll down and you’ll see the Session Startup section with a new Workspace App Session Startup sub-section.

Profile Load Drilldown

  • In a Session Details screen, scroll down to the Logon Duration panel. Hover your mouse over the Profile Load bar and then click Detailed Drilldown. You see the size of profile, and the size of the Folders inside the profile.
  • By default, all folder names are visible. To hide the folder names, add a registry value on the VDA machines:
    • Key = HKEY_LOCAL_MACHINE\Software\Citrix\Director\
      • DWORD Value ProfileFoldersNameHidden = 1

RDS Licensing status

  • The Machine Details panel shows the status of RDS Licensing for Multi-session OS (aka Server OS, aka RDSH) VDAs.

GPO Duration Drilldown

Interactive Session drilldown

  • In the Logon Duration panel, hover your mouse over the Interactive Session bars to see this phase broken down. More info at Diagnose user logon issues at Citrix Docs.

Export of Filter Views to CSV file

  • Open one of the Filter Views. Then click the Export button in the top right.

Health Assistant link

  • In Director, you can view the details of a VDA machine (instead of a user session). If the machine is unregistered, then there’s a link to Health Assistant, which opens Troubleshoot machines at Citrix Docs.

Application Analytics

Citrix Blog Post – Citrix Director 7.16 Can Now Shadow Linux App & Desktop

For one-way trusts, see Citrix Blog Post Citrix Director Supports Domain local groups in XenApp & XenDesktop 7.16!

Citrix Monitor Service API

  • The Monitor Service API uses the Open Data (OData) protocol, which is a Web protocol for querying and updating data, built upon Web technologies such as HTTP. You can use the API to:
    • Analyze historical trends for future planning
    • Perform detailed troubleshooting of connection and machine failures
    • Extract information for feeding into other tools and processes; for example, using Microsoft Excel’s PowerPivot tables to display the data in different ways
    • Build a custom user interface on top of the data that the API provides
    • Run aggregation queries with the OData Version 4 endpoints to get basic grouping and aggregation functionality.
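A query against the Monitor Service OData v4 feed, the same data source behind the Custom Reports tab described earlier. This is an added example, not the page’s or Citrix’s code; it assumes a Delivery Controller named ddc01.corp.local (placeholder), that the caller is a Citrix administrator authenticating with Windows credentials, and that the entity and property names used (Sessions, StartDate, LogOnDuration, and the User and Machine navigation properties) match the Monitor Service schema; confirm them against the feed’s $metadata document on your own site before relying on the report.

```powershell
# Added example: pull recent sessions from the Monitor Service OData v4 feed and
# list the slowest logons. Assumptions: placeholder DDC name; entity/property
# names assumed from the Monitor Service schema (check $metadata).
$Ddc     = 'ddc01.corp.local'
$BaseUrl = "http://$Ddc/Citrix/Monitor/OData/v4/Data"   # use https if you secured OData with TLS
$Since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

function Invoke-MonitorQuery {
    param([Parameter(Mandatory)][string]$Query)
    # Follow @odata.nextLink so paged results come back in full.
    $Url  = "$BaseUrl/$Query" -replace ' ', '%20'
    $Rows = @()
    while ($Url) {
        $Page = Invoke-RestMethod -Uri $Url -UseDefaultCredentials -Headers @{ Accept = 'application/json' }
        $Rows += $Page.value
        $Url   = $Page.'@odata.nextLink'
    }
    return $Rows
}

# Sessions started in the last 7 days, with the user and machine expanded.
$Sessions = Invoke-MonitorQuery -Query ('Sessions?$filter=StartDate ge {0}&$expand=User,Machine' -f $Since)

# Slowest logons first. LogOnDuration is reported in milliseconds.
$Sessions |
    Where-Object { $null -ne $_.LogOnDuration } |
    Sort-Object -Property LogOnDuration -Descending |
    Select-Object -First 20 -Property @{ n = 'User';         e = { $_.User.UserName } },
                                      @{ n = 'Machine';      e = { $_.Machine.Name } },
                                      StartDate,
                                      @{ n = 'LogonSeconds'; e = { [math]::Round($_.LogOnDuration / 1000, 1) } } |
    Format-Table -AutoSize
```

The feed honours the same Studio delegated-administration scopes as Director, so a help-desk account sees only its own Delivery Groups; run the query with the least-privileged administrator that still returns the data you need.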

Citrix Hypervisor Console access:

  • Troubleshoot machines at Citrix Docs details the Console access to VDAs running on Citrix Hypervisor 7.3 and newer.

CTX223927 How to use Director to troubleshoot application launch errors. This feature is configured in Citrix Policy Settings located in the Computer half at Virtual Delivery Agent Settings > Monitoring. Also see Citrix Blog Post Application Related Session Failure Reporting in Citrix Director 7.15.

CTX223928 How to use Director to monitor storage performance.

Citrix Blog Post Citrix Director Now Provides Disk Usage Information!:

  • IOPS and disk latency data is enabled by default.
  • IOPS and disk latency data is pushed to the database from each VDA at a 1-hour interval.
  • Approximately 276 KB of disk space is required to store the CPU, memory, IOPS and disk latency data for one VDA over a period of one year.

CTX223925 How to use Director to monitor NVIDIA GPU usage.

Citrix Director has an Application Instances tab on the Filters page that lets you filter published application sessions based on Session Idle Time (RDS sessions only), Application Name, and all other existing fields, like machine name, and so on. Requires Premium Edition licensing. See Citrix Blog Post Monitoring Idle Applications and Sessions in Citrix Director. See Troubleshoot applications at Citrix Docs.

If the idle time column shows n/a, then you need to wait 10-15 minutes.

In Director, the Session Details panel can show if Enlightened Data Transport (EDT, aka HDX on UDP) is enabled in the user’s session. See Citrix Blog Post HDX Adaptive Transport Protocol Monitoring via Director.

CTP George Spiers has a comprehensive guide of all Director 7.16 features at http://www.jgspiers.com/citrix-director/.

For Connection Failure Details, see CTX223812 Citrix Director Failure Codes.

Process Monitoring is detailed in Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.

Logon Duration improvements.

Citrix Blog Post Interactive Session of Logon Duration in Citrix Director – Explained: Interactive Session Duration = Desktop Ready Event Timestamp (EventId 1000 on VDA) – User Profile Loaded Event Timestamp (EventId 2 on VDA). More details in the Blog Post.

Citrix Blog Post Director 7.6 Failure Reasons Demystified lists possible failure reasons behind an Unregistered alert, and the true meaning of failure reasons such as Connection Refused and Communication Error. It details each failure reason, defines the meanings of these failures, and lists action items that serve as a starting point for troubleshooting the specific scenario.

Citrix Virtual Delivery Agent (VDA) 2203 LTSR CU6

Last Modified: Jan 9, 2025 @ 2:27 am


Hardware

Hypervisor Host Hardware

  • G0-EUC Moore’s law of Windows 10 1903 – Newer versions of Windows 10 have lower density than older versions
  • Citrix Blog Post Citrix Scalability — The Rule of 5 and 10: Simply take the number of physical cores in a hypervisor host, multiply it by 5 or 10, and the result will be your Single Server Scalability. Use 5 if you’re looking for the number of Virtual Desktop VMs you can host on a box, and use 10 if you’re looking for the number of Virtual Apps user sessions you can host on a box.

Virtual Machine Hardware

  1. Operating system version support: VDA version 2203 LTSR supports Windows 11, Windows 10 64-bit (1607 and newer), Windows Server 2022, Windows Server 2019, and Windows Server 2016.
    • Windows Server 2022 supports Microsoft 365 Apps (aka Office 365) 2302 and newer.
    • Windows Server 2012 R2 is no longer supported. For Windows Server 2012 R2, install VDA 1912 LTSR with the latest Cumulative Update. VDA 1912 LTSR will work with newer Delivery Controllers (e.g., Delivery Controller 2203 LTSR).
    • For older operating systems (e.g., Windows 7 or Windows Server 2008 R2), install VDA 7.15 LTSR with the latest Cumulative Update. VDA 7.15 LTSR will work with newer Delivery Controllers (e.g., Delivery Controller 2203 LTSR).
  2. Cloud VDAs – Cloud VDAs are supported if you are licensed for Citrix Cloud with Hybrid Usage rights. See CTX270373 Citrix Virtual Apps and Desktops: Public cloud support with Current Releases and Long Term Service Releases.
  3. Windows 11 and vSphere – Citrix supports Windows 11 on vSphere 7 or newer. Windows 11 requires TPM. vSphere requires VM encryption before it will let you add a TPM to the virtual machine. VM encryption requires a Key Provider. vSphere 7 has a Native Key Provider that does not need any additional servers or licenses. See VMware Tech Zone Windows 11 Support on vSphere.
    1. In vSphere Client, in Inventory, click the vCenter object. On the right, on the Configure tab, scroll down to Key Providers and add a Native Key Provider.
    2. After it’s added, select it and then click Back-up to activate it.

  4. Microsoft TechNet Blog – Say No to Windows 10 Long Term Servicing Channel (LTSC)
    • No Edge
    • From January 2020, Microsoft Office 365 will not be supported on LTSC.
    • Non-security operating system fixes and enhancements may not get back-ported to LTSC.
  5. CTX224843 Windows 10 compatibility with Citrix Virtual Desktops (XenDesktop). This article also has links to several other articles listing known issues with Windows 10 releases.
  6. Hypervisor Support – CTX131239 Supported Hypervisors for Virtual Desktops (XenDesktop) and Provisioning Services
  7. Firewall – the UDP-based EDT protocol is enabled by default. Make sure the UDP ports are open for ICA/HDX:
    1. UDP 1494
    2. UDP 2598
    3. UDP 443 – from Internet to Citrix Gateway.
    4. UDP 443 can also be used by internal ICA connections if VDA SSL is configured.
    5. For EDT through Citrix Gateway, make sure your Citrix ADC firmware is up to date, preferably 12.1 or newer. Then enable DTLS on the Gateway Virtual Server.
  8. VDA virtual machine sizing:
    1. For Windows 11 or Windows 10 virtual desktops, give the virtual machine: 2+ vCPU and 4+ GB of RAM – higher RAM for browsers
    2. For Windows Server 2022, 2019, or 2016 RDSH, give the virtual machine 8 vCPU, and 24-48 GB of RAM
    3. See Daniel Feller Sizing Windows 2016, Windows 2012 And Windows 10 Virtual Machines
  9. If using RAM caching (MCSIO or PvS), add more RAM for the cache.
  10. Remove the floppy drive.
  11. Remove any serial or LPT ports.
  12. If Windows 11 on vSphere:
    1. When creating the Windows 11 virtual machine, enable Encrypt this virtual machine.
    2. In the Select a guest OS screen, if you don’t see Windows 11, then select Windows 10.
    3. On the Customize hardware page, make sure VM configuration files are encrypted. Hard disk encryption is not required and you can deselect it. Only the VM configuration files must be encrypted.
    4. Then you can use the Add New Device drop-down to add a Trusted Platform Module.
  13. If vSphere:
    1. To reduce disk space, reserve memory. A memory reservation reduces the size of, or eliminates, the virtual machine's .vswp file.
    2. The NIC should be VMXNET3.
    3. For vGPU, set vgpu.hotmigrate.enabled Advanced vCenter Server Setting to true. (source = William Lam How to enable vGPU vMotion in vSphere 6.7 Update 1)
  14. App Layering and UEFI – Citrix App Layering 2003 and newer can import UEFI images by running a script instead of using a connector.
  15. If this VDA will boot from Citrix Provisioning:
    1. For vSphere, the NIC Adapter Type must be VMXNET3.
    2. For vSphere, configure the CD/DVD Drive to boot from IDE instead of SATA. SATA won’t work with PVS.
    3. Make sure you remove the SATA Controller after you change the CD/DVD Drive to be IDE.
  16. Install the latest version of hypervisor drivers (e.g. VMware Tools).

If vSphere, disable NIC Hotplug

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. Switch to the tab named VM Options.
  5. Expand Advanced and then click Edit Configuration.
  6. Click the button labelled Add Configuration Params.
  7. For the Name, enter devices.hotplug.
  8. For the Value, enter false. Then click OK.
  9. The VM can then be powered on.

Windows Preparation

  1. Computer Group Policy – Make sure the Master VM is in the same OU as the Linked Clones so that the Master VM will get the computer-level GPO settings in its registry. Run gpupdate on the master after moving the VM to the correct OU. When Clones are created from the Master, the computer-level GPO settings will already be applied, thus eliminating timing issues.
  2. If Server OS, disable IE Enhanced Security Configuration in Server Manager > Local Server.
  3. Run Windows Update. Do not skip this step. Many VDA installation problems are fixed by simply updating Windows.
    • Defer Feature Updates – For Windows 10, since Citrix VDA does not immediately support new Windows 10 versions, configure Windows Update to defer feature updates. In Windows 11, or in newer versions of Windows 10, defer updates can only be configured using group policy.
  4. Add your Citrix Administrators group to the local Administrators group on the VDA (Computer Management > Local Users and Groups).
  5. The Remote Desktop Services “Prompt for Password” policy prevents Single Sign-on to the Virtual Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO setting will prevent Single Sign-on from working.
    Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security | Always prompt for password upon connection
    Or set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Portica\AutoLogon (DWORD) = 0x1. This registry value only applies to Single-session OS (aka Desktop OS), not Multi-session OS (aka Server OS). (source = comments)
  6. For Remote Assistance in Citrix Director, configure the GPO setting Computer Configuration | Policies | Administrative Templates | System | Remote Assistance | Offer Remote Assistance. See Jason Samuel – How to setup Citrix Director Shadowing with Remote Assistance using Group Policy for more details.
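The registry and local-group items in the list above can be audited from PowerShell before the VDA is installed. The script below is an added example, not from the page; it reports the fPromptForPassword policy, the Portica AutoLogon value, the IE Enhanced Security Configuration state (Server OS only; the two Active Setup GUIDs are Microsoft's standard ones for ESC) and whether your Citrix admin group is a local administrator. The group name is a placeholder, and only the group membership is changed, and only when -Fix is passed.

```powershell
# Added example: audit the "Windows Preparation" items that live in the
# registry or in local groups. Assumed: the Citrix admin group name below.
$CitrixAdminGroup = 'CORP\Citrix Admins'   # placeholder

function Get-RdsPromptForPasswordPolicy {
    # fPromptForPassword = 1 under the Terminal Services policy key means the
    # "Always prompt for password upon connection" GPO is set; SSO will fail.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $v = (Get-ItemProperty -Path $key -Name fPromptForPassword -ErrorAction SilentlyContinue).fPromptForPassword
    [pscustomobject]@{
        Setting = 'fPromptForPassword'
        Value   = if ($null -eq $v) { 'not set' } else { $v }
        Status  = if ($v -eq 1) { 'FIX: GPO forces a password prompt; SSO will fail' } else { 'OK' }
    }
}

function Get-PorticaAutoLogon {
    # Single-session OS only: AutoLogon = 1 under HKLM\SOFTWARE\Citrix\Portica
    # is the page's alternative to fixing the GPO.
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\Portica' -Name AutoLogon -ErrorAction SilentlyContinue).AutoLogon
    [pscustomobject]@{ Setting = 'Portica\AutoLogon'; Value = if ($null -eq $v) { 'not set' } else { $v }; Status = 'info' }
}

function Get-IeEscState {
    # IE ESC is recorded in two Active Setup components (Administrators / Users);
    # IsInstalled = 1 means ESC is still enabled. Server OS only.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($c in @(@{ Name = 'Administrators'; Guid = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' },
                     @{ Name = 'Users';          Guid = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' })) {
        $v = (Get-ItemProperty -Path (Join-Path $base $c.Guid) -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{ Setting = "IE ESC ($($c.Name))"; Value = $v; Status = if ($v -eq 1) { 'FIX: disable in Server Manager' } else { 'OK' } }
    }
}

function Test-CitrixAdminsLocalAdmin {
    param([switch]$Fix)
    $member = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Where-Object Name -eq $CitrixAdminGroup
    if (-not $member -and $Fix) {
        Add-LocalGroupMember -Group 'Administrators' -Member $CitrixAdminGroup
        $member = $true
    }
    [pscustomobject]@{
        Setting = "Local Administrators contains $CitrixAdminGroup"
        Value   = [bool]$member
        Status  = if ($member) { 'OK' } else { 'FIX: add the group, or re-run with -Fix' }
    }
}

# Report; read-only unless Test-CitrixAdminsLocalAdmin is called with -Fix.
@(Get-RdsPromptForPasswordPolicy; Get-PorticaAutoLogon; Get-IeEscState; Test-CitrixAdminsLocalAdmin) |
    Format-Table -AutoSize
```

Run it on the master image after gpupdate so the report reflects the computer-level GPO settings the clones will inherit.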

Install/Upgrade Virtual Delivery Agent (VDA) 2203 LTSR CU6

Mixed versions – You can upgrade the VDAs before you upgrade the Delivery Controllers resulting in VDAs being newer than the Delivery Controllers. You can upgrade the Delivery Controllers before you upgrade the VDAs. In other words, you can mix and match VDA versions and Delivery Controller versions.

For a list of HDX improvements in VDA 2203 LTSR, see Citrix Blog Post Get to know the top HDX enhancements in the 2203 LTSR.

CLI Install:

Command Line Install Options are detailed at Install using the command line at Citrix Docs.
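For a scripted build of a Multi-session OS master image, the following added example (not Citrix's own script) wraps the command-line installer. The installer path as it sits on the mounted ISO, the drive letter and the controller FQDNs are placeholders; the switches used are the ones documented on the Citrix Docs page linked above, so check that page for your exact version before relying on them.

```powershell
# Added example: unattended VDA install for a Multi-session OS master image.
# Assumed: ISO mounted as D:, installer path on the 2203 media, controller
# names. Switches are from Citrix Docs "Install using the command line".
$Installer   = 'D:\x64\XenDesktop Setup\XenDesktopVdaSetup.exe'    # placeholder path
$Controllers = 'ddc01.corp.example', 'ddc02.corp.example'            # placeholders, at least two
$LogPath     = 'C:\Windows\Temp\CitrixVdaInstall'

function Install-CitrixVda {
    param(
        [string]$Exe = $Installer,
        [string[]]$Ddc = $Controllers,
        [switch]$Pvs        # image will boot from Citrix Provisioning
    )
    if (-not (Test-Path $Exe)) { throw "Installer not found: $Exe" }
    New-Item -ItemType Directory -Path $LogPath -Force | Out-Null

    $argList = @(
        '/quiet'
        '/components', 'vda'                              # VDA only; no Workspace app
        '/controllers', ('"{0}"' -f ($Ddc -join ' '))     # space-separated, quoted
        $(if ($Pvs) { '/masterpvsimage' } else { '/mastermcsimage' })
        '/enable_hdx_ports'                               # TCP 1494/2598 firewall rules
        '/enable_hdx_udp_ports'                           # UDP 1494/2598 for EDT
        '/enable_remote_assistance'                       # needed for Director shadowing
        '/noreboot'                                       # caller controls the reboot
        '/logpath', ('"{0}"' -f $LogPath)
    )
    $p = Start-Process -FilePath $Exe -ArgumentList $argList -Wait -PassThru
    [pscustomobject]@{ ExitCode = $p.ExitCode; Log = $LogPath }
}

# Usage:
#   $r = Install-CitrixVda
#   if ($r.ExitCode -ne 0) { Get-ChildItem $r.Log }   # inspect the installer logs
#   Restart-Computer; re-run from the same media if setup must resume after reboot.
```

Keep the ISO mounted across the reboots, because, as the GUI steps below note, setup resumes after each restart and asks for the installation media.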

Scripted Upgrade:

To automate the upgrade of VDA software on persistent machines, see Dennis Parker at How to automate unattended VDA upgrade at Citrix Discussions for a sample script.

GUI Install:

  1. Virtual Channel Allow List – the Citrix Policy setting named Virtual Channel Allow List is enabled by default in VDA 2203. Whitelist your non-Citrix (e.g., Zoom) virtual channels before upgrading your VDAs, or else your non-Citrix virtual channels will stop working.
  2. NVIDIA – ensure your NVIDIA Virtual GPU software supports the version of VDA that you are upgrading to.
  3. CU6 – Download the CVAD 2203 CU6 ISO.
  4. Mount the ISO and run AutoSelect.exe.
  5. Click either of the Start buttons. Both buttons do the same thing.
  6. On the top right, click Virtual Delivery Agent.

  7. In the Environment page, select Create a master MCS Image or Create a master image using Citrix Provisioning, and click Next.

  8. In the Core Components page, if you don’t need Citrix Workspace App installed on your VDA, then leave it unchecked. Workspace app is usually only needed for double-hop ICA connections (connect to first VDA, and then from there, connect to second VDA). Click Next.
  9. In the Additional Components page:
    1. VDA has an option to install the Workspace Environment Management agent, but this option has been deprecated.
    2. Single-session OS (not Multi-session OS) has an option for Citrix User Personalization Layer (UPL). This component comes from Citrix App Layering but does not need any of the App Layering infrastructure.

      • Do not enable User Personalization Layer if you are also using Citrix App Layering.
      • Warning: A Citrix Policy setting activates Citrix User Personalization Layer by setting the UNC path to where the User Personalization Layers should be stored. The Citrix Policy setting should only be deployed to non-persistent machines. If you deploy the Citrix Policy Setting to your Master Image, then your Master Image will be hosed, and you must rebuild it from scratch.
    3. There’s an option for Machine Creation Services (MCS) storage optimization. This is also known as MCS I/O. This feature is only needed if you have slow storage.
  10. Click Next.
  11. In the Delivery Controller page, select Do it manually. Enter the FQDN of each Delivery Controller (at least two). Click Test connection. And then make sure you click Add. Click Next when done.
  12. If you see the WEM page, change it to WEM On-Premises, enter the address of the WEM Server, click Test connection, and then click Add. Click Next.
  13. In the Features page, if you want to use the features, then check the boxes. Remote Assistance is for Director. Use Screen Sharing allows users to share their sessions with other users. Then click Next.
  14. In the Firewall page, there are ports 52525 – 52625 for Screen Sharing. Click Next.
  15. In the Summary page, there’s an optional Enable restore on failure checkbox. Click Install.

  16. Click Close if you are prompted to restart.
  17. After the machine reboots, log in and installation should continue.
    1. After the reboot, and after logging in again, you might see a Locate ‘Citrix Virtual Apps and Desktops 7 LTSR’ installation media window. Don’t click anything yet.
    2. Go to the Citrix_Virtual_Apps_and_Desktops_7_2203_5000.iso file and mount it.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7 LTSR’ installation media window.
    4. On the left, expand This PC, and click the DVD Drive.
    5. Click Select Folder.
    6. Installation will resume. Repeat these instructions after each reboot.
  18. Note: NT SERVICE\CitrixTelemetryService needs permission to login as a service.
  19. In the Diagnostics page, you can optionally check the box next to Collect diagnostic information, click Connect, enter your Citrix account credentials, and then click Next.
  20. In the Finish page, click Finish to restart the machine again.

  21. From CTX225819 When Launching an Application Published from Windows Server 2016, a Black Screen Appears for Several Seconds Before Application is Visible
    • HKLM\SOFTWARE\Citrix\Citrix Virtual Desktop Agent\DisableLogonUISuppression (DWORD) should be set to 0.

If you need to roam the user’s Outlook .OST file (Outlook Cached Mode), Outlook Search Index, OneDrive cache, OneNote data, SharePoint data, Skype data, and/or Teams data, then download, install, and configure Microsoft FSLogix. FSLogix has more Office roaming features than Citrix Profile Management. A common architecture is to enable FSLogix Office Container for the Office cache files and use Citrix Profile Management for all other roaming profile files and registry keys.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. See Licensing Requirements at Microsoft Docs.

Do the following to install Microsoft FSLogix on the VDA machine:

  1. Go to https://docs.microsoft.com/en-us/fslogix/install-ht and click the download link.
  2. Extract the downloaded .zip file.
  3. In the FSLogix \x64\Release folder, run FSLogixAppsSetup.exe.
  4. Check the box next to I agree to the license terms and conditions and click Install.
  5. In the Setup Successful page, click Restart.
  6. The installed version is shown in Apps & features.
  7. Make sure the Windows Search service is set to Automatic and Running.
  8. If Office is already installed, then repair the Office installation after installing and starting the Windows Search Service.

FSLogix is configured through Group Policy or by editing registry values on each FSLogix Agent machine.
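As an added example (not from the page or from Microsoft), the following PowerShell writes the Office Container settings through the registry path FSLogix reads when no GPO is used, and makes sure the Windows Search service (WSearch) is Automatic and Running as the install steps require. The share path is a placeholder, and the ODFC value names used are the subset of Microsoft's documented ones that map to the roaming items listed above; check the FSLogix documentation for your version.

```powershell
# Added example: FSLogix Office Container via registry, plus the Windows
# Search service check from the install steps. Assumed: share path below,
# and the ODFC value names as documented by Microsoft for FSLogix.
$OfficeContainerShare = '\\fileserver.corp.example\FSLogixOffice'   # placeholder

function Set-FSLogixOfficeContainer {
    param([string]$Share = $OfficeContainerShare, [int]$SizeMB = 30000)
    $key = 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $dword = @{
        Enabled                       = 1
        IncludeOutlook                = 1   # Outlook .OST (Cached Mode)
        IncludeOutlookPersonalization = 1
        IncludeOneDrive               = 1
        IncludeOneNote                = 1
        IncludeSharepoint             = 1
        IncludeSkype                  = 1
        IncludeTeams                  = 1
        IncludeOfficeActivation       = 1
        IsDynamic                     = 1   # dynamically expanding container
        SizeInMBs                     = $SizeMB
    }
    foreach ($name in $dword.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $dword[$name] -PropertyType DWord -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name VHDLocations -Value $Share -PropertyType MultiString -Force | Out-Null
    New-ItemProperty -Path $key -Name VolumeType   -Value 'VHDX' -PropertyType String      -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object Enabled, VHDLocations, VolumeType, SizeInMBs, IsDynamic
}

function Test-WindowsSearchService {
    # The install steps require Windows Search to be Automatic and Running.
    $svc = Get-Service -Name WSearch -ErrorAction Stop
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name WSearch -StartupType Automatic }
    if ($svc.Status -ne 'Running')      { Start-Service -Name WSearch }
    Get-Service -Name WSearch | Select-Object Name, StartType, Status
}

Set-FSLogixOfficeContainer | Format-List
Test-WindowsSearchService
```

Only the Office Container (ODFC) is configured here, since the page keeps the rest of the profile on Citrix Profile Management. The NTFS and share permissions on the VHDLocations folder decide whether users can open each other's containers, so set them per Microsoft's FSLogix storage guidance rather than granting Users Modify on the whole share.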

Citrix Desktop Service

To prevent Citrix Desktop Service (BrokerAgent) from starting and registering with the Delivery Controllers before the boot process is complete, see Jeremy Saunders Controlling the Starting of the Citrix Desktop Service (BrokerAgent).

Customer Experience Improvement Program (CEIP)

Customer Experience Improvement Program (CEIP) is enabled by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD), and set it to 0 (zero). Also see CEIP at Citrix Insight Services at Citrix Docs.

See https://docs.jeffriechers.com/delivery-controller-2203-ltsr-and-licensing/#ceip for additional places where CEIP is enabled.

Connection Quality Indicator

The Connection Quality Indicator tells the user the quality of the connection. Position of the indicator is configurable by the user. Thresholds are configurable through group policy.

Download it from CTX220774 Connection Quality Indicator and install it. The article is very detailed.

Group Policy templates are located at C:\Program Files (x86)\Citrix\Connection Quality Indicator\Configuration. Copy the files and folder to <Sysvol>\Policies\PolicyDefinitions, or C:\Windows\PolicyDefinitions.

Find the Group Policy settings under Computer Config | Policies | Administrative Templates | Citrix Components | Virtual Desktop Agent | CQI

The user half of a GPO lets you disable CQI for some users and enable it for others.

Notification display settings lets you customize the user notifications, or disable them.

Connection Threshold Settings lets you set the notification thresholds.

Adaptive Transport

Adaptive Transport is a HDX/ICA protocol feature that tries to use UDP ports (EDT protocol) if they are open, and falls back to TCP ICA if UDP connection is not successful. On higher latency connections, EDT (UDP) tends to perform better than traditional TCP ICA.

The Citrix Policy setting HDX Adaptive Transport defaults to Preferred, which means Adaptive Transport is enabled by default.

The Citrix EDT protocol uses UDP ports 1494/2598 for HDX connections to the VDA. The UDP ports should already be open in the VDA’s Windows Firewall. In other words, HDX/ICA uses both TCP and UDP ports.

For EDT (and Adaptive Transport) through Citrix Gateway, make sure your Citrix ADC firmware is up to date, preferably 12.1 or newer. Then make sure DTLS is enabled on the Gateway Virtual Server. DTLS is the UDP version of SSL/TLS. Also, open UDP 2598 and UDP 1494 from the ADC SNIP to the VDAs.
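To confirm on a VDA that the firewall really allows the EDT ports named here and in the Firewall step of the hardware checklist above (UDP 1494 and 2598), and that a process is bound to them, the following added example (not from the page) enumerates the inbound allow rules and the UDP endpoints. It checks only the two ports the page lists; Gateway DTLS and the ADC SNIP path are outside what it can see from the VDA.

```powershell
# Added example: verify Windows Firewall rules and UDP listeners for EDT on a
# VDA. Only the ports the page lists are checked.
$EdtUdpPorts = '1494', '2598'

function Test-PortInRange {
    # Firewall port filters may be ranges such as "1494-2598".
    param([string]$Spec, [string[]]$Ports)
    if ($Spec -match '^(\d+)-(\d+)$') {
        $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        foreach ($p in $Ports) { if ([int]$p -ge $lo -and [int]$p -le $hi) { return $true } }
    }
    return $false
}

function Get-EdtFirewallRule {
    # Enabled inbound allow rules whose UDP port filter covers an EDT port.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'UDP') { continue }
        $ports = @($pf.LocalPort)
        $hit = $ports | Where-Object { $_ -eq 'Any' -or $_ -in $EdtUdpPorts -or (Test-PortInRange $_ $EdtUdpPorts) }
        if ($hit) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Profile = $rule.Profile; UdpPorts = ($ports -join ',') }
        }
    }
}

function Get-EdtListener {
    # Which process is bound to each EDT UDP port (Bound = $false means no
    # listener; EDT cannot be negotiated and sessions fall back to TCP).
    foreach ($port in $EdtUdpPorts) {
        $ep = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
        [pscustomobject]@{
            UdpPort = $port
            Bound   = [bool]$ep
            Process = if ($ep) { (Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue).ProcessName -join ',' } else { '' }
        }
    }
}

Get-EdtFirewallRule | Format-Table -AutoSize
Get-EdtListener     | Format-Table -AutoSize
```

A rule with LocalPort "Any" for UDP also satisfies the check, which is worth noticing: a broad rule left over from testing opens far more than EDT, so prefer the port-specific rules the VDA installer creates.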

Verify that the VDA registered with a Controller

  1. Restart the Virtual Delivery Agent machine, or restart the Citrix Desktop Service.
  2. In Windows Logs > Application log, you should see an event 1012 from Citrix Desktop Service saying that it successfully registered with a controller.
  3. If you don’t see successful registration, then you’ll need to fix the ListOfDDCs registry key.
    1. See VDA registration with Controllers at Citrix Docs.
    2. See The Most Common VDA Registration Issues & Troubleshooting Steps at Citrix Blogs.
  4. You can also run Citrix’s Health Assistant on the VDA.
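The registration check above can be scripted on the VDA. The following added example (not from the page) looks for event 1012 from Citrix Desktop Service in the Application log, reads ListOfDDCs and tests TCP reachability to each controller. It assumes ListOfDDCs is stored under HKLM\SOFTWARE\Citrix\VirtualDesktopAgent (Citrix's documented location) and that registration uses the default TCP port 80; change the port if your site uses a different one.

```powershell
# Added example: VDA-side registration check. Assumed: ListOfDDCs location
# under HKLM\SOFTWARE\Citrix\VirtualDesktopAgent and TCP 80 as the
# registration port (the default; adjust if your site changed it).
function Get-VdaListOfDDCs {
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent' -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
    if ($v) { $v -split '[ ,]+' | Where-Object { $_ } } else { @() }
}

function Test-VdaControllerReachability {
    param([int]$Port = 80)
    $list = Get-VdaListOfDDCs
    if (-not $list) { Write-Warning 'ListOfDDCs is empty or missing; fix the registry key first.' }
    foreach ($ddc in $list) {
        $r = Test-NetConnection -ComputerName $ddc -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Controller = $ddc; Resolved = [bool]$r.RemoteAddress; TcpOpen = $r.TcpTestSucceeded }
    }
}

function Get-VdaRegistrationStatus {
    param([int]$Hours = 24)
    # Event 1012 from Citrix Desktop Service = successfully registered.
    # Get-WinEvent returns newest first, so -First 1 is the latest event.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Citrix Desktop Service'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $last = $events | Where-Object Id -eq 1012 | Select-Object -First 1
    [pscustomobject]@{
        RegisteredRecently = [bool]$last
        LastRegistration   = if ($last) { $last.TimeCreated } else { $null }
        Message            = if ($last) { $last.Message } else { "no event 1012 in the last $Hours h" }
        # Other Desktop Service events are the first place to look when 1012 is absent.
        RecentOtherEvents  = ($events | Where-Object Id -ne 1012 | Select-Object -First 5 Id, TimeCreated, Message)
    }
}

Get-VdaRegistrationStatus      | Format-List
Test-VdaControllerReachability | Format-Table -AutoSize
```

If Resolved is true but TcpOpen is false for every controller, the problem is the network path or a host firewall rather than the ListOfDDCs value.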

Citrix Workspace app

If you want to run Workspace app on the VDA machine, then install or upgrade it.

Download and install Workspace app:

  1. Download Citrix Workspace app 2409.1 (Current Release).

  2. On the VDA, as administrator, run the downloaded CitrixWorkspaceApp.exe.
  3. In the Welcome to Citrix Workspace page, click Start.
  4. In the License Agreement page, check the box next to I accept the license agreement, and click Next.
  5. In the Enable Single Sign-on page, check the box next to Enable single sign-on, and click Install.
  6. In the Installation successful page, click Finish.
  7. Click Yes when asked to restart now.

Citrix File Access 2.0.4 for Workspace app for Chrome

  1. If you support Workspace app for Chrome (Chromebook) and want published applications to open files on Google Drive, install Citrix File Access on the VDAs. Get it from the Citrix File Access for Chrome.
  2. Go to the extracted Citrix_File_Access_2.0.4, and run FileAccess.msi.
  3. In the Please read the File Access License Agreement page, check the box next to I accept the terms, and click Install.
  4. In the Completed the File Access Setup Wizard page, click Finish.
  5. File Access is listed in Apps & Features or Programs and Features as version 2.0.4.34.

  6. File Access has a default list of supported file extensions. The list can be expanded by editing the registry on the VDA. See CTX219983 Receiver for Chrome Error: Invalid command line arguments: Unable to open the file as it has an unsupported extension.
  7. To open a file from Google Drive, right-click and open the file using Citrix Workspace app.

Remote Desktop Licensing Configuration

On Windows Server 2016 and newer RDSH, the only way to configure Remote Desktop Licensing is using group policy (local or domain). This procedure is not needed on virtual desktops.

  1. For local group policy, run gpedit.msc. Alternatively, you can configure this in a domain GPO.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the RDS Licensing Servers (typically installed on Delivery Controllers). Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
  5. Optionally, you can install the Remote Desktop Licensing Diagnoser Tool. In the Server Manager > Add Roles and Features Wizard, on the Features page, expand Remote Server Administration Tools, expand Role Administration Tools, expand Remote Desktop Services Tools, and select Remote Desktop Licensing Diagnoser Tool. Then Finish the wizard.
  6. If it won’t install from Server Manager, you can install it from PowerShell by running Install-WindowsFeature rsat-rds-licensing-diagnosis-ui.
  7. In Server Manager, open the Tools menu, expand Remote Desktop Services (or Terminal Services), and click Remote Desktop Licensing Diagnoser.

  8. The Diagnoser should find the license server and indicate the licensing mode. If you’re configured for Per User licenses, then it’s OK if there are no licenses installed on the Remote Desktop License Server.

Several people in Citrix Discussions reported the following issue: If you see a message about RD Licensing Grace Period has expired even though RD Licensing is properly configured, see Eric Verdumen No remote Desktop Licence Server availible on RD Session Host server 2012. The solution was to delete the REG_BINARY in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod only leaving the default. You must take ownership and give admin users full control to be able to delete this value.
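The two GPO settings above can also be written as the registry values the policy itself sets, which is convenient in a build script; the following added example (not from the page or Microsoft) does that and then reads back what the RD Session Host reports. It assumes LicenseServers (REG_SZ, comma-separated) and LicensingMode (DWORD, 4 = Per User, 2 = Per Device) under the Terminal Services policy key, and the Win32_TerminalServiceSetting WMI class with its GetGracePeriodDays method; the license server names are placeholders. The GracePeriod key from the paragraph above is only listed, not deleted, since deleting it requires taking ownership first.

```powershell
# Added example: RDS licensing policy via registry + read-back. Assumed:
# value names/meanings under the policy key, and the WMI class/method.
$RdsLicenseServers = 'ddc01.corp.example', 'ddc02.corp.example'   # placeholders
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdsLicensingPolicy {
    param(
        [string[]]$Servers = $RdsLicenseServers,
        [ValidateSet('PerUser', 'PerDevice')][string]$Mode = 'PerUser'
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name LicenseServers -Value ($Servers -join ',') -PropertyType String -Force | Out-Null
    $modeValue = if ($Mode -eq 'PerUser') { 4 } else { 2 }
    New-ItemProperty -Path $PolicyKey -Name LicensingMode -Value $modeValue -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $PolicyKey | Select-Object LicenseServers, LicensingMode
}

function Get-RdsLicensingState {
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TerminalServiceSetting
    $grace = try { (Invoke-CimMethod -InputObject $ts -MethodName GetGracePeriodDays).DaysLeft } catch { 'n/a' }
    # The page's workaround deletes the REG_BINARY under this key. Admins
    # normally cannot read it, which is why ownership must be taken first.
    $graceKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'
    $values = try { (Get-Item -Path $graceKey -ErrorAction Stop).Property -join ',' } catch { 'access denied (take ownership to inspect)' }
    [pscustomobject]@{
        LicensingName     = $ts.LicensingName
        GraceDaysLeft     = $grace
        GracePeriodValues = $values
    }
}

Set-RdsLicensingPolicy | Format-List
Get-RdsLicensingState  | Format-List
```

Run the Remote Desktop Licensing Diagnoser afterwards as step 8 describes; a domain GPO that sets the same values will overwrite whatever this script wrote at the next policy refresh, so pick one mechanism.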

C: Drive Permissions

This section is more important for shared VDAs like RDSH (Windows Server 2016, Windows Server 2019, and Windows Server 2022).

The default permissions for C: drive allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:.
  2. On the Security tab, click Advanced.
  3. If UAC is enabled, click Change permissions.
  4. Highlight the line containing Users and Create Folders, and click Remove.
  5. Highlight the line containing Users and Create files (or Special), and click Remove. Click OK.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue. This window should appear multiple times.
  8. Click OK to close the C: drive properties.
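The same change can be made with Get-Acl/Set-Acl so it is repeatable on every RDSH image and auditable before it runs. The following added example (not from the page) finds the two non-inherited BUILTIN\Users ACEs that grant "Create Folders" (CreateDirectories) and "Create files" (CreateFiles), reports them, and removes them only when -Apply is passed.

```powershell
# Added example: remove the Users "Create Folders" / "Create files" ACEs from
# the C: root. Reports only unless -Apply is given.
function Remove-UsersCreateRights {
    param([string]$Path = 'C:\', [switch]$Apply)
    $acl = Get-Acl -Path $Path
    $rights = [System.Security.AccessControl.FileSystemRights]
    # "Create Folders" = CreateDirectories (AppendData); "Create files" = CreateFiles (WriteData).
    $target = $rights::CreateFiles -bor $rights::CreateDirectories
    $toRemove = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        ($_.FileSystemRights -band $target) -ne 0 -and
        # the separate Read & execute ACE must stay
        ($_.FileSystemRights -band $rights::ReadAndExecute) -eq 0
    })
    foreach ($ace in $toRemove) {
        [pscustomobject]@{
            Identity    = $ace.IdentityReference
            Rights      = $ace.FileSystemRights
            Inheritance = $ace.InheritanceFlags
            Action      = if ($Apply) { 'removed' } else { 'would remove' }
        }
        if ($Apply) { [void]$acl.RemoveAccessRule($ace) }
    }
    # Windows propagates the inherited change to the subfolders it can reach;
    # the ones it cannot are what the GUI shows as "Error Applying Security".
    if ($Apply -and $toRemove.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
}

Remove-UsersCreateRights            # preview
# Remove-UsersCreateRights -Apply   # make the change
```

Run it from an elevated session; the preview output should list exactly two ACEs on a default install, one with CreateDirectories and one with CreateFiles, and nothing for Administrators or SYSTEM.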

Pagefile

If this image will be converted to a Citrix Provisioning vDisk, then you must ensure the pagefile is smaller than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB and Citrix Provisioning will be unable to move it to the cache disk. This causes Citrix Provisioning to cache to server instead of caching to your local cache disk (or RAM).

  1. Open System.
    1. The quickest method of opening advanced system parameters is to run sysdm.cpl.
    2. In Windows Server 2016 and newer, you can right-click the Start button, and click System.
    3. In Windows 10 1703 or newer (or Windows Server 2019 or newer), search the Start Menu for advanced system settings.
    4. Another option is to open File Explorer, right-click This PC, and click Properties. This works in Windows 10 1703 and newer.
  2. Click Advanced system settings.

  3. On the Advanced tab, click the top Settings button.
  4. On the Advanced tab, click Change.
  5. Uncheck the box next to Automatically manage paging file size for all drives. Then either turn off the pagefile, or set the pagefile to be smaller than the cache disk. Don’t leave it set to System managed size. Click OK several times.

Direct Access Users

When Citrix Virtual Delivery Agent (VDA) is installed on a machine, non-administrators can no longer RDP to the machine. A new local group called Direct Access Users is created on each Virtual Delivery Agent. Add your non-administrator RDP users to this local group so they can RDP directly to the machine.



The HKLM\Software\Citrix\PortICA\DirectAccessUsers registry key determines which Local group the VDA references to determine if a user should be allowed Unbrokered RDP access. Members of the Local Administrators group will always be granted access. If the Registry Key does not exist, or gets deleted, VDA will always allow the Unbrokered RDP Connection. The Registry key and local group are created as part of the VDA installation process.

Registry

ShellBridge

ShellBridge is a new Windows feature that fixes the following published app issues:

VDA 2203 CU1 and newer support the ShellBridge feature. Windows must be Windows Server 2019 or newer (or Windows 10/11) running Windows patches from June 2022 or later. To enable it:

  • Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Virtual Desktop Agent
    • Value (DWORD) = ShellBridge = 1

EDT MTU Discovery

EDT MTU Discovery prevents EDT packet fragmentation that might result in performance degradation or failure to establish a session. This feature requires the following:

  • Citrix Workspace app 1911 for Windows or newer
  • Citrix ADC 13.0.52.24 or newer
  • Citrix ADC 12.1.56.22 or newer

In VDA 2203 MtuDiscovery is enabled by default. You can also set the following registry value on the VDA.

  • Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd
    • Value (DWORD) = MtuDiscovery = 1

Black Screen when launch Published Apps on Windows Server 2016

From CTX225819 When Launching an Application Published from Windows Server 2016, a Black Screen Appears for Several Seconds Before Application is Visible: Citrix and Microsoft have worked together to deliver code fixes for both Windows Server 2016 and Citrix Virtual Apps. Microsoft is targeting their KB4034661 patch for the third week of August 2017. This fix requires a registry edit to enable.

  • Key = HKLM\SOFTWARE\Citrix\Citrix Virtual Desktop Agent
    • Value (DWORD) = DisableLogonUISuppression = 0

Faster Login

From CTP James Rankin The ultimate guide to Windows logon time optimizations, part #6: DelayedDesktopSwitchTimeout tells the logon process to wait for a shorter time before switching from session 0 to the actual session in use.

  • Key = HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • Value (DWORD) = DelayedDesktopSwitchTimeout = 1

Published Explorer

From Citrix CTX128009 Explorer.exe Fails to Launch: When publishing the seamless explorer.exe application, the session initially begins to connect as expected. After the loading, the dialog box disappears, and the Explorer application fails to appear. On the VDA, use the following registry change to set the length of time a client session waits before disconnecting the session:

  • Key = HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
    • Value (DWORD) = LogoffCheckerStartupDelayInSeconds = 10 (Hexadecimal)

Logon Disclaimer Window Size

If your logon disclaimer window has scroll bars, set the following registry values:

  • Key = HKEY_LOCAL_MACHINE\Software\Wow6432node\Citrix\CtxHook\AppInit_DLLS\Multiple Monitor Hook
    • Value (DWORD) = LogonUIWidth = 300
    • Value (DWORD) = LogonUIHeight = 200

Login Timeout

From Citrix CTX203760 VDI Session Launches Then Disappears: VDA, by default, only allows 180 seconds to complete a logon operation. The timeout can be increased by setting the following:

  • Key = HKLM\SOFTWARE\Citrix\PortICA
    • Value (DWORD) = AutoLogonTimeout = decimal 240 or higher (up to 3599).

From Citrix CTX138404 Application Connection Starts but Disappears after Timeout: after loading the published application, the dialog box disappears, and the application fails to appear.

  • Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
    • Value (DWORD) = ApplicationLaunchWaitTimeoutMS = decimal 60000

Workspace app for HTML5/Chrome Upload Folder

The Workspace app for HTML5 (or Chrome) lets users upload files.

By default, the user is prompted to select an upload location. If you use the Upload feature multiple times, the last selected folder is not remembered.

Citrix CTX217351 How to Customize File Upload and Download Using Receiver for HTML5 and Receiver for Chrome. You can specify a default uploads location by editing HKLM\Software\Citrix\FileTransfer\UploadFolderLocation on the VDA. Environment variables are supported. When this value is configured, users are no longer prompted to select an upload location. The change takes effect at next logon.

Note: HTML5/Chrome Workspace app also adds a Save to My Device location to facilitate downloads.

4K Monitors

From Citrix Knowledgebase article CTX218217 Unable to span across multiple monitors after upgrade to 7.11 VDA, Black/Blank screen appears on the monitors while connecting to ICA session:

  1. Calculate the video memory that is required for monitors using the following formula:
    SumOfAllMons (Width * Height) * 4 / 0.3, where width and height are resolution of the monitor. Note: There is no hard and fast rule that will work for all cases.
    Example: Consider the resolution of monitor 1 is 1920*1200 and monitor 2 is 1366*768. Then SumOfAllMons will be (1920*1200 + 1366*768)
  2. CTX115637 Citrix Session Graphics Memory Reference describes how multi-monitor resolution is determined.
  3. Open the registry (regedit) and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vbdenum
  4. Increase the value of “MaxVideoMemoryBytes” REG_DWORD value to the above calculated memory.
  5. Reboot the VDA.

Citrix Policies also control graphics performance.

COM Port Threads

CTX212090 COM Port Intermittently Inaccessible During ICA Sessions: increase the default value of “MaxThreads” under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\picaser\Parameters from 20 to a value greater than the number of COM port connections you want to support. For example, if a VDA server supports 100 sessions and each session opens two COM ports, the value of “MaxThreads” should be greater than 200.

NVIDIA vGPU GRID License

Allow NVIDIA vGPU GRID License to apply after the session is started. (Source = Jan Hendrik Meier NVIDIA GRID license not applied before the user connects – License Restriction will not be removed until the user reconnects)

  • Key = HKLM\SOFTWARE\NVIDIA Corporation\Global\GridLicensing
    • Value (DWORD) = IgnoreSP = 1

Legacy Client Drive Mapping

Citrix CTX127968 How to Enable Legacy Client Drive Mapping Format on XenApp: Citrix Client Drive Mapping no longer uses drive letters and instead they appear as local disks. This is similar to RDP drive mapping.

The old drive letter method can be enabled by setting the registry value:

  • Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UncLinks (create the key)
    • Value (DWORD) = UNCEnabled = 0

When you reconnect, the client drives will be mapped as drive letters (starts with V: and goes backwards).
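The registry values in this Registry section, plus the CEIP value from earlier on the page, share one shape (a key, a DWORD name, a value), so they are easiest to manage as a table that is audited first and written later. The following is an added example, not the page's own script: every row maps to one section above, rows whose condition is situational (Published Explorer, timeouts, 4K monitors, COM ports, vGPU, legacy drive mapping) are disabled by default, and MaxVideoMemoryBytes is computed with the 4K Monitors formula for two constructed monitor sizes. The MaxThreads value is a constructed one that satisfies the "greater than 200" example in the COM Port Threads section.

```powershell
# Added example: audit/apply the DWORD registry values from this section.
# Every row maps to a page section; situational ones are Off by default.
function Get-RequiredVideoMemoryBytes {
    # 4K Monitors formula from the page: SumOfAllMons(Width*Height) * 4 / 0.3
    param([string[]]$Monitors)   # e.g. '1920x1200', '1366x768' (constructed)
    $sum = 0L
    foreach ($m in $Monitors) { $w, $h = $m -split 'x'; $sum += [long]$w * [long]$h }
    [long][math]::Ceiling($sum * 4 / 0.3)      # 1920x1200 + 1366x768 -> 44707840
}

$Desired = @(
    @{ Section = 'CEIP';               Key = 'HKLM:\SOFTWARE\Citrix\Telemetry\CEIP';                              Name = 'Enabled';                          Value = 0;     On = $true  }
    @{ Section = 'ShellBridge';        Key = 'HKLM:\SOFTWARE\Citrix\Citrix Virtual Desktop Agent';                Name = 'ShellBridge';                      Value = 1;     On = $true  }
    @{ Section = 'EDT MTU Discovery';  Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd';  Name = 'MtuDiscovery';                     Value = 1;     On = $true  }
    @{ Section = 'Black Screen 2016';  Key = 'HKLM:\SOFTWARE\Citrix\Citrix Virtual Desktop Agent';                Name = 'DisableLogonUISuppression';        Value = 0;     On = $true  }
    @{ Section = 'Faster Login';       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DelayedDesktopSwitchTimeout';      Value = 1;     On = $true  }
    @{ Section = 'Published Explorer'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI';         Name = 'LogoffCheckerStartupDelayInSeconds'; Value = 0x10; On = $false } # page: 10 hex
    @{ Section = 'Login Timeout';      Key = 'HKLM:\SOFTWARE\Citrix\PortICA';                                     Name = 'AutoLogonTimeout';                 Value = 240;   On = $false }
    @{ Section = 'App Launch Timeout'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI';         Name = 'ApplicationLaunchWaitTimeoutMS';   Value = 60000; On = $false }
    @{ Section = '4K Monitors';        Key = 'HKLM:\SYSTEM\CurrentControlSet\services\vbdenum';                   Name = 'MaxVideoMemoryBytes';              Value = (Get-RequiredVideoMemoryBytes '1920x1200', '1366x768'); On = $false }
    @{ Section = 'COM Port Threads';   Key = 'HKLM:\SYSTEM\CurrentControlSet\services\picaser\Parameters';        Name = 'MaxThreads';                       Value = 250;   On = $false } # constructed, > 200
    @{ Section = 'NVIDIA vGPU';        Key = 'HKLM:\SOFTWARE\NVIDIA Corporation\Global\GridLicensing';            Name = 'IgnoreSP';                         Value = 1;     On = $false }
    @{ Section = 'Legacy CDM';         Key = 'HKLM:\SOFTWARE\Citrix\UncLinks';                                    Name = 'UNCEnabled';                       Value = 0;     On = $false }
)

function Sync-VdaRegistry {
    # Audit by default; -Apply creates missing keys and writes differing values.
    param([switch]$Apply)
    foreach ($e in ($Desired | Where-Object { $_.On })) {
        $cur = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $state = if ($null -eq $cur) { 'missing' } elseif ($cur -eq $e.Value) { 'ok' } else { 'differs' }
        if ($Apply -and $state -ne 'ok') {
            if (-not (Test-Path $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
            New-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
            $state = 'set'
        }
        [pscustomobject]@{ Section = $e.Section; Name = $e.Name; Current = $cur; Desired = $e.Value; State = $state }
    }
}

Sync-VdaRegistry | Format-Table -AutoSize      # preview
# Sync-VdaRegistry -Apply                      # write the enabled rows
```

Flip a row's On flag only after confirming its section applies to the image (for example, Published Explorer only matters if explorer.exe is published), and keep the table under version control so the image's registry deviations from default are documented.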

Print Driver for Mac/Linux Clients

Workspace app for Mac version 2203 and newer along with VDA 2112 and newer supports PDF printing instead of Postscript printing. With PDF, it’s no longer necessary to install the HP Color LaserJet 2800 Series PS driver on the VDA. Citrix Policy setting Universal driver preference must be adjusted to enable PDF printing as higher priority than PS (postscript) printing. See Citrix Docs for more details.

For Linux clients or older Mac clients, from CTX140208 Citrix Workspace App for Mac and Linux fail to Redirect Local printer to Citrix Sessions. By default, non-Windows clients cannot map printers due to a missing print driver on the VDA machine.

  1. Download the HP Color LaserJet 2800 Series PS driver directly from Microsoft Catalog as detailed at CTX283355 Client Printing from Linux/MAC is not working on Windows Server 2016 and 2019. The Catalog is at https://www.catalog.update.microsoft.com/. Then search for hp color laserjet 2800. Pick the 6.1.7600.16385 driver version.
  2. Extract the .cab file using 7-zip or similar.
  3. In Windows 10 1803+, open Printers & scanners. On the right (or scroll down) is a link to Print Server Properties.

  4. In older versions of Windows, you can get to Print server properties from Devices and Printers.
    1. In Windows prior to Windows 10 1703, click Start, and run Devices and Printers.
    2. In Windows 10 1703, open Printers & scanners, then scroll down, and click Devices and printers.

  5. In the Printers section, highlight a local printer (e.g. Microsoft XPS Document Writer). Then in the toolbar, click Print server properties.
  6. Switch to the Drivers tab and click Change Driver Settings.
  7. Then click Add.
  8. In the Welcome to the Add Printer Driver Wizard page, click Next.
  9. In the Processor Selection page, click Next.
  10. In the Printer Driver Selection page, click Have Disk and browse to the .inf that you extracted from the .cab file.

  11. Select HP Color LaserJet 2800 Series PS and click Next.
  12. In the Completing the Add Printer Driver Wizard page, click Finish.

SSL for VDA

If you intend to use HTML5 Workspace app internally, install certificates on the VDAs so the WebSockets (and ICA) connection will be encrypted. Internal HTML5 Workspace app will not accept clear text WebSockets. External users don’t have this problem since they are SSL-proxied through Citrix Gateway.

Notes:

  • Each Virtual Delivery Agent needs a machine certificate that matches the machine name. This is feasible for a small number of persistent VDAs. For non-persistent VDAs, you’ll need some automatic means for creating machine certificates every time they reboot.
  • As detailed in the following procedure, use PowerShell on the Delivery Controller to enable SSL for the Delivery Group. This forces SSL for every VDA in the Delivery Group, which means every VDA in the Delivery Group must have SSL certificates installed.

The following instructions for manually enabling SSL on VDA can be found at Configure TLS on a VDA using the PowerShell script at Citrix Docs.

  1. On the VDA machine, run certlm.msc.
  2. Right-click Personal, expand All Tasks, and click Request New Certificate to request a certificate from your internal Certificate Authority. You can use either the Computer template or the Web Server template.

    • You can also use group policy to enable Certificate Auto-Enrollment for the VDA computers.
  3. Browse to the Citrix Virtual Apps and Desktops ISO. In the Support\Tools\SslSupport folder, shift+right-click the Enable-VdaSSL.ps1 script, and click Copy as path.
  4. Run PowerShell as administrator (elevated).
  5. Run the command Set-ExecutionPolicy unrestricted. Enter Y to approve.
  6. In the PowerShell prompt, type in an ampersand (&), and a space.
  7. Right-click the PowerShell prompt to paste in the path copied earlier.
  8. At the end of the path, type in -Enable
  9. If there’s only one certificate on this machine, press Enter.
  10. If there are multiple certificates, then you’ll need to specify the thumbprint of the certificate you want to use. Open the Certificates snap-in, open the properties of the machine certificate you want to use, and copy the Thumbprint from the Details tab.

    In the PowerShell prompt, at the end of the command, enter -CertificateThumbPrint, add a space, and type quotes (").
    Right-click the PowerShell prompt to paste the thumbprint.
    Type quotes (") at the end of the thumbprint. Then remove all spaces from the thumbprint. The thumbprint needs to be wrapped in quotes.
  11. There are additional switches to specify minimum SSL Version and Cipher Suites. Also see Citrix CTX226049 Disabling Triple DES on the VDA breaks the VDA SSL connection.
  12. Press <Enter> to run the Enable-VdaSSL.ps1 script.
  13. Press <Y> twice to configure the ACLs and Firewall.
  14. You might have to reboot before the settings take effect.
  15. Login to a Delivery Controller and run PowerShell as Administrator (elevated).
  16. Run the command asnp Citrix.*
  17. Enter the command:
    Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true

    where <delivery-group-name> is the name of the Delivery Group containing the VDAs.

  18. You can run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' to verify that HDX SSL is enabled.
  19. Also run the following command to enable DNS resolution.
    Set-BrokerSite -DnsResolutionEnabled $true

  20. Since the UDP-based EDT protocol is enabled by default, open port UDP 443 to the VDAs.

You should now be able to connect to the VDA using the HTML5 Workspace app from internal machines.

The Citrix blog post How To Secure ICA Connections in XenApp and XenDesktop 7.6 using SSL has a method for automatically provisioning certificates for pooled virtual desktops by enabling certificate auto-enrollment and setting up a task that runs after the certificate has been enrolled.

  • From Russ Hargrove at A note on VDA certificates in 7.14 at Citrix Discussions: Citrix installs a new “Citrix XenApp/XenDesktop HDX Service” certificate in the Personal store which breaks the automation of the Enable-VdaSSL.ps1 script. To fix the problem, modify the task scheduler powershell script to:
    Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint (Get-ChildItem -path cert:\LocalMachine\My | Where-Object -FilterScript {$_.Subject -eq ""} | Select-Object -ExpandProperty Thumbprint) -Confirm:$False

For certificate auto-enrollment on non-persistent Remote Desktop Session Hosts (aka Multi-session OS, aka Server OS VDAs), see Non-Persistent Server SSL to VDA by Alfredo Magallon Arbizu at CUGC.

# First of all, make registry coherent with the listener status
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\Wds\icawd" -Name "SSLEnabled" -Value 1 -Type DWORD
# Then, shut down the listener, as it is not configured
C:\Scripts\EnableSSL\Enable-VDASsl.ps1 -Disable -Confirm:$false
# Finally, configure and start listener
# ($Cert is the auto-enrolled machine certificate object; it is assigned earlier in the full script at CUGC, not in this excerpt)
C:\Scripts\EnableSSL\Enable-VDASsl.ps1 -Enable -CertificateThumbPrint $Cert.Thumbprint -Confirm:$false

You can launch the above script from a scheduled task that triggers when certificate auto-enroll is complete.

SCHTASKS.EXE /CREATE /RU "SYSTEM" /SC "ONEVENT" /EC "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" /MO "*[System[Provider[@Name='Microsoft-Windows-CertificateServicesClient-Lifecycle-System'] and (EventID=1006)]]" /TN "yourtaskname" /TR "powershell.exe -ExecutionPolicy ByPass -File yourscript.ps1"
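The following PowerShell is an added example, not code from this page, from Citrix, or from the CUGC article cited above. It shows one way for the scheduled task to pick the right machine certificate for Enable-VdaSSL.ps1 without hard-coding a subject name: it matches the VDA's own FQDN, skips certificates that have no private key, are about to expire, or are self-signed (which is how the Citrix XenApp/XenDesktop HDX Service certificate mentioned above gets excluded), and refuses to enable TLS with a certificate that does not chain to a trusted root. The script location C:\Scripts\EnableSSL\Enable-VdaSSL.ps1, the function name and the seven-day expiry margin are assumptions.

```powershell
# Added example, not code from the page, from Citrix, or from the cited CUGC article.
# Assumptions: Enable-VdaSSL.ps1 was copied to C:\Scripts\EnableSSL (hypothetical path) and
# the machine certificate was enrolled from an internal CA with the FQDN as CN or SAN entry.
$ScriptPath = 'C:\Scripts\EnableSSL\Enable-VdaSSL.ps1'
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-VdaMachineCertificate {
    param([Parameter(Mandatory)][string]$HostName)

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and                          # the listener must be able to sign with it
            $_.NotAfter -gt (Get-Date).AddDays(7) -and     # skip expired / about-to-expire certificates
            $_.Subject -ne $_.Issuer -and                  # skip self-signed, e.g. the Citrix HDX Service cert
            ($_.Subject -eq "CN=$HostName" -or $_.DnsNameList.Unicode -contains $HostName)
        } |
        Sort-Object -Property NotAfter -Descending |       # newest enrollment wins if several match
        Select-Object -First 1
}

$Cert = Get-VdaMachineCertificate -HostName $Fqdn
if (-not $Cert) {
    throw "No usable machine certificate for $Fqdn in Cert:\LocalMachine\My; check auto-enrollment."
}
# Verify() builds the chain with the machine's trust store (and checks revocation, so it needs
# CRL/OCSP reachability); a certificate nobody would trust is not worth binding to the listener.
if (-not $Cert.Verify()) {
    throw "Certificate $($Cert.Thumbprint) does not chain to a trusted root; TLS not enabled."
}

# Enable-VdaSSL.ps1 also writes the ACLs and firewall rule for the TLS port;
# -Confirm:$false lets it run unattended from the scheduled task.
& $ScriptPath -Enable -CertificateThumbPrint $Cert.Thumbprint -Confirm:$false

# Read back the registry flag the script sets so the task history shows the outcome.
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\Wds\icawd' |
    Select-Object -Property SSLEnabled
```

Save it as the yourscript.ps1 referenced by the SCHTASKS command above. Matching on the FQDN rather than on an empty or fixed subject string means the same script works unchanged on every non-persistent VDA in the catalog, and the self-signed filter is what keeps the Citrix HDX Service certificate from being picked up once it appears in the Personal store.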

Anonymous Accounts

If you intend to publish apps anonymously, then follow this section.

  1. Anonymous accounts are created locally on the VDAs. When the VDA creates Anon accounts, it gives them the idle time specified at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\AnonymousUserIdleTime. The default is 10 minutes. Adjust as desired.
  2. Pre-create the Anon accounts on the VDA by running "C:\Program Files\Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe". If you don’t run this tool, then anonymous users can’t login.
  3. You can see the local Anon accounts by opening Computer Management, expanding System Tools, expanding Local Users and Groups and clicking Users.
  4. If you want profiles for anonymous users to delete at logoff, then you’ll need to add the local Anon users to the local Guests group.
  5. If you open one of the accounts, on the Sessions tab, notice that idle timeout defaults to 10 minutes. Feel free to change it.

Group Policy for Anonymous Users

Since Anonymous users are local accounts on each Virtual Delivery Agent, domain-based GPOs will not apply. To work around this limitation, you’ll need to edit the local group policy on each Virtual Delivery Agent.

  1. On the Virtual Delivery Agent, run mmc.exe.
  2. Open the File menu, and click Add/Remove Snap-in.
  3. Highlight Group Policy Object Editor, and click Add to move it to the right.
  4. In the Welcome to the Group Policy Wizard page, click Browse.
  5. On the Users tab, select Non-Administrators.
  6. Click Finish.
  7. Now you can configure group policy to lock down sessions for anonymous users. Since this is a local group policy, you’ll need to repeat the group policy configuration on every Virtual Delivery Agent image. Also, Group Policy Preferences is not available in local group policy.

Antivirus

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Citrix’s Recommended Antivirus Exclusions

Citrix Tech Zone Endpoint Security and Antivirus Best Practices: provides guidelines for configuring antivirus software in Citrix Virtual Apps and Desktops environments.

Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:

  • Set real-time scanning to scan local drives only and not network drives
  • Disable scan on boot
  • Remove any unnecessary antivirus related entries from the Run key
  • Exclude the pagefile(s) from being scanned
  • Exclude Windows event logs from being scanned
  • Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including: StoreFront, VDA, Controller, and Citrix Provisioning. The Blog Post also has links to additional KB articles on antivirus.

Symantec

Symantec links:

Trend Micro

Citrix CTX312452 Grey Screen when launching the applications or desktops – Ctxuvi event ID 1005 and 1003: Trend Micro has released a fix for their Deep Security Agent 20.0.0-2593 (20 LTS Update 2021-07-01).

Trend Micro Slow login on Citrix environment after installing OfficeScan (OSCE): the following registry values can be used to troubleshoot the issue. They delay the OSCE startup procedure until the system has launched successfully, which avoids deadlock situations during login.

Citrix CTX136680 – Slow Server Performance After Trend Micro Installation. Citrix session hosts experience slow response and performance more noticeable while users try to log in to the servers. At some point the performance of the servers is affected, resulting in issues with users logging on and requiring the server to be restarted. This issue is more noticeable on mid to large session host infrastructures.

Trend Micro has provided a registry fix for this type of issue. Create the following DWORD value on all the affected servers:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilterParameters] "DisableCtProcCheck"=dword:00000001

Trend Micro Links:

Sophos

CTX238012 Logon process to VDAs is extremely slow when Citrix UPM is enabled. Set the following registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application
    • DisableAsyncScans (DWORD) = 1

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: it may be desirable to disable the Sophos AutoUpdate shield icon.

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment – Microsoft Docs

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Disable Network protection and configure Citrix’s antivirus exclusions (source = Citrix CTX319676 Users sessions are getting disconnected – Connection Interrupted)

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Optimize Performance

Citrix Optimizer

Download Citrix Optimizer and run it.

Microsoft links:

Optimization Notes:

Applications

Choose application installers that install to C:\Program Files instead of to %appdata%. Search for VDI or Enterprise versions of the following applications. These VDI versions do not auto-update, so you’ll have to update them manually.

Seal and Shut Down

If this VDA will be a master image in a Machine Creation Services or Citrix Provisioning catalog, after the master is fully prepared (including applications), do the following:

  1. Go to the properties of the C: drive, and run Disk Cleanup.
  2. If Disk Cleanup is missing, you can run cleanmgr.exe instead.
  3. Windows 10 1703 and newer has a new method for cleaning up temporary files.
    1. Right-click the Start button, and click System.
    2. Click Storage on the left, and click This PC (C:) on the right.
    3. Click Temporary Files.
    4. Check boxes, and click Remove files.
  4. On the Tools tab of the local C: drive Properties, click Optimize to defrag the drive.
  5. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining. It is not necessary to manually rearm licensing since MCS will do it automatically.
  6. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  7. Machine Creation Services and Citrix Provisioning require DHCP.
  8. Session hosts (RDSH) commonly have DHCP reservations.
  9. Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.
  10. Shut down the master image. You can now use Studio (Machine Creation Services) or Citrix Provisioning to create a catalog of linked clones.
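As an added example (not the page's own or Citrix's code), here is a PowerShell pre-seal check covering steps 5 through 7 above: it reads the same licensing data that slmgr.vbs /dlv shows, counts the remaining rearms, confirms that every connected IPv4 interface uses DHCP, and counts leftover local profiles that Delprof2 would otherwise need to remove. The function name and the default minimum rearm count are assumptions.

```powershell
# Added example, not from the page or from Citrix: pre-seal check for a master image.
# Function name and the default rearm threshold are assumptions.
function Test-MasterImageSealReady {
    [CmdletBinding()]
    param([int]$MinimumRearms = 1)

    # Licensing state from the WMI classes slmgr.vbs reads. The GUID is the Windows
    # application ID slmgr.vbs uses to find the OS product among all licensed products.
    $svc = Get-CimInstance -ClassName SoftwareLicensingService
    $win = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f' -and $_.PartialProductKey } |
        Select-Object -First 1

    $licensed = ($win -and $win.LicenseStatus -eq 1)               # 1 = Licensed
    $isKms    = ($win -and $win.ProductKeyChannel -like '*GVLK*')   # KMS client key, not MAK/retail
    $rearms   = [int]$svc.RemainingWindowsReArmCount

    # MCS and Citrix Provisioning need DHCP: every connected, non-loopback IPv4 interface must use it.
    $nics = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' }
    $staticNics = @($nics | Where-Object { $_.Dhcp -ne 'Enabled' } | Select-Object -ExpandProperty InterfaceAlias)

    # Local profiles that would otherwise be cloned into every linked clone (what Delprof2 removes).
    $staleProfiles = @(Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded })

    [pscustomobject]@{
        Licensed        = $licensed
        KmsClient       = $isKms
        KmsHost         = if ($win) { $win.KeyManagementServiceMachine } else { $null }
        RearmsRemaining = $rearms
        StaticNics      = $staticNics
        StaleProfiles   = $staleProfiles.Count
        ReadyToSeal     = ($licensed -and $isKms -and $rearms -ge $MinimumRearms -and $staticNics.Count -eq 0)
    }
}

# Run before shutting down the master; a sealing script can stop when ReadyToSeal is $false.
Test-MasterImageSealReady | Format-List
```

StaleProfiles is reported rather than folded into ReadyToSeal, because a non-zero count is a reminder to run Delprof2 rather than a hard blocker; a static address or a MAK/retail key, on the other hand, will break every clone and so does block the result.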

Uninstall VDA

Uninstall the VDA from Apps & Features or Programs and Features. Then see CTX209255 VDA Cleanup Utility.

To run the VDA Cleanup Tool silently:

  1. Execute VDACleanupUtility.exe /silent /noreboot to suppress reboot.
  2. Once the VDACleanupUtility has finished executing, set up Auto logon for the current user.
  3. Reboot.
  4. After reboot, the tool will launch automatically to continue Cleanup.

Another option is to delete CitrixVdaCleanup value under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce. Then after reboot, run VDACleanupUtility.exe /silent /reboot to indicate that it’s running after the reboot.

Related Pages

Delivery Controller 2203 LTSR CU6 and Licensing

Last Modified: Jan 9, 2025 @ 2:22 am

Upgrade

If you are performing a new install of Delivery Controller, then skip to the next section.

You can in-place upgrade directly from any Delivery Controller version 7.0 or newer. The operating system must be Windows Server 2016 or newer, and SQL Server must be SQL 2016 or newer.

During the upgrade of Delivery Controller, be aware that a database upgrade is required. Either get a DBA to grant you temporary sysadmin permission or use Citrix Studio to generate SQL scripts that a DBA must then run in SQL Studio.

  1. CVAD Versions you can upgrade from – XenApp/XenDesktop 7.15 with CU5 or newer, CVAD 1912 with any Cumulative Update, any supported Current Release version.
  2. Virtual Channel Allow List – the Citrix Policy setting named Virtual Channel Allow List is enabled by default in VDA 2203. Whitelist your non-Citrix (e.g., Zoom) virtual channels before upgrading your VDAs, or else your non-Citrix virtual channels will stop working.
  3. NVIDIA – ensure your NVIDIA Virtual GPU software supports the version of CVAD that you are upgrading to.
  4. Consider Utilizing Local Host Cache for Nondisruptive Database Upgrades at Citrix Docs.
  5. License Server Upgrade – Before upgrading to Delivery Controller 2303, upgrade your Citrix License Server to 11.17.2.0 Build 51000. Citrix now requires Licensing telemetry as described in CTX477614 Citrix License Telemetry FAQ.

    • You can run LicServVerify.exe from the Citrix Virtual Apps and Desktops (CVAD) ISO to verify that the License Server is compatible. Example syntax is: "E:\x64\XenDesktop Setup\LicServVerify.exe" -h myLicenseServer -p 27000 -v

  6. LTSR – Citrix Virtual Apps and Desktops (CVAD) 2203 is a Long Term Support Release (LTSR), which receives periodic (usually twice per year) Cumulative Updates with bug fixes, but no new features. See Lifecycle Milestones for Citrix Virtual Apps & Citrix Virtual Apps and Desktops. See CTX205549 FAQ: Citrix Virtual Apps and Desktops and Citrix Hypervisor Long Term Service Release (LTSR).
  7. Delivery Controller OS Compatibility – Delivery Controller 2203 LTSR is supported on Windows Server 2022, Windows Server 2019 and Windows Server 2016.
  8. SQL Compatibility – Delivery Controller 2203 LTSR does not support several older database engines, including the previously included SQL 2014 LocalDB database engine for the Local Host Cache.
    • SQL Server 2014, SQL Server 2012, and SQL Server 2008 R2, are no longer supported for the site database.
    • SQL Server Express LocalDB version 2014 is no longer supported for the local host cache database. The Delivery Controller installer does not upgrade this component, so you’ll have to do it manually. See Replace SQL Server Express LocalDB at Citrix Docs.
  9. VDA OS Compatibility – Virtual Delivery Agent (VDA) 2203 is only supported on a limited number of Windows operating system versions, specifically, Windows 10 (1607+), Windows Server 2016, Windows Server 2019, and Windows Server 2022.
    • For VDAs running Windows Server 2012 R2, leave their VDA at version 1912 LTSR (with latest Cumulative Update). VDA 1912 LTSR can communicate with Delivery Controllers 2203 LTSR.
    • For VDA machines running Windows 7 or Windows Server 2008 R2, leave their VDA software at version 7.15 LTSR (with latest Cumulative Update). Citrix supports VDA 7.15 LTSR to communicate with Delivery Controllers 2203 LTSR.
  10. Cloud VDAs support – Delivery Controller 2203 restores public cloud (native Azure, native AWS, native Google Cloud) hosting connections, but only if your Citrix licenses are Citrix Cloud licenses with Hybrid rights. Normal on-prem licenses won’t work. If you used cloud hosting connections in CVAD 1912, then you must upgrade your licenses before you upgrade to Delivery Controller 2203. See CTX270373 Citrix Virtual Apps and Desktops: Public cloud support with Current Releases and Long Term Service Releases.
  11. Snapshot. Take a snapshot of the Delivery Controller machine before attempting the upgrade. The Citrix installer requires a reboot before upgrading, so it’s probably best to shut down the machine before you snapshot it.
  12. Download the Citrix Virtual Apps and Desktops 7 2203 CU6 ISO.
  13. On an existing Delivery Controller, run AutoSelect.exe from the 2203 CU6 ISO.
  14. On the top left, in the Upgrade box, click Studio and Server Components.
  15. In the Licensing Agreement page, select I have read, understand, and accept the terms, and click Next.
  16. In the Ensure Successful Upgrade page, read the steps, check the box next to I’m ready to continue, and click Next.
  17. In the Unsupported Features and Platforms page, read the list, check the box next to I understand the risk of upgrading a deployment that has unsupported features or platforms, then click Next.
  18. If you see a License Errors page, then you need to upgrade your License Server.
  19. If you see a SQL Server version error, then you might need to upgrade your SQL Server, or move the Citrix databases to a supported SQL server.
  20. If you see a SQL Server Express LocalDB version error, then click the Learn More link to see instructions to upgrade it.
  21. If you see a window saying “We cannot determine which SQL version is currently installed”, click OK.
  22. In the Preliminary Site Tests page, click Start Preliminary Tests.
  23. The tests will take a few minutes. Click Next when done.
  24. In the Firewall page, click Next.
  25. In the Summary page, click Upgrade. Notice that StoreFront is not in this list. StoreFront is upgraded separately.
  26. Click OK when asked to start the upgrade.
  27. The machine will probably restart a couple times.

    1. After the reboot, and after logging in again, you might see a Locate ‘Citrix Virtual Apps and Desktops 7 LTSR’ installation media window. Don’t click anything yet.
    2. Go to the Citrix_Virtual_Apps_and_Desktops_7_2203_5000.iso file and mount it.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7 LTSR’ installation media window.
    4. On the left, expand This PC, and click the DVD Drive.
    5. Click Select Folder.
    6. Installation will resume. Repeat these instructions after each reboot.
  28. If the upgrade fails:
    1. Look for MetaInstaller log files under %localappdata%\Temp\Citrix\XenDesktop Installer\MSI Log Files.
    2. Look for StoreFront log files under C:\Program Files\Citrix\Receiver StoreFront\Admin\logs.
    3. Citrix has a MSI Log Analyzer.
  29. If you see a Diagnostics page, either connect to Citrix Cloud, or uncheck the box for Collect diagnostic information. Click Next.
  30. In the Finish page, check the box next to Launch Studio, and click Finish.
  31. SQL Server Express LocalDB – the 2203 Delivery Controller installer does not upgrade the Local Host Cache database engine. After the Delivery Controller is upgraded to 2003 or newer, see Replace SQL Server Express LocalDB at Citrix Docs.

Studio – Upgrade Database, Catalogs, and Delivery Groups

  1. After Citrix Studio launches, if you have sysadmin permissions on SQL, then click Start the automatic Site upgrade. If you don’t have full SQL permission, then get a DBA to help you, click Manually upgrade this site, and follow the instructions.

    • If you choose to Manually upgrade this site, then note that there might not be an upgrade for the Logging Database schema, depending on what version you are upgrading from.

    • Run the DisableServices.ps1 script before upgrading the database.
    • The .sql scripts must be run in SQLCMD mode. Re-enable SQLCMD mode for each script.
  2. After all Controllers and VDAs are upgraded to 2112, in Citrix Studio, view your Machine Catalog for the current functional level (Set to VDA version). Citrix Virtual Apps and Desktops (CVAD) 2112 lets you upgrade your Catalogs and Delivery Groups to functional level 2003 assuming all of the VDAs are running 2003 and newer.

    1. Don’t upgrade the Catalog or Delivery Group until all VDAs within the Catalog and Delivery Group are VDA version 2003 or newer.
    2. Right-click the Catalog, and click Upgrade Catalog.
    3. Review the message regarding suitability of the upgrade and then click Upgrade.
    4. Then upgrade the Delivery Groups by right-clicking on a Delivery Group and clicking Upgrade Delivery Group.
    5. Review the suitability message and then click Upgrade.

Other Citrix Virtual Apps and Desktops components can also be in-place upgraded:

New Install Preparation

Long Term Support Release

Citrix Virtual Apps and Desktops (CVAD) 2203 is a Long Term Support Release (LTSR), which receives periodic (usually twice per year) Cumulative Updates with bug fixes, but no new features. CU6 (Cumulative Update 6) is the latest update for 2203. See Lifecycle Milestones for Citrix Virtual Apps & Citrix Virtual Apps and Desktops. See CTX205549 FAQ: Citrix Virtual Apps and Desktops and Citrix Hypervisor Long Term Service Release (LTSR).

OS Compatibility

Delivery Controller 2203 LTSR is supported on Windows Server 2022, Windows Server 2019 and Windows Server 2016. Windows Server 2012 R2 and older are no longer supported.

Virtual Delivery Agent (VDA) 2203 LTSR is only supported on a limited number of Windows operating system versions, specifically, Windows 10 (1607+), Windows Server 2016, Windows Server 2019, and Windows Server 2022.

  • If you have older VDA machines running Windows Server 2012 R2, you can install VDA software version 1912 LTSR. Citrix supports VDA 1912 LTSR communicating with Delivery Controller 2203 LTSR.
  • If you have older VDA machines running Windows 7 or Windows Server 2008 R2, you can install VDA software version 7.15 LTSR. Citrix supports VDA 7.15 LTSR communicating with Delivery Controller 2203 LTSR.

Citrix Licensing

Upgrade your Citrix License Server to 11.17.2.0 build 51000.

  • Citrix now requires Licensing telemetry as described in CTX477614 Citrix License Telemetry FAQ. The build must be 40000 or newer and you must upgrade within 6 months of release.
  • You can run LicServVerify.exe from the Citrix Virtual Apps and Desktops (CVAD) ISO to verify that the License Server is compatible. Example syntax is: "E:\x64\XenDesktop Setup\LicServVerify.exe" -h myLicenseServer -p 27000 -v

Multiple License Types – Multiple license types (but not multiple editions) are supported in a single farm. See CTX223926 How to Configure Multiple License Types within a Single XenApp and XenDesktop Site.

Cloud VDAs support – Delivery Controller 2203 LTSR restores public cloud (native Azure, native AWS, native Google Cloud) hosting connections, but only if your Citrix licenses are Citrix Cloud licenses with Hybrid rights. Normal on-prem licenses won’t work. See CTX270373 Citrix Virtual Apps and Desktops: Public cloud support with Current Releases and Long Term Service Releases.

SQL Databases for Citrix Virtual Apps and Desktops

  • Citrix article CTX114501 – Supported Databases for Virtual Apps and Desktops (XenApp and XenDesktop) AND Provisioning (Provisioning Services)
    • SQL 2022 is supported in CU4 and newer.
    • Citrix Virtual Apps and Desktops (CVAD) 2203 no longer supports SQL 2014 and older.
  • Citrix CTX209080 XenDesktop 7.x: Database Sizing Tool
  • Three databases – There are typically three databases: one for the Site (aka farm), one for Logging (audit log) and one for Monitoring (Director).
    • The name of the monitoring database must not have any spaces in it. See CTX200325 Database Naming Limitation when Citrix Director Accesses Monitoring Data Using OData APIs
    • If you want Citrix Studio to create the SQL databases automatically, then the person running Studio must be a sysadmin on the SQL instances. No lesser SQL role will work. sysadmin permissions can be granted temporarily and revoked after installation.
    • Alternatively, you can use Citrix Studio to create SQL scripts and then ask a DBA to run those scripts on the SQL server. In that case, the person running the scripts only needs the dbcreator and securityadmin roles.
    • It is possible to create the three databases in advance. However, you must use the non-default collation named Latin1_General_100_CI_AS_KS.
  • SQL High Availability Options:
    • Basic Availability Groups – Build two SQL 2016 (or newer) Standard Edition servers, and create three Basic Availability Groups, one for each database. Each Basic Availability Group has its own Listener.
    • AlwaysOn Availability Group – Build two SQL Enterprise Edition servers, and create one AlwaysOn Availability Group with one Listener.
    • Failover Clustering – Build two SQL Enterprise Edition servers, and configure SQL Database Failover Clustering.
  • Cloud – Azure SQL is not supported. AWS RDS is supported by AWS, but not by Citrix. You’ll need to build your own SQL Servers on IaaS VMs.
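When a DBA pre-creates the databases, Studio is not there to catch a wrong collation or a Monitoring name with a space in it, so here is an added PowerShell pre-flight check (not code from the page or from Citrix). It connects over an encrypted, Windows-authenticated SqlClient session, which is present on any Windows Server without the SqlServer module, and reports for each database whether it exists, whether its collation is Latin1_General_100_CI_AS_KS, and whether its name contains whitespace. The listener name and database names are constructed for the illustration; the third name deliberately breaks the no-spaces rule so the failure is visible in the output.

```powershell
# Added example, not from the page or from Citrix: checks pre-created CVAD databases against
# the two constraints above (required collation, no spaces in the Monitoring database name).
# Instance and database names are assumptions.
function Test-CvadDatabase {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string[]]$DatabaseName
    )
    $requiredCollation = 'Latin1_General_100_CI_AS_KS'

    # Encrypted, Windows-authenticated connection; the SQL server certificate must be trusted,
    # so a spoofed listener fails here instead of silently receiving credentials.
    $connString = "Server=$ServerInstance;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $conn.Open()
    try {
        foreach ($name in $DatabaseName) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = 'SELECT collation_name FROM sys.databases WHERE name = @name'
            [void]$cmd.Parameters.AddWithValue('@name', $name)   # parameterised, never string-built
            $collation = $cmd.ExecuteScalar()                     # $null when the database is absent
            $exists = ($null -ne $collation)
            if ($collation -is [DBNull]) { $collation = $null }   # NULL collation (e.g. database offline)

            [pscustomobject]@{
                Database     = $name
                Exists       = $exists
                Collation    = $collation
                CollationOk  = ($collation -ceq $requiredCollation)
                NameHasSpace = ($name -match '\s')
            }
        }
    } finally {
        $conn.Close()
    }
}

# Constructed names for illustration; 'Citrix Monitoring' violates the no-spaces rule on purpose.
Test-CvadDatabase -ServerInstance 'sql-listener.corp.example' `
                  -DatabaseName 'CitrixSite', 'CitrixLogging', 'Citrix Monitoring' |
    Format-Table -AutoSize
```

Run it as the account that will later run Studio (or hand it to the DBA); a row with CollationOk false means the database has to be dropped and recreated with the required collation before the Site is created, because Studio will not alter the collation of an existing database.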

Windows Feature

Installing Group Policy Management (GPMC) on the Delivery Controllers lets you edit Citrix-targeted Group Policy Objects (GPOs) directly from the Delivery Controllers.

Citrix has a Citrix Group Policy Management Plug-in that adds the Citrix Policies node to the Group Policy Editor. The Citrix Group Policy Management Plug-in is included with the installation of Citrix Studio, meaning that running GPMC on the Delivery Controller automatically grants you access to the Citrix Policies node in the GPOs. If you edit GPOs on a machine that doesn’t have Citrix Studio installed, then you won’t see the Citrix Policies node in GPOs until you manually install the Citrix Group Policy Management Plug-in.

vCenter Service Account

Create a role in vSphere Client. Assign a service account to the role at the vCenter Datacenter or higher level. Delivery Controller will use this service account to login to vCenter.

  • vSphere 7 is supported with CVAD 2203.

Delivery Controller New Install

  1. A typical size for the Controller VMs is 2-4 vCPU and 8+ GB of RAM. If all components (Delivery Controller, StoreFront, Licensing, Director, SQL Express) are installed on one server, then you might want to bump up memory to 10 GB or 12 GB. 5 GB is the minimum memory.
  2. From Local Host Cache sizing and scaling at Citrix Docs:
    1. Add two cores for LHC.
    2. For LHC SQL LocalDB, assign the Controller VMs a single CPU socket with multiple cores. SQL LocalDB uses a maximum of one CPU socket. Configure the Delivery Controller VM with four cores per socket.
    3. Add at least 3 GB more RAM and watch the memory consumption.
    4. Since there’s no control over LHC election, ensure all Controllers in the site/farm have the same specs.
  3. Operating System: Citrix Virtual Apps and Desktops (CVAD) 2203 is supported on Windows Server 2022, Windows Server 2019 and Windows Server 2016. Windows Server 2012 R2 and older are no longer supported.
  4. Make sure the User Right Log on as a service includes NT SERVICE\ALL SERVICES or add NT SERVICE\CitrixTelemetryService to the User Right.
  5. Download the Citrix Virtual Apps and Desktops 7 2203 CU6 ISO.
  6. On two Delivery Controllers, to install the Delivery Controller software, run AutoSelect.exe from the mounted 2203 CU6 ISO.
  7. Click Start next to either Virtual Apps or Virtual Apps and Desktops. The only difference is the product name displayed in the installation wizard.
  8. On the top left, click Delivery Controller.
  9. In the Licensing Agreement page, select I have read, understand, and accept the terms, and click Next.
  10. In the Core Components page, you can install all components on one server, or on separate servers. Splitting out the components is only necessary in large environments, or if you have multiple farms and want to share the Licensing, and Director components across those farms. Notice that StoreFront is no longer an option and must be installed separately. Click Next.
  11. In the Features page, uncheck the box next to Install Microsoft SQL Server 2019 Express CU22, and click Next.
  12. In the Firewall page, click Next.
  13. In the Summary page, click Install.
  14. The machine will probably restart a couple times.

    1. After the reboot, and after logging in again, you might see a Locate ‘Citrix Virtual Apps and Desktops 7 LTSR’ installation media window. Don’t click anything yet.
    2. Go to the Citrix_Virtual_Apps_and_Desktops_7_2203_5000.iso file and mount it.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7 LTSR’ installation media window.
    4. On the left, expand This PC, and click the DVD Drive.
    5. Click Select Folder.
    6. Installation will resume. Repeat these instructions after each reboot.
  15. In the Diagnostics page, you can optionally Collect diagnostic information by clicking Connect and entering your Citrix Cloud or MyCitrix.com credentials. Click Next.
  16. In the Finish page, click Finish. Citrix Studio will automatically launch.
  17. Ensure the two Delivery Controller VMs do not run on the same hypervisor host. Create an anti-affinity rule at vSphere Cluster > Manage > VM/Host Rules > Add. Set the Type to Separate Virtual Machines.
  18. Citrix Tech Zone Endpoint Security and Antivirus Best Practices provides guidelines for configuring antivirus software in Citrix Virtual Apps and Desktops environments.

Create Site – Create Database

There are several methods of creating the databases for Citrix Virtual Apps and Desktops (CVAD):

  • If you have sysadmin permissions to SQL, let Citrix Studio create the databases automatically.
  • If you don’t have sysadmin permissions to SQL, then use Citrix Studio to generate SQL scripts, and send the scripts to a DBA.

Use Citrix Studio to Create the Databases Automatically

  1. Launch Citrix Studio. After it loads, click Deliver applications and desktops to your users.
  2. In the Introduction page, select An empty, unconfigured site. This reduces the number of pages in this Setup wizard. The removed pages will be configured later.
  3. Enter a Site Name (aka farm name), and click Next. Only administrators see the farm name.
  4. In the Databases page, if you are building two Delivery Controllers, click Select near the bottom of the same page.

    1. Click Add.
    2. Enter the FQDN of the second Delivery Controller, and click OK. Note: the Delivery Controller software must already be installed on that second machine.
    3. Then click Save.
  5. If the person running Citrix Studio has sysadmin permissions to the SQL Server, then enter the SQL server name/instance in the three Location fields, and click Next.
  6. If you don’t have sysadmin permission, then jump to the SQL Scripts section below.
  7. On the Licensing page, enter the name of the Citrix License Server, and click Connect. If you installed Citrix Licensing with your Delivery Controller, then simply enter localhost.
  8. If the Certificate Authentication appears, select Connect me, and click Confirm.
  9. Select your license type, and click Next. If you see both User/Device and Concurrent, then you usually must select User/Device licenses. Also see Multi-type licensing at Citrix Docs.
  10. In the Summary page, if your databases are mirrored or in an Availability Group, each database will show high availability servers, and the name of the Mirror server. Click Finish.

  11. It will take some time for the site to be created.
  12. Once done, skip to the Second Delivery Controller section.

Use Citrix Studio to create SQL scripts

  1. If you don’t have SQL sysadmin permissions, then change the selection to Generate scripts to manually set up databases on the database server. Change the database names if desired, and click Next.
  2. In the Summary page, click Generate scripts.
  3. A folder will open with many scripts.
    • There’s a Principal script for each of the three databases.
    • The Mixed scripts and SysAdmin scripts create SQL Server logins whereas the DbOwner scripts do not. Either run the Mixed scripts that contain all tasks or run the SysAdmin and DbOwner scripts separately. The idea is that the separate scripts are run by different SQL admins that have different permissions.
    • The Replicas scripts add logons to secondary SQL servers.
  4. Before running the scripts, create the three databases.

    1. At the top of each script is the Database Name that was entered in Citrix Studio. The database name needs to match the script.
    2. On the Options tab, change the Collation to Latin1_General_100_CI_AS_KS.
    3. In the bottom part, find Is Read Committed Snapshot On and set it to True.
    4. Repeat this for all three databases.
    5. You can then add these three databases to an AlwaysOn Availability Group.
  5. Now do the following to run either the Mixed scripts or run the SysAdmin and DbOwner scripts separately. The scripts must be run in SQLCMD mode.
    1. On the Principal SQL Server, open the file Site_Mixed_Principal.sql.

    2. Open the Query menu, and click SQLCMD Mode to enable it.
    3. Then execute the script.
    4. If SQLCMD mode was enabled properly, then the output should look something like this:
    5. If you have a mirrored database, then run the Replicas script on the mirror SQL instance. Make sure SQLCMD mode is enabled.
    6. Repeat for the Logging_Mixed_Principal.sql script.
    7. You’ll have to enable SQLCMD Mode for each script you open.


    8. Repeat for the Monitoring_Mixed_Principal.sql script.
    9. Once again enable SQLCMD Mode.


    10. The person running Citrix Studio must be added to the SQL Server as a SQL Login and granted the public server role so that account can enumerate the databases.

  6. Back in Citrix Studio, click the Continue database configuration and Site setup button.
  7. In the Databases page, enter the SQL server name and instance name, and then click Next.

  8. On the Licensing page, enter the name of the Citrix License Server, and click Connect. If you installed Citrix Licensing with your Delivery Controller, then simply enter localhost.
  9. If the Certificate Authentication window appears, select Connect me, and click Confirm.
  10. Then select your license, and click Next. See CTX223926 How to Configure Multiple License Types within a Single XenApp and XenDesktop Site.
  11. In the Summary page, if your databases are mirrored, each database will show high availability servers and the name of the Mirror server. Click Finish.

  12. It will take some time for the site to be created.

Second Controller

During Site creation on the first Delivery Controller, in the Site Setup wizard, you might have selected more than one Delivery Controller.  In that case, on the second Delivery Controller, simply run Citrix Studio and it should already be configured.

Otherwise, additional Delivery Controllers need to be added to the SQL databases.

  • If you have sysadmin permissions to SQL, let Citrix Studio modify the databases automatically.
  • If you don’t have sysadmin permissions to SQL then use Citrix Studio to generate SQL scripts and send them to a DBA.

To use Citrix Studio to create the SQL Scripts:

  1. On the first Delivery Controller, if StoreFront is installed on the Controller, then delete the default StoreFront store (/Citrix/Store) and recreate it with your desired Store name (e.g. /Citrix/Company).
  2. On the second Delivery Controller machine, install Delivery Controller as detailed earlier.
  3. After installation, launch Citrix Studio on the second controller, and click Connect this Delivery Controller to an existing Site.
  4. Enter the name of the first Delivery Controller, and click OK.
  5. If you don’t have full SQL permissions (sysadmin), click No when asked if you want to update the database automatically.
  6. Click Generate scripts.
  7. A folder will open with multiple SQL scripts. These SQL script files follow the same pattern as the first Delivery Controller where the Mixed scripts do everything, but the DbOwner and SysAdmin scripts are intended to be run by different SQL administration roles. Always run each of these scripts in SQLCMD mode. There are separate scripts for mirrored databases.

    1. On the SQL Server, open one of the .sql files.

    2. Open the Query menu, and click SQLCMD Mode.
    3. Then execute the SQL script.
    4. If SQLCMD mode was enabled properly, then the output should look something like this:
  8. Repeat for the remaining script files. Enable SQLCMD mode for each script.
  9. Back in Citrix Studio, click OK.
  10. In Citrix Studio, under Configuration > Controllers, you should see both controllers.

SSL for Delivery Controller

SSL certificates should be installed on each Delivery Controller to encrypt the traffic between StoreFront and Delivery Controller. The traffic between StoreFront and Delivery Controller contains user credentials.

The SSL certificate on each Delivery Controller needs to match the FQDN of the Delivery Controller.

  • If StoreFront is installed on the Delivery Controller, then you have two FQDNs to consider: the Delivery Controller FQDN, and the StoreFront FQDN. Make sure the certificate matches the Delivery Controller FQDN, but it’s usually not necessary for the same certificate to also match the StoreFront FQDN.
    • The StoreFront certificate is usually hosted on a Citrix ADC SSL Load Balancing Virtual Server. Users connect to Citrix ADC instead of directly to the StoreFront servers. The StoreFront certificate only needs to be valid between the user and the ADC.
    • For the connection between ADC and StoreFront server, ADC does not validate the certificate, so the certificate on the StoreFront server can be anything. That means you can install a certificate that matches the Delivery Controller FQDN and there’s no need for the certificate to match the StoreFront FQDN.

To enable SSL for a Delivery Controller:

  1. Run certlm.msc, go to Personal > Certificates and create or install a server certificate that matches the Delivery Controller’s FQDN. This can be an internally-signed certificate if the StoreFront server trusts internally-signed certificates.
  2. If IIS is installed on the Delivery Controller, then simply run IIS Manager, go to Default Web Site, click Edit Bindings, and add an https binding using the chosen certificate.

If IIS is not installed on the Delivery Controller, then we need to build a command line to bind the certificate to Citrix Broker Service. Binding Your SSL Server Certificate to the Citrix Broker Service by Ray Kareer at CUGC has a script to automate this process.

  1. Open a command prompt as administrator.
  2. Enter the following text but don’t press Enter yet.
    netsh http add sslcert ipport=0.0.0.0:443 certhash=
  3. Right after certhash= paste the certificate thumbprint using the following procedure:
    1. Go to certlm.msc > Personal > Certificates.
    2. Double-click the certificate you want to bind.
    3. On the Details tab, scroll down to Thumbprint and copy the thumbprint.
    4. Paste the thumbprint into the command line we’re building.
    5. Remove the special character at the beginning of the thumbprint.
    6. Remove the spaces.
  4. Add the following to the command line:
     appid=
  5. Michael Shuster at HowTo: Enable SSL on Citrix Delivery Controllers – Easy Method says you can run the following PowerShell to get the Broker Service GUID.
    Get-WmiObject -Class Win32_Product | Select-String -Pattern "broker service"
  6. Paste the GUID for Citrix Broker Service that you got from the Get-WmiObject output. Make sure the GUID has curly braces on both sides with no space between appid= and the left curly brace.
  7. Press <Enter> to run the command.
  8. If you entered everything correctly, then it should say SSL Certificate successfully added.
  9. To confirm the certificate binding, run the following:
    netsh http show sslcert ipport=0.0.0.0:443
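The thumbprint-and-appid procedure above, as an added PowerShell example (not from the original post, Ray Kareer's or Michael Shuster's scripts): it selects the Personal-store certificate that names the Controller FQDN, looks up the Broker Service product code the same way the post does, performs the netsh binding and verifies it. It assumes the script runs elevated on the Delivery Controller, that the Win32_Product name contains "Broker Service", and that the binding target is 0.0.0.0:443.

```powershell
# Added example, not from the original post. Assumptions: runs elevated on the Delivery
# Controller; the MSI product name for the broker contains "Broker Service"; binding on 0.0.0.0:443.

function Get-DdcServerCertificate {
    param([string]$Fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName)
    # Pick the newest certificate in Local Machine > Personal that names the Controller FQDN,
    # has a private key and is currently valid (a renewed cert wins over an expiring one).
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.DnsNameList.Unicode -contains $Fqdn -or
         $_.Subject -match ('CN=' + [regex]::Escape($Fqdn) + '(,|$)'))
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Get-BrokerServiceAppId {
    # Same source the post uses: the Broker Service MSI product code is the netsh appid.
    # Win32_Product enumeration is slow and re-validates every installed MSI package.
    $product = Get-CimInstance -ClassName Win32_Product |
        Where-Object Name -like '*Broker Service*' | Select-Object -First 1
    if (-not $product) { throw 'Citrix Broker Service not found in Win32_Product.' }
    $product.IdentifyingNumber   # already in the form {GUID}, braces included
}

function Set-BrokerSslBinding {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$IpPort = '0.0.0.0:443'
    )
    $appId = Get-BrokerServiceAppId
    # The Thumbprint property is plain upper-case hex, so the "remove the hidden character
    # and the spaces" clean-up from the manual procedure is not needed here.
    $thumb = $Certificate.Thumbprint

    # Replace an existing binding on the port so a renewed certificate actually takes effect.
    $existing = & netsh http show sslcert ipport=$IpPort 2>&1
    if ($LASTEXITCODE -eq 0 -and (($existing -join "`n") -match 'Certificate Hash')) {
        & netsh http delete sslcert ipport=$IpPort | Out-Null
    }
    $out = & netsh http add sslcert ipport=$IpPort certhash=$thumb appid="$appId"
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed: $($out -join ' ')" }

    # Verify that the binding now carries the intended thumbprint (netsh prints it lower-case;
    # -match is case-insensitive).
    $shown = (& netsh http show sslcert ipport=$IpPort) -join "`n"
    if ($shown -notmatch [regex]::Escape($thumb)) { throw 'Binding verification failed.' }
    $shown
}

# Usage (replace the FQDN placeholder):
# $cert = Get-DdcServerCertificate -Fqdn 'ddc01.corp.example'
# if (-not $cert) { throw 'No valid certificate for the Controller FQDN in the Personal store.' }
# Set-BrokerSslBinding -Certificate $cert
```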

Studio – Slow Launch

If your Delivery Controller or Citrix Studio machine doesn’t have Internet access, then the following adjustment can be made if Citrix Studio starts slowly:

  • Within Internet Explorer, go to Tools – Internet Options – Tab Advanced – Section Security, and uncheck the option Check for publisher’s certificate revocation

Registry setting (can be deployed using Group Policy Preferences):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    • "State"=dword:00023e00

Concurrent Logon Hard Limit

From Samuel Legrand XenApp 7.14 – (Really) Manage a DR!: Citrix Policies has a setting called Concurrent Logon Tolerance. However, it is not a hard limit; once the limit is reached, the Controllers continue to let users connect. You can make it a hard limit by setting the following registry value on the Delivery Controllers:

  • HKLM\Software\Policies\Citrix\DesktopServer
    • LogonToleranceIsHardLimit (DWORD) = 1

Local Host Cache

Local Host Cache (LHC) allows new sessions to be started even if the SQL database is unavailable.

From Local Host Cache sizing and scaling at Citrix Docs:

  1. For LHC LocalDB, assign the Controller VMs a single CPU socket with multiple CPU cores.
  2. Add two CPU cores for LHC.
  3. Add at least three more Gigs of RAM and watch the memory consumption.
  4. Since there’s no control over LHC election, ensure all Controllers have the same specs.
  5. The Docs article has scripts for monitoring LHC performance.

From XenApp 7.12, LHC and a reboot at Citrix Discussions:

  • If the rebooted Delivery Controller is the elected one, a different DDC will take over (causing a registration storm), and when the Delivery Controller comes back, it will take over brokering, causing a second registration storm. The site will sort itself out and all will work.
  • If the rebooted Delivery Controller is not the elected one, it will not impact any functionality.
  • If you shut the Delivery Controller down while the site is working and start it during an outage, LHC will not trigger on that machine. This Delivery Controller will not impact LHC unless it becomes the elected one. In that scenario it will take control but not start LHC, and resources would not be available.

Trentent Tye at Citrix XenDesktop/XenApp 7.15 – The local host cache in action has a video showing LHC in action.

As mentioned by Citrix Docs, make sure PowerShell Execution Policy is set to RemoteSigned, Unrestricted, or Bypass.

If you did a fresh install of 2203, then Local Host Cache should be enabled by default. In PowerShell, you can run Get-BrokerSite to confirm.

If not enabled, you can run some PowerShell commands to enable Local Host Cache:

Set-BrokerSite -ConnectionLeasingEnabled $false
Set-BrokerSite -LocalHostCacheEnabled $true

George Spiers Local Host Cache XenApp & XenDesktop shows the Event Log entries when LHC is enabled.

Database Maintenance

Enable Read-Committed Snapshot

The Delivery Controller Database can become heavily utilized under load in a large environment. Therefore, Citrix recommends enabling the Read_Committed_Snapshot option on the Delivery Controller databases to remove contention on the database from read queries. This can improve the interactivity of Studio and Director. It should be noted that this option may increase the load on the tempdb files. See Citrix article CTX137161 How to Enable Read-Committed Snapshot in XenDesktop for configuration instructions.

Change Database Connection Strings

Sometimes the database connection strings need to be modified:

  • When moving the SQL databases to a different SQL server
  • For AlwaysOn Availability Groups, to add MultiSubnetFailover to the SQL connection strings
  • For SQL mirroring, to add Failover Partner to the SQL connection strings

Citrix article CTX114501 – Supported Databases for Virtual Apps and Desktops (XenApp and XenDesktop) AND Provisioning (Provisioning Services)

  • SQL 2022 is supported in CU4 and newer.

Here are general instructions for moving the database and assigning the correct permissions:

  1. Backup the three Citrix databases on the original SQL server and restore them on the new SQL server. See Microsoft’s documentation for details.
  2. In SQL Management Studio > Security > Logins, add the Delivery Controller computer accounts (e.g., CORP\DDC01$)
  3. When adding the SQL Login, on the User Mapping page, select the three Citrix databases (Site database, Monitoring database, and Logging database)
  4. For each of the three Citrix databases, add the Delivery Controller computer account to the various database roles as listed below. The Site database has many more roles than the Logging and Monitoring databases.
    • Site database – ADIdentitySchema_ROLE
    • Site database – Analytics_ROLE (7.8 and newer)
    • Site database – AppLibrarySchema_ROLE (7.8 and newer)
    • Site database – chr_Broker
    • Site database – chr_Controller
    • Site database – ConfigLoggingSchema_ROLE
    • Site database – ConfigLoggingSiteSchema_ROLE
    • Site database – ConfigurationSchema_ROLE
    • Site database – DAS_ROLE
    • Site database – DesktopUpdateManagerSchema_ROLE
    • Site database – EnvTestServiceSchema_ROLE
    • Site database – HostingUnitServiceSchema_ROLE
    • Site database – Monitor_ROLE
    • Site database – MonitorData_ROLE
    • Site database – OrchestrationSchema_ROLE (7.11 and newer)
    • Site database – public
    • Site database – StorefrontSchema_ROLE (7.8 and newer)
    • Site database – TrustSchema_ROLE (7.11 and newer)
    • Monitoring database – Monitor_ROLE
    • Monitoring database – public
    • Logging database – ConfigLoggingSchema_ROLE
    • Logging database – public
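The role assignments above, as an added example (not from the original post or from Citrix): a PowerShell function that emits idempotent T-SQL granting the listed roles to one or more Delivery Controller computer accounts. The database names CitrixSite, CitrixLogging and CitrixMonitoring and the CORP\DDC01$ account are placeholders; the public role is skipped because every database user already belongs to it.

```powershell
# Added example, not from the original post. Placeholders: database names CitrixSite,
# CitrixLogging, CitrixMonitoring and the computer accounts. Running the output needs SSMS
# (SQLCMD mode not required) or Invoke-Sqlcmd from the SqlServer module.

function New-DdcDatabaseGrantScript {
    param(
        [Parameter(Mandatory)][string[]]$ControllerAccount,   # e.g. 'CORP\DDC01$'
        [string]$SiteDb    = 'CitrixSite',
        [string]$LoggingDb = 'CitrixLogging',
        [string]$MonitorDb = 'CitrixMonitoring'
    )
    # Role membership per database, copied from the list above. 'public' is omitted on purpose:
    # every database user is a member of public automatically and the role cannot be altered.
    $roleMap = [ordered]@{
        $SiteDb = @(
            'ADIdentitySchema_ROLE', 'Analytics_ROLE', 'AppLibrarySchema_ROLE',
            'chr_Broker', 'chr_Controller', 'ConfigLoggingSchema_ROLE',
            'ConfigLoggingSiteSchema_ROLE', 'ConfigurationSchema_ROLE', 'DAS_ROLE',
            'DesktopUpdateManagerSchema_ROLE', 'EnvTestServiceSchema_ROLE',
            'HostingUnitServiceSchema_ROLE', 'Monitor_ROLE', 'MonitorData_ROLE',
            'OrchestrationSchema_ROLE', 'StorefrontSchema_ROLE', 'TrustSchema_ROLE')
        $MonitorDb = @('Monitor_ROLE')
        $LoggingDb = @('ConfigLoggingSchema_ROLE')
    }

    $sql = New-Object System.Text.StringBuilder
    foreach ($acct in $ControllerAccount) {
        $q = "[$acct]"
        # Server-level Windows login, created only if missing so the script can be re-run.
        [void]$sql.AppendLine("IF SUSER_ID(N'$acct') IS NULL CREATE LOGIN $q FROM WINDOWS;")
        foreach ($db in $roleMap.Keys) {
            [void]$sql.AppendLine("USE [$db];")
            [void]$sql.AppendLine("IF DATABASE_PRINCIPAL_ID(N'$acct') IS NULL CREATE USER $q FOR LOGIN $q;")
            foreach ($role in $roleMap[$db]) {
                # Roles marked "7.8 and newer" / "7.11 and newer" above may not exist on older
                # schemas, so each membership is guarded by an existence check.
                [void]$sql.AppendLine("IF DATABASE_PRINCIPAL_ID(N'$role') IS NOT NULL ALTER ROLE [$role] ADD MEMBER $q;")
            }
        }
    }
    $sql.ToString()
}

# Usage: generate for both Controllers, review the output, then run it against the new SQL instance.
# $tsql = New-DdcDatabaseGrantScript -ControllerAccount 'CORP\DDC01$', 'CORP\DDC02$'
# $tsql | Set-Content .\grant-ddc.sql
# Invoke-Sqlcmd -ServerInstance 'SQL01\CITRIX' -Query $tsql
```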

From Citrix Docs Update database connection strings when using SQL Server high availability solutions: Citrix offers several PowerShell scripts that update Delivery Controller database connection strings when you are using SQL Server high availability database solutions such as AlwaysOn and mirroring. The scripts, which use the Citrix Virtual Apps and Desktops PowerShell API, are:

  • DBConnectionStringFuncs.ps1: The core script that does the actual work. This script contains common functions that the other scripts use.
  • Change_XD_Failover_Partner_v1.ps1: Updates (adds, changes, or removes) the failover partner. This script prompts for the failover partner location (FQDN) for each database. (Providing a blank failover partner removes the failover partner. You can also use the ClearPartner option to remove a partner.) Do not set the failover partner to the same location as the principal database server.
  • Change_XD_To_ConnectionString.ps1: Uses the provided connection strings to update the connection strings to the databases. This script ensures that certain Citrix services are up and running, and then updates those services in the correct order on all Controllers in the site. Enclose connection string information for each database in quotes.
  • Change_XD_To_MultiSubnetFailover.ps1: Toggles the addition and removal of MultiSubnetFailover=true. If you use AlwaysOn Availability Groups, Microsoft recommends that the connection string include MultiSubnetFailover=true. This option speeds up recovery when a high availability event occurs, and is recommended for both single and multi-subnet environments. Run this script once to add the option. Run the script again to remove it.
  • Change_XD_To_Null.ps1: Resets all the connection strings on the localhost because something has gone wrong. By resetting the connection strings to null, this script places the Controller into an “initial” state. If you run Studio after running this script, you’ll be asked if you want to create a site or join an existing site. This is useful if something has gone wrong and a reset is needed. After the reset, you can try again to set the connection strings.

Here are the DB Connections that must be changed. Make sure you include all of the DB Connections shown below. You can get the full list of database commands by running Get-Command Set-*DBConnection. When changing the DB connections, AdminDBConnection must be the last to be set to NULL, and the first to be configured with the new connection string. Repeat these instructions on all Delivery Controllers in the farm.

Remove the existing Database connections

At the Delivery Controller, open PowerShell as Administrator and run the following commands to clear the existing database connections.

## Disable configuration logging for the XD site:
Set-LogSite -State Disabled

## Clear the current Delivery Controller database connections
## Note: AdminDBConnection must be the last command
Set-ConfigDBConnection -DBConnection $null
Set-AppLibDBConnection -DBConnection $null    #7.8 and newer
Set-OrchDBConnection -DBConnection $null      #7.11 and newer
Set-TrustDBConnection -DBConnection $null     #7.11 and newer
Set-AcctDBConnection -DBConnection $null
Set-AnalyticsDBConnection -DBConnection $null # 7.6 and newer
Set-HypDBConnection -DBConnection $null
Set-ProvDBConnection -DBConnection $null
Set-BrokerDBConnection -DBConnection $null
Set-EnvTestDBConnection -DBConnection $null
Set-SfDBConnection -DBConnection $null
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null   #Monitoring Database
Set-MonitorDBConnection -DBConnection $null                      #Site Database
Set-LogDBConnection -DataStore Logging -DBConnection $null       #Logging Database
Set-LogDBConnection -DBConnection $null                          #Site Database
Set-AdminDBConnection -DBConnection $null -force

Specify the new Database connection strings

Run the following commands to set the new SQL connection strings. Adjust the variables to match your desired connection string. For example, if you wish to add “;MultiSubnetFailover=True” to the connection strings, then set the $csSite variable to "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True;MultiSubnetFailover=True". Repeat this for the $csLogging and $csMonitoring variables.

## Replace <dbserver> with the SQL server name, and instance if present, e.g "ServerName\SQLInstanceName". If no SQL Instance name is mentioned, this commandlet will try to connect to the default SQL instance.
## Replace <dbname> with the name of your restored Database
## Note: AdminDBConnection should be first

$ServerName = "<dbserver>"
$SiteDBName = "<SiteDbName>"
$LogDBName = "<LoggingDbName>"
$MonitorDBName = "<MonitorDbName>"
$csSite = "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True;MultiSubnetFailover=True"
$csLogging = "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True;MultiSubnetFailover=True"
$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True;MultiSubnetFailover=True"

Set-AdminDBConnection -DBConnection $csSite
Set-ConfigDBConnection -DBConnection $csSite
Set-AcctDBConnection -DBConnection $csSite
Set-AnalyticsDBConnection -DBConnection $csSite # 7.6 and newer
Set-HypDBConnection -DBConnection $csSite 
Set-ProvDBConnection -DBConnection $csSite
Set-AppLibDBConnection -DBConnection $csSite # 7.8 and newer
Set-OrchDBConnection -DBConnection $csSite # 7.11 and newer
Set-TrustDBConnection -DBConnection $csSite # 7.11 and newer
Set-BrokerDBConnection -DBConnection $csSite
Set-EnvTestDBConnection -DBConnection $csSite
Set-SfDBConnection -DBConnection $csSite
Set-LogDBConnection -DBConnection $csSite
Set-LogDBConnection -DataStore Logging -DBConnection $null
Set-LogDBConnection -DBConnection $null
Set-LogDBConnection -DBConnection $csSite
Set-LogDBConnection -DataStore Logging -DBConnection $csLogging
Set-MonitorDBConnection -DBConnection $csSite
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null
Set-MonitorDBConnection -DBConnection $null
Set-MonitorDBConnection -DBConnection $csSite
Set-MonitorDBConnection -DataStore Monitor -DBConnection $csMonitoring
Set-LogSite -State Enabled

Test the new Database connection strings

Run the following commands to verify connectivity to the database:

## Copy these variables from the previous step
## If you haven’t closed your PowerShell window, then the variables might still be defined. In that case, just run the Test commands
$ServerName = "<dbserver>"
$SiteDBName = "<SiteDbName>"
$LogDBName = "<LoggingDbName>"
$MonitorDBName = "<MonitorDbName>"
$csSite = "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True"
$csLogging = "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True"
$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True"

Test-AcctDBConnection -DBConnection $csSite
Test-AdminDBConnection -DBConnection $csSite
Test-AnalyticsDBConnection -DBConnection $csSite # 7.6 and newer
Test-AppLibDBConnection -DBConnection $csSite # 7.8 and newer
Test-BrokerDBConnection -DBConnection $csSite
Test-ConfigDBConnection -DBConnection $csSite
Test-EnvTestDBConnection -DBConnection $csSite
Test-HypDBConnection -DBConnection $csSite
Test-LogDBConnection -DBConnection $csSite
Test-LogDBConnection -DataStore Logging -DBConnection $csLogging
Test-MonitorDBConnection -DBConnection $csSite
Test-MonitorDBConnection -DataStore Monitor -DBConnection $csMonitoring
Test-OrchDBConnection -DBConnection $csSite # 7.11 and newer
Test-ProvDBConnection -DBConnection $csSite
Test-SfDBConnection -DBConnection $csSite
Test-TrustDBConnection -DBConnection $csSite # 7.11 and newer

Director Grooming

If your Citrix Virtual Apps and Desktops is not Premium Edition, then all historical Director data is groomed at 30 days.

For Citrix Virtual Apps and Desktops Premium Edition, by default, most of the historical Director data is groomed at 90 days. This can be adjusted up to 367 days by running a PowerShell cmdlet.

  1. On a Delivery Controller, run PowerShell elevated (as administrator).
  2. Run Get-MonitorConfiguration to see the current grooming settings.
  3. Run Set-MonitorConfiguration to change the grooming settings.

View Logging Database

To view the contents of the Logging Database, in Studio, click the Logging node. On the right is Create Custom Report. See Citrix article CTX138132 Viewing Configuration Logging Data Not Shown for more info.

The Logging Database can be queried using Get-LogLowLevelOperation. See Stefan Beckmann Get user who set maintenance mode for a server or client for an example script that uses this PowerShell cmdlet.

Logging Database Grooming

By default, the Logging Database does not groom old entries. You can enable grooming in Citrix PowerShell by running the Set-LogSite cmdlet with the -LoggingDBPurgeDurationDays parameter. More info at Schedule periodic data deletion at Citrix Docs.

Export/Import Configuration

Ryan Butler has a PowerShell script that can export configuration from one Citrix Virtual Apps and Desktops farm and import it to another.

Kaspars Vilde at XenDesktop/XenApp 7.X Applications – Exporting / Importing at Citrix Discussions has scripts to export published apps from one farm and import to another farm.

Studio Administrators

Full Administrators

  1. In the Studio, under Configuration, click the Administrators node. The first time you access the node you’ll see a Welcome page. Feel free to check the box to Don’t show this again, and then click Close.
  2. On the Administrators tab, right-click, and click Create Administrator.
  3. In the Administrator and Scope page, Browse to a group (e.g. Citrix Admins) that will have permissions to Citrix Studio and Director. These groups typically have access to all objects, so select the All scope. Alternatively, you can create a Scope to limit the objects. Click Next.
  4. On the Role page, select a role, and then click Next. For example:
    • Full Administrator for the Citrix Admins group
    • Help Desk Administrator for the Help Desk group
    • Machine Catalog Administrator for the desktop team
  5. In the Summary page, click Finish.

Help Desk

  1. In Citrix Studio, under Configuration, click the Administrators node. On the Administrators tab, right-click, and click Create Administrator.
  2. In the Administrator and Scope page, Browse to a Help Desk group that will have permissions to Citrix Studio and Director. Select the All scope. And click Next.
  3. On the Role page, select the Help Desk Administrator role, and then click Next.
  4. In the Summary page, click Finish.
  5. When administrators in the Help Desk role log into Director, all they see is this.

    To jazz it up a little, add the Help Desk group to the read-only role.
  6. Right-click the Help Desk Administrator, and click Edit Administrator.
  7. Click Add.
  8. In the Scope page, select a scope, and click Next.
  9. In the Role page, select Read Only Administrator, and click Next.
  10. In the Summary page, click Finish.
  11. Then click OK. Now Director will display the dashboard.

Customer Experience Improvement Program

Citrix Virtual Apps and Desktops enables CEIP by default. If desired, you can disable it in Citrix Studio:

  1. On the left, go to the Configuration node.
  2. On the right, switch to the Product Support tab.
  3. Click End.
  4. Click Yes.

Citrix Studio collects data for Google Analytics. You can disable this in the registry at HKLM\Software\Citrix\DesktopStudio\GAEnabled = 0.

Each Citrix Virtual Apps and Desktops component has a separate configuration for disabling Customer Experience Improvement Program:

Hosting Connection – VMware vCenter

Citrix Virtual Apps and Desktops uses an Active Directory service account to log into VMware vCenter. This service account needs specific permissions in vCenter. To facilitate assigning these permissions, create a new vCenter role and assign it to the service account. The permissions should be applied at the vCenter datacenter object or higher level.

Import vCenter Root Certificate

If the vCenter certificate is valid and trusted, then you can skip to the Hosting Resource section.

For newer versions of vCenter, you can import the root certificate that signed the vCenter Server/Appliance certificate.

  1. Point your browser to the root path of the vCenter Server URL.
  2. On the bottom right, click Download trusted root CA certificates.
  3. Extract the downloaded files.
  4. Go to \certs\win.
  5. Sort the files by date, and double-click the newest .crt file.
  6. On the General tab, click Install Certificate.
  7. In the Welcome to the Certificate Import Wizard page, change the Store Location selection to Local Machine, and click Next.
  8. In the Certificate Store page, click Browse.
  9. Select Trusted Root Certification Authorities, and click OK.
  10. In the Completing the Certificate Import Wizard page, click Finish.
  11. If you close your browser and reopen it, and then go to the vCenter URL, there should no longer be any certificate errors.
  12. Skip to the Hosting Resource section.

Import vCenter Certificate

If the vCenter certificate is valid and trusted, then you can skip to the Hosting Resource section.

Alternatively, you can import the actual vCenter Server certificate (instead of the root). This is the only option for older self-signed vCenter certificates.

Newer versions of Citrix Virtual Apps and Desktops (CVAD) have the ability to import the vCenter certificate thumbprint into the database so every Delivery Controller trusts it. However, it is difficult to update the thumbprint whenever the vCenter certificate changes. It might instead be more reliable to use the older method of configuring the Trusted People store on the Delivery Controllers. Whenever the vCenter certificate is changed, you’ll need to repeat these steps.

  1. Get the vCenter certificate.
    1. Open a browser and point it to the vCenter URL. Note: this procedure to get the certificate won’t work in Internet Explorer.
    2. In Google Chrome, click the Secure box in the address bar, and then click Certificate.
    3. On the Details tab, click Copy to File.
    4. In the Welcome to the Certificate Export Wizard page, click Next.
    5. In the Export File Format page, either format will work. Click Next.
    6. In the File to Export page, browse to a new file, and click Next.
    7. In the Completing the Certificate Export Wizard page, click Finish.
  2. On the Delivery Controller, run certlm.msc. This opens the MMC console with the Certificates snap-in already added and pointing to Local computer.
  3. On the left, right-click the Trusted People node, expand All Tasks, and click Import.
  4. In the Welcome to the Certificate Import Wizard page, click Next.
  5. In the File to Import page, browse to the certificate you saved earlier, and click Next.
  6. In the Certificate Store page, click Next.
  7. In the Completing the Certificate Import Wizard page, click Finish.
  8. Click OK to acknowledge that the import was successful.
  9. Repeat these steps on the second Delivery Controller. It is important that you import the certificate on all Delivery Controllers before you add the Hosting Resource in Citrix Studio.
  10. Importing into Trusted People satisfies the Delivery Controller's hypervisor plug-in check, which is what the next section exercises. Browsers only consult Trusted Root Certification Authorities, so a browser on the Controller might still warn about the vCenter certificate; that does not mean the import failed.
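
The procedure above, scripted in PowerShell, as an added example that is not part of the original article: it pulls the certificate that vCenter presents on TCP 443, compares its SHA-1 thumbprint to a value obtained out of band (for example from the vCenter administrator) before trusting it, and then imports it into the Trusted People store on every Delivery Controller over WinRM. The vCenter FQDN, the Controller names and the expected thumbprint are placeholders; the thumbprint comparison is the step the GUI procedure leaves to the operator, and it is what stops you from distributing a certificate served by a spoofed vCenter.

```powershell
# Added example, not from the original article. Placeholders: vCenter FQDN, Controller names,
# expected thumbprint. Run from a machine with WinRM access to the Delivery Controllers.
$vCenterFqdn         = 'vcenter01.corp.local'                         # must match the Hosting Connection URL
$expectedThumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567'     # placeholder; obtain out of band
$deliveryControllers = @('ddc01.corp.local', 'ddc02.corp.local')      # placeholders; import on ALL Controllers

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback returns $true because we are only retrieving the certificate here,
        # not trusting it. Trust is decided by the thumbprint comparison below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        # Wrap the X509Certificate so Thumbprint and Export() are available
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally { $tcp.Close() }
}

$cert = Get-RemoteTlsCertificate -HostName $vCenterFqdn
"Subject:    {0}`nIssuer:     {1}`nExpires:    {2}`nThumbprint: {3}" -f `
    $cert.Subject, $cert.Issuer, $cert.NotAfter, $cert.Thumbprint

# Normalise the out-of-band value (strip colons/spaces) and fail closed on any mismatch
$expected = ($expectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: expected $expected, got $($cert.Thumbprint). Refusing to import."
}

# DER export; the article notes that either DER or Base-64 is accepted by the import
$certBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

foreach ($ddc in $deliveryControllers) {
    # (,$certBytes) keeps the byte array as a single argument instead of unrolling it
    Invoke-Command -ComputerName $ddc -ArgumentList (,$certBytes) -ScriptBlock {
        param([byte[]]$Bytes)
        $c     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Bytes)
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPeople', 'LocalMachine'
        $store.Open('ReadWrite')
        try {
            # Idempotent: only add if this exact certificate is not already present
            if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $c.Thumbprint })) {
                $store.Add($c)
            }
        }
        finally { $store.Close() }
        "{0}: TrustedPeople contains {1}" -f $env:COMPUTERNAME, $c.Thumbprint
    }
}
```

Set the expected thumbprint before running; with the placeholder value the script stops at the comparison, which is the intended fail-closed behaviour. When the vCenter certificate is renewed, rerun the script with the new thumbprint, since the article notes the Trusted People method has to be repeated after every certificate change. For the CA-signed case in the previous section, the same import loop applies, with the CA certificate file as input and 'Root' as the store name instead of 'TrustedPeople'.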

Hosting Resources

Hosting Resources are used by both Machine Creation Services (MCS) and by Citrix Provisioning’s CVAD Setup Wizard.

A Hosting Resource = vCenter + Cluster (Resource Pool) + Storage + Network. When you create a machine catalog, you select a previously created Hosting Resource and the new virtual machines are created on the Cluster, Storage, and Network defined in the Hosting Resource object. If you need some VDA machines on a different Cluster+Storage+Network, then you’ll need to define more Hosting Resources in Studio.

Hosting Connections and Hosting Resources are two different objects. The Hosting Connection defines the type of hypervisor and the credentials that Delivery Controller uses to log into the hypervisor. A single Hosting Connection can have multiple Hosting Resources for multiple clusters, multiple datastores, etc. The first time you run the wizard both objects are created. Later you add Hosting Resources to a pre-existing Hosting Connection.

Citrix CTX131239 Supported Hypervisors for Virtual Desktops and Provisioning (Provisioning Services). vSphere 7 is supported in CVAD 2203. SCVMM 2019 is supported in CVAD 2203.

  1. In Citrix Studio, expand Configuration and click Hosting. Right-click Hosting, and click Add Connection and Resources.
  2. In the Connection page, for Connection type, select VMware vSphere.
  3. Notice there’s a Learn about user permissions blue link to an article that describes the necessary permissions.
  4. In the Connection address field, enter a vCenter URL similar to https://vcenter01.corp.local/sdk. The URL must contain the FQDN of the vCenter server, and that FQDN must be one of the names on the vCenter certificate you trusted in the previous section.
  5. Enter credentials of a service account that can log into vCenter.
  6. In the Connection name field, give the connection a name. Typically, this matches the name of the vCenter server.
  7. If you are not using Machine Creation Services (MCS) or Citrix Provisioning (PVS) and instead only need the vCenter connection for machine power management, change the Create virtual machines using selection to Other Tools.
  8. If you intend to use MCS or PVS, leave Create virtual machines using set to Studio Tools.
  9. Click Next.

  10. In the Storage Management page, click Browse and select a vSphere cluster.
    • Note: as detailed at CTX223662, make sure there’s no comma in the datacenter name.
  11. Select Use storage shared by hypervisors.
  12. Beware of Optimize temporary data on available local storage. From Mark Syms at Citrix Discussions: “If you use just MCS caching to local storage then the VM is not agile at all and cannot be moved even when powered off as it has a virtual disk permanently associated with a single host.”
  13. Click Next.
  14. In the Storage Selection page, OS and Temporary must be selected on at least one datastore.

    • For maximum virtual machine placement flexibility, only select one datastore per Hosting Resource. To select additional datastores, run this wizard again to create a separate Hosting Resource for each datastore.
    • When creating a Machine Catalog you select a Hosting Resource. If the Hosting Resource only has one datastore selected, then you know which datastore the new VMs will be placed on. However, if the Hosting Resource has multiple datastores, then the datastores are selected round robin and you don’t have any control over which datastore is selected for each new machine.
  15. If you selected the temporary data on local storage option, on the bottom, click Select, and choose the datastores you want to use for disk caching. By default, all local datastores are selected. Click Next when done.
  16. In the Network page, enter a name for the Hosting Resource. Since each Hosting Resource is a combination of vCenter, Cluster, Network, and Datastores include those names in this field (e.g. vCenter01-Cluster01-Network01-Datastore01).
  17. Select a network and click Next.
  18. In the Summary page, click Finish.
  19. If you need to rename Storage, Network, or Datacenters in vCenter, see Citrix CTX225019 XA/XD 7.13: Renaming Storage, Network or Datacenters When Used With MCS or PVS. Either run Update-HypHypervisorConnection -LiteralPath "XDHyp:\Connections\MyConnection", or right-click the Hosting Resource and click Edit Storage. You can cancel the wizard.

If you have multiple datastores for your VDAs, then create multiple Hosting Resources (one for each datastore):

  1. Run the Add Connection and Resources wizard again.
  2. You can use the existing vCenter connection.
  3. This time, select a different datastore. Remember, don’t select more than one datastore per Hosting Resource.
  4. Give the Hosting Resource a name that indicates the chosen datastore.
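
The same layout built with the Citrix PowerShell SDK on a Delivery Controller, as an added example that is not part of the original article: one vSphere Hosting Connection, then one Hosting Resource (hosting unit) per datastore, named so the datastore is obvious in Studio. The vCenter URL, datacenter, cluster, network and datastore names are placeholders. The XDHyp inventory paths follow the <name>.<type> convention of the XDHyp: drive; confirm the real paths with Get-ChildItem XDHyp:\Connections\<name> before relying on them, and check the dynamic parameter names with Get-Help New-Item if your SDK version differs.

```powershell
# Added example, not from the original article. Run in Windows PowerShell on a Delivery
# Controller as a Citrix Full Administrator. All inventory names below are placeholders.
Add-PSSnapin Citrix.Host.Admin.V2, Citrix.Broker.Admin.V2 -ErrorAction Stop

$connName   = 'vCenter01'
$vcUrl      = 'https://vcenter01.corp.local/sdk'   # FQDN and /sdk are both required
$dc         = 'DC01'                                # datacenter name; no commas (CTX223662)
$cluster    = 'Cluster01'
$network    = 'VLAN100'
$datastores = @('Datastore01', 'Datastore02')       # one Hosting Resource per entry

$cred = Get-Credential -Message 'vCenter service account with the permissions from the Citrix permission list'

# 1. Hosting Connection: hypervisor type plus credentials, created once.
#    (-SslThumbprints would pin the vCenter certificate in the database instead of relying on
#    Trusted People; the article explains why that is harder to maintain across renewals.)
if (-not (Test-Path "XDHyp:\Connections\$connName")) {
    $conn = New-Item -Path "XDHyp:\Connections\$connName" `
                     -ConnectionType 'VCenter' `
                     -HypervisorAddress $vcUrl `
                     -UserName $cred.UserName `
                     -SecurePassword $cred.Password `
                     -Persist
    # Register with the Broker so Studio and power management see the connection
    New-BrokerHypervisorConnection -HypHypervisorConnectionUid $conn.HypervisorConnectionUid | Out-Null
}

# Inventory paths: the root of a Hosting Resource is the cluster.
$rootPath    = "XDHyp:\Connections\$connName\$dc.datacenter\$cluster.cluster"
$networkPath = "$rootPath\$network.network"

# 2. One Hosting Resource per datastore, so catalog placement is deterministic.
foreach ($ds in $datastores) {
    $unitName = "$connName-$cluster-$network-$ds"
    if (Test-Path "XDHyp:\HostingUnits\$unitName") { continue }   # idempotent rerun

    $storagePath = "$rootPath\$ds.storage"
    if (-not (Test-Path $storagePath)) { throw "Datastore not found in inventory: $storagePath" }

    New-Item -Path "XDHyp:\HostingUnits\$unitName" `
             -HypervisorConnectionName $connName `
             -RootPath $rootPath `
             -NetworkPath $networkPath `
             -StoragePath $storagePath | Out-Null
    Write-Host "Created Hosting Resource $unitName"
}

# 3. Review: every unit should list exactly one storage path
Get-ChildItem XDHyp:\HostingUnits | Format-List HostingUnitName, RootPath, Storage
```

Because the script only ever passes a single -StoragePath per hosting unit, it cannot produce the multi-datastore round-robin placement the article warns about; adding a datastore means adding another unit, not another path.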

When you later create a MCS Machine Catalog:

  1. Select the Hosting Resource for the datastore where you want the VDAs to be placed.
  2. You can create multiple Machine Catalogs, with each of them on different datastores. You can then combine the Catalogs into a single Delivery Group.
  3. Later in the Machine Catalog wizard, you’re given an option to enable MCS memory caching and select a cache size. This is similar to the Citrix Provisioning (PVS) option “Cache in RAM with overflow to disk”. Only enable MCS memory caching if your storage is not “all flash” and thus needs IOPS reduction. This MCS memory caching requires the MCSIO driver to be selected when installing Citrix Virtual Delivery Agent software on the VDA machines.

Citrix License Server

Upgrade Citrix License Server to version 11.17.2.0 build 51000, which might be newer than what’s on the CVAD ISO.

New License Server

If you’re building a new standalone Citrix License Server:

  1. Citrix now requires Licensing telemetry as described in CTX477614 Citrix License Telemetry FAQ. The build must be 40000 or newer and you must upgrade within 6 months of release.
  2. Extract the downloaded Citrix Licensing 11.17.2.0 build 51000.
  3. Run CitrixLicensing.exe
  4. In the Software License Agreement page, check the box next to I have read, understand, and accept the terms, and click Next.
  5. In the Install Location page, click Next.
  6. In the Configure Ports page, click Next.
  7. In the Configure Customer Success Services Renewal page, click Install.
  8. In the Summary page, click Finish.

Upgrade License Server

Upgrade your Citrix License Server to 11.17.2.0 build 51000 if it isn’t already.

  1. Citrix now requires Licensing telemetry as described in CTX477614 Citrix License Telemetry FAQ. The build must be 40000 or newer and you must upgrade within 6 months of release.
  2. Go to the downloaded Citrix Licensing 11.17.2.0 build 51000 and run CitrixLicensing.exe.

  3. If you see the Subscription Advantage Renewal page, make a selection, and click Next.
  4. In the Upgrade page, click Upgrade.
  5. Click Finish.
  6. Citrix License Server no longer includes the License Administration Console (:8082). Use Citrix Licensing Manager (:8083) instead.
  7. If you login to the Citrix Licensing Manager (:8083), the top of the page shows the version number.

  8. After upgrading Citrix License Server, in Citrix Studio, go to Configuration > Licensing.
  9. On the right, click Authenticate Certificate.
  10. Change the selection to Connect me, and click Confirm.

Citrix Licensing Manager

Newer versions of License Server come with a new management web site.

  1. From the Start Menu, run Citrix Licensing Manager. Or go to https://<My_Licensing_Server>:8083
  2. You might be prompted to login.

    • To eliminate this login, add the License Server URL to the Local Intranet zone.
  3. Licensing Manager might prompt you to register with Citrix Cloud.

    1. On the Settings > Usage and Statistics page, in the Share usage statistics with Citrix section, click Register.
    2. You’ll see a screen with a registration code. Click the Copy button and then click Register to be taken to Citrix Cloud.
    3. The Register button in the Citrix License Server takes you to Identity and Access Management > API Access > Product Registrations. Click Register.
    4. Paste in the copied code and then click Continue.
    5. Click Register.
    6. Back in the on-premises Licensing Manager, it will eventually show as Registered.
    7. On the same Usage & Statistics page, scroll down, and then click Upload now. This should cause data to upload to Citrix Cloud and show up in Citrix Cloud Licensing.
  4. Licensing Manager 11.17.2.0 build 43000 and newer has a Product Information tab showing you component versions.
  5. Licensing Manager has a new Dashboard page to replace the one in the License Administration Console.

    • Click the arrow next to a license to see when it expires and the number of licenses in use.
  6. Click the gear icon on the top right to open the settings tabs.
  7. On the Account tab, you can add License Server Administrators.
  8. The Update Licenses tab lets you check for license renewals and download them.

Activate Citrix License

The easy way to install and activate a Citrix license is through Citrix Studio:

  1. In Citrix Studio, expand Configuration, right-click Licensing, and click Allocate Licenses.
  2. Enter the license access code and click Show.
  3. Then click the Allocate licenses button.

    • Another method of allocating licenses is in the Citrix Licensing Manager at https://MyLicenseServer:8083 > Install Licenses tab.
  4. After licenses are installed, right-click the Licensing node, and click Edit Product Edition
  5. Change the edition to match your licenses. If you see both Virtual Apps and Virtual Desktops licenses, you must select Virtual Desktops. If you see both Concurrent and User/Device, then you must select User/Device. Click OK when done.
  6. Citrix Virtual Apps and Desktops supports mixed licensing in a single site/farm. See the following:

License Server CEIP

Citrix License Server enables CEIP by default. This can be disabled:

  1. In the Citrix Licensing Manager (https://MyLicenseServer:8083) by clicking the gear icon.
  2. Switch to the Usage and Statistics tab and make a selection in the Share usage statistics with Citrix section.

Citrix License Management Service

Citrix License Server includes the Citrix License Management Service. This service helps you avoid prohibited practices:

  • Duplication of licenses outside a Disaster Recovery (DR) environment
  • Use of legacy licenses for new product versions
  • Use of rescinded licenses

Citrix License Server Monitoring

Citrix Licensing Manager has historical usage reporting:

  1. Run Citrix Licensing Manager from the Start Menu. Or use a browser to connect to https://MyLicenseServer:8083
  2. On the Historical Use tab, use the drop-down menus to select a license type, select dates, and export to a .csv file.
  3. At the bottom of this page is a link to change the retention period.

Jonathan Medd Monitor Citrix License Usage With PowerShell.

Lal Mohan – Citrix License Usage Monitoring Using Powershell
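
A compact version of what those scripts do, as an added example that is not part of the original article or of either linked script: it reads the per-product license pools from the License Server's WMI provider, computes utilisation, and exits non-zero when a pool crosses a threshold so a scheduler or monitoring agent can alert. The Citrix_GT_License_Pool class and its PLD, Count, InUseCount and PooledAvailable properties are the ones the linked scripts query; the server name and threshold are placeholders, and you should confirm the class is still present on your build with Get-CimClass -Namespace ROOT\CitrixLicensing.

```powershell
# Added example, not from the original article. Placeholders: license server name, threshold.
# Get-CimInstance uses WinRM to reach the license server; Get-WmiObject (DCOM) is the alternative.
function Get-CitrixLicenseUsage {
    param(
        [string]$LicenseServer = 'ctxlic01.corp.local',   # placeholder
        [int]$WarnPercent = 80
    )
    # PLD = product/feature code, Count = installed, InUseCount = checked out
    $pools = Get-CimInstance -ComputerName $LicenseServer `
                             -Namespace 'ROOT\CitrixLicensing' `
                             -ClassName 'Citrix_GT_License_Pool'

    foreach ($p in $pools) {
        if ($p.Count -eq 0) { continue }    # skip empty/placeholder pools
        $pct = [math]::Round(100 * $p.InUseCount / $p.Count, 1)
        [pscustomobject]@{
            Product   = $p.PLD
            Installed = $p.Count
            InUse     = $p.InUseCount
            Available = $p.PooledAvailable
            Percent   = $pct
            Warning   = ($pct -ge $WarnPercent)
        }
    }
}

$usage = Get-CitrixLicenseUsage
$usage | Sort-Object Percent -Descending | Format-Table -AutoSize

# Non-zero exit lets Task Scheduler or a monitoring agent raise an alert
if ($usage | Where-Object Warning) { exit 1 }
```

Run it under an account that is allowed to read WMI on the License Server; it only needs read access to the ROOT\CitrixLicensing namespace, not License Server administrator rights.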

Remote Desktop Licensing Server

Install Remote Desktop Licensing Server

Do the following on your Delivery Controllers:

  1. In Server Manager, open the Manage menu, and click Add Roles and Features.
  2. In the Installation Type page, select Role-based or feature-based installation.
  3. Click Next until you get to the Server Roles page. Check the box next to Remote Desktop Services, and click Next.
  4. Click Next until you get to the Role Services page. Check the box next to Remote Desktop Licensing, and click Next.
  5. Click Add Features if prompted.
  6. Then finish the wizard to install the role service.

Activate Remote Desktop Licensing

  1. After RD Licensing is installed, in Server Manager, open the Tools menu, expand Terminal Services (or Remote Desktop Services), and click Remote Desktop Licensing Manager.
  2. The tool should find the local server. If it does not, right-click All servers, click Connect, and type in the name of the local server.
  3. Once the local server can be seen in the list, right-click the server and click Activate Server.
  4. In the Welcome to the Activate Server Wizard page, click Next.
  5. In the Connection Method page, click Next.
  6. In the first Company Information page, enter the required information (name, company, and country/region), and click Next.
  7. All of the fields on the second Company Information page are optional, so you can leave them blank. Click Next.
  8. In the Completing the Activate Server Wizard page, uncheck the box next to Start Install Licenses Wizard now, and click Finish. Since the session hosts will be configured to pull Per User licenses, there is no need to install licenses on the RD Licensing Server.
  9. In RD Licensing Manager, right-click the server, and click Review Configuration.
  10. Ensure you have green check marks. If the person installing Remote Desktop Licensing does not have permissions to add the server to the Terminal Server License Servers group in Active Directory, ask a domain admin to do it manually. If you have the proper permissions, click Add to Group.
  11. Click Continue when prompted that you must have Domain Admins privileges.
  12. Click OK when prompted that the computer account has been added.
  13. Click OK to close the window.

Citrix Scout

Delivery Controller includes Citrix Scout that can be launched from the Start Menu.

The tool can run a manual collection, run a trace, schedule periodic collection, or run a Health Check.

Health Check:

  1. When adding machines, you can select StoreFront or Windows VDA.
  2. When you select machines, it might tell you to enable PSRemoting.
  3. WinRM is usually not enabled on desktop machines. Log in to the machine, open a command prompt as administrator, and run winrm quickconfig. WinRM can also be enabled through Group Policy.
  4. Go back to Citrix Scout and click Continue.
  5. Click Start Checking.
  6. You can click View Details to view the issues it found.

Collect:

  1. The wizard is identical to the Health Check wizard, except there’s another screen to upload the data.

  2. If you upload using Citrix Cloud credentials, then you need to Generate a token.
  3. After logging into Citrix Cloud, copy the token.
  4. Go back to Citrix Scout and paste the token. Click Continue.
  5. Click Start Upload.
  6. Click View Analysis.

Links with more information:

Citrix Virtual Apps and Desktops Health Check

Sacha Thomet Finally 1.0 – but never finalized!: XenApp & XenDesktop 7.x Health Check script has now Version 1.0.

Pavan900 posted a PowerShell-based Health Check script at Citrix Studi – Colors for Maintenance Mode at Citrix Discussions.

Andrew Morgan – New Free Tool: Citrix Director Notification Service: The Citrix Director Notification service sits on an edge server as a service (or local to the delivery controller) and periodically checks the health of:

  • Citrix Licensing.
  • Database Connections.
  • Broker Service.
  • Core Services.
  • Hypervisor Connections.

And if any of these items fall out of bounds, an SMTP alert is sent to the mailbox of your choice for action. The tool will also send “All Clear” emails when these items are resolved, ensuring you are aware when the service has resumed a healthy state.

NetScaler Console 14.1 – Citrix ADM 13.1

Last Modified: Feb 27, 2025 @ 8:08 am

In early 2024, NetScaler renamed Application Delivery Management (ADM) to NetScaler Console.

This post is for versions NetScaler Console 14.1 through Citrix ADM 13.1.

Planning

Why NetScaler Console?

NetScaler Console 14.1 build 38.53 and newer have a new GUI. 

NetScaler Console (formerly ADM) enables every NetScaler administrator to achieve the following:

  • Alert notifications – Receive email alerts whenever something goes down. For example, if a Load Balancing service goes down, you can receive an email alert.
    • NetScaler Console can email you for any SNMP trap produced by any NetScaler ADC appliance.
  • Automatically backup all NetScaler ADC instances.
    • NetScaler Console can even transfer the backups to an external system, which is then backed up by a normal backup tool.
  • SSL Certificate Expiration – Alert you when SSL certificates are about to expire.
    • Show you all SSL certificates across all NetScaler ADC appliances.
  • Configuration Record and Play – Use the Configuration Recorder to configure one NetScaler ADC appliance, and then push out the same configuration changes to additional appliances. This is the easiest method of managing NetScaler ADC appliances in multiple datacenters.
  • AppFlow Reporting – Receive ICA AppFlow traffic from NetScaler Gateway and show it in graphs.
    • Integrate NetScaler Console with Citrix Director so Help Desk can see the AppFlow data.

Everything listed above is completely free, so there’s no reason not to deploy NetScaler Console.

NetScaler Console Overview

For an overview of NetScaler Console, see Citrix’s YouTube video Citrix NetScaler MAS: Application visibility and control in the cloud.

Citrix Tech Zone Citrix Application Delivery Management (ADM) Overview Cheat Sheet

Cloud vs on-prem

NetScaler Console is available both on-premises and as a Cloud Service.

The Cloud version of NetScaler Console has new features that are not available in the on-premises version of NetScaler Console.

For the Cloud Service, you import a NetScaler Console Agent appliance to an on-prem hypervisor or deploy a NetScaler Console Agent to AWS or Azure. The NetScaler Console Agent is the proxy between the Cloud Service and the on-prem (or cloud hosted) NetScaler ADC appliances. For more info on the NetScaler Console Cloud Service, see the following:

The rest of this article focuses on the on-premises version, but much of it also applies to the Cloud Service.

On-premises NetScaler Console Licensing:

  • Instance management is free (unlimited). This includes Configuration Jobs, Instance Backups, Network Functions/Reporting. Basically everything in the Infrastructure node is free.
  • Analytics and Application monitoring are free in NetScaler Console build 21 and newer.

NetScaler Console version – The version/build of NetScaler Console must be the same or newer than the version/build of the NetScaler ADC appliances being monitored. NetScaler Console 14.1 can monitor many NetScaler ADC appliance versions including version 11.1, version 12.1, version 13.0, version 13.1, and version 14.1.

HDX Insight

See CTX239748 for a list of HDX Insight Quality Improvements in Citrix Gateway 12.1 and newer. These include:

  • NSAP protocol for reduced performance impact on NetScaler ADC
  • EDT support

HDX Insight Requirements (aka AppFlow Analytics for Citrix ICA traffic):

  • Your NetScaler ADC appliance must be running Advanced Edition or Premium Edition.
  • For EDT (UDP-based ICA), NetScaler ADC must be 12.1 build 49 or newer.
  • AppFlow statistics are only generated when ICA traffic flows through a Citrix Gateway. Internally, when a user clicks an icon from StoreFront, an ICA connection is established directly from Workspace app to the VDA, thus bypassing the internal NetScaler Gateway. Here are some methods of getting ICA traffic to flow through an internal NetScaler ADC:
    • Implement NetScaler Gateway ICA Proxy (SSL) internally.
    • Route ICA traffic (TCP/UDP 1494 and TCP/UDP 2598) through a NetScaler ADC SNIP, and NetScaler ADC routes it to the VDAs.
    • NetScaler ADC can proxy ICA traffic through a SOCKS protocol Cache Redirection Virtual Server.
    • NetScaler Docs Enabling HDX Insight Data Collection details additional ICA routing/proxy considerations – Transparent Mode, Citrix Gateway Single-Hop and Double-Hop, LAN User Mode (NetScaler ADC as SOCKS Proxy), Multi-Hop (NetScaler ADC connection chaining)
  • A new Workspace app Virtual Channel named NetScaler App Experience or NSAP can dramatically reduce the CPU needed on the NetScaler ADC to process AppFlow. Details at Citrix Blog Post HDX Insight 2.0.
  • For ICA round trip time calculations, in a Citrix Policy, enable the following settings:
    • ICA > End User Monitoring > ICA Round Trip Calculation
    • ICA > End User Monitoring > ICA Round Trip Calculation Interval
    • ICA > End User Monitoring > ICA Round Trip Calculation for Idle Connections
  • Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide contains the following contents:
    • Introduction
    • Prerequisites for Configuring HDX Insight
    • Troubleshooting
      • Issues Related to ICA parsing
      • Error Counter details
    • Checklist before Contacting Citrix Technical Support
    • Information to collect before Contacting Citrix Technical support
    • Known Issues

Citrix CTX204274 How ICA RTT is calculated on NetScaler Insight: ICA RTT constitutes the actual application delay. ICA_RTT = 1 + 2 + 3 + 4 + 5 + 6:

  1. Client OS introduced delay
  2. Client to NS introduced network delay (Wan Latency)
  3. NS introduced delay in processing client to NS traffic (Client Side Device Latency)
  4. NS introduced delay in processing NS to Server (XA/XD) traffic (Server Side Device Latency)
  5. NS to Server network delay (DC Latency)
  6. Server (XA/XD) OS introduced delay (Host Delay)

Multi-Datacenter Deployment Architecture

In a main datacenter, import two NetScaler Console appliances into the same subnet and configure them as an HA pair with a Floating IP address.

In a DR datacenter, import a DR node NetScaler Console appliance and configure it to replicate with the main datacenter.

  • Note: DR node requires a Floating IP, which requires NetScaler Console HA to be configured in the main datacenter.
  • Documentation at Configure disaster recovery for high availability at NetScaler Docs and will be detailed later in this article.

For NetScaler ADC appliances in additional datacenters, import two NetScaler Console Agent appliances into each datacenter. Remote NetScaler ADC instances are discovered and managed through remote NetScaler Console agents.

Import NetScaler Console Appliance

If you are upgrading an existing NetScaler Console or ADM, skip to the Upgrade section.

There are two different NetScaler Console appliances:

  • ADM appliance for the main datacenter, including High Availability, and for the DR node.
  • ADM Agent appliance for remote datacenters

To import a NetScaler Console Appliance into vSphere, do the following:

  1. Download Citrix ADM Image for ESX.

    • The download page for NetScaler Console has two different images: one called ADM Image, and one called ADM Agent Image. The first image should be the non-agent image.
  2. Extract the downloaded .zip file for the non-agent image (MAS-ESX-14.1).
  3. In vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  4. In the Select an OVF Template page, select Local file and browse to the NetScaler Console files. If an .ova file is available, select only that one file. Otherwise, select all three files (.ovf, .mf, and .vmdk). Click Next.

  5. In the Select name and folder page, enter a name for the virtual machine, and select an inventory folder. Then click Next.
  6. In the Select a resource page, select a cluster or resource pool, and click Next.
  7. In the Review details page, click Next.
  8. In the Select storage page, select a datastore. Due to high IOPS requirement, SSD is recommended.
  9. Change the virtual disk format to Thin Provision. Click Next.
  10. In the Select networks page, choose a valid port group, and click Finish.
  11. In the Ready to Complete page, click Finish.

Appliance Hardware Configuration

  1. Before powering on the appliance, you can review its hardware specs. Right-click the NetScaler Console virtual machine and click Edit Settings.
  2. Review the specs. NetScaler Docs NetScaler Console on VMware ESXi recommends 8 vCPUs and 32 GB RAM.
  3. You can add a second hard disk at this time.
  4. NetScaler Docs Attach an additional disk to NetScaler Console says that an additional disk must be added before initial deployment.
    • Use the NetScaler Console storage calculator to determine the recommended size of the disk. Ask your Citrix Partner for the tool.
    • The new disk must be larger than 120 GB.
    • The new disk can be larger than 2 TB.
    • The new disk can be grown later, and /mps/DiskPartitionTool.py can resize the partition, but only up to 2 TB. If you need more than 2 TB, the initial disk should be larger than 2 TB.
  5. Power on the Virtual Machine.

Appliance IP Address Configuration

  1. Open the console of the virtual machine.
  2. Configure IP address information.
  3. Enter 7 when done.
  4. It takes several minutes for the GUI login to start working.

Second Disk

  1. SSH to the appliance and login as nsrecover/nsroot.
  2. Enter /mps/DiskPartitionTool.py

  3. Enter info to see that there are no existing partitions on the second disk.
  4. Enter create to create partitions on the second disk. A reboot is required.
  5. During the reboot, the database is moved to the second disk.
  6. After the reboot, the Disk Partition Tool info command shows the partition on the second disk.
  7. If you need to increase the size of the disk, reboot the NetScaler Console appliance so it detects the larger size. Then use the Disk Partition Tool resize command.

Deployment Modes

HA Pair in the Main Datacenter

In NetScaler Console 14.1 build 17 and newer, HA is no longer configured from the CLI. Use the GUI instead.

  1. Latency to the HA node must not exceed 10 ms.
  2. The HA nodes must be on the same subnet.
  3. Import a second NetScaler Console appliance.
  4. If you added a second disk to the first NetScaler Console appliance, then you must add the same size second disk to the second NetScaler Console appliance.
  5. Configure the new node’s IP address.
  6. SSH to the second appliance, login as nsrecover/nsroot, and run the Disk Partition tool.
  7. Point your browser using https to the first NetScaler Console IP address. Note: After configuring the appliance IP, it takes several minutes for the GUI login to start working.
  8. Login using nsroot/nsroot credentials.
  9. Change the nsroot password when prompted. Login to the second node and also change its password.
  10. Click Get Started.
  11. In the Instances page, click Next.
  12. In the Connect to NetScaler Console Service page, click Skip.
  13. In the Notifications page, click Skip.
  14. Click Finish.
  15. In the left menu, expand Settings and click Administration.
  16. On the right, click IP Address, Second NIC, Host Name and Proxy Server.
  17. Configure the Alternate DNS and click Save. You can only configure this before you create the HA pair. Repeat on both nodes.
  18. On the right, click Configure NetScaler Console High Availability (HA).
  19. Enter the IP of the second NetScaler Console appliance.
  20. Enter a new IP that will float between the two nodes. Click Configure.
  21. Click Yes to reboot.
  22. It will take several minutes to configure HA.
  23. After the reboot, log into the floating IP.
  24. In the left menu, expand Settings and click HA Deployment.
  25. You can view the status of the HA pair and fix the database sync if it is broken. You can Break HA, Force Failover, or change the Floating IP (in HA Settings).

If this is older Citrix ADM, on the First Node, do the following:

  1. SSH to the first node and login as nsrecover/nsroot.
  2. Enter deployment_type.py.
  3. Enter 1 for NetScaler Console Server.
  4. Enter no when prompted for NetScaler Console Standalone deployment.
  5. For the First Server Node prompt, enter yes.
  6. Enter yes to Restart the system.

Older Citrix ADM Second Node:

  1. Import another ADM appliance to the same subnet and configure an IP address.
    • Latency to the HA node must not exceed 10 ms.
    • The HA nodes must be on the same subnet.
  2. If you added a second disk to the first ADM appliance, then you must add the same size second disk to the second ADM appliance.
  3. Configure the new node’s IP address.
  4. SSH to the second appliance, login as nsrecover/nsroot, and run the Disk Partition tool.
  5. SSH to the second appliance, login as nsrecover/nsroot, and run deployment_type.py.
  6. Enter 1 for Citrix ADM Server.
  7. Enter no when prompted for Citrix ADM Standalone deployment.
  8. Enter no when prompted whether this is the First Server Node.
  9. Enter the IP address of the first ADM node.
  10. Enter the nsroot password of the first node. The default password is nsroot.
  11. Enter a new Floating IP address.
  12. Enter yes to restart the system.

Older Citrix ADM Get Started:

  1. Use a browser to log into the first ADM appliance as nsroot/nsroot.
  2. Logging in to NetScaler ADM might show you the Get Started wizard. If you don’t see this wizard, then skip to the next section.
  3. In the Add NetScaler Instances page, you can Add Instance now, or just click Next and add instances later.
  4. In the Customer Identity page, you can login to Citrix Cloud, configure data sharing, or click Skip to do it later.

  5. In the System Notifications page, you can configure Email notifications now, or click Skip and do it later.
  6. In the Done page, click Finish.

Older Citrix ADM Deploy HA Configuration:

  1. After both appliances are fully booted, point your browser to the first appliance’s IP address and login as nsroot/nsroot. It will take several minutes after booting before the ADM appliance is ready.
  2. The top of the screen has some banners.
  3. If you want to make any network changes (e.g., DNS servers) to either node, then you must make those changes before you deploy the HA pair. Move your mouse over the left menu, expand Settings and click Administration.
  4. On the right, click IP Address, Second NIC, Host Name and Proxy Server.

    1. Enter an Alternate DNS and then click Save.
    2. Click the back arrow to go back.
    3. If you already created the HA pair, then the only way to add a second DNS server is through the command line on both nodes. See CTX281388 Error Message “Network configuration change is not allowed in Citrix ADM HA setup” When Changing Network Settings in ADM
      echo "echo \"nameserver DNS_IP\" >> /etc/resolv.conf" >> /mpsconfig/svm.conf
  5. Move your mouse to the left side of the screen, expand Settings, and then click Deployment.
  6. In the top right, click Deploy.
  7. Click Yes to reboot.
  8. It takes around 10 minutes to restart.
  9. After deployment, you can now use the Floating IP to manage the appliance pair.
  10. Logging in might show you the Get Started wizard. Proceed through the wizard as described in the previous section.
  11. Move your mouse to the left menu, expand Settings, and click Deployment.
  12. The Settings > Deployment page should show both nodes as UP and syncing.

Afterwards, you can manage High Availability.

  1. Settings> Deployment lets you see the HA nodes.
  2. You can Force Failover from here. Note: HA failover only occurs after three minutes of no heartbeats.
  3. On the top right is a HA Settings button that lets you change the Floating IP.

DR Node

Requirements for the DR node:

  • The main datacenter must have an HA pair of NetScaler Console appliances. Standalone in the main datacenter is not supported.
  • Latency from the main datacenter HA pair to the DR node must not exceed 200 ms.
  • Ports 5454 and 22 open between the NetScaler Console nodes.

To configure a DR node:

  1. Import another NetScaler Console appliance into a remote datacenter and configure an IP address.
  2. If you added a second disk to the main datacenter NetScaler Console appliances, then you must add the same size second disk to the DR NetScaler Console appliance.
  3. After configuring the new nodes’ IP address, SSH to the DR appliance and login as nsrecover/nsroot.
  4. Enter deployment_type.py.
  5. Enter 2 for Remote Disaster Recovery Node.
  6. Enter the Floating IP address of the HA pair in the main datacenter.
  7. Enter the nsroot password, which is nsroot by default.
  8. The DR node registers with the NetScaler Console HA Pair.
  9. You can change the password of the DR node by running the following command:
    ./mps/change_freebsd_password.sh <username> <password>
  10. Point your browser to the Floating IP Address and login.
  11. Go to Settings > Administration.
  12. On the right, in the right column, click Disaster Recovery Settings.
  13. The Registered Recovery Node should already be filled in. Click Deploy DR Node.
  14. Click Yes to enable DR.
  15. A System Backup is performed and replicated to the DR appliance. Click Close when done.
  16. The status of the DR node is displayed. You can click the Refresh icon on the top right to update the display.
  17. There’s a Sync DR Node button in case it gets out of sync.
  18. Disaster Recovery is not automatic. See the manual DR procedure at NetScaler Docs. Docs also shows how to fail back.
    • /mps/scripts/pgsql/pgsql_restore_remote_backup.sh

NetScaler Console Agents

NetScaler Console Agents help NetScaler Console discover and manage instances on the other side of a high latency WAN link.

The virtual appliance for NetScaler Console Agent is different than the normal NetScaler Console appliance.

  1. Download the NetScaler Console Agent from the main NetScaler Console download page. On the NetScaler Console download page for a particular build, scroll down the page to find the ADM Agent images.
  2. Extract the downloaded .zip file.
  3. Import the MASAGENT .ova to vSphere. You can import the single .ova file, or you can import the .ovf file plus the .mf file and the .vmdk file.
  4. Edit the settings of the virtual machine to see the allocated CPU and Memory.
  5. There’s no need to add a disk to the Agent.
  6. Power on the NetScaler Console Agent virtual machine.
  7. At the virtual machine’s console, configure an IP address.
  8. Login as nsrecover/nsroot.
  9. Run /mps/register_agent_onprem.py
  10. Enter the floating IP address of the main NetScaler Console HA Pair. Enter nsroot credentials for NetScaler Console. Enter a new password for NetScaler Console Agent.
  11. The Agent will be registered, and services restarted.
  12. To change the nsrecover password on NetScaler Console Agents, putty (SSH) to the NetScaler Console Agent appliance, login as nsrecover and then run the script at /mps/change_agent_system_password.py. Or you can change the password in the NetScaler Console interface at Infrastructure > Agents.
  13. Login to the NetScaler Console Floating IP.
  14. Go to Infrastructure > Instances > Agents.
  15. On the right, select the NetScaler Console Agent, and then click Attach Site.
  16. In the Site drop-down, if you don’t see your site, then you can click the Add button to create a new site.

    1. Enter a name and other location information.
    2. Make sure you enter the coordinates. Google can find coordinates for various locations. If Longitude is West, then the value is negative.
    3. Click Create when done.
  17. Click Save to attach the Site to the Agent. Any NetScaler instance discovered through this Agent will be attached to the configured Site.
  18. For Agent HA, import two NetScaler Console Agents into your hypervisor and attach both Agents to the same Site.
  19. You can change the Agent’s nsrecover password from the NetScaler Console GUI.
  20. ADM 13.1 build 24 and newer have a Settings button on the top-right of the Agents page where you can enable Notifications when a NetScaler Console Agent is unreachable.

NetScaler Console Appliance Maintenance

Add NetScaler Instances

NetScaler Console must discover NetScaler instances before they can be managed. See NetScaler Docs How NetScaler Console discovers instances.

  1. Point your browser to the NetScaler Console Floating IP address and login as nsroot/nsroot.

Before adding instances, NetScaler Console needs to know the nsroot password for the instances. You create Admin Profiles to specify the nsroot passwords.

  1. When adding instances during the initial Welcome wizard, next to Profile Name, click Add to create an Admin Profile.
  2. Or in the main interface, to edit or create new Admin Profiles, move your mouse to the left menu, then go to Infrastructure > Instances > NetScaler.
  3. On the right, open the menu named Select Action, and click Profiles.
  4. Click the Add button to create an Admin Profile.
  5. In the top half, give the Profile a name and enter the password for the instance’s nsroot account. Create a separate Admin Profile for each unique nsroot password.
  6. In the bottom, make up some SNMP settings. You can do SNMP v3. Change the Authentication Type and Privacy Type to stronger options.
  7. Click Create when done.

To add instances:

  1. Move your mouse to the left, expand Infrastructure, expand Instances, and click NetScaler.
  2. On the right, select a tab (e.g. MPX), and then click Add.
  3. The Add instance screen is the same as shown during the getting started wizard. To authenticate to the NetScaler ADC using nsroot, select an existing Profile or create a new one. If you have Sites or Agents, you can select one. Select a Site so it’s shown correctly on the world map. Click OK when done.

Tags:

  1. You can assign Tags to instances. See How to create tags and assign to instances at NetScaler Docs.

  2. You can then search instances based on the Tags.

Instance Authentication from NetScaler Console

By default, when you click the blue link for one of the instances, NetScaler Console does single sign-on to the instance using the nsroot credentials from the Admin Profile. This is probably a security risk, and certainly an auditing risk, because every change made through that link is logged on the instance as nsroot rather than as the individual administrator.

To prevent NetScaler Console from doing single sign-on to instances:

  1. In NetScaler Console, go to Settings > Administration.
  2. On the right, click System, Time zone, Allowed URLs and Agent Settings.
  3. In the Basic Settings page, check the box next to Prompt Credentials for Instance Login and click Save.

NetScaler SDX

  1. At Infrastructure > Instances > NetScaler, on the SDX tab, you can click Add to discover a SDX appliance plus all VPXs on that SDX appliance. You don’t have to discover the VPXs separately.
  2. In the Add NetScaler SDX page, click the Add button next to the Profile Name drop-down to create an SDX profile. Note: SDX profiles are different than VPX profiles.

    1. Enter the credentials for the SDX SVM Management Service.
    2. For NetScaler Profile, select an admin profile that has nsroot credentials for the VPX instances. After the SDX’s VPX instances are discovered, NetScaler Console uses this NetScaler Profile to login to each VPX. If you don’t have a VPX Admin Profile in your drop-down list, click the Add button. Note: You can only select one NetScaler Profile. If each VPX instance has different nsroot credentials, you can fix it after SDX discovery has been performed. The NetScaler Profile is different than the SDX Profile.
    3. Back in the Configure NetScaler Profile page, enter new SNMP settings that SDX will use to communicate with NetScaler Console.
    4. Click Create when done.
  3. Back in the Add NetScaler SDX page, select a Site, and optionally an Agent.
  4. Click OK to start discovery.
  5. After discovery is complete, switch to the VPX tab. You should automatically see the VPX instances.
  6. To specify the nsroot credentials for a VPX, right-click the VPX, and click Edit.

    • In the Modify NetScaler VPX page, either select an existing Profile Name, or click the Add button to create a new one. Click OK when done. It should start rediscovery automatically.
  7. After fixing the nsroot credentials, right-click the VPX instance and click Configure SNMP. NetScaler Console will configure the VPX to send SNMP Traps to NetScaler Console.

Instance management

  • REST API proxy – NetScaler Console can function as a REST API proxy server for its managed instances. Instead of sending API requests directly to the managed instances, REST API clients can send the API requests to NetScaler Console. See NetScaler Console as an API Proxy Server
  • NetScaler Flexed Licensing – Your Flexed license includes software instance licenses (VPX/CPX/BLX, SDX, MPX, and VPX FIPS) and bandwidth capacity licenses. You must apply the Flexed license on NetScaler Console. You must also apply the MPX Z-Cap and SDX Z-Cap license on NetScaler MPX and NetScaler SDX hardware respectively. A Flexed license also offers analytics for unlimited virtual servers. See Flexed capacity license at NetScaler Docs.

Enable AppFlow / Insight / Analytics

NetScaler Console build 21 and newer remove the VIP licensing requirement for Analytics.

  1. Go to Infrastructure > Instances > NetScaler.
  2. On the right, switch to one of the instance type tabs (e.g. VPX).
  3. Select an instance, open the Select Action menu, and click Configure Analytics.
  4. Select one or more Virtual Servers and then click the button labelled Enable Analytics.
  5. Different options are available for different types of Virtual Servers.
  6. For NetScaler Gateways, you want HDX Insight. Gateway Insight provides AAA and EPA info for the Gateway. Enable WAF Security Violations if you enabled WAF on your Citrix Gateway.

    • Expand Advanced Settings and select NetScaler Gateway.
  7. For HTTP Load Balancing Virtual Servers, you want Web Insight. If you are licensed for NetScaler ADC Premium Edition, then you can also enable WAF Security Violations for Web App Firewall and Bot Protection monitoring.

    • For analytics on HTTP Virtual Servers, expand Advanced and click Enable X-Forwarded-For.
  8. Click OK to enable AppFlow on the Virtual Servers.
  9. Click Close when configuration is complete.
  10. Enable Analytics on more Virtual Servers.
  11. Login to the NetScaler ADC (not NetScaler Console) and go to System > Settings.
  12. On the right, click Configure Modes.
  13. If you are using LogStream, then make sure ULFD is checked. Click OK.

    enable mode ulfd
  14. On the right, click Change Global System Settings.
  15. Scroll down to ICA port(s) and add 1494 and 2598 to the list. Click OK. (Source = Citrix Discussions)

    set ns param -icaPort 1494 2598
  16. On the right, click Change HTTP Parameters.
  17. At the top, add 80 and 443 to the Http Ports list. Click OK. (Source = Citrix Discussions)

    set ns param -httpPort 80 443
  18. By default, with AppFlow enabled, if a NetScaler ADC High Availability pair fails over, then all Citrix connections will drop, and users must reconnect manually. NetScaler ADC has a feature to replicate Session Reliability state between both HA nodes.
    1. From Session Reliability on NetScaler High Availability Pair at NetScaler Docs: Enabling this feature will result in increased bandwidth consumption, which is due to ICA compression being turned off by the feature, and the extra traffic between the primary and secondary nodes to keep them in sync.
    2. On NetScaler ADC, go to System > Settings.
    3. On the right, in the Settings section, click Change ICA Parameters.
    4. Check the box next to Session Reliability on HA Failover and click OK.
  19. On NetScaler ADC at System > AppFlow > Collectors, you can see if the AppFlow Collector (NetScaler Console) is up or not.

  20. Go to Traffic Management > Load Balancing > Services and find the adm_metric_collector_svc. If it’s not UP, then you can change it to use NSIP instead of SNIP.

    1. Go to System > AppFlow. On the right, click Change AppFlow Settings.
    2. Check the box next to Time Series Data Over NSIP and click OK.
  21. When AppFlow is enabled on a Gateway Virtual Server, an AppFlow policy is bound twice to the Gateway: once for Request Policies (i.e., HTTP), and once for ICA Request Policies. You might want to verify that both bindings are actually configured.
  22. On the NetScaler Console appliance, AppFlow for ICA (HDX Insight) information can be viewed under the Gateway > HDX Insight node.
  23. Web Insight for HTTP Virtual Servers is under Applications > Web Insight. WAF Violations is under Security.

NetScaler Console nsroot Password

Changing NetScaler Console’s nsroot password also changes NetScaler Console’s nsrecover password.

  1. In NetScaler Console, go to Settings > Users & Roles.
  2. On the right, on the tab named Users, select the nsroot account, and click Edit.
  3. Check the box next to Change Password and enter a new password.
  4. You can also specify a session timeout by checking the box next to Configure Session Timeout.
  5. Click OK.

NetScaler Console Management Certificate

  1. The certificate to upload must already be in PEM format. If you have a .pfx, you must first convert it to PEM (Base64 certificate and key files). You can use a NetScaler ADC’s Import PKCS#12 feature to convert the .pfx to PEM and then download the converted certificate from the NetScaler ADC appliance.
    1. On any NetScaler ADC, go to Traffic Management > SSL.
    2. On the right, click Import PKCS#12.
    3. Enter a name for a new file that will contain the PEM certificate and PEM key.
    4. Browse to the .pfx file and enter the password.
    5. You can optionally encrypt the PEM key by selecting an Encoding Format and entering an encryption key.
    6. Click OK.
    7. To download the PEM file, go to Manage Certificates / Keys / CSRs.
    8. Scroll to the bottom of the list, right-click the new file, and click Download.
  2. Back in NetScaler Console, go to Settings > Administration.
  3. On the right, in the SSL Settings section, click Install SSL Certificate.
  4. Click Choose File to browse to the PEM format certificate and key files. If the PEM certificate and PEM key are in the same file, then browse to the same file for both fields.
  5. If the keyfile is encrypted, enter the password.
  6. Click OK.
  7. Click Yes to reboot the system.

  8. To force users to use https when accessing the NetScaler Console management page, go to Settings > Administration.
  9. On the right, click System, Time zone, Allowed URLs and Agent Settings.

  10. On the Basic Settings page, check the box next to Secure Access Only and click Save.
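Step 1 above converts the .pfx on a NetScaler ADC. The following is an added example, not code from the original article, that does the same conversion with openssl on any Linux or macOS host, writes the PEM key either unencrypted or encrypted (the "keyfile is encrypted" case in step 5), and confirms the certificate and key belong together before you upload them. The file names, passwords and subject in it are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: convert a .pfx into the
# PEM certificate and PEM key files that NetScaler Console's Install SSL
# Certificate page expects, using openssl in place of the NetScaler ADC
# Import PKCS#12 page. File names, passwords and the subject below are
# constructed for this example only.
set -eu

# Extract certificate(s) and private key from a .pfx into PEM files.
#   $1 = input .pfx   $2 = .pfx password   $3 = output directory
#   $4 = optional passphrase; when given, the PEM key is written encrypted
#        (AES-256), which is the "keyfile is encrypted" case on the Console
#        upload page; when omitted the key is written unencrypted.
pfx_to_pem() {
  pfx="$1"; pfxpass="$2"; outdir="$3"; keypass="${4:-}"
  mkdir -p "$outdir"
  # All certificates (leaf plus any chain), no key.
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nokeys \
    -out "$outdir/cert.pem"
  if [ -n "$keypass" ]; then
    openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts \
      -aes256 -passout "pass:$keypass" -out "$outdir/key.pem"
  else
    openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts -nodes \
      -out "$outdir/key.pem"
  fi
  # The private key file should never be readable by other users.
  chmod 600 "$outdir/key.pem"
}

# Confirm a PEM certificate and PEM key belong together by comparing the
# SHA-256 digest of the public key each one carries. Prints "match" or
# "mismatch". $3 is the key passphrase, if the key is encrypted.
pem_pair_matches() {
  cert="$1"; key="$2"; keypass="${3:-}"
  certpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  keypub=$(openssl pkey -in "$key" -passin "pass:$keypass" -pubout | openssl sha256)
  if [ "$certpub" = "$keypub" ]; then echo match; else echo mismatch; fi
}

# Build a throwaway self-signed certificate and bundle it as a .pfx so the
# functions above can be exercised offline. Constructed input, not a real cert.
make_sample_pfx() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=console.example.test" \
    -keyout "$dir/sample.key" -out "$dir/sample.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/sample.key" -in "$dir/sample.crt" \
    -passout "pass:Pfx-Pass-123" -out "$dir/sample.pfx"
}
```

Upload cert.pem for the certificate field and key.pem for the key field; if you used the passphrase variant, enter that passphrase in step 5.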

System Configuration

  1. Go to Settings > Administration.
  2. On the right, click System, Time zone, Allowed URLs and Agent Settings.

    1. Check the box next to Enable Session Timeout and specify a value.
    2. By default, at Infrastructure > Instances > NetScaler, if you click a blue IP address link, NetScaler Console does single sign-on to the instance using the nsroot credentials. If you want to force NetScaler Console users to login using non-nsroot credentials, then check the bottom box for Prompt Credentials for Instance Login.

    3. Click Save.
    4. On the left, click the Message of the day tab.
    5. On the right, check the box next to Enable Message.
    6. Enter a message, and then click Save.
    7. Click the back arrow when done.
    8. When you login to NetScaler Console, you’ll be shown the message.
  3. Settings > Administration > Configure SSL Settings lets you disable TLS 1 and TLS 1.1.

    1. On the right side of the screen, in the Edit Settings section, click Protocol Settings.
    2. On the left, uncheck TLSv1 and TLSv1.1. Then click OK.
    3. Click Yes when asked to confirm the restart.

Prune Settings

  1. To see the current database disk usage, go to Settings > Data Storage Management. You can manually initiate pruning from this page.
  2. Go to Settings > Data Storage Management > Data Retention Policy.
  3. System Pruning defaults to deleting System Events, Audit Logs, and Task Logs after 15 days. System events are generated by the NetScaler Console appliance, which is different than Instance events (SNMP traps) that are generated by NetScaler ADC appliances.
  4. If you change anything on these pages, click the Save button before switching to a different tab/node/page.
  5. NetScaler Console can initiate a purge automatically as the database starts to get full.
  6. Instance Events page controls when instance SNMP traps are pruned, which defaults to 40 days.

Backup Settings

  1. In Settings > Administration, in the middle column, under Backup, click Configure System and Instance backup.
  2. System Backup Settings defines how many NetScaler Console backups you want to keep. These are NetScaler Console backups, not NetScaler ADC backups.
    1. There’s an option for External Transfer.
    2. NetScaler Console System backups (not Instance Backups) are at Settings > Backup Files.
  3. The Instance page lets you configure how often the instances are backed up.
    1. You probably want to increase the number of instance backups or decrease the backup interval. The backups are quite small (e.g. 700 KB).
    2. There is an option to perform a backup whenever the NetScaler ADC configuration is saved.
    3. The Enable External Transfer checkbox lets you transfer the backups to an external system so it can be backed up by your backup tool.
    4. Instance backups can be found at Infrastructure > Instances > NetScaler. Right-click an instance and click Backup/Restore.
    5. You can Restore a backup, Download the backup, or Transfer it to an external system.

Analytics Settings

  1. There are more settings at Settings > Analytics Settings.
  2. ICA/Gateway Session Timeout can be configured by clicking the link.

    • If NetScaler Console doesn’t receive AppFlow records for a session, it will consider that session to have been terminated in NetScaler ADC and stops monitoring that session further. The time for which NetScaler Console needs to wait before considering a session terminated is the ICA session timeout. This is configurable in NetScaler Console; by default it is set to 15 minutes. (source = Citrix Discussions)
  3. Go to Applications > Dashboard.
  4. On the top right, click the gear icon.
  5. Configure App Score factors and thresholds.
  6. Settings > Analytics Settings > Data Persistence lets you configure how long Analytics data is retained. Adjusting these values could dramatically increase disk space consumption.

    • To see the current database disk usage, go to Settings > Data Storage.

NTP Servers

  1. On the left, click Settings > Administration.
  2. On the right, click NTP Servers.
  3. Click Add.
  4. Enter an NTP server and click Create.

  5. After adding NTP servers, click the NTP Synchronization button.
  6. Check the box next to Enable NTP Synchronization and click OK.
  7. Click Yes to restart.

Syslog

This is for syslog entries generated by NetScaler Console server, and not for syslog entries generated by the instances.

  1. Go to Settings > NetScaler Console Audit Log Messages > Syslog Servers.
  2. On the right, click Add.
  3. Enter the syslog server IP address and select Log Levels. Click Create.
  4. You can click Syslog Parameters to change the timezone and date format.

Email Notification Server

  1. Go to Settings > Notifications.
  2. On the right, on the Email tab, click the button named Email Servers.

    1. Click Add.
    2. Enter the SMTP Email server address and click Create.
  3. In the breadcrumb, click Notifications.
  4. On the right, on the Email tab, click Add.

    • Enter information for a destination distribution list and click Create.
  5. You can highlight a Distribution List and click the Test button.
  6. On the left, click Settings > Administration.
  7. On the right, click Change Event Notification and Digest.

    1. Move notification categories (e.g. UserLogin) to the right.
    2. Check the box next to Send Email. Select a notification distribution list. Then click Save.

Authentication

  1. Go to Settings > Authentication.
  2. On the right, switch to the tab named LDAP.
  3. Click Add.
  4. This is configured identically to NetScaler ADC.
    1. Enter a Load Balancing VIP for LDAP.
    2. Change the Security Type to SSL, and Port to 636. Scroll down.
    3. Enter the Base DN in LDAP format.
    4. Enter the bind account credentials.
    5. Check the box for Enable Change Password.
    6. Click Retrieve Attributes and scroll down.
    7. For Server Logon Attribute, select sAMAccountName.
    8. For Group Attribute, select memberOf.
    9. For Sub Attribute Name, select cn.
    10. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
    11. If desired, configure Nested Group Extraction.
  5. Click Create.
  6. On the left, go to Settings > Users & Roles.
  7. On the right, click the tab named Groups.
  8. On the right, click Add.

    1. Enter the case sensitive name of your NetScaler Console Admins AD group.
    2. Move the admin Role to the right.
    3. The Configure User Session Timeout checkbox lets you configure a session timeout.
    4. Click Next.
    5. On the Authorization Settings page, if you are delegating limited permissions, you can uncheck these boxes and delegate specific entities.
      • All DNS Domain Names (GSLB) is an option for Stylebooks in ADM 12.1 build 49 and newer.
    6. Click Next.
    7. In the Assign Users page, click Finish. Group membership comes from LDAP, so there’s no need to add local users.
  9. On the top right, click the button named Settings.

    • NetScaler Console 14.1 build 43.50 and newer lets you configure two-factor authentication. NetScaler Docs.
      Authentication settings
    • If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.
  10. On the left, go to Settings > Authentication.
  11. On the top right, click the button named Settings.
  12. Change the Server Type to EXTERNAL and click Insert.
  13. Select the LDAP server you created and click OK.
  14. Make sure Enable fallback local authentication is checked and click OK.

Analytics Thresholds

  1. Go to Settings > Analytics Settings > Thresholds.
  2. On the right, click Add.
  3. Enter a name.
  4. Use the Traffic Type drop-down to select HDXWEBSECURITY, or APPANALYTICS.
  5. Use the Entity drop-down to select a category of alerts. What you choose here determines what’s available as Metrics when you click Add Rule.
  6. Click Add Rule to select a metric and threshold.

    • To add multiple rules for multiple Entity types, simply change the Entity drop-down before adding a new rule.
  7. If the Traffic Type is HDX, and the Entity drop-down is set to Users, on the bottom in the Configure Geo Details section, you can restrict the rule so it only fires for users for a specific geographical location.
  8. In the Notification Settings section, check the box to Enable Threshold.
  9. Check the box to Notify through Email, and select an existing Email Distribution List.
  10. Click Create.

Private IP Blocks

You can define Geo locations for internal subnets.

  1. Go to Settings > Analytics Settings > IP Blocks.
  2. On the right, click Add.
  3. In the Create IP Blocks page:
    1. Enter a name for the subnet.
    2. Enter the starting and ending IP address.
    3. Select a Geo Location (Country, Region, City). As you change the fields, the coordinates are automatically filled in.
  4. Click Create.

SSL Certificate Expiration Notification

SSL Dashboard can notify you when certificates will expire soon.

  1. In the NetScaler Console menu, expand Infrastructure and click SSL Dashboard.
  2. On the top right, click the button named Settings.
  3. In the Certificate is expiring in (days) field, enter the number of days before expiration that you want to receive a notification. The default is 30 days.
  4. Check one of the boxes (e.g. Email) below How would you like to be notified.
  5. Select a notification profile (e.g. Mail Profile) or Add one.
  6. Click Save and Exit or click Next to see more SSL Dashboard settings.
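The SSL Dashboard evaluates the "expiring in (days)" window on the Console side. The following added example, not code from the original article, reproduces that check locally with openssl for one PEM certificate or a directory of them, using the same 30-day default, so you can confirm which certificates Console should be flagging before you rely on the email. The sample certificates it creates are constructed, throwaway, self-signed files.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: apply the SSL Dashboard
# "Certificate is expiring in (days)" test to PEM certificate files on disk.
set -eu

# Report whether a PEM certificate expires within $2 days (default 30, the
# Console default). Prints "expiring" or "ok" and always returns 0, so callers
# branch on the text rather than on the exit status.
cert_expiring_within() {
  cert="$1"; days="${2:-30}"
  # -checkend exits 0 when the certificate is still valid at now+seconds and
  # 1 when it will have expired by then; its message goes to stdout, so drop it.
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    echo ok
  else
    echo expiring
  fi
}

# Print subject and notAfter for a certificate, the two columns you would
# look at on the dashboard row.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate
}

# Walk a directory of .pem/.crt files and print the paths of those that fall
# inside the window. Usage: list_expiring /path/to/certs 30
list_expiring() {
  dir="$1"; days="${2:-30}"
  for f in "$dir"/*.pem "$dir"/*.crt; do
    [ -f "$f" ] || continue
    if [ "$(cert_expiring_within "$f" "$days")" = expiring ]; then
      echo "$f"
    fi
  done
}

# Constructed sample certificates for an offline run: one that expires in
# 10 days (inside the 30-day default window) and one that expires in a year.
make_sample_certs() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
    -subj "/CN=soon.example.test" \
    -keyout "$dir/soon.key" -out "$dir/soon.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=later.example.test" \
    -keyout "$dir/later.key" -out "$dir/later.pem" 2>/dev/null
}
```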

Instance Email Alerts (SNMP Traps)

You can receive email alerts whenever a NetScaler ADC appliance sends a critical SNMP trap.

  1. On the left, go to Infrastructure > Events > Rules.
  2. On the right, click Add.
  3. Give the rule a name.
  4. Move Severity filters (e.g. Major, Critical) to the right by clicking the plus icon next to each Severity.
  5. While scrolling down, you can configure additional alert filters. Leaving them blank will alert you for all categories, objects, and instances. If you want to exclude some Categories (e.g., entitydown), then move all Categories to the right and move the excluded categories back to the left.
  6. On the bottom of the page, in the Event Rule Actions section, click Add Action.
  7. In the Add Event Action page:
    1. Select an Action Type (e.g. Send e-mail Action).
    2. Select the recipients (or click the Add button to add recipients).
    3. Optionally, enter a Subject and/or Message.
    4. If you enter a Subject, you can check Prefix severity, category, and failure object information to the custom email subject.
    5. Emails can be repeated by selecting Repeat Email Notification until the event is cleared.
  8. Click OK.
  9. Then click Create to finish creating the event rule.
  10. See the Event Management section at All how to articles at NetScaler Docs.

Events Digest

NetScaler Console can email you a daily digest (PDF format) of system and instance events.

To enable the daily digest:

  1. Go to Settings > Administration.
  2. On the right, click Configure Event Notification and Digest.
  3. Switch to the Event Digest page.
  4. Uncheck the box next to Disable Event Digest.
  5. Configure the other settings as desired and click OK.

Director Integration

Integrating NetScaler Console with Director adds Network tabs to Director’s Trends and Session Details views. Citrix Blog Post Configure Director with Netscaler Management & Analytics System (MAS)

Requirements:

  • Citrix Virtual Apps and Desktops (CVAD) must be licensed for Premium Edition (formerly known as Platinum Edition). This is only required for the Director integration. Without Premium, you can still access the HDX Insight data by visiting the NetScaler Console web site instead of from Director.
  • Director must be 7.11 or newer for NetScaler Console support.

To link Citrix Director with NetScaler Console:

  1. On the Director server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler.
  2. Enter credentials for a user that only has HDX Insight permissions.
    User Role for ADM Director Integration
  3. If HTTPS Connection (recommended), the NetScaler Console certificate must be valid and trusted by both the Director Server and the Director user’s browser.
  4. Enter 1 for NetScaler Console (formerly Insight).
  5. Do this on both Director servers.

Use NetScaler Console

Infrastructure

Everything under the Infrastructure node is free.

Infrastructure Analytics – there’s an Infrastructure Analytics node under the Infrastructure node. For details, see Infrastructure Analytics at NetScaler Docs.

  • On the top right, the gear icon above the table shows the Settings Panel.
  • The tab named Score Indicator Settings lets you adjust how Infrastructure Analytics scores instance CPU, Memory, Disk, etc.
  • The Notifications tab lets you be notified when score thresholds are crossed.
  • You can click the Circle Pack button to change to the Circle Pack view.

At Infrastructure > Instances > NetScaler, select an instance and view its Dashboard.

  • The Instance Dashboard has tabs.

Backups are available by selecting an instance and clicking Backup/Restore.

Infrastructure > Network Reporting lets you create Dashboards where you can view Instance performance data.
Infrastructure > Network Reporting has a Thresholds button that lets you create thresholds when counters cross a threshold. For example, you might want a notification when Throughput gets close to the licensed limit.
At the bottom of the threshold are Notification Settings.

Configuration Record and Play

Use NetScaler Console to record a configuration change on one instance and push the change to other instances.

  1. Go to Infrastructure > Configuration > Configuration Jobs.
  2. On the right, click Create Job.
  3. Give the job a name.
  4. Change the Configuration Source drop-down to Record and Play.
  5. Change the Source Instance drop-down to the instance you want to record.
  6. Click Record.
  7. You might have to allow pop-ups in your browser.
  8. NetScaler Console opens the instance GUI. Make changes as desired.
  9. When done, go back to NetScaler Console and click Stop.
  10. NetScaler Console retrieves the changed config.
  11. On the left, you’ll see the changed commands. Drag them to the right.
  12. On the right, you can change instance-specific values to variables by simply highlighting the values. This allows you to change the values for each instance you push this config to.
  13. Proceed through the rest of the Configuration Job wizard like normal. You’ll select instances, specify variable values for each instance, and schedule the job.

Analytics and Applications

The AppFlow Analysis tools (e.g., HDX Insight) are located under the Applications, Security, and Gateway nodes. See Viewing HDX Insight Reports and Metrics at NetScaler Docs.

Applications > Dashboard automatically includes all Virtual Servers.

  • On the top right, click Manage Apps to add a custom group of Virtual Servers together into an application. The grouped Virtual Servers are removed from the Others list.
  • Click New Application.

  • Back in the App Dashboard, you can then click any Application’s box to view stats.
  • For Custom Applications, it combines stats about all of the vServers in that Custom Application.
  • There are buttons at the top the page to view more info about the application.

Applications > Configurations > StyleBooks lets you use StyleBooks to create new NetScaler ADC configurations.

There are built-in Enterprise StyleBooks for Exchange, SharePoint, Oracle, ADFS, etc. Or you can create your own StyleBook and use it to create NetScaler ADC configurations. For details, see StyleBooks at NetScaler Docs.

The Applications Node has quite a bit of functionality. See Application Analytics and Management at NetScaler Docs for details.

HDX Insight

HDX Insight Dashboard displays ICA session details including the following:

  • WAN Latency
  • DC Latency
  • RTT (round trip time)
  • Retransmits
  • Application Launch Duration
  • Client Type/Version
  • Bandwidth
  • Licenses in use

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide contains the following contents:

  • Introduction
  • Prerequisites for Configuring HDX Insight
  • Troubleshooting
    • Issues Related to ICA parsing
    • Error Counter details
  • Checklist before Contacting Citrix Technical Support
  • Information to collect before Contacting Citrix Technical support
  • Known Issues

Gateway Insight

In the Gateway node is Gateway Insight.

This feature displays the following details:

  • Gateway connection failures due to failed EPA scans, failed authentication, failed SSON, or failed application launches.
  • Bandwidth and Bytes Consumed for ICA and other applications accessed through Gateway.
  • Number of users
  • Session Modes (clientless, VPN, ICA)
  • Client Operating Systems
  • Client Browsers

More details at Gateway Insight at NetScaler Docs.

Security Dashboard

The Security Dashboard uses data from Application Firewall to display Threat Index (criticality of attack), Safety Index (how securely NetScaler ADC is configured), and Actionable Information. More info at Application Security Dashboard at NetScaler Docs.

Troubleshooting

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide: Syslog messages; Error counters; Troubleshooting checklist, Logs

Citrix CTX224502 Frequently Asked Questions During NetScaler MAS Troubleshooting

Upgrade NetScaler Console

Licensing – NetScaler Console build 21 and newer remove Analytics licenses, thus enabling unlimited Analytics VIPs.

  1. Upgrade paths from Before you upgrade at NetScaler Docs.
    1. If you upgrade from 12.0 build 57.24 and higher, first upgrade to 12.1, then to 13.1, and then to 14.1.
    2. If you upgrade from 12.1, you must first upgrade to 13.0 64.xx, and then directly to 14.1.
    3. If you upgrade from versions lower than 13.0 64.xx, for better user experience, first upgrade to 13.0 64.xx and then to 14.1.
  2. Download the latest Citrix Application Delivery Management (ADM) Upgrade Package. You want the ADM Upgrade Package, not the ADM image. It’s around halfway down the page.
  3. Log in to the NetScaler Console Floating IP or Active Node. Upgrading the Active Node automatically upgrades the Passive Node.
  4. Go to Settings > HA Deployment and make sure both nodes are online and replicating.

  5. Go to Settings > Administration.
  6. On the right, in the far-right column, click Upgrade NetScaler Console.
  7. Browse to the build-mas-14.1…tgz Upgrade Package and click OK. The file name starts with build-mas-14.1 or build-mas-13.1 (not masagent).


  8. Click Upgrade.
  9. Click Yes to continue with the upgrade.

  10. After it says that NetScaler Console upgrade completed, click Login again.
  11. The new firmware version can be seen by clicking your username in the top right corner.

Upgrade Disaster Recovery Node

After you upgrade the HA pair in the primary datacenter, you can upgrade the DR node.

  1. Use WinSCP or similar to connect to the DR node using the nsrecover credentials.
  2. On the NetScaler Console DR node, navigate to /var/mps/mps_images.
  3. Create a new Directory with the same name as the build number (14.1-##.## or 13.1-##.##).

  4. Double-click the new directory to open it and then upload the file named build-mas-14.1-##.##.tgz or build-mas-13.1-##.##.tgz to the version-specific directory. This is the regular NetScaler Console upgrade file with a name starting with build-mas-14.1 or build-mas-13.1. It’s not the Agent upgrade file.
  5. SSH (PuTTY) to the DR node and log in as nsrecover.
  6. Enter the following. Replace the # with the version number.
    cd /var/mps/mps_images/14.1-##.##
    tar xvzf build-mas-14.1-##.##.tgz

  7. Then enter the following. The appliance will reboot automatically.
    ./installmas

  8. After the reboot, the file /var/mps/log/install_state shows you the installed version.

Upgrade NetScaler Console Agents

After you upgrade the NetScaler HA pair in the primary datacenter, and after you upgrade the DR node, you can then upgrade the NetScaler Console Agents.

  1. From the NetScaler Console download page, at the bottom of the page, download the ADM Agent Upgrade Package. This Agent Upgrade file is different than the regular NetScaler Console upgrade file. And it is different than the files to deploy a new Agent. Find it at the bottom of the downloads page.
  2. In NetScaler Console 14.1 build 43.50 and newer, you can use the GUI to upgrade the Agents. See Schedule upgrades at NetScaler Docs.
  3. For older NetScaler Console, use WinSCP or similar to connect to the NetScaler Console Agent using the nsrecover credentials.
  4. On the NetScaler Console Agent, navigate to /var/mps/mps_images.
  5. Create a new Directory with the same name as the agent build number. Then double-click the new directory to open it.

  6. Upload the file named build-masagent-14.1-##.##.tgz or build-masagent-13.1-##.##.tgz to the version-specific directory. This is the NetScaler Console Agent upgrade file, and not the regular NetScaler Console upgrade file.
  7. SSH (PuTTY) to the NetScaler Console Agent and log in as nsrecover.
  8. Enter the following. Replace the # with the version number.
    cd /var/mps/mps_images/14.1-##.##
    tar xvzf build-masagent-14.1-##.##.tgz

  9. Then enter the following. The appliance will reboot automatically.
    ./installmasagent

  10. After the reboot, the file /var/mps/log/install_state shows you the installed version.
  11. Repeat for any additional NetScaler Console Agents.
  12. If you log in to NetScaler Console and go to Infrastructure > Instances > Agents, you should see the new Version. It will take several minutes for the version number to update.

Omnissa Horizon True SSO with UAG SAML

Last Modified: Jul 27, 2024 @ 10:24 am

Overview

To configure SAML on Unified Access Gateway (UAG) you must have the following versions:

  • UAG 3.8 or newer
  • Connection Servers 7.11 or newer
  • For Windows 10 version 2004, deploy Horizon 2103 (8.2) or newer.

True SSO is optional.

  • SAML does not provide the user’s password to Horizon, which means that Horizon cannot perform single sign-on to the Horizon Agent machine, and thus the Horizon Agent machine will prompt the user to log in again. This usually means the user has to log in twice.
  • To eliminate the second logon on the Horizon Agent machine, implement True SSO, which generates a certificate for each user and then uses that certificate to automatically sign in to the Horizon Agent machine.

Horizon Enrollment Servers ask Microsoft Certificate Authority servers to generate the SSO certificates for each user. This is an identity operation and thus the Horizon Enrollment Servers should be treated like Domain Controllers.

When you use Horizon Client to connect to a UAG that is SAML-enabled:

  1. It opens the default browser and prompts the user to sign into your SAML Identity Provider. If the user is already signed in then the user won’t see any sign-in prompt.
  2. After sign-in, the browser will then prompt the user to open Horizon Client.
  3. If the user locks the desktop then the user will need to know the local Active Directory password to unlock it.

Certificate Authority

Horizon Enrollment Servers can use a Microsoft Certificate Authority that already exists. Or you can install Microsoft Certificate Authority on the Horizon Enrollment Servers. If you have two Enrollment Servers, then install Microsoft Certificate Authority on both of the servers.

  1. Install Microsoft Certificate Authority from Server Manager > Manage > Add Roles and Features.
  2. Select Active Directory Certificate Services.
  3. The only Role Service needed for True SSO is Certification Authority.

The Microsoft Certificate Authority must be an Enterprise CA.

  1. After role installation, click the flag icon and then click the link to Configure Active Directory Certificate Services.
  2. In the Setup Type page, select Enterprise CA.
  3. In the CA Type page, if you already have a Root CA, then you can select Subordinate CA. Otherwise, you need at least one Root CA in your environment.

After Microsoft CA is installed, run the following commands:

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
sc stop certsvc
sc start certsvc

If you just built a new Certificate Authority server then True SSO won’t work until you run gpupdate /force on all of your Domain Controllers and Horizon Agent machines. Or wait several hours for group policy to update.

Certificate Template

  1. On the Certificate Authority machine, from Start Menu, run Certification Authority.
  2. Right-click the Certificate Templates node and click Manage.
  3. Right-click the Smartcard Logon template and click Duplicate Template.
  4. On the Compatibility tab, change the drop-down for Certification Authority to Windows Server 2008 R2.
  5. Change the drop-down for Certificate recipient to Windows 7 / Server 2008 R2.
  6. On the General tab, name it True SSO or similar.
  7. Change the Validity Period to 1 day or similar.
  8. On the Request Handling tab, change the drop-down for Purpose to Signature and smartcard logon.
  9. Check the box next to For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.
  10. On the Cryptography tab, change the drop-down for Provider Category to Key Storage Provider.
  11. On the Server tab, check the top box for Do not store certificates and requests in the CA database.
  12. Uncheck the bottom box for Do not include revocation information in issued certificates.
  13. On the Issuance Requirements tab, check the box next to This number of authorized signatures and enter 1 as the value.
  14. Change the drop-down for Policy type required in signature to Application policy.
  15. Change the drop-down for Application policy to Certificate Request Agent.
  16. At the bottom, change the selection to Valid existing certificate.
  17. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  18. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  19. Back in the Certificate Templates Console, right-click the Enrollment Agent (Computer) template and click Properties.
  20. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  21. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  22. Close the Certificate Templates Console.
  23. Back in the Certification Authority Console, with Certificate Templates highlighted on the left, if your environment has multiple CAs but this CA is dedicated to True SSO, then delete all templates from the right. Note: Domain Controllers must have certificates installed so make sure you have at least one other CA that is issuing Domain Controller certificates.
  24. Right-click Certificate Templates and click New > Certificate Template to Issue.
  25. Select Enrollment Agent (Computer) and click OK.
  26. Issue another certificate template but this time select the True SSO template.
  27. Your CA should now show the two templates.
  28. If you have a second CA, and if it is dedicated to True SSO, then delete all templates from that CA. Then configure it to issue the same two templates.

Enrollment Server

Horizon Enrollment Server must be installed on dedicated machine(s) that don’t have any other Horizon components installed.

  1. Log in to the new Horizon Enrollment Server that has at least 4 GB of RAM.
  2. Run certlm.msc.
  3. Expand Personal, then right-click Certificates, expand All Tasks, and click Request New Certificate.

    1. In the Before You Begin page, click Next.
    2. In the Select Certificate Enrollment Policy page, click Next.
    3. In the Request Certificates page, check the box next to Enrollment Agent (Computer) and then click Enroll.
    4. In the Certificate Installation Results page, click Finish.
    5. Notice the expiration date on the Enrollment Agent certificate. Make sure you renew it before it expires.
  4. Go to the downloaded Horizon software and run VMware-Horizon-Connection-Server-x86_x64.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, change the selection to Horizon Enrollment Server and click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. If Microsoft CA is installed on the Enrollment Server, then run regedit.
    1. Go to HKLM\Software\VMware, Inc.\VMware VDM.
    2. Create a new Key named Enrollment Service.
    3. Under Enrollment Service, create a new String (REG_SZ) value named PreferLocalCa and set it to 1.
    4. Also add String (REG_SZ) values for UseKerberosAuthenticationToCa = false and UseNTLMAuthenticationToCa = true.
  12. If you have two Enrollment Servers, then repeat this entire section on the other server. This includes requesting the Enrollment Agent certificate, installing the Enrollment Server software, and setting the PreferLocalCa registry value.

Trust

  1. Log in to a Connection Server and run certlm.msc.
  2. On the left, expand VMware Horizon View Certificates and then click Certificates.
  3. On the right, find the certificate with the Friendly Name vdm.ec, right-click it, expand All Tasks, and then click Export. All Connection Servers have the same certificate so you only need to export from one of the Connection Servers.
  4. In the Export Private Key page, select No, do not export the private key, and then click Next.
  5. In the Export File Format page, leave it set to DER, and then click Next.
  6. Save the certificate to a file that you can access from your Enrollment Server(s).
  7. Log in to an Enrollment Server and run certlm.msc.
  8. On the left, right-click VMware Horizon View Enrollment Server Trusted Roots, expand All Tasks, and click Import.
  9. In the Welcome to the Certificate Import Wizard page, click Next.
  10. In the File to Import page, browse to the certificate that you exported from the Connection Server and then click Next.
  11. In the Certificate Store page, VMware Horizon View Enrollment Server Trusted Roots should already be selected so just click Next.
  12. In the Completing the Certificate Import Wizard page, click Finish.
  13. Repeat the certificate import process on the other Horizon Enrollment Server.

SAML to UAG

  1. Log in to your SAML Identity Provider (IdP) and create an application for Unified Access Gateway.
  2. For Okta, see Omnissa Tech Zone.
  3. Azure AD has a gallery application to make configuration easier. Or use the following values:
    • Identifier = https://*.HORIZON_UAG_FQDN.com/portal
    • Reply URL (Assertion Consumer Service URL) = https://<HORIZON_UAG_FQDN>/portal/samlsso
  4. When done, it should look something like this:
  5. Download the Federation Metadata XML from your Identity Provider. The Metadata Url doesn’t seem to work.
  6. Log in to your UAG admin page (https://<HORIZON_UAG_FQDN>:9443/admin).
  7. Select Configure Manually.
  8. Scroll down to the section named Identity Bridging Settings and click Upload Identity Provider Metadata.
  9. In Unified Access Gateway 2312 and newer, click Upload IDP Metadata.
  10. Click Select in the IDP Metadata row.
  11. Browse to the metadata .xml file and then click Save.
  12. At the top of the page, next to Edge Service Settings click SHOW.
  13. Next to Horizon Settings click the gear icon.
  14. At the bottom of the page, click More.
  15. At the top of the page, change the drop-down for Auth Methods to SAML.
  16. Change the drop-down for Identity Provider to the SAML Identifier in the Metadata that you just imported.
  17. At the bottom of the page click Save.
  18. Log in to Horizon Console.
  19. In the left menu, go to Settings > Servers.
  20. On the right, click the tab named Connection Servers.
  21. Highlight a Connection Server that UAG talks to and click Edit.
  22. Switch to the tab named Authentication.
  23. Change the drop-down for Delegation of Authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.
  24. Click the button named Manage SAML Authenticators.
  25. Click Add.
  26. Change the selection for Type to Static. Dynamic seems to only be valid for Omnissa Access.
  27. Go to your Metadata .xml file and edit it with a text editor. Then copy its contents to your clipboard.
  28. Back in Horizon Console, in the SAML Metadata field, paste in the contents.
  29. Give your SAML 2.0 Authenticator a name and click OK.
  30. Click OK to close the Manage SAML Authenticators window.
  31. Edit other Connection Servers that UAG talks to and go to the Authentication tab.
  32. Set SAML 2.0 Authenticator to Allowed and then click the Manage SAML Authenticators button.
  33. The previously created SAML Authenticator should already be there so just click Edit.
  34. At the bottom, check the box next to Enabled for Connection Server and then click OK. Repeat on any other Connection Server that UAG talks to.
  35. In Horizon Console, go to Monitor > Dashboard and then click VIEW in the System Health section.
  36. On the left go to Other Components. On the right go to the tab named SAML 2.0. You should see your SAML Authenticator.
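Before you import the IdP metadata and pick the Identity Provider in UAG, it helps to see what the file actually contains: the entityID (the value UAG lists as the Identity Provider), the SingleSignOnService bindings, and the validity window of the IdP signing certificate, because an expired or rotated signing certificate breaks the SAML flow with no obvious error in Horizon. The following script is an added example, not part of the original article or of Omnissa's tooling; it assumes the metadata follows the standard SAML 2.0 metadata schema and uses a constructed sample document with a certificate-shaped DER blob (not a real certificate) so it runs offline.

```python
# Added example: inspect an IdP Federation Metadata XML file before importing it
# into UAG / Horizon Console. Standard library only; the X.509 parsing is a
# minimal DER walk that stops at the Validity field (no signature checks).
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    # UTCTime (0x17) is YYMMDDHHMMSSZ; GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)
    tbs = _children(_children(cert)[0][1])         # tbsCertificate is the first element
    if tbs[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        tbs = tbs[1:]
    not_before, not_after = _children(tbs[3][1])   # serial, sigAlg, issuer, validity
    return _time(*not_before), _time(*not_after)

def inspect_idp_metadata(xml_text, now=None, min_days=30):
    """Extract what the UAG/Horizon import needs and flag expiring signing certs."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    warnings, certs = [], []
    if not set(sso) & {"HTTP-POST", "HTTP-Redirect"}:
        warnings.append("no HTTP-POST or HTTP-Redirect SingleSignOnService binding")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        nb, na = cert_validity(base64.b64decode("".join(node.text.split())))
        days_left = (na - now).days
        certs.append({"not_before": nb, "not_after": na, "days_left": days_left})
        if na <= now:
            warnings.append(f"signing certificate expired {na:%Y-%m-%d}")
        elif days_left < min_days:
            warnings.append(f"signing certificate expires in {days_left} days")
    if not certs:
        warnings.append("no signing certificate: SAML responses cannot be verified")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certs": certs, "warnings": warnings}

def _der(tag, body):
    """Tiny DER TLV encoder (short-form lengths only) for the constructed fixture."""
    return bytes([tag, len(body)]) + body

def _fake_cert(not_before, not_after):
    """Certificate-shaped DER blob (constructed, unsigned, NOT a real certificate)."""
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + validity + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

# Constructed sample in the shape of an Azure AD style IdP metadata document.
SAMPLE_CERT_DER = _fake_cert(b"240101000000Z", b"260101000000Z")
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def check_sample(year=2025):
    """Run the check against the sample with the clock fixed at 1 January of `year`."""
    return inspect_idp_metadata(SAMPLE_METADATA, now=datetime(year, 1, 1, tzinfo=timezone.utc))
```

To use it on a real download, pass the file contents to inspect_idp_metadata() and confirm the reported entity_id matches the Identity Provider you select in UAG.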

Enable True SSO

Log in to one of the Connection Servers and open a Command Prompt as administrator. The parameter names in this section’s commands are case sensitive. These commands are vdmutil, not vdmadmin.

Run the following command to add each Enrollment Server. Notes:

  • For the --authPassword fields, you enter "*" (with quotes) to be prompted to enter the password instead of specifying it at the command line.
  • --authAs fields do not include the domain name since the domain is a different field.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn,enroll-server2-fqdn

Run the following command to see the available certificate authorities and certificate templates for a particular domain.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn

Run the following command to enable the Enrollment Servers for a particular domain. This syntax configures the Enrollment Servers as active/passive (failover). Note: certificateServer is the CA name from the previous command and not the server’s FQDN.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --secondaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name,ca2-common-name --mode enabled

Run the following command to see the SAML Authenticators configured in Horizon Console.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator

Run the following command to enable True SSO for a particular SAML Authenticator. Enter either ENABLED or ALWAYS.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-name --truessoMode {ENABLED|ALWAYS}

For more info, see Command-line Reference for Configuring True SSO at Omnissa Docs.

If you prefer to load balance your Enrollment Servers instead of active/passive, do the following:

  1. On a Connection Server, run adsiedit.msc.
  2. Change the Connection Point to dc=vdi,dc=vmware,dc=int.
  3. Change the Computer to localhost and then click OK.
  4. On the left, expand Properties, and then click Global.
  5. On the right, double-click Common.
  6. Find pae-NameValuePair in the list and Edit it.
  7. Enter cs-view-certsso-enable-es-loadbalance=true and then click Add.
  8. Click OK a couple times to close everything.

You can view the status of True SSO in Horizon Console.

  1. In Horizon Console, go to Monitor > Dashboard and on the right, in the System Health section, click VIEW.
  2. With Components selected on the left, on the right is a tab named TrueSSO.

Omnissa Horizon 8: Cloud Pod Architecture

Last Modified: Apr 18, 2025 @ 5:51 am

This article applies to all Horizon versions 2006 (8.0) and newer.

Planning

Cloud Pod Architecture lets you publish a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Global Entitlements – Entitlements are the same thing as published icons. When you create an entitlement (local or global), you are publishing an icon from a pool.
    • For local entitlement, the icon is only published from one pool.
    • For global entitlement, the icon can be published from multiple pools. The pools can be in one pod or from multiple pods.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • For applications, only one application per global entitlement.
  • Pod Federation – Global entitlements can’t be created until a Pod Federation is created. This federation could be one pod or multiple pods.
    • The pods can be separated into sites. Each site can contain multiple pods.
  • Global Load Balancing – Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a globally available Horizon Connection Server. The connected Horizon Connection Server then uses Global Entitlements to select a site/pod/pool.
    • When a user launches a Global Entitlement, the Connection Server selects a pod based on the Global Entitlement Scoping, which can be All Sites, Within site, or Within Pod. This is from the perspective of the Connection Server the user is currently connected to. Horizon will prefer the local pod if possible.
    • Users or groups can be assigned to Home Sites. Global Entitlements can be configured to prefer Home Sites over the normal site/pod selection criteria.
  • Dedicated Assignment – For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • Firewall Ports – The Horizon Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 135, TCP 22389, TCP 22636, and TCP 8472. Make sure these ports are open. More info at Ray Heffer VMware Horizon 7.4 Network Ports for Cloud Pod Architecture.

  • RBAC – Horizon Console includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.

Cloud Pod Architecture Topology Limits Horizon 8 at Omnissa Docs:

  • Max users = 250,000
  • Max Pods = 50
  • Max Sessions per Pod = 12,000
  • Max Sites = 15
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 350

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route Blast/PCoIP through a Horizon Connection Server in the remote pod. In fact, the Horizon Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this Blast/PCoIP traffic.
  • Note: Horizon Cloud Universal Broker doesn’t have this problem.

For more information on multi-datacenter design for Horizon, see Workspace ONE and Horizon Reference Architecture, which includes the following:

  • Omnissa Access
  • App Volumes
  • Horizon Cloud Pod Architecture
  • Dynamic Environment Manager
  • SQL AlwaysOn Availability Groups
  • Networking
  • Storage (e.g., vSAN)
  • Active Directory
  • Distributed File System
  • Global Load Balancing

Initialize First Pod

  1. In Horizon Console, expand Settings and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. On the right, feel free to rename the federation by clicking the Edit button. This is the Federation, not the Pod.

    • Enter a new name.
  6. On the left, expand Settings, and click Sites.
  7. On the right, in the top half, highlight the first site, and then click the Edit button to rename the Default First Site to be more descriptive. Sites can contain multiple pods. Site is typically a geo location or data center.

    • Enter a Site name.
    • Site URL is a feature in 2406 and newer. It lets you specify a datacenter-specific FQDN that Blast is redirected to when Cloud Pod Architecture chooses a Horizon Agent machine in that site. This avoids sending the Blast connection across the datacenter interconnect. UAG 2406 and newer supports the feature.
  8. Click the Site to highlight it to reveal the Pods on the bottom half of the window.
  9. Highlight the pod on the bottom and click Edit to make the name more descriptive.

    • Enter a Pod name.
  10. See Omnissa 2080522 Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to Horizon Console in the second pod.
  2. On the left, expand Settings, and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon Connection Server that is already joined to the federation.
  5. Enter credentials and click OK.
  6. The Join status is displayed.
  7. On the left, expand Settings, and click Sites.
  8. If this pod is in a different site, then in the top half of the window click Add to create a new site.
  9. Give the site a name and click OK.

    • Site URL is a feature in 2406 and newer. It lets you specify a datacenter-specific FQDN that Blast is redirected to when Cloud Pod Architecture chooses a Horizon Agent machine in that site. This avoids sending the Blast connection across the datacenter interconnect. UAG 2406 and newer supports the feature.
  10. Highlight the first site.
  11. On the bottom, highlight the new pod, and click Edit.
  12. Rename the pod and put it in the 2nd site. Click OK.
  13. The top of Horizon Console shows you which Pod you are administering. You might have to refresh the page to see the correct Pod name after it was renamed.

Global Entitlements

Global Entitlements contain one or more Local Pools from one or more pods. Connections to the Global Entitlement can be load balanced across the member pods and pools.

Do not create both Global Entitlements and Local Entitlements for the same pool; otherwise, users might see two icons. Create the local pool, but don’t entitle it (i.e. don’t assign users). Instead, create a Global Entitlement and add the local pool to it.

  1. Before creating a Global Entitlement go to Inventory > Desktops or Inventory > Applications, click a pool name, scroll down to the Pool Settings section and record the settings. Your Global Entitlement must have the same settings.
  2. In Horizon Console, on the left, expand Inventory, and click Global Entitlements.
  3. On the right, click Add.
  4. In the Type page, select Desktop Entitlement or Application Entitlement, and click Next.
  5. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one Global Entitlement per application so include the application name.
    • Horizon 2006 and newer can specify a Display Name that is different than the name of the entitlement.
    • Horizon 2103 and newer can set a Federation Access Group to restrict administrator access to this Global Entitlement. You can create Federation Access Groups in the Horizon Console at Settings > Administrators, and on the right is a tab named Federation Access Groups. You can edit the Global Entitlement later to specify a Federation Access Group.
  6. Scroll down.
  7. Scroll down for more settings:
    1. You can configure tag restrictions (Connection Server restrictions) from this wizard.
    2. You can select a Category Folder where the published icon will be placed on the client’s Start Menu or Desktop. This feature requires Horizon Client 4.6 and newer.
    3. Configure Category Folder. You can type in a new folder or select an existing one. Specify whether the shortcut should appear on the Start Menu, Desktop, or both.
  8. Scroll down to the Policies section and configure the following. Note: these settings must match the Local Pool or you won’t be able to add the Local Pool to the Global Entitlement. Some of these settings can’t be changed without deleting the Global Entitlement and recreating it.
    1. For Desktop Entitlements, the User Assignment field (Floating or Dedicated) must match the Local Pools.
    2. Scope determines from which site/pod the Local Pool is selected. Users connect to a specific Connection Server. Scope specifies if the Local Pool can be selected from any pod in any site, from any pod in the same site as the Connection Server that the user connected to, or from the same pod as the Connection Server that the user connected to. For Dedicated Assignment pools, the user always connects to the assigned desktop no matter which Connection Server the user initially connected to.
    3. The Use home site checkbox tells the global entitlement to respect user home sites. When you assign a user to a home site, when the user launches the global entitlement, it tries to find a Local Pod in the same site as the user’s home site. This helps keep the user’s session close to the user’s data (e.g. home directory, roaming profile).
    4. Change the Default display protocol to VMware Blast. These settings must match the Local Pools.
    5. Horizon 2306 (8.10) and newer have a Session Distribution Policy to distribute sessions across the local resources in the Global Entitlement. Horizon 2309 (8.11) supports either Session Count or Load Index.
    6. For Desktop entitlements, you can allow users to Restart their machines or use Session Collaboration, or initiate separate sessions from different client devices. These settings must match the Local Pools.
    7. For Application entitlements, there’s a Pre-launch checkbox. If you need the Pre-launch feature, then enable the Pre-launch checkbox on at least one application, and entitle the application to the users that need the Pre-launch feature. These settings must match the Local Pools.
    8. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published icon to that computer AD group. The published icon can then only be accessed from the client computers in the AD group.
    9. For Application Entitlements, there’s a selection for Multi-Session Mode. Pre-launch must be disabled to enable this setting.
    10. Make other selections.
  9. Click Next when done.
  10. In the Users and Groups page, add users that can see the icon associated with the Global Entitlement. Click Next.
  11. In the Ready to Complete page, click Finish.
  12. Global Entitlements won’t work until you add some Local Pools to it. Make sure your Horizon Console is connected to the Pod that has the Local Pool.
  13. On the left, expand Inventory and click Global Entitlements.
  14. On the right, click the link for the name of the Global Entitlement. Global Entitlements are synced to every pod.
  15. Switch to the Local Pools tab and click Add.
  16. Select the local pools you want to add and click Add. Remember, only add one app per Global Entitlement. Also, you can only add pools from the local pod. To add pools from a different pod, you must point your Horizon Console browser to the other pod and edit the Global Entitlement from there.
  17. If the GUI won’t let you add the local pool, try it with the lmvutil command-line tool on a Connection Server, which reports the actual error. lmvutil parameter names are case sensitive. Some settings can only be changed by deleting the Global Entitlement and recreating it.
  18. Point your Horizon Console to another pod and view the Global Entitlements.
  19. On the right, click the hyperlink for the name of the Global Entitlement and follow the same procedure to add Local Pools. Horizon will automatically load balance user connections across all local pools based on the Scope policy (All Sites, Within Site, or Within Pod) in the Global Entitlement and Home Sites.
  20. A backup global entitlement delivers remote desktops or published applications when the primary global entitlement fails to start a session because of problems such as insufficient pool capacity or unavailable pods.
    1. Create a new Global Entitlement containing the backup pools.
      • The new Global Entitlement for backup should have the same settings as the production Global Entitlement.
      • You don’t have to assign anybody to the new Global Entitlement that will be the backup.
    2. Add Local Pools to the new Global Entitlement that will be the backup for when prod is down.
    3. Edit the production Global Entitlement.
    4. Scroll down to Backup Global Entitlement and click Browse.
    5. Change the selection to Backup Global Entitlement, select the Global Entitlement that will back up this one, and click Submit.
  21. Horizon Console, at Inventory > Desktops can show if a Local Pool is a member of a Global Entitlement. Scroll to the right to see the Global Entitlement column. This column doesn’t seem to be visible for Applications.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added, which allows you to search for sessions across federated pods. Brokering Pod is the pod containing the Connection Server that the user initially connected to in order to get the list of icons, as opposed to the pod that contains the Local Pool that the session is actually launched from.
  2. The Monitor > Dashboard in Horizon Console shows the health of remote pods.

Home Sites

The Home Sites feature causes Global Entitlements to prefer local pools in the user’s Home Site before looking for pools in remote sites.

  1. Configure your Cloud Pod Architecture with multiple Sites and at least one Pod per Site.
  2. In Horizon Console, on the left, click Users and Groups.
  3. On the right, switch to the Home Site Assignment tab and click Add.
  4. Find a user or group for this home site, and click Next.
  5. Select the site to assign the users to and click Finish. This list of sites comes from your Cloud Pod Sites configuration.
  6. Home Sites can be assigned to both users and groups. User assignments override group assignments.
  7. Edit your Global Entitlement and ensure that Use Home Site is checked. You can optionally require that each user has a Home Site.
  8. Each Global Entitlement can have its own Home Site configuration that overrides the global Home Site configuration.
    • In Horizon Console, click the hyperlink for the Global Entitlement’s name, switch to the tab named Home Site Override, and then click Add.

  9. Since you could have a combination of default Home Site for user, default Home Site for group, and Global Entitlement-specific Home Sites, it’s helpful to know which Home Site is effective for each user and Entitlement.
    • In Horizon Console, in the Users and Groups node, switch to the Home Site Resolution tab. Find a user, and it will show you the Home Site Resolution for a specific Global Entitlement.
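The Scope policy, Home Sites, and Home Site precedence described above combine into one pool-selection decision. The following is an added Python model of that decision (it is not Horizon code and is not from the original page). The topology, pool names, and session counts are constructed for the example; the precedence of a Global Entitlement’s Home Site Override over the global assignment, and of a user assignment over a group assignment, follows the text above, while falling back to the Scope policy when the home site has no pool in the entitlement is an assumption of this model.

```python
from collections import namedtuple

# Constructed Cloud Pod topology for this example (not from the page): two sites, three pods.
POD_SITE = {"POD-NY1": "NewYork", "POD-NY2": "NewYork", "POD-LON1": "London"}

# Local Pools that have been added to one Global Entitlement, with current session counts.
Pool = namedtuple("Pool", "name pod site sessions")
POOLS = [
    Pool("Win11-NY1", "POD-NY1", "NewYork", 40),
    Pool("Win11-NY2", "POD-NY2", "NewYork", 10),
    Pool("Win11-LON1", "POD-LON1", "London", 5),
]

# Scope values as shown in the Global Entitlement wizard.
ALL_SITES, WITHIN_SITE, WITHIN_POD = "All Sites", "Within Site", "Within Pod"


def resolve_home_site(user, groups, global_home_sites, ge_home_site_override=None):
    """Effective home site for one user and one Global Entitlement.

    Precedence modelled here: the Global Entitlement's Home Site Override table is
    consulted before the global Home Site Assignment table, and within each table a
    user assignment overrides a group assignment.  Returns None if nothing applies.
    """
    tables = [global_home_sites]
    if ge_home_site_override:
        tables.insert(0, ge_home_site_override)
    for table in tables:
        if user in table:
            return table[user]
        for group in groups:
            if group in table:
                return table[group]
    return None


def candidate_pools(pools, scope, brokering_pod, home_site=None):
    """Local Pools that may satisfy the launch.

    A home site (if any, and if Use Home Site is enabled) is preferred first.  When
    the home site has no pool in this entitlement, the Scope policy is applied
    relative to the pod of the Connection Server the user connected to (the
    brokering pod).  Falling back to Scope after the home site is an assumption.
    """
    if home_site:
        at_home = [p for p in pools if p.site == home_site]
        if at_home:
            return at_home
    if scope == ALL_SITES:
        return list(pools)
    if scope == WITHIN_SITE:
        return [p for p in pools if p.site == POD_SITE[brokering_pod]]
    if scope == WITHIN_POD:
        return [p for p in pools if p.pod == brokering_pod]
    raise ValueError(f"unknown scope: {scope}")


def choose_pool(pools, scope, brokering_pod, home_site=None):
    """Pick the least-loaded candidate pool (Session Count distribution); None if none qualifies."""
    candidates = candidate_pools(pools, scope, brokering_pod, home_site)
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.sessions, p.name)).name


if __name__ == "__main__":
    # alice is in the Sales group; this entitlement overrides her home site to London.
    home = resolve_home_site("alice", ["Sales"], {"Sales": "NewYork"}, {"alice": "London"})
    print("alice home site:", home)                                                        # London
    print("alice from POD-NY1, All Sites:", choose_pool(POOLS, ALL_SITES, "POD-NY1", home))  # Win11-LON1
    print("bob from POD-NY1, Within Site:", choose_pool(POOLS, WITHIN_SITE, "POD-NY1"))      # Win11-NY2
    print("carol from POD-NY1, Within Pod:", choose_pool(POOLS, WITHIN_POD, "POD-NY1"))      # Win11-NY1
```

Use the Home Site Resolution tab in Horizon Console to confirm what Horizon actually resolved for a user before trusting a model like this one; the model only shows why a user brokered through one pod can land on a pool in another site.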

Related Pages

Omnissa Horizon 8: RDS Farms/Pools

Last Modified: Apr 18, 2025 @ 5:50 am

This post applies to all Horizon versions 2006 (aka 8.0) and newer.

Change Log

  • 2023 Oct 28 – Published Apps – Single Application Launch Limit in Horizon 2309
  • 2021 Jan 10 – Disable Published Application in Horizon 2012 (8.1) and newer.
  • 2021 Jan 9 – updated screenshots for Horizon 2012 (8.1)
  • 2020 Aug 14 – updated entire article for Horizon 2006 (8.0)

Overview

This post details Horizon configuration for Remote Desktop Session Host (RDS) Horizon Agents. Virtual Desktops are detailed at Master Virtual Desktop and Virtual Desktop Pools.

Before following this procedure, build a master RDS Session Host.

Before you can publish applications or RDS desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts, then these are different RDS Farms.

Once the RDS Farms are created, you publish icons from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

Omnissa Tech Paper Best Practices For Published Applications And Desktops in Horizon:

  • vSphere Best Practices – Hardware, Network Adapters, ESXi BIOS Settings, ESXi Power Management
  • Core Services Best Practices – Active Directory, DNS, DHCP, NTP, KMS, RDS Licensing
  • ESXi Host Sizing Best Practices
  • RDSH Configuration Best Practices – Optimization
  • Horizon 7 Best Practices – Instant Clones, Load Balancing
  • User Environment Management Best Practices – Horizon Smart Policies, Folder Redirection, User Profiles, Printers, Hardware Graphics Acceleration
  • App Volumes Best Practices – dedicated AppStacks
  • Antivirus Best Practices
  • Maintenance Operations Best Practices – scheduled reboots

RDS Farms – Instant Clones

For a description of Instant Clones, see Instant Clones for RDSH in VMware Horizon 7.1 YouTube video.

  1. You select a snapshot from a master image.
  2. Horizon creates a template VM that boots from the master snapshot. After some prep, the template VM shuts down and creates a new snapshot.
  3. The template snapshot is copied to a Replica VM on every LUN (datastore) that will host RDS Farm VMs.
  4. For each datastore, Horizon creates a Parent VM on every host in the cluster. This parent VM is powered on and running at all times.
    • Horizon 2306 (8.10) and newer now default to no longer creating parent virtual machines.
  5. Finally, the Instant Clones are created by forking the Parent VM. Notes:
    1. Once the Parent VMs are created, creating/recreating Instant Clones is fast. But it takes time to create all of the Parent VMs.
    2. And the Parent VMs consume RAM on every host. If you have multiple datastores and/or multiple pools, then there are multiple Parent VMs per host, all of them consuming RAM.
  6. You can schedule a periodic reboot of the Instant Clones, which causes the Instant Clone machines to refresh (revert) from the parent VM.
  7. Instant Clones require Distributed vSwitch and Distributed Port Group with Static Binding and Fixed Allocation. Standard vSwitch is not supported. Multi VLAN and vGPU for Instant Clones in VMware Horizon 7.1 YouTube video.

Create an Automatic RDS Farm

Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.

Master Image Preparation

  1. Make sure your RDS gold Agent has the VMware Horizon Instant Clone Agent feature installed.
  2. Make sure your RDS master Agent is configured for DHCP.
  3. Computer Group Policy – Make sure the Master VM is in the same OU as the Instant Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See Omnissa 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  4. Shut down the master image.
  5. Edit the specs of the master VM to match the specs you want the Instant Clones to have.
  6. Take a snapshot of the master image.
  7. In Horizon Console, on the left, expand Inventory, and click Farms.
  8. On the right, click Add.
  9. In the Type page, select Automated Farm, and click Next.
  10. In the vCenter Server page, select Instant Clone, select the vCenter Server, and then click Next. Notice that Composer is no longer an option.
  11. In the Storage Optimization page, click Next.
  12. In the Identification and Settings page:
    1. Enter a name for the Farm. A VM folder with the same name will be created in vCenter.
    2. Note: There’s no place to set the Display Name here. You do that later when creating a Desktop Pool.
    3. Scroll down to the Farm Settings section.
    4. Horizon supports Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    5. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    6. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in Global Settings.
    7. There’s a Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
    8. Max sessions per RDS Host will block connections if this number is exceeded. You can leave it set to Unlimited.
  13. Click Next.
  14. The Load Balancing Settings page lets you configure what metrics are used for even distribution of users across the farm. By default, only Session Count is considered. You can add other metrics like CPU or Memory. Click Next.
  15. In the Provisioning Settings page:
    1. Enter a Naming Pattern. Include a {n} or {n:fixed=3} token so Horizon can insert a unique number (fixed=3 zero-pads it to three digits). The resulting computer names must be 15 characters or less.
    2. In Farm Sizing, enter the number of machines to create.
  16. Click Next.
  17. In the vCenter Settings page, click Browse next to each option and make a selection. These are self-explanatory. Make sure VM Folder Location doesn’t have any spaces in it. Scroll down to see all options. Then click Next.
  18. In the Guest Customization page:
    1. Select an OU to place the new virtual machines. This should be an OU that is configured with group polices for the RDSH machines.
    2. Consider the Allow reuse of pre-existing computer accounts check box.
  19. Click Next.
  20. In the Ready to Complete page, click Submit.
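The Naming Pattern step is easy to get wrong: a prefix that looks short enough can exceed the 15-character computer-name limit once the number is appended, or a fixed width can run out of digits at the farm size you chose. The following added Python check (not Horizon code and not from the original page) expands a pattern the way the wizard describes and reports those problems before you submit. The patterns used are constructed examples; treating a pattern with no {n} token as getting the number appended at the end is an assumption made by this script.

```python
import re

# Horizon naming-pattern token: {n} or {n:fixed=<width>}.
TOKEN = re.compile(r"\{n(?::fixed=(\d+))?\}")
NETBIOS_MAX = 15                      # computer names must be 15 characters or less
# Characters this check allows in a computer name: letters, digits and hyphen.
VALID_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def expand_pattern(pattern, count, start=1):
    """Generate `count` machine names from a Horizon-style naming pattern.

    {n} is replaced by the sequence number; {n:fixed=3} zero-pads it to 3 digits.
    A pattern without a token gets the number appended at the end (assumption
    made by this example for the no-token case).
    """
    names = []
    for i in range(start, start + count):
        if TOKEN.search(pattern):
            name = TOKEN.sub(lambda m: str(i).zfill(int(m.group(1) or 0)), pattern)
        else:
            name = f"{pattern}{i}"
        names.append(name)
    return names


def check_pattern(pattern, count, start=1):
    """Return (names, problems); problems is a list of human-readable findings."""
    names = expand_pattern(pattern, count, start)
    problems = []
    for n in names:
        if len(n) > NETBIOS_MAX:
            problems.append(f"{n}: {len(n)} characters exceeds the {NETBIOS_MAX} limit")
        if not VALID_NAME.match(n):
            problems.append(f"{n}: contains characters not valid in a computer name")
    # A fixed width that cannot hold the highest number silently grows the name.
    m = TOKEN.search(pattern)
    highest = start + count - 1
    if m and m.group(1) and len(str(highest)) > int(m.group(1)):
        problems.append(f"highest number {highest} does not fit in fixed={m.group(1)} digits")
    return names, problems


if __name__ == "__main__":
    for pattern, count in [("RDSH-{n:fixed=3}", 3), ("CORP-RDSFARM-{n:fixed=3}", 2), ("RDSH-{n:fixed=2}", 100)]:
        names, problems = check_pattern(pattern, count)
        print(pattern, "->", names[:3], "..." if len(names) > 3 else "")
        for p in problems:
            print("  problem:", p)
```

Run it with the same pattern and Farm Sizing number you intend to enter in the wizard; if it reports a problem, shorten the prefix or widen the fixed field before provisioning, because renaming Instant Clones afterwards means re-creating the farm.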

To view the status of RDS Farm creation:

  1. Click the farm name.
  2. The bottom of the Summary tab shows you the State of the Publishing progress.

  3. You can watch the progress in vSphere Client. It goes through a couple longer tasks, including cloning the snapshot, and creating a digest file.
  4. Eventually the tab named RDS Hosts will show the new virtual machines.
  5. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Add more RDS Hosts to an Automatic Farm

To add RDS hosts to an existing RDS Automatic Farm.

  1. On the left, expand Inventory, and click Farms.
  2. Click the link for an automated farm.
  3. On the right, click Edit.
  4. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  5. It should not take long to add the new VM.
  6. The RDS Hosts tab of the RDS farm shows the new RDS host(s).

Update an Automatic Farm

Master Image Preparation

  1. Power on the master session host.
  2. Login and make changes.
  3. After making your changes, shut down the master session host.
  4. Right-click the virtual machine, and click Take Snapshot. You must create a new snapshot.
  5. Name the snapshot, and click OK.
  6. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  7. Delete one or more of the snapshots.
  8. In Horizon Console, go to Inventory > Farms.
  9. Click the farm name’s link.
  10. On the Summary tab, click Maintain, and then click Schedule.
  11. One option is to schedule Recurring reboots, which revert the RDS Hosts to a clean state.
  12. To push out an updated Master Image, change the Schedule to Immediate.
  13. Select Start Now, or select Start at a future date/time. Click Next.
  14. In the Image page, uncheck the box next to Use current golden image, select the new snapshot, and click Next.
  15. In the Scheduling page, decide if the reboot should wait for users to logoff or force them off and then click Next.
  16. In the Ready to Complete page, click Finish.
  17. The RDS Farm’s Summary tab (scroll down) shows you that it’s publishing the new image.

  18. After the image is published, on the RDS Hosts tab, you can check on the status of the maintenance task.

Instant Clones Maintenance

To perform Instant Clone Maintenance:

  1. If you click an Instant Clones RDS Farm name…
  2. Switch to the RDS Hosts tab, select a machine, and then click Recover. This deletes and recreates the VM, reverting it to the master image snapshot.

  3. On the Summary tab of the RDS Farm, you can click Maintain > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  4. Specify how often you want the reboot to occur, and then click Next.
  5. In the Image page, you don’t have to change the snapshot. Click Next.
  6. Decide what to do about logged on users, and click Next.
  7. In the Ready to Complete page, click Finish.
  8. If you click the Maintain menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  9. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  10. ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

RDS Farms – Manual

If you are building your RDSH Machines manually (e.g. cloned manually in vCenter; no Instant Clones), then add the manually created machines to a Manual Farm.

  • All RDS machines added to a single Manual Farm should be identical because Horizon will load balance across the servers in the farm.

To create a manual RDS Farm:

  1. Make sure the Instant Clone Agent is not installed on your manual RDS servers, and make sure that during Horizon Agent installation you saw the screen to register the Agent with a Horizon Connection Server.

    • Verify registration at Settings > Registered Machines.
  2. On the left, expand Inventory, and click Farms.
  3. On the right, click Add.
  4. In the Type page, select Manual Farm, and click Next.
  5. In the Identification and Settings page, enter a name for the Farm. Scroll down.
  6. Scroll down to the Farm Settings section.
    1. There is a pre-launch option. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    2. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    3. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in Configuration > Global Settings.
    4. There is an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  7. Click Next.
  8. The Load Balancing Settings page lets you configure what metrics are used for even distribution of users across the farm. By default, only Session Count is considered. You can add other metrics like CPU or Memory. Click Next.
  9. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts that are registered with Horizon Console. Click Next.
  10. In the Ready to Complete page, click Submit.
  11. If you click the farm name…
  12. On the RDS Hosts tab, you can click Add to add more registered RDS Hosts. Make sure every Host in the RDS Farm is identical.

Publish Desktop

To publish a desktop from a load balanced RDS Farm (Automatic Farm or Manual Farm):

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool, and click Next.
  4. In the Desktop Pool ID page, enter an ID and name. They can be different. The ID cannot contain spaces. Click Next.
  5. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu.
    2. You can type in a new category folder name or select an existing one. Also select Shortcut Locations.
    3. There is a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that computer AD group. The published desktop can then only be accessed from the client computers in the AD group.
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next. The farm can be either Instant Clone or Manual.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Submit.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Inventory > Farms, click your farm name, there will be a RDS Pools tab, where you can see which Desktop Pool is associated with this farm. An RDS Farm can only belong to one Desktop Pool.

Publish Applications

To publish apps from an RDS Farm (automatic farm or manual farm):

  1. In Horizon Console, on the left, expand Inventory, and click Applications.
  2. On the right, click Add, and then click Add from Installed Applications.
  3. In the Select Applications page, select a RDS Farm.
  4. The purpose of this wizard is to publish applications from an RDS Farm and then assign them to users (aka entitlement). The entitlements (aka user assignments) will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually.
  5. Select one or more applications. Notice that File Explorer is not one of the options. You can manually add that application later. Scroll down.
  6. There are additional options at the bottom of the Select Applications page. Notice the Entitle users box is checked by default.

    1. There’s a Pre-launch option for published applications. You can optionally enable it on at least one application, and then entitle the pre-launch application to the users that need the Pre-launch feature.
    2. Horizon 2309 and newer let you restrict applications to a Single Application Launch Limit.
    3. You can assign tags for Connection Server restrictions, which lets you control visibility of icons for internal users vs external users.
    4. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop.
    5. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that computer AD group. The published application can then only be accessed from the client computers in the AD group.
  7. Click Next when done.
  8. The Edit Applications page lets you rename (Display name) the published icons. Click Submit when done.
  9. Click Add to select a group that can see all of the applications that you selected. This is the normal entitlement process.

    1. There is an option for Unauthenticated users, which is detailed at Entitle Unauthenticated Access Users to Published Applications at Omnissa Docs.
    2. Before you can configure Unauthenticated Access on published applications, you must add a Domain Account that will be used for anonymous access at Users and Groups > Unauthenticated Access. Use a dedicated, least-privilege account for this, since anonymous sessions on the RDS Hosts run as that account; it should have no rights beyond what the published applications need.
    3. Then go to Settings > Servers and Edit a Connection Server.
    4. On the Authentication tab…
    5. …enable Unauthenticated Access, and select the Default unauthenticated access user account.
    6. Back in your entitlement, you select Unauthenticated Users, and entitle it to the Domain User that is your anonymous account.
  10. You can run the Add Application Pool wizard again to publish more applications with different entitlements (aka user assignments).
  11. If you click the name of one of the application pools…
  12. …on the Entitlements tab, you can change the entitlements.

Manual Application Publishing

Instead of publishing an existing application from the Start Menu, you can add an application manually:

  1. Go to Inventory > Applications, click Add, and select Add Manually.
  2. File Explorer is an application that has to be added manually. Select an RDS Farm and then enter the path to the application.

  3. When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast.
  4. There are more settings at the bottom of the page.

Icon for Published Application

  1. You can select an Application Pool, then open the Application Icon menu and click Associate Application Icon.

Published App Monitoring

If you click a Farm name, you can view Sessions connected to that Farm and the published application each user is running. Monitor > Sessions does not show published application information, but RDS Farm > Sessions does.

  1. In Horizon Console, on the left, expand Inventory and click Farms.
  2. On the right, click the link for one of the farms.
  3. Switch to the tab named Sessions.
  4. As you scroll down the table you’ll see sessions with Type = Application.
  5. If you scroll to the right, you’ll see the Application Name in the far-right column.

Show application pools associated with RDS Farm

  1. If you go to Inventory > Farms, click your farm name…
  2. …and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. You can click the link for a pool to be taken to the pool’s property pages.

Disable Application

Horizon 2012 (8.1) and newer let you disable an application pool. Go to Inventory > Applications, select one or more applications, click the More menu, and click Disable Application Pool.

When the application is disabled, the application icon is removed from Horizon Client at next refresh. If the user tries to launch the icon before it has been removed, then the message is “This application is currently not available”.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session, then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop, then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool in Horizon Console at Omnissa Docs.

Do the following to configure Anti-Affinity in Horizon Console:

  1. On the left, go to Inventory > Applications.
  2. On the right, edit an existing application pool.
  3. Scroll down. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of process name matches that can run on a single RDS Host.
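To see how the pattern, count, and the first limitation above interact at launch time, here is an added Python model of the host selection (it is not Horizon code and is not from the original page). The hosts, users, and process names are constructed; wildcard matching is done with Python’s fnmatch, and load balancing is reduced to the default Session Count metric, so Horizon’s actual load index formula is not reproduced.

```python
import fnmatch

# Constructed example state (not from the page): sessions currently on each RDS Host
# of one farm, as (user, running process) pairs.
HOST_SESSIONS = {
    "RDSH-001": [("alice", "acrobat.exe"), ("bob", "acrobat.exe"), ("carol", "winword.exe")],
    "RDSH-002": [("dave", "acrobat.exe")],
    "RDSH-003": [],
}


def matches_any(process, patterns):
    """Case-insensitive wildcard match of a process name against the Anti-Affinity Patterns."""
    return any(fnmatch.fnmatchcase(process.lower(), p.lower()) for p in patterns)


def anti_affinity_matches(sessions, patterns):
    """Number of process-name matches on one host (each match is counted)."""
    return sum(1 for _, proc in sessions if matches_any(proc, patterns))


def eligible_hosts(host_sessions, user, patterns, max_count):
    """Hosts allowed to take a new launch of the application by `user`.

    If the user already has a session in the farm, anti-affinity is ignored and the
    existing host is reused (first limitation listed above).  Otherwise a host is
    eligible only while its match count is below the Anti-Affinity Count.
    """
    existing = [h for h, sessions in host_sessions.items() if any(u == user for u, _ in sessions)]
    if existing:
        return existing
    return [h for h, sessions in host_sessions.items()
            if anti_affinity_matches(sessions, patterns) < max_count]


def pick_host(host_sessions, user, patterns, max_count):
    """Least-loaded eligible host by Session Count (the default load balancing metric); None if none."""
    hosts = eligible_hosts(host_sessions, user, patterns, max_count)
    if not hosts:
        return None
    return min(hosts, key=lambda h: (len(host_sessions[h]), h))


if __name__ == "__main__":
    patterns, count = ["acro*"], 2
    # RDSH-001 already has two acrobat.exe matches, so a new user is steered elsewhere.
    print("erin ->", pick_host(HOST_SESSIONS, "erin", patterns, count))   # RDSH-003
    # bob already has a session on RDSH-001, so anti-affinity is ignored for him.
    print("bob  ->", pick_host(HOST_SESSIONS, "bob", patterns, count))    # RDSH-001
```

The second case is the one to remember when capacity planning: a user who already has a session on a host (including one opened from an RDS Desktop, the second limitation) will land on that host regardless of how many matching processes are already running there.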

Related Pages