Since authentication to web servers does not use a rigid format, you must specify exactly which information the web server requires and in which format when creating the action. To do this, you create an expression in NetScaler default syntax. Next you create a policy associated with that action. You can now unlock a user account that was locked out after too many failed logon attempts or after repeated violations of logon attempt time slice limits. In the data pane, select the user account to unlock, and then in the Actions drop-down list, choose Unlock.
To unlock a locked-out user account from the command line, type the following command: The NetScaler implementation of SAML allows signing certificates of less than bits, but displays a warning message.
It also supports the SHA hash algorithm for signatures and digests. Citrix recommends that all signing certificates be of at least bits, and that you use SHA, because SHA-1 is no longer considered secure. When sending a SAML authentication request to an external identity provider, the NetScaler ADC now offers an option to send the thumbprint of the certificate that was used to sign the message instead of the complete certificate. The "sendThumbprint" option is off by default.
The Responder feature is flexible; you can create as many error responses as you wish, and respond to as many different error conditions. For example, if your users log on to different authentication servers in different geographic areas, you can customize responses to each region.
A user in the United States can receive an error message that is appropriate to his or her authentication server, and be directed to a customer service telephone number in the United States. A user in Japan can receive the same for his or her different authentication server and customer service telephone number. Briefly, to create a Responder configuration for this scenario, first create each error message and place that error message on a web server.
The web server should not be located on the same physical server as the authentication server, and preferably not on the same subnet. If you have multiple regional data centers that host separate authentication servers, it is advisable to locate each error response in a data center other than the one that hosts the authentication server it is used for, so that local power outages or Internet connectivity problems do not affect the web server that hosts the error messages.
Then, on the ADC, do the following steps: You must craft a rule for the responder policy that selects connections that meet the appropriate criteria.
For example, if you want connections that originate in the USA and that fail authentication to receive this error message, the rule could identify the region by source IP, and the authentication failure by error message. For detailed instructions on how to set up a responder configuration of this type by using the command line, see the following article on the Citrix Customer Support web site: A transaction flag now indicates, to external collectors, whether the transaction was successfully completed or was aborted.
This feature keeps sessions active even if network connectivity is interrupted. To indicate that connectivity is lost, the user's device display freezes and the cursor changes to a spinning hourglass until connectivity resumes.
The user can resume interacting with the application once the network connection is restored. The process of collecting the load time and render time of web pages has been simplified by including the clientSideMeasurements parameter as part of the add appflow action command. For details about configuring an AppFlow action, see http: This combination offers layered network services, including robust application delivery capabilities that accelerate application performance for all users.
With a RISE based implementation, the NetScaler functionality is available as a centralized resource that can be leveraged across the application infrastructure supported by the Cisco Nexus series switch. The key functionalities of the RISE architecture include: RISE provides a plug and play auto-provisioning feature. The NetScaler ADC uses its health monitoring feature to track and support server health by sending health probes to verify server responses.
The automatic policy based routes are defined on the Cisco Nexus series switch. When the return traffic from the server reaches the Cisco Nexus series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client.
Global server load balancing can now be configured on a NetScaler cluster. To do this, you must log on to the cluster IP address to define the GSLB entities and then bind these entities to a single member cluster node group.
For detailed information, see http: To do this, while creating a cluster instance, you must set the "quorumType" parameter to none as shown here:
For more information, see http: Net profiles are now supported on a NetScaler cluster. You can bind spotted IP addresses to a net profile, which can then be bound to a spotted load balancing virtual server or service defined using a node group, with the following recommendations: You must make sure that the cluster LA channel has a local interface as a member interface. You can now use the Layer2 mode in a NetScaler cluster. From NetScaler In earlier releases, the cluster feature was licensed by a separate cluster license file.
No changes are required. When using HTTP compression, you can explicitly specify a "vary" header value for compressed responses. Prior to this enhancement, the vary header was implied to be "Accept-Encoding, User-Agent". The NetScaler graphical user interface (GUI) has been enhanced to provide a better user interaction experience. It now provides you with a workflow-based experience, which guides you through the entire configuration.
The configuration settings have been classified as basic and advanced for some features. The NetScaler now keeps track of the interfaces through which operations are executed. This saves bandwidth and provides faster response times, because the NetScaler does not have to connect to the server for repeated requests of the same data.
This feature is especially useful if you want to base a content switching decision on a part of the URL and other L7 parameters. As a result, the configuration size is also reduced. A number of expressions have been added, and you can use them to examine the header and the attribute-value pairs (AVPs) in a Diameter packet. On the basis of that information, you can forward the request to the selected load balancing virtual server. The behavior has been enhanced in the current release.
NetScaler will respond with the AA bit for negative cached responses just as it does for positive cache responses. The option by default has a value of NO. When you use the load balancing virtual server to load balance recursive resolvers, you can turn this option to YES.
This will cause NetScaler to respond with RA bit set on all responses. They therefore enable clients to discover which server the request should go to for a particular service and which protocol to use to connect to the server. ADNS mode and proxy mode. NetScaler ADC when deployed in a proxy mode does not always send the query for an address record to the back-end server.
This happens when for an answer to a query for an address record, a partial CNAME chain is present in the cache. You can now configure the NetScaler ADC to operate transparently between MySQL clients and servers, and to only log or analyze details of all client-server transactions.
Transparent mode is designed so that the ADC only forwards MySQL requests to the server, and then relays the server's responses to the clients.
As the requests and responses pass through the ADC, the ADC logs information gathered from them, as specified by the audit logging or AppFlow configuration, or collects statistics, as specified by the Action Analytics configuration. You do not have to add database users to the ADC.
Database specific load balancing is now supported for MySQL databases. If a database is available on multiple servers but is online on only some of these servers, the client request is forwarded to the server on which the database is online.
When autosync is triggered on the master site, first the static proximity database is synchronized followed by the synchronization of configuration. For more information see, http: You can now view the configuration details of the entities bound to a GSLB domain. The details include the configuration of the virtual servers, services, and the monitors bound to the GSLB domain.
To view the details, you can use either the command line or the configuration utility. When integrated caching is used in a high availability setup, in addition to storing the cached objects on the primary appliance, the objects are also stored on the secondary appliance.
This reduces bandwidth usage as cached objects are not lost during failover and the request can then be served directly from the cache of the secondary appliance. You can now configure rate limiting for diameter messages. The citrix-xdm monitor is used to monitor the XDM server while the citrix-xnc-ecv monitor is used to monitor the XNC server.
You can add these monitors by using the add lb monitor command from the command-line interface or by using the GUI. You can now configure up to 8K service groups on a NetScaler appliance.
The earlier limit was 4K service groups. For more information on jumbo frames, see http: You can now view the statistics of services and service groups that are bound to a load balancing virtual server by using the following URL:.
You cannot view these details by using the "http: NetScaler operations such as configuring SSL certificates requires the input files to be available locally on the NetScaler appliance.
NITRO allows you to perform file operations such as uploading files to the NetScaler, retrieving a list of files and the file content from the NetScaler, and deleting files from the NetScaler.
These operations can be performed for files of type: The SDKs can be downloaded from the Downloads page of the appliance's configuration utility.
Additionally, the expression editor for advanced endpoint analysis has been implemented in HTML within the configuration utility. If you configure a SmartAccess virtual server, when users log on from multiple devices, you can transfer the ICA Proxy session to another device and restrict users to one Universal license.
For example, if users log on by using Citrix Receiver on their computer and then log on again from a mobile device, this consumes two NetScaler Gateway Universal licenses and creates two sessions for one user. When you enable this setting, the user session transfers to the new device and uses one Universal license. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
NetScaler Gateway supports network traffic through a forward proxy between the appliance and servers in the internal network when users log on by using clientless access and when Secure Browse is enabled on the Security tab in a session profile. The Endpoint Analysis feature enables administrators to analyze and make client connection choices based on client endpoint settings for plug-in sessions connecting through the NetScaler Gateway. This task required administrators to manually extract the file on the NetScaler and then copy the extracted files to appropriate directories.
NetScaler Gateway NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or if split tunneling is enabled. You can also schedule the export of the reports to specified email addresses at various intervals.
The NetScaler Insight Center geo maps feature displays the usage of web applications across different geographical locations on a map. Administrators can use this. NetScaler Insight Center adaptive threshold functionality dynamically sets the threshold value for the maximum number of hits on each URL. HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions. NetScaler Insight Center now saves the following data for a specific time period before it is purged:
NetScaler Insight Center now analyzes the traffic flowing through NetScaler ADC to cache servers and origin servers, and provides useful information about the cache performance, such as: For details on Cache Redirection Insight, see http: Authentication with the NetScaler Insight Center virtual appliance can be local or external.
With external authentication, NetScaler Insight Center grants user access on the basis of the response from an external server. It supports the following external authentication protocols: Authorization through the NetScaler Insight Center virtual appliance is local.
The virtual appliance supports two levels of authorization. Users with superuser privileges are allowed to perform any action. Users with readonly privileges are allowed to perform only read operations. The authorization of SSH users requires superuser privileges.
Users with readonly privileges cannot log on through SSH. On the dashboard, if you move the columns in a table and refresh the page, the column ordering is sometimes reset to default.
The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric. In the dashboard, you can now select and rearrange the columns displayed in the tables. These changes persist across user sessions. This counter indicates how many times the client advertised a zero TCP window.
This counter indicates how many times the server advertised a zero TCP window. This counter indicates how many times the retransmit timeout was invoked on the client-side connection.
This counter indicates how many times the retransmit timeout was invoked on the server-side connection. You can now customize NetScaler Insight Center reports to display the metrics that you want, and you can specify bar graphs or line graphs.
To make these changes, open the drop-down list next to the percentage icon in the top-right corner of the dashboard. NetScaler Insight Center now supports monitoring of CloudBridge , , , and appliances.
For details, see http: You can now configure the timeout period for how long a user or a group can remain in an idle state before being terminated. For more details on configuring a user account or a group account, see http: The database cache functionality of NetScaler Insight Center stores database content locally in the cache and serves the content to users without accessing the database server.
For details about configuring this functionality, see http: For debugging an issue, the technical support bundle that you generate to send to the technical support team now automatically includes NetScaler ADC data along with the NetScaler Insight Center data. All statistics that are maintained and reported for single-stream ICA connections are also displayed for multi-stream ICA connections.
For details on enabling this functionality, see http: You can now enable NetScaler Insight Center to periodically remove the out-of-date content from its database. The dashboard now displays the following user access types, depending on the NetScaler deployment:
User connected to XenApp or XenDesktop server directly, with no intervening virtual server. These values are displayed only if the session reliability feature is enabled on XenApp or XenDesktop.
You can now limit the number of days for which the generated reports can persist in the database, after which the reports are permanently deleted. To change the value, on the Configuration tab, click System and in the right-pane from the System Settings group, click Limit Data Duration Persistency. This is particularly helpful in debugging and troubleshooting the instances hosted on the NetScaler SDX appliance when the instance is not reachable over the network.
The Events feature lets you monitor and manage the events generated on the NetScaler instances. The Management Service identifies events in real time, thereby helping you address issues immediately and keep the NetScaler instances running effectively. You can also configure event rules to filter the events generated and get notified to take actions on the filtered list of events.
You can monitor values, such as the health of a virtual server and the time elapsed since the last state change of a service or service group.
This gives you visibility into the real-time status of the entities and makes management of these entities easy when you have a large number of entities configured on your NetScaler devices. You can now use the command line interface to perform operations on the Management Service. Add, Set, Delete, Do and Save commands are supported through the command-line interface. The NetScaler SDX appliance now supports configuring a password policy and a user-lockout policy to provide security against hackers and password-cracking software.
The password policy enforces a user-specified minimum length and a minimum level of complexity. The password must have at least one uppercase, one lowercase, one numeric, and one special character. The user-lockout policy disables a user-account if an incorrect password is entered a specified number of times.
You can specify the time period (user lockout interval) for how long the user account remains disabled, after which the user account is enabled automatically. The total number of instances that you can provision on an SDX appliance depends on the license installed on the appliance. You can use the Setup Wizard to complete all the first time configurations in a single flow. The wizard helps you configure network configuration details and system settings, change the default administrative password, and manage and update licenses.
New inline wizard for provisioning NetScaler instances with simplified networking configuration steps. You can now use the new inline wizard to provision NetScaler instances from the Management Service. The networking configuration portion of the provisioning workflow has been simplified and streamlined for ease of use. With this release, the following authentication and authorization capabilities are supported for the Management Service on the NetScaler SDX appliance:
You can now schedule the Management Service to run a NetScaler configuration difference against a template and show appropriate reporting. Further, you can use the report on the Change Management page of the Management Service to view whether there is any difference between the saved configuration and the running configuration of any instance. You can click on the chart to further drill down and view the list of instances, their running configuration, saved configuration, history of configuration changes, any difference between the configurations before and after an upgrade, and any difference between the running configurations and the configuration of the associated audit templates.
Usability is enhanced by providing a separate view for SSL certificates and keys for NetScaler instances. Now you can use the network configuration utility to assign both the Management Service IP address and the XenServer IP address on a new appliance. If any NetScaler VPX instances are in the shutdown state when the appliance is rebooted, those instances remain in the shutdown state through the reboot process.
When deployments are being set up, usually the interfaces are not connected. Management Service now allows provisioning of NetScaler instances on SDX with data ports as management interface even if they are down. The new Dashboard provides a compact and a better view of key parameters. The fields that are displayed in the Dashboard are not user configurable.
When the system sends any e-mail notification, it contains the host name along with the IP address as the sender. Management interfaces are not included. For third party virtual machines, the user has to change the MTU explicitly from the virtual machine to make it effective. You do not require a separate license file to set up a cluster on an SDX appliance.
New kernel packages have been added to support software RAID on the following new platforms: When upgrading to this platform release from an earlier release, upgrade the two images in the order suggested above.
Previously, SDX platform components were distributed separately: a XenServer image with kernel packages, 2 hotfixes, and 3 supplemental packs. To simplify installation, facilitate meeting all the platform requirements, and streamline the order in which the components are installed, all the components are now in one image, called the SDX Platform image. The XenServer component is based on XenServer LLDP is a layer 2 protocol that enables the NetScaler ADC to advertise its identity and capabilities to the directly connected devices, and also learn the identity and capabilities of these neighbour devices.
Now, you can create forwarding session rules for IPv6 traffic. By default, the NetScaler appliance does not create session entries for traffic that it only forwards (L3 mode). For a case in which a client request that the appliance forwards to a server results in a response that has to return by the same path, you can create a forwarding-session rule. A forwarding-session rule creates forwarding-session entries for traffic that originates from or is destined for a particular network and is forwarded by the NetScaler appliance.
When configuring an IPv6 forwarding-session rule, you can specify either an IPv6 prefix or an ACL6 as the condition for identifying the IPv6 traffic for which a forwarding-session entry is to be created: When you specify an IPv6 prefix, the appliance creates forwarding sessions for IPv6 traffic that is sourced from networks matching the IPv6 prefix. When the appliance is configured as a high availability node, Connection Failover for synchronizing IPv6 forwarding session entries with the secondary node is not supported.
Link Redundancy by using LACP channels enables the NetScaler appliance to logically create sub channels from a LACP channel, where one of the sub channels is active and the remaining sub channels stay in standby mode. If the active sub channel fails or does not meet a minimum threshold throughput, one of the standby sub channels takes over and becomes active. The NetScaler appliance forms a sub channel from links that are part of the LACP channel and are connected to a particular device.
For example, for a LACP channel with four interfaces on a NetScaler appliance, where two of the interfaces are connected to device A and the other two interfaces are connected to device B, the NetScaler appliance logically creates two sub channels: one sub channel with two links to device A, and the other sub channel with the remaining two links to device B. The lrMinThroughput parameter specifies the minimum throughput threshold to be met by the active sub channel of a LACP channel.
When the throughput of the active sub channel falls below lrMinThroughput, link failover occurs and one of the standby sub channels becomes active. Link redundancy for a LACP channel is disabled, which is also the default setting, when you set the lrMinThroughput parameter of the LACP channel to zero or when you unset this parameter.
In an HA configuration, if you want to configure both throughput based HA failover (the throughput parameter) and link redundancy (the lrMinThroughput parameter) on a LACP channel, you must set the throughput parameter to a value less than or equal to the lrMinThroughput parameter. HA failover does not occur if any of the sub channels meets the lrMinThroughput parameter value, even when the total throughput of the LACP channel does not meet the throughput parameter value.
HA failover occurs only when none of the sub channels of the LACP channel meets the lrMinThroughput parameter value and the total throughput of the LACP channel does not meet the throughput parameter value.
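The interaction between link redundancy and HA failover described above is easy to misread, so here is a small model of the two rules as an added illustration. This is not NetScaler code: it encodes the text's rules (an active sub channel below lrMinThroughput hands over to a standby that meets it; HA failover requires every sub channel to miss lrMinThroughput and the channel total to miss the HA throughput parameter) over constructed throughput samples. The class name, the assumption that HA failover depends on the channel total alone when link redundancy is disabled, and all Mbps figures are mine.

```python
"""Model of LACP link redundancy and HA throughput failover decisions.

Added illustration, not NetScaler code. Throughput figures are constructed
and expressed in Mbps; the rules follow the release-note text.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LacpChannel:
    lr_min_throughput: int          # lrMinThroughput; 0 disables link redundancy
    ha_throughput: int              # HA 'throughput' parameter for the whole channel
    sub_channels: Dict[str, int]    # sub channel name -> measured throughput (Mbps)
    active: Optional[str] = None    # currently active sub channel

    def __post_init__(self) -> None:
        # The text requires throughput <= lrMinThroughput when both are configured.
        if self.lr_min_throughput > 0 and self.ha_throughput > self.lr_min_throughput:
            raise ValueError("throughput must be <= lrMinThroughput")
        if self.active is None:
            self.active = next(iter(self.sub_channels))

    @property
    def link_redundancy_enabled(self) -> bool:
        return self.lr_min_throughput > 0

    def select_active(self) -> str:
        """Link failover: when the active sub channel drops below lrMinThroughput,
        a standby sub channel that meets the threshold becomes active.
        Returns the name of the active sub channel after the decision."""
        if not self.link_redundancy_enabled:
            return self.active
        if self.sub_channels[self.active] >= self.lr_min_throughput:
            return self.active
        for name, throughput in self.sub_channels.items():
            if name != self.active and throughput >= self.lr_min_throughput:
                self.active = name
                break
        # If no standby qualifies, the current sub channel stays active.
        return self.active

    def ha_failover_needed(self) -> bool:
        """HA failover only when no sub channel meets lrMinThroughput AND the
        channel total is below the HA throughput parameter. With link
        redundancy disabled, only the channel total is considered (assumption)."""
        total = sum(self.sub_channels.values())
        if self.link_redundancy_enabled:
            if any(t >= self.lr_min_throughput for t in self.sub_channels.values()):
                return False
        return total < self.ha_throughput


def walkthrough() -> list:
    """Constructed scenario: two sub channels, lrMinThroughput 500, throughput 300."""
    ch = LacpChannel(lr_min_throughput=500, ha_throughput=300,
                     sub_channels={"to-device-A": 900, "to-device-B": 600})
    steps = [(ch.select_active(), ch.ha_failover_needed())]   # healthy: A active, no HA failover
    ch.sub_channels["to-device-A"] = 100                       # A degrades: B takes over
    steps.append((ch.select_active(), ch.ha_failover_needed()))
    ch.sub_channels["to-device-B"] = 250                       # both miss lrMin, total 350 >= 300
    steps.append((ch.select_active(), ch.ha_failover_needed()))
    ch.sub_channels["to-device-B"] = 100                       # both miss lrMin, total 200 < 300
    steps.append((ch.select_active(), ch.ha_failover_needed()))
    return steps


if __name__ == "__main__":
    for active, failover in walkthrough():
        print(f"active={active} ha_failover={failover}")
```

The third step is the case the text calls out: both sub channels miss lrMinThroughput, but because the channel total still meets the throughput parameter, no HA failover happens.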
You can now associate a netprofile with a link load balancing configuration. The NetScaler ADC then uses one of the IP addresses in the netprofile as the source address for outbound traffic related to the link load balancing configuration. You can associate a netprofile with link load balancing virtual servers as well as with the bound services. A netprofile associated with a link load balancing virtual server always takes precedence over netprofiles associated with the bound services.
For more information on netprofiles, http: You can now bind services in one traffic domain to a virtual server in another traffic domain. All the services to be bound to a virtual server in a different traffic domain must reside in the same traffic domain. There is no command or parameter introduced for this support. You configure this support by using the existing bind lb vserver command or the related configuration utility procedure. This capability can facilitate interaction between different traffic domains.
In an enterprise, servers can be grouped in different traffic domains. Virtual servers are created in a traffic domain that faces the Internet. A virtual server from this traffic domain can be configured to load balance servers in another traffic domain. This virtual server receives connection requests from the Internet to be forwarded to the bound servers. Jumbo frames can transfer large files more efficiently than is possible with the standard IP MTU size of bytes.
The appliance receives data as regular frames and sends it as jumbo frames. The appliance receives data as jumbo frames and sends it as regular frames. The NetScaler appliance supports jumbo frames in a load balancing configuration for the following protocols:. To use this feature no special license file is required.
For more information on vPath, see http: As a result, the ADC can segregate subsequent incoming traffic for different traffic domains on the basis of the destination MAC address. The source IP persistency of a netprofile associated with a virtual server or service enables the NetScaler ADC to use the same address, specified in the net profile, for all sessions initiated from a particular client. You can now bind up to 16 interfaces to a link aggregation channel. The channel can be either static or LACP.
The NetScaler ADC now supports the front end optimization feature, which reduces the load time and render time of web pages by simplifying and optimizing the content to be served to the client browser. Release The XL v5. Policy variables are named objects that can hold one or more values that can be set and modified at runtime.
The concept of variables is essentially the same as in programming languages. Variable values can be of two types: The key can be used to find the value. In a map, more than one map entry may have the same value, but each map entry must have a different key. A number of NetScaler expressions have been added that enable the user to examine the header and the attribute-value pairs (AVPs) in a Diameter packet.
These expressions enable the user to look up AVPs by index, ID, or name, examine the information in the AVP, and send a response based on that information.
You can now add NetScaler expressions with default syntax to HTML pages that are used with responder actions of the respondWithHtmlpage type. This functionality enables you to include information about the request that generated the Responder action in the response.
This is especially helpful in environments where shell access to the remote host is restricted. This group contains the following ciphers:
Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile wireless environment and in an interactive voice response environment, where every millisecond is important.
Smaller key sizes result in power, memory, bandwidth, and computational cost savings. You can now set a limit to the number of disabled SSL chips after which the appliance restarts. In end-to-end encryption with server authentication enabled, you can include a common name in the configuration of an SSL service or service group.
The name that you specify is compared to the common name in the server certificate during an SSL handshake. If the two names match, the handshake is successful. This configuration is especially useful if there are, for example, two servers behind a firewall and one of the servers spoofs the identity of the other.
If the common name is not checked, a certificate presented by either server is accepted if the IP address matches. The output of the "show fips" command now displays the HSM model number as shown below.
This is especially helpful if you are conducting an audit of the FIPS card in a NetScaler appliance and cannot open the appliance without voiding the warranty. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility.
Previously, you could specify only one set of global parameters. Now, you can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories: That is, they apply to the entity that receives requests from a client. For example, an SSL virtual server.
That is, they apply to the entity that sends client requests to a server. For example, an SSL service. An administrator can view the certificate chain for the certificates present on the ADC and install any missing certificates.
Twelve new ciphers are supported with TLS protocol version 1. SSL renegotiation is now blocked by default. In earlier releases, the default setting was to allow SSL renegotiation.
The presence of this SCSV extension in the Client Hello indicates that the client is retrying to connect to the server by using a lower SSL version, after its previous attempt to communicate with a higher version failed. Therefore, if the server finds this extension in the Client Hello and also finds that the client is proposing a version that is lower than the maximum version supported by the server, it is a likely indication of a "man in the middle" attack.
You can configure the SSL virtual server to accept only client certificates that are signed by a CA certificate bound to the virtual server. For this option to work, at least one side of the connection (client or server) must support it. The NetScaler appliance now supports ECN, which sends notification of network congestion state to the sender and takes corrective measures for data congestion or data corruption. When ECN is enabled, the NetScaler automatically differentiates between corruption loss and congestion loss.
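To make the SCSV rule concrete, here is an added example, not NetScaler code, that builds a minimal TLS ClientHello body, parses the client version and cipher suite list back out of it, and applies the server-side decision from the text: reject a hello that carries TLS_FALLBACK_SCSV while offering a version below the server's maximum. The cipher suite value 0x5600 is the one registered for TLS_FALLBACK_SCSV in RFC 7507 and the alert name inappropriate_fallback comes from the same RFC; the builder and parser function names, and the sample hellos, are mine.

```python
"""Server-side TLS_FALLBACK_SCSV check on a ClientHello (RFC 7507 logic).

Added illustration; the ClientHello builder and parser are deliberately
minimal (empty session id, null compression, no extensions).
"""
import struct
from typing import List, Sequence, Tuple

Version = Tuple[int, int]

TLS_FALLBACK_SCSV = 0x5600                      # cipher suite value from RFC 7507
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
AES128_SHA = 0x002F                             # TLS_RSA_WITH_AES_128_CBC_SHA, a normal suite


def build_client_hello(version: Version, cipher_suites: Sequence[int]) -> bytes:
    """Return a constructed ClientHello body (handshake header omitted)."""
    body = bytes(version)                       # client_version
    body += b"\x00" * 32                        # random (zeroed for the sample)
    body += b"\x00"                             # session_id length 0
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    return body


def parse_client_hello(body: bytes) -> Tuple[Version, List[int]]:
    """Extract (client_version, cipher_suites) from a ClientHello body."""
    version = (body[0], body[1])
    pos = 2 + 32                                # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len                          # skip session id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return version, suites


def evaluate_client_hello(body: bytes, server_max_version: Version) -> str:
    """Return 'accept' or the alert a server should send.

    SCSV present + offered version below the server's maximum means the client
    is falling back although the server supports more: treat as a likely
    downgrade (man in the middle) and reject with inappropriate_fallback.
    A hello without the SCSV is handled normally, even at an old version.
    """
    version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return "alert:inappropriate_fallback"
    return "accept"


if __name__ == "__main__":
    # Constructed samples against a server whose maximum is TLS 1.2.
    fallback = build_client_hello(TLS10, [AES128_SHA, TLS_FALLBACK_SCSV])
    genuine = build_client_hello(TLS12, [AES128_SHA, TLS_FALLBACK_SCSV])
    legacy = build_client_hello(TLS10, [AES128_SHA])
    for name, hello in (("fallback", fallback), ("genuine", genuine), ("legacy", legacy)):
        print(name, evaluate_client_hello(hello, TLS12))
```

The second sample shows why the check is safe for well-behaved clients: a client that sends the SCSV while already offering the server's maximum version is accepted, so only the downgraded retry is refused.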
When the configured external authentication server is not available, the NetScaler can be configured to allow local users to log on and perform administrative tasks. To enable this function, enable the "localAuth" parameter of the "set system parameter" command.

If required, you can now allocate an extra management CPU from the packet engine pool on a NetScaler MPX appliance, for better performance when configuring and monitoring the appliance.
For example, consider a user "publicadmin" whose timeout value is 20 minutes. When accessing an interface, that user must specify a timeout value of 20 minutes or less.
The trap class, destination, and version together now act as the unique identifier for a trap destination, so the same destination can be configured with different SNMP versions. All commands take version V2 as the default value, and the set and unset commands can no longer change the version.

This capability supports end-to-end quality of service (QoS) checks for load-balanced traffic. In the case of spurious retransmissions, the congestion control settings are reverted to their original state.
The following NetScaler features are now supported in all traffic domains configured on a NetScaler appliance: You can use the new Traffic Domain (TD) parameter to specify or identify a traffic domain in commands and GUI elements related to these features.

You can now configure rate limiting for traffic domains. The following expression has been added to the NetScaler expression language for identifying traffic associated with traffic domains: You can configure rate limiting for traffic associated with a particular traffic domain, a set of traffic domains, or all traffic domains.
Use the following command to configure agCallbackURL: The issues that were addressed in this NetScaler release are listed below. The build number provided below each issue description indicates the build in which that issue was addressed. These attributes are sent to Active Directory (AD) during a user search.
These values are extracted and stored. With this fix, the configuration utility displays only the AAA sessions active at the IP addresses that you specify. The attribute values that are extracted as part of authentication "http.
Four options are available for configuring each of these attributes: attribute name, attribute value, attribute friendly name, and attribute URI specification. You can use Citrix default syntax expressions to set the attribute values. When AAA is configured to authenticate users to a Microsoft SharePoint server by using NTLM, the user might be prompted to retype his or her credentials even though they were entered correctly. After the user retypes the credentials, he or she is logged on successfully.
When this condition occurs, counters do not include the session, which causes monitoring and statistics displays to show incorrect information.
This information enables the IdP to request the appropriate authentication credentials. In forms-based single sign-on (SSO), if the designated response size is 0, the NetScaler ADC does not search the complete response, as it normally would for responses with sizes above 0.
It therefore fails to find the login form, and forms-based SSO authentication fails. If, after successful completion of single-factor authentication, the user attempts to access a resource that requires a higher level (level 2) of authentication, in some load balancing topologies the NetScaler ADC might respond with a generic message.
With this fix, if the initial user authentication used single factor authentication, the ADC sends a logon page to prompt the user to again provide credentials for level 2 authentication.
The NetScaler ADC does not handle an authentication request if the incoming base64-decoded Kerberos ticket is larger than 10 kilobytes. This fix increases the buffer-size limit to accommodate tickets of up to 65 kilobytes.
With this fix, the ADC now passes the encoding type in the challenge so that the incoming data is accurately encoded. If an authentication profile has a space in its name, the NetScaler parser takes only the part of the string up to the space character as the name of the profile.
The NetScaler ADC may fail if, during user authentication, it comes across another entity that matches this partial string. With this fix, the profile name is URL-encoded so that special characters are processed accurately. Only service-provider-initiated single logout is currently supported.
Identity-provider-initiated logout is not yet supported. The NetScaler fails to parse incoming assertions if it finds a duplicate StatusCode element.
The NetScaler appliance can crash if there is an authentication failure in based authentication when web authentication is used. The configuration that can lead to this is of the form: In an AAA-TM setup that has authentication enabled on the load balancing virtual server, the NetScaler appliance can, in some cases, go down if it receives a malformed authorization header. The NetScaler appliance sometimes sends an error message to a client that sent a valid authorization header.
For Kerberos authentication, due to the reuse of server-side connections, the server does not display the appropriate user's page. During an upgrade from NetScaler When doing Kerberos authentication, the nskrb binary may leak memory for each transaction. When traffic domains are used with AAA-TM deployment, user login might fail at times during password change or password challenge messages.
When you upgrade the firmware of an HA setup to NetScaler This might cause Kerberos single sign-on to fail. You can remove the cached ticket files from the appliance. If an organization has users and services in multiple domains, then when doing Kerberos constrained delegation, the NetScaler appliance might pick an incorrect ticket when sites are accessed in a particular order. This can result in users not being able to access the sites.
The "show aaa session" command causes a high level of CPU usage when executed with the "-username" or "-group" option.
The NetScaler appliance does not set the cookie for the domain that is configured in the authentication profile specified on the load balancing and content switching virtual servers. In a multi-core NetScaler environment, user sessions sometimes do not get terminated if the decision to terminate is based on a force timeout value that is configured on a TM traffic action.
That might cause some elements of pages to load incompletely, or time out. The NetScaler appliance fails if authentication is disabled while user authentication is in progress. If SAML authentication is used to log on a user, and the SAML action is removed while there are active sessions, adding a high availability node might cause occasional failures on the secondary node. If AAA-TM logout is configured through a traffic policy on the NetScaler appliance, and the server sends a chunked response, the user encounters an error.
In a high availability setup, a session does not time out even if a force timeout is configured on a traffic action that is bound to a load balancing or content switching virtual server and a forced failover is performed. When doing forms-based SSO, if the back-end server sets a cookie with the login form, the NetScaler does not send those cookies to the client.
This behavior was observed after a successful forms SSO attempt. If you use the Kerberos protocol for single sign-on SSO to access a back-end server, the NetScaler appliance might fail if heavy traffic causes allocation failures, because the appliance might detect a call to free memory that has already been freed. In rare scenarios, a NetScaler appliance becomes unresponsive when both nodes of a high availability HA setup claim to be the primary node.
If some of the components in high availability HA synchronization are temporarily disabled, the NetScaler appliance becomes unresponsive during HA or cluster upgrade. The classic-policy expression used by the default acceleration policy fails to identify an Internet Explorer browser whose signature does not comply with the IE user-agent string standards.
The NetScaler crashes due to an issue in hash calculation and comparison of the action analytics records. Stream analytics record creation will be case sensitive.
For example, WWW. COM and www. A global flag that tracks stream sessions when ICMP traffic processing begins is not initialized properly. If you use AppExpert templates to create applications or public endpoints that have names longer than 18 characters, an "HTTP 1. The order in which AppExpert evaluates application units cannot be changed. With this fix, after hovering over the icon, you can move an application unit up or down in the order of evaluation.
The NetScaler appliance does not perform policy evaluation for traffic other than that related to SSL and load balancing configurations. As a result, the appliance does not create AppFlow records for this traffic. When routes are updated after an AppFlow collector is added, the NetScaler appliance sends ARP requests for the AppFlow collector IP address, even when the collector is reachable only through a router.
The NetScaler appliance might become unresponsive if you attempt to delete an AppFlow action while the traffic is flowing. The NetScaler appliance might become unresponsive if a request generated by a client is corrupted after execution of the client-side measurement script.
This issue can occur if you enable the client side measurement option for an AppFlow action. Service states for the service groups cannot be updated. As a result, client requests are dropped. This leads to NetScaler failure. The security check violation is still triggered. If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive. The Profile Settings section of the report shows bound signatures as "Not Set".
During upgrade from release 10 to This results in two sets of database files and breaks the learned-rule functionality. With this fix, learning data can be successfully retrieved after upgrade for profiles with names in mixed-case characters. If you use the command line to make the same changes, no problems occur. If the application firewall receives a multipart POST request with a Content-Type header that contains a charset parameter in addition to the boundary, it blocks that request as malformed.
When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file. If a NetScaler ADC receives a request for an object that it cached before the application firewall configuration was modified to add any advanced security check protection, the ADC responds with HTTP Error for subsequent requests to access this cached object, because the object does not contain the expected application firewall metadata.
With this fix, the existing cached objects without the required metadata are considered stale and are flushed. The request is served from the origin server and the cache is updated with refreshed data. If CEF logging is turned on, only the format of application firewall log messages is expected to change, but the format of other logs is also affected, causing problem with their display.
With this fix, turning on the application firewall CEF logging does not modify the format or display of other logs. On a NetScaler ADC that has the application firewall enabled and the Learning feature enabled for one or more security checks, the Learning module might become unresponsive.
When this happens, no additional learning takes place and no recommendations for new relaxations or rules are generated. The application firewall parses multipart forms correctly according to the appropriate RFC.
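The three multipart issues above (a charset parameter being treated as malformed, an invalid character in a generated MIME boundary, and correct parsing per the RFC) all come down to the same two pieces of logic: parsing the Content-Type parameter list without assuming a fixed order, and validating the boundary against the RFC 2046 section 5.1.1 character set (1 to 70 characters from bcharsnospace plus space, not ending in a space) before using it to split the body. The following Python code is an added example of that logic, not code from the page or from Citrix; the sample request body and header are constructed inline.

```python
# RFC 2046 section 5.1.1 bcharsnospace; a boundary may also contain spaces
# but must not end with one, and is 1..70 characters long.
_BCHARS_NOSPACE = set("0123456789abcdefghijklmnopqrstuvwxyz"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ'()+_,-./:=?")


def parse_content_type(value):
    """Split 'type/subtype; p1=v1; p2="v 2"' into (media_type, {param: value}).
    Parameter order is not significant and names are case-insensitive, so a
    charset parameter before or after boundary is simply another entry."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p or "=" not in p:
            continue
        name, _, val = p.partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        params[name.strip().lower()] = val
    return media_type, params


def is_valid_boundary(boundary):
    """RFC 2046 boundary syntax check; a boundary that fails this check would
    also be rejected by the receiving server."""
    return (1 <= len(boundary) <= 70
            and not boundary.endswith(" ")
            and all(c in _BCHARS_NOSPACE or c == " " for c in boundary))


def multipart_boundary(content_type):
    """Return the boundary of a multipart/form-data request, or None if the
    header is not usable. Extra parameters such as charset are ignored, not
    treated as a malformed request."""
    media_type, params = parse_content_type(content_type)
    if media_type != "multipart/form-data":
        return None
    boundary = params.get("boundary")
    if boundary is None or not is_valid_boundary(boundary):
        return None
    return boundary


def split_multipart(body, boundary):
    """Return [(headers_dict, payload_bytes)] for each body part. The CRLF
    before each delimiter belongs to the delimiter, not to the payload."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delim)[1:]:          # [0] is the preamble
        if chunk.startswith(b"--"):              # close delimiter: boundary--
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("delimiter not followed by CRLF")
        head, sep, payload = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header terminator")
        if payload.endswith(b"\r\n"):
            payload = payload[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            if b":" in line:
                name, _, val = line.partition(b":")
                headers[name.strip().decode("ascii").lower()] = val.strip().decode("latin-1")
        parts.append((headers, payload))
    return parts


# Constructed sample: a browser-style upload whose Content-Type carries a charset
# parameter before the boundary.
CONTENT_TYPE = "multipart/form-data; charset=UTF-8; boundary=----WebKitFormBoundary7MA4YWxk"
BODY = (b"------WebKitFormBoundary7MA4YWxk\r\n"
        b'Content-Disposition: form-data; name="user"\r\n\r\n'
        b"alice\r\n"
        b"------WebKitFormBoundary7MA4YWxk\r\n"
        b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
        b"Content-Type: text/plain\r\n\r\n"
        b"hello\r\n"
        b"------WebKitFormBoundary7MA4YWxk--\r\n")


def parse_sample():
    """Parse the constructed sample request and return its parts."""
    boundary = multipart_boundary(CONTENT_TYPE)
    if boundary is None:
        raise ValueError("not a usable multipart/form-data request")
    return split_multipart(BODY, boundary)


if __name__ == "__main__":
    for headers, payload in parse_sample():
        print(headers, payload)
```

A request whose boundary contains a character outside the RFC set (for example "@" or a control byte) gets None from multipart_boundary and can be logged and blocked as genuinely malformed, while an unexpected charset parameter is passed through.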
The NetScaler ADC might fail if a transaction is aborted before the application firewall completes processing the request. If a response contains href links that include query parameters, the NetScaler application firewall triggers false positives for CSRF and form field consistency violations if these links are accessed. When an HTTPS virtual server is processing the traffic, the violation logs that the application firewall generates for a blocked malformed request might show the wrong IP address, and the transaction ID might be shown as zero.
If a user-created signature has an uppercase character in the name, the application firewall profile bound to the signature is not saved in the configuration during an upgrade from a release If a user creates a signature name with uppercase characters, release But in release As a result of the database mismatch, the command to add the application firewall profile fails during an upgrade to a release During operations that require a large amount of memory, the NetScaler application firewall might not be able to allocate memory for active transactions.
The NetScaler appliance might fail under such conditions. The NetScaler ADC might fail if a request attempts to access uninitialized variable for an application firewall protected resource. The NetScaler ADC might display an error message when you bind a classic application firewall policy to a load balancing virtual server or to the global bind point, because classic application firewall policies do not support the "gotopriorityexpression" and "invoke" properties.
With this fix, properties that are not supported for application firewall policies are no longer included in the bind command. The binding is now successful, and you can see the bound entities. The external syslog servers are not able to properly display the audit-log messages from the NetScaler application firewall, because the messages are longer than expected. With this fix, the messages are the correct length.
Enabling the NetScaler application firewall XML Format check might block the contents of a response when the user accesses an embedded link in some applications. The response might be truncated even when the XML format check is deployed in a non-block mode.
For some transactions, this check truncates the processed data. When a new node is added to cluster, the configuration might get pushed to the new node before the imported objects are synced. As a result, the profile configuration might be lost if the profile has signature or other import object bindings. With this fix, a file sync is triggered to pull all the files from the CCO node to all the new nodes of the cluster before the configuration commands are pushed to new node.
Configuration changes in the action settings of the Content Type security check in the application firewall profile are not saved accurately.
Changes made by using the configuration utility are not reflected in the command line interface, and vice versa.
With this fix, changes made through any user interface are saved and displayed accurately in both the configuration utility and the command line. If a server sends a large value for the viewstate attribute in its HTML response, this value might get truncated during application firewall processing and display an error: The naming convention for application firewall import objects has changed from If a user creates a signature name with uppercase or mixed case characters, release As a result of the database mismatch, these signatures become unusable after the With this fix, the configuration is migrated accurately during the upgrade.
The response for an XML GET request might be truncated if, in addition to any of the XML checks, the creditcard or safeobject checks are enabled for the application firewall profile.
The Skip operation for the application firewall learned rules might take longer than expected. When the cookie consistency check is deployed in proxying mode, the application firewall does not expire cookies as expected.
This occurs when the server sends the Set-Cookie header without domain information. Protected resources are then accessible through reuse of these cookies after the session has expired.
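As an added example (not the page's or Citrix's code), the following Python shows the two halves of a cookie consistency check like the one described: recording the cookies a protected server issues during a session so that cookies the client did not receive from the server, or modified, can be flagged; and expiring the tracked cookies at session end. The expiry half illustrates the failure mode above: a Set-Cookie without a Domain attribute creates a host-only cookie, and the expiring Set-Cookie must also omit Domain (and reuse the same Path), otherwise the browser treats it as a different cookie and keeps the original. Session identifiers and cookie values are constructed sample data.

```python
EPOCH_GMT = "Thu, 01 Jan 1970 00:00:00 GMT"


def parse_set_cookie(header):
    """'name=value; Path=/; Domain=x; HttpOnly' -> (name, value, {attr_lower: value})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for p in pieces[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (insertion order preserved)."""
    out = {}
    for p in header.split(";"):
        p = p.strip()
        if p:
            k, _, v = p.partition("=")
            out[k.strip()] = v
    return out


class CookieConsistencyCheck:
    """Tracks the cookies a protected server issued in each session and flags
    cookies presented by the client that the server never set or that differ
    from the issued value."""

    def __init__(self):
        self.sessions = {}          # session_id -> {cookie name: (value, attrs)}

    def on_response(self, session_id, set_cookie_headers):
        issued = self.sessions.setdefault(session_id, {})
        for h in set_cookie_headers:
            name, value, attrs = parse_set_cookie(h)
            issued[name] = (value, attrs)

    def check_request(self, session_id, cookie_header):
        """Return [(cookie name, reason)] for every inconsistent cookie."""
        issued = self.sessions.get(session_id, {})
        violations = []
        for name, value in parse_cookie_header(cookie_header).items():
            if name not in issued:
                violations.append((name, "not issued by server"))
            elif issued[name][0] != value:
                violations.append((name, "value modified"))
        return violations

    def expire_cookies(self, session_id):
        """Set-Cookie headers that clear every tracked cookie and drop the
        session. Domain is emitted only if the server set one: a cookie issued
        without Domain is host-only and can only be cleared by a host-only
        Set-Cookie with the same name and Path."""
        headers = []
        for name, (_, attrs) in self.sessions.get(session_id, {}).items():
            h = f"{name}=; Max-Age=0; Expires={EPOCH_GMT}; Path={attrs.get('path', '/')}"
            if "domain" in attrs:
                h += f"; Domain={attrs['domain']}"
            headers.append(h)
        self.sessions.pop(session_id, None)
        return headers


if __name__ == "__main__":
    check = CookieConsistencyCheck()
    # Constructed server response: one host-only cookie, one with an explicit Domain.
    check.on_response("s1", ["sid=abc123; Path=/; HttpOnly",
                             "pref=dark; Domain=app.example.test; Path=/"])
    print(check.check_request("s1", "sid=abc123; pref=dark"))   # []
    print(check.check_request("s1", "sid=zzz; evil=1"))          # two violations
    print(check.expire_cookies("s1"))
```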
In the configuration utility GUI , selecting the "Remove All Learned Data" action in the application firewall Learned Rules section might not remove the learned data for some of the security checks for the profile. A 64 bit memory leak in the application firewall module might lead to cache misses. The memory leak occurs when the cache is turned on and any of the advanced application firewall security checks are enabled.
The application firewall memory leak is now fixed, and the fix resolves the interoperability issue with the cache module. In After upgrading a 9. If a large number of long standing sessions expire and are freed during application firewall processing, a tight-loop condition might occur, causing the NetScaler appliance to fail.
In the RDX graphical user interface (GUI), the deploy or skip operation might not work for application-firewall recommended learned rules that contain non-printable characters. While binding a signature to an application firewall profile, the NetScaler appliance might fail when it is under memory pressure. When any form protection check is enabled and the default request content-type parameter of the application firewall profile is not configured, an incoming request without a Content-Type header is treated as a form, even if it is not one.
The Transfer-Encoding header is deleted and a Content-Length header is added, but the request body is forwarded to the server still chunk-encoded. The server is unable to process the chunked data and treats the request as a bad request. The command to import an application firewall profile does not work when the NetScaler appliance is deployed in a high availability setup.
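The defect above is a framing mismatch: the headers promise a fixed-length body while the bytes on the wire are still chunk-encoded. Any proxy that rewrites Transfer-Encoding to Content-Length must actually decode the chunks, and must drop any Content-Length that arrived alongside Transfer-Encoding so that the two framing mechanisms never disagree (the disagreement that request smuggling exploits). The following Python is an added example of a correct rewrite, not code from the page or from Citrix; the sample request is constructed inline.

```python
HEX_DIGITS = b"0123456789abcdefABCDEF"


def _split_request(raw):
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def decode_chunked(body):
    """Decode a chunked body. Returns (decoded_bytes, bytes_consumed).
    Malformed sizes or missing CRLFs raise instead of being guessed around."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError("bad chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("unterminated trailer section")
                line = body[pos:eol]
                pos = eol + 2
                if not line:
                    return bytes(out), pos
        if pos + size + 2 > len(body) or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def is_malformed_chunked(body):
    """True if decode_chunked rejects the body."""
    try:
        decode_chunked(body)
    except ValueError:
        return True
    return False


def dechunk_request(raw):
    """Rewrite a chunked request into a Content-Length framed one. Requests
    without Transfer-Encoding are returned unchanged."""
    request_line, headers, body = _split_request(raw)
    te = [h for h in headers if h.lower().startswith(b"transfer-encoding:")]
    if not te:
        return raw
    # RFC 7230: chunked must be the final transfer coding applied to a request
    if not te[-1].split(b":", 1)[1].strip().lower().endswith(b"chunked"):
        raise ValueError("unsupported transfer-encoding")
    decoded, _ = decode_chunked(body)
    # Remove Transfer-Encoding AND any Content-Length that came with it.
    kept = [h for h in headers
            if not h.lower().startswith((b"transfer-encoding:", b"content-length:"))]
    kept.append(b"Content-Length: " + str(len(decoded)).encode("ascii"))
    return b"\r\n".join([request_line] + kept) + b"\r\n\r\n" + decoded


# Constructed sample: a chunked POST to a fictitious host.
RAW = (b"POST /upload HTTP/1.1\r\nHost: app.example.test\r\n"
       b"Transfer-Encoding: chunked\r\n\r\n"
       b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(dechunk_request(RAW).decode())
```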
When the application firewall signature has upper case or mixed case characters in the name, the configured profile bindings for such a signature are not displayed in the signatures pane in the configuration utility. During application firewall processing, if the length of the pattern in the signature rule is longer than the payload text string currently being searched for a pattern match, the NetScaler appliance might fail.
With this fix, application firewall skips such a rule and moves on to process the next signature rule. The Citrix application firewall silently resets the connection when it receives a malformed or invalid request. With this fix, the application firewall logs such events. The following example shows a relaxation rule with two groups, nstimmy.
Citrix allows users to buy XenDesktop in different editions, as given in the following list: In this book, when we refer to XenDesktop 7, we mean the Platinum Edition, which exposes the full functionality of the platform. Getting ready: the associated version of the license server for XenDesktop 7 is Version System requirements for the latest version of the License Server are as follows: In this section, we perform the operations required to install and configure the Citrix license server on the Windows Server operating system platform: Accept the Citrix License Agreement and click on the Next button.
Select a destination folder path for the program (we selected the default): Then, click on the Install button. Click on the Finish button when the license server is successfully installed. Then, click on the OK button. You can leave the default ports for these three options, or change them.
In any case, the ports you decide to use must be opened on the Windows Server's own firewall. To generate the license file that will be imported into our license server, open a web browser on your client machine, connect to www. and go to Activate and Allocate Licenses. Click on Allocate licenses, then generate the license file by clicking on the Allocate button. You will now be able to save the file. When prompted for the location, select the path from which the license manager will read the file with the. extension.
The XenDesktop license server is case sensitive. Be careful when you insert the server FQDN: you must match all uppercase and lowercase characters exactly. You will then see the summary dashboard.
Click on the Administration button and insert the administrative credentials for your machine domain or local admin account. After a quick look in the Summary tab, click on the User Configuration button on the left-hand side menu. Add a new user account to differentiate from the standard administrative machine credentials.
After these operations, click on Save. Now it's time to configure the alerts. Depending on your needs, you can set up the critical and important alerts. It's preferable to leave them at their default settings, and click on Save to store the options.
You should take care of the following licensing alerts: Out of activatable licenses, Out of concurrent licenses, and Concurrent license expired. In the Server Configuration menu, configure the port for the web server (default is ) and the session timeout period (default is 30 minutes, but you should reduce this value so that inactive sessions do not lock unused resources).
For security reasons, it's good practice to enable the SSL port and, if possible, use your own certificate for strong authentication, as shown in the next screenshot. The port range available for the License Server is from to ; the default port is The most important part is at the end: Vendor Daemon Configuration.
After the license file has been generated, click on Import License, browse to the file location, and upload it by clicking on the Import License button. If everything is OK, you'll receive a confirmation message that the file was loaded successfully. Click on Vendor Daemon (in our case, the default daemon is called Citrix) and click on Reread license file to make sure that everything's correct.
Never manually edit the license file! If the vendor daemon configuration returns an error, you probably have to reallocate the licenses and regenerate the files, but don't correct them with a text editor. When you generate a license file, it is tied to the license server's FQDN. This means that if you need to reinstall the server or change its name, you must reallocate the license currently assigned and reassign it to the new server, always referring to its FQDN.
The license file must be regenerated and reimported, as seen previously. If you use XenDesktop for test purposes, or in the case of a License Server failure, Citrix gives you a grace period of 30 days. It's also possible to install the License Server from the command line by using the Windows command msiexec with the following parameters: This is the installation option.
This is for a silent installation. This specifies the path of the installation folder (if not specified, the default on a bit system is C: ). The License Server listens on this port for connections (default is ). This is the administrative password for the admin user on the licensing console. In the presence of an Active Directory, you have to use the administrative domain credentials.
This is the port of the vendor daemon component (default is ). This is the administrative license console port (default is ). Getting ready: in order to install all the necessary components, you need domain administrative credentials on the server machine(s) on which you are going to implement your infrastructure.
The following are the steps by which we will perform the installation of the core components of the XenDesktop platform, including the Desktop Delivery Controller: Then, launch the XenDesktop installation by clicking on the Start button in the welcome screen, as shown in the following screenshot: In the installation menu screen, click on the Get Started section button to proceed with the setup procedure.
After the setup initialization, accept the licensing agreement, then click on the Next button. At this point, select the components that we need to install Delivery Controller, Studio, and Director.
It's also possible to change the installation folder by clicking on the Change button on the top-right of the screen. If the path is correct, click on the Next button to proceed with the installation.
Don't check both the License Server and StoreFront options. The first has already been installed on a separate server, and the second will be explained and configured in the next recipe.
Click on Next to proceed. After this, click on Next to continue. You'll be presented with the Summary window. If you agree with the summary details, click on the Install button to proceed. At the end of installation, leave the Launch Studio checkbox checked in order to verify the correct execution of the installed platform: XenDesktop 7 can be considered the most complete and advanced version of this software. In fact, it combines the consolidated XenDesktop 5.
Users access their resources by using the Citrix Receiver that is installed on the device from which they have established the connection.
The Receiver points to the configured store within the StoreFront platform, which can be considered a stronger evolution of the Citrix Web Interface, an infrastructure component that has been deprecated in this release.
The delivery of all the resources is managed by the Delivery Controller component, also known as the Broker, which regulates the association between users and their resources. Once this task has been accomplished, the broker stops its intermediary activity, and direct communication is established between the user's physical workstation and the requested desktop or application. With the release of the Citrix XenDesktop 7 platform, the software activation procedure can use a Microsoft KMS server to activate the operating systems and the Microsoft Office suites installed on the virtual desktops.
This permits better management of licensing, especially for environments configured in a nonpersistent way: every deployed desktop requests activation individually, allowing the Microsoft KMS server to identify each instance as a separate object. This historical component (the Web Interface) has now been replaced by the StoreFront platform, which with the 2.
In this recipe we will discuss how to install and configure it, to allow users to access their published resources. The following ports need to be opened on the firewalls within your network: Be sure that you are installing the software on a domain-joined machine within the same forest as the XenDesktop components that were installed earlier, and check that the Windows Firewall is up and running.
Otherwise, StoreFront won't function. The Windows Firewall requirement is a StoreFront 2. This has been fixed in StoreFront Version 2. The steps required to install and configure StoreFront 2. After downloading the software from your personal Citrix account, run the CitrixStoreFront-x In the case of a Windows R2 environment, you will be prompted to install the .NET 3. After all the required components have been installed, click on the Install button on the Ready to Install screen to proceed.
After the installation is completed, click on Finish to automatically start the StoreFront administration console. After the console has been opened, click on the Create a new deployment button in the StoreFront main menu.
Then, click on Next and wait till the end of the deployment. In the Store Name field inside the Store Name category, enter a name for the store you are going to create. Then, click on Next. In the Add Delivery Controller menu, perform the following configuration steps: Then click on Next to continue with the procedure. In this case, you can select the None option. We will configure the secure gateway later in this book.
To complete the configuration process, click on the Create button. At the end of the store creation, click on Finish. To check the configuration of your StoreFront platform, type the configured address in a compatible browser, in the form of https: Before using the web platform, you have to install the Citrix Receiver on the machine from which you want to use the web store.
In the left-side menu, click on the Server Group link. In this section, you will have the option to add a server to the configured StoreFront infrastructure Add server link on the right-hand side menu.
Click on the Authentication link in the left-hand side menu, and configure the following options: Select the authentication methods you want to configure for the login on your infrastructure. To satisfy the general security practices, you can regenerate the security keys before their expiration date by clicking on the Generate Keys button. With this option, it is possible to restrict the domains from which users can perform the login phase. Click on the OK button to complete the configuration.
This section permits users to change their password based on the configured option. Click on the Stores link in the left-hand side menu, and configure the following options: This option permits you to create a new store in the StoreFront infrastructure. This section permits you to export all the configured stores to a store configuration file to be used by end-user devices on which you have installed the Citrix Receiver.
The file will be saved with the. This option is used to configure the external remote access by using a NetScaler Gateway appliance. Using this option, you can decide the way you want to manage the Citrix Receiver updates, that is, by using the Citrix Citrix.
This option permits you to include the three main Citrix online applications in your configured store. This option is similar to the multi-store export we saw earlier, with the difference that it applies only to the current store. This option activates backward-compatible access for old Citrix clients.
As previously seen, this option permits the regeneration of security access keys before their natural expiration date. With this option, customers have the ability to remove configured stores.
Click on the Receiver for Web link in the left-hand side menu, and configure the following options: In this section, it's possible to add one or more websites to the StoreFront configured platform.
This interesting option permits you to add a StoreFront shortcut to specified websites to provide a quicker access to your published resources. By clicking on this link, you can change the store to which the configured Web Receiver is assigned. In this section, you can choose how to deploy the Citrix Receiver to end users. This option must be used only if you want to remove a configured Receiver Website.
It's in the form of a catalog, which is able to deploy resources like desktops and applications from heterogeneous Citrix software (XenDesktop, XenApp, XenMobile, and so on). StoreFront offers the same login methods used by the Web Interface. Customers can access their content by using simple authentication, smart card, or smart card pass-through.
In addition, it's also possible to access the Citrix farm with pass-through from the NetScaler Gateway. The great step forward in this platform is its new features, which are as follows: Now, it can use its local repository for user subscriptions. When using the Citrix Receiver to access your StoreFront server, you can use a configured e-mail address to directly access your store.
This is the e-mail-based account discovery feature. Also, in Multi-Store mode, this means that it's possible to export and configure on a client device all the available stores configured in the infrastructure. StoreFront is a more flexible platform than its predecessor.
Also, in the case of the StoreFront installation, users can perform this task using the command line. You have to execute, from a command prompt, the same executable file used for the graphical installation (CitrixStoreFront-x ), followed by one or more of these options: This option executes all the required steps silently.
This option specifies the destination folder on which StoreFront 2. This option will make the Citrix Receiver installation files for Windows available on the StoreFront server.
This option will make the Citrix Receiver installation files for Mac available on the StoreFront server. In this recipe, we will explain step-by-step how to install and configure the Provisioning Services 7 platform. Citrix Provisioning Services 7. Getting ready The Provisioning Services 7 platform can be implemented on the following platforms: Operating Systems: In this recipe, we are going to execute all the steps required to install and configure the Citrix Provisioning Services platform.
It's necessary to install. Run Autorun. From the Provisioning Services installation screen, select Server installation, and then click on Install Server. In the missing prerequisites screen, click on Install to add all the pending components to the system. In the welcome screen, click on Next to proceed. Accept the Citrix License Agreement, and click on the Next button. Insert valid User Name and Organization values, choose whether you want to install the application for Anyone who uses this computer (all users) or Only for me (Windows User), and then click on Next.
In the Destination Folder screen, accept the proposed installation path default path is C: After completion, click on the Next button to proceed. In the Ready to Install the program screen, click on the Install button to start the installation process.
After completion, click on the Finish button, and then proceed with the configuration operations. In the welcome screen, click on the Next button to proceed. You should always separate components for better performance and roles isolation. In the Farm Configuration section, select the Create farm radio button, and then click on the Next button.
To better convey the differences between the MCS and PVS architectures, we'll always use two different farms to accomplish tasks for both architectures. In the Database Server section, populate all the required fields to give the PVS server the ability to connect to the database server.
After completion, click on Next. Separating roles ensures separation, isolation, better load balancing, and security. In the New Farm screen, populate all the required fields, then choose the configured Active Directory groups for security radio button. After completion, click on the Next button. In the New Store screen, assign a name to the store, select a Default path, and click on the Next button to continue with the installation process. Then, click on Next to proceed.
To validate your License Server with the PVS 7 platform, flag the Validate license server version and communication option. In the User account screen, specify a valid account for the Stream and Soap Services. You can choose between the Network service account or Specified user account. After configuration, click on the Next button. In the Active Directory Computer Account Password screen, you can automate the computer account password updates by enabling this option and configuring the interval in days after which the passwords will be updated.
The Network Communications screen allows you to configure the network components in the PVS console component, in terms of streaming NICs and communication ports.
After completing this, click on Next to continue. Click on the Next button to continue. In the Stream Servers Boot List, users can configure up to four boot servers, specifying their network configurations. By clicking on the Advanced After completion, click on the OK button; and then, click on Next to continue.
Consider this a PVS debug mode. At the end of this procedure, flag the Automatically Start Services option and click on the Finish button.
Then, click on Done after all the configurations have been completed. Remember that active Windows Firewall might be a problem for your installation process.
You have to open the required ports, or turn it off. On the Installation media menu, select the Console Installation link. Click on the Next button on the welcome screen to proceed with the console installation. In the Customer Information section, populate the User Name and Organization fields with valid data, specifying whether the installation is for all of the machine's users (Anyone who uses this computer) or only for the current user (Only for me).
After this choice, click on the Next button. Select a valid path in the Destination Folder screen, and click on Next to continue the installation. To change the default path C: In the Setup Type screen, select the Custom option and click on the Next button.
In the Custom Setup screen, select all the proposed components, maintain the previously chosen path, and click on Next. In the Ready to Install the Program screen, click on Install to complete the setup procedure. At the end of this setup, click on the Finish button. The Provisioning Services Console will be executed. Right-click on this link in the left-hand side menu and select the Connect to Farm option.
In the Connect to Farm screen, populate all the fields with the correct values and specify a valid domain username.
After this, click on the Connect button. After verifying the connection parameters, you will be able to use the PVS 7 platform. PVS is one of the two deployable architecture types for desktop and application deployments. Provisioning Services 7 is the latest release of the software used to implement this kind of architecture. The structure is quite simple.
A server component, which is managed by a PVS console, delivers operating system images to the end users. This process permits very high network performance, dramatically reducing the impact on storage activities.
In fact, even if it starts with only 20 MB of data, its size grows by 10 MB. This means that in the case of hundreds or thousands of objects, the database size could become higher than your expectations.
Provisioning Services uses Kerberos authentication to allow its components to communicate with each other, registers the components in Active Directory through a Service Principal Name (SPN), and permits the Domain Controller to identify the accounts that manage the running services.
In the case of registration problems, your PVS service could fail. To avoid this situation, you have to use the setspn command in order to give the right permissions to the account that manages the earlier described services (such as the PVS Soap Service) by applying the following syntax: After this, the second, and maybe the most important, step is deploying virtual desktop instances.
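The SPN registration just described, as an added example that is not the book's own syntax: it queries the forest for the SPN first, because a duplicate SPN on two accounts is the usual reason Kerberos authentication to the PVS services fails, and only then registers it. The service class, hostname, and account name are placeholders.

```powershell
# Added example, not the book's own syntax: check for and register the SPN that lets
# the PVS Soap Service authenticate with Kerberos. All names below are placeholders.
$ServiceClass = 'PVSSoap'               # placeholder: use the class your PVS version registers
$HostName     = 'pvs01.corp.example'    # placeholder FQDN of the PVS server
$Account      = 'CORP\svc-pvs'          # placeholder account running the Stream and Soap Services
$spn          = "$ServiceClass/$HostName"

# setspn -Q searches the whole forest for this SPN. Two accounts holding the same SPN
# is the classic cause of Kerberos failures, so look before adding anything.
$query = & setspn -Q $spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Host "SPN $spn is already registered:"
    $query | ForEach-Object { Write-Host "  $_" }
} else {
    # -S refuses to add a duplicate anywhere in the forest (unlike the older -A switch).
    & setspn -S $spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $spn on $Account" }
}

# Final review: every SPN currently held by the service account.
& setspn -L $Account
```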
To accomplish this task, you need to interface Citrix servers with a hypervisor, a bare-metal operating system, which is able to create, configure, and manage virtual machines. XenDesktop is able to communicate with three important hypervisor systems on the market: The After you've created a template of a virtual machine with a Microsoft desktop or server operating system on board, XenDesktop is able to deploy OS instances to the end users, starting from the virtual machine image, through the use of different deployment techniques.
At the end of a desktop session, the Delivery Controller will send a request to the hypervisor to restart or shut down the virtual desktop instance. In this chapter, we're going to implement the communication between hypervisors and Citrix servers.
Getting ready In order to complete all the required steps for this recipe and perform a standard Site Deploy, you need to be assigned the administrator role for all the machines involved in the Site configuration (Delivery Controller and the database server). In the following steps, we will describe how to create a site for a XenDesktop 7 infrastructure: Create a Site option to start the XenDesktop Site creation.
In the Introduction section, click on the second radio button option to create an empty site; assign a name to it by populating the Name your Site field, and click on Next to continue. Then assign a name to the site database, and click on the Test connection button to check that you are able to contact the database machine.
When prompted for the automatic database creation, click on the OK button to let Studio create the database. As an alternative, if you want, you can create the Citrix database manually by clicking on the Generate database script button; you'll get back a set of instructions in the form of two.
After the database configuration, in the Licensing section enter your license server name and the port number, in the form of hostname: If you already have a configured license file, click on the Use an existing license radio button; otherwise, you will have to click on the Use the free day trial option, inserting a correct license file later.
At the end of these configurations, click on Next. You can verify the validity of your License Server certificate by clicking on the View Certificate link—Connected to trusted server area.
In the Summary screen, after you have verified all the configured options, click on the Finish button to complete the procedure. After the configuration has been completed, in the Citrix Studio main menu, you will find information about the created Site. If you want, you can check your current implementation by clicking on the Test Site button.
Configuring a site lets you assemble together all the components previously configured; the main operations to complete during the generic Site configuration procedure are: This task can be accomplished in two ways: If you want, at the end of the procedure, you can check the validity of your configuration by using the Test Site button in the Studio Host main menu section.
In case you decide to use a database port other than the default SQL Server port value, you will have to insert the connection string in the following form: The XenServer 6. Getting ready The preliminary work required to perform all the operations of this recipe is to install one or more XenServer hosts. XenServer is a bare-metal hypervisor, a kind of virtualizer that directly manages the hardware; for this reason, you have to install it as a normal operating system (you need no other operating system installed on the server).
Please refer to the following Citrix document to install the XenServer hypervisor: In this section, we will perform the operations required to configure XenDesktop to use the Citrix XenServer hypervisor: On the left-hand side menu, expand the Configuration section, and select the Hosting link. Then click on the Add Connection and Resources link on the right-hand side menu.
In the Create Virtual machine using: In the Host section on the Resources screen, choose a configured network (depending on your XenServer host configuration, you could have one or more available networks on which you are assigning the generated virtual desktop instances), and then click on the Next button.
In the Storage section, flag the available storage on which to create virtual machines, and select the desired radio button for the personal vDisk location (Use same storage for virtual machines and personal vDisk). To continue, click on the Next button. Separating the storage for the Personal vDisk improves overall performance and makes the backup procedure for the user data disk easier.
Separating these areas could make it easier to locate user disk zones, especially for backup operations or troubleshooting activities. In the Summary screen, after you've verified all the information, assign a name to the XenServer connection in the space provided for the Resource Name field, and click on Finish to complete the procedure. In the main menu of the Hosting section, we can now find the configured connection to the XenServer host. If necessary, there is the possibility of changing the connection parameters by selecting the Edit Connection link on the right-hand side menu.
In the Connection Properties section, we can modify the credentials to access the XenServer host (Host address, username, and password fields) by clicking on the Edit settings Upon selecting the Advanced section, administrators get the capability to configure the following options: Maximum active actions, Maximum new actions per minute, Maximum power actions as percentage of desktops, and Maximum Personal vDisk power action as percentage. On finishing, click on OK to complete the configuration.
To perform any modification activity on the host and the connection, you must put them in Maintenance mode. XenServer is the hypervisor included in the Citrix Virtualization platform; starting from this discussed version 6. The way in which XenDesktop interfaces with XenServer is simpler than that of the other hypervisors: One of the advantages of using this hypervisor is the capability to use the XenServer information caching feature also known as IntelliCache.
The IntelliCache technique drastically reduces the read and write activities of your storage. The XenServer IntelliCache feature has to be enabled during the installation procedure of this hypervisor. In the presence of tens of hundreds of virtual machines, the XenServer hypervisor could have performance issues in terms of a lack of physical resources for Dom0, the most privileged domain in a XenServer installation, which is the only domain that is able to directly interface with the hardware or, for instance, start non-privileged domains.
To solve this problem, it may be necessary to assign more physical resources to Dom0. The default memory value assigned to Dom0 is megabytes.
To apply the memory changes, you have to restart the XenServer node. After the reboot operations, run the following commands from the XenServer CLI in order to let XenServer understand how to use all the newly assigned memory: VMware is currently the virtualization solution that best lets you manage resource overcommitment and assignment for your virtual environments. You have to execute the following procedures in order to activate the communication between the XenDesktop Controller machine and the VMware vSphere infrastructure: Launch your chosen web browser, and insert the hostname of the Virtual Center server in the address bar using an HTTPS connection.
When warned about a security risk, accept and continue with the site navigation. On the certificate status bar, click on the Status error, and select the View certificates link (the VMware Virtual Center certificate is currently untrusted for XenDesktop).
After the certificate presentation, click on the Install Certificate… button to proceed. Be sure that the hostname associated with the certificate matches the name assigned to the Virtual Center server.
In the case of a mismatch, XenDesktop won't be able to connect to VMware. To avoid this, you could consider adding a record to the local hosts file of the XenDesktop server to match the IP address with the hostname in the certificate. In the Certificate Store section, select the Place all certificates in the following store option, and then click on the Browse button to specify the location in which you are installing the certificate.
Enable the Show physical stores option by flagging it, and then select the Trusted People Registry subsection. After you are done, click on the OK button, and then click on Next to continue. To complete the certificate import activities, click on Finish. To verify that the certificate import was successful, you must reconnect to the SSL Virtual Center address https: If you receive no more prompts about insecure connections (as previously seen), the import has been successfully completed.
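The hostname check and the Trusted People import from the steps above, done from PowerShell on the Delivery Controller, as an added example that is not from the book: it pulls the certificate the Virtual Center presents, compares its subject CN and DNS SANs with the hostname XenDesktop will use, and imports it only if they match. The hostname is a placeholder.

```powershell
# Added example (not from the book): validate the Virtual Center certificate's names before
# trusting it, then import it into LocalMachine\Trusted People. The hostname is a placeholder.
$vcHost = 'vcenter.corp.example'   # must be the exact name XenDesktop will use for the connection
$port   = 443

$tcp = New-Object System.Net.Sockets.TcpClient($vcHost, $port)
# Accept any chain here so we can inspect the leaf ourselves; nothing is trusted yet.
$cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($vcHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# Names the certificate is valid for: subject CN plus any DNS entries in the SAN extension.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += ($san.Format($false) -split ',\s*' | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1] }
    })
}
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Valid for : $($names -join ', ') (expires $($cert.NotAfter))"

# A name mismatch is exactly the case in which XenDesktop refuses the connection; fix DNS
# (or the hosts file, as the recipe suggests) instead of importing a certificate that won't match.
if ($names -notcontains $vcHost) { throw "Certificate does not cover '$vcHost'" }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired' }

# Import only this leaf certificate, only into Trusted People, only on the Delivery Controller.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Write-Host "Imported $($cert.Thumbprint) into LocalMachine\TrustedPeople"
```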
Connect to the Citrix Studio console; expand the Configuration section in the left-hand side menu; select the Hosting link; and click on the Add Connection and Resources link on the right-hand side menu. The specified username and password for the connection must be valid domain credentials with elevated privileges within the Virtual Center. Please refer to the following Citrix document to configure the right user permissions: On the Cluster screen, click on the Browse button to select a vSphere Cluster on which to deploy virtual machines.
After this operation, select a Network from the presented list on which you are deploying the virtual machine instances. Click on Next to continue with the wizard. In the Storage section, select the storage (a VMware datastore, either local or shared) for your virtual machines' system disks, and then decide whether to select a separate datastore for personal vDisks (recommended).
In the Summary screen, after checking all the listed configured options, assign a name to the VMware connection, and click on the Finish button. The second is obviously more secure, and this communication is also advised by Citrix. For these components, VMware best practices say that you should create your own certificate from a personal certification authority. Anyway, communication could be established by using and importing the default self-signed VMware certificate. The use of VMware Virtual Center is not only necessary, it is also a way to implement an architecture that is centrally managed and tuned by a controlling platform, such as the VMware vSphere Virtual Center platform.
The use of VMware vSphere as a hypervisor platform gives you the ability to reserve a set of particular resources to the deployed machine instances.
You should apply these parameters to the Master Image template, replicating in this way the configurations to the deployed desktops. In the case of equal access priority to the hypervisor resources, you can use another parameter that permits giving to the XenDesktop deployed instances higher priority in the resource queue.
A higher number means higher priority access to the resources. Respecting this partnership, it's possible to deploy virtual desktops for Citrix with Hyper-V, the Microsoft hypervisor.
Getting ready To be able to use virtual machines with Windows Server, first of all we need to install and configure the hypervisor server role.
In this section we will configure the Microsoft Hyper-V 3. On a clean Windows Server installation, with no other roles installed, on the Server Manager dashboard, click on the Add roles and features link.
After clicking on Next on the Before You Begin section, select the Role-based or feature-based installation option, and then click on the Next button. In the Server Selection screen, choose the Select a server from the server pool option; highlight the server name on which you're currently installing the Hyper-V role; and click on the Next button.
Select the Hyper-V role in the Server Roles section, and when prompted to install the additional features, click on the Add Features button to accept.
After this, click on the Next button three times to continue. In the Virtual Switches section, select a network card to be used by Hyper-V to create the virtual switch for the virtual machine connections, and then click on the Next button. Kerberos is a more secure authentication method. On the other hand, it could be harder to implement than the CredSSP configuration.
If your Hyper-V server is to be a part of a Microsoft clustered environment, you don't have to enable the live migration option. This will be performed after the cluster configuration. In the Default Stores section, select available paths on which to allocate the virtual machine disks, and the virtual machine configuration files.
If the information in the Confirmation section is correct, flag the Restart the destination server automatically if required option, and click on Install to complete the role installation. On the main screen, click on the Install link in the Virtual Machine Manager section. The VMM Console component will be automatically selected as shown in the following screenshot: You can also insert your license number after the installation procedure.
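The Hyper-V role preparation from the steps above, done with the ServerManager and Hyper-V PowerShell modules on a standalone (non-clustered) host, as an added example that is not from the book. It covers the role installation, the external virtual switch, the default stores, and live migration authenticated with Kerberos rather than CredSSP; the NIC name and the paths are assumptions.

```powershell
# Added example (not from the book): Hyper-V role preparation from PowerShell on a
# standalone (non-clustered) Windows Server host. NIC name and paths are placeholders.
Import-Module ServerManager
$result = Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
if (-not $result.Success) { throw 'Hyper-V role installation failed' }
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Reboot the host, then run this script again for the remaining steps.'
    return
}

Import-Module Hyper-V
# External switch on the NIC reserved for VM traffic; management traffic stays on another NIC.
if (-not (Get-VMSwitch -Name 'VM-External' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'VM-External' -NetAdapterName 'Ethernet 2' -AllowManagementOS $false | Out-Null
}

# Default stores on a dedicated volume, as in the Default Stores wizard page.
Set-VMHost -VirtualHardDiskPath 'D:\Hyper-V\Disks' -VirtualMachinePath 'D:\Hyper-V\Config'

# Live migration authenticated with Kerberos instead of CredSSP: administrators no longer
# need an interactive session on the source host, but the host computer accounts need
# constrained delegation (cifs and Microsoft Virtual System Migration Service) in AD.
Enable-VMMigration
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

Get-VMHost | Select-Object Name, VirtualMachineMigrationEnabled, VirtualMachineMigrationAuthenticationType
```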
Accept the License agreement (flag I've read, understood and agree with the terms of license agreement), and click on Next. Check the appropriate radio button depending on whether you want to participate in the Microsoft collaboration program or not, and click on Next to continue.
In the Microsoft Update section, select the desired radio button (On (recommended) or Off), and then click on Next to continue. Select the Installation location by typing it in the Location field, and proceed by clicking on Next.
After passing the prerequisites check, you must specify the database location (Server name and Port), Windows administrative credentials (check the Use the following credentials checkbox), Instance name, and Database name, choosing between New database creation or Existing database utilization.
Select whether you are using a Local system account or a Domain account (service type), and decide if you want to save the encryption keys in Active Directory by flagging the specific option; in this case, you also have to specify on which Active Directory machine object you are archiving the keys.
To proceed, click on the Next button. When possible, always consider using Domain accounts in order to have a centralized profile instead of a local and replicated account. Configure the ports for server communication as done in the following screenshot, and then click on Next: On the next screen, you can choose to create a new VMM library (Create a new library share, including Share location and Share description), or use an existing one (Use an existing library share) by selecting the second radio button.
If the summary information is OK, click on the Install button to complete the procedure. Once the server components' installation has finished, you need to install the Management Console on all the Delivery Controller machines within your infrastructure.
Repeat the setup launch procedure seen for the server components, this time flagging only the VMM Console component. After accepting the License Agreement, click on Next to proceed; on the next screen, you'll be informed that you have automatically joined the Microsoft collaboration program. Click on the On radio button to activate updates, and then click on Next. Select the installation Location by populating the Location field as seen earlier, and click on Next.
Select a port on which to configure the console (Communication with the VMM management server, default port), and click on Next to proceed. If the information on the Installation summary is correct, click on Install to complete this procedure. After setup has been completed, click on Close and leave Open the VMM console when this wizard closes checked. At the logon screen, insert Server name and port in the form of hostname: You can choose Use current Microsoft Windows session identity or select Specify credentials.
Click on Connect to proceed with the login. Select a Hyper-V host location from one of the following, and click on Next: Insert the User name and Password (Use an existing Run As account or Manually enter the credentials checkbox) to run resource discovery for Hyper-V, and then click on Next. Specify a discovery scope (Specify Windows Server computers by names or Specify an Active Directory query to search for Windows Server computers) to reduce the range on which it performs the host searches.
After you've received the query results, flag the desired host(s), and proceed by clicking on Next. Select a Host group on which to attach the selected Hyper-V server; if you want, you can also check the option Reassociate this host with this VMM environment. After this, specify a location on which to store virtual machines, and click on Next to proceed.
If the configuration information is compliant with your environment parameters, click on Finish to complete the procedure. Select your Hyper-V configured resource from the list, assign it a name by populating the Enter a name for the Resources field, flag the desired network virtual switch from the list, and click on Next. In the App-V Publishing section, skip any configuration for the moment. We will discuss App-V later in this book. Click on Next to continue. Select the storage on which to archive the virtual machine; it's also possible to separate the VM's operating system storage from personal vDisk storage.
After completing this, click on Next. In this recipe, we have discussed how to install and configure the SP1 version, the release associated with the Windows Server edition. This is an interaction similar to that used for VMware vSphere. Now it's time to put aside this class of elements for a while and concentrate our activities on desktop client components.
End users will interact only with Windows desktop machines and not with the architectural components shown earlier. So, you have to be careful about the configuration process for virtual desktops in terms of building a desktop image, optimization, and tuning. Most of your activities on clients will be based on policy usage and optimization in order to obtain high-level user experience without compromising on agility, performance, and security.
Master Image Configuration and Tuning

Configuring and optimizing a desktop OS master image

The first important task will be the configuration and optimization of the Windows desktop operating systems that will be used as a master image in order to deploy the desktop instances.
The latest versions of the Microsoft operating systems offer a lot of graphical enhancements, useful to better appreciate their potential and usability. In a complex VDI architecture, we need to be careful about both of these aspects, as shown in the previous recipe.
Consider that this customization process can vary depending on the configured environment. Anyway, the steps implemented in this section can be generally applied without specific issues.
Getting ready This recipe involves only the Windows client machine. In order to be able to carry out all modifications to the services, the graphical appearance, and the system configuration, you need to use domain or local administrative credentials for Windows 7 and Windows 8 OS versions.
An installed virtual machine with a Windows 7 or Windows 8 operating system is required in order to apply the described settings.
The modification activities of the desktop optimization policies involve only the Windows client machine and the domain to which it has been joined. So, you will need domain administrative credentials in order to be able to modify the necessary policies and to force their application on the involved clients. The following are the optimization processes for Windows 7 and Windows 8. For the Windows 7 master image configuration, the process is as follows: Log in to your Windows 7 base image template with administrative credentials.
Click on Start and type the services. The Windows Services snap-in will be opened, as shown in the following screenshot: From the services list, search for this service: Background Intelligent Transfer Service. Right-click on the name of the service, and select Properties from the menu that comes up.
From the Startup type drop-down list, select Disabled as the default state, as shown in the following screenshot. Click on Stop if the service is running, and then click on OK to exit from this area: Repeat steps 4 and 5 to disable the following services: Click on Start and run the cmd command to open a prompt shell. Then, run the following command—required to disable Windows' animation at boot time—in order to achieve faster machine startup: Navigate to Start Control Panel and click on the System icon.
Then, select Advanced system settings from the left-hand side menu. Select the Advanced tab and click on the Settings button in the Performance area. Select the Advanced tab and click on Change in the Virtual memory area, as shown in the following screenshot: Uncheck the Automatically manage paging file size for all drives option. Then, select the Custom size radio button and enter the same value in both textboxes. After entering the values, click on Set and then on OK, as shown in the following screenshot: It's common to assign a value twice that of the machine memory to the swap memory area (for example, for 1 GB of RAM you'd assign a 2 GB swap size).
After the amount of swap has been modified, you need to restart your machine for the changes to come into effect. For the Windows 8 master image configuration, the process is as follows: Log in to your Windows 8 master image with administrative credentials. Then click on OK, as shown in the following screenshot: In the Windows Services snap-in, search for and disable the following services: At the shell prompt, run the commands indicated in the following lines; these will be used to customize the Windows 8 boot experience, in order to disable the Windows 8 boot screen, the Windows 8 boot logo, and the Windows 8 boot messages, respectively: To apply the boot configuration changes, you have to restart your Windows 8 machine.
Then click on the Advanced system settings link on the right-hand side of the System screen. On the System Properties screen, click on the Settings button; in the Performance subsection, click on the Advanced tab, as shown in the following screenshot: On the Performance Options screen, select the Advanced tab and click on the Change button in the Virtual Memory subsection.
As seen earlier for Windows 7, we have to set the minimum and maximum swap sizes to the same fixed value here as well.
To do this, uncheck the Automatically manage paging file size for all drives option, select the Custom size radio button, and enter the desired swap value (Initial size and Maximum size). After that, click on Set as shown in the following screenshot, and then on the OK button: In order to apply the modified swap parameters, you need to reboot the master image.
Even though we have discussed the Windows 7 configuration, we will only generate catalogs with the Windows 8 version of the operating system in this book. To reduce the extra time usually needed by Windows 7 and Windows 8 machines to boot and start up all services, we've disabled some of the services that are not necessary for regular operating system usage in a VDI configuration.
In order to optimize the operating system, we have performed the following configurations: Disabling the Windows Search service could have an impact on specific indexing functions, for instance, in the case of the Microsoft Outlook e-mail client.
For both operating systems, you could consider disabling the operating system's long-term performance optimizer (the Superfetch service discussed earlier) in the case of nonpersistent machine deployments. Disabling this service is particularly useful in the case of SSD disks, in terms of disk space and faster boot time (no more prefetch files will load during the startup phase).
Disable the Windows Search Indexing service only in the case of nonpersistent Virtual Desktops; in any other case, you should keep it active to avoid general content search issues.
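The service and page file changes from the Windows 7 and Windows 8 master image steps above, scripted for PowerShell 2.0 and later, as an added example that is not from the book: it disables Background Intelligent Transfer Service on every image, disables Superfetch (SysMain) and Windows Search (WSearch) only when the -NonPersistent switch is given, and pins the page file to twice the installed RAM with equal initial and maximum sizes. The service short names and C: as the system drive are assumptions.

```powershell
# Added example (not from the book). Run elevated on the master image VM; reboot afterwards.
param([switch]$NonPersistent)   # Superfetch and Windows Search are disabled only for nonpersistent desktops

# Background Intelligent Transfer Service is disabled on every master image.
$services = @('BITS')
if ($NonPersistent) { $services += 'SysMain', 'WSearch' }   # SysMain = Superfetch, WSearch = Windows Search

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $name not present, skipping"; continue }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    # Win32_Service.StartMode shows the result on PowerShell 2.0 as well (no StartType property there).
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    Write-Host ("{0,-8} start mode is now {1}" -f $name, $mode)
}

# Page file: fixed size with Initial = Maximum at 2 x RAM, so it never grows inside the image.
$cs     = Get-WmiObject Win32_ComputerSystem
$ramMB  = [int][math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
$swapMB = 2 * $ramMB

$cs.AutomaticManagedPagefile = $false   # same as unchecking "Automatically manage paging file size"
$cs.Put() | Out-Null

$pf = Get-WmiObject Win32_PageFileSetting | Where-Object { $_.Name -like 'C:\*' }
if (-not $pf) {
    $pf = (Get-WmiObject -List Win32_PageFileSetting).CreateInstance()
    $pf.Name = 'C:\pagefile.sys'        # assumed system drive
}
$pf.InitialSize = $swapMB
$pf.MaximumSize = $swapMB
$pf.Put() | Out-Null
Write-Host "Page file on C: fixed at $swapMB MB (RAM reported as $ramMB MB); reboot to apply."
```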
To improve the responsiveness of your Windows machines, you could also apply the following operating system configurations: In this chapter, we will discuss the best practices to apply to obtain better user experience. Getting ready In order to complete all the required steps for this recipe, you need to connect to the Windows Server machine with administrative credentials to be able to install and configure all the necessary features.
In the following steps, we will describe how to improve the graphical and user experience for a Windows Server operating system in order to deploy desktops of server operating systems later in this book:

1. Connect to the selected Windows Server machine with domain administrative credentials.
2. Start the Server Manager utility if it has not automatically been started.
3. In the Configure this local server section, click on the Add roles and features link, as shown in the following screenshot:
4. On the Installation Type menu, select the Role-based or feature-based installation option and click on Next to continue.
5. In the Server Selection menu, check the Select a server from the server pool radio button, select the machine on which you're configuring the user experience, and then click on Next to proceed.
6. On the Server Roles screen, click on the Next button without selecting any option to skip role configuration.
7. When prompted for additional required components, click on the Add Features button and then click on Next.
8. In the Confirmation box, click on the Install button to complete the activation procedure, as shown in the following screenshot:
9. After that, click on the Close button and reboot the Windows Server machine. Reconnect with the same domain administrative credentials.
10. You will know that the features have been enabled when you see a Windows 8-like Start menu as the first screen. From the Start menu, click on the Desktop icon.
11. Once you have been moved to the desktop view, right-click on it and select the Personalize option, as shown in the following screenshot:
12. On the Personalization menu, click on the Change desktop icons link in the left-hand side menu.
13. On the Desktop Icon Settings screen, enable the desired icons and uncheck the Allow themes to change desktop icons checkbox. Then, click on the Apply button first and on OK afterwards, as shown in the following screenshot:

   You should avoid using desktop background images for a server operating system. The purpose of this recipe is to create the right balance between the graphical experience and desktop performance.

14. On the Desktop view, right-click on the Windows Taskbar and select the Toolbars option.
15. Click on one or more options that you want to enable on the bar. The Touch Keyboard option could be particularly useful when using the Windows Server desktop on a tablet or a smartphone.
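The Server Manager wizard walked through above can also be scripted. The following PowerShell is an added example and not the book's own procedure: it assumes the feature being added is Desktop Experience (feature name `Desktop-Experience` on Windows Server 2012 and 2012 R2), which the book does not name explicitly, and it assumes an elevated session opened with the domain administrative credentials the recipe calls for. The required components that the wizard offers through its Add Features prompt are resolved automatically by `Install-WindowsFeature`.

```powershell
# Added example, not from the book: scripted counterpart of the Server Manager
# wizard. Assumption: the feature installed by the wizard is 'Desktop-Experience'
# (Windows Server 2012 / 2012 R2). Run from an elevated PowerShell session.
Import-Module ServerManager

$feature = Get-WindowsFeature -Name 'Desktop-Experience'
if (-not $feature) {
    throw "Desktop-Experience is not available on this OS version."
}

if ($feature.Installed) {
    Write-Host "Desktop-Experience is already installed; nothing to do."
} else {
    # Dependencies (the wizard's 'Add Features' prompt) are added automatically;
    # -IncludeAllSubFeature mirrors ticking the feature's sub-features as well.
    $result = Install-WindowsFeature -Name 'Desktop-Experience' -IncludeAllSubFeature
    if (-not $result.Success) {
        throw "Installation failed with exit code $($result.ExitCode)."
    }

    # Show what was installed and whether a reboot is pending, like the
    # Confirmation/Results page of the wizard.
    $result.FeatureResult | Select-Object Name, DisplayName, Success, RestartNeeded

    if ($result.RestartNeeded -eq 'Yes') {
        # Equivalent of the reboot step in the recipe; reconnect afterwards
        # with the same domain administrative credentials.
        Restart-Computer -Force
    }
}
```

After the reboot, `(Get-WindowsFeature -Name 'Desktop-Experience').Installed` returning `True` is the scripted equivalent of seeing the Windows 8-like Start menu on first logon; the desktop icon and taskbar toolbar choices from the later steps remain per-user settings and are still made interactively.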
The configuration of a Windows Server operating system version for VDI purposes is slightly different from that of normal Windows Desktop platforms. In fact, the most important thing to understand is that a system administrator has to maintain the right balance between the graphical experience for end users and the performance required by the operating system to perform its normal activities. Starting from this point of view, the use case to which we apply the deployment of a server operating system should include one or all of the following points:

This means that users can't install applications but have to use only the proposed environment.

This hint can also be applied to the previously discussed desktop OS environments.

As a result, it's now possible to use features that you would find by default in desktop operating system versions, such as the Windows bar seen in one of the previous screenshots, or system tools such as Windows Media Player, desktop themes (which should be used with care to avoid performance issues arising from high-resolution graphics), Video for Windows, or Sound Recorder.

In this recipe, we will explain how to configure an operating system target device, which will be used later in this book to deploy machine catalogs for the Provisioning Services offer.
Getting ready

The main required step for this recipe is installing a Windows 8 virtual machine, which will be used as the master image for the deployment of the virtual desktop instances within a XenDesktop PVS configuration. You can refer to the following Microsoft link for the Windows 8 installation procedure:

In the following steps, we will describe how to configure a Windows 8 machine as a target device for the PVS architecture. Perform this task on the machine that will be used as the target device.

1. Connect to the Windows virtual machine by using domain administrative credentials.
2. Browse the mounted PVS 7.
3. On the new selection menu, click again on the Target Device Installation link.
4. On the Welcome screen, click on Next to continue.
5. In the license agreement section, accept the terms and click on the Next button.
6. Populate the Customer Information section with the required information. After that, click on Next to proceed, as follows:
7. On the Destination Folder screen, select a valid path in which you will be installing the agent and then click on the Next button.
8. In the Ready to Install the Program section, click on Install to start the installation process.
9. After the installation has been completed, leave the Launch Imaging Wizard checkbox enabled and click on the Finish button.
10. After clicking on Next on the Welcome screen, populate the required fields to connect your target machine to the PVS server.