
CWS-315-2I: Citrix Virtual Apps and Desktops 7 Advanced

Administration

(1-3 Days)
Table Of Contents

Module 0 - Course Overview.....................................................................................................................................................................2


Module 1 - Implement Redundancy and Scalability................................................................................................................................33
Citrix Virtual Apps and Desktops Redundancy and Scalability....................................................................................................35
StoreFront and Citrix Gateway Redundancy and Scalability.......................................................................................................42
Site Infrastructure Redundancy and Scalability...........................................................................................................................52
Machines Running the Virtual Delivery Agent.............................................................................................................................72
Module 2 - Manage a Virtual Apps and Desktops Environment with Multiple Locations.........................................................................84
Zones...........................................................................................................................................................................................86
VDA Registration in a Multi-Zone Environment...........................................................................................................................99
Zone Preference........................................................................................................................................................................113
Optimal Gateway Routing and Zones........................................................................................................................................122
Managing StoreFront Store Subscriptions in a Multi Location Environment.............................................................................131
Module 3 - Implement Backups and Disaster Recovery.......................................................................................................................143
Backups.....................................................................................................................................................................................145
Disaster Recovery Considerations............................................................................................................................................161
Disaster Recovery Process.......................................................................................................................................................171
Module 4 - Implement Advanced Authentication Methods....................................................................................................................181
Multi-factor Authentication - RADIUS and One Time Passwords (OTP)...................................................................................183
Multi-factor Authentication - Smart Card Authentication............................................................................................................193
Federated Authentication - Active Directory Federation Services (ADFS), Security Assertion Markup Language (SAML), and Citrix Federated Authentication Service (FAS) ...............................205
Module 5 - Improve App and Data Security..........................................................................................................................................227
Introduction to Application Security..........................................................................................................................................229
Preventing Jailbreak Attacks.....................................................................................................................................................236
Minimizing the Impact of Attacks...............................................................................................................................................256
Module 6 - Secure Machines Running the Virtual Delivery Agent.........................................................................................................274
Transport Layer Security (TLS) to Virtual Delivery Agent (VDA) Encryption.............................................................................276
Microsoft Group Policy Objects (GPOs) and Citrix Policies......................................................................................................285
Image Management...................................................................................................................................................................303
Module 7 - Introduction to Troubleshooting...........................................................................................................................................314
Resource Tools and Utilities......................................................................................................................................................320
Introduction to PowerShell.........................................................................................................................................................336
Module 8 - Troubleshoot Access Issues...............................................................................................................................................354
Troubleshooting StoreFront.......................................................................................................................................................356
Citrix ADC/Gateway - Workflow and Troubleshooting Overview...............................................................................................364
Citrix ADC/Gateway - Troubleshooting Access and Authentication..........................................................................................373
Citrix ADC/Gateway - Troubleshooting App/Desktop Launch...................................................................................................383
Module 9 - Troubleshoot Delivery Controller Issues.............................................................................................................................390
Validating FlexCast Management Architecture (FMA) Services................................................................................................392
Module 10 - Troubleshoot Virtual Delivery Agent (VDA) Registration Issues.......................................................................................415
Troubleshooting Virtual Delivery Agent (VDA) Registration......................................................................................................417
Module 11 - Troubleshoot HDX Connection Issues..............................................................................................................................433
Troubleshooting HDX Connections...........................................................................................................................................435
Citrix Virtual Apps and Desktops 7
Advanced Administration

Course Overview

CWS-315-2I: September 27, 2021


Lab Manual: v1.19, v2.1
Module 0

2 © 2020 Citrix Authorized Content


Course Overview (1/4)

• Explain how to implement redundancy for core Citrix Virtual Apps and Desktops infrastructure components.
• Manage a Citrix Virtual Apps and Desktops deployment with multiple locations.
• Implement backups and disaster recovery for a Citrix Virtual Apps and Desktops deployment.
• Determine the advanced authentication methods appropriate for access to a Citrix Virtual Apps and Desktops environment.
• Explain how app and data security can be improved in a virtualized environment.
• Secure the machines running the Virtual Delivery Agent.



Course Overview (2/4)

• Introduce core troubleshooting methodology for a virtual environment.
• Troubleshoot common access issues.
• Troubleshoot common Delivery Controller and database issues.
• Troubleshoot common VDA registration issues.
• Troubleshoot common HDX connection issues.



Course Overview (3/4)

• Introduce App Layering.
• Create OS, Platform, App, Elastic, and User Layers.
• Deploy a layered image using Citrix Virtual Apps and Desktops.
• Explore Layer priority and maintain an App Layering environment.



Course Overview (4/4)

• Introduce Citrix Workspace Environment Management (WEM).
• Install WEM on-premises and WEM Service.
• Run the WEM Consoles and perform initial setup.
• Use WEM for VM performance optimization.
• Use WEM to secure virtualization environments.
• Examine the WEM Agent operations.
• Migrate to WEM, and upgrade existing WEM environments.



Citrix Workspace

Drive digital transformation with an intelligent workspace platform.



App Delivery and Security

Formerly Networking



Student Introduction

• Introduce yourself to the class.
• Include the following information:
  • Name and company
  • Job title
  • Job responsibility
  • Networking and virtualization experience
  • Citrix product experience
  • Class expectations



Facilities

• Parking and transportation information
• Class Policies
• Break and lunch schedules
• Emergency contact information



Course Prerequisites

• Basic knowledge of:
  • Active Directory
  • Windows Operating Systems
  • Storage
  • Networking
• Some previous administrative experience with Citrix Virtual Apps and Desktops 7 (Deploy and Administer)

Key Notes:
• Citrix recommends completing the free Citrix Virtual Apps and Desktops 7 introduction bundle at elearning.citrix.com prior to
attending this course.



Course Outline – Day 1

• Module 0: Course Overview
• Module 1: Implement Redundancy and Scalability
• Module 2: Manage Virtual Apps and Desktops Environment with Multiple Locations
• Module 3: Implement Backups and Disaster Recovery



Course Outline – Day 2

• Module 4: Implement Advanced Authentication Methods
• Module 5: Improve App and Data Security
• Module 6: Secure Machines Running the Virtual Delivery Agent
• Module 7: Introduction to Troubleshooting



Course Outline – Day 3

• Module 8: Troubleshoot Access Issues
• Module 9: Troubleshoot Delivery Controller Issues
• Module 10: Troubleshoot VDA Registration Issues
• Module 11: Troubleshoot HDX Connection Issues



Course Outline – Day 4

• Module 12: Introduction to App Layering
• Module 13: Create an OS Layer
• Module 14: Create a Platform Layer
• Module 15: Create App Layers
• Module 16: Create Elastic App and User Layers
• Module 17: Deploy a Layered Image using Citrix Virtual Apps and Desktops
• Module 18: Explore Layer Priority and Maintain an App Layering Environment



Course Outline – Day 5

• Module 19: Introduction to Workspace Environment Management (WEM)
• Module 20: Installing Workspace Environment Management (WEM)
• Module 21: WEM Consoles and Initial Setup
• Module 22: WEM Centralized Management Features: System and Log On Optimization
• Module 23: WEM Centralized Management Features: Security & Lockdown
• Module 24: The WEM Agent
• Module 25: Upgrading Workspace Environment Management (WEM) and Migration to WEM Service



Course Materials

• This course has the following material:
  • Student Manual
  • Lab Manual
  • Lab Environment
• Watch the Instructor demonstrate how to access the course materials and connect to the lab environment.



Lab Exercises

All lab exercises are grouped and performed together per module.



Lab Exercise Access

Use the following link to access the labs:
https://training.citrix.com/learning/landing
-315

1. Log in with your MyCitrix credentials, specifically those used to enroll in the course.
2. When instructed to provision your labs, click the module you want to complete.


Additional Resources:
• Lab Access URL: <Insert link here>



Lab Exercise Access (Continued)

3. After clicking on a specific module, verify the requirements and click READY TO START.
4. On the next page, click START LAB.



Lab Exercise Access (Continued)

Note the Lab Time counter; it shows how much time you have left to complete the exercise.

5. Verify that the 5-minute countdown timer starts and wait for the timer to reach zero.
6. If you have not done so already, ensure you have the Citrix Workspace app or Citrix Receiver installed.
7. Click OPEN LAB IN CITRIX RECEIVER to connect to the lab.



Lab Exercise Access (Continued)

8. Once the lab exercises are complete, click END LAB to decommission the lab.



Lab Introduction
New York City (NYC) WW Labs Initial Proof of Concept (POC) Design

• This diagram represents the lab environment for this course.
• Check connectivity to the lab environment and report any issues to the Instructor.
• All lab environment details are also provided in the lab manual.

[Diagram: lab environment, layers shown left to right as User Layer, Access Layer, Control Layer, Resource Layer. Nodes: Endpoint NYC-WRK-001; Firewall; StoreFront NYC-STF-001; Citrix ADC NYC-ADC-001; Citrix ADM NYC-ADM-001; Firewall; Delivery Controller NYC-VDC-001; Domain Controller NYC-ADS-001; SQL NYC-SQL-001; File Server NYC-FSR-001; Server OS Master NYC-SRV-MST; Desktop OS Master NYC-DTP-MST; Server OS NYC-SRV-001; Desktop OS NYC-DTP-001. Hardware Layer: Network, Wifi, Storage, Processor, Memory, Graphics, Hypervisor.]


Key Notes:
• The course lab environment is not a production environment.
• Each VM is given enough resources to perform the lab exercises.
• There are enough lab exercises to gain valuable hands-on experience to match the lecture part of this course.
• These lab VMs are tuned to the lab manual tasks; do not deviate unless instructed to by the Instructor.
• Any deviation may destabilize the lab and cause intermittent or long-term failure.
• If a lab fails, it can be reset to the beginning, but it is time consuming and requires a classroom support ticket.



Student Desktop

• Remote Desktop Connection Manager for general management
• Hyper-V Manager for virtual machine management and power operations
• System Center Virtual Machine Manager for Hypervisor management



Remote Desktop Connection Manager

• Use the Remote Desktop Connection Manager to connect to the lab virtual machines (VMs).
• The connections are pre-configured.



Hyper-V Manager

• Manage virtual machines
• Power operations
• Install Operating System



System Center Virtual Machine Manager

• Manage Hyper-V clusters
• Add Networking features



Classroom Support

1. Navigate to training.citrix.com
2. Click on the “Contact Us” dropdown.
3. Select “Classroom Support”.



Printing

• You can download, save, and print electronic courseware.
• To print, click Student Resources > Courseware > Student Manual > Launch.



Looking Ahead:
End of Course Survey

Your opinion matters!

Help shape the next course.

Tell us what you liked!

What can we do better?



Citrix Measures your Feedback with NPS
How is Net Promoter Score Calculated?

Question: "How likely is it you would recommend Citrix Courses to a friend?"
Scale: 0 (Not at all Likely) to 10 (Extremely Likely)
Scoring: 0-6 Detractor, 7-8 Passive, 9-10 Promoter



Connect with Citrix Education

• Facebook: Become a fan of Citrix Services
• Twitter: Follow @citrixservices
• LinkedIn: Join the Citrix Education Group

Visit http://training.citrix.com to find more information on training, certifications, and exams.



Citrix Virtual Apps and Desktops 7
Advanced Deployment, Troubleshooting,
Security and Administration
Implement Redundancy and Scalability

Module 1



Learning Objectives

• Describe why redundancy and scalability considerations are critical for the stability and optimization of Citrix Virtual Apps and Desktops environments.
• Determine whether the number and sizing of the Citrix components are appropriate for a production Citrix Virtual Apps and Desktops environment.
• Determine whether the number and sizing of machines hosting HDX sessions is meeting the needs of a production Citrix Virtual Apps and Desktops environment.



Citrix Virtual Apps and Desktops
Redundancy and Scalability



Redundancy and Scalability

• Redundancy: Duplicated components that eliminate single points of failure in a system.
• Scalability: The maximum amount of users, connections, etc. a system can support while maintaining an acceptable level of performance.

[Diagram, Active – Passive Configuration (Failover): Endpoints with Citrix Workspace app → Citrix ADC Load Balancer → StoreFront-A / StoreFront-B, one serving traffic and the other standing by.]
[Diagram, Active – Active Configuration: Endpoints with Citrix Workspace app → Citrix ADC Load Balancer → StoreFront-A and StoreFront-B, both serving traffic.]

Key Notes:
• Discuss what redundancy and scalability are and why they are really needed.
• Depending on the deployment, some components of a Citrix Virtual Apps and Desktops Site are a “single point of failure”. To protect
against Site-wide outages due to a single failing component, plan for redundancy.
• Redundancy can come in different forms, but mostly means duplicated systems, connections etc. so that the loss of a single
component can be compensated without threatening the performance of the complete site.
• How much redundancy is needed?
• The main components of a Site need to be redundant:
• 2x StoreFront Server
• 2x Controller Server
• HA Database Server
• 2x License Server (if grace period is not acceptable)
• 2x Citrix Gateway (recommended)
• Redundancy not only protects from outages, but sometimes offers more performance or better scalability than singular
systems.
• Active-passive or failover configurations only protect against loss of functionality.
• Active-active configurations use multiple systems simultaneously or alternating and gain performance by distributing
load across available systems.
• Most load balancing systems (like Citrix ADC) offer many different load balancing mechanisms as well as some
performance gains by eliminating overhead, caching requests etc.
• Note that the diagram shows only one load balancer, which is a single point of failure. Typically, we would want to
address this by adding redundancy to the load balancer as well. For example, Citrix ADC can be configured as an HA pair.
• Adding even more redundant systems can offer even more speed but typically offer diminishing returns with each
additional machine.
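Added example, not part of the Citrix course material: a PowerShell audit that checks a Site against the redundancy list above using the Citrix Virtual Apps and Desktops PowerShell SDK (Delivery Controllers, Site database, License Server) and the StoreFront PowerShell SDK (server group members). The cmdlet names are those of the Citrix SDKs; the "two of everything" thresholds, the connection-string heuristics used to spot SQL high availability, and the StoreFront server-group property name are assumptions made for this example.

```powershell
# Added example (not Citrix course code): audit a Site against the redundancy
# checklist. Run in an elevated PowerShell session on a Delivery Controller or
# on a StoreFront server; each check is skipped when its SDK is not present.
# Assumed for this example: the "two of everything" thresholds, the connection-string
# heuristics for SQL HA, and the StoreFront server-group property names.

if (Get-Module -ListAvailable -Name Citrix.Broker.Commands) {
    Import-Module Citrix.Broker.Commands
} else {
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue
}

$findings = New-Object System.Collections.Generic.List[string]

if (Get-Command Get-BrokerController -ErrorAction SilentlyContinue) {
    # 1. Delivery Controllers: at least two, and all of them in the Active state.
    $controllers = @(Get-BrokerController)
    $active      = @($controllers | Where-Object { $_.State -eq 'Active' })
    if ($active.Count -lt 2) {
        $states = ($controllers | ForEach-Object { "$($_.DNSName)=$($_.State)" }) -join ', '
        $findings.Add("Only $($active.Count) active Delivery Controller(s): $states")
    }

    # 2. Site database: a mirrored database shows 'Failover Partner=' in the connection
    #    string; an Always On listener is normally used with 'MultiSubnetFailover=True'.
    #    Absence of both is only a hint (assumption), not proof of a single SQL instance.
    $conn = Get-BrokerDBConnection
    if ($conn -notmatch 'Failover Partner=' -and $conn -notmatch 'MultiSubnetFailover=True') {
        $findings.Add("Site DB connection string shows no mirroring partner or AG listener hint: $conn")
    }

    # 3. License Server: the Site knows exactly one name; losing it means running on
    #    the grace period until a standby is brought up under that same name.
    $site = Get-BrokerSite
    $findings.Add("License Server is $($site.LicenseServerName):$($site.LicenseServerPort); confirm a standby exists or that the grace period is acceptable")
}

if (Get-Module -ListAvailable -Name Citrix.StoreFront) {
    # 4. StoreFront: count the members of the local server group.
    Import-Module Citrix.StoreFront
    $members = @((Get-STFServerGroup).ClusterMembers)   # property name assumed
    if ($members.Count -lt 2) {
        $findings.Add("StoreFront server group has $($members.Count) member(s)")
    }
}

if ($findings.Count -eq 0) {
    'No single points of failure found among the checked components.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The Citrix ADC/Gateway pair and the hypervisor are deliberately outside this script: their redundancy is checked on the appliance (HA node status) and on the hypervisor management console, not from the Site's SDK.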



Components Covered in This Course

The following components will be reviewed in terms of redundancy and scalability:
• StoreFront
• Citrix ADC
• Delivery Controller
• Citrix License Server
• Site Database
• Machines running the Virtual Delivery Agent (VDA)
• Citrix Director (not pictured)
• Citrix Cloud Connector (not pictured)

[Diagram: User Layer (Internal Users, External Users) → Access Layer (Firewall, StoreFront, Citrix ADC, Firewall) → Control Layer (Delivery Controller, Domain Controller, SQL, License Server) → Resource Layer (Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC). Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]



Customer-Managed Components in a Citrix Cloud Environment

[Diagram: User Layer (Internal Users, External Users) → Access Layer, optional on-premises (Firewall, StoreFront, Citrix Gateway) → Citrix Cloud (Workspace, Citrix Gateway Service, Delivery Controller, Site Database, License Server) ↔ Cloud Connectors → Resource Layer (Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC, Domain Controller). A Hardware Layer (Network, Storage, Processor, Memory, Graphics) sits beneath both the optional on-premises Access Layer and the Resource Layer.]


Key Notes:
• In a Citrix Cloud environment, the default setup is to use Workspace to provide authentication and Store services, and the Citrix Gateway Service for HDX connections. Customers have the option to:
  • Use StoreFront instead of, or in addition to, Workspace.
  • Use Citrix ADC/Gateway instead of the Citrix Gateway Service.
• Note that although Workspace and the Citrix Gateway Service are considered Access Layer components, they are part of Citrix Cloud services.



• The components shown in blue must continue to be managed by the organization that owns the Virtual Delivery Agent
machines, and so redundancy/scalability considerations still apply. These include:
• StoreFront (if hosted on-premises)
• Citrix ADC/Gateway (if hosted on-premises)
• Citrix Cloud Connector (considered to be co-managed, as Citrix is responsible for Cloud Connector updates)
• VDA machines



Lesson Review

Which component do redundancy and scalability considerations always apply to, regardless of hosting platform?

Virtual Delivery Agent machines



StoreFront and Citrix Gateway
Redundancy and Scalability



StoreFront Server Redundancy

• Aggregate multiple StoreFront servers into a StoreFront Server Group to provide redundant access to the same stores.
• This setup requires the servers to share a common base URL and be load balanced.

[Diagram: User Layer (Internal Users, External Users) → Access Layer (Firewall, StoreFront, Citrix Gateway, Firewall) → Control Layer (Delivery Controller, Domain Controller, SQL, License Server) → Resource Layer (Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC). Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• When configuring multiple StoreFront servers in a server group:
• A load balancer is required (Citrix ADC is recommended)
• Manual propagation of configuration data is required
• Base URL must be updated
• Subscription replication uses TCP port 808
• All servers within a StoreFront Server Group use the same configuration. Whenever a configuration change has been done on a
StoreFront server within a server group, the changes must be manually propagated to the other servers in the group.
• Custom scripts and layout customizations are replicated.
• Synchronization of the subscription database occurs automatically in the background between all servers.
• It is recommended to designate one server for making changes and keep the rest of the StoreFront servers as “passive partners.” Propagating changes back and forth between servers might corrupt the configuration.
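Added example, not part of the Citrix course material: the change-and-propagate routine described above, run on the designated StoreFront server with the StoreFront PowerShell SDK. It sets the shared base URL to the load-balanced name, verifies that TCP 808 (subscription replication) is reachable on every other group member, and then propagates the configuration explicitly, since store and authentication settings do not replicate on their own. The host name is a placeholder, and the `HostBaseUrl`, `ClusterMembers` and `HostName` property names are assumptions for this example; the cmdlet names are from the StoreFront SDK.

```powershell
# Added example (not Citrix course code): update the base URL on the designated
# "master" StoreFront server and push the configuration to the other members.
# Run on the server where changes are made; do not run it on the passive partners.
Import-Module Citrix.StoreFront

$newBaseUrl = 'https://storefront.example.com'   # placeholder: the load-balanced name

# The base URL must be the name users and the load balancer present, and it must
# be identical on every member, which is why it is set here and then propagated.
$deployment = Get-STFDeployment
if ("$($deployment.HostBaseUrl)".TrimEnd('/') -ne $newBaseUrl) {   # property name assumed
    Set-STFDeployment -HostBaseUrl $newBaseUrl -Confirm:$false
}

# Subscription replication between members uses TCP 808. Check it before
# propagating: a blocked port leaves subscriptions diverging silently.
$group = Get-STFServerGroup
foreach ($member in @($group.ClusterMembers)) {                     # property names assumed
    $reachable = Test-NetConnection -ComputerName $member.HostName -Port 808 -InformationLevel Quiet
    if (-not $reachable) {
        Write-Warning "TCP 808 to $($member.HostName) is blocked; subscriptions will not replicate"
    }
}

# Configuration (stores, authentication methods, customizations) does NOT
# replicate automatically: propagate it explicitly, and only from this server.
Publish-STFServerGroupConfiguration -Confirm:$false
```

Propagation overwrites the configuration on every other member, so the warning above is the last chance to notice a member that is unreachable; a member that misses a propagation serves the old base URL and may fail certificate or Gateway callback checks until it is re-propagated.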

Additional Resources:
• StoreFront high availability and multi-site configuration:
• 3.12 (LTSR version): https://docs.citrix.com/en-us/storefront/3-12.html
• Current Release: https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-
configuration.html
• Configure server groups:
• 3.12 (LTSR version): https://docs.citrix.com/en-us/storefront/3-12.html
• Current Release: https://docs.citrix.com/en-us/storefront/current-release/configure-server-group.html
• Load balancing with ADC:
• 3.12 (LTSR version): https://docs.citrix.com/en-us/storefront/3-12.html
• Current Release: https://docs.citrix.com/en-us/storefront/current-release/integrate-with-netscaler-and-netscaler-
gateway/load-balancing-with-netscaler.html



StoreFront Server Scalability

Scale Up
• Single-server scalability is primarily based on the CPUs assigned to the server.
• Scalability is measured by the maximum number of user connections per hour.
• Access via Citrix Receiver/Workspace for Web adds CPU and RAM overhead.
• Scale up first, then scale out.

Scale Out
• There is no hard limit to the number of servers in a server group.
• However, there will be diminishing returns when adding 6+ StoreFront servers to a server group.
• 2-3 StoreFront servers with 4 vCPUs and 8 GB RAM should support 150k connections per hour (logon rate of 50 requests per second).


Key Notes:
• The number of Citrix Receiver/Citrix Workspace users supported by a StoreFront server group depends on the hardware used and the
level of user activity.
• Based on simulated activity where users log on, enumerate 100 published applications, and start one resource, expect a single
StoreFront server with the minimum recommended specification of two virtual CPUs running on an underlying dual Intel Xeon L5520
2.27Ghz processor server to enable up to 30,000 user connections per hour.
• As more StoreFront servers are added to the server group, this will scale linearly for the first few servers, but additional scalability
will begin to decline at 6+ servers.
• As a result, it is recommended to increase the CPUs allocated to the initial StoreFront servers before adding more.
• The minimum recommended memory allocation for each server is 4 GB. Whether users connect through Citrix Receiver for Web or through the native Citrix Receiver/Workspace app, allow an extra 700 bytes per resource, per user, on top of that 4 GB base for this version of StoreFront.
• To determine whether an existing production deployment of StoreFront is sized adequately, use Citrix Director Trends to determine the maximum number of connections initiated over the course of an hour. If multiple Sites are aggregated by a single StoreFront server group, add the connections initiated to each Site to arrive at the total. Combined with resource utilization data from the StoreFront servers, this supports a request to allocate more resources to the existing StoreFront servers or to add another server to the group.
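Added example, not part of the Citrix course material: a first-pass sizing function that applies the rules of thumb above (about 30,000 connections per hour per 2 vCPU, scale up before scaling out, diminishing returns beyond roughly 6 servers, 4 GB base memory plus 700 bytes per resource per user). The 8 vCPU ceiling before scaling out, the N+1 server allowance, and the worst-case assumption that every concurrent user may land on one server are choices made for this example, not figures from the course.

```powershell
# Added example (not Citrix course code): first-pass StoreFront sizing from the
# course's rules of thumb. Inputs come from Director Trends (peak connections per
# hour, summed across aggregated Sites) and from the store's resource count.
function Get-StoreFrontSizing {
    param(
        [Parameter(Mandatory)][int]$PeakConnectionsPerHour,
        [Parameter(Mandatory)][int]$ConcurrentUsers,
        [Parameter(Mandatory)][int]$ResourcesPerUser,
        [int]$MaxVcpuPerServer = 8          # assumed ceiling before scaling out instead
    )
    $perVcpuPerHour = 30000 / 2             # ~30k connections/hour per 2 vCPU (course figure)

    # Scale up first: vCPUs one server would need for the whole load, bounded by the ceiling.
    $vcpuNeeded    = [math]::Ceiling($PeakConnectionsPerHour / $perVcpuPerHour)
    $vcpuPerServer = [int][math]::Min([math]::Max(2, $vcpuNeeded), $MaxVcpuPerServer)

    # Then scale out: servers needed for the load, plus one for redundancy, never fewer than two.
    $serversForLoad = [math]::Ceiling($PeakConnectionsPerHour / ($vcpuPerServer * $perVcpuPerHour))
    $servers        = [int][math]::Max(2, $serversForLoad + 1)

    # Memory: 4 GB base + 700 bytes per resource per user. Worst case assumed here:
    # all concurrent users enumerating on the same server (e.g. the others are down).
    $memoryBytes = 4GB + (700 * $ResourcesPerUser * $ConcurrentUsers)

    [pscustomobject]@{
        Servers           = $servers
        vCpuPerServer     = $vcpuPerServer
        MemoryGBPerServer = [int][math]::Ceiling($memoryBytes / 1GB)
        Note              = if ($servers -gt 6) {
                                'More than 6 servers: expect diminishing returns; raise vCPU per server first'
                            } else { 'Within the range where adding servers scales roughly linearly' }
    }
}

# Example input: 150k connections/hour, 5,000 concurrent users, 100 resources each.
Get-StoreFrontSizing -PeakConnectionsPerHour 150000 -ConcurrentUsers 5000 -ResourcesPerUser 100
```

For the example input the function returns 3 servers with 8 vCPU and 5 GB each, slightly more conservative than the course's "2-3 servers with 4 vCPUs and 8 GB" because it reserves one server as headroom; treat the output as the starting point for a pilot measurement, not as a final specification.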

Additional Resources:
• Plan your StoreFront deployment:
• 3.12 (LTSR version): http://docs.citrix.com/en-us/storefront/3-12/plan.html
• Current Release: https://docs.citrix.com/en-us/storefront/current-release/plan.html
• StoreFront high availability and multi-site configuration:
• 3.12 (LTSR version): https://docs.citrix.com/en-us/storefront/3-12.html
• Current Release: https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-
configuration.html
• Configure server groups:
• 3.12 (LTSR version): https://docs.citrix.com/en-us/storefront/3-12.html
• Current Release: https://docs.citrix.com/en-us/storefront/current-release/configure-server-group.html
• StoreFront 3.0 Scalability: https://www.citrix.com/blogs/2015/09/16/storefront-3-0-scalability-2/



Citrix ADC Redundancy

[Diagram: three deployment options]
• HA Pair (Active/Passive): Users → two Citrix ADC appliances, one active and one passive → Servers
• Cluster (Active/Active): Users → multiple Citrix ADC nodes operating as a single system → Servers
• Azure (Active/Active): Users → Azure Load Balancing → two Citrix ADC VPX instances → Servers

Key Notes:
• Customers historically always deployed HA Pairs when integrating with Citrix Virtual Apps and Desktops products.
• With release 10.1 and later, most of the important features are available in Cluster mode, and thus more and more customers have
been deploying Clusters.
• When deploying any type of High Availability, scale the individual Citrix ADC appliances so that they can handle the user load even in
the event that one appliance is down.
• nCore is a technology engineered to optimize next-generation Web applications and services in software by leveraging the
underlying capabilities of general-purpose multi-core hardware.
• nCore technology allows Citrix ADC appliances to deliver rich Web 2.0 applications and cloud services for up to 7x
more users with no new hardware investments required.
• A Citrix ADC cluster is a group of nCore appliances working together as a single system image. Each appliance of the
cluster is called a node. The cluster can have one appliance or as many as 32 Citrix ADC nCore hardware or virtual
appliances as nodes.
• While more features are supported by clustering with each release, please check the Citrix documentation to verify
that the required features are supported on a given version of Citrix ADC before moving forward with a deployment.
• All cluster nodes should be the same model, platform, type, version, and release.
• A Citrix ADC HA pair is active/passive, so while paying for two appliances, customers only get 1x on performance and
throughput.
• Both nodes of the HA pair should be the same model, version, and release.
• In a Microsoft Azure deployment, a high availability configuration of two Citrix ADC virtual machines is achieved by
using the Azure Load Balancer, which distributes the client traffic across the virtual servers configured on both the Citrix
ADC instances.
• The Basic edition of the Azure Load Balancer uses a hash-based distribution algorithm. By default, it uses a 5-tuple
hash composed of source IP, source port, destination IP, destination port, and protocol type to map traffic to
available servers. It provides stickiness only within a transport session. Packets in the same TCP or UDP session will
be directed to the same instance behind the load-balanced endpoint. When the client closes and reopens the
connection or starts a new session from the same source IP, the source port changes. This may cause the traffic to go
to a different endpoint in a different datacenter.
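Added example, not part of the Citrix course material: building the HA pair and the StoreFront load-balancing vServer from the diagram through the Citrix ADC NITRO REST API from PowerShell. Management addresses (RFC 5737 documentation range), server addresses, object names, the store name and the certificate key name are placeholders; the example assumes the NSIP presents a certificate the management host trusts and that a dedicated administrative account is used rather than `nsroot`. Source-IP persistence with a 20-minute timeout is one reasonable choice for StoreFront, not a value from the course.

```powershell
# Added example (not Citrix course code): configure an HA pair and a StoreFront
# load-balancing vServer via the NITRO REST API. Run against the node that will
# be primary; HA configuration synchronization then copies it to the secondary.
$nsip = '192.0.2.10'        # primary NSIP (placeholder)
$peer = '192.0.2.11'        # secondary NSIP (placeholder)
$cred = Get-Credential -Message 'Citrix ADC administrative account'
$base = "https://$nsip/nitro/v1/config"
$headers = @{
    'X-NITRO-USER' = $cred.UserName
    'X-NITRO-PASS' = $cred.GetNetworkCredential().Password   # sent only over HTTPS
    'Content-Type' = 'application/json'
}

function Invoke-Nitro {
    # POST one NITRO config resource; the body key must equal the resource name.
    param([string]$Resource, [hashtable]$Body)
    Invoke-RestMethod -Method Post -Uri "$base/$Resource" -Headers $headers `
        -Body ($Body | ConvertTo-Json -Depth 5)
}

# 1. HA pair: the local node is ID 0; the peer is added as node ID 1.
Invoke-Nitro 'hanode' @{ hanode = @{ id = 1; ipaddress = $peer } }

# 2. Back-end StoreFront servers in an SSL service group, health-checked with the
#    StoreFront-aware monitor (probes the store, not just TCP 443).
Invoke-Nitro 'servicegroup' @{ servicegroup = @{ servicegroupname = 'sg_storefront'; servicetype = 'SSL' } }
foreach ($sf in '10.0.0.21', '10.0.0.22') {                 # placeholder StoreFront IPs
    Invoke-Nitro 'servicegroup_servicegroupmember_binding' @{
        servicegroup_servicegroupmember_binding = @{ servicegroupname = 'sg_storefront'; ip = $sf; port = 443 }
    }
}
Invoke-Nitro 'lbmonitor' @{
    lbmonitor = @{ monitorname = 'mon_storefront'; type = 'STOREFRONT'; storename = 'Store'; secure = 'YES' }
}
Invoke-Nitro 'servicegroup_lbmonitor_binding' @{
    servicegroup_lbmonitor_binding = @{ servicegroupname = 'sg_storefront'; monitor_name = 'mon_storefront' }
}

# 3. SSL vServer on the load-balanced VIP (the StoreFront base URL resolves here),
#    with source-IP persistence so a user's requests stay on one member.
Invoke-Nitro 'lbvserver' @{
    lbvserver = @{ name = 'lb_storefront'; servicetype = 'SSL'; ipv46 = '10.0.0.20'; port = 443
                   persistencetype = 'SOURCEIP'; timeout = 20 }
}
Invoke-Nitro 'lbvserver_servicegroup_binding' @{
    lbvserver_servicegroup_binding = @{ name = 'lb_storefront'; servicegroupname = 'sg_storefront' }
}
Invoke-Nitro 'sslvserver_sslcertkey_binding' @{
    sslvserver_sslcertkey_binding = @{ vservername = 'lb_storefront'; certkeyname = 'cert_storefront' }
}

# 4. Persist the running configuration so it survives a reboot or failover.
Invoke-RestMethod -Method Post -Uri "$base/nsconfig?action=save" -Headers $headers -Body '{"nsconfig":{}}'
```

Run this only from a management host that can reach the NSIP; the NSIP should not be reachable from user networks at all, and the credential passed in the NITRO headers is as sensitive as an SSH login to the appliance. After the `hanode` call, confirm with `show ha node` on both appliances that one reports Primary and the other Secondary before relying on the pair.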

Additional Resources:
• High Availability: https://docs.citrix.com/en-us/netscaler/12-1/system/high-availability-introduction.html
• Clustering: https://docs.citrix.com/en-us/netscaler/12-1/clustering.html
• Azure Load Balancer overview: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview



Citrix ADC Scalability

• TLS throughput is the most significant factor in identifying the appropriate Citrix ADC that will host the Citrix Gateway vServer(s).
• Each Citrix ADC platform has multiple models with increasing throughput capabilities.

Citrix ADC VPX
• Virtual appliance that is supported on most major hypervisor and cloud-hosting platforms.
• Depending on model, TLS throughput can range from 10 Mbps to 30 Gbps.

Citrix ADC MPX
• Physical network appliance that is installed in an on-premises or service provider’s datacenter.
• Depending on model, TLS throughput can range from 1 Gbps to 120 Gbps.

Citrix ADC SDX
• Physical network appliance that uses the MPX architecture combined with Citrix Hypervisor to run multiple Citrix ADC virtual instances simultaneously.
• TLS throughput must be compared to the maximum throughput for the virtual VPX instance where the Gateway vServer is located.

Key Notes:
• In order to identify whether the current Citrix ADC platform can meet the current environment’s requirements, the key resource
constraints must be identified. Since all remote access traffic will be secured using Transport Layer Security (TLS), transported by
Hypertext Transfer Protocol (HTTP) in the form of HTTPS, there are two resource metrics that should be targeted:
• TLS throughput – The TLS throughput is the gigabits of TLS traffic that may be processed per second (Gbps).
• TLS transactions per second (TPS) – The TPS metric identifies how many times per second an Application Delivery Controller (ADC)
may execute a TLS transaction. The capacity varies primarily by the key length required. While TPS is an important metric to
monitor, field experience has shown that TLS throughput is the most significant factor in identifying the appropriate
Citrix ADC model.
• To determine the TLS throughput required for a Citrix ADC platform, multiply the maximum concurrent bandwidth for a
datacenter by 1.02:
• TLS Throughput = Maximum Concurrent Bandwidth * 1.02
• We add 2% to the maximum concurrent bandwidth as a rule of thumb to account for TLS bandwidth overhead.
This overhead is often considered negligible relative to the volume of HDX traffic and is not typically accounted for as part of
required TLS throughput. However, making provisions for TLS bandwidth will help ensure the total throughput
estimated is sufficient.
• Ideally, the overhead should be measured during a proof of concept or pilot.
• Once the concurrent bandwidth and TLS throughput requirements are known, compare those to the Citrix ADC model
that has been deployed. Citrix publishes datasheets that specify the maximum expected TLS throughput for a given
Citrix ADC platform and model.

Lesson Review

Two StoreFront servers in a server group aggregate resources from multiple Sites. They have been allocated with 2 vCPUs and 4
GB RAM. Resource utilization and historical session data show that the StoreFront servers are at the limit of their expected
capacity.

How should StoreFront capacity be expanded?

Increase the resources allocated to the existing StoreFront servers.

Site Infrastructure Redundancy and Scalability


Citrix Delivery Controller Redundancy

[Diagram: Citrix Virtual Apps and Desktops layers – User Layer (Internal Users, External Users); Access Layer (StoreFront, Citrix
Gateway, Firewalls); Control Layer (Delivery Controller, Domain Controller, SQL, License Server); Resource Layer (Server OS,
Assigned Desktop OS, Random Desktop OS, Remote PC); Hardware Layer (Network, Wi-Fi, Storage, Processor, Memory, Graphics,
Hypervisor)]

• Citrix Delivery Controller servers can assume the required roles within a Site automatically and can be used
interchangeably.
• To create redundancy for the controllers:
  • Set up a second controller and join it to the Site of the first Controller.
  • Direct dependent systems (Studio, StoreFront, Citrix Gateway, VDAs) to both Controllers.

Key Notes:
• If the only Delivery Controller fails…
• Published resources cannot be enumerated on StoreFront
• No new sessions can be launched (existing sessions unaffected)
• No Power Management on VDA machines
• No management via Studio or PowerShell
• Director cannot be used
• VDA machines cannot register with the Site
• Additional Controllers can be added during initial Site creation or later. Controllers cannot be added if the installed
software version is older than that of the Site.
• For example, a Delivery Controller server running version 7.17 cannot join a Site that is on version 7 1811. The
Delivery Controller must be upgraded to 7 1811 before it can join the Site.
• After the installation or upgrade wizard has completed, open Studio on the Delivery Controller that will be added to
the existing Site, and select the “Scale your deployment” option. From there, the Site address must be entered.
• After the Delivery Controller has been added to the Site, it must be integrated with the other components in order to be
fully functional.
• Studio: Regardless of where Studio is accessed, it should display all Delivery Controllers which are a member of the
Site once it receives that information from the Site database. Unlike StoreFront, Studio can be used on any of the
Delivery Controllers, or on a separate management server, and no manual propagation is needed. All configuration
changes will be stored in the Site database, and all instances of Studio configured for the Site will receive the
updated configurations from the same database.
• StoreFront: To make resource enumeration and session brokering/launching highly available, at a minimum add N+1
Delivery Controllers to the applicable StoreFront Store(s). StoreFront can use a failover or round-robin load balancing
method to contact the Delivery Controllers. Load balancing is typically recommended in order to distribute the load
across all Delivery Controllers. Citrix ADC can provide intelligent load balancing of the Delivery Controllers via the use
of a VIP. The VIP would then be added to StoreFront. Some customers prefer to place both the VIP and individual
Delivery Controllers within a Store configuration (in failover mode) to guard against a Citrix ADC failure; however,
keep in mind that with this method the first individual Delivery Controller in the failover list would need to support
the entire environment. If possible, implement Citrix ADC HA to mitigate the risk of this occurring.
• Citrix Gateway: Citrix Gateway allows for multiple Secure Ticket Authority (STA) URLs to be configured. These are
contacted in a round-robin fashion; if an STA fails to respond, the virtual server tries another STA on the list. The
virtual server must always contact each STA individually based on its STA ID. When configuring the address of each
STA in the virtual server, each STA address must be the true address of the STA server — do not enter the address of
any hardware load balancer, cluster name, or round-robin DNS name here. Otherwise, users receive intermittent
denials because, during the ticket validation process, the gateway might be load balanced to an authority that did
not originally generate the user’s ticket.
• VDA machines: If auto-update is enabled, the VDAs will receive an updated list of Controllers within 90 minutes. If
auto-update is not enabled, ensure that the Controller policy setting or ListOfDDCs registry key are updated for all
VDAs. After moving a Controller to another Site, update the policy setting or registry key on both Sites.
• Removing a Controller from a Site does not uninstall the Citrix software or any other component; it removes the
Controller from the database so that it can no longer be used to broker connections and perform other tasks. If you
remove a Controller, you can later add it back to the same Site or to another Site. A Site requires at least one Controller,
so you cannot remove the last one listed in Studio.
• When you remove a Controller from a Site, the Controller logon to the database server is not removed. This avoids
potentially removing a logon that is used by other products’ services on the same machine. The logon must be
removed manually if it is no longer required; the security admin server role permission is needed to remove the
logon.
• Removing a Controller from the Site can be completed from Studio if the administrator account has sufficient
permissions for the Site database. Otherwise, a database script can be generated so that a SQL admin can complete
the task.
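A defender-side check for two of the points above: every STA entry on the Gateway must be the real address of a Controller (not a round-robin DNS or load balancer name), and every VDA should have at least two Controllers in its ListOfDDCs. This is an added example, not part of the Citrix course material; it assumes the default VDA registration port 80 and the two ListOfDDCs registry locations shown, and the ddc01/ddc02 names are constructed.

```powershell
# Added example (not Citrix's own script). Registry locations the VDA reads the
# Controller list from; the policy key takes precedence over the local one.
$RegistryPaths = @(
    'HKLM:\SOFTWARE\Policies\Citrix\VirtualDesktopAgent',
    'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
)

function Get-ControllerListFromRegistry {
    foreach ($path in $RegistryPaths) {
        $item = Get-ItemProperty -Path $path -Name 'ListOfDDCs' -ErrorAction SilentlyContinue
        if ($item -and $item.ListOfDDCs) {
            # ListOfDDCs is a space-separated list of Controller FQDNs
            return @($item.ListOfDDCs -split '\s+' | Where-Object { $_ })
        }
    }
    return @()
}

function Test-ControllerAddress {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 80   # assumption: default VDA registration / STA port
    )
    $aRecords = @()
    try {
        $aRecords = @(Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'A' })
    } catch { }
    $portOpen = $false
    if ($aRecords.Count -gt 0) {
        $portOpen = Test-NetConnection -ComputerName $Fqdn -Port $Port `
                        -WarningAction SilentlyContinue -InformationLevel Quiet
    }
    [pscustomobject]@{
        Address       = $Fqdn
        Resolves      = ($aRecords.Count -gt 0)
        # Several A records usually means round-robin DNS or a VIP name: fine
        # for a StoreFront/VDA list, but not allowed for an STA entry on Gateway.
        RoundRobinDns = ($aRecords.Count -gt 1)
        PortOpen      = [bool]$portOpen
    }
}

function Test-ControllerList {
    param(
        [string[]]$Controllers = (Get-ControllerListFromRegistry),
        [int]$Port = 80
    )
    if ($Controllers.Count -lt 2) {
        Write-Warning "Only $($Controllers.Count) Controller(s) configured; add at least one more for redundancy."
    }
    foreach ($c in $Controllers) { Test-ControllerAddress -Fqdn $c -Port $Port }
}

# Check the local VDA's configured Controllers ...
Test-ControllerList | Format-Table -AutoSize
# ... or a list about to be entered as STA addresses (constructed sample names)
Test-ControllerList -Controllers 'ddc01.lab.example', 'ddc02.lab.example' | Format-Table -AutoSize
```

Any row with RoundRobinDns set to True must not be used as an STA address; an entry that does not resolve or whose port is closed will leave VDAs unable to register through that Controller.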

Additional Resources:
• Citrix VDI Handbook 7.15 LTSR (pg. 105): https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-
practices.html
• FAQ: Citrix Secure Gateway/ Citrix ADC Gateway Secure Ticket Authority (Scalability):
https://support.citrix.com/article/CTX101997#Q1_Scalability
• Delivery Controllers (7.15 LTSR): https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/manage-
deployment/delivery-controllers.html
• Delivery Controllers (Current Release): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-
deployment/delivery-controllers.html

Citrix Delivery Controller Scalability

• The sizing equation is a baseline for estimating how many Delivery Controllers are needed in a Site
or Zone.
• Delivery Controller scalability is primarily based on CPU utilization.
• Local host cache considerations should play a part in sizing decisions.
• Use resource monitoring on the Delivery Controller(s) to track and validate scalability.

Delivery Controller Sizing Equation:
+ 1 = Number of Delivery Controllers

Assumed Specifications:
• 4 vCPU
• 4 GB RAM
• Bonded virtual NIC
• 40 GB storage

Key Notes:
• The sizing equation is useful for making quick estimates as to the scalability of a Delivery Controller, but a few factors can affect how
an administrator might want to size the Controllers in their environment.
• Local host cache introduces new considerations that were not applicable to earlier versions of Citrix Virtual Apps and Desktops. In
a Site database outage scenario, any of the Delivery Controllers in a Site could be elected as the primary broker. This means that
all Delivery Controllers must be sized to provide an acceptable level of scalability in this scenario.
• Because local host cache uses a SQL Server Express LocalDB to store Site data, only a single CPU socket and up to four cores can
be used. Therefore, to optimize the available compute power, fewer sockets, and more cores per socket, should be
allocated to the Controllers. When using virtual machines, this can be accomplished through the machine settings on
the hypervisor.
• Local host cache’s LocalDB service also has a RAM overhead of 1.2 GB, while the High Availability Service can
use 1 GB RAM during outage scenarios. For this reason, consider allocating 8 GB RAM to each Controller, up from the
baseline specification used in the equation.
• Citrix documentation has published limits for the maximum amount of VDA machines that can be handled by a single
Controller during an outage. Note that these numbers count machines, not sessions, in contrast to the estimate
above.

Additional Resources:
• Design methodology control layer – Delivery Controllers – Decision: Server Sizing: https://docs.citrix.com/en-us/xenapp-
and-xendesktop/7-15-ltsr/citrix-vdi-best-practices/design/design-userlayer4.html
• Local Host Cache:
• 7.15 LTSR: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/manage-deployment/local-host-
cache.html
• Current Release: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/local-host-
cache.html

Citrix Cloud Connector Redundancy

[Diagram: Citrix Cloud control plane – SQL Servers in two datacenters, each behind a Citrix ADC Load Balancer; two Cloud
Connectors in the resource location, each serving the VDAs]

• Everything in the Citrix Cloud control plane is deployed in active/active pairs, in two different datacenters.
• All components are behind a pair of Citrix ADC load balancers, which direct traffic within the control plane.
• At least two Cloud Connectors should always be deployed in each resource location.

Key Notes:
• In a Citrix Cloud deployment, VDA machines are configured to communicate with the Citrix Cloud Connectors in place of Delivery
Controllers. Having redundant Connectors means that if one Connector fails (or is receiving an evergreen update), the VDA will re-
register with another, healthy Connector. If only a single Cloud Connector is deployed, then that resource location may experience
outages when the Cloud Connector is updated.
• The number of total Connectors that should be installed is (N+1), where N is the capacity needed to support the infrastructure within
your Citrix Cloud resource location.
• Although two Connectors are technically enough to ensure high availability under normal operations, having three
would ensure that full capacity is in place while a single Connector is updated.
• Cloud Connectors automatically distribute the load among themselves, and do not require a network load balancer.
However, similar steps should be taken to integrate multiple Connectors with other components (VDAs, StoreFront and
Citrix Gateway if an on-premises deployment is used).

Citrix Cloud Connector Scalability Considerations

• As a baseline, two Cloud Connectors with 4 vCPU and 4 GB RAM can support 5,000 VDAs and
20,000 sessions.
• This assumes that the Connectors are only used for VDA registration and session launch.
• If the Connectors are used for HDX proxy with the Citrix Gateway service, scalability drops
significantly.
• Some field tests showed that only 1,000 sessions per Connector were achieved in this scenario.
• With version 7 1811 and later, the Rendezvous protocol (enabled by default) allows VDAs to connect
directly with the Gateway service, restoring Connector scalability.

Key Notes:
• The baseline scalability test performed by Citrix only covers VDA registration and session launch; it does not include HDX proxy
through the Connector, and it does not account for other services such as Citrix Endpoint Management using the same Connectors.
• A set of three 4 vCPU Cloud Connectors is recommended for sites that host no more than 5,000 Desktop OS VDAs.
• This is an N+1 High Availability configuration.
• Starting 20,000 sessions to 100 Server OS VDAs is 57% faster using customer-managed StoreFront compared to using Citrix-managed
StoreFront.

• Provisioning 1,000 VMs takes an average of 140 minutes.
• Scalability will decrease for customers using the Citrix Gateway Service, because the Cloud Connectors need to encrypt
all the HDX session data and transport it to Citrix Cloud.
• To enhance the scalability of the Cloud Connector, use the Rendezvous protocol for the VDA to connect directly to the
Citrix ADC Gateway Service. This new policy setting, which is functional for VDA version 7 1811 and later, allows the VDA
to establish an outbound connection to a Rendezvous point (Flow Redirector, a component on the Citrix Gateway
Service cloud), bypassing the Cloud Connector on a resource location for HDX traffic once the session is launched.
Rendezvous Protocol is enabled by default and applies only to Citrix Cloud.

Additional Resources:
• Citrix Virtual Apps and Desktops Service in Citrix Cloud, Sizing and Scalability Considerations:
https://docs.citrix.com/content/dam/docs/en-us/citrix-cloud/downloads/xenapp-xendesktop-service-sizing-
scalability.pdf

Citrix License Server Redundancy Options and Scalability

Redundancy Options:
• Create an identical, standby license server that is only powered on if the original one fails.
• Create two live license servers that have the same name, behind an active-passive load balancer.
• Create a Microsoft cluster with multiple nodes and shared storage.

Scalability Considerations:
• A server with 2 vCPUs and 2 GB of RAM can issue 170 licenses per second, or 306,000 licenses per half hour.
• The specification above can be increased to support more requests per second, but this is rarely needed except for the
largest environments.
• License server performance can be optimized by tuning the number of “receive” and “processing” threads.

Key Notes:
• Using identical license servers incurs some downtime for detection of the failure and startup of the second server. Identical license
servers can be created utilizing cloning technology, snapshots and scripted installation.
• Identical servers might cause problems with the AD account of the “cloned” server. The first server might have changed the AD
computer account password in the meantime. Two machines claiming the same name or ID will cause a conflict and have to be
separated at all times. So, additional caution needs to be applied to ensure the failed machine does not try to resume its original
role.

• Multiple license servers must not be issuing licenses at the same time because of EULA restrictions, which is why active-
passive load balancing is recommended for Option 2.
• Clustering the License Server allows users to continue working during failure situations, without interrupting their
access to critical applications. When the active node in a cluster-enabled License Server suffers from hardware failure,
failover occurs automatically and resources are available again quickly.
• License Server VPX does not support clustered License Servers.
• If the thread count is set too low, requests will be queued until a thread becomes available. Conversely, if the thread
count is set too high, the license server will become overloaded. These values are configured via the License
Administration console.
• The optimal values are dependent on the server hardware, site configuration, and license request volume. Citrix
recommends testing and evaluating different values to determine the proper configuration. Setting the maximum
number of processing threads to 30 and the maximum number of receiving threads to 15 is a good starting point for
large scale deployments. This optimization will improve the Citrix License Server’s ability to provide licenses by
increasing its ability to receive and process license requests.

Additional Resources:
• Clustered license servers: https://docs.citrix.com/en-us/licensing/current-release/clustered-license-servers.html
• Making the Citrix License Server (Truly) Highly Available: https://www.citrix.com/blogs/2015/02/12/making-the-citrix-
license-server-truly-highly-available/
• Improve performance by specifying thread use: https://docs.citrix.com/en-us/licensing/current-
release/manage/thread-use.html

Site Database Redundancy Options

[Diagram: three topologies – SQL Always On (SQLServer-A on Node01 holding the active database, SQLServer-B on Node02 holding
the replica database, the Controller connecting through a virtual database server); SQL Mirror (SQLServer-A with the active
database, SQLServer-B, SQLServer-C with the mirror database, Controller); SQL Cluster (SQLServer-A and SQLServer-B behind a
virtual database server, active database on shared storage)]

• Microsoft SQL Server offers several redundancy options for Citrix Virtual Apps and Desktops:
  • SQL Always On keeps databases in sync across different locations while providing failover capabilities.
  • SQL Mirroring keeps a database in sync across two servers (one server active and the second assumes its role after
  failure).
  • SQL Cluster stores the database on a shared storage system accessed by a single active node from the cluster.

Key Notes:
• SQL Always On:
• Relies on Microsoft Failover Clustering components
• Does not require shared storage (SAN)
• Allows for some performance improvement
• Uses up to four replica servers (SQL2012)
• Replica servers have been called mirror servers – some administrators might be more familiar with this term.

• The replica servers can be used to speed up read access to the database, while all write actions have to be
performed on the active database.
• SQL Mirroring:
• Requires a Witness server for parity and automatic failover
• Only uses one mirror to a principal server
• Does not require shared storage (SAN)
• The Witness server can be a different SQL Server edition than the principal and mirror servers.
• SQL Server 2017 still officially supports this feature, but since Microsoft has deemed the technology deprecated, it
will most likely be removed in a future SQL Server version.
• SQL Cluster:
• Requires shared storage (SAN)
• Can cause downtime during failover
• The shared storage architecture requires management and redundancy as well – which might make this solution more
costly than others.

Additional Resources:
• Supported Databases for XenApp and XenDesktop Components: https://support.citrix.com/article/CTX114501
• Always On Availability Groups (SQL Server): https://docs.microsoft.com/en-us/sql/database-engine/availability-
groups/windows/always-on-availability-groups-sql-server?view=sql-server-2017
• Deprecated Database Engine Features in SQL Server 2016: https://docs.microsoft.com/en-us/sql/database-
engine/deprecated-database-engine-features-in-sql-server-2016?view=sql-server-2017

Site Database Scalability

SQL Server Sizing:
  Users      CPU       RAM
  0 – 5K     2 cores   4 GB RAM
  5 – 15K    4 cores   8 GB RAM
  15K+       8 cores   16 GB RAM

• Host database files and transaction logs on separate hard disk subsystems.
• This will help the database cope with a high number of transactions during boot storms.

Database Storage Sizing:
  Database type     Expected max. size   Key sizing factors
  Site              30 – 390 MB          Number of users, published applications, virtual desktop type.
  Monitoring        20 MB to 119 GB      Retention period, number of users, number of connections.
  Config. Logging   30 – 200 MB          Usage of MCS, number of administrative actions.

• Sizing estimates do not include transaction logs, and in larger environments these should be monitored and backed up
regularly to prevent excessive growth.

Key Notes:
• The SQL server must be sized correctly to ensure the performance and stability of an environment. Since every Citrix product uses
SQL Server in a different way, there are no generic, all-encompassing sizing recommendations; sizing guidance is available on a
product-by-product basis.
• For Citrix Virtual Apps and Desktops environments not using MCS, the configuration logging database size tends to fall between 30
and 40MB. For MCS environments, database size can easily exceed 200MB due to the logging of all VM build data.
• In addition to the Site, Monitoring, and Configuration Logging databases, a system-wide temporary database (tempdb) is provided by
SQL Server, and is used to store Read-Committed Snapshot Isolation data. Citrix Virtual Apps and Desktops uses this SQL
Server feature to reduce lock contention on the Site databases (thus extending the feasible range of a single Site).
• If Citrix Studio is used to create a new Site database, or upgrade an existing one, in many cases it automatically
enables Read-Committed Snapshot at that time; however, this might not always be possible, in which case it is
necessary to manually enable the option.
• The size of the tempdb database will depend on the number of active transactions, but in general it is not expected
to grow more than a few MBs. The performance of the tempdb database does not impact the performance of
session brokering, as any transactions that generate new data require tempdb space. Citrix Virtual Apps and
Desktops tends to have short-lived transactions, which help keep the size of the tempdb small.
• For an existing production environment, regular monitoring of storage utilization of the SQL server(s) hosting the Site
databases should be completed by the team managing the SQL deployment. Regularly performing backups of the SQL
transaction logs can help to limit the growth of the Site databases.
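The manual Read-Committed Snapshot check and enablement mentioned above, as an added example (not Citrix's own script): it assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, uses constructed instance and database names, and expects the Citrix services to be stopped before it is run with -Apply, because the ALTER DATABASE needs exclusive access to the database.

```powershell
# Added example (not from the Citrix course). Reports which Citrix databases
# have READ_COMMITTED_SNAPSHOT off and, with -Apply, turns it on.
param(
    [string]$ServerInstance = 'SQL01\CITRIX',                                   # constructed
    [string[]]$Databases = @('CitrixSite', 'CitrixMonitoring', 'CitrixLogging'), # constructed
    [switch]$Apply
)

Import-Module SqlServer -ErrorAction Stop

function Get-RcsiState {
    param([string]$ServerInstance, [string[]]$Databases)
    # Build a quoted IN-list; single quotes in names are doubled for T-SQL.
    $list = ($Databases | ForEach-Object { "'" + $_.Replace("'", "''") + "'" }) -join ','
    $query = @"
SELECT name, is_read_committed_snapshot_on
FROM sys.databases
WHERE name IN ($list);
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $query |
        ForEach-Object {
            [pscustomobject]@{
                Database    = $_.name
                RcsiEnabled = [bool]$_.is_read_committed_snapshot_on
            }
        }
}

function Enable-Rcsi {
    param([string]$ServerInstance, [string]$Database)
    # Bracket-quote the identifier (closing brackets doubled). The ALTER needs
    # exclusive access, so ROLLBACK IMMEDIATE terminates any lingering session;
    # that is why the Citrix services should already be stopped.
    $name  = $Database.Replace(']', ']]')
    $query = "ALTER DATABASE [$name] SET READ_COMMITTED_SNAPSHOT ON WITH ROLLBACK IMMEDIATE;"
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $query
}

$state = Get-RcsiState -ServerInstance $ServerInstance -Databases $Databases
$state | Format-Table -AutoSize

foreach ($db in ($state | Where-Object { -not $_.RcsiEnabled })) {
    if ($Apply) {
        Enable-Rcsi -ServerInstance $ServerInstance -Database $db.Database
        Write-Host "Enabled READ_COMMITTED_SNAPSHOT on $($db.Database)"
    } else {
        Write-Warning "$($db.Database) has Read-Committed Snapshot off; rerun with -Apply (after stopping the Citrix services) to enable it."
    }
}
```

Run it once without -Apply to audit; a database missing from the output was not found on that instance, which is worth checking before assuming it is correctly configured.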

Additional Resources:
• Citrix VDI Handbook 7.15 LTSR (pgs. 94-100): https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-
best-practices.html
• XenDesktop 7.x Database Sizing: https://support.citrix.com/article/CTX139508
• How to Enable Read-Committed Snapshot in XenDesktop: https://support.citrix.com/article/CTX137161

Citrix Director Redundancy and Scalability

[Diagram: Small Scale Deployments – Admin (Internet Explorer) connects to a Delivery Controller with Director installed;
Enterprise Deployments – Admin (Internet Explorer) connects to a dedicated Director Server, which connects to the Delivery
Controller; High-Availability Deployments – Admin (Internet Explorer) connects through Citrix Gateway to two Director Servers,
each connected to a Delivery Controller]

• Consider multiple Citrix Director servers if high availability for Site monitoring is a requirement.
• Citrix Director can be co-located with the Delivery Controller role in small or non-production environments.
• For larger environments with larger administrative teams, use a dedicated server or servers with 4 vCPU, 4 GB RAM as a
baseline.

Key Notes:
• From a redundancy point of view, if a Citrix Director server goes offline, administrators will lose the ability to monitor the Site, but
end user sessions will not be affected. Configuring Citrix Director on multiple servers will mitigate this issue if high-availability is
desired for monitoring.
• A load balancer such as Citrix ADC can be used to distribute the load between multiple Director servers.
• During initial installation, only one Controller per Site should be entered. Director automatically discovers all other Controllers in
the same Site and falls back to those other Controllers if the configured Controller fails. Director does not load balance between
Controllers.
• As a minimum, a Citrix Director server should have a dedicated 2 GB RAM and 200 MB of hard disk space on a machine.
In smaller or non-production environments, the role can be co-located with the Delivery Controller(s), but larger
environments should use dedicated machines for the Director role to prevent it from impacting Controller performance.
• If creating a dedicated machine, Citrix recommends a 4 vCPU, 4 GB RAM resource allocation, which should support up
to 100 users. For every additional 100 users, add 4 GB RAM to the machine.

Additional Resources:
• Citrix Director – Advanced configuration: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/install-and-
configure/advanced-configuration.html

Lesson Review

When configuring CPUs for a virtual Delivery Controller machine, is it better to configure four sockets, one core per socket, or one
socket with four cores?

It is preferable to have one socket with four cores allocated to it, so that all the cores can be used if the Controller is elected as the
primary broker when Local Host Cache is in use.


Machines Running the Virtual Delivery Agent


Determine Redundancy Requirements for Machines Running the Virtual Delivery Agent

[Diagram: 1. Assess the Requirements; 2. Design the Capacity and Redundancy; 3. Test and Deploy]

• The redundancy requirement for machines running the Virtual Delivery Agent is not as simple as having “N+1” machines
per Delivery Group.
• Each organization must determine the availability and capacity of VDAs in the event of a VM, host, chassis, or
datacenter-level outage.
• Work to learn the business requirements of the end users and translate those into redundancy requirements for each
resource hosted on Citrix Virtual Apps and Desktops.

Key Notes:
• There is no singular “leading practice” for the redundancy of machines hosting HDX sessions – each organization must make its own
tradeoff between cost and increased availability.
• For example, non-production and lab environments may be located on a single host, or even a single VM with a nested hypervisor.
On the other hand, critical production workloads may be hosted in multiple datacenters to provide the highest level of redundancy
possible.
• Work to learn the business requirements of the end user groups, in terms of application and/or desktop criticality, availability
expectations, and capacity expectations in the event of a major outage. Then translate those requirements into
redundancy requirements for the machines that host those published resources.
• Consider the following example:
• The Citrix Administrative team needs to add a new internal support application to the existing Virtual Apps and
Desktops environment.
• During the intake process, a Citrix administrator asks the support manager who submitted the request about their
availability requirements. The manager stated that they would like to maintain availability for all 200 people on
the team whenever possible, but acknowledged that the application’s backend databases were hosted in a single
datacenter, so there was no expectation of access if the entire datacenter suffered an outage.
• As a result of these requirements, the Citrix administrative team worked with the hardware team to ensure that
the VDA machines hosting the application were not all located on the same physical host or rack in the primary
datacenter. With this approach, the team minimized the number of surplus machines that needed to be
created.

Assess the Performance of Machines Running the VDA

• In addition to the daily monitoring of system-


level metrics, performance trends should be
tracked over time.
• Perform regular capacity assessment of the
Citrix environment to determine environment
utilization and any capacity adjustments that
may be needed.
• Tools such as Citrix Director and the Citrix
Analytics service can assist in performing a
capacity assessment.

Key Notes:
• Even when a Citrix environment goes through a formal design and is sized based on capacity requirements, once the environment is
in production, regular capacity assessments will help plan for future growth as more users access the environment.
• A baseline of the environment performance should be taken so that it can be compared against performance over time. For example,
if a user complains of poor performance, this baseline can be used for comparison purposes to identify if the issues are related to
the user load exceeding the capacity of the environment.
• An example of baseline performance metrics for capacity management would include historical data for CPU, memory, and
network utilization on the Server OS and Desktop OS machines running the VDA.
• Use the Trends > Capacity Management view within Citrix Director to track the Citrix Virtual Apps and Desktops
deployment over time.
• The Citrix Analytics service can also provide advanced performance data and recommendations. Performance analytics
provide a centralized location to view which VDA machines and Delivery Groups are suffering from resource constraints
and may need additional capacity.



Optimizing the Performance of Windows Workloads

• Citrix has tools that are available to optimize Windows workloads:
• Citrix Optimizer
• Workspace Environment Management (WEM) System Optimization
• Always test optimizations before implementing them in production.

(Slide images: Citrix Optimizer; Citrix Workspace Environment Management (WEM))

Key Notes:
• In order to enhance performance and increase scalability, Citrix administrators can use tools such as the Citrix Optimizer and Citrix
Workspace Environment Management (WEM).
• The Citrix Optimizer is a utility to optimize the performance of operating systems in virtualized environments. The tool is PowerShell
based, but also includes a graphical UI.
• Citrix Optimizer can run in three different modes:
• Analyze – analyze the current system against a specified template, and display any differences.
• Execute – apply the optimizations from the template.
• Rollback (PowerShell only) – revert the optimization changes applied previously.
• The modules currently offered by Citrix Optimizer include:
• Disable scheduled tasks
• Disable unnecessary Windows Services
• Registry-based optimizations
• Remove unneeded Universal Windows Platform (UWP) apps
• PowerShell-based optimizations
• The optimizer has separate optimizations per OS version. Supported versions include:
• Desktop OS: Windows 7, 8, 10 (builds 1607, 1703, 1709, 1803, 1809)
• Server OS: Windows Server 2008 R2, 2012 R2, 2016, 2019 (1809)
• Citrix Workspace Environment Management (WEM) has system optimization features that can provide benefits in
certain situations. For example:
• It can help control “CPU eaters”, which are applications that can spike CPU or memory utilization, affecting other
applications and users on the system.
• It can help increase the number of sessions that can be hosted on a single machine.
• It can help replace long logon scripts for drive and/or printer mapping, which lead to long logon times.
• CWS-314: Citrix Virtual Apps and Desktops Advanced Image and Environment Management has a dedicated module
around using the system optimization features of WEM.
• Optimizations can also be applied manually if desired. Some common optimizations include:
• Disable unused services to save memory and a little processing
• Disable scheduled tasks that perform unnecessary processing
• Shorten logon scripts using WEM or other third-party tools

Additional Resources:
• Citrix Optimizer: https://support.citrix.com/article/CTX224676



Lesson Review

What are some tools that Citrix offers to help assess and optimize the performance of machines hosting apps and desktops?

Citrix Analytics service, Citrix Optimizer, and Citrix Workspace Environment Management.



Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 01

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.



Lab Exercise

• 1-1: Join a Second Delivery Controller to the Site
• 1-2: Edit the Store to Add the Second Delivery Controller
• 1-3: Test Local Host Cache
• 1-4: Join the Second StoreFront Server to the Server Group
• 1-5: Configure Load Balancing for the StoreFront Servers
• 1-6: Test the Load Balancing of the StoreFront Servers



Key Takeaways
• Redundancy and scalability considerations are
critical for the stability and optimization of Citrix
Virtual Apps and Desktops environments.
• Access Layer scalability is measured by the
amount of connections per hour or TLS
throughput for StoreFront and Citrix Gateway,
respectively.
• Site infrastructure redundancy and scalability
is critical to have for core components such as
the Delivery Controller or Citrix Cloud
Connector; devoting resources to components
such as Citrix Director will depend on the
requirements of the organization.
• Find out user requirements to guide
redundancy decisions for VDA machines, and
implement Windows optimizations to get the
most out of each machine.



Customer-Managed Components in a Citrix Cloud Environment

(Diagram: layered view of a Citrix Cloud deployment)
• User Layer: Internal Users, External Users
• Access Layer: StoreFront, Firewall, Citrix Gateway (optional; on-premises or Citrix Cloud managed)
• Control Layer: Domain Controller, Cloud Connectors
• Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC
• Hardware Layer: Network, Storage, Processor, Memory, Graphics

Key Notes:
• In a Citrix Cloud environment, certain components are managed by Citrix. However, other components must continue to be managed
by the organization that owns the Virtual Delivery Agent machines, and so redundancy/scalability considerations still apply. These
include:
• StoreFront (if hosted on-premises)
• Citrix ADC/Gateway (if hosted on-premises)
• Citrix Cloud Connector
• VDA machines

Module 2

Citrix Virtual Apps and Desktops 7 Advanced Deployment, Troubleshooting, Security and Administration
Manage a Virtual Apps and Desktops Environment with Multiple Locations


Learning Objectives

• Describe the purpose and benefits of Zones in Citrix Virtual Apps and Desktops Sites that have geographically dispersed
resource locations.
• Describe the VDA registration process in single and multi-Zone environments.
• Identify registration and Machine Catalog configuration tasks in multi-Zone environments.
• Describe the purpose of Zone preference types and how they apply to apps and desktops launches.
• Compare the differences between StoreFront standard routing and StoreFront optimal gateway routing (OGR).
• Describe StoreFront resource aggregation and StoreFront replication.



Zones



What are Zones?

• Zones are a mechanism that allows a single Citrix Virtual Apps and Desktops Site to be deployed
across multiple geographically dispersed datacenters.
• A Site will always contain a Primary Zone and optionally a number of Satellite Zones.
• The Primary Zone must contain at least one Delivery Controller and the Site database.
• A Satellite Zone can contain VDAs (Catalogs and Delivery Groups), Delivery Controllers, StoreFront
servers, Citrix Gateway servers and Hypervisor connections.


Key Notes:
• A Site always has one Primary Zone. It can also optionally have one or more Satellite Zones. Satellite Zones can be used for disaster
recovery, geographically-distant datacenters, branch offices, a cloud, or an availability Zone in a cloud.
• Primary Zone:
• The Primary Zone has the default name "Primary," which contains the SQL Server Site database (and high availability SQL servers,
if used), Studio, Director, Citrix StoreFront, Citrix License Server, and Citrix Gateway. The Site database should always be in the
Primary Zone.
• The Primary Zone should also have at least two Delivery Controllers for redundancy, and may have one or more VDAs
with applications that are tightly coupled with the database and infrastructure.
• Satellite Zone:
• A Satellite Zone contains one or more VDAs, Delivery Controllers, StoreFront servers, and Citrix Gateway servers.
Under normal operations, Delivery Controllers in a Satellite Zone communicate directly with the database in the
Primary Zone.
• A Satellite Zone, particularly a large one, might also contain a hypervisor that is used to provision and/or store
machines for that Zone. When you configure a Satellite Zone, you can associate a hypervisor or cloud service
connection with it. (Be sure any Machine Catalogs that use that connection are in the same Zone.)
• A Site can have different types of Satellite Zones, based on your unique needs and environment.

Additional Resources:
• Citrix XenApp and XenDesktop 19.12 LTSR Citrix Docs Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/1912-ltsr/manage-deployment/zones.html
• Citrix Virtual Apps and Desktops Current Release Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/manage-deployment/zones.html



Zones Deployment Options
Deployment Solutions

Option 1
Scenario: 3 Office Locations
Solution: 3 Sites
• Each location has a deployed site.
• Each location has a Delivery Controller and SQL server.
• HA implementations, such as Delivery Controller, are per site.
Result: 3 times the work to manage 3 separate sites.

Option 2
Scenario: 3 Office Locations
Solution: 1 Site, 3 Zones
• Each site has a Primary Zone which hosts the SQL Server.
• A site can have zero or more satellite zones which can consist of just VDAs with or without infrastructure servers.
Result: Less administrative overhead, with only 1 site to manage.

Option 3
Scenario: 3 Office Locations
Solution: 1 Site, 3 Zones, Infrastructure in Citrix Cloud
• The Infrastructure is hosted in Citrix Cloud, where HA is built in.
• A site can have zero or more satellite zones which can consist of VDAs and one or more Connectors; with or without
infrastructure servers.
• None of the office locations have a Delivery Controller or a SQL server.
Result: Less administrative overhead, with only 1 site and no infrastructure to manage.

Key Notes:
• Although Option 1 does not include the deployment of Zones, as of Citrix Virtual Apps and Desktops version 7.7, each site
deployment automatically creates a zone and puts all infrastructure and resources into this zone.

Additional Resources:
• Citrix XenApp and XenDesktop 19.12 LTSR Citrix Docs Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/zones.html
• Citrix Virtual Apps and Desktops Current Release Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/zones.html


FMA Zones Architecture
Deployment Example

• Single Site across multiple locations simplifies management.
• New York is the Primary Zone and will host the Site database and Citrix infrastructure.
• Miami is a Satellite Zone that only hosts a Catalog.
• San Francisco is a Satellite Zone that hosts both a Delivery Controller and a Catalog.

(Diagram: each location is a separate Zone within a single Citrix Virtual Apps and Desktops site. Primary Zone New York (NYC): SQL,
Delivery Controller, Linux Desktop, Hosted Desktop, Assigned Desktop. Satellite Zone San Francisco (SFO): Delivery Controller and
Catalog. Satellite Zone Miami (MIA): Catalog. The satellite Catalogs deliver Remote PC and Assigned Desktop resources.)

Key Notes:
• From version 7.7 we can now span a single Citrix Virtual Apps and Desktops Site across multiple datacenters and geographical
locations.
• The Site database should always be in the Primary Zone.
• For optimal performance, install Studio and Director only in the Primary Zone.
• While it is possible to have Satellite Zones without any controllers, it is recommended to configure at least one controller for each
Satellite Zone to ensure fast and reliable VDA registration, and to ensure registration during WAN outages.



Additional Resources:
• Citrix Virtual Apps and Desktops 7.7: Intro to Zones within FMA: https://www.citrix.com/blogs/2015/12/29/xenapp-
xendesktop-7-7-intro-to-Zones-within-fma/
• Citrix XenApp and XenDesktop 19.12 LTSR Citrix Docs Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/1912-ltsr/manage-deployment/zones.html
• Citrix Virtual Apps and Desktops Current Release Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/manage-deployment/zones.html



Primary Zone

• Every site has one primary zone.
• Required Components:
• SQL Server Site DB
• Delivery Controller
• License server
• Studio and Director
• Optional Components:
• Citrix Gateway
• StoreFront
• One or more VDAs *
• Machine catalogs
• Host connections

* One or more Desktop OS and/or Server OS machines running the VDA.

(Diagram: Site 1. Zone 1 Primary, New York (NYC): StoreFront, License, Citrix Gateway, SQL, Delivery Controller, Studio, Director,
Resources (Desktops, Apps). Zone 2 Satellite, San Francisco (SFO): Delivery Controller, Resources (Desktops, Apps). Zone 3 Satellite,
Miami (MIA): Resources (Desktops, Apps).)

Additional Resources:
• Citrix XenApp and XenDesktop 19.12 LTSR Citrix Docs Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-
ltsr/manage-deployment/zones.html
• Citrix Virtual Apps and Desktops Current Release Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-
deployment/zones.html



Satellite Zone

• Every site may have one or more satellite zones.
• Required Components:
• One or more VDAs *
• One or more Machine catalogs
• One or more Connectors if using Citrix Cloud
• Optional Components:
• Delivery Controller
• Citrix Gateway
• StoreFront
• Host connections

* One or more Desktop OS and/or Server OS machines running the VDA.

(Diagram: Site 1. Zone 1 Primary, New York (NYC): StoreFront, License, Citrix Gateway, SQL, Delivery Controller, Studio, Director,
Resources (Desktops, Apps). Zone 2 Satellite, San Francisco (SFO): Delivery Controller, Machine Catalog, Resources (Desktops, Apps).
Zone 3 Satellite, Miami (MIA): Machine Catalog, Resources (Desktops, Apps).)

Key Notes:
• A Satellite Zone will provide no value unless it contains resources; at least VDAs and Machine Catalogs need to be defined at the
Zone level.
• A new registry setting has been added for the Controller, which can throttle concurrent end-user launches:
• HKLM\Software\Citrix\DesktopServer\ThrottledRequestAddressMaxConcurrentTransactions.
• In some test situations, high latencies between satellite zones and the database in the primary zone, coupled with a relatively
high rate of app and desktop connection launches by end users using a Controller in the satellite zone, could cause new launches
to experience long delays because of a backlog of earlier launches.
Reason to Create Zones

Primary Reason:
• Manage multiple locations without multiple SQL databases.

Secondary Reasons:
• Control VDA registration during normal circumstances and during Controller failure.
• Control app location launches via Zone Preference.


Key Notes:
• There is no real limitation on how many VDAs can run per zone; it could only be limited based on the storage and resource
limitations of the host hypervisor platform.



Zones with Citrix Cloud

• Zones in Citrix Cloud are similar to Zones on-premises.
• Use Zones in Studio to map other items to Resource Locations:
• Cloud Connectors
• Machine Catalogs
• Host Connections
• Users
• Application Groups
• Cloud Zones do not use a Primary/Secondary setup like an on-premises Site, and do not support registration failover.


Key Notes:
• Zones in Cloud Studio are bonded with resource locations. Using Zones you can map Cloud Connectors, Machine Catalogs, Host
Connections, Users and Application groups to a particular Resource Location.
• In a Citrix Virtual Apps and Desktops Services Site there is no Primary Zone because the Database and Delivery Controllers reside in
Citrix Cloud and not inside the resource location.
• For each resource location created in the Cloud Control Plane, a corresponding Zone is created inside Cloud Studio.
• When a hypervisor connection is placed in a zone, it is assumed that all the hypervisors managed through that connection also reside
in that zone.
• When a machine catalog is placed in a zone, it is assumed that all VDAs in the catalog are in the zone.
• Citrix Gateway instances can be added to zones. When you create a resource location, you are offered the option to add
a Citrix Gateway. When a Citrix Gateway is associated with a zone, it is preferred for use when connections to VDAs in
that zone are used.
• Ideally, Citrix Gateway in a zone is used for user connections coming into that zone from other zones or external
locations, although you can use it for connections within the zone.
• After you create more resource locations and install Cloud Connectors in them (which automatically creates more
zones), you can move resources between zones. This flexibility comes with the risk of separating items that work best in
close proximity.
• For example, moving a catalog to a different zone than the connection (host) that creates the machines in the
catalog, can affect performance.
• So, consider potential unintended effects before moving items between zones. Keep a catalog and the host
connection it uses in the same zone.
• Zones are managed through the Zones section in Cloud Studio.
• When creating new resources such as machine catalogs, hypervisors, host connections and applications you specify
which zone and resource location they will be hosted in.
• Placing items in a zone affects how the service interacts with them and with other objects related to them.
• On-premises Virtual Desktops has a Primary Zone (which has the Site Database) and may have a Satellite Zone. VDAs in
a Satellite Zone register with the Delivery Controller in the same Zone.
• If a Controller in a Satellite Zone fails, VDA will fail over to another local Controller. If no local Controllers are available, it
fails over to a Controller in the Primary Zone.

Additional Resources:
• Zones in Citrix Cloud: https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/manage-deployment/zones.html
• Citrix Virtual Apps and Desktops Current Release Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/manage-deployment/zones.html



Lesson Review

What are the differences between CVAD on-premises Zones and CVAD Service (Citrix Cloud) Zones?

A Zone is the logic used inside the Virtual Apps and Desktops architecture to define a datacenter or a location.
A resource location is the logic used to define a location on the Cloud Control Plane, which can include other services as well,
such as Smart Tools.



VDA Registration in a Multi-Zone
Environment



VDA Registration Process and Methods

VDA Registration Process:
• Install VDA software on the VM.
• Specify Delivery Controller address.
• Citrix Desktop Service (BrokerAgent.exe) contacts controller over port 80.

VDA Registration Configuration:
• Auto-update:
• Dynamically retrieves the list of controllers.
• Automatically updates the cached configuration.
• Group Policy:
• Configured through domain or local GPO.
• Manually:
• Registry (or using Group Policy Preferences).
• During installation of VDA agent.
• Machine Creation Services:
• MCS inserts list of controllers into personality.ini file.


Key Notes:
• The auto update setting allows VDAs to receive an updated list of available Delivery Controllers every 90 minutes.
• This allows Delivery Controllers to be added or removed from the Site without any additional configuration on the VDAs.
• This setting is controlled via Citrix Policy, and is enabled by default.
• The following types of deployments cannot use auto-update, and must self-manage:
• Deployments that use Controller groups.
• Deployments that use ListOfSIDs for security reasons. (Deployments that use ListOfSIDs to decrease the Active Directory load can
use auto-update.)
• Deployments that use Citrix Provisioning without a write cache drive.
• Deployments that use the Controllers or Controller SIDs policy setting.
• VDA Registration Process:
• After the VDA completes initial registration, the Controller with which it registered sends a list of the current
Controller Fully Qualified Domain Names (FQDNs) and Security IDs (SIDs) to the VDA.
• The VDA writes this list to the auto-update persistent storage. Each Controller also checks the Site Configuration
Database every 90 minutes for Controller information – if a Controller has been added or removed since the last
check, or if a policy change has occurred, the Controller sends updated lists to its registered VDAs.
• The VDA will accept connections from all the Controllers in the most recent list it received.
• If a VDA receives a list that does not include the Controller it is registered with (in other words, that Controller was
removed from the Site), the VDA re-registers, choosing among the Controllers in the list. After a VDA registers or re-
registers, it receives an updated list.
• When auto-update is enabled, and you specify a list of Controller addresses during VDA installation, a Controller is
randomly selected from that list for initial registration (regardless of which zone the Controller resides in). After the
machine with that VDA is restarted, the VDA will start to prefer registering with a Controller in its local zone.

Additional Resources:
• Citrix XenApp and XenDesktop 19.12 LTSR Delivery Controllers: https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/1912-ltsr/manage-deployment/delivery-controllers.html
• Citrix Virtual Apps and Desktops Current Release: Delivery Controllers: https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/manage-deployment/delivery-controllers.html



Single Zone
(Registration Communication Process)

(Diagram: the VDA's Citrix Desktop Service (BrokerAgent.exe) initiates the registration process with the Delivery Controller
(BrokerService.exe) over TCP port 80. Active Directory is involved in steps 3, 4, 7 and 8; the Site Database in step 6.)

Key Notes:
• Registration Process Steps:
1. Check if Auto-update of DDCs is enabled. If so, gather list of all available controllers.
2. Check registry entry for ListOfDDCs (manually or GPO populated).
3. Validate each DDC found in AD by DNS entry.
4. Obtain a Kerberos ticket from AD for each controller found to allow for communication.
5. Make a call for “Registration”.
6. Validate VDA identity and functional level.
7. BrokerService.exe attempts to validate Kerberos ticket and VDA details from AD.
8. Obtain Kerberos ticket for communication with VDA.
9. Two-way test for callback made (needs to be confirmed by both VDA and controller for hard registration to be successful).



Multi Zone: Registration Communication Process
In multi-zone environments, the registration process will vary based on location of the VDAs and Delivery Controllers.

VDA Location (Primary Zone)
VDAs in the primary zone will always attempt to register with a Delivery Controller which is also in the primary zone, and will
never attempt to register with Controllers in satellite zones.

VDA Location (Satellite Zone)
VDAs in a satellite zone first attempt to register with a Delivery Controller in their own satellite zone (1), and fail over to a
Delivery Controller in the primary zone (2) only if no local Controller is available; they never attempt to register with Controllers
in another satellite zone.

(Diagram: Zone 1 (Primary) New York (NYC) with SQL, Delivery Controllers and Resources (Desktops, Apps); Zone 2 (Satellite)
San Francisco (SFO) with a Delivery Controller and Resources (Desktops, Apps).)

Additional Resources:
• Zones - Where VDAs register: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/zones.html
• VDA registration: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/vda-registration.html



Failover Registration

When the first attempt to register fails, the VDA follows this pattern:
1. A VDA in a Satellite Zone unsuccessfully attempts to contact a Delivery Controller.
2. The VDA will next attempt to register with another Controller in its Local Zone.
3. If that is unsuccessful, the VDA will contact a random Delivery Controller in the Primary Zone.
4. The VDA proceeds to attempt registration with other Delivery Controllers in the Primary Zone until none are left to try.

(Diagram: Site 1 with Zone 1 (Primary) New York (NYC) and Zone 2 (Satellite) San Francisco (SFO), two Delivery Controllers in each;
attempts (1) and (2) target the SFO Controllers, attempts (3) and (4) target the NYC Controllers.)

Key Notes:
• In this example, the VDA is able to register with the final Delivery Controller in the Primary Zone.
• If the Satellite Zone VDA ends up registering with a Primary Zone Delivery Controller, the VDA stays registered in the Primary Zone,
even if a Controller in Satellite Zone becomes available again.
• If an administrator wants to later return the VDA to its original Satellite zone, a manual restart of the VDA or of its
Citrix Desktop Service (BrokerAgent.exe) is required, which forces the registration logic to run again from scratch. Essentially, any
action that triggers the agent to attempt re-registration will move it back to one of its local Satellite zone controllers.
• A VDA in a Satellite Zone will never attempt to register with a Controller in another Satellite Zone.

Additional Resources:
• Zones: Where VDAs register and where Controllers fail over: https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/manage-deployment/zones.html
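The registration order and failover behaviour described above, modelled as an added Python simulation (not Citrix code). The controller names, zone names and VDA records are constructed sample data; the last function is the check an administrator would run to find satellite VDAs that are still parked on a primary-zone Controller after a failover.

```python
"""Simulation of multi-zone VDA registration order and failover (added example)."""
import random
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Controller:
    dns_name: str
    zone: str


@dataclass(frozen=True)
class Vda:
    name: str
    zone: str
    registered_with: Optional[str]  # DNS name of the Controller it registered with


# Constructed sample Site: primary zone NYC, satellite zone SFO, two Controllers
# each. This list stands in for the ListOfDDCs delivered by auto-update.
PRIMARY_ZONE = "NYC"
LIST_OF_DDCS = [
    Controller("ddc-nyc-01.example.local", "NYC"),
    Controller("ddc-nyc-02.example.local", "NYC"),
    Controller("ddc-sfo-01.example.local", "SFO"),
    Controller("ddc-sfo-02.example.local", "SFO"),
]


def registration_order(vda_zone: str,
                       controllers: List[Controller] = LIST_OF_DDCS,
                       primary_zone: str = PRIMARY_ZONE,
                       rng: Optional[random.Random] = None) -> List[Controller]:
    """Controllers a VDA in `vda_zone` will try, in order.

    A primary-zone VDA only ever tries primary-zone Controllers. A satellite
    VDA tries its local Controllers first, then the primary zone, and never
    another satellite. Within each group the order is random, since the VDA
    spreads registrations across all Controllers in the list.
    """
    rng = rng or random.Random()
    local = [c for c in controllers if c.zone == vda_zone]
    rng.shuffle(local)
    if vda_zone == primary_zone:
        return local
    primary = [c for c in controllers if c.zone == primary_zone]
    rng.shuffle(primary)
    return local + primary


def register(vda_zone: str, reachable: Iterable[str],
             controllers: List[Controller] = LIST_OF_DDCS,
             primary_zone: str = PRIMARY_ZONE,
             rng: Optional[random.Random] = None) -> Optional[Controller]:
    """Walk the registration order; return the first reachable Controller,
    or None when every candidate failed (the VDA stays unregistered)."""
    reachable = set(reachable)
    for ctrl in registration_order(vda_zone, controllers, primary_zone, rng):
        if ctrl.dns_name in reachable:
            return ctrl
    return None


def needs_reregistration(vda: Vda, latest_list: List[Controller]) -> bool:
    """Auto-update rule: a VDA whose Controller is missing from the newest
    ListOfDDCs (e.g. removed from the Site) re-registers with one that remains."""
    return vda.registered_with not in {c.dns_name for c in latest_list}


def failed_over_vdas(vdas: Iterable[Vda],
                     controllers: List[Controller] = LIST_OF_DDCS) -> List[str]:
    """Names of VDAs registered with a Controller outside their own zone.

    A satellite VDA that failed over to the primary zone stays there even after
    its local Controllers recover, so this is the list to act on (restart the
    VDA or its Citrix Desktop Service) to move those machines back.
    """
    zone_of = {c.dns_name: c.zone for c in controllers}
    return [v.name for v in vdas
            if v.registered_with is not None
            and zone_of.get(v.registered_with) != v.zone]


if __name__ == "__main__":
    # Constructed scenario: both SFO Controllers are down, only NYC reachable.
    up = {"ddc-nyc-01.example.local", "ddc-nyc-02.example.local"}
    chosen = register("SFO", up, rng=random.Random(7))
    print("SFO VDA registered with:", chosen.dns_name if chosen else None)
    inventory = [
        Vda("vda-sfo-001", "SFO", chosen.dns_name if chosen else None),
        Vda("vda-sfo-002", "SFO", "ddc-sfo-01.example.local"),
        Vda("vda-nyc-001", "NYC", "ddc-nyc-02.example.local"),
    ]
    print("VDAs registered outside their zone:", failed_over_vdas(inventory))
```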



Moving a Catalog From One Zone to Another Zone

• If you move a Machine Catalog to another zone, the VDAs in that catalog will re-register with Controllers in the zone where you
moved the catalog.
• When you move a catalog, make sure you also move any associated host connection to the same zone.

(Diagram: Site 1 with Zone 1 (Primary) New York (NYC) and Zone 2 (Satellite) San Francisco (SFO), each with Delivery Controllers
and a Machine Catalog.)

Key Notes:
• An Administrator may want to move specific Machine Catalogs to a different zone for a number of reasons:
• To move machines to a host connection located in another area.
• To manage VDA registration to Delivery Controllers located in a zone where the respective users are also located.
• To follow specific Disaster Recovery standards.
• To ease overall Site resource organization and administration.
• You can move a catalog from one zone to another using Citrix Studio.
• To perform this operation:
1. Select the Machine Catalogs node in the Studio navigation pane.
2. Select the catalog you want to move, and then select Move in the Actions pane.
3. Select the zone where you want to move the catalog to.

Additional References:
• Move a machine catalog to a different zone (1912 LTSR): https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/1912-ltsr/install-configure/machine-catalogs-manage.html#par_anchortitle_ee79
• Move items from one zone to another zone (Current Release): https://docs.citrix.com/en-us/citrix-virtual-apps-
desktops/manage-deployment/zones.html



Lesson Review

Scenario: A deployment has three Controllers: A, B, and C. A VDA is installed and registers with Controller B (which was
specified during VDA installation). Controller B is removed from the Site. If Auto-Update is enabled, what happens next?

The VDA receives an updated list of Delivery Controllers 90 minutes later; the list does not include Controller B. The VDA
will proceed to attempt registration with Controller A or C. Once it successfully registers with one of these Controllers, it
receives another updated list.

Key Notes:
• To be operational a VDA must register with a Controller on the Site. The VDA discovers a Controller by checking a list of Controllers
called the ListOfDDCs. The ListOfDDCs comprises one or more DNS entries or IP addresses that point to Controllers on the Site.
• For load balancing purposes, the VDA automatically distributes connections across all Controllers in the list.
• ListOfSIDs indicates which machine Security IDs (SIDs) the VDA allows to contact it as a Controller.
• The ListOfSIDs is used to decrease the load on Active Directory, or to avoid security threats from a compromised DNS server.
• To keep the lists current, you can:
1. Use the auto-update feature to automatically update the ListOfDDCs and ListOfSIDs as Controllers are added or
removed. By default, auto-update is enabled.
2. Self-manage – which is to manually update policy or registry settings that identify Controllers.
• Information in the ListOfDDCs and ListOfSIDs can come from several places in a deployment. The VDA checks the
following locations, in order, stopping at the first place it finds the lists:
• A persistent storage location maintained for the auto-update feature. This location contains Controller information
when auto-update is enabled and after the VDA successfully registers for the first time after installation. (This storage
also holds machine policy information, which ensures that policy settings are retained across restarts.) For its initial
registration after installation, or when auto-update is disabled, the VDA checks the following locations.
• Policy settings (Controllers, Controller SIDs).
• The Controller information under the Virtual Desktop Agent key in the registry. The VDA installer initially populates
these values, based on Controller information you specify when installing the VDA.
• OU-based Controller discovery. This is a legacy method maintained for backward compatibility.
• The Personality.ini file created by Machine Creation Services.

Additional References:
• Delivery Controllers: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/delivery-controllers.html
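The discovery order above is what a VDA follows; the script below is an added example (it is not part of the course material and not Citrix code) that reads the ListOfDDCs and ListOfSIDs a VDA would pick up from the policy location and, failing that, from the Virtual Desktop Agent registry key, then checks that every Controller entry resolves in DNS and that a populated ListOfSIDs carries one SID per Controller. It assumes it is run on the VDA in an elevated Windows PowerShell 5.1 session, that Resolve-DnsName is available from the built-in DnsClient module, and that the two registry paths are the standard policy and VDA locations; it does not read the persistent store that auto-update maintains. The function names are chosen here.

```powershell
# Added example: inspect the Controller lists a VDA uses for discovery.
# Assumptions: elevated PowerShell 5.1 on the VDA; DnsClient module present;
# policy and VDA registry paths below are the standard locations.

function Get-VdaControllerLists {
    # Policy settings take precedence over the installer-written key, matching
    # the order the VDA itself applies when auto-update has nothing stored.
    $candidates = @(
        'HKLM:\SOFTWARE\Policies\Citrix\VirtualDesktopAgent',
        'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
    )
    foreach ($path in $candidates) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        if ([string]::IsNullOrWhiteSpace($props.ListOfDDCs)) { continue }
        # Both values are single strings with entries separated by spaces.
        return [pscustomobject]@{
            Source     = $path
            ListOfDDCs = @([string]$props.ListOfDDCs -split '\s+' | Where-Object { $_ })
            ListOfSIDs = @([string]$props.ListOfSIDs -split '\s+' | Where-Object { $_ })
        }
    }
    return $null
}

function Test-VdaControllerList {
    param([pscustomobject]$Lists = (Get-VdaControllerLists))

    if (-not $Lists) {
        Write-Warning 'No ListOfDDCs found under policy or the VirtualDesktopAgent key.'
        return
    }
    Write-Host "ListOfDDCs/ListOfSIDs taken from: $($Lists.Source)"

    foreach ($ddc in $Lists.ListOfDDCs) {
        $addresses = @()
        if ($ddc -as [ipaddress]) {
            # A literal IP address needs no DNS lookup.
            $addresses = @($ddc)
        } else {
            try {
                $addresses = @(Resolve-DnsName -Name $ddc -Type A -ErrorAction Stop |
                               Where-Object { $_.IPAddress } |
                               Select-Object -ExpandProperty IPAddress)
            } catch {
                # Leave $addresses empty: a VDA cannot register with a name it cannot resolve.
            }
        }
        [pscustomobject]@{
            Controller = $ddc
            Resolves   = ($addresses.Count -gt 0)
            Addresses  = ($addresses -join ', ')
        }
    }

    # A populated ListOfSIDs pins the Controller identities the VDA will accept,
    # so it should line up one-to-one with ListOfDDCs; a mismatch is worth reviewing.
    if ($Lists.ListOfSIDs.Count -gt 0 -and $Lists.ListOfSIDs.Count -ne $Lists.ListOfDDCs.Count) {
        Write-Warning ("ListOfSIDs has {0} entries but ListOfDDCs has {1}." -f $Lists.ListOfSIDs.Count, $Lists.ListOfDDCs.Count)
    }
}

Test-VdaControllerList | Format-Table -AutoSize
```

Because the ListOfSIDs is the control the notes describe against a compromised DNS server, a VDA whose list resolves cleanly but has no SIDs is relying on Active Directory lookups alone; that is the case this check makes visible.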


Zone Preference

Zone Preference Overview

• Zone Preference provides more flexibility in controlling which VDA is used when launching an application or desktop in a multi-zone Site.
• An Administrator can better manage how a broker selects a preferred launch zone when a user session is initialized.


Zone Preference

The default Zone Preference priority order:

1. Application Home: the broker selects the launch zone where the application is configured and its data is stored.
2. User Home: the broker selects the launch zone where the user's home data is located (such as the profile share).
3. User Location: the broker selects the launch zone where the user is currently located. Wherever the user's Citrix Workspace app is running is identified and chosen as the launch zone for that session.

Key Notes:
• There are three forms of Zone Preference that can be used.
• The default priority order for selecting the preferred zone is:
  • Application Home
  • User Home
  • User Location
• The broker selects only one preferred zone for launch.
• Zone Preference priority:
  • If an application has a configured zone association (an application home), then the preferred zone is always the home zone for that application.
  • If an application does not have a configured zone association, but the user has a configured zone association (a user home), then the preferred zone is always the home zone for that user.
  • If neither the application nor the user has a configured zone association, then the preferred zone is the zone where the user is running a Citrix Receiver instance (the user location).
• The Zone Preference feature only applies to shared desktops or applications, not to private/assigned ones.
• Application Home supports applications only. There is no support specific to Published Desktops (VDI) or Server Desktops.


Customize Zone Preference

There are three options to customize Zone Preference:

• Mandatory User Home: prevents a session from being launched in an alternate zone if the user's session cannot be launched in their Home zone.
• Mandatory Application Home: prevents a session from being launched in an alternate zone if an application's home zone is not available.
• No Application Home Zone (ignore configured user home zone): if you do not specify a home zone for an application, you can also indicate that any configured user zones should not be considered when launching that application.

Key Notes:
• Zone Preference provides three options that further restrict how user and application Home zones are handled for launch requests. These three options are:
  • Mandatory User Home
  • Mandatory application home zone
  • No application home zone, and ignore configured user home zone


Zone Preference

Session Launch:
• Zone Preference is designed so the Delivery Controller running the Broker Service will always attempt to launch an application or desktop in the preferred zone, even if there is already an existing session for a user who launches a new application that could share (Session Sharing) that existing session.

Order of Preference:
1. Connect to an existing session in the Preferred Zone.
2. Reconnect to an existing disconnected session in a Non-Preferred Zone.
3. Start a new session in the Preferred Zone.
4. Connect to an existing session in a Non-Preferred Zone.
5. Start a new session in a Non-Preferred Zone.

Key Notes:
• Zone Preference usually takes precedence over Session Sharing.
• These 5 Order of Preference steps are the default setup and behavior; there is no need to perform any pre-configuration.
• EXAMPLE SCENARIOS:
  • Connect to an existing session in the Preferred Zone: (1 Primary Zone, and 2 Satellite Zones)
    1. App Home has been configured for a requested resource in the Primary Zone.
    2. There is currently an active session for the user in the Preferred Zone.
    3. The User in one of the Satellite zones uses session sharing to launch the App Home app in the existing session within the Primary zone, which is its App Home. Session sharing helps reduce overall resource utilization and concurrent license usage.
  • Reconnect to an existing disconnected session in a Non-Preferred Zone: (1 Primary Zone, and 2 Satellite Zones)
    1. App Home has been configured for a requested resource in the Primary Zone.
    2. There is currently a disconnected session for the requested app in a non-preferred zone.
    3. The User in one of the Satellite zones reconnects to the disconnected session of the App Home app in a non-preferred zone. This behavior occurs in order to prevent the creation of an orphan session that can no longer be reached.
  • Start a new session in the Preferred Zone: (1 Primary Zone, and 2 Satellite Zones)
    1. App Home has been configured for a requested resource in the Primary Zone.
    2. There are currently no active sessions for the user.
    3. The User in one of the Satellite zones launches the App Home app in a new session in the preferred zone (Primary Zone).
  • Connect to an existing session in a Non-Preferred Zone: (1 Primary Zone, and 2 Satellite Zones)
    1. App Home has been configured for a requested resource in the Primary Zone.
    2. There is currently an active user session for a different published app in a non-preferred zone. No VDAs are available to host the session within the preferred zone (Primary Zone).
    3. The launch request from a User in one of the Satellite zones for the App Home app is launched within the existing session in the non-preferred zone (Second Satellite Zone) to make use of session sharing. Normally, a new session would be started in the preferred zone, but no VDAs were available this time.
  • Start a new session in a Non-Preferred Zone: (1 Primary Zone, and 2 Satellite Zones)
    1. App Home has been configured for a requested resource in the Primary Zone.
    2. There are currently no active or disconnected sessions for this user. However, no VDAs are available to host the session within the preferred zone (Primary Zone).
    3. The launch request from a User in one of the Satellite zones for the App Home app is launched in a new session in the non-preferred zone (Second Satellite Zone) because no existing sessions were available for session sharing. Normally, a new session would be started in the preferred zone, but no VDAs were available this time.

Additional Resources:
• Zone Preference (Order of Preference): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/zones.html
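The preferred-zone priority (Application Home, then User Home, then User Location, with the three customization options) and the five-step Order of Preference above are both decision procedures, so the following added example encodes them as a small PowerShell model and runs the five example scenarios through it. This is not course material or Citrix code: zones are plain names, a session is an object with Zone and State ('Active' or 'Disconnected'), Get-PreferredZone and Resolve-SessionLaunch are names chosen here, and a "mandatory" home zone is modelled, as an assumption, as refusing steps 4 and 5 while still allowing a reconnect to a disconnected session.

```powershell
# Added example: model of preferred-zone selection and the Order of Preference.
# Assumptions: see the lead-in; nothing here calls the Citrix broker.

function Get-PreferredZone {
    param(
        [string]$AppHome,          # application home zone, empty if none configured
        [string]$UserHome,         # user home zone, empty if none configured
        [string]$UserLocation,     # zone where the user's Citrix Workspace app is running
        [switch]$IgnoreUserHome    # "No application home zone, ignore configured user home zone"
    )
    if ($AppHome)                            { return $AppHome }
    if ($UserHome -and -not $IgnoreUserHome) { return $UserHome }
    return $UserLocation
}

function Resolve-SessionLaunch {
    param(
        [string]$PreferredZone,
        [object[]]$Sessions = @(),           # the user's existing sessions
        [string[]]$ZonesWithCapacity = @(),  # zones with a VDA able to host a new session
        [switch]$MandatoryHome               # Mandatory User Home / Mandatory Application Home
    )
    $inPreferred = @($Sessions | Where-Object { $_.Zone -eq $PreferredZone })
    $elsewhere   = @($Sessions | Where-Object { $_.Zone -ne $PreferredZone })

    # 1. Connect to an existing session in the preferred zone.
    if ($inPreferred.Count -gt 0) { return "1: connect to existing session in preferred zone $PreferredZone" }

    # 2. Reconnect to a disconnected session in a non-preferred zone so it is not orphaned.
    $d = $elsewhere | Where-Object { $_.State -eq 'Disconnected' } | Select-Object -First 1
    if ($d) { return "2: reconnect to disconnected session in non-preferred zone $($d.Zone)" }

    # 3. Start a new session in the preferred zone.
    if ($ZonesWithCapacity -contains $PreferredZone) { return "3: start new session in preferred zone $PreferredZone" }

    # A mandatory home zone rules out falling back to another zone (assumption: steps 4 and 5).
    if ($MandatoryHome) { return "fail: no VDA available in mandatory zone $PreferredZone" }

    # 4. Connect to an existing active session in a non-preferred zone (session sharing).
    $a = $elsewhere | Where-Object { $_.State -eq 'Active' } | Select-Object -First 1
    if ($a) { return "4: connect to existing session in non-preferred zone $($a.Zone)" }

    # 5. Start a new session in a non-preferred zone.
    $z = $ZonesWithCapacity | Where-Object { $_ -ne $PreferredZone } | Select-Object -First 1
    if ($z) { return "5: start new session in non-preferred zone $z" }
    return 'fail: no VDA available in any zone'
}

# The five Key Notes scenarios: App Home is the Primary zone, the user sits in Satellite1.
$preferred = Get-PreferredZone -AppHome 'Primary' -UserHome 'Satellite1' -UserLocation 'Satellite1'
$allZones  = 'Primary', 'Satellite1', 'Satellite2'
$noPrimary = 'Satellite1', 'Satellite2'   # no VDA available in the preferred zone

$scenarios = @(
    @{ Sessions = @(@{ Zone = 'Primary';    State = 'Active' });       Capacity = $allZones  }
    @{ Sessions = @(@{ Zone = 'Satellite2'; State = 'Disconnected' }); Capacity = $allZones  }
    @{ Sessions = @();                                                 Capacity = $allZones  }
    @{ Sessions = @(@{ Zone = 'Satellite2'; State = 'Active' });       Capacity = $noPrimary }
    @{ Sessions = @();                                                 Capacity = $noPrimary }
)
foreach ($s in $scenarios) {
    $sessions = @($s.Sessions | ForEach-Object { [pscustomobject]$_ })
    Resolve-SessionLaunch -PreferredZone $preferred -Sessions $sessions -ZonesWithCapacity $s.Capacity
}
# Adding -MandatoryHome to the last two calls turns steps 4 and 5 into a failed launch,
# which is the trade-off the "Mandatory" options make: data stays in its home zone
# at the cost of availability when that zone has no capacity.
```

Running the five scenarios prints one line per step, 1 through 5, in the same order as the Key Notes; changing the session list or the capacity list shows which step a real launch would land on, which is useful when reasoning about where a session, and the data it touches, can end up.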


Lesson Review

What is the default priority order for selecting the preferred zone to process the session launch?

1. Application Home
2. User Home
3. User Location

Optimal Gateway Routing and Zones


Standard Routing

• StoreFront automatically identifies the Citrix Gateway used to make a launch request.
• By default, HDX connections pass through the Citrix Gateway that made the launch request regardless of where the resources are geographically located.

(Diagram: two Sites, New York and San Francisco, each with a Citrix Gateway and a StoreFront server. The launch request arrives over HTTP(S) at one Gateway, and the HDX traffic for the Word 2016 resource passes over the inter-datacenter link.)

Key Notes:
• For example: if your desktop is in New York, but you are traveling near San Francisco, then S. F. can perform the enumeration.
• However, the ICA file will be re-written to go back to the correct data center.
• This standard routing has existed for a while, but this is the first time we have presented it in the console.
• With standard routing, the HTTPS and HDX traffic will all go through the same Citrix Gateway: the one that was used for the initial connection, even when the desktop and apps are in a different datacenter.


Optimal Gateway Routing

• HDX Optimal Gateway Routing forces the HDX connection to use the gateway closest to the resource.
• Enumeration and HDX traffic may use different gateways.
• HDX traffic is prevented from traversing the inter-datacenter network.

(Diagram: the same New York and San Francisco Sites, each with a Citrix Gateway and a StoreFront server. Enumeration goes over HTTP(S) through one Gateway, while the HDX connection to Word 2016 uses the Gateway in the datacenter that hosts the resource.)

Key Notes:
• Pre-StoreFront 3.5 you could configure HDX Optimized Routing for Farms/Sites as this slide suggests.
• Since StoreFront 3.5, the feature of also individually mapping to Delivery Controllers located in defined zones is available.

Additional Resources:
• Source: https://docs.citrix.com/en-us/storefront/current-release.html
• StoreFront high availability and multi-site configuration: https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-configuration.html
Optimal Gateway Routing Configuration

• Older versions of StoreFront: configured using PowerShell.
• StoreFront 3.12+: configured using the management console.
• With StoreFront 3.12, Optimal Gateway can be mapped using Zones and Delivery Controllers.

Key Notes:
• The Optimal Gateway feature lets you override the Citrix Gateway used for ICA connections.
• Configure StoreFront to associate Citrix Gateway instances with zones (HDX Optimal Routing).
• Workspace App will attempt to use the preferred Citrix Gateway for the zone hosting the resource.

Additional Resources:
• StoreFront high availability and multi-site configuration: https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-configuration.html
StoreFront Resource Aggregation

• Identical desktop or application resources from different Site deployments are grouped, and then aggregated as a single icon to users.
• Load balance resources across controllers.

(Diagram: an Endpoint using Receiver for Web sees a single Outlook icon from StoreFront. Behind it, an Aggregation Group contains the Outlook resource published by three Sites: NYC (NYC-XDC), SFO (SFO XDC) and MIA (MIA XDC).)

Key Notes:
• When a user starts an aggregated resource, StoreFront determines the most appropriate instance of that resource for the user on the basis of server availability.
• StoreFront dynamically monitors servers that fail to respond to requests, on the basis that such servers are either overloaded or temporarily unavailable. Users are then directed to resource instances on other servers until communications are re-established.
• After checking for availability and existing user sessions, StoreFront uses the ordering specified in your configuration to determine the deployment to which the user is connected.
• When using grouped deployments, they do not need to be identical, but resources must have the same name and path on each server to be aggregated.

Additional Resources:
• StoreFront Multi-Site Settings Part 2: https://www.citrix.com/blogs/2016/09/07/storefront-multi-site-settings-part-2/


Configure StoreFront Resource Aggregation

• Allows for the set up of highly available, multi-site configurations.
• Configurable from within the StoreFront Console GUI.

Key Notes:
• Many of these settings have been moved into the console (as of 3.5) from where they were previously located in the web.config file. Additionally, a new setting was added to load balance non-identical sites (as of 3.6).
• The resource aggregation settings available in the console are accessible through the Manage Delivery Controllers option in the Action pane of the Store. If you define more than two farms/sites, the “Configure” option at the bottom of the window will automatically become enabled.
• If you choose to “Configure,” you will see a window prompting you to configure user farm mapping and/or resource aggregation. Here you will define user groups and map those user groups to Delivery Controllers.
• Once you have defined a user group that this configuration should apply to, select the aggregate resources link and you will then be able to select which sites will be configured for aggregation.
  • Map users to controllers: use this setting to provide access to deployments based on users' membership of Active Directory groups.
  • Aggregate resources: use this optional setting to help de-duplicate overlapping resources across multiple controllers. At least one user mapping must be defined before aggregating resources.
• Two options then become available:
  • Controllers publish identical resources: this setting places the farms in the same “equivalent farm set.” No new functionality here.
  • Load balance resources across controllers: this setting either load balances sessions across the farms or configures them for failover order. The ability to do this without requiring the two farms/sites to be 100% identical is a new feature of 3.6; the previous behavior was a significant limitation. Previously, if two sites were non-identical but had some overlapping resources, configuring them for aggregation meant that the aggregated resources were automatically launched in failover order, and load balancing was limited to identical sites.
• If you want to define multiple, distinct aggregation groups, it still has to be done by editing the web.config file; there is no GUI configuration for this at this time.
• When using highly available multi-site configurations, you can provide access to particular deployments on the basis of users' membership of Microsoft Active Directory groups, allowing for the configuration of different experiences for different user groups, through a single store.
• To provide a seamless experience for users moving between separate StoreFront deployments, you can configure periodic synchronization of users' application subscriptions between stores in different server groups. Choose between regular synchronization at a specific interval or schedule synchronization to occur at particular times throughout the day.

Additional Resources:
• StoreFront high availability and multi-site configuration: https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-configuration.html
• StoreFront Multi-Site Settings Part 2: https://www.citrix.com/blogs/2016/09/07/storefront-multi-site-settings-part-2/


Lesson Review

Instead of using PowerShell, what is an alternative method to configuring Optimal Gateway Routing?

Using the StoreFront Management Console, within the Configure the Store Settings, under Optimal HDX Routing, Delivery Controllers or Zones may be specified to configure Optimal Gateway Routing.

Key Notes:
• If you enable Optimal Gateway Routing using PowerShell, the changes will automatically appear in the StoreFront Console as well.
• If you have a Server Group set with multiple StoreFront servers, enabling Optimal Gateway Routing must be propagated manually across the Server Group.
• Optimal Gateway Routing can only be enabled via the StoreFront console, or PowerShell.

Managing StoreFront Store Subscriptions in a Multi Location Environment


Subscription Store

• Users log on to StoreFront and are presented with the option to add applications to their favorites.
• The mapping between users and their subscribed applications is stored in a local database on each StoreFront server.
• Needs to be enabled by an Administrator.

(Diagram: Server Group 1 with StoreFront-A, StoreFront-B and StoreFront-C serving a Single Shared Store; each server holds a File-Based Database, and the databases replicate between all three servers.)

Key Notes:
• The Subscription Store is stored in the C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\<Store Name>\PersistentDictionary.edb folder.
• The Subscription Store contains user Favorites and the Site name in the metadata.
• The subscription consists of a string that includes:
  • User SID
  • Site/Farm name (as defined in the StoreFront store)
  • Application/Desktop name
  • Unique, per subscription GUID
  • “subscribeddazzle:position#” with the number related to the application/desktop icon position on the screen, so that the icons maintain their order
• StoreFront servers replicate the database information across the server group.
• To address some of the most common subscription-related issues, start by restarting the Citrix Subscriptions Store service.

Additional Resources:
• What Subscriptions and Server Groups Mean for StoreFront Designs: https://www.citrix.com/blogs/2014/10/10/what-subscriptions-and-server-groups-mean-for-storefront-designs/


Subscription Store

• Within a StoreFront deployment, Subscriptions can be configured to be shared between Stores within the same server group.
• The web.config file on one Store needs to be adjusted to point to the subscriptions file on the other Store.

(Diagram, before: in Server Group 1, StoreFront-A and StoreFront-B each host an Internal Store and an External Store with separate subscription data, Internal Subscription-A and External Subscription-B. The Administrator points the StoreFront-A store to the subscription service end point on StoreFront-B by editing web.config on StoreFront-A. After: the two stores point to the same subscription data, Internal Subscription-A.)

Key Notes:
• Sharing subscriptions between Stores:
  • By default, StoreFront creates a single datastore for each store. Each subscription datastore is updated independently of every other store.
  • Subscriptions can be shared between Stores within the same server group.
  • In a default scenario involving two stores and their corresponding subscription datastores, a user must subscribe to the same resource twice. However, configuring the two stores to share a common subscription database improves and simplifies the roaming experience when users access the same resource from inside or outside the corporate network.
  • You can configure both “external” and “internal” stores to share a common subscription datastore; this is done by making a basic change to the store web.config file.
  • Each store has a web.config file located in C:\inetpub\wwwroot\citrix<storename>.
  • The web.config file on one Store should be adjusted to point to the subscriptions file on the other Store.
  • Each store web.config contains a client endpoint for the Subscription Store Service. For two stores to share a subscription datastore, you need only point one store to the subscription service end point of the other store.
  • Example: <clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_<StoreName>" authenticationMode="windows" transferMode="Streamed">

Additional Resources:
• Configure two StoreFront stores to share a common subscription datastore: https://docs.citrix.com/en-us/storefront/current-release/configure-manage-stores/configure-two-stores-share-datastore.html
• Citrix VDI Handbook 7.15 LTSR (pgs. 50-51): https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html
• How to Export and Import StoreFront Subscription Database: https://support.citrix.com/article/CTX139343
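The web.config change described above is a one-attribute edit, but it is easy to get wrong by hand in a large file. The script below is an added example (not course material or Citrix code) that rewrites the clientEndpoint uri of one store so that it points at the other store's Subscription Store Service, keeping a timestamped backup of the file first. It assumes the store names 'External' and 'Internal' (placeholders), that each store's web.config lives under C:\inetpub\wwwroot\Citrix\<StoreName>, that the uri keeps the net.pipe://localhost/Citrix/Subscriptions/<SiteId>__Citrix_<StoreName> form shown in the example, and that it is run elevated on one server of the group; Set-SharedSubscriptionEndpoint is a name chosen here.

```powershell
# Added example: point one store at another store's subscription endpoint.
# Assumptions: placeholder store names; web root C:\inetpub\wwwroot\Citrix;
# uri form net.pipe://localhost/Citrix/Subscriptions/<SiteId>__Citrix_<StoreName>.

function Set-SharedSubscriptionEndpoint {
    param(
        [Parameter(Mandatory)][string]$StoreToRedirect,   # store whose web.config is edited
        [Parameter(Mandatory)][string]$StoreWithData,     # store whose datastore is shared
        [string]$WebRoot = 'C:\inetpub\wwwroot\Citrix'
    )
    $configPath = Join-Path (Join-Path $WebRoot $StoreToRedirect) 'web.config'
    if (-not (Test-Path -Path $configPath)) { throw "web.config not found: $configPath" }

    # Keep a timestamped copy so the change can be reverted.
    $backup = "$configPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $configPath -Destination $backup

    [xml]$xml = Get-Content -Path $configPath -Raw
    # The element sits in a Citrix XML namespace, so match on local name plus the uri prefix.
    $nodes = $xml.SelectNodes("//*[local-name()='clientEndpoint'][contains(@uri,'/Citrix/Subscriptions/')]")

    $changed = 0
    foreach ($node in $nodes) {
        $old = $node.GetAttribute('uri')
        # Replace only the trailing store name; the SiteId prefix (1__ in the example) is kept.
        $new = $old -replace '(/Citrix/Subscriptions/\d+__Citrix_)[^/]+$', ('${1}' + $StoreWithData)
        if ($new -ne $old) {
            $node.SetAttribute('uri', $new)
            $changed++
            Write-Host "$old -> $new"
        }
    }
    if ($changed -eq 0) {
        Remove-Item -Path $backup
        Write-Warning "No subscription endpoint changed in $configPath"
        return
    }
    $xml.Save($configPath)
    Write-Host "Updated $configPath ($changed endpoint(s)); backup at $backup"
    Write-Host 'Propagate the change to the other servers in the group from the StoreFront console.'
}

Set-SharedSubscriptionEndpoint -StoreToRedirect 'External' -StoreWithData 'Internal'
```

Editing the XML through the parser rather than with a text replace keeps the rest of the file intact, and the backup file gives a clean rollback if the external store's subscriptions need to be separated again.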


Replicating Subscriptions between StoreFront Server Groups

(Diagram: three server groups, Server Group 1 in Boston, Server Group 2 in New York and Server Group 3 in Miami, each with StoreFront-A, StoreFront-B and a Store. A Subscription Schedule is initialized between the groups at 9 PM, 12 AM and 3 AM (EST).)


Configuring Subscription Synchronization

• PowerShell is used to execute periodic pull synchronization of subscriptions from stores in different StoreFront deployments.
• A specific sequence of commands is run via PowerShell to configure and execute this periodic pull synchronization.

Key Notes:
PowerShell Configuration for Periodic Synchronization:
• It is important to recognize the amount of data contained within each location's Store, as this may cause the synchronization time to vary when the Subscription schedule is initialized.
• When configuring a periodic pull synchronization, it is important to remember that the StoreFront and PowerShell consoles cannot be open at the same time. So, when you are using the PowerShell window to execute the synchronization, always close the StoreFront admin console first.
• When establishing your subscription synchronization, it is important to remember that the configured Delivery Controllers must be named identically between the synchronized Stores. Additionally, the Delivery Controller names are case sensitive.
  For example: if you had three different GEO locations, as in this slide's diagram, you may have three different AD infrastructures and unique Virtual Apps and Desktops Sites in each location. So, you would need to name the Delivery Controllers the same for each of the three Sites. Otherwise, without the same Delivery Controller names, users may end up with different subscriptions across the synchronized Stores.
Configuring a PowerShell periodic pull synchronization:
• You will need to use an account with local administrator permissions to start Windows PowerShell and to import the StoreFront modules that will be required below:
  • Import-Module "installationlocation\Management\Cmdlets\UtilsModule.psm1"
  • Import-Module "installationlocation\Management\Cmdlets\SubscriptionSyncModule.psm1"
• You can configure periodic synchronization to take place at a particular time every day, or you can configure regular synchronization at a specific interval.
• Additional commands can be used to edit and view the schedules.
• To start synchronizing users' application subscriptions between the stores, you will need to restart the subscription store service on both the local and remote deployments using PowerShell.
• If your local StoreFront deployment consists of multiple servers, use the Citrix StoreFront management console to propagate the configuration changes to the other servers in the group.

Additional Resources:
• Set up highly available multi-site stores: https://docs.citrix.com/en-us/storefront/current-release/set-up-highly-available-multi-site-stores.html
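The notes describe the sequence only in outline; the script below is an added example (not course material or Citrix code) that puts the steps in order using the StoreFront subscription synchronization cmdlets from the two modules named above. It assumes StoreFront 3.x installed in its default location, a remote server group referred to here as 'NewYork' reachable at 'storefront.ny.example.com', and a store named 'Store' on both sides; all three values are placeholders. Run it elevated on one server of the local group with the StoreFront console closed.

```powershell
# Added example: configure a periodic pull of subscriptions from a remote server group.
# Assumptions: default install path; 'NewYork', 'storefront.ny.example.com' and
# 'Store' are placeholders; StoreFront console is closed while this runs.

$installLocation = "${env:ProgramFiles}\Citrix\Receiver StoreFront"
Import-Module "$installLocation\Management\Cmdlets\UtilsModule.psm1"
Import-Module "$installLocation\Management\Cmdlets\SubscriptionSyncModule.psm1"

# 1. Register the remote server group (cluster) to pull from. The address is a
#    server in that group or its load-balanced name.
Add-DSSubscriptionsRemoteSyncCluster -clusterName 'NewYork' -clusterAddress 'storefront.ny.example.com'

# 2. Name the remote store whose subscriptions are pulled into the local store of
#    the same name. Delivery Controller names must match (case sensitive) on both sides.
Add-DSSubscriptionsRemoteSyncStore -clusterName 'NewYork' -storeName 'Store'

# 3. Choose one schedule type.
#    a) Once a day at a fixed time (24-hour clock):
Add-DSSubscriptionsSyncSchedule -scheduleName 'Nightly' -startTime '21:00'
#    b) Or at a regular interval, counted from a start time:
# Add-DSSubscriptionsSyncReoccuringSchedule -scheduleName 'EveryThreeHours' -startTime '00:00' -repeatMinutes 180

# 4. Review what is configured. Clear-DSSubscriptionsSyncSchedule removes all schedules.
Get-DSSubscriptionsSyncScheduleSummary

# 5. Synchronization only begins once the subscription store service has been
#    restarted on the local and the remote deployment.
Restart-DSSubscriptionsStoreSubscriptionService
```

Two things outside the script matter for this to work: the remote servers must permit the pull, which Citrix handles by adding the local StoreFront servers' accounts to the CitrixSubscriptionSyncUsers local group on each remote server, and on a multi-server local group the configuration must then be propagated from the StoreFront console, as the notes state.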


Lesson Review

Where is the Subscription Store stored?

On each StoreFront server within the server group, specifically in a file-based database located in the following directory: C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\<Store Name>\PersistentDictionary.edb



Lab Exercise Prep

Please take a moment and provision your lab for Module 02.

Lab Exercise

• Exercise 2-1: Create a Satellite Zone
• Exercise 2-2: Move a Controller into the Satellite Zone
• Exercise 2-3: Move a Catalog into the Satellite Zone
• Exercise 2-4: Auto-Update Policy
• Exercise 2-5: Add a Home Zone for a User
• Exercise 2-6: Add a Home Zone for an App
• Exercise 2-7: Test Home Zone App Launch
• Exercise 2-8: Configure Optimal Gateway Routing
• Exercise 2-9: Test Optimal Gateway Routing
• Exercise 2-10: Configure Subscription Synchronization
• Exercise 2-11: Test Subscription Synchronization


Key Takeaways

• Zones allow deployment of a single Site across multiple geographically dispersed datacenters.
• The VDA registration process will vary based on whether a VDA is located in a Primary or Satellite Zone.
• There are three forms of Zone Preference that can be used: Application Home, User Home, and User Location.
• Zone Preference uses a specific Order of Preference when performing an application launch.
• HDX Optimal Gateway Routing can be used to improve HDX session performance by routing traffic to the Gateway closest to the end user.

Citrix Virtual Apps and Desktops 7 Advanced Deployment, Troubleshooting, Security and Administration
Implement Backups and Disaster Recovery

Module 3


Learning Objectives

• Describe how to perform onsite and offsite backups of key components, applications, and data in a Citrix Virtual Apps and Desktops environment.
• Describe how to maintain access to Citrix Virtual Apps and Desktops published resources during an event requiring disaster recovery, and how Citrix Cloud services can benefit an organization's CVAD deployment disaster recovery plan.
• Identify the process steps of failing over to a disaster recovery environment, and then returning to normal operations after a disaster recovery event.

Backups


Determining Backup Requirements and Location

A leading practice is storing backups of critical data both onsite and at an offsite location.

Onsite Backups:
• Located on a storage device in the datacenter.
• Allows for data to be recovered quickly.
• Ideal for issues that only affect a small portion of hardware in the datacenter.

Offsite Backups:
• Require transferring data physically or digitally to a separate physical location from the datacenter.
• Typically used for a limited number of backups that require additional protection in the event of a disaster.
• Cold storage solutions like tape can also be used.

Key Notes:
• The location of backups directly affects the recovery time and reliability of the Citrix environment. There are two categories of backups that can be used:
  • Onsite Backups
    • These backups can be located on storage devices or tapes that are kept at the datacenter location. They allow for a quicker recovery, but have less resilience in the event of a disaster that impacts the entire datacenter.
    • While cold storage solutions such as tape are slower to recover from, they provide additional protection since they are only active during the backup process.
  • Offsite Backups
    • Because they are stored in a location separate from the datacenter, offsite backups by design will increase recovery times. However, this type of backup provides additional protection in the event of a disaster.
    • Offsite backups may require transferring data over the Internet to a third-party provider, or they are created onsite and then transported to a remote location on storage media such as tape.
    • It is typical to put a limited number of backups offsite. For example, one backup a week or month.
• A leading practice is to store backups of critical data both onsite and at an offsite location.
• If offsite backups are not possible due to the associated costs or the sensitivity of the data, backups should be placed at separate physical locations within the same datacenter.
• Each type of data that exists in an environment should be evaluated on factors such as privacy considerations and criticality to the business, and based on that information, backup requirements should be created that balance costs with an acceptable level of risk mitigation.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR – Monitor: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices/monitor.html


StoreFront Configuration Backup

• The entire configuration of a StoreFront deployment can be exported.
• Configuration exports can be imported on other machines with StoreFront installed.
• Any configuration on a StoreFront server will be overwritten by the imported settings.
• PowerShell commands are used to export and import StoreFront configurations.

(Diagram: backup.zip is exported from one StoreFront server and imported on another.)

Key Notes:
• StoreFront configuration exports can include both single server deployments and server group configurations.
• If an existing deployment is already present on the importing server, the current configuration is erased and then replaced by the configuration contained within the backup archive.
• If the target server is a clean factory default installation, a new deployment is created using the imported configuration stored within the backup.
• The exported configuration backup is in the form of a single .zip archive if unencrypted, or a .ctxzip if you choose to encrypt the backup file when it is created.
• You can only import StoreFront configurations which are the same StoreFront version as the target StoreFront installation.
• Considerations when exporting and importing a StoreFront configuration:
  • Will the Host Base URL contained in the backup archive be used, or will a new Host Base URL be specified to use on the importing server?
    • The “HostBaseURL” parameter can be used to accommodate either scenario.
  • Are any Citrix published authentication SDK examples, such as Magic Word authentication, or third-party authentication customizations being used?
    • If so, the SDK or customization packages must be installed on all importing servers before importing the StoreFront configuration containing extra authentication methods.
• StoreFront configuration backups can be encrypted or unencrypted. The exporting and importing PowerShell cmdlets support both use cases.
  • You can decrypt encrypted backups (.ctxzip) later, but StoreFront cannot re-encrypt unencrypted backup files (.zip). If an encrypted backup is required, perform the export again using a PowerShell credential object containing a password of your choice.
• The SiteID of the website in IIS where StoreFront is currently installed (exporting server) must match the SiteID of the target website in IIS (importing server) where you want to restore the backed up StoreFront configuration.

Additional Resources:
• Export and import the StoreFront configuration: https://docs.citrix.com/en-us/storefront/current-release/export-import-storefront-config.html
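As an added example of the export and import described above (not course material or Citrix code), the script below takes an encrypted backup on one server and restores it on another with a new Host Base URL, checking the IIS SiteID first. It assumes StoreFront 3.x in its default install location, that the two servers run the same StoreFront version, and uses C:\SFBackup and https://storefront.example.com as placeholders; the encryption password is supplied through a PowerShell credential object, of which only the password is used.

```powershell
# Added example: encrypted StoreFront configuration export and import.
# Assumptions: default install path; same StoreFront version on both servers;
# C:\SFBackup and https://storefront.example.com are placeholders.

# Load the StoreFront cmdlets (script shipped with StoreFront 3.x).
& "${env:ProgramFiles}\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

# The IIS SiteID of the StoreFront website must match on both servers; compare
# this output on the exporting and importing server before importing.
Import-Module WebAdministration
Get-Website | Select-Object Name, Id

$backupFolder = 'C:\SFBackup'
New-Item -ItemType Directory -Path $backupFolder -Force | Out-Null

# --- On the exporting server --------------------------------------------------
# Prompt for the password that protects the archive; the user name is not used.
$cred = Get-Credential -UserName 'backup' -Message 'Password used to encrypt the StoreFront backup'
Export-STFConfiguration -targetFolder $backupFolder -zipFileName 'backup' -Credential $cred
# Produces C:\SFBackup\backup.ctxzip. Drop -Credential and add -NoEncryption for a plain .zip,
# but a plain .zip cannot be encrypted afterwards, so decide before exporting.

# --- On the importing server --------------------------------------------------
# Any existing configuration on this server is erased and replaced by the backup.
# -HostBaseURL overrides the URL stored in the archive for the new server.
Import-STFConfiguration -configurationZip (Join-Path $backupFolder 'backup.ctxzip') `
                        -Credential $cred `
                        -HostBaseURL 'https://storefront.example.com'
```

The archive contains the full deployment configuration, so it should be stored with the same care as the StoreFront server itself; encrypting at export time is what keeps a copied backup from being imported elsewhere without the password.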


User Data Storage and Backup Options
Data recovery options for user profiles and home drives

Multi-File (Desktop)
• Save a new copy of a file every day.
• All files still on local machine.
• Hard to manage, and will not defend against local storage failure.

Backup/Restore (File Server)
• Backup and restore solution used at many enterprises.
• Files must be saved on network drives.
• Requires support call to recover files.

Versioning in the Cloud
• Uses cloud-hosted storage, such as Citrix Content Collaboration (ShareFile).
• Auto-creates new versions as files are saved.
• Balance of recoverability and lower administration.

Key Notes:
• In a traditional on-premises deployment, data could be kept on local endpoints (or VMs), stored in an enterprise shared storage
solution, or placed into a third-party cloud service (options presented above).
• Each has its pros and cons, but most medium to large enterprises will choose option 2 or 3 in order to have more control over how
data is accessed and used, as well as to lower the risk of unrecoverable data in the event of an outage.
• Some options for enterprise storage solutions include:
  • Single File Server – have a single server or IaaS VM (if using a public cloud) to host Windows File Services
    • Pros
      • Simple to implement using existing skills
      • Moderately scalable by adding more disks or resizing the machine (if using a VM)
    • Cons
      • Single point of failure – data could be lost if the machine is corrupted
      • Routine maintenance would impact the availability of the data
      • Long recovery time – even if the data was backed up in another location, it will take some time to restore it on a new machine
  • Microsoft DFS Namespace – a hosted SMB file share with multiple machines as referral targets. DFS-R is used to replicate the contents between machines.
    • Pros
      • Offers resilience – no single point of failure
      • Moderately scalable by adding more disks or resizing machines (if using VMs)
      • Technology is generally well understood
    • Cons
      • Unsupported by Microsoft in an Active-Active configuration; must be used in an Active-Passive capacity for support
      • Requires manual intervention to fail over if the active machine fails
      • Questionable performance – Citrix Consulting has encountered issues with file locking leading to inconsistent and unpredictable behavior
  • Storage Spaces Direct (S2D) – Based on Windows Server Failover Cluster and Scale-Out File Services, this solution allows a single SMB file path to be hosted on multiple machines without the need for shared storage.
    • Pros
      • Highly resilient – the failure of a node does not have an impact on service
      • Highly scalable – additional machines can be added to increase capacity and performance of the cluster
    • Cons
      • Only available on Windows Server 2016 and Windows Server 2019 Datacenter edition
      • Complex solution – most organizations are still relatively unfamiliar with it
      • Questionable performance with user profile workloads
      • May require high-spec machines to function appropriately
      • Similar limitations to a scale-out file server
  • Third-party offerings – includes vendors like Veeam, NetApp, Cloudian, etc.
    • Pros
      • Can be resilient with good performance
    • Cons
      • Can be costly, with recurring subscription fees
      • Limited experience and proven usage in the field

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR – Design methodology resource layer – Decision: Data
Recovery: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices/design/design-
userlayer3.html

Application Data Backup Considerations
Include backup considerations in the application intake process

1. Application is identified for inclusion in environment.
2. Citrix and app team determine backup requirements and responsibilities.
3. Application backup configuration occurs during onboarding activities.

Key Notes:
• It is critical to identify the applications that we are willing to back up. It might be possible that initially we had 10 applications in our
Citrix Virtual Apps and Desktops environment, but now only 8 applications are active. Identifying the active ones first definitely saves time and effort.
• Each application will have its own backup options and requirements. As a result, backup requirements should be determined during
the intake process for a new application to the Citrix Virtual Apps and Desktops Site.
• Otherwise, there is an increased chance of miscommunication or incorrect assumptions about who is responsible for maintaining
application data backups, and what level of backups are expected.
Master Image Backups
Backup considerations for image management

Machine Creation Services
[Diagram: master image and master VM; each virtual machine has a differencing disk and an identity disk]
• Backup approach and difficulty will differ based on whether thin clones or full clones are used.
• Consider backing up master VMs/templates.

Citrix Provisioning
[Diagram: Provisioning Server with vDisk store and master vDisk streamed to the virtual machine]
• vDisks should receive the highest level of backup available.

Citrix App Layering
[Diagram: OS layer, platform layer and application layers composed into the image; elastic layers attached to VM-1, VM-2 and VM-3]
• Implement a backup plan for the layered images.
• Elastic and user layers should be backed up according to use case criticality.


SQL Database Backups
Select the appropriate SQL recovery model and backup level for the Citrix product databases.

Recovery Models

Simple:
• No log backups required
• Lower storage space requirements
• Changes to database since most recent backup are NOT protected

Full:
• Requires log backups
• Data can be recovered from any point in time
• Required for SQL mirroring

Bulk-Logged:
• Requires log backups
• Permits bulk copy operations; not typically used for Citrix databases

Backup Levels

Full:
• Contains all data in a specific database, and also enough log to allow for recovering the data

Partial:
• Contains data from only some of the filegroups in a database, including:
  • the primary filegroup
  • every read/write filegroup
  • optionally specified read-only files

Differential:
• Based on the last full backup
• Records only the portions of data that have changed since the full backup

Key Notes:
• Multiple Citrix products rely on a Citrix database to store session or configuration information. Examples include Citrix Virtual Apps
and Desktops, Citrix Provisioning, Citrix Workspace Environment Management, Citrix AppDNA, and Citrix Session Recording.
• Some level of backup and recovery is recommended for all of the Citrix product databases. The recovery model and backup
level/frequency will depend on the organization’s requirements. Backup is an additional step on top of any existing SQL high
availability solution such as Always On, mirroring or clustering, because those protect against server failure rather than against data loss.
• SQL database recovery models apply to the transaction log file, which contains a record of all transactions and database
modifications made by each transaction.
• The transaction log is a critical component of the database and, if there is a system failure, the transaction log might
be required to bring the database back to a consistent state. The usage of the transaction log varies depending on
which database recovery model is used:
• Simple: Does not require log backups, and log space is automatically reclaimed, keeping space requirements small.
This essentially eliminates the need to manage transaction log space, but changes to the database since the most
recent backup are unprotected.
• In the event of a disaster, the unprotected changes must be redone manually.
• Full: Requires log backups, but no work is lost due to a lost or damaged database data file. Data from any arbitrary
point in time can be recovered (for example, prior to application or user error).
• Full recovery is required for database mirroring.
• Bulk-logged: This is an adjunct of the full recovery model that permits high performance bulk copy operations. It is
typically not used for Citrix databases.
• SQL database backups are essential for protecting Citrix product data. Citrix databases are typically backed up using a
combination of full, partial, and differential backups on varying schedules. The specific combination used depends on
the SQL operational standards of the organization, and a storage cost vs. risk tolerance decision regarding the size and
frequency of the backups.

Additional Resources:
• Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR – Design methodology control layer – Decision: Cloning
Type: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices/design/design-
userlayer4.html
• Recovery Models (SQL Server): https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/recovery-
models-sql-server?view=sql-server-2017
• Backup Overview (SQL Server): https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/backup-
overview-sql-server?view=sql-server-2017
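The recovery model and the full, differential and log backups described above, applied to a Site database, as an added example (not from the course or Citrix). It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and the placeholder names SQL01, CitrixSite and D:\Backups\CitrixSite.

```powershell
# Added example, not course material: set the recovery model for a Citrix Site
# database, run the backup levels the slide lists, and check what SQL Server
# actually recorded. Placeholders: SQL01, CitrixSite, D:\Backups\CitrixSite.
Import-Module SqlServer            # provides Invoke-Sqlcmd

$instance  = 'SQL01'               # placeholder SQL Server instance
$database  = 'CitrixSite'          # placeholder Site database name
$backupDir = 'D:\Backups\CitrixSite'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

function Invoke-BackupSql([string]$Sql) {
    # Every statement runs against the same instance with a generous timeout;
    # a backup of a large database can take a while.
    Invoke-Sqlcmd -ServerInstance $instance -QueryTimeout 3600 -Query $Sql
}

# Full recovery: the log is kept until it is backed up, so restores to any point
# in time are possible and mirroring is supported. The log must then be backed
# up regularly or it grows without bound. (Simple recovery needs no log backups,
# but changes since the last backup are unprotected.)
Invoke-BackupSql "ALTER DATABASE [$database] SET RECOVERY FULL;"

# Verify the model in effect rather than trusting the script; sys.databases is authoritative.
$model = Invoke-BackupSql "SELECT recovery_model_desc FROM sys.databases WHERE name = N'$database';"
"$database recovery model: $($model.recovery_model_desc)"

# 1. Full backup: all data plus enough log to recover it; the baseline that
#    every later differential and log backup refers to.
Invoke-BackupSql @"
BACKUP DATABASE [$database]
  TO DISK = N'$backupDir\$database-full-$stamp.bak'
  WITH INIT, CHECKSUM, NAME = N'$database full';
"@

# 2. Differential backup (lab exercise 3-2): only the extents changed since the
#    last full backup, so it is small and quick but useless without that full backup.
Invoke-BackupSql @"
BACKUP DATABASE [$database]
  TO DISK = N'$backupDir\$database-diff-$stamp.bak'
  WITH DIFFERENTIAL, CHECKSUM, NAME = N'$database differential';
"@

# 3. Log backup: transactions since the previous log backup; this is what makes
#    point-in-time recovery possible and lets the log file be truncated.
Invoke-BackupSql @"
BACKUP LOG [$database]
  TO DISK = N'$backupDir\$database-log-$stamp.trn'
  WITH CHECKSUM, NAME = N'$database log';
"@

# Check the media before relying on it: reads the whole backup and validates the checksums.
Invoke-BackupSql "RESTORE VERIFYONLY FROM DISK = N'$backupDir\$database-full-$stamp.bak' WITH CHECKSUM;"

# Show the chain SQL Server recorded, newest first: type D = full, I = differential, L = log.
$chain = Invoke-BackupSql @"
SELECT TOP (5) backup_finish_date, type, backup_size
FROM msdb.dbo.backupset
WHERE database_name = N'$database'
ORDER BY backup_finish_date DESC;
"@
$chain | Format-Table -AutoSize
```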

License File Backups Options

• Existing license files can be re-used if one of the Citrix License Server high availability options is used (see Module 1).
  • All machines involved in a high availability configuration must use the same hostname, or the license file will not work.
• If a machine with a different hostname will be used as a backup, or is created during recovery, the Citrix license file must be re-allocated with the new hostname.


Additional Resources:
• License files: https://docs.citrix.com/en-us/licensing/current-release/license-files.html

Hypervisor VM/Pool/Cluster Metadata

• Each hypervisor vendor will have specific methods to back up critical data that will enable the
hypervisor environment to be restored in the event of a disaster.
• As an example, the following types of data should be backed up for a Citrix Hypervisor deployment to
recover from possible server and software failure.

Pool Metadata
• Hosts use a database to store metadata about VMs and associated resources.
• The process to back up and restore VM metadata will vary based on whether a single-host deployment or pooled deployment is used.

Host Config. and Software
• These backups refer to hypervisor server control domain backup and restore procedures.
• Does not include storage repositories; only the privileged control domain that runs Xen and the Citrix Hypervisor agent.

Virtual Machines
• Consists of backing up the virtual machine disk files.
• Can be treated similarly to other file backups; Citrix recommends using a Citrix Ready-certified 3rd party solution.

Key Notes:
• Whenever possible, leave the installed state of Citrix Hypervisor servers unaltered. That is, do not install any additional packages or
start additional services on Citrix Hypervisor servers and treat them as appliances.
• The best way to restore, then, is to reinstall Citrix Hypervisor server software from the installation media. If you have multiple
Citrix Hypervisor servers, the best approach is to configure a TFTP server and appropriate answer files for this purpose.
• VM Metadata Backup
• To back up a single-host deployment, CLI commands run on the host can back up the database into a backup file, and can
restore the database from a previous dump file.
• If a host has died completely, then a fresh install must be performed, then the restore command would be run
against the freshly installed server.
• Citrix Hypervisor preserves UUIDs of the hosts restored using this method. If a different physical machine is
restored while the original Citrix Hypervisor server is still running, duplicate UUIDs may be present, and as a result,
XenCenter refuses to connect to the second Citrix Hypervisor server.
• Pool database backup is not the recommended mechanism for cloning physical hosts. Use the automated
installation support instead.
• In a pool scenario, the master host provides an authoritative database that is synchronously mirrored to all the pool
member hosts. This process provides a level of built-in redundancy to a pool, where any pool member can replace
the master because each pool member has an accurate version of the pool database.
• This level of protection may not be sufficient. For example, when shared storage containing the VM data is backed
up in multiple sites, but the local server storage (containing the pool metadata) is not.
• To recreate a pool given a set of shared storage, you must first back up the pool-dump-database file on the master
host, and archive this file. To later restore this backup on a new set of hosts:
• Install a fresh set of Citrix Hypervisor servers from the installation media or using a network boot from a TFTP
server.
• Using the command-line on the new master server, restore the database from the backup file.
• Run a command on the master server to remove the old member machines.
• Run a command on each new member server to connect them to the new pool.
• Citrix Hypervisor server backup
• Typically, the control domain does not actually have to be backed up to recover a Citrix Hypervisor host or pool, but it
can be complementary to backing up the pool metadata.
• A backup is created by running “xe” commands on the target host. Later, this backup would be restored using a
similar command on a new host. The VM metadata would be restored separately after this procedure.

Additional Resources:
• Back up and restore hosts and VMs: https://docs.citrix.com/en-us/citrix-hypervisor/dr/backup.html
• Citrix Ready Marketplace (Backup Providers): https://citrixready.citrix.com/category-results.html?
search=backup&_ga=2.239675978.810872846.1559518441-98755839.1533921585

Lesson Review

What is the difference between a full and a differential SQL database backup?

When a full backup is created, the full database is backed up and a new backup file is created. When a differential backup is created, only the changes made since the previous full backup are captured, and are added to the existing backup file.



Disaster Recovery Considerations

Understand Disaster Recovery Requirements
Information Needed from a Disaster Recovery Plan

• Which Citrix components must be recoverable?
• How much capacity is required in a Citrix Virtual Apps and Desktops Site?
• Which applications should be available after a DR event, and how quickly?
• What are the application recovery procedures?
• How long should a Site failover take?
• Can the failover be automated?

Key Notes:
• These questions are examples of typical assessment questions that can be used to determine the disaster recovery considerations
for a deployment design. These questions are dependent on key design plans already in place.
• For Example: Which Citrix components must be recoverable?
• To answer this, we must have already defined in the design the type and quantity of each component, defined by layers and
attributes. Moving forward, we then address, in the event of a failure, which components are identified as mission critical and
must be recovered, or are all components critical to the design.

• In some cases, a corporate DR plan may be in place but does not contain Citrix-specific requirements. In these cases, the
requirements must be translated into specific requirements for the Citrix Virtual Apps and Desktops deployment.
• Based on the DR plan and requirements, make a team or personal plan (depending on the size of the organization)
specifying what actions will be taken during a DR event in order to comply with the DR plan. Having a checklist in place
will increase the chance that nothing important will be missed in the failover and recovery sequences, during what can
be a stressful situation.

Additional Resources:
• XenDesktop, GSLB & DR – Everything you think you know is probably wrong!:
https://www.citrix.com/blogs/2014/03/29/xendesktop-gslb-dr-everything-you-think-you-know-is-probably-wrong/

Access During a DR Event
Key Considerations

• Same URL vs. separate URL
• Automatic failover vs. manual failover
• Single site vs. multi-site
• Zone preference and failover vs. StoreFront multisite aggregation
• StoreFront subscription sync

Key Notes:
• When creating an action plan, access for users must be determined in the event of an outage and potential site failover.
• Same URL vs. separate URL
• Consider if there is at least one StoreFront server in each resource location, and how many stores were built for the same set of
users.
• Will users connect to one Store during normal operations, and to an alternate Store during a DR event?
• Automatic failover vs manual failover

• Are Citrix ADC appliances deployed with an Active-Active GSLB configuration? Are the appliances themselves in an
HA configuration or using clustering?
• If a separate team manages the Citrix ADC deployment (or equivalent appliances from other vendors), discuss the
expected behavior of their deployment in a DR event impacting one or more datacenters/resource locations.
• What about non-Citrix components that Citrix Virtual Apps and Desktops relies on, such as file storage: are the user
profiles stored in each location, and is the synchronization manual or automatic?
• Single site vs multi-site
• Is each location managed independently through separate Citrix Virtual Apps and Desktops Sites? This will require
more upfront effort in configuration, but will reduce the failure domain of the environment.
• Are Zones in use?
• If a single Site is being used, is redundancy in place for each infrastructure component?
• Zone preference and failover vs StoreFront multisite aggregation
• If Zones are in use, are there any User Home or Application Home settings that could interfere with a datacenter
failover?
• Is Citrix ADC an option to aggregate StoreFront access?
• StoreFront subscription sync
• Is Storefront in more than one location in the deployment?
• The Citrix leading practice for multi-StoreFront deployments is to configure them as a server group; but across a
WAN, what is the impact to store synchronization and can the bandwidth handle it?

Resources During a DR Event
Key Considerations

• Data loss acceptance vs. cost
• Importance of applications and data
• Application and backend database failover
• User profile failover vs. new profile
• Home drive and redirected folders

Key Notes:
• In a deployment with active/active datacenters, it is important to focus on how the user data is handled. An Active/active design is
relatively simple as long as users do not have any personalization requirements, do not need to retain application settings, and do
not need to create documents or other persistent data.
• In practice, most use cases will require at least some of these items. However, active/active replication for profile data is not
supported by Microsoft (specifically, with their DFS-R solution) or Citrix (regarding Citrix Profile Management when using DFS for
replication).

• Any supported scenarios assume that only one-way profile replication is implemented, and that only one copy of the
profile will ever be active at any point in time. In order to support active/active replication, distributed file locking is
needed, which is not available with DFS-R.
• As a rule of a thumb – never plan to have multiple access points to the same data by the same user.

Additional Resources:
• XenDesktop, GSLB & DR – Everything you think you know is probably wrong!:
https://www.citrix.com/blogs/2014/03/29/xendesktop-gslb-dr-everything-you-think-you-know-is-probably-wrong/
• Multiple folder targets and replication (with Citrix Profile Management): https://docs.citrix.com/en-us/profile-
management/current-release/plan/high-availability-disaster-recovery-scenario-2.html
• Disaster recovery (for Citrix Profile Management): https://docs.citrix.com/en-us/profile-management/current-
release/plan/high-availability-disaster-recovery-scenario-3.html

Disaster Recovery and Citrix Cloud
Key Considerations

• Citrix Cloud supports multiple resource locations / zones.
• Deploy resources in on-premises datacenters or public cloud.
• Use Zone preference, StoreFront optimal gateway routing & GSLB to connect users.
• Be familiar with the Citrix Cloud Service Level Agreement, and use it to make informed disaster recovery plans for the customer-managed components.

Key Notes:
• Remember, for Citrix Cloud customers, the Control Layer is redundant and hosted in Citrix Cloud.
• This includes the Delivery Controller(s), the Site database, the Studio management console and optionally other services, such
as Citrix Gateway and StoreFront (aka Citrix Workspace).
• The Disaster Recovery plan for customers subscribed to apps and/or desktops in Citrix Cloud only includes the components not
within Citrix Cloud, such as the Server OS or Desktop OS machines running the VDA and the possible on-premises Citrix ADC or
StoreFront servers.

• If connectivity to Citrix Cloud is ever lost or interrupted, Local Host Cache is used so that end users can continue to
start HDX sessions on customer-managed VDA machines.
• The Citrix Cloud service level agreement (SLA) is available online, and provides a monthly uptime commitment and an
explanation of what that includes and doesn’t include. Any Citrix Cloud customer should become familiar with the SLA
document and determine whether it is acceptable for their organization’s overall DR requirements.
• This will determine, for example, whether to use an on-premises StoreFront and Citrix Gateway to provide access
during a Citrix Cloud outage, and also to ensure that leading practices are in place for using Local Host Cache.

Additional Resources:
• Scale and size considerations for Local Host Cache: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-
service/install-configure/install-cloud-connector/local-host-scale-and-size.html
• Service Level Agreement: https://docs.citrix.com/en-us/citrix-cloud/overview/service-level-agreement.html

Lesson Review

How might Zone preference settings interfere with a datacenter failover during a DR event?

If users or applications are configured to a mandatory home zone, they will not automatically have access to their resources if they access a new zone.


Disaster Recovery Process

Failing Over to a Disaster Recovery Environment

1. Go / No-Go Decision
2. Block Access to Primary Environment
3. Terminate Existing Sessions
4. Complete Replication
5. Revert Replication
6. Enable Access in DR Datacenter

Key Notes:
• The steps in the diagram apply to a scenario where there is a primary, active datacenter and Citrix Virtual Apps and Desktops Site
that is normally used, and a passive DR datacenter with a backup Citrix Virtual Apps and Desktops Site that is only accessed when
the primary Site is unavailable or impaired.
• This scenario also assumes that there is application and user profile data that must be replicated from the primary to the DR
datacenter so that users can have the full functionality needed there. Many of the steps are in place to ensure that data
replication can occur successfully without synchronization issues or lost data.

• Go / No-Go Decision
• A decision-maker must make the decision to begin the failover process. This will typically involve an assessment of
whether the primary production environment is able to meet the internal service level agreement to the
organization, or to individual business units. Can the environment be recovered in time, or will the DR environment
need to be used so that employees can continue working while a more extensive recovery takes place?
• Block Access to Primary Environment
• In this step, users are prevented from initiating new sessions on the primary environment. This could be
accomplished in a number of ways; for example, the Citrix Gateway or StoreFront URL could be redirected to a web
page explaining the situation to end users, and advising them of where to go to get access to their resources (if a
separate URL will be used for the DR environment) or of an expected time to services resuming (if a single URL will
be used).
• The goal of this and the subsequent step is to remove all sessions from the Site so that no application or profile data
is being actively accessed. This will allow data replication to occur without losing any data.
• Terminate Existing Sessions
• There are a few considerations here – you might decide to force termination of existing sessions, but you’re risking
that users will lose their data. Or you might decide on a more gentle approach – notify users to finish their work and
let them end their sessions. There are a few associated decisions – for example, do you want to block access for all
users, or do you plan to drain existing users?
• Complete Replication
• Once all profile and application data is no longer being accessed or modified on the primary Site, data replication to
the backup environment can proceed. This ensures that the user experience and application functionality are
equivalent to what users are accustomed to.
• If some or all of the production data was lost due to the DR event, recovering the data from backup locations to the
DR datacenter could also occur at this stage.
• Revert Replication
• Once the datacenter doesn’t have any active connections and user data is either properly replicated or you’ve
decided to cut them off, it’s possible to proceed with the second part of the failover, activating access to the backup
datacenter.
• The backup datacenter should be designated as the primary data location, and the replication flow reversed so that
changes made to data in the backup environment will be retained.
• Enable Access in DR Datacenter
• Although there can be pressure to provide access to the backup datacenter as soon as possible, it is recommended
to complete any needed backend data migration/replication procedures first.
• Communication to end users is important in this step, particularly if the access method will differ from their usual
process.
• Ideally, a plan should be in place for onboarding/migrating users to the DR site:
• How many users and apps should be migrated.
• Prioritize business critical users and apps.
• How will users be notified about DR availability/limitations.
• Avoid boot/login storms.
• Monitor load on VDA machines and backend servers.
• Create appropriate load evaluator policy settings to ensure VDA machines are not overloaded.

Additional Resources:
• XenDesktop, GSLB & DR – Everything you think you know is probably wrong!:
https://www.citrix.com/blogs/2014/03/29/xendesktop-gslb-dr-everything-you-think-you-know-is-probably-wrong/

Returning to Normal Operations

1. Determine stability in Primary Datacenter
2. Block Access to DR Datacenter
3. Terminate Existing Sessions in DR Datacenter
4. Complete Replication to Primary Datacenter
5. Resume Replication to DR Datacenter
6. Enable Access in Primary Datacenter

Key Notes:
• Returning to normal operations involves the same steps as failing over to the backup datacenter, in reverse.
• Determine stability in the Primary Datacenter
• Perform infrastructure and functional testing to confirm that core functionality has returned. The process should be similar to
what is performed when the production environment was initially built.
• A key difference between this and the initial failover process is that there is more time to perform the process, assuming that the
backup environment is performing as expected. Different use cases or user groups can be “onboarded” back to the primary
environment in stages if needed. For example, a user group that has mandatory profiles assigned to them, and which
does not need access to applications with backend data requirements, could be onboarded before other groups.
• Block Access to DR Datacenter
• Again, this could be done in stages by removing certain Active Directory groups from resource assignments in the
backup datacenter, for example. However, it is vital to communicate with the affected user groups ahead of time so
they know what to expect.
• This and subsequent activities could be performed during a change window to minimize the disruption to end users.
• Terminate Existing Sessions in DR Datacenter
• Again, this action can be performed more gradually now, compared to the initial DR event, by draining the
environment of active HDX sessions.
• Complete Replication to Primary Datacenter
• This ensures that any changes to data made while users were accessing the backup datacenter are preserved.
• Resume Replication to DR Datacenter
• This would restore data replication to standard production settings.
• Enable Access to Primary Datacenter

Lesson Review

How can user profile settings impact a failover to a disaster recovery environment?

If user profile data is required (for example Microsoft roaming profiles or Citrix Profile Management), the profile data must be replicated to the DR location before users access that location.



Lab Exercise Prep

Please take a moment and provision your lab for Module 03.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

Lab Exercise

• Exercise 3-1: Export and Import the StoreFront Configuration
• Exercise 3-2: Perform a Differential Backup for the Site Database
• Exercise 3-3: Restore a Backup for the Site Database



Key Takeaways

• In a Citrix Virtual Apps and Desktops environment, there are multiple components that should be considered for regular backups.
• Citrix component backups can be included in a disaster recovery plan that translates organizational DR requirements to concrete actions for the environment.
• Determine the specific series of steps that are needed to fail over between a primary and backup environment, as well as what user communications should be involved.



Citrix Virtual Apps and Desktops 7
Advanced Deployment, Troubleshooting,
Security and Administration
Implement Advanced Authentication Methods

Module 4

Learning Objectives

• Explain how one-time passwords can be used with RADIUS authentication in a Citrix Virtual Apps and Desktops environment.
• Describe Smart Card authentication in a Citrix Virtual Apps and Desktops environment.
• Describe ADFS and SAML authentication in a Citrix Virtual Apps and Desktops environment.



Multi-factor Authentication
RADIUS and One Time Passwords (OTP)

Introduction to Authentication Factors

What you know: Passwords, Static PINs
What you have: Tokens, Phones, Smart Cards

Multi-factor authentication
Key Notes:
• Three possible authentication “factors” are commonly referred to as “what you know,” “what you have,” and “what you are.”
• However, “what you are” is really just a more specific form of “what you have.” It is often considered distinct from “what you have” because it is “inseparable from you” – but hackers have illustrated this is not the case by reproducing fingerprints and fooling facial recognition software with photos or 3D models.
• Another reason biometrics aren’t considered a factor of authentication by many is that they are, by their very nature, public. You walk around with your face uncovered, you leave your fingerprints everywhere, and even your retina scan is available to your optometrist. For that reason, many consider biometrics to be a factor of identification, not authentication.

Additional Resources:
• It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct: https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512578(v=technet.10)


One Time Passwords (OTP)

• Individual token created and tied to a seed.
• Hashing function runs on seed and current time to generate a One Time Password (OTP).
• Token contains seed + hardware\software to perform token hash.
• Token and backend hash(seed + time) must match, proving they both had the original seed!

Slide illustration: something you know is the PIN (“My PIN is 6789”); something you have is the OTP token, currently displaying ABC123. The user logs in with Username: HR1, Password 1: 6789, Password 2: ABC123.

Key Notes:
• One time passwords are typically contained in OTP tokens, and fulfill the “what you have” authentication factor.
• OTP tokens can be physical or virtual. Many different brands and types from various vendors exist (e.g. RSA SecurID, Symantec VIP, HID ActivID).
• How do these tokens usually work?
• No network connectivity required.
• The token device (or soft token) has a secret unique “seed record” that exists both on the device (or software) and on the backend authentication server. The device and server input the seed record and the current time into a publicly known algorithm to generate a unique PIN or password.
• The algorithm is specifically designed as a sort of ‘one-way function’ in which it is near impossible to determine the seed record from the output.
• The unique seed record cannot be transferred between devices, so that device becomes a “what you have”.
• Devices vary in functionality; for example, HID-brand devices typically require a PIN to be entered before the OTP is displayed. This prevents the PIN from being compromised by a malicious key logger on the user’s PC.
• OTP tokens can be used as the first authentication method when using Citrix Gateway.
• This will help protect Active Directory from brute force attacks, account lockouts, and DDoS.
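The “hash(seed + time)” mechanism described above, written out as an added example. This is not code from the Citrix course; it implements the time-based OTP algorithm of RFC 6238 (HMAC-SHA1 over a 30-second counter, as most soft tokens use) and the backend check that tolerates a little clock drift. The seed is the RFC 6238 reference-vector seed and the two-password login mirrors the slide (PIN 6789 plus token code); in a real deployment the seed store is the asset to protect, since anyone holding the seed can compute every future code.

```python
import hashlib
import hmac
import struct

# Constructed seed for illustration; it is the RFC 6238 reference-vector seed.
# A real token seed is a random secret provisioned once and never transmitted again.
DEMO_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HMAC-SHA1 over the time counter, dynamically
    truncated (RFC 4226) to `digits` decimal digits. Token and server both run this."""
    counter = unix_time // step                       # same counter on both sides
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Backend check: recompute the code for the current step and up to `window`
    steps either side, so a token whose clock drifted slightly is still accepted."""
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):  # constant-time comparison
            return True
    return False


def check_login(seed: bytes, pin_on_file: str, password1: str, password2: str,
                unix_time: int) -> bool:
    """The two-password login from the slide: password 1 is the static PIN
    (something you know), password 2 is the token code (something you have)."""
    pin_ok = hmac.compare_digest(pin_on_file, password1)
    return pin_ok and verify_totp(seed, password2, unix_time)
```

The acceptance window is the trade-off the backend administrator tunes: a wider window absorbs more clock drift but also lengthens the time during which an observed code remains usable, which is why a code should additionally be refused once it has been accepted.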


What is RADIUS?

• The Remote Authentication Dial-In User Service, or RADIUS, is an open network protocol providing Authentication, Authorization, and Accounting (AAA) services.
• It is commonly used as a multi-factor protocol and is used by many vendors to implement OTP systems.
• RADIUS is supported for both Citrix ADC system management and Citrix Gateway user connections.
• StoreFront needs Citrix ADC to perform RADIUS authentication.

Key Notes:
• RADIUS is the protocol that allows different third parties to authenticate using OTP systems.
• An authenticating system “speaks” RADIUS to an OTP vendor server to pass along token information entered by the user.
• The OTP system returns pass\fail conditions over RADIUS back to the authenticating entity.

Additional Resources:
• RADIUS Protocol and Components: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726017(v=ws.10)


Citrix Gateway and RADIUS Authentication

[Diagram: Endpoint -> (1) Citrix ADC / Citrix Gateway -> (2) RADIUS Server -> (3) result back to Citrix ADC -> (4) Domain Controller; StoreFront and the Site sit behind the Gateway.]

1. User sends username, password, and token credentials to Citrix Gateway.
2. Citrix Gateway forwards the token credentials to the RADIUS server.
3. If RADIUS confirms the token credentials, Citrix Gateway sends the LDAP credentials to a Domain Controller.
4. If the LDAP credentials are validated by the Domain Controller, the rest of the enumeration and launch processes continue normally.

Key Notes:
• Remember that all the standard Windows OS authentication still happens on the backend.
• The Citrix Virtual Apps and Desktops backend passes the user\password into the session just like in an explicit authentication scenario.
• When configuring multi-factor authentication, the order in which the factors are authenticated can provide additional protection against DDoS attacks.
• In this example, if LDAP is the first factor, an external DDoS attack could target the Domain Controllers, even though the attackers have not authenticated and are outside the internal network!
• Instead, place hardened, dedicated authentication mechanisms such as a RADIUS server as the first authentication factor in order to prevent this scenario.
• Any of the authentication mechanisms that are supported on the Citrix ADC appliance can be configured as any factor of the nFactor authentication setup. These factors are executed in the order in which they are configured.
• Tokens can be compromised fairly easily, since many are not protected by PINs or passwords. They are also susceptible to man-in-the-middle attacks, since the token information is sent across the wire.
• Smart cards can solve some of these problems; these will be covered in the next lesson.


Lesson Review

What Citrix component can be used to implement two-factor authentication involving a RADIUS server for a Citrix Virtual Apps and Desktops environment?

Citrix ADC supports n-factor authentication; RADIUS is supported as a possible factor.


Multi-factor Authentication
Smart Card Authentication



Smart Cards with Citrix Virtual Apps and Desktops

[Image: a sample United States Government ID card for John Doe, annotated on the slide with Factor #1 and Factor #2.]

• Supported natively through StoreFront with IIS
• Requires TLS
• Cert. trust must fully be in place
• StoreFront auto-configures IIS SSL configs (can be tested)
• Bimodal authentication available in StoreFront
• Middleware may be needed on client and VDA machine
• ActivClient, SafeNet (Gemalto)

Key Notes:
• How do smart cards provide multi-factor authentication?
• Identification: User certificate
• Authentication factor #1: PIN
• Authentication factor #2: Proof of private key (digital signatures and public key decryption)
• Smart cards rely on certificates and their associated public and private keys
• PKI provides a system of encryption and identity verification.
• Symmetric encryption uses the same key to encrypt and decrypt.
• Asymmetric encryption uses public/private key pairs to encrypt/decrypt.
• Smart cards rely on asymmetric cryptography using public/private key pairs
• Public Key – A key used to encrypt data to be sent to an authorized entity. Known to everyone.
• Private Key – A key used to decrypt data that has been encrypted with a corresponding Public Key. Known only to the intended receiver.
• Certificates provide proof of identity and identity of issuer
• Certificates can be revoked, via a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP)
• Smart Cards with Virtual Apps and Desktops
• When we say domain-joined, we also require the user to log on to that client with the same smart card certificate they wish to use on Citrix Virtual Apps and Desktops.
• Common healthcare SSO badge reader solutions do not use the same mechanisms and do not have the same requirements.
• StoreFront allows for bimodal authentication, meaning the user can select either explicit or smart card authentication once they reach the StoreFront server.
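The two smart card factors listed in the Key Notes (PIN unlocks the card; the card then proves possession of the private key by signing a challenge) and the revocation check, as an added example. This is not code from the Citrix course and not how any real card or middleware is implemented: the RSA key pair is a toy built from two small, well-known primes so the arithmetic is visible, the “certificate” is a dictionary binding a subject name to the public key, and the CRL is a constructed set of revoked serial numbers. A real card holds a 2048-bit key in a tamper-resistant chip and the relying party validates a proper X.509 chain.

```python
import hashlib
import secrets

# Toy RSA key pair from two well-known small primes (constructed for illustration only;
# real smart cards use 2048-bit keys generated and kept inside the card's chip).
P, Q = 104729, 1299709
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed "certificate" binding the user's identity to the public key, and a
# constructed CRL listing revoked certificate serial numbers.
USER_CERT = {"serial": 4711, "subject": "John Doe", "public_key": (N, E)}
CRL = {1234, 9999}


class SmartCard:
    """The private key never leaves the card; the PIN only unlocks the signing operation,
    and repeated wrong PINs lock the card."""

    def __init__(self, private_key, pin):
        self._key = private_key
        self._pin = pin
        self.failed_attempts = 0

    def sign(self, pin, challenge: bytes) -> int:
        if self.failed_attempts >= 3:
            raise PermissionError("card locked")
        if pin != self._pin:
            self.failed_attempts += 1
            raise PermissionError("wrong PIN")
        n, d = self._key
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
        return pow(h, d, n)                          # factor #2: proof of private key


def verify(public_key, challenge: bytes, signature: int) -> bool:
    """Anyone holding the certificate's public key can check the signature."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
    return pow(signature, e, n) == h


def authenticate(card, pin, cert, crl, challenge: bytes = None):
    """Relying-party logic: refuse revoked certificates, then demand a signature over a
    fresh challenge so a copied certificate alone is worthless."""
    challenge = challenge or secrets.token_bytes(32)  # fresh nonce defeats replay
    if cert["serial"] in crl:
        return False, "certificate revoked"
    try:
        signature = card.sign(pin, challenge)       # factor #1: PIN checked by the card
    except PermissionError as exc:
        return False, str(exc)
    if not verify(cert["public_key"], challenge, signature):
        return False, "signature invalid: private key does not match certificate"
    return True, cert["subject"]
```

Note what the PIN never does here: it is checked by the card and is never sent to the relying party, which is also why the PIN prompts discussed on the next slides are local to each hop that needs the card to sign.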


Smart Cards with Virtual Apps and Desktops
Considerations

Smart Card Removal Behavior
• When the user removes their smart card from the PC or attached reader, one of the following occurs, based on the “Smart card removal behavior” GPO setting:
– Workstation is locked
– Session is disconnected (for remote sessions)
– User is logged off
– No action (session stays active)

Smart Cards and WAN Network
• Smart cards were never meant to operate over a WAN, and thus are highly sensitive to latency.
• Because certificates have to be exchanged over the wire, logon times can increase significantly when default settings are used.

Smart Card Updates on Virtual Apps and Desktops
• PIV smart card authentication support has been added for Director access.
• Fast smart card feature that improves performance in high-latency WAN scenarios.

Key Notes:
• Starting in XenApp and XenDesktop 7.17, apart from the form-based and Integrated Windows authentication of users, Director now supports Personal Identity Verification (PIV) based smart card authentication.
• This feature is useful for organizations and government agencies that use smart card based authentication for access control.
• Starting in XenApp and XenDesktop 7.18, support for the fast smart card feature addresses high-latency WAN scenarios.
• Fast smart card is enabled by default on the hosts that are running Windows Server 2012, Windows Server 2016, or a minimum of Windows 10.
• To enable fast smart card on the client side, configure the SmartCardCryptographicRedirection parameter in default.ica.

Additional Resources:
• Smart cards: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/smart-cards.html
• Configure PIV smart card authentication (for Director): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/director/install-and-configure/configure-smart-card.html


Smart Card PIN Prompts with Citrix Virtual Apps and Desktops

• Typically a user authenticating into a Citrix Virtual Apps and Desktops published resource with a smart card will receive one or more PIN prompts:
• PIN prompt at IIS\Citrix Gateway during authentication unless cached (or using Kerberos)
• PIN prompt at Citrix Gateway during resource launch if set for “Client Cert: Required”
• Non-domain joined Citrix Workspace app must enter PIN again at Windows (no SSOn)
• Domain-joined Citrix Workspace app with SSOn configured may not require a third PIN

Key Notes:
• A Smart Card PIN can be cached by middleware such as ActivClient, which will automatically respond to the prompt for PIN. Or, if Kerberos is configured for Citrix Workspace app or Citrix Workspace for web, then a Kerberos ticket can be used to authenticate to StoreFront.
• If Citrix Gateway is set to require a client cert, then the user is prompted again on application launch through a Gateway.
• If Single Sign-On is not configured (so that the PIN is captured by the winlogon component), then a user will receive a PIN prompt at the Windows OS level. To prevent this, the SSOn configuration must be in place and the user must be logging on to a machine with the same Smart Card they wish to log on to Citrix Virtual Apps and Desktops with.
Smart Card Authentication Flow
Domain-joined machine with Citrix Virtual Apps and Desktops

[Diagram: Endpoint (Winlogon, SSONSVR.exe, Web Browser, Desktop Toolbar, ICA Client Engine) -> StoreFront -> Delivery Controller (FMA); Domain Controller; Virtual Delivery Agent (Winlogon, VDA); Backend Services. The numbered arrows 1-14 correspond to the steps below.]

Key Notes:
• Similar to a user\password authentication flow, except we cannot cache the PIN on the backend. For SSOn we rely on our client processes to grab the PIN and present it inside the HDX session on logon.
• Another option for authentication to IIS would be IWA (Kerberos) instead of PIN.
• The process runs as follows:
1. The user logs on to the endpoint with the smart card. Winlogon validates the PIN and accepts the smart card certificate. Winlogon authenticates against the domain controller and requests the TGT. The domain controller checks the certificate validity (this replaces the use of a password to authenticate).
2. As part of Single Sign-on, SSONSVR.exe stores the user’s PIN.
3. The web browser sends the smart card PIN to StoreFront.
4. StoreFront communicates with the domain controller to validate that the client machine is a trusted device.
5. After a successful validation, StoreFront sends the client’s SID to the Delivery Controller.
6. The Delivery Controller generates a launch reference for the requested published resource and sends it to StoreFront.
7. StoreFront generates an ICA file which includes the launch reference and sends it to the client.
8. The client device’s web browser passes the launch reference to the Desktop Toolbar, which forwards it to the ICA Client Engine.
9. The ICA Client Engine obtains the smart card PIN, which was stored by the Single Sign-on process.
10. The ICA Client Engine passes the launch reference and PIN to the VDA machine.
11. The VDA checks with the DDC to validate that the launch request is coming from an authorized machine, and to perform some other checks related to previous sessions, etc. If the SID provided by the VDA matches the SID that the Delivery Controller had previously stored, the Delivery Controller validates the connection.
12. The VDA service sends the PIN to Winlogon. Winlogon validates the PIN with the endpoint, and receives the smart card certificate in return.
13. Winlogon authenticates against the domain controller by using the smart card credentials.
14. At this stage, if the client needs a connection to other backend servers like Outlook or SharePoint, then the VDA will use the smart card credentials to request a TGT\Service ticket for the requested server.


Citrix Gateway + Smart Card Authentication

[Diagram: Endpoint, Citrix Gateway (NetScaler), Domain Controller, Delivery Controller and VDA, with numbered arrows 1-6 corresponding to the steps below.]

Key Notes:
1. User sends PIN and Smart Card certificate to Citrix Gateway.
2. Citrix ADC pulls AD attributes from the certificate and performs LDAP translation to obtain the sAMAccountName or UPN.
• As a secondary authentication mechanism, LDAP can be used to translate to sAMAccountName or UPN from any AD attribute on the certificate. The translation step is not necessary if the cert has sAMAccountName or UPN as one of its attributes.
3. Citrix ADC passes the sAMAccountName or UPN to StoreFront. StoreFront uses the callback URL to validate that the request is valid.
4. StoreFront requests the endpoint machine SIDs from the domain controller and forwards them to the Delivery Controller. At this point, available resources are enumerated.
5. When the endpoint attempts to launch a published resource, StoreFront obtains an STA ticket for the requested resource and sends it to the client along with the ICA file.
6. The client re-enters the PIN in order to log into the VDA via Citrix Gateway. This PIN prompt is avoided if Single Sign-on is configured.


Lesson Review

Scenario: You are a Citrix Administrator who has recently configured Smart Card authentication for a Virtual Apps and Desktops environment. Users with managed devices must authenticate via Citrix Gateway. No middleware is caching PINs, and the Gateway is set for “User Cert: Mandatory”. Single sign-on has been set up for the environment, and users use the same credentials to access their endpoints and the Citrix environment. How many PIN prompts would the user see here and why?

One PIN prompt at the initial Citrix Gateway logon. A second PIN prompt at Citrix Gateway during session launch. The final Windows OS PIN prompt is taken care of by the SSOn configs in this case, so there will be two prompts total.


Federated Authentication
Active Directory Federation Services (ADFS),
Security Assertion Markup Language (SAML),
and Citrix Federated Authentication Service (FAS)



Introduction to Federated Identity

[Diagram: a user juggling separate credentials (Site password, App password, Work password, ATM PIN) contrasted with a single Identity Provider.]

• The problem: too many accounts; too many passwords.
• Every new partner, customer, or SaaS vendor has its own separate identity system
• But users want SSO, and app owners don’t want to manage accounts
• Kerberos only provides SSO within a domain\Kerberos realm
• The solution: SSO using federated identity
• Links users’ identity and other attributes across multiple distinct identity management systems
• Allows a single set of credentials for user authentication to Intranet or Internet applications

Key Notes:
• The Goal - SSO everywhere
• The web is full of interactive applications that users can visit by simply clicking a hyperlink. Once they do, they expect to see the page they want, possibly with a brief stop along the way to log on.
• Users also expect websites to manage their logon sessions, although most of them wouldn't phrase it that way. They would just say that they don't want to retype their password over and over again as they use any of their company's web applications.
• For claims to flourish on the web, it's critical that they support this simple user experience, which is known as single sign-on.
• Doesn’t Kerberos provide SSO already?
• Kerberos is only SSO within a domain - If you've been a part of a Microsoft® Windows® domain, you're already familiar with the benefits of single sign-on. You type your password once at the beginning of the day, and that grants you access to a host of resources on the network.
• Indeed, if you're ever asked to type your password again, you're going to be surprised and annoyed. You've come to expect the transparency provided by Integrated Windows Authentication.
• Domain controllers are isolated for protection, which limits their reach. Ironically, the popularity of Kerberos has led to its downfall as a flexible, cross-realm solution.
• Because the domain controller holds the keys to all of the resources in an organization, it's closely guarded by firewalls. If you're away from work, you're expected to use a VPN to access the corporate network.
• Kerberos is inflexible in the attribute info it provides.
• Kerberos tickets only give you a user's account and a list of groups. What if your application needs to send email to the user? What if you need the email address of the user's manager?
• This starts to get complicated quickly, even within a single domain. To go beyond the limitations of Kerberos, you need to program Active Directory. This is not a simple task, especially if you want to build efficient Lightweight Directory Access Protocol (LDAP) queries that don't slow down your directory server.


Federated Identity Solutions Utilize Claims-based Identity

Claim
• A statement that one subject makes about itself or another subject.
• E.g. username, email address, group membership, privilege level, surname.

Security Token
• A bundle of claims that is digitally signed by the issuer who created it

Issuer (e.g. ADFS, Okta, and Ping)
• A trusted authority that issues claims & tokens
• Typically responsible for authenticating the user

Relying Party (e.g. ShareFile)
• The claims-based application that trusts the issuer to provide identity/authentication

Additional Resources:
• An introduction to claims: https://msdn.microsoft.com/en-us/library/ff359101.aspx


Claims-based Identity Example
[Diagram: the check-in desk provides a boarding pass based on claims; security validates the “token” by asking for an additional authentication factor (e.g. license or passport); the boarding agent accepts the token and provides access to the service.]

• A real world example – the airport!
• Issuer: Check-in desk
• Token: Boarding pass
• Relying Party: Gate crew
• Claims: Passenger name, flight number, seat number, frequent flyer status, etc.
• Claims-based identity frees the application from the burden of authentication
• Claims-based authentication requires an explicit trust relationship with the issuer…applications/resources believe a claim about a user only if they trust the entity that issued the claim

Key Notes:
• A very familiar analogy is the authentication protocol you follow each time you visit an airport. You can't simply walk up to the gate and present your passport or driver's license.
• Instead, you must first go through a security checkpoint. Here, you present whatever credential makes sense.
• If you're going overseas, you show your passport. For domestic flights, you present your driver's license.
• After verifying that your picture ID matches your face (authentication), the agent checks your boarding pass to verify that you've paid for a ticket (authorization). Assuming all is in order, you are allowed to proceed to the terminal and ultimately, the gate.
• A boarding pass is very informative. Gate agents know your name and frequent flyer number (authentication and personalization), your flight number and seating priority (authorization), and perhaps even more. The gate agents have everything that they need to do their jobs efficiently.
• There is also special information on the boarding pass. It is encoded in the bar code and/or the magnetic strip on the back. This information (such as a boarding serial number) proves that the pass was issued by the airline and is not a forgery.
• In essence, a boarding pass is a signed set of claims made by the airline about you. It states that you are allowed to board a particular flight at a particular time and sit in a particular seat. Of course, gate agents don't need to think very deeply about this. They simply validate your boarding pass, read the claims on it, and let you board the plane.
• It's also important to note that there may be more than one way of obtaining the signed set of claims that is your boarding pass. You might go to the ticket counter or kiosk at the airport, or you might use the airline's web site and print your boarding pass at home. The gate agents boarding the flight don't care how the boarding pass was created; they don't care which issuer you used, as long as it is trusted by the airline. They only care that it is an authentic set of claims that give you permission to get on the plane.
• In software, this bundle of claims is called a security token. Each security token is signed by the issuer who created it. A claims-based application considers users to be authenticated if they present a valid, signed security token from a trusted issuer.


Active Directory Federation Services (ADFS) and Security Assertion
Markup Language (SAML)
SAML is the protocol that describes how an entity authenticates to an Identity Provider (such as ADFS) to access a
resource from a Service Provider.

[Sequence diagram: Client (web browser), Service Provider, Authorization Server (IDP).
1. User accesses URL in app; app generates auth request.
2. HTTP POST to AS with auth request; auth request is passed and verified.
3. User is sent to logon page at AS; user logs in.
4. SAML token is generated; redirect to app with SAML token.
5. User is logged in to service provider.]

Key Notes:
• SAML stands for Security Assertion Markup Language.
• It is an XML-based open standard used for exchanging authentication and authorization data between security domains.
• In other words, between an identity provider (ADFS, Google, Okta, etc.) and a service provider (such as ShareFile, SalesForce or Workday).
• An identity provider is a trusted provider that enables you to use SSO to access other Web sites.
• A service provider is a Web site that hosts applications.
• Similar to ADFS, SAML is also a claims-based protocol. ADFS can speak SAML.
• ADFS 2.0 supports SAML 1.1 & 2.0 tokens and protocol
• Use cases:
• Partners & Contractors
• What happens when 3rd parties need to access a XenApp resource?
• XenApp admin must maintain 3rd party user accounts in AD (creation, modification, deletion, support)
• 3rd party users must remember username/password
• Mergers & Acquisitions
• Two companies merge, resulting in two Active Directory forests
• IT teams must create accounts for the other organization’s users
• Multiple logons, forgotten passwords, help desk calls
• Multi-tenant management
• What happens when an organization’s identity provider is not Active Directory?
• Non-AD Identity Provider must be synced with Active Directory
• Users must use Active Directory username and password to log into XenApp and XenDesktop
• Multiple logons
• SAML vs. ADFS Terminology
• Attributes = Claims
• Identity Provider (IdP) = Account Provider / Issuer / Claims Provider
• Service Provider (SP) = Relying Party
• SAML tokens contain assertions and claims about the authenticating party
• Identity and other attributes
• Authentication mechanism used
• The SAML authentication flow is also used by ADFS:
• Step 1: The user browses to the URL of the web application, which is also referred to as the Service Provider (SP).
• Step 2: The web application generates a SAML authentication request, and passes it to the Authorization Server.
• Step 3: The client web browser is redirected to the AS’s logon page. The user enters the credentials necessary to authenticate with the AS.
• Step 4: After successful authentication, the AS generates a SAML token, which is sent to the SP.
• Step 5: After validating the SAML token, the SP allows the client to access the web application.

Additional Resources:
• ADFS Technical Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-technical-reference
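What “validating the SAML token” in Step 5 means for the Relying Party, as an added example that also grounds the Claim / Security Token / Issuer / Relying Party definitions from the claims-based identity slides. This is not code from the Citrix course or from any SAML library: it parses a constructed SAML 2.0 Response (hostnames in the reserved .test domain) and applies the checks a Service Provider must make before believing the claims in it: the token matches a request this SP issued, the Issuer is one the SP explicitly trusts, the assertion is inside its NotBefore/NotOnOrAfter window, and the Audience names this SP. Verification of the XML digital signature over the assertion is assumed to be done by a library and passed in as `signature_ok`; everything else is in the block.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML Response, shaped like what an IdP such as ADFS returns after Step 4.
# The hosts use the reserved .test domain and are not real systems.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>hr1@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-06-01T12:00:00Z" NotOnOrAfter="2020-06-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://gateway.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>HR</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in xs:dateTime form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, expected_request_id, now, signature_ok):
    """Relying-party checks before the claims are believed. `signature_ok` is the result of
    XML-DSig verification against the issuer's signing certificate (assumed to be done by a
    SAML library; not implemented here). Returns (claims, reason); claims is None on failure."""
    if not signature_ok:
        return None, "signature not verified"
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:        # replayed or unsolicited token
        return None, "response does not match an outstanding request"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no assertion"
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:                           # claims need a trusted issuer
        return None, "untrusted issuer: " + str(issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return None, "no conditions"
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        return None, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:                            # token minted for another SP
        return None, "assertion intended for a different audience"
    claims = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
              for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "claims": claims}, "ok"
```

Each check answers a different question from the airport analogy: the signature proves the boarding pass is not a forgery, the issuer check is the gate crew refusing a pass from an airline they have no agreement with, and the audience and validity checks stop a genuine pass for a different flight or day from being accepted. For responses received from the network, parse with a hardened parser such as defusedxml rather than xml.etree directly.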


Citrix and Federated
Authentication Service (FAS)
Overview

[Diagram: Users at a Vendor authenticate to a SAML Identity Provider backed by Active Directory; in the Corporate Network, Citrix Gateway -> StoreFront -> Controller -> VDA, alongside the FAS Server, Certificate Authority and Active Directory.]

• The Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services.
• Allows StoreFront to use a broader range of authentication options, such as SAML.

Key Notes:
• By using federation, you don’t need to issue and manage passwords for your partners’ personnel, nor do you have to worry about how to lock down their access to just this entry point and those apps. The external users don’t get passwords for your environment and so can only come in via the gateway configured to accept them. Importantly, this puts responsibility for confirming the authenticity and status of the external users where it belongs, with the partners themselves.
• This is the ultimate in authentication flexibility for Windows. And the beauty of FAS is that you are not compromising the capability of the Windows session if you choose to go password-free. With XenApp 6.5 and earlier, we had long offered the ability to do a domain logon without a password, but the mechanism was based on Kerberos delegation, which brought limitations that, in some cases, affected the service quality that could be delivered.
• Who creates/manages the virtual smart cards?
• The Federated Authentication Service has a Registration Authority / Enrollment Agent certificate that automatically requests and stores each user’s virtual smart card.
• Security Considerations
• The virtual smart cards are stored as non-exportable private keys by the network service. Low-level cryptographic configuration is available in the FederatedAuthenticationService.exe.config file, allowing admins to change the encryption and protection of the virtual smart cards.
• Use case example
• Google Apps and Windows apps from a Chromebook. If my company is using Google apps, my users all have a Google account. If they have Win apps, they also have an AD account. Right now, my users log in to Google to get Google apps, then they log in to AD to get Win Apps via XA/XD. Two separate accounts are needed.
• With XA/XD 7.9+ FAS, my user can log in to Gmail via FAS, and their Gmail account is associated with an AD account and they get access to their Win and Google apps via one, non-Windows account (Better UX).
• If the Gmail account is compromised, the company can disconnect the link between Gmail and Windows AD and the compromised Gmail account doesn’t have access to business critical Windows apps.
• The other benefit of this approach is the ‘password free’ part, where the Gmail users only have to worry about their Google password and there is no additional password required to associate and authenticate to AD. Everyone needs an AD account or a mapping to an AD account to get their Win Apps, but the accounts can be generic/shared.

Additional Resources:
• Federated Authentication Service: https://docs.citrix.com/en-us/federated-authentication-service/1912.html


FAS Architecture Communication
Step 1 - Authentication
[Diagram: FAS architecture, as on the Overview slide.]

1. Remote user authenticates to SAML Identity Provider and is issued a SAML token.



FAS Architecture Communication
Step 2 – Citrix Gateway
[Diagram: FAS architecture, as on the Overview slide.]

1. Remote user authenticates to SAML Identity Provider and is issued a SAML token.
2. User connection is forwarded to NetScaler Gateway, which validates the SAML token against the Identity Provider.


FAS Architecture Communication
Step 3 - StoreFront
[Diagram: FAS architecture, as on the Overview slide.]

3. NetScaler Gateway converts the SAML token to a username and forwards the request to StoreFront.


FAS Architecture Communication
Step 4 - FAS

[Diagram: FAS architecture, as on the Overview slide.]

4. StoreFront forwards the username to FAS, which requests a certificate from the CA for the Session.


FAS Architecture Communication
Step 5 - Certificate
[Diagram: FAS architecture, as on the Overview slide.]

5. The certificate is used to mimic a smart card logon through the rest of the process.


Implementing FAS with Citrix Virtual Apps and Desktops
Requirements and Setup Process

• Install FAS on separate secured server
• Upgrade all components to 7.9 or higher
• StoreFront must be 3.6 or higher
• Deployment procedure:
• Install FAS
• Enable FAS on StoreFront using PowerShell script.
• Configure Group Policy
• Deploy templates
• Configure CA
• Authorize FAS
• Configure User Rules


Lesson Review

Can SAML authentication be configured on Citrix Virtual Apps and Desktops 7 environments without the use of the Federated Authentication Server (FAS)?

No, although this was possible with XenApp 6.x, FAS is required for SAML authentication with Citrix Virtual Apps and Desktops 7.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 04

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Lab Exercise

• Exercise 4-1: Install the Federated Authentication Service (FAS)
• Exercise 4-2: Integrate FAS with Citrix Virtual Apps and Desktops
• Exercise 4-3: Configure and Test FAS
• Exercise 4-4: Integrate FAS with ADFS and SAML
• Exercise 4-5: Test SAML authentication using ADFS and FAS


Key Takeaways

• Multifactor authentication can be configured for Citrix Virtual Apps and Desktops by using Citrix Gateway.
• The number of smart card PIN prompts that appear for users will depend on how Citrix Gateway and Citrix Workspace app are configured.
• Citrix Federated Authentication Service allows StoreFront to use a broader range of authentication options, such as SAML.


Citrix Virtual Apps and Desktops 7
Advanced Deployment, Troubleshooting, Security and Administration
Improve App and Data Security

Module 5


Learning Objectives

• Define Defence in Depth and recognize how attackers can compromise Citrix Virtual Apps and Desktops Site security using the jailbreak method.
• Identify the different methods used to implement Defence in Depth security in a Citrix Virtual Apps and Desktops environment.


Introduction to Application Security


Define Defense in Depth Security Principle

• One of the most important principles of security is called defense in depth (also known as the castle approach).
• The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.
• A Citrix environment is layered and needs to be secured at each layer.

Key Notes:
• In a Citrix Virtual Apps and Desktops environment, the StoreFront or Citrix Gateway (positioned in the DMZ) is merely pass-through authentication for the backend Citrix resources. The applications and environments reside on the Citrix Virtual Apps and Desktops Site, potentially providing an attacker a shell in this private network when compromised.
• Thus, it is important to understand the architecture and possible consequences of a Citrix jailbreak should it occur. The question should be asked: “If a jailbreak were to occur, would the attacker have a foothold into the internal network?”


• Here we look at what an attacker would do in a scenario where they have access to a single published application.


Breaking Out of the Application
Attacker Example

• Application A (Notepad) is published to Domain Users.
• An attacker has compromised an account and can successfully establish a session.

[Diagram: Attacker Endpoint -> Published Resource -> XenApp Server hosting App A through App F]

Key Notes:
• In the first step, the attacker has been able to get access to one of the domain accounts (perhaps via social engineering). They are using a test account that was not properly secured (predictable password stored in one of the text files).
• They were able to find Notepad, which is published to Domain Users (used for testing of the Citrix Virtual Apps functionality). At this moment, they can establish a session inside the secured perimeter even with this limited account.


Breaking Out of the Application
Attacker Example

• The attacker will try to gain access to a shell or a more useful application.
• Now the attacker has access to the file system and all the other applications.
• Always assume that the attacker will be able to break out of the application.

[Diagram: Attacker Endpoint -> Published Resource -> XenApp Server hosting App A through App F]

Key Notes:
• The HDX session is running on the same server as other (more important) applications. The attacker’s next step is to jailbreak from the application – switch to a more useful application. There are many different approaches to this – in an unsecured Citrix environment, they can just use Ctrl + F1 to start Task Manager and from there they can start any executable.
• As soon as the attacker jailbreaks from a published application, they effectively have access to the rest of the system and any other applications that are installed on the same server.
• Jailbreaking is the ability to abuse an application running in a virtualized or physical environment to launch other applications, spawn command shells, execute scripts and perform other unintended actions prohibited by administrators. Application jailbreaking can provide an attacker with an initial foothold into the environment and domain.
• This is the “blind side” for most Citrix deployments and their administrators.
• Citrix Virtual Apps and Desktops deployments are typically driven by an application, or a group of them. Having these published resources always available is the highest priority for most deployments.
• Security, beyond what is needed for application X to work, seldom happens.
• Publishing filtering should not be considered a security feature. Applications that are installed on the same server are easily accessible.


Lesson Review

A Citrix Virtual Apps and Desktops environment has been configured to use multifactor authentication for all external HDX sessions. Will this prevent all attacks on the environment? Why or why not?

No, it is still possible for an attacker to gain access to credentials and/or endpoints via social engineering or a man-in-the-middle attacker (e.g. disgruntled employee). As a result, a defense in depth approach should be used so that additional layers of protection can prevent or at least mitigate the damage an attacker can do.

Key Notes:
• No single security practice, product, or feature discussed in this course is sufficient to prevent all attacks on its own. By implementing multiple layers of security, performing an attack without detection is made much more difficult.


Preventing Jailbreak Attacks


User Assignments
Using Group Nesting

[Diagram: Published Resources are assigned to Group A, Group B and Group C; those groups are nested as members of CTX-Core, and CTX-Core alone holds the Remote Desktop Users membership and the NTFS permissions on the User Profiles \ Folder Redirection share]

Key Notes:
• For many years, the leading practice has been to use Active Directory groups for resource assignment and not to publish applications to specific users. This is not only for security, but also to simplify management.
• A leading practice is to refrain from publishing applications to all users. Don't publish applications to Domain Users. Don't publish applications to Authenticated Users. Try to limit the access as much as you can.
• Avoid publishing to non-specific users, typically anonymous accounts or user accounts that are shared by multiple users. If such accounts are required for a certain use case (such as kiosks or hospital stations), additional measures must be taken to isolate and lock down the resources that are accessed.
• Principle of Least Privilege
  • While almost everyone understands the reason behind the Principle of Least Privilege (PoLP), very few people realize that it should be applied to all types of user accounts. The following example is something that Citrix Consulting has often seen in the field:
    • Most customers are using groups for publishing (which is great). During the Design phase of a new environment, they create Active Directory groups for every application or Active Directory groups for a group of applications, and that's what is used to limit the access.
    • After the Build phase starts, it soon turns out that there are additional groups and permissions required.
      • Membership in the local Remote Desktop Users group needs to be provided.
      • NTFS and share permissions are required for UPM profiles or folder redirection.
    • As these permissions are required for all Citrix users, Domain Users or Authenticated Users are used most of the time. This is one of the examples where people don’t follow PoLP and don’t realize it.
  • There are customers that take this to the other extreme. They create too many groups and have very granular access permissions.
    • Instead of using Domain Users, they have one group to provide access to Remote Desktop Users, another group to provide access to the user profile or Folder Redirection.
    • Not only is this much harder to manage (users calling “I see the application, but cannot start it”), but it’s also less secure over time.
    • When you are removing access, you need to remember not only to remove access to the published application(s), but also to remove the user from all of these groups. What happens very often is that some of these permissions are forgotten during deprovisioning.
  • A leading practice is to implement group nesting, which many customers are already using. We start with a typical scenario -- one Active Directory group for each published application or group of published applications. We create one central group, called for example CTX-Core (it’s often called “all users” or similar).
  • What we do next is add all of the groups that are used for publishing as members of this central group.
  • Finally, all required permissions are assigned to this new group. When a user is added to any of the published applications, they get all the required backend permissions automatically.
  • This approach not only makes it easy to provision access (users are just assigned to published applications), but deprovisioning is much easier as well. Once a user is removed from the last AD group used for publishing, they inherently lose permissions to all shared resources (shares, NTFS, ability to log on remotely).
• Restrict Remote Desktop Services Access
  • According to Microsoft, by default the group Remote Desktop Users is granted the logon right "Allow log on through Remote Desktop Services" (except on domain controllers).
  • Permissions can be managed on a per-connection basis in Remote Desktop Session Host Configuration.
  • Your organization's security policy may state explicitly that this group should be removed from that logon right. Consider the following approach:
    • The Virtual Delivery Agent (VDA) for Server OS uses Microsoft Remote Desktop Services. You can configure the Remote Desktop Users group as a restricted group, and control membership of the group via Active Directory group policies. Refer to Microsoft documentation for more information.
    • For other components of Citrix Virtual Apps and Desktops, including the VDA for Desktop OS, the group Remote Desktop Users is not required. So, for those components, the group Remote Desktop Users does not require the logon right "Allow log on through Remote Desktop Services"; you can remove it.
    • Additionally:
      • If you administer those computers via Remote Desktop Services, ensure that all such administrators are already members of the Administrators group.
      • If you do not administer those computers via Remote Desktop Services, consider disabling Remote Desktop Services itself on those computers.
  • Ensure that there are no unauthorized groups in the Direct Access local group, which allows unfettered RDP access. Users with Direct Access permissions could also rewrite an ICA file and access unauthorized applications on a VDA.
• Enforcing Contents of Local Users and Groups
  • Apply the following settings to the local Administrator account or group using GPO:
    • Deny access to this computer from the network
    • Deny log on as a batch job
    • Deny log on as a service
    • Deny log on through Remote Desktop Services
  • On all versions of Windows currently in mainstream support, the local Administrator account is disabled by default, which makes the account unusable for pass-the-hash and other credential theft attacks.
  • However, in environments that contain legacy operating systems or in which local Administrator accounts have been enabled, these accounts can be used as previously described to propagate compromise across member servers and workstations.
  • On domain-joined machines (such as VDAs) each local Administrator account and group should be secured via GPOs.

Additional Resources:
• Manage logon rights: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/best-practices.html#manage-logon-rights
• Configure Permissions for Remote Desktop Services Connections: https://technet.microsoft.com/en-us/library/cc753032(v=ws.11).aspx
• Securing Local Administrator Accounts and Groups: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-administrator-accounts-and-groups
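An added PowerShell audit of the group-nesting and logon-right guidance above; this is example code, not part of the course material. It assumes the ActiveDirectory module, a central group named CTX-Core as in the notes, and a constructed naming convention of CTX-App-* for the per-application publishing groups; the local group check is meant to run on a Server OS VDA.

```powershell
# Added example, not from the course material: audits the group-nesting and
# logon-right guidance in the notes above. Assumes the ActiveDirectory module,
# a central group named CTX-Core (as in the notes) and a constructed naming
# convention of CTX-App-* for the per-application publishing groups.
Import-Module ActiveDirectory

$CoreGroup      = 'CTX-Core'     # assumed name of the central "all Citrix users" group
$AppGroupPrefix = 'CTX-App-'     # assumed prefix of the publishing groups
$BroadGroups    = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

# 1. Every publishing group must be nested in CTX-Core; otherwise its users see
#    the icon but lack the RDS logon right and profile-share permissions.
$coreMembers = Get-ADGroupMember -Identity $CoreGroup |
               Where-Object { $_.objectClass -eq 'group' } |
               Select-Object -ExpandProperty Name
Get-ADGroup -Filter "Name -like '$AppGroupPrefix*'" | ForEach-Object {
    if ($coreMembers -notcontains $_.Name) {
        Write-Warning "Publishing group $($_.Name) is not nested in $CoreGroup"
    }
}

# 2. A broad group nested in CTX-Core hands every domain user the backend
#    permissions, which is the PoLP violation the notes describe.
foreach ($g in $coreMembers) {
    if ($BroadGroups -contains $g) {
        Write-Warning "Broad group '$g' is nested in $CoreGroup"
    }
}

# 3. Users added to CTX-Core directly keep their permissions after their last
#    publishing group is removed, which defeats the deprovisioning benefit.
Get-ADGroupMember -Identity $CoreGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Write-Warning "Direct user member of ${CoreGroup}: $($_.SamAccountName)" }

# 4. On a Server OS VDA (run this part locally), the local Remote Desktop Users
#    group should contain CTX-Core rather than a broad group.
$rdpMembers = @(Get-LocalGroupMember -Group 'Remote Desktop Users')
foreach ($m in $rdpMembers) {
    $shortName = ($m.Name -split '\\')[-1]      # strip the DOMAIN\ or BUILTIN\ prefix
    if ($BroadGroups -contains $shortName) {
        Write-Warning "Remote Desktop Users contains broad principal $($m.Name)"
    }
}
if (-not ($rdpMembers.Name -match "\\$CoreGroup$")) {
    Write-Warning "$CoreGroup is not a member of the local Remote Desktop Users group"
}
```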


Remove Undesired Citrix and Windows Functionality

• Remove HDX session shortcuts and Help keys
• Restrict access to the ICA file
• Disable unneeded HDX channels and redirections
• Remove unneeded devices and drivers
• Restrict access to the command-line, PowerShell, and the registry
• Restrict Control Panel access and functionality
• Limit local VDA machine and client drive access

Key Notes:
• Depending on the session type and version of Receiver or Citrix Workspace app used, users could potentially use HDX session shortcut or help keys to gain unauthorized access to parts of the operating system:
  • Hotkey sequences are key combinations designed by Citrix. For example, in some versions of Receiver/Workspace app, the Shift+F1 sequence reproduces Ctrl+Alt+Delete, and Shift+F2 switches applications between full-screen and windowed mode. You cannot use hotkey sequences with virtual desktops displayed in the Desktop Viewer (that is, with XenDesktop sessions), but you can use them with published applications (that is, with XenApp sessions).


  • Hotkeys that are native to the local operating system typically cannot be used inside an HDX session. However, recent code changes might make this possible for some applications. As always, determine whether a given published app uses hotkeys, and whether those hotkeys should be used in an HDX session.
  • Hotkey mappings might differ (added, changed, or removed) between client versions. Install the corresponding version of Receiver on a test workstation to view the current hotkey mappings available for the deployed version of Receiver.
  • You can also configure combinations of keys that Receiver interprets as having special functionality. When the keyboard shortcuts policy is enabled, you can specify Citrix Hotkey mappings, behavior of Windows hotkeys, and keyboard layout for sessions.
  • Two methods:
    • Group Policy settings for Receiver (good for managed endpoints)
    • Updating the default.ica file
      • For StoreFront use the following location: \inetpub\wwwroot\Citrix%Sitename%\App_Data
  • The Desktop Viewer toolbar includes a button to send CTRL+ALT+DELETE to the VDA, which in turn can enable access to Task Manager.
    • In Desktop Viewer sessions, WIN+L is directed to the local computer.
    • Ctrl+Alt+Delete is directed to the local computer.
    • Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibility features) are normally directed to the local computer.
    • As an accessibility feature of the Desktop Viewer, pressing Ctrl+Alt+Break displays the Desktop Viewer toolbar buttons in a pop-up window.
    • Ctrl+Esc is sent to the remote, virtual desktop (opens Start Menu).
    • Solutions: Disable the Desktop Viewer via StoreFront, update the default.ica file, and disable Task Manager access via GPO.
• Some customers have been known to preconfigure ICA files with a username and password (in clear text!) and provide them to users as an easy way to access published resources with an unbrokered HDX connection.
  • In general, a leading practice is to refrain from doing this, especially for production environments.
  • Going further, it is a good idea to restrict download access to the ICA file in general.
  • Preconfigured ICA files could easily be passed around and even modified to access different applications and VDA machines than what was originally intended. Additionally, the password could be used to access other intranet resources.
  • Citrix generally does not support the usage of standalone ICA files or customized usage of them.
  • Effectively, the issue with ICA file download is that the ICA file has no ties to the client for which it was generated, so a hijack of a VDI launch is relatively trivial by simply preventing the ICA file from running and copying it to another machine. This approach would still require user credentials to generate the ICA file.
  • Users on Google Chrome or Mozilla Firefox who access Receiver for Web may be prompted to download the ICA file when they click on a published resource icon, which can subsequently be opened with any text editor (Notepad, WordPad, Microsoft Word etc.).
  • To reduce the risk, a few methods can be used:
    • For managed endpoints, place the applicable StoreFront and NSG URLs in the Intranet zone so that ICA file download is not prompted.
    • Offer a fallback to the HTML5 Receiver or a download location for Citrix Receiver in the event that the endpoint does not already have Receiver (this will often cause the .ica file to be downloaded as well). Additionally, enforcing use of the HTML5 Receiver will prevent ICA files from being downloaded to the endpoint.
      • When using HTML5 Receiver, the ICA file is passed between the two browser tabs via JavaScript. While most users will never see the file, a determined attacker could potentially use browser developer tools to view the network requests/responses and see the ICA file contents. JavaScript debuggers could also be used for this purpose.
    • Always use Citrix Gateway for connections from unmanaged endpoints. This will enable the STA ticket to be used. STA tickets can only be used once, and then they are invalid, preventing replay attacks. Additionally, STA tickets time out after a default amount of time, limiting the potential for misuse.
• Disable all HDX channels that are not required
  • Redirection (or offloading) is one of the areas where you have to balance user experience with security. Offloading (Flash or Windows Media) essentially allows you to transfer data between the session and endpoint, which is always potentially dangerous. For environments where security is important, a leading practice is to disable all offloading.
  • Even if there appears to be no direct security threat, it is important to minimize the attack surface by removing unnecessary functionality.
• Remove access to printers or devices that are not absolutely required.
  • Especially since this often leads to file system access via “Print to File”.


• Remove drivers that provide access to devices and services that are not required
  • E.g. floppy disk drives and music search
• Disable or remove floppy drives, USB ports, and other means of connecting external drives to restrict copying of data to removable devices.

Additional Resources:
• How to Configure Desktop Viewer: https://support.citrix.com/article/CTX209468
• How to Enable or Disable Hotkeys within an ICA File (including Template.ica file): https://support.citrix.com/article/CTX140219
• Support for ICA files in XenApp/XenDesktop Environment: https://support.citrix.com/article/CTX200126
• Receiver Internals: How Receiver for HTML5 & Chrome Connections Work: https://www.citrix.com/blogs/2015/07/08/receiver-internals-how-receiver-for-html5-chrome-connections-work/
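The default.ica hotkey lockdown described above, as an added example that is not part of the course material: the Hotkey<n>Char / Hotkey<n>Shift keys under [WFClient] and the (none) value follow the CTX140219 article cited above, while the number of hotkey slots (13 here) is an assumption that should be checked against the deployed Receiver/Workspace app version.

```ini
; Added example, not from the course: hotkey lockdown for the StoreFront default.ica
; (App_Data folder of the Receiver for Web site, as located in the notes above).
; Key names and the (none) value follow CTX140219; the count of hotkey slots used
; below (1-13) is an assumption, so verify it for your Receiver/Workspace app version.
[WFClient]
; Each slot is a Citrix hotkey sequence (for example Shift+F1 reproducing
; Ctrl+Alt+Delete). Setting both the key and its modifier to (none) disables it.
Hotkey1Char=(none)
Hotkey1Shift=(none)
Hotkey2Char=(none)
Hotkey2Shift=(none)
Hotkey3Char=(none)
Hotkey3Shift=(none)
Hotkey4Char=(none)
Hotkey4Shift=(none)
Hotkey5Char=(none)
Hotkey5Shift=(none)
Hotkey6Char=(none)
Hotkey6Shift=(none)
Hotkey7Char=(none)
Hotkey7Shift=(none)
Hotkey8Char=(none)
Hotkey8Shift=(none)
Hotkey9Char=(none)
Hotkey9Shift=(none)
Hotkey10Char=(none)
Hotkey10Shift=(none)
Hotkey11Char=(none)
Hotkey11Shift=(none)
Hotkey12Char=(none)
Hotkey12Shift=(none)
Hotkey13Char=(none)
Hotkey13Shift=(none)
```

Because the ICA file itself can be downloaded and edited on unmanaged endpoints, this only removes the convenience keys; pair it with the GPO and Task Manager restrictions from the notes rather than relying on it alone.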


Application and Web Browser Hardening
Many layers of defence are required for a hardened environment

• Review policies and hardening guides for all applications.
• Apply the recommended hardening configuration.
• Be careful with applications that provide a development environment.
• Because web browsers often have external network access, they tend to pose a significant security risk relative to other apps.

[Diagram: layers of defence from the Datacenter, Network and Services, Hypervisor, Operating System and HDX Session down to Application Hardening and the App-to-App Policy]

Key Notes:
• Review policies and hardening guides for all applications that are published on a specific server. Apply the recommended hardening configuration; for example, disable context menus, printing (if not required) or diagnostic tools. Be especially careful with applications that provide a development environment, such as the Visual Basic for Applications language.
• Web browsers present a special security concern because, by their nature, they are intended to access content from outside the internal network.
• Often, users need to browse the web to do their job, so we cannot simply remove access to browsers. But the web presents many concerns, including ransomware, phishing, session hijacking, and many more.
• Protocol and network security
  • Use HTTPS for access to external web sites, especially if sensitive data will be transmitted. HTTP Strict Transport Security (HSTS) can be optionally implemented by web applications to prevent the use of HTTP for the web connection by using a special response header.
  • HTTP response headers can be used to send security policies to an endpoint’s browser, ultimately ensuring a more secure connection.
  • Open redirection could be implemented on a vulnerable web page so that users accessing the page are redirected to an untrusted, malicious website. This is often used in phishing attacks, where the malicious website mimics the original website to collect personal user information. Preventing open redirection must be implemented by the website owner by closing known security vulnerabilities in login pages and referrer parameters.
  • Domain relaxation, also known as same-origin policy, allows web browsers to permit scripts to run between web pages from the same origin, such as the same root domain. This provides a clear separation between trusted and untrusted content. Internet Explorer’s security zones use this concept.
  • DNS/ARP/cache poisoning is an attack technique where spoofed ARP messages are transmitted over a LAN. This is the precursor to a man-in-the-middle attack, where traffic gets routed through an untrusted machine on its way to the intended target.
  • Web proxies are often used as an intermediary between internal endpoints and the Internet. In an enterprise environment, proxies are often used to apply content filtering and other security policies to reduce the risk to the internal network.
• Encryption
  • HTTPS communications should be enabled through the use of certificates from Trusted Root CAs. The encryption algorithm and hash used can also affect the level of security provided by a given certificate.
• Session and state management
  • Session persistence, especially SSL session persistence, helps improve the functionality and performance of a web app. This is typically provided through the use of cookies, which ensure that when users connect to a set of load balanced web servers, they are directed to the same server for the duration of the session. However, cookies can potentially be exploited in cross-site scripting attacks. Cookie security options (HTTPS-only, domain-matching, path-matching, expiration dates) can be implemented to mitigate the risks.


  • Security indicators within the browser often help end-users determine whether a website is high risk. For example, most of the commonly-used browsers use an indicator to show when a web site is not using HTTPS, when accessing a mixed content page (more on this below) or when the certificate used by the web site is from an untrusted source.
• Authentication
  • Authentication can be used to identify and restrict who can access a given application, including web applications. Using multi-factor authentication can help to mitigate the possibility of one factor being compromised via phishing or social engineering.
• Content filtering and security
  • Content filtering refers to the practice of restricting which web sites can be accessed from a given network. This is often done both for productivity reasons (restricting access to games and objectionable content) as well as security reasons.
  • Content security can be implemented to determine whether and how a browser will process the different files and apps that comprise a full web page.
  • Beyond HTML, most modern websites also transmit a number of other forms of content on a given page. When the other resources are transmitted over HTTP instead of the HTTPS used for the initial connection, the page is classified as mixed content. Web developers must work to ensure that all sources of content for the page are encrypted with HTTPS.
  • Embedded objects are often included in web pages. These are often links to other documents or files that can be viewed or downloaded. However, an attacker could include a malicious executable and disguise it as a legitimate object.
• In Citrix Virtual Apps and Desktops, each of the major browsers can be configured to run using special parameters. This can help to lock down large portions of the browser even before implementing additional policies.
  • Kiosk mode
    • Google Chrome: --kiosk --no-default-browser-check --no-first-run <URL>
    • Internet Explorer and Firefox: -k <URL>
  • Incognito mode
    • Google Chrome: --incognito
    • Internet Explorer and Firefox: -private
  • Disable Extensions
    • Google Chrome: --disable-extensions (see chrome://extensions)
    • Internet Explorer: -extoff
    • Firefox: -safe-mode
• Web security can be further enhanced via Group Policy settings.
  • Different web browsers such as IE, Chrome, and Firefox can attain different levels of security based on the settings available for each.
  • We can manage browser settings with the help of browser-specific Administrative Templates.


Citrix Secure Browser
Secure Browser On-Premises Deployment

• Secure Browser is available as a Citrix Cloud service.
• Has the capability to quickly and securely deliver web and SaaS applications to any modern browser.
• Delivers older/legacy customer applications more effectively and reliably.
• Secure Browser capabilities are also built into the on-premises Citrix Virtual Apps and Desktops product.

[Diagram: on-premises deployment across the User Layer (Internal Users), Access Layer (StoreFront), Control Layer (Delivery Controller, Domain Controller, Databases, License Server), Resource Layer (Server OS VDA) and Compute Layer (Network, Storage, Processor, Memory, Graphics, Hypervisor). Callouts: Secure Browser is only supported for internal endpoints; an isolated Store is created for anonymous users using the HTML5 Receiver; a web browser is configured as a published app to a specific URL in kiosk mode, and made available to anonymous users; Citrix and Microsoft group policies provide further lockdowns to the VDA.]

Key Notes:
• Secure Browser is available as a Citrix Cloud service, where everything will be preconfigured for you – just supply the URLs of the web apps you need users to access.
• However, it is also possible to replicate the Secure Browser configuration in an on-prem deployment. The end result is that users can have a seamless web-based application experience where a hosted web-based application simply appears within the user’s preferred local browser.
• There is value in running a hosted web browser which is locked down, with Citrix policies restricting clipboard access granularly, restricted client drive mapping, printing…everything you don’t need.
• This is accomplished by doing the following:
  • IE is published in kiosk mode, pointing to the desired web app URL.
  • The app is part of an unauthenticated Delivery Group.
  • A separate, dedicated StoreFront Store is used to provide anonymous user access to the published web app.
    • Note that to provide adequate security, the web app itself must have an authentication mechanism.
  • The HTML5 Receiver is enforced on the Store so that the session opens in a new browser tab.
  • This solution is only intended for internal usage (e.g. no Citrix Gateway) in order to separate the browser from the internal endpoint.

Additional Resources:
• Citrix Virtual Apps and Desktops Secure Browser: https://www.citrix.com/digital-workspace/secure-browser.html


Restrict Access to Internal Tools

• Disable all unnecessary administrative


components, and beware of hidden scripting
environments.
• Make use of User Account Controls (UAC) to
prevent unauthorized changes to a system.
• Allow users to run executables only from
location where they don’t have write
permissions (such as Program Files and
Windows folders)

© 2020 Citrix Authorized Content

Key Notes:
• If an attacker is not able to use their own code, they will try to use whatever is available on the box. Make sure to secure (using
policies or NTFS permissions) all administrative tools that could be abused – command prompt (and PowerShell), Registry editor, Task
Manager and many others. You can also use 3rd party tools to password protect the executables (if you still need to execute them for
troubleshooting purposes).
• Be aware of hidden scripting environments. There are many technologies that are very powerful and professional attacker can use
them to his advantage. One of the good examples is Office suite. It includes Visual Basic for Applications. VBA can be used as a

251 © 2020 Citrix Authorized Content


replacement of PowerShell.
• Prevent access to all tools and utilities that can provide an attacker with access to the underlying operating system and/or other applications hosted on the same server. Defenders often think about Task Manager, Remote Desktop, and the command shell, but most forget about PowerShell and PowerShell ISE. Restrict access to any other system utilities that are not needed by normal users (for example, many executables under the System32 folder). Access can be prevented using standard methods (Software Restriction Policies, AppLocker), using various 3rd party tools, or using NTFS permissions.
• UAC controls should be used to ensure that standard users do not have permissions to access system files or install applications. Even if the VDA is only intended to host published apps, assume that the attacker is able to circumvent that and attempts to install malicious scripts or executables.
• Restrict access to file system dialogs. The goal here is to prevent access to the file system where an attacker may have unintended access to launch executables, data-mine files, or write malware. This does not only mean Windows Explorer, but also any other method that accesses the file system. A good example mentioned before is the Windows print functionality that allows a user to “Print to File” or use “Save As” dialogs. This is a good leading practice and is closely related to the previous leading practice about restricting access to the internal tools, as some system utilities can display the local file system as well (e.g. FTP.exe). Hiding local drives is another common method, either using Group Policy (hide and prevent access) or Group Policy Preferences (hide, but do not prevent access).
• In general, logon or logoff scripts can limit the number of lockdowns that can be applied to the command line, PowerShell ISE, or the registry if the script requires silent access to these items. In this scenario, an attacker could exploit that to run their own scripts.
• If possible, examine whether there is an alternative method of achieving the script results.
• If some scripts must be used, consider:
• Are any passwords stored in plaintext?
• Are logon/logoff scripts using backdoors in ways you wouldn't want your users to use?

Additional Resource:
• “AlwaysInstallElevated” is Equivalent to Granting Administrative Rights: http://blogs.technet.com/b/fdcc/archive/2011/01/25/alwaysinstallelevated-is-equivalent-to-granting-administrative-rights.aspx

Application Whitelisting/Blacklisting

• Can use Windows AppLocker, or 3rd party tools, to control what processes can run on a machine.
• These tools control the executable files, scripts, Windows Installer files and DLL files.
• Use Citrix Workspace Environment Management (WEM) to centrally manage security: Windows AppLocker and process blacklists/whitelists.
• Generally encouraged to take a gradual approach to creating rules, when applying to a production environment, to ensure needed functionality remains.

Key Notes:
• Various tools can be used to create whitelists or blacklists, with Microsoft AppLocker being one of the most common ones.
• Using AppLocker, you can:
• Control the following types of applications: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).
• Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
• Assign a rule to a security group or an individual user.
• Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except
Registry Editor (Regedit.exe).
• Use audit-only mode to deploy the policy and understand its impact before enforcing it.
• Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the
rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you
import a policy, all criteria in the existing policy are overwritten.
• Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets.
• AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing
resources by decreasing the number of help desk calls that result from users running unapproved applications.
• To centrally manage application security across multiple machines, a leading practice is to use Citrix Workspace
Environment Management (WEM). WEM is used for machine optimization as well as machine security:
• WEM manages and applies the Windows AppLocker feature.
• WEM manages and applies process blacklists and whitelists.
• More information on this is available in the CWS-314 and CWS-315 WEM modules.
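
The following PowerShell is an added example, not part of the course material or of Citrix's tooling. It ties the two lockdown points above together: the earlier list of tools to keep away from users (command prompt, PowerShell ISE, Registry Editor, FTP.exe) and the AppLocker capabilities just described (publisher and hash rules, exceptions, audit-only mode, PowerShell cmdlets). It builds allow rules for a published application with the Windows AppLocker cmdlets, adds path rules modelled on the AppLocker default rules with the listed tools carved out as exceptions, tests the decisions offline, and deploys in audit-only mode. The folder C:\Apps\PayrollApp, the group CORP\CTX-Users, the file name Payroll.exe and the output path are hypothetical.

```powershell
# Added example (not part of the course material): build an AppLocker policy with the
# Windows AppLocker cmdlets, test decisions offline, then deploy it in audit-only mode.
# Hypothetical values: published app in C:\Apps\PayrollApp, launched by CORP\CTX-Users;
# the policy XML is written to C:\Temp\applocker.xml. Run elevated on a test VDA.
$AppFolder  = 'C:\Apps\PayrollApp'
$UserGroup  = 'CORP\CTX-Users'
$PolicyFile = 'C:\Temp\applocker.xml'
# Tools the lockdown notes call out as breakout aids; carved out of the Windows allow rule.
$BlockedTools = 'cmd.exe', 'powershell.exe', 'powershell_ise.exe', 'regedit.exe', 'ftp.exe'

function New-VdaAppLockerPolicy {
    param([string]$AppFolder, [string]$UserGroup, [string[]]$BlockedTools, [string]$OutFile)

    # 1. Allow rules for the published app: publisher rules where files are signed (they
    #    survive upgrades), hash rules as the fallback for unsigned files.
    $files  = Get-AppLockerFileInformation -Directory $AppFolder -Recurse -FileType Exe, Dll, Script
    $policy = [xml]($files | New-AppLockerPolicy -RuleType Publisher, Hash -User $UserGroup `
                              -RuleNamePrefix 'PayrollApp' -Optimize -Xml)
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if (-not $exe) {
        $exe = $policy.DocumentElement.AppendChild($policy.CreateElement('RuleCollection'))
        $exe.SetAttribute('Type', 'Exe')
    }

    # 2. Path rules modelled on the AppLocker default rules so Windows and Program Files
    #    keep working, except that the listed tools are removed from the Everyone rule
    #    (S-1-1-0) as exceptions. Administrators (S-1-5-32-544) keep an unrestricted rule.
    function Add-PathRule([string]$Name, [string]$Sid, [string]$Path, [string[]]$Exceptions) {
        $rule = $exe.AppendChild($policy.CreateElement('FilePathRule'))
        $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
        $rule.SetAttribute('Name', $Name)
        $rule.SetAttribute('Description', 'Added by New-VdaAppLockerPolicy')
        $rule.SetAttribute('UserOrGroupSid', $Sid)
        $rule.SetAttribute('Action', 'Allow')
        $conditions = $rule.AppendChild($policy.CreateElement('Conditions'))
        $conditions.AppendChild($policy.CreateElement('FilePathCondition')).SetAttribute('Path', $Path)
        if ($Exceptions) {
            $ex = $rule.AppendChild($policy.CreateElement('Exceptions'))
            foreach ($e in $Exceptions) {
                $ex.AppendChild($policy.CreateElement('FilePathCondition')).SetAttribute('Path', $e)
            }
        }
    }
    Add-PathRule 'Windows folder minus admin tools' 'S-1-1-0' '%WINDIR%\*' `
                 @($BlockedTools | ForEach-Object { "%SYSTEM32%\$_" })
    Add-PathRule 'Program Files' 'S-1-1-0' '%PROGRAMFILES%\*' $null
    Add-PathRule 'Administrators: all files' 'S-1-5-32-544' '*' $null

    # 3. Audit-only on every collection: decisions are logged, nothing is blocked yet.
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
    $policy.Save($OutFile)
    $OutFile
}

function Test-VdaAppLockerPolicy {
    param([string]$PolicyFile, [string]$User, [string[]]$Paths)
    # Evaluate the XML against sample paths without deploying it. Anything other than
    # "Allowed" for cmd.exe confirms the carve-out; the app binary must come back Allowed.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -User $User -Path $Paths |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

New-VdaAppLockerPolicy -AppFolder $AppFolder -UserGroup $UserGroup -BlockedTools $BlockedTools -OutFile $PolicyFile
Test-VdaAppLockerPolicy -PolicyFile $PolicyFile -User $UserGroup -Paths @(
    "$env:SystemRoot\System32\cmd.exe", "$env:SystemRoot\System32\notepad.exe",
    (Join-Path $AppFolder 'Payroll.exe')) | Format-Table -AutoSize   # Payroll.exe is hypothetical

# Deploy locally in audit mode. AppLocker only evaluates rules while the Application
# Identity service runs; afterwards review 8003 events, which mean "allowed, but would
# have been blocked if the policy were enforced".
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyFile
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

The exception approach is the one the notes describe (allow all Windows processes except the named tool): users in the Everyone rule lose the carved-out binaries because no other rule allows them, while administrators still match the unrestricted rule. Keep the policy in AuditOnly until the 8003 events show only the expected tools, then switch the EnforcementMode attribute to Enabled; in a WEM-managed environment the same XML can be imported there rather than applied locally.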

Additional Resources:
• What Is AppLocker?: https://technet.microsoft.com/en-us/library/ee424367(v=ws.10).aspx
• Requirements to use AppLocker: https://docs.microsoft.com/en-us/windows/device-security/applocker/requirements-to-use-applocker
• WEM Security: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html

Lesson Review

Does locking down an HDX session involve Citrix configurations or Microsoft configurations?

Ideally, both Citrix and Microsoft configurations should be implemented to fully lock down an HDX session.

Minimizing the Impact of Attacks

Separate Applications Based on their Security Sensitivity

• To review, if a breakout occurs on a VDA, an attacker could gain access to other applications installed on the same machine, administrative tools, or sensitive data.
• Consider dedicating a group of servers to very sensitive applications.
• This allows you to separate the networks as well.

[Diagram: the attacker reaches a published resource on Server OS VDA 1 (App A, App B); App C to App F are hosted on Server OS VDA 2.]

Key Notes:
• As mentioned earlier, despite all of the lockdowns covered so far, given sufficient time, we can assume that an attacker will find a
way to perform a jailbreak. So, assuming that you cannot prevent this from happening, what can you do?
• Would you publish an application that is available to all users (Domain Users), is extremely hard to secure (Office) and contains its
own scripting engine (Office VBA) on the same server as your payroll application that is available only to a very limited number of
users?
• That’s not a good idea. An attacker who is able to jailbreak a published app now has easy access to the sensitive app on the same machine. During the design phase, you should segment your application hosts based on their sensitivity and have separate hosts for critical applications.

Use NTFS to Isolate Applications on the Same Server

• Restrict access to applications by NTFS permissions on application folders\executables.
• You can use the same Active Directory group that is used for publishing.

[Diagram: a single Server OS VDA hosting App A to App D; the attacker reaches the published resource, and NTFS permissions block access to the other applications.]

Key Notes:
• Once you isolate your servers into groups, you can add another layer of protection. Try to isolate all applications from each other
(hosted on the same server). The most primitive (and reliable) method is to use NTFS permissions to isolate applications from each
other. Whenever possible, block access on the folder level (Read\Execute permissions).
• Sometimes, if the folder contains libraries (typical examples are Office and Adobe Acrobat), you can at least secure the executables.
• You can use the same AD group that is used to publish the application. That way you can also guarantee that when a user sees an
icon, she can execute it (as permissions are granted through the same AD group).
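
As an added example (not part of the course material), the following PowerShell applies that layer to one application folder: it breaks inheritance, grants the publishing AD group Read and Execute only, and keeps full control for SYSTEM and a Citrix administrators group. The folder path and the two group names are hypothetical.

```powershell
# Added example, not from the course material: isolate one published application's
# folder with NTFS permissions. Hypothetical values: the app is installed under
# C:\Apps\PayrollApp and published to CORP\App-Payroll-Users; CORP\CTX-Admins is
# the Citrix administrators group. Run elevated on the VDA (or on the master image).
param(
    [string]$AppFolder  = 'C:\Apps\PayrollApp',
    [string]$UserGroup  = 'CORP\App-Payroll-Users',
    [string]$AdminGroup = 'CORP\CTX-Admins'
)

function Set-AppFolderIsolation {
    param([string]$Path, [string]$AllowedGroup, [string]$AdminGroup)

    $acl = Get-Acl -Path $Path

    # Break inheritance and discard the inherited ACEs (the parent typically grants
    # BUILTIN\Users Read & Execute, which is exactly the entry we want gone).
    $acl.SetAccessRuleProtection($true, $false)

    # Drop any explicit ACEs as well, so the resulting DACL is fully deterministic.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # SYSTEM and the admin group keep full control so installs and updates still work.
    foreach ($principal in @('NT AUTHORITY\SYSTEM', $AdminGroup)) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, $propagate, 'Allow')))
    }

    # The publishing group gets Read & Execute only: enough to launch the app, not
    # enough to drop files into the folder or tamper with its binaries.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AllowedGroup, 'ReadAndExecute', $inherit, $propagate, 'Allow')))

    Set-Acl -Path $Path -AclObject $acl
}

function Get-AppFolderAccess {
    # Lists who can still reach the folder; BUILTIN\Users or Everyone must not appear.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Set-AppFolderIsolation -Path $AppFolder -AllowedGroup $UserGroup -AdminGroup $AdminGroup
Get-AppFolderAccess -Path $AppFolder | Format-Table -AutoSize
```

Because the same AD group is used for publishing and for the ACL, a user who sees the icon can always launch the application, and a user who broke out of another published app on the same server cannot. Where the folder holds shared libraries that other software needs (the Office and Acrobat case mentioned above), point Set-AppFolderIsolation at the individual executables instead of the folder.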

Use Citrix Analytics to Detect Attacks and Apply Mitigations

Citrix Analytics is an analytics service that allows you to monitor and identify inconsistent or suspicious activities on your networks. It provides actionable insights such as:
• User behavior
• Usage based on indicators identified across users, endpoints, network traffic, and files.


Key Notes:
• Once users are discovered by Citrix Analytics, they will eventually get a risk score assigned to their account.
• A risk score is a value that indicates the aggregate level of risk a user poses to the network over a pre-determined monitoring period. This value is dynamic and is based on User Behavior Analytics (UBA) algorithms that study and determine patterns of user behavior.
• These algorithms are applied to analyze anomalies that indicate potential threats. For a defined monitoring period, the risk score is an aggregate of the risk indicators that are triggered for a user.
• Risk indicators are user activities that look suspicious or can pose a security threat to the organization. Risk indicators span across all Citrix products used in a deployment.
• The indicators are based on user behavior and are triggered where the user’s behavior deviates from the normal.
Risk indicators help in determining the user’s risk score.
• A risky user associated with a risk score can be either of the following types:
• High risk users. Users who represent immediate threats to the organization.
• Medium risk users. Users who could have multiple serious violations on their account and must be monitored
closely.
• Low risk users. Users who may have some violations detected on their account.

Additional Resources:
• About Security Analytics: https://docs.citrix.com/en-us/citrix-analytics/security-analytics/about.html

Session Recording Introduction

• Powerful activity monitoring
  • Capture screen updates to a video file
  • Configure monitoring of a specific user, app or server
• Faster problem resolution
  • Replay actual screen activity at the exact moment of failure
  • Quickly troubleshoot errors through time-stamped visual records
  • Helps address difficult to reproduce errors
• Enhanced auditing
  • Record admin screen for change management of critical systems
  • Notify users of recording to help deter potential misdeeds

[Diagram: Session Recording Infrastructure across the User, Access, Resource, Control and Compute layers. Internal users via StoreFront and external users via Citrix Gateway (through the firewalls) reach Server OS and Desktop OS VDAs running the SR Agent; the Control layer holds the Delivery Controller, Domain Controller, SR Policy Console, Session Recording Server, Session Recording Player, License Server and the databases (including the SR database); the Compute layer is Network, Storage, Processor, Memory, Graphics and Hypervisor.]

Key Notes:
• Session Recording uses flexible policies to automatically trigger recordings of Citrix Virtual Apps and Desktops sessions. This enables
IT to monitor and examine user activity of applications – such as financial operations and healthcare patient information systems –
demonstrating internal control, thus ensuring regulatory compliance and successful security audits. Similarly, it also aids in technical
support by speeding problem identification and time-to-resolution.
• Benefits of Session Recording:
• Definitive log of activity involving sensitive data — Enables organizations to record user activity while interacting with applications that present sensitive information such as financial data, intellectual property, personal information, and medical records.
• Powerful litigation support — Video logs of computing activity are the most powerful form of evidence because they
are the clearest indication of criminal intent. Whether acting as a defendant or a plaintiff, organizations that use SRT
will have a better chance of proving their case in court by using video footage in parallel with other eDiscovery
methods and tools.
• Faster problem resolution — When users call the helpdesk with a problem that is difficult to reproduce, support staff
can enable recording of user sessions. When the issue occurs again, SRT provides a visual record of the error which
can be used with other event logging tools to troubleshoot user issues faster.
• Session Recording consists of five components:
• Session Recording Agent. A component installed on each Server OS or Desktop OS machine to enable recording. It is
responsible for recording session data.
• Session Recording Server. A server that hosts:
• The Broker. An IIS 6.0+ hosted Web application that handles the search queries and file download requests from
the Session Recording Player, handles policy administration requests from the Session Recording Policy Console,
and evaluates recording policies for each XenApp and XenDesktop session.
• The Storage Manager. A Windows service that manages the recorded session files received from each Session
Recording-enabled computer running XenApp and XenDesktop.
• Session Recording Player. A user interface that users access from a workstation to play recorded XenApp and
XenDesktop session files.
• Session Recording Database. An SQL database for storing recorded session data.
• Session Recording Policy Console. A console used to create policies to specify which sessions are recorded.
• Key Enhancements
• 7.8: Session recording for VDI introduced; including support for Windows 10 and Remote PC.
• 7.13: Database high availability
• 7.16: Load balancing Session Recording servers fully supported
• 1811: Windows Server 2016 support

Additional Resources:
• Session Recording 1903: https://docs.citrix.com/en-us/session-recording/1912-ltsr.html
• Install, upgrade, and uninstall Session Recording: https://docs.citrix.com/en-us/session-recording/current-release/install-upgrade-uninstall.html

How Session Recording Works

1. Policies configured via SR Policy Console
2. HDX Session established
3. SR Agent verifies recording policy with SR Server
4. SR Agent records session; sends data to SR Server
5. SR Server logs session data; sends metadata to the database and the recordings to storage
6. SR Player can retrieve and play session recordings by contacting SR Server
7. Files can be archived via 3rd party archive solutions

[Diagram: Server OS VDA with SR Agent, Session Recording Server, Session Recording Database, Storage, Session Recording Player, SR Policy Console and a 3rd Party Archiving Solution, with the numbered steps drawn between them.]

Key Notes:
• Once session recording has been configured and activated, the SR Agent is in “capture” mode, monitoring all HDX sessions that start
up and asking the SR Server what to do: record or not, and if record, notify or not.
• If the policy is to record, the session data is sent to the SR Server for processing.
• The actual session recordings are written to storage and various metadata associated with the session is logged.
• Metadata includes session attributes such as the user, the application, the session start time, and the XenApp Worker used.
• An authorized user can use the SR Player to search metadata records for items of interest to play back.

• For organizations that plan to record a large number of sessions and retain the recordings for a long period of time, a 3rd-party archival solution will need to be employed.
• The text-based session watermarking feature can be used in conjunction with session recording to show the particulars of the endpoint or VM being depicted in the recording.

Additional Resources:
• Get started with Session Recording: https://docs.citrix.com/en-us/session-recording/current-release/get-started.html

Citrix App Protection

• App protection is an add-on feature for the Citrix Workspace app that provides enhanced security
when using Citrix Virtual Apps and Desktops published resources.
• Two policies provide anti-keylogging and anti-screen-capturing capabilities for a Citrix HDX session.
The policies along with a minimum of Citrix Workspace app 1912 for Windows or Citrix Workspace
app 2001 for Mac can help protect data from keyloggers and screen scrapers.
• What does app protection protect?
• Citrix logon windows
• Citrix Workspace app HDX session windows (for example, a managed desktop)
• Self-Service (Store) windows
• What doesn’t app protection protect?
• The items under the Citrix Workspace app icon in the navigation bar:
• Connections Center
• All links under Advanced Preferences
• Personalize
• Check for Updates
• Sign Out

Key Notes:
• App Protection expected behavior:
• The expected behaviors depend on how you access the StoreFront store that contains protected resources. You can access the
resources using a supported native Citrix Workspace app client.
• Behavior on StoreWeb - Applications with app protection policies are not enumerated on StoreFront web stores.
• Behavior on unsupported Citrix Receivers or Citrix Workspace apps - Applications with app protection policies are not enumerated.
• Behavior on supported Citrix Workspace app versions - Protected resources enumerate and start properly.
• Protection is applied under the following conditions:
• Anti screen capture – enabled if any protected window is visible on the screen. To disable protection, minimize all
protected windows.
• Anti-keylogging – enabled if a protected window is in focus. To disable protection, change focus to another window.

Additional Resources:
• App Protection is now GA for on-prem Citrix Virtual Apps and Desktops: https://www.citrix.com/blogs/2020/02/25/app-protection-is-now-ga-for-on-prem-citrix-virtual-apps-and-desktops/
• App protection: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/app-protection.html
• Citrix Workspace app for Windows – App Protection: https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/configure.html#app-protection

HDX Session Watermarking

• Text-based session watermarks help to deter and enable tracking data theft. This traceable
information appears on the session desktop as a deterrent to those using photographs and screen
captures to steal data.
• You can specify a watermark that is a layer of text, which displays over the entire session screen
without changing the content of the original document. Text-based session watermarks require VDA
support.
• Text-based session watermarking is not a security feature. The solution does not prevent data theft
completely, but it provides some level of deterrent and traceability.
• Session watermark supports only Thinwire and not the Framehawk or Desktop Composition
Redirection (DCR) graphic modes.
• If you use Session Recording, the recorded session doesn’t include the watermark.
• If you use Windows remote assistance, the watermark is not shown.

Additional Resources:
• Text-based session watermark: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/graphics/session-watermark.html
• Session watermark policy settings: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/session-watermark-policy-setting.html

Lesson Review

Which built-in Windows setting allows administrators to provide granular access permissions to individual files and folders?

NTFS permissions can be used to accomplish this, and provide an additional layer of protection for applications. For ease of management, use the application-specific Active Directory groups when configuring NTFS permissions.

Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 05

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

Lab Exercise

• Exercise 5-1: Install Session Recording Administration Components
• Exercise 5-2: Install the Session Recording Agent
• Exercise 5-3: Configure Director to use the Session Recording Server
• Exercise 5-4: Test Session Recording

Key Takeaways

• There are many routes an attacker could take to break out of a published resource, which is why implementing a defense in depth approach is necessary to mitigate that risk.
• Implement any application-specific hardening configurations available, especially for web browsers, which present special security concerns.
• The severity of attacks can also be reduced by isolating sensitive applications and setting granular NTFS permissions for files and folders on the VDA.

Citrix Virtual Apps and Desktops 7 Advanced Deployment, Troubleshooting, Security and Administration

Secure Machines Running the Virtual Delivery Agent

Module 6

Learning Objectives

• Discuss the security advantages of using end-to-end TLS encryption and how to encrypt VDA communications with TLS.
• Describe how Microsoft GPOs and Citrix HDX policies are used to secure machines, devices, sessions, and users in a Citrix Virtual Apps and Desktops environment.
• Describe how Citrix ADC/Gateway SmartAccess and SmartControl can be used to secure HDX sessions and endpoint compliance.
• Describe how to harden a base image for provisioning secure virtual machines.

Transport Layer Security (TLS) to Virtual Delivery Agent (VDA) Encryption

Limitations for Default Deployment

• By default, the Citrix Gateway is not using SSL to secure the HDX proxy to the session.
• For some industries, securing external traffic is sufficient.
• Other industries require companies to secure both external and internal traffic.

[Diagram. Some industries: only external traffic secured using SSL is sufficient: Endpoint Devices to Citrix Gateway over SSL/TLS, Citrix Gateway to VDA unencrypted. Other industries: all traffic is secured using SSL: Endpoint Devices to Citrix Gateway over SSL/TLS, Citrix Gateway to VDA over SSL/TLS.]

Key Notes:
• TLS encryption between components, even internally, is a requirement for FIPS and PCI compliance.

Securing Internal Traffic with Secure ICA (TLS Encryption)

• Default HDX traffic uses basic XOR-based encryption. Secure ICA is available to increase this encryption level.
• The TLS encryption improves on basic Secure ICA, using cryptographic protocols that provide private communication security over the network.
• You must secure the VDA, in addition to a network proxy like the Citrix Gateway, in order to receive end to end TLS security.

[Diagram: Basic Encryption across the User, Access, Control, Resource and Compute layers. Internal users via StoreFront and external users via Citrix Gateway (port 443, through the firewalls) connect over HDX to the VDAs (Server OS, Assigned Desktop OS, Random Desktop OS and Remote PC); the Control layer holds the Delivery Controller, Domain Controller, Databases and License Server; the Compute layer is Network, Storage, Processor, Memory, Graphics and Hypervisor.]

Key Notes:
• By default, HDX traffic uses a basic XOR-based encryption algorithm. It protects the data stream from being read directly, but it can
be decrypted.
• Rather than use the SecureICA minimum encryption level setting for Citrix Virtual Apps and Desktops 7, a leading practice is to use TLS to secure HDX traffic if end-to-end traffic encryption is desired.
• A SecureICA minimum encryption level Citrix policy is available as a way to increase the encryption level of the HDX logon traffic to Server OS VDAs by using a 128-bit RC5 algorithm.
• Although simple to implement, this policy only covers logon data, does not perform authentication or check data
integrity, and RC5 is not a FIPS-compliant algorithm.
• The SecureICA minimum encryption level setting specifies the minimum level at which to encrypt session data sent
between the server and a user device. Originally developed for the Citrix Virtual Apps IMA architecture, some settings
can be used in a Citrix Virtual Apps 7 environment.
• Important: For the Virtual Delivery Agent, this policy setting can be used only to enable the encryption of the logon
data with RC5 128-bit encryption. Other settings are provided only for backwards compatibility with legacy versions
of Citrix Virtual Apps.
• For Server OS VDA, encryption of session data is set using the basic settings of the VDA's Delivery Group. If Enable
Secure ICA is selected for the Delivery Group, session data is encrypted with RC5 (128 bit) encryption.
• If Enable Secure ICA is not selected for the Delivery Group, session data is encrypted with Basic encryption.
• When adding this setting to a policy, select an option:
• Basic encrypts the client connection using a non-RC5 algorithm. It protects the data stream from being read directly,
but it can be decrypted.
• By default, the server uses Basic encryption for client-server traffic.
• RC5 (128 bit) logon only encrypts the logon data with RC5 128-bit encryption and the client connection using Basic
encryption. This is the setting that can be selected in Citrix Virtual Apps and Desktops 7 environments.
• RC5 (40 bit) encrypts the client connection with RC5 40-bit encryption (legacy environments only).
• RC5 (56 bit) encrypts the client connection with RC5 56-bit encryption (legacy environments only).
• RC5 (128 bit) encrypts the client connection with RC5 128-bit encryption (legacy environments only).
• The settings you specify for client-server encryption can interact with any other encryption settings in your environment
and your Windows operating system. If a higher priority encryption level is set on either a server or user device, settings
you specify for published resources can be overridden.
• You can raise encryption levels to further secure communications and message integrity for certain users. If a policy
requires a higher encryption level, Citrix Workspace app using a lower encryption level are denied connection.
• SecureICA does not perform authentication or check data integrity. To provide end-to-end encryption for your site, use
SecureICA with TLS encryption.
• SecureICA does not use FIPS-compliant algorithms. If this is an issue, configure the server and Citrix Workspace app to avoid using SecureICA.

Additional Resources:
• Transport Layer Security (TLS): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/tls.html
• Security policy settings: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/security-policy-settings.html

Secure the VDA

How?
1. Add certificate to VDAs.
2. Enable TLS on VDAs.
3. Enable TLS on Controllers.

[Diagram: Endpoint Devices to Citrix Gateway over SSL/TLS, Citrix Gateway to VDA over SSL/TLS, with the Delivery Controller above; markers (1), (2) and (3) indicate the VDA certificate, the VDA TLS setting and the Controller setting.]

Key Notes:
• To enable TLS encryption you need to add certs to the VDAs, and then configure the VDAs and Controllers to use encryption. We’ll
look at each of these steps in more detail because there are some important things to consider.
• In a typical scenario, external connections are secured to Citrix Gateway, but the “last mile” does not leverage TLS.
• You should encrypt HDX traffic to prevent an attacker from being able to watch everything that a user is doing. ICA ports 1494, 2598
and 8008 are unencrypted by default (though not plain text).
• With the release of Citrix Virtual Apps and Desktops 7.6, it is now possible to implement TLS encryption that is FIPS approved from Receiver to the VDA.
• The first step is to deploy certificates to the VDAs. By default there are no certificates deployed to VDAs.
• After certificates have been deployed to the VDAs, TLS can be enabled by the script Enable-VdaSSL.ps1 (on the product ISO).
• This is relatively straightforward for dedicated desktops, but much harder for pooled desktops, which are reset
following a reboot. One solution is to add a wildcard certificate to the master image such as *.Citrix.com.
• The problem though, is that if any of the VDAs are compromised, all other VDAs are at risk.
• An alternative is to use Microsoft Certificate Services to automatically provision certificates using group policy. A
startup script is then used to enable TLS (more on this in the following slide).
• However, at this time, the script only supports Desktop OS VDAs and static Server OS VDAs.
• Once you have the cert installed on the VDA you need to run a PowerShell script that enables TLS on the VDA. You can
use a few different parameters with the script.
• The SSLMinVersion parameter can be TLS_1.0, TLS_1.1 or TLS_1.2. The script will use TLS_1.0 by default.
• The SSLCipherSuite parameter allows you to select your preferred cipher suite, which can be Government, Commercial or All.
• The certificate thumbprint parameter allows you to specify which certificate you want to use. Most of the time you
won’t need this parameter as you’ll just have one cert on the VDA.
• The last step is to enable encryption on the controller.
• There are two PowerShell commands that you need to run on each controller. The first one enables TLS for all Delivery Groups; you can also enable TLS for individual Delivery Groups if you wish.
• The second PowerShell command changes the address of the VDA in the ICA file from IP address to FQDN so that it
matches the name in the certificate.
• When you change the VDA address from an IP to FQDN, you lose the ability to directly connect with Quick Launch.
• A Delivery Group cannot have a mixture of some VDAs with TLS configured and some VDAs without TLS configured.
When you configure TLS for a Delivery Group, you should have already configured TLS for all of the VDAs in that Delivery
Group.
• When you configure TLS on VDAs, permissions on the installed TLS certificate are changed, giving the ICA Service read
access to the certificate’s private key, and informing the ICA Service of the following:
• Which certificate in the certificate store to use for TLS.

282 © 2020 Citrix Authorized Content


• Which TCP port number to use for TLS connections.
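
The three steps above, scripted as an added example (this is not Citrix's code and not part of the course material). It selects the VDA's machine certificate by FQDN so the name in the ICA file will match, runs Enable-VdaSSL.ps1 with TLS 1.2 as the minimum and an explicit thumbprint, checks that the TLS port is listening, and on the Controller switches to FQDN addressing and enables HDX TLS on the access policy rules. Assumptions: Enable-VdaSSL.ps1 has been copied from the product ISO (assumed location Support\Tools\SslSupport) to C:\CitrixTools on the VDA; the certificate's subject or SAN contains the VDA's FQDN; the Controller function runs on a Controller with the Citrix PowerShell snap-in installed. Paths, the Delivery Group name and the function names are hypothetical.

```powershell
# Added example (not from the course material): the three TLS steps from the notes.
# Hypothetical paths and names; run the VDA part elevated on the VDA, the Controller
# part on a Delivery Controller.

# ---- VDA side ---------------------------------------------------------------
function Get-VdaCertificate {
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    # Newest unexpired machine certificate with a private key whose DNS names cover this
    # VDA. The ICA file will carry this FQDN, so the names must match.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       ($_.DnsNameList.Unicode -contains $Fqdn) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-VdaTlsListener {
    param([int]$Port = 443)
    # True when a listener is bound to the TLS port after Enable-VdaSSL.ps1 has run.
    [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

function Enable-VdaTls {
    param(
        [string]$ScriptPath = 'C:\CitrixTools\Enable-VdaSSL.ps1',   # copied from the ISO (assumed)
        [int]$Port = 443
    )
    $cert = Get-VdaCertificate
    if (-not $cert) { throw 'No usable certificate for this VDA in Cert:\LocalMachine\My' }
    # Pin the minimum version to TLS 1.2 instead of the script's TLS 1.0 default, pass
    # the thumbprint explicitly so a leftover or wildcard certificate is never picked by
    # accident, and keep the default cipher selection (ALL).
    & $ScriptPath -Enable -SSLPort $Port -SSLMinVersion 'TLS_1.2' -SSLCipherSuite 'ALL' `
                  -CertificateThumbPrint $cert.Thumbprint
    Test-VdaTlsListener -Port $Port
}

# ---- Controller side ---------------------------------------------------------
function Enable-ControllerHdxTls {
    param([string]$DeliveryGroup)   # omit to enable TLS for every Delivery Group
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
    # Put the VDA FQDN (not its IP address) into the ICA file so it matches the certificate.
    Set-BrokerSite -DnsResolutionEnabled $true
    $rules = if ($DeliveryGroup) { Get-BrokerAccessPolicyRule -DesktopGroupName $DeliveryGroup } else { Get-BrokerAccessPolicyRule }
    $rules | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
    # Return the rules that now require TLS, for review.
    Get-BrokerAccessPolicyRule | Where-Object HdxSslEnabled |
        Select-Object Name, DesktopGroupName, HdxSslEnabled
}

# Usage:
#   on the VDA (elevated):   Enable-VdaTls
#   on a Controller:         Enable-ControllerHdxTls -DeliveryGroup 'Payroll Desktops'   # hypothetical group
```

Because a Delivery Group must not mix TLS and non-TLS VDAs, run Enable-VdaTls on every VDA in the group (or bake it into the master image's startup script, as the notes suggest) before calling Enable-ControllerHdxTls for that group.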

Additional Resources:
• TLS – TLS Settings on VDAs: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/tls.html
• How To Secure ICA Connections in Citrix Virtual Apps and Desktops using SSL: https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/
• Citrix Virtual Apps and Desktops: What Crypto is My Session Using?: https://www.citrix.com/blogs/2015/07/13/xenapp-xendesktop-what-crypto-is-my-session-using/
• End-To-End Encryption with Citrix Virtual Apps and Desktops: https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/end-to-end-encryption-with-xenapp-and-xendesktop.pdf
• Configure TLS on a VDA using the PowerShell

Lesson Review

What is the default encryption used by HDX traffic?

XOR-based encryption

Microsoft Group Policy Objects (GPOs) and Citrix Policies

Introduction to System Hardening via Policies

Overview:
• System hardening secures an environment to reduce exposure to threats, and provide secure remote access to an environment and its resources.
• Security is done via various methods - policies being the most common method.
• With Citrix Virtual Apps and Desktops, both Microsoft Group Policy Objects (GPOs) and Citrix policies (HDX) can be used.

Users and Administrators:
• Policies can be used to control resource or environment access for users and Administrators.
• Identify and confirm the requirements for each type of account, defining the identity, authentication and access rights and privileges.
• Separating policies will provide the level of granularity needed to provide the right level of access based on individual needs of users or Administrators.

Key Notes:
• One of the most common methods of applying lockdowns to the Windows operating system is via policies.
• Before applying any new GPOs to a production environment (whether importing GPOs or creating them from scratch) be sure to
evaluate the settings to determine their appropriateness for your organization’s environment. Then test them in a non-production
environment.
• Depending on your organization’s requirements, the Citrix Cloud GPOs may be more or less stringent than the ideal level of
lockdowns.
• Separating admin from user policies allows flexibility in your organization to give certain administrators full access to
tasks, and operations while other administrators have limited access.
• One of the key benefits of policy-based lockdowns is that in many cases different levels of lockdowns can be applied to
different user groups, including administrators who may need greater access to the machines.
• As a general leading practice, when applying security lockdown policies, ensure that your core administrator group is
not inadvertently included in settings that would prevent them from effectively performing their duties.
• At the same time, even administrators should not have full access to the systems and machines under their control,
according to the principle of least privilege (PoLP).

Additional Resources:
• Citrix Common Criteria Certification Information: https://www.citrix.com/about/legal/security-compliance/common-
criteria.html



Separate Policies for Users/Admins

• Policies can be applied to only allow users or Administrators access to specific resources or environments.
• Identify and confirm the requirements for each type of account, defining the identity, authentication and access rights and privileges.
• Separating policies will provide the level of granularity needed to provide the right level of access based on the individual needs of the user or administrator.

[Diagram: a separate Admin policy and User policy applied to the Virtual Delivery Agent]


Key Notes:
• Separating admin from user policies allows flexibility in your organization to give certain administrators full access to tasks, and
operations while other administrators have limited access.
• One of the key benefits of policy-based lockdowns is that in many cases different levels of lockdowns can be applied to different user
groups, including administrators who may need greater access to the machines.
• As a general leading practice, when applying security lockdown policies, ensure that your core administrator group is not
inadvertently included in settings that would prevent them from effectively performing their duties.



• At the same time, even administrators should not have full access to the systems and machines under their control,
according to the principle of least privilege (PoLP).



Citrix Security and Control Policy Template

• Used to limit access enabled by default in the Citrix Virtual Apps and Desktops environment.
• Enables the administrator to deny access to peripheral devices, drive mapping and much more.
• Allows for a quick and easy way to apply the most restrictive policy to either users or administrators.

Key Notes:
• Citrix Virtual Apps and Desktops includes a Citrix Security and Control policy template that contains many settings appropriate to a
locked down environment, such as disabling use of client-side peripheral devices (like USB drives), drive mapping, client-side
rendering of media content, and more.
• Note that applying some of these settings may consume more bandwidth and/or reduce user density per server.



Citrix Policy Example: Clipboard Redirection

[Diagram: the clipboard policy ranges from Two-Way Clipboard, through One-Way Clipboard (Client-to-Server) and One-Way Clipboard (Server-to-Client), to No Clipboard; the permitted content ranges from All data (text, files & folders) to Only text or Only bitmaps.]


Key Notes:
• Citrix has introduced increasingly granular clipboard redirection settings to enable administrators to choose which type of content
can be transferred between a session and user device via the clipboard, as well as in which direction.
• Since CVAD 1903, clipboard data that can be copied/pasted between sessions and user devices includes files & folders; not just text
and bitmaps.
• Client clipboard redirection
• Recommended security-focused setting: Disabled



• This setting allows or prevents the clipboard on the user device being mapped to the clipboard on the server. By
default, clipboard redirection is allowed.
• To prevent cut-and-paste data transfer between a session and the local clipboard, select Prohibit. Users can still cut
and paste data between applications running in sessions.
• Although fully disabling clipboard redirection is by definition the most secure, additional settings are available for a
more granular approach.
• Restrict client clipboard write, restrict session clipboard write
• If this setting is Allowed, host clipboard data cannot be shared with the client endpoint or within the user session,
respectively. This can be used to enable uni-directional clipboard access.
• Client clipboard write allowed formats, session clipboard write allowed formats
• When the Restrict client clipboard write or Restrict session clipboard write setting is Enabled, host clipboard data
cannot be shared with the client endpoint or user session respectively, but you can use this setting to allow specific
data formats to be shared with the client endpoint clipboard or user session clipboard. To use these settings, enable
them and add the specific formats to be allowed.
• The following clipboard formats are system defined:
• CFX_FILE (note: use this format to copy/paste files & folders)
• CF_TEXT
• CF_BITMAP
• CF_METAFILEPICT
• CF_SYLK
• CF_DIF
• CF_TIFF
• CF_OEMTEXT
• CF_DIB
• CF_PALETTE
• CF_PENDATA
• CF_RIFF
• CF_WAVE
• CF_UNICODETEXT



• CF_ENHMETAFILE
• CF_HDROP
• CF_LOCALE
• CF_DIBV5
• CF_OWNERDISPLAY
• CF_DSPTEXT
• CF_DSPBITMAP
• CF_DSPMETAFILEPICT
• CF_DISPENHMETAFILE
• The following custom formats are predefined in Citrix Virtual Apps and Desktops:
• CFX_RICHTEXT
• CFX_OfficeDrawingShape
• CFX_BIFF8
• HTML Format
• Enabling HTML format clipboard copy support (HTML Format) will copy any scripts (if they exist) from the source
of the copied content to the destination. Check that you trust the source before proceeding to copy.
• If you do copy content containing scripts, they will only be live if you save the destination file as an HTML file and
execute it.
• Additional custom formats can be added. The custom format name must match the formats to be registered with the
system.
• Format names are case-sensitive.
• This setting does not apply if either Client clipboard redirection or Restrict client clipboard write is set to Prohibited.
• In addition to security of files, and keeping the data internal, we also need to consider denying or limiting what a user
can do with the clipboard.
• Will we allow copy/paste to/from the clipboard to the local device? You can specify which direction and what content
can be copied.
• One way
• Two ways
• Only text
• Only bitmaps



Additional Resources:
• ICA policy settings: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings.html
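As an added example (not part of the course material), the following PowerShell models the clipboard rules listed in the notes above so an intended policy can be checked before it is applied to a Delivery Group. The setting names are those of the Citrix policy settings described above; the three sample configurations are constructed for illustration.

```powershell
# Added example; not part of the Citrix course material. Models the documented
# clipboard policy rules so an intended configuration can be evaluated before it
# is applied. Setting names are the Citrix policy settings described above; the
# sample configurations at the bottom are constructed for illustration.

# System-defined and Citrix-predefined clipboard formats from the policy reference.
$KnownClipboardFormats = @(
    'CFX_FILE','CF_TEXT','CF_BITMAP','CF_METAFILEPICT','CF_SYLK','CF_DIF','CF_TIFF',
    'CF_OEMTEXT','CF_DIB','CF_PALETTE','CF_PENDATA','CF_RIFF','CF_WAVE','CF_UNICODETEXT',
    'CF_ENHMETAFILE','CF_HDROP','CF_LOCALE','CF_DIBV5','CF_OWNERDISPLAY','CF_DSPTEXT',
    'CF_DSPBITMAP','CF_DSPMETAFILEPICT','CF_DISPENHMETAFILE',
    'CFX_RICHTEXT','CFX_OfficeDrawingShape','CFX_BIFF8','HTML Format'
)

function Get-EffectiveClipboardFlow {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [hashtable] $Settings)

    # Documented defaults: redirection allowed, no write restrictions configured.
    $redirection = if ($Settings.ContainsKey('ClientClipboardRedirection')) {
        $Settings['ClientClipboardRedirection'] } else { 'Allowed' }
    $restrictClientWrite  = ($Settings['RestrictClientClipboardWrite']  -eq 'Enabled')
    $restrictSessionWrite = ($Settings['RestrictSessionClipboardWrite'] -eq 'Enabled')
    $clientFormats  = @($Settings['ClientClipboardWriteAllowedFormats']  | Where-Object { $_ })
    $sessionFormats = @($Settings['SessionClipboardWriteAllowedFormats'] | Where-Object { $_ })

    # Format names are case-sensitive: flag anything that is not a documented format
    # (custom formats are legal, but must match the registered name exactly).
    $unrecognized = @(($clientFormats + $sessionFormats) |
        Where-Object { $KnownClipboardFormats -cnotcontains $_ })

    if ($redirection -eq 'Prohibited') {
        # Master switch off: the write restrictions and format lists no longer apply.
        $sessionToClient = 'Blocked'; $clientToSession = 'Blocked'
    } else {
        # Session -> endpoint is governed by "Restrict client clipboard write" and its format list.
        $sessionToClient = if (-not $restrictClientWrite) { 'All formats' }
                           elseif ($clientFormats.Count -gt 0) { $clientFormats -join ', ' }
                           else { 'Blocked' }
        # Endpoint -> session is governed by "Restrict session clipboard write" and its format list.
        $clientToSession = if (-not $restrictSessionWrite) { 'All formats' }
                           elseif ($sessionFormats.Count -gt 0) { $sessionFormats -join ', ' }
                           else { 'Blocked' }
    }

    $mode = switch ($true) {
        { $sessionToClient -eq 'Blocked' -and $clientToSession -eq 'Blocked' } { 'No Clipboard'; break }
        { $sessionToClient -eq 'Blocked' } { 'One-Way Clipboard (Client-to-Server)'; break }
        { $clientToSession -eq 'Blocked' } { 'One-Way Clipboard (Server-to-Client)'; break }
        default { 'Two-Way Clipboard' }
    }

    [pscustomobject]@{
        Mode                = $mode
        ClientToSession     = $clientToSession
        SessionToClient     = $sessionToClient
        UnrecognizedFormats = $unrecognized
    }
}

# Constructed sample configurations.
$DefaultConfig  = @{ ClientClipboardRedirection = 'Allowed' }   # out of the box: two-way, all data
$HardenedConfig = @{                                            # endpoint -> session only, text only
    ClientClipboardRedirection          = 'Allowed'
    RestrictClientClipboardWrite        = 'Enabled'
    RestrictSessionClipboardWrite       = 'Enabled'
    SessionClipboardWriteAllowedFormats = @('CF_TEXT', 'CF_UNICODETEXT')
}
$TypoConfig = $HardenedConfig.Clone()
$TypoConfig['SessionClipboardWriteAllowedFormats'] = @('cf_text')   # wrong case: will not match CF_TEXT

foreach ($name in 'DefaultConfig', 'HardenedConfig', 'TypoConfig') {
    "=== $name ==="
    Get-EffectiveClipboardFlow -Settings (Get-Variable -Name $name -ValueOnly) | Format-List
}
```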



Citrix Policy Guides

• Citrix Virtual Apps and Desktops 7.6 LTSR, Citrix Gateway 10.5, and Citrix Hypervisor 6.0.2 have achieved some level of Common Criteria (CC) certification.
• If CC certification is a requirement, these product versions should be used.
• However, the set of Citrix and Microsoft GPOs used by Citrix to achieve this can be applied to any supported version of Citrix Virtual Apps and Desktops.

Key Notes:
• Citrix publicly provides a PDF of the settings used to achieve the certification (see Additional Resources), as well as exports of the
GPOs themselves.
• An Evaluated Configuration guide provides a more comprehensive review of the environment used to gain the CC certification. These
resources can be used as guidelines to assist in evaluating the relative security of different Citrix Virtual Apps and Desktops
configurations.



• Citrix also periodically releases whitepapers which contain security recommendations and lists of recommended Citrix
policies and GPOs.

Additional Resources:
• Citrix Common Criteria Certification Information: https://www.citrix.com/about/legal/security-compliance/common-
criteria.html
• Common Criteria Certified Products (expand categories and do a keyword search for Citrix):
http://www.commoncriteriaportal.org/products/
• Securing Citrix Virtual Apps and Desktops Environments (see System Hardening Guidance for Citrix Virtual Apps and
Desktops): https://www.citrix.com/about/legal/security-compliance/security-standards.html



Using Citrix Gateway SmartAccess and SmartControl with Citrix Virtual Apps and Desktops

[Diagram: endpoints connect through a firewall to Citrix Gateway, and through a second firewall to StoreFront, the Delivery Controller and the VDAs of the Citrix Virtual Apps and Desktops Site. Compliant Endpoints receive Full Access; Non-Compliant Endpoints receive limited access (Copy/Paste, Drive Access and Print Access restricted).]


Key Notes:
• In contrast to SmartAccess, Smart Control is implemented exclusively through ICA policies on the Citrix Gateway. Each ICA policy is an
expression and access profile combination that can be applied to users, groups, virtual servers, and globally.
• ICA policies are evaluated after the user authenticates at session establishment. As a result, session settings can be defined and
applied before the user connection enters the internal network.
• SmartControl requires Citrix Virtual Apps and Desktops Platinum licensing.



• Rather than making the admin configure capabilities on multiple backend XA/XD servers, with SmartControl, Citrix
Gateway becomes a single point of configuration.
• Users can be granted access to desktops or apps based on EPA checks.
• SmartAccess & SmartControl (Even more security for your apps and desktops):
• Smart Access:
• Citrix Virtual Apps and Desktops feature in conjunction with Citrix Gateway.
• Allows policy and resource filtering based on connection/access conditions.
• “Per Site” configuration.
• Requires Universal Licenses:
• Part of ADC (Standard: 500 licenses, Advanced: 1000 licenses, Premium: unlimited licenses included).
• Part of Citrix Virtual Apps and Desktops Premium.
• Smart Control:
• Citrix ADC only feature (Citrix Virtual Apps and Desktops site does not know about it).
• Allows controlling ICA Virtual Channel behavior on Citrix Gateway, such as:
• Disabling/enabling client drives, printers, etc.
• Can be controlled by means of ADC syntax policies.
• Allows configuration “per Gateway”.
• Requires Citrix ADC Platinum license.
• SmartControl can be used to verify that when users connect they are running the latest antivirus version and then
decide if they can connect.
• What is Citrix Gateway SmartAccess and SmartControl?
• Smart Control:
• Smart Control allows administrators to define granular policies to configure and enforce user environment
attributes for Citrix Virtual Apps and Desktops on Citrix Gateway.
• Smart Control also allows administrators to manage these policies from a single location, rather than at each
instance of these server types.
• SmartAccess:
• SmartAccess allows you to control access to published applications and desktops on a server through the use of
Citrix Gateway session policies.



• Smart Access uses pre-authentication and post-authentication checks as a condition, along with other conditions,
for access to published resources.
• SmartAccess and SmartControl are two features which utilize the Citrix Gateway to help control which resources and
level of access a given user and/or endpoint is granted based on pre-defined criteria.
• SmartAccess allows you to control access to published applications and desktops on a server through the use of
Citrix Gateway session policies. You use pre-authentication and post-authentication checks as a condition, along
with other conditions, for access to published resources.
• Other conditions include anything you can control with a Citrix Virtual Apps and Desktops policy, such as
printer bandwidth limits, user device drive mapping, clipboard, audio, and printer mapping. You can apply a
Citrix Virtual Apps and Desktops policy based on whether or not users pass a Citrix Gateway check.
• This functionality is achieved by integrating Citrix Gateway components with StoreFront and Citrix Virtual Apps
and Desktops. This integration provides advanced authentication and access control options to StoreFront.
• Smart Control allows administrators to define granular policies to configure and enforce user environment
attributes for Citrix Virtual Apps and Desktops on Citrix Gateway. Smart Control allows administrators to manage
these policies from a single location, rather than at each instance of these server types.
• Both SmartAccess and SmartControl can apply differing HDX policy settings based on an EPA health check, for example
by verifying whether a certain antivirus client is present on the endpoint device.
• Feature comparison:
• Smart Access:
• Resource access restrictions based on EPA.
• Verification of required security measures enabled on devices.
• Restriction of access to the resources based on Active Directory (AD) identity or group membership.
• SmartControl
• Resource access restrictions based on EPA.
• Verification of required security measures enabled on devices.
• Single point of configuration for all Citrix Virtual Apps and Desktops servers behind the Citrix Gateway.
• Smart Control. What can be Controlled?
• Peripheral Redirection (Client printer redirection, Client USB redirection, Client audio redirection)
• Port Redirection (Client LPT port redirection, Client COM port redirection, Client audio redirection)



• Other Settings (Multi Stream , File Sharing for receiver for HTML 5, Client Drive mapping ,Client Clipboard mapping)
• SmartAccess can additionally provide differing settings based on Active Directory identity or group membership. This is
not possible with SmartControl, because the primary differentiator of SmartControl is that it functions without needing
to communicate with the internal network, including Active Directory.
• SmartControl can provide a single point of configuration for all Citrix Virtual Apps and Desktops environments behind a
particular Citrix Gateway, because no Farm or Site-level configurations are needed – everything is configured on the
Citrix Gateway.
• SmartAccess and SmartControl policies can be defined concurrently, and the most restrictive policy set will apply.
• Limitations of SmartControl:
• Not all XA/XD features can be controlled as of now.
• EPA related checks will work only in Gateway mode. EPA related checks won't work for LAN users or
Transparent users. The workaround would be to make these users go through the Gateway.
• Since the SmartControl enforcement is done at session setup time, if the EPA periodic check fails after the connection is
established, we cannot change the already enforced SmartControl for that connection.
• Smart Control (Use Case Example):
• John is an admin for Techcorp LLC. Techcorp issues laptops to employees with the antivirus McAfee VirusScan
Enterprise v8.0.
• Techcorp wants to protect its private data from any malicious viruses and does not want any devices without
McAfee VirusScan Enterprise v8.0 to plug in any USB drives to copy any data.
• SmartControl can be used to allow or prevent USB drive redirection based on an end-point scan to confirm the
presence of the virus-scan software.

Additional Resources:
• Configuring SmartAccess: https://docs.citrix.com/en-us/citrix-gateway/13/integrate-web-interface-apps/ng-
smartaccess-wrapper-con.html
• Configuring SmartControl: https://docs.citrix.com/en-us/citrix-gateway/13/integrate-web-interface-apps/smart-
control.html
• Demo Guide for SmartAccess and SmartControl:
https://www.citrix.com/content/dam/citrix/en_us/documents/guide/demo-guide-for-smart-access-smart-control.pdf



Can I Use Registry Changes to Provide Further Lockdowns?

• Several web sources are available which list registry changes to remove different menu options or buttons from various portions of Windows.
• These registry changes are not officially supported by Microsoft and Citrix, and present the risk of corrupting the OS image.
• If you choose these methods, always create a registry backup and test with a non-production image before rolling out these changes to production.



Lesson Review

SmartAccess and SmartControl provide enhanced security for apps and desktops.
SmartAccess is a feature of?
SmartControl is a feature of?

Smart Access: Feature of Citrix Virtual Apps and Desktops.
Smart Control: Feature of Citrix ADC.



Image Management



Harden Components by Using a Golden Image

Recommendations:
• Harden all components by using a Gold disk image when possible.
• Enable cryptographic checksum and hashes on Gold disks and OS.
• Patch all components in a timely manner to include the infrastructure and hosts.
• Automate the provisioning and de-provisioning processes with Citrix Provisioning or Machine Creation Services.

[Diagram: a Citrix Provisioning Server streams a single vDisk (Golden Image) to multiple VDAs]

Key Notes:
• Recommendations:
• Ensure the virtualized environment uses the same security stack as the non-virtualized environment. This includes IDS, IPS, multi-
factor authentication, web proxies and advanced threat detection appliances.
• Automate Citrix site creation process via Citrix Life Cycle Management to bring consistency between development, test and
production environment. More information available in Additional Resources.
• Maintain a consistent development, test and production environment that can be used to test security policies successfully.



• Enable Secure ICA connections in Citrix Virtual Apps and Desktops for end-to-end TLS encryption of traffic, including
traffic inside the data center. Lock down Citrix Database access to authorized administrators only.

Additional Resources:
• System Hardening Guidance for Citrix Virtual Apps and Desktops:
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/system-hardening-for-xenapp-and-
xendesktop.pdf
• Workspace Cloud: https://www.citrix.com/products/workspace-cloud/tech-info.html
• Securing the Published Browser: https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/securing-
the-published-browser.pdf



Enable Cryptographic Checksum and Hashes on Golden Image and OS

• Cryptographic checksums are values that are generated by an algorithm based on the contents of a file.
• This approach can also be used to verify that unauthorized changes have not been made to an OS image.

Key Notes:
• Checksums are often used to verify that downloaded files have not been tampered with and are exactly the same as when the
checksum was generated.
• Typically, the hash function used to create the checksum is listed along with the checksum so that it can be verified.
• A number of online and downloadable tools exist that can be used to create checksums of any file.
• Examples include Microsoft Checksum Integrity Verifier, CertUtil, and PowerShell.



Additional Resources:
• How to compute the MD5 or SHA-1 cryptographic hash values for a file: https://support.microsoft.com/en-
us/help/889768/how-to-compute-the-md5-or-sha-1-cryptographic-hash-values-for-a-file
• Microsoft File Checksum Integrity Verifier: https://www.microsoft.com/en-us/download/details.aspx?id=11533
• Guide to Cryptography: https://www.owasp.org/index.php/Guide_to_Cryptography
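The following PowerShell is an added example, not part of the course material: it builds a SHA-256 baseline of a golden image folder with Get-FileHash and later verifies the folder against that baseline, reporting modified, missing and unexpected files. The vDisk store path, baseline file and sample files are constructed placeholders.

```powershell
# Added example; not part of the Citrix course material. Creates a SHA-256
# baseline of a golden image folder (for instance a Citrix Provisioning vDisk
# store) and verifies the folder against it later. All paths and files below
# are constructed in a temporary folder so the script runs stand-alone.

function New-ImageBaseline {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [Parameter(Mandatory)] [string] $BaselinePath
    )
    $root = (Resolve-Path $ImagePath).Path
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            Length       = $_.Length
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $BaselinePath -NoTypeInformation
}

function Test-ImageBaseline {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [Parameter(Mandatory)] [string] $BaselinePath
    )
    $root     = (Resolve-Path $ImagePath).Path
    $expected = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object { $expected[$_.RelativePath] = $_ }

    $results = @(foreach ($file in Get-ChildItem -Path $root -File -Recurse) {
        $rel    = $file.FullName.Substring($root.Length).TrimStart('\', '/')
        $actual = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ RelativePath = $rel; Status = 'Unexpected' }   # not in the baseline
        } elseif ($expected[$rel].SHA256 -ne $actual) {
            [pscustomobject]@{ RelativePath = $rel; Status = 'Modified' }     # content changed
        } else {
            [pscustomobject]@{ RelativePath = $rel; Status = 'OK' }
        }
        $expected.Remove($rel)
    })
    # Anything left in the baseline was not found on disk.
    $results += @(foreach ($rel in $expected.Keys) {
        [pscustomobject]@{ RelativePath = $rel; Status = 'Missing' }
    })
    $results
}

# --- Demonstration with constructed files ---
$demo     = Join-Path ([IO.Path]::GetTempPath()) ("gold-" + [guid]::NewGuid())
$image    = Join-Path $demo 'vDisk'
$baseline = Join-Path $demo 'baseline.csv'   # keep the real baseline off-box and read-only
New-Item -ItemType Directory -Path (Join-Path $image 'WriteCache') -Force | Out-Null
Set-Content -Path (Join-Path $image 'gold.vhdx') -Value 'constructed vDisk contents'
Set-Content -Path (Join-Path $image 'gold.pvp')  -Value 'constructed vDisk properties'

New-ImageBaseline -ImagePath $image -BaselinePath $baseline

# Simulate an unauthorized change, an added file and a removed file.
Add-Content -Path (Join-Path $image 'gold.vhdx') -Value 'unauthorized change'
Set-Content -Path (Join-Path $image 'WriteCache\extra.bin') -Value 'not in baseline'
Remove-Item -Path (Join-Path $image 'gold.pvp')

# Expected: gold.vhdx Modified, WriteCache\extra.bin Unexpected, gold.pvp Missing
Test-ImageBaseline -ImagePath $image -BaselinePath $baseline | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```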



Creating a Locked-down VM Template

• Templates should be named to indicate what their intended purpose is.
• For example, to avoid using an experimental template for a production VM, specify "-test" as part of its name.
• When building a template, make sure it does not include any unnecessary or undesirable networks.
• A leading practice is that you do not assign unnecessary network ports to each guest.
• For example, when initially making the VM from which you want to generate the template, verify you do not create virtual network interfaces for all of the networks (NICs) available on your host.

Key Notes:
• A template that was created with only one use case in mind might be re-used for many other VMs with differing security
requirements.
• A leading practice is that you take extra care when creating VMs for replication (as templates) to ensure that the configurations are
suitable for all potential uses of the VM.
• A leading practice is that you ensure that VM templates are considered as part of your organization's patching schedule.
• The following practices can be used to lock down a VM template:



• Remove all undesired Windows and Citrix functionality
• Application Hardening
• Restrict access to internal tools
• Restrict access to external tools
• Restrict access to file system dialog
• Limit sensitive information on local and remote drives
• Separate applications on different servers
• Isolate applications on the same server

Additional Resources:
• Security Recommendations When Deploying Citrix XenServer:
https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/security-recommendations-when-
deploying-citrix-xenserver.pdf
• System Hardening Guidance for Citrix Virtual Apps and Desktops:
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/system-hardening-for-xenapp-and-
xendesktop.pdf



Lesson Review

What are some online tools available to create checksums for files?

• Microsoft Checksum Integrity Verifier
• CertUtil
• PowerShell



Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 06

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.



Lab Exercise

• Exercise 6-1: Configure Certificates on the VDA
• Exercise 6-2: Enable TLS on the VDA
• Exercise 6-3: Enable TLS on the Controller
• Exercise 6-4: Implement Citrix Security and Control Template
• Exercise 6-5: Import and Apply Common Criteria GPO Security Template
• Exercise 6-6: Configure Citrix Gateway SmartControl Policies
• Exercise 6-7: Test Citrix Gateway SmartControl Policies



Key Takeaways

• TLS (Transport Layer Security) improves on legacy SecureICA by utilizing enhanced cryptographic protocols.
• Enabling TLS requires SSL certs on all VDAs and encryption setup on the VDAs and Controllers.
• Policies can be configured to reduce exposure to threats, and provide secure remote access for Users and Administrators.
• SmartAccess and SmartControl provide enhanced security within a Citrix Gateway and Virtual Apps and Desktops infrastructure.
• Cryptographic checksum (and hashes) can be enabled on gold disks and files to verify if any tampering, or unauthorized changes were made.



Citrix Virtual Apps and Desktops 7
Advanced Deployment, Troubleshooting,
Security and Administration
Introduction to Troubleshooting

Module 7



Learning Objectives

• Describe the troubleshooting process and stages of problem resolution.
• Identify the capabilities of tools and utilities commonly used to troubleshoot and monitor a Citrix Virtual Apps and Desktops environment.
• Demonstrate how to use Get-Help, Get-Command and Show-Command PowerShell Cmdlets.



Troubleshooting Methodology

Using the appropriate methodology when troubleshooting will allow you to quickly identify current or impending issues.

[Diagram: Detect the problem, Understand the problem, Recover the service, Isolate the problem, Fix the problem, Take pro-active steps]

Key Notes:
• Detecting the Problem: Issue identification is the first step in the troubleshooting methodology.
• Most issues are reported in one of three ways: End users request helpdesk tickets, Monitoring tools, Observation by
administrators.
• One additional troubleshooting method is often overlooked. As Citrix solutions present a front end to the users,
administrators should not overlook the regular feedback retrieved directly from the end users. Consulting has had many
encounters in which partners or customers were struggling with consistent issues, but the root cause couldn't be discovered until
consulting directly approached the end users to discuss the problem.
• Understanding the Problem: To gain an understanding of a problem, you must first know the symptoms of the issue.
• Prioritize the problem based on:
• How many people are impacted.
• The importance or severity of the problem.
• Consider things like, When did the problem start? What is the impact? Is the problem reproducible?
• Build an action plan.
• Escalate the issue when:
• Data has been gathered and analysis is needed.
• The issue has been persistent for an extended period of time.
• Use resources such as Google; it is a strong first step in identifying a problem. Google can help locate known issues
or find documentation, find potential workarounds for an issue, find answers that prevent an administrator from
“re-inventing the wheel.”
• In real life, this stage is often very flexible: the assigned priority can be driven by other issues and projects you are
dealing with at the moment. For example, if you are not working on anything critical, you might decide to analyze the
problem with a well-known workaround.
• Also, this might actually be a very good moment to involve vendor support. If the issue prevents end users from
working and impacts a large amount of users, you might want to escalate it immediately.
• In many cases, a consultant will just use a website http://www.google.com to provide customer with a solution. Very
often, if you type the specific error code into Google, the first link provides you with the solution. It is not a good use
of expensive consulting services to solve something that a simple Google query can answer.
• The question that you ask during this step is actually quite simple – “Why was it working yesterday and is not
working today?”
• Recovering the Service:
• Recover the service if you can provide a suitable workaround for end users.

• Recover the service and allow users to continue working while you continue to troubleshoot the issue.
• In most companies, the IT department is responsible for providing technical support for core business of the
company. As soon as a technical issue affects the core business, you should address the problem.



• At this stage, very often you may not know what the problem is and are not actively trying to fix it; you are just trying
to make the environment fully functional again.
• This stage is very often about the decision between quickly recovering the environment and finding the root cause.
For example, if you have a problem that is repeated on a daily basis and the quick solution is the recovery of the
database, you might invest time to actually identify the root cause. If the problem occurs once a year on an
unimportant component and is solved by restarting one service, finding the root cause might be a lower priority.
• Isolating the Problem: Conditions to consider when isolating the problem:
• Is the problem limited to certain individuals or geographical locations?
• How many machines are affected?
• Is the issue sporadic or does it occur at a specific time?
• Can the issue be easily reproduced?
• You can start randomly applying hotfixes or restarting servers, but if you understand the product well, you can
actually isolate the problem.
• Other really good questions to ask:
• Is the problem limited to certain end device types – for example, thin clients?
• Can the issue be reproduced on different protocols, such as RDP?
• Does the problem exist if an end user with higher privileges launches the application?
• This course addresses the most common problem areas for troubleshooting:
• M03 – Problems between STF and XDC
• M04 – Problems between XDC and SQL (or FMA services)
• M05 – Problems between VDA and XDC
• M06 – Problems between endpoint and VDA
• Fixing the Problem: When implementing a fix, it is important to verify and test it to ensure that it corrects the problem,
as well as confirm that it causes no disruptions to the production infrastructure.
Fix implementation guidelines:
• Use a dedicated environment designed only for testing.
• Verify the fix in a test environment first.
• Test the fix after making one change at a time.
• Document any changes made.



• Allow ample time to confirm that the fix resolved the issue.
• Implement the fix during non-production hours when possible.
• Apply fix to all impacted production machines
• Taking Pro-active Steps: After resolving a problem, capture as much data as possible for root cause analysis:
• Implement monitoring software within the infrastructure to trigger alerts.
• Design and deploy a maintenance schedule for the infrastructure.
• Review the infrastructure to identify single points of failure.
• Prepare a disaster recovery plan.
• This is an often-overlooked step in troubleshooting methodology. Think about what you could do to prevent the issue
from occurring again. Was the whole process flawless? Did you waste too much time on some steps? Did everyone
know what to do?



Resource Tools and Utilities



Citrix Director

• Administrators can use Director to review and monitor real-time data, as well as historical trends for all session activity within a Citrix Virtual Desktops infrastructure.
• Citrix Director metrics include:
• Session usage
• Logon performance
• Connection and machine failures
• Load evaluation
• Machine and application usage
• Licensing status

[Diagram: the Administrator uses Citrix Director, which queries the Delivery Controller over OData and collects WMI data from the VDA]

Key Notes:
• Citrix Director allows an administrator to quickly resolve real-time issues, by performing actions such as ending nonresponsive
applications or processes.
• Additionally, real-time shadowing operations on the end user's machine, restarting the machine, or resetting the user profile, can
also be performed.
• The Dashboard provides an overview of the key aspects of a deployment, such as the status of sessions, user logons, and the site
infrastructure.



• Full administrators see and manage the entire site and can perform commands for multiple users and machines.
• Delegated administration is also supported and can be used to enable access to specific tasks.



Environment Tests

• The Environment Test service is responsible for managing and executing tests to evaluate the state of a Citrix Virtual Desktops Site:
• It can be accessed and run using Citrix Studio or PowerShell cmdlets.
• More than 200 tests are available for reviewing infrastructure.

Key Notes:
• Environment Tests is one of the very underrated features in Citrix Virtual Apps and Desktops.
• A good leading practice is to run environment tests regularly within a Site.
• Environment tests check database connectivity, Active Directory info, MCS availability, the state of the delivery groups and
machine catalogs, and a lot more.



Citrix Diagnostics Toolkit

• The Diagnostic Toolkit is a suite of individual standalone applications, tools and utilities, from both Citrix and third-party vendors.
• Tool examples include:
• XDPing
• Citrix Scout
• Citrix Receiver Clean-Up Utility
• CDF Monitor
• Stress Printers
• Print Detective
• Wireshark
• System Dump Checker
• Process Monitor and Explorer


Key Notes:
• All third-party tools are downloaded and installed on demand.
• Toolkit contains tools from Citrix, Microsoft, and other 3rd party vendors.

Additional Resources:
• Citrix Diagnostics Toolkit - 64bit Edition: https://support.citrix.com/article/CTX135075
• Citrix Receiver Diagnostics Tool - For Windows: https://support.citrix.com/article/CTX141751



Citrix Scout

• Citrix Scout is a support tool that is now widely used by administrators to diagnose various environmental issues.
• Scout gathers information on items such as:
  • Broker Service Status
  • Site and Zone Information
  • Machine Catalogs
  • License Server information
  • Hypervisor information


Key Notes:
• Citrix Scout is run from a single Delivery Controller to capture key data points and CDF traces. The data is then securely uploaded as
a package to Citrix Technical Support.
• Key data points include hardware information, such as BIOS and CPU details, as well as software information such as the Windows
registry and event logs.
• Captured data can be uploaded to cis.citrix.com for analysis or submitted to Citrix Support. Review the package before uploading, as
registry and event log exports can contain hostnames, account names and other details covered by your data-handling policy.
• Scout can be configured to capture event log messages, CDF trace messages, and machine settings.



• Scout also supports CLI mode that allows unattended and scripted executions of Scout.
• Citrix Scout is now installed by default on every Controller.

Additional Resources:
• Citrix Scout: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/cis.html
• Citrix Scout: https://support.citrix.com/article/CTX130147



Citrix Supportability Pack

• The Citrix Supportability Pack is a collection of tools, including the Citrix Diagnostic Toolkit, designed to help diagnose and troubleshoot Citrix Virtual Desktops products:
  • Tools meant to help customers and partners save time and effort when testing.
  • They are not designed to replace system administration features that Citrix Virtual Desktops provides for day-to-day system management.
  • Includes both Citrix and third-party tools.


Key Notes:
• The tools in this pack are not intended to replace the system administration features that Citrix Virtual Apps and Desktops provides for
day-to-day system management. This collection of tools consists of specialized utilities for advanced troubleshooting in very specific areas.
• Installing the Supportability Pack:
1. If you have an older version of the Supportability Pack on your system, e.g. v1.1.x, a leading practice is to completely remove the
existing Supportability Pack, including all tools and files, before downloading the new version. Since v1.2.x the pack provides an
Updater utility, which you can use to keep all tools up to date in the future.
2. Unzip the Supportability Pack zip package into a local folder of your choice.
3. Open the README.HTML file with any web browser and begin exploring the tools catalog.
4. Each tool is in its own folder inside the local directory Tools.
5. The Updater, SupportabilityPackUpdater.exe, is in the same directory as README.HTML. Use
"SupportabilityPackUpdater.exe /help" to get more information about how to use it.
• The Pack can be extracted to local drive, portable drive, USB stick, etc.
• The Citrix Health Assistant is a Windows tool that helps administrators troubleshoot configuration issues in a Citrix
environment. The tool provides GUI and supports operation from the command line.
• The tool conducts the following health checks on a VDA and reports check results in the GUI and in a log file:
• VDA registration
• Session Launch
• Time Zone Redirection
• Citrix Provisioning Event Log
• Profile Management Configuration

Additional Resources:
• The Citrix Supportability Pack: http://support.citrix.com/article/CTX203082
• 12 Brand New Tools in the Latest Citrix Supportability Pack: https://www.citrix.com/blogs/2016/08/11/12-brand-new-
tools-in-the-latest-citrix-supportability-pack/
• Citrix Health Assistant - Troubleshoot VDA Registration and Session Launch:
https://support.citrix.com/article/CTX207624?recommended



Citrix Insight Services
Citrix Insight Services (CIS) is an initiative from Citrix focused on making product support
easier and more robust for customers.

Key Notes:
• Citrix Insight Services Overview:
• The administrator uploads a status report file from a local computer to the CIS site for analysis.
• CIS analyzes the uploaded data to identify any known issues or optimization shortfalls.
• CIS performs a health check to reveal any potential issues the environment may incur.
• Analysis results are returned to the administrator.
• The file can be uploaded directly from the Controller if Scout is installed.



• Citrix Insight Services consists of tools and online analysis capabilities to help collect environment information, analyze
that information and provide recommendations.
• CIS instrumentation and telemetry capabilities enable technical users (customers, partners, and engineers) to self-
diagnose and fix problems and optimize their environments.
• You should run an analysis on CIS on a regular basis as a quick and effective health check of the environment.
• The features offered by Citrix Insight Services continue to grow and evolve, and now form a part of Citrix Smart Tools.
• Citrix Smart Tools enables you to automate deployment tasks, health checks, and power management.

Additional resources:
• How to Upload Data to Citrix Insight Services (CIS): https://support.citrix.com/article/CTX136396
• Citrix Insight Services: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-
deployment/cis.html



CDF Tracing Overview

• A CDF trace provides the ability to collect real-time logs without disrupting the running services or end users:
  • It can be configured to run locally in real-time, at startup, or remotely by utilizing the remote registry service.
  • You can enable trace providers with the ability to filter the retrieved data.
• There are three main facets to the CDF trace process: Controllers, Providers and Consumers.

Controllers:
  • Start and stop ETW kernel-level tracing sessions
  • Enable and disable providers
  • Configure the resulting log file size and location
  • Configure the level of details to capture
  • Configure the trace buffers

Providers:
  • Components which provide events (or event trace messages)
  • Once registered as an ETW provider, can be enabled or disabled using a controller

Consumers:
  • Consume the events from one or more trace sessions
  • View the event data as the data is created, or view the event data from a log file

Key Notes:
• CDFControl is an event tracing tool that is designed towards capturing Citrix Diagnostic Facility (CDF) trace messages that are output
from the various Citrix tracing providers.
• There are two primary ways to use CDF logging: CDFControl and Citrix Scout.
• CDFControl can be used to both capture as well as analyze CDF traces, and can be customized to parse trace messages from a
particular time period or particular provider.
• Citrix Scout Captures the CDF traces and then securely uploads the data to Citrix Support.


Additional Resources:
• CDFControl: https://support.citrix.com/article/CTX111961
• How to Collect a Citrix Diagnostic Facility (CDF) Trace at System Startup: https://support.citrix.com/article/CTX127131
• How To Collect Remote CDF Tracing: https://support.citrix.com/article/CTX237216
• Recommendations for Collecting the CDF Traces: https://support.citrix.com/article/CTX121185
• Citrix Scout: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/cis.html



Why is PowerShell Important?

Before PowerShell: Windows and server product functionality was exposed through a management GUI (MMC), WMI, the command line and COM, with scripts layered on top of those separate technologies.

PowerShell era: Windows and server product functionality is exposed through the .NET Framework, WMI and PowerShell, and both the GUI and scripts sit on top of that single layer.

Key Notes:
• PowerShell is most commonly used through different consoles (PowerShell and PowerShell ISE being the most popular ones);
however, the PowerShell engine can also be accessed directly from C#.
• When Citrix refers to the “SDK”, it is not referring to a separate set of APIs or libraries; it is referring to the regular PowerShell cmdlets.
• In Citrix Virtual Desktops, there are no APIs or libraries to import, and the same language is used by administrators and scripters as
well as by professional software developers.
• For most legacy software products, the majority of functionality could only be accessed using a GUI. Automation was always very painful:
not only did you have to use a couple of different technologies, but you were usually rather limited in what could be
automated.
• With modern software designs, the GUI is actually just sitting on top of a PowerShell layer (as is the case with Citrix Studio)
and you have more functionality available from the CLI than from the GUI.

Additional resources:
• Free and amazing training from Microsoft (Jeffrey Snover is the father of PowerShell):
https://www.microsoftvirtualacademy.com/en-us/training-courses/getting-started-with-powershell-3-0-jump-start-
8276
• SDKs and APIs: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/sdk-api.html
• SDKs: https://docs.citrix.com/en-us/citrix-cloud-government/manage/sdk-api.html



Lesson Review

What are the two tools to utilize for a CDF capture?

CDFControl and Citrix Scout.



Introduction to PowerShell



PowerShell Structure

Two main components make up PowerShell:

• Cmdlets:
  • Commands based on .NET Framework classes
  • Perform an action
  • Differ from commands in other CLI shells, such as the Windows command prompt
• Modules:
  • A set of related functionality (cmdlets, providers, aliases, variables)
  • A module can contain multiple cmdlets
  • Allow for the modularization of Windows PowerShell code


Key Notes:
• Cmdlets are members of a module. If you know the module, you can find all the cmdlets that are members of that module; if you
know the cmdlet, you can find the parent module (and then list all its members).
• For example, if you know the command Start-ScheduledTask, you can find the module it belongs to (Get-Command Start-
ScheduledTask | Select Module) and then find all the commands that are available for scheduled tasks (Get-Command –Module
ScheduledTasks).
• This is a very important concept of PowerShell. You can easily spend hours just discovering new modules and cmdlets without using
a search engine or reading a book.
• With a solid understanding of PowerShell, you can learn about new PowerShell modules (such as the Citrix Virtual
Desktops ones) without reading through the help documentation.
• If you want to view the list of Citrix modules, type “Get-Command –Module Citrix* | Select ModuleName –Unique” in
PowerShell.

Additional Resources:
• Citrix Virtual Apps and Desktops SDK PowerShell: https://citrix.github.io/delivery-controller-sdk/
• Citrix Virtual Apps and Desktops: Basic PowerShell Cmdlets for Delivery Controller's Health Check:
https://support.citrix.com/article/CTX238581
• Free and amazing training from Microsoft (Jeffrey Snover is the father of PowerShell):
https://www.microsoftvirtualacademy.com/en-us/training-courses/getting-started-with-powershell-3-0-jump-start-
8276
• SDKs and APIs: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/sdk-api.html
• SDKs: https://docs.citrix.com/en-us/citrix-cloud-government/manage/sdk-api.html



Cmdlet Syntax

Verb-Noun

• Verb: taken from a predefined list, for example Get, New, Start, Remove, etc.
• Noun: variable, for example Date, Process, Task, EventLog, etc.

Examples: Get-Date, New-Process, Start-Task, Remove-EventLog

Key Notes:
• PowerShell utilizes a "verb-noun" naming system to perform actions. Each cmdlet name consists of a standardized verb which is then
hyphenated with a specific noun to create a specific function.
• This is one of the most important early concepts of PowerShell. All cmdlets use the verb-noun syntax, where the “verb” part comes
from a predefined list of approved verbs that does not change.
• The actual full syntax is module\verb-noun; for example, Get-Process can be called using Microsoft.PowerShell.Management\Get-Process.
This allows the same cmdlet name to exist in multiple modules; however, relying on that is not recommended and should be avoided if possible.
• When you are trying to find the command to do something, start by thinking about the verb: do you want to
remove something? Or do you want to start something?
• Because the verb list is static, you can use the Get-Verb cmdlet to retrieve the list of verbs available for use.

Additional resources:
• Technet: https://social.technet.microsoft.com/wiki/contents/articles/4537.powershell-approved-verbs.aspx
• Learning PowerShell command names: https://docs.microsoft.com/en-us/powershell/scripting/learn/learning-
powershell-names?view=powershell-6



PowerShell is Citrix Virtual Apps and Desktops

• Virtual Apps and Desktops:
  • Citrix Studio runs PowerShell under the hood
  • Follows best practices from Microsoft
  • Contains over 40 modules
  • Contains over 700 cmdlets


Key Notes:
• This module is a very short introduction to PowerShell, as its capabilities are vast.
• Everything you do in Citrix Studio is actually executed as a PowerShell command, and Virtual Apps and Desktops is one of the
products where not only is everything in the UI supported for automation, but you actually have more options when you use the CLI
interface.
• The latest release of Virtual Apps and Desktops contains over 700 cmdlets.
• The most important lesson is that PowerShell is not a scripting language that needs to be memorized; it is discovered with Get-Command and Get-Help.
• StoreFront contains 25 modules, Virtual Apps and Desktops contains 17 modules.
• StoreFront contains 100+ cmdlets, while Citrix Virtual Desktops contains 600+ cmdlets.
• Citrix Virtual Desktops also includes two providers – Citrix.Hypervisor (XDHyp:\) and CitrixGroupPolicy (LocalGpo:\
and Templates:\).
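The following is an added example, not part of the course material or of the Citrix SDK documentation, that ties the module-discovery idea from the PowerShell Structure notes to the Controller health-check cmdlets referenced in CTX238581. It is run on a Delivery Controller as a Full Administrator. Get-Command, Get-BrokerSite, Get-BrokerDBConnection, Get-BrokerController, Get-BrokerMachine, Get-BrokerSession and the Get-*ServiceStatus cmdlets are part of the shipping SDK; the expected values ('Active' for a Controller's State, 'OK' for a service status) and the property names used in the output are assumptions to confirm with Get-Help on each cmdlet.

```powershell
# Added example: discover the Citrix modules on a Controller, then check the
# Site's core services. Assumes the Citrix snap-ins installed with the Controller.
Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue   # the slides' "asnp Citrix*"

# 1. Discovery: which Citrix modules are present, and what does the Broker module offer?
Get-Command -Module Citrix* | Select-Object -ExpandProperty ModuleName -Unique | Sort-Object
"Broker 'Get' cmdlets: {0}" -f (Get-Command -Module Citrix.Broker.Admin.V2 -Verb Get).Count

# 2. Site and database connectivity as seen by the Broker service.
$site = Get-BrokerSite
"Site: {0}  (XML trust enabled: {1})" -f $site.Name, $site.TrustRequestsSentToTheXmlServicePort
"Broker DB connection: {0}" -f (Get-BrokerDBConnection)   # empty string = not configured

# 3. Every Controller should be Active; assumption: other State values (Failed, Off) mean trouble.
$controllers = Get-BrokerController
$controllers | Select-Object DNSName, State, LastActivityTime, DesktopsRegistered | Format-Table -AutoSize
$bad = @($controllers | Where-Object { $_.State -ne 'Active' })
if ($bad.Count -gt 0) { Write-Warning ("Controllers not Active: " + ($bad.DNSName -join ', ')) }

# 4. Each Citrix service exposes a Get-<Service>ServiceStatus cmdlet; find them by pattern
#    instead of listing them by hand. Assumption: a healthy service reports 'OK'.
$statusCmdlets = Get-Command -Name 'Get-*ServiceStatus' -Module 'Citrix*'
foreach ($cmd in $statusCmdlets) {
    $status = (& $cmd.Name).ServiceStatus
    [pscustomobject]@{
        Service = $cmd.Name -replace '^Get-|ServiceStatus$', ''
        Status  = $status
    }
    if ("$status" -ne 'OK') { Write-Warning "$($cmd.Name) returned $status" }
}

# 5. User-facing view: VDA registration and active sessions. Get-BrokerMachine and
#    Get-BrokerSession return at most 250 objects unless -MaxRecordCount is raised.
$max = [int]::MaxValue
Get-BrokerMachine -MaxRecordCount $max | Group-Object RegistrationState |
    Select-Object Name, Count | Format-Table -AutoSize
"Active sessions: {0}" -f (Get-BrokerSession -MaxRecordCount $max | Measure-Object).Count
```

Step 4 is the discovery principle from the previous slides at work: the script never needs to know how many Citrix services exist, because the verb-noun convention lets it find every status cmdlet with one wildcard. The -MaxRecordCount caveat in step 5 is a common cause of "the script says 250 machines but Studio shows 900".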

Additional Resources:
• Citrix Virtual Apps and Desktops SDK PowerShell: https://citrix.github.io/delivery-controller-sdk/
• Citrix Virtual Apps and Desktops Basic PowerShell Cmdlets for Delivery Controller's Health Check:
https://support.citrix.com/article/CTX238581
• Free and amazing training from Microsoft (Jeffrey Snover is the father of PowerShell):
https://www.microsoftvirtualacademy.com/en-us/training-courses/getting-started-with-powershell-3-0-jump-start-
8276
• SDKs and APIs: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/sdk-api.html
• SDKs: https://docs.citrix.com/en-us/citrix-cloud-government/manage/sdk-api.html



Citrix Virtual Apps and Desktops Cmdlet Syntax

Verb-ModuleNoun:
• Citrix Virtual Desktops cmdlets are based on Microsoft’s naming conventions.
• The noun is prefixed with the Citrix Virtual Desktops service name.

Broker:
  • Prefix: Broker
  • Examples: Get-BrokerDesktop, Get-BrokerSite, Get-BrokerController

MCS:
  • Prefix: Prov
  • Examples: Get-ProvTask, New-ProvScheme

AD Identity Service:
  • Prefix: Acct
  • Examples: Get-AcctIdentityPool, Get-AcctADAccount

Key Notes:
• While many people are familiar with the verb-noun syntax (which was covered previously), not many people know that the full syntax
actually includes the module name; the short form simply omits it.
• The actual full syntax includes the module prefix as well: Module\Verb-ModuleNoun.
• With a simple verb-noun syntax, there is a big risk of running into conflicts with other modules. For example, a Get-Session cmdlet could
apply to multiple different products, therefore in the Citrix Virtual Desktops implementation it is prefixed by a short module name
(Get-BrokerSession). With the full syntax, it is actually Citrix.Broker.Admin.V2\Get-BrokerSession.
Using Get-Command

• Use Get-Command to list all PowerShell commands that are installed on the computer.
• Use Get-Command to find the specific command you need.
• Wildcards (*) are supported.
Examples:
• Get-Command Get-*User –Module Citrix*
• Get-Command –Module Citrix.Broker.Admin.V2
• Get-Command *IP* -Module *Net*


Key Notes:
• You can’t run a command without knowing its name, which is why Get-Command is one of the most important cmdlets.
• Get-Command on its own has limited usefulness, as it will only list all of the available commands. However, when used either to list
the cmdlets in a single module or with wildcards, it provides much more useful results.
• You can use auto-complete, with the TAB key, as another approach to finding commands.
• Auto-complete is another very useful feature of PowerShell: you can start typing a command and press Tab to auto-complete it.
• For example, type Get-Pro*ess and press Tab; it will automatically be changed to Get-Process (unless you have other cmdlets
that would match the pattern). Other patterns that work the same way:
  • Get-Pro*ess
  • Set-*Network*Adapter
• PowerShell ISE (a richer editor built on top of the PowerShell console) provides context menus for the same purpose as well.

Additional resources:
• Get-Command Module: Microsoft.PowerShell.Core: https://technet.microsoft.com/en-us/library/hh849711.aspx



Using Get-Help

• Display information about Windows PowerShell commands and concepts.
• Once you identify the command using Get-Command, you can learn how to use it using Get-Help.
Examples:
• Get-Help Start-EnvTestTask –Examples
• Get-Help Get-BrokerController –Full


Key Notes:
• Get-Command allows you to find the right command for the task you have to perform. The next step is to use Get-Help to find
more information about it: what the arguments are, what the examples of usage look like, and so on.
• Useful Get-Help switches:
  • -Examples: shows examples of usage.
  • -Full: displays the entire help topic for a cmdlet.

Additional Resources:
• Get-Help Module: Microsoft.PowerShell.Core: https://technet.microsoft.com/en-us/library/hh849696.aspx



Using Show-Command

• Show-Command is used to generate a UI for any PowerShell command.
• It can be used as a replacement for both Get-Command and Get-Help.
Examples:
• Show a UI to browse available cmdlets: Show-Command
• Show a UI for the Get-Process cmdlet: Show-Command Get-Process


Key Notes:
• Show-Command allows you to use any existing cmdlet and to build a GUI for it automatically.
• It allows you to browse through available modules and cmdlets.
• While more senior administrators will probably prefer to use a combination of Get-Command\Get-Help, Show-Command can be very
helpful for anyone, especially during their first interactions with PowerShell.



Additional resources:
• Show-Command Module:Microsoft.PowerShell.Utility: https://technet.microsoft.com/en-us/library/hh849915.aspx



Lesson Review

What system does PowerShell use to perform actions?

PowerShell utilizes a “verb-noun” naming system.



Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 07

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.



Lab Exercise

• Exercise 7-1: Use Get-Command
• Exercise 7-2: Use Get-Help
• Exercise 7-3: Use Show-Command



Key Takeaways

• Citrix Director is a prime administrator tool for reviewing real-time and historical data and resolving issues.
• There are a number of resources available containing both Microsoft and Citrix tools, such as the Citrix Supportability Pack.
• CDFControl is an event tracing tool designed towards capturing real-time message output from various Citrix trace providers.
• PowerShell contains powerful search commands and consists of two primary components: Cmdlets and Modules.



Citrix Virtual Apps and Desktops 7
Advanced Deployment, Troubleshooting,
Security and Administration
Troubleshoot Access Issues

Module 8



Learning Objectives

• Identify common StoreFront authentication, enumeration, and Store subscription problems and their troubleshooting methods.
• Describe the session launch workflow when accessing published resources through Citrix ADC/Gateway.
• Identify common Citrix ADC/Gateway access and authentication issues and how to troubleshoot them.
• Identify common Citrix ADC/Gateway App/Desktop launch issues and how to troubleshoot them.



Troubleshooting StoreFront



Troubleshooting StoreFront

[Diagram: End User PC → StoreFront → Delivery Controller (DDC) → VDA. Connection issues sit between the end user PC and StoreFront, enumeration issues between StoreFront and the Controller, and registration issues between the Controller and the VDA. The Controller also depends on the Site Database (Site issues) and the License Server (License issues).]


Credential Wallet

• Only used with Explicit Authentication (username + password).
• Allows multiple authentication requests without prompting for username and password.
• Uses a Windows service that stores encrypted passwords in an in-memory cache, used later for authenticating users.


Key Notes:
• If authentication fails, check the Event Viewer on each StoreFront server to ensure that no credential errors are present.
• When troubleshooting authentication issues, ensure that the Citrix Credential Wallet service is set for a delayed start, and that it is
started on the StoreFront server.
• Check for an un-started or hung Credential Wallet service when troubleshooting.



Enumeration

• Failure to enumerate applications can be caused by multiple issues.
• The most common issues include:
  • The XML broker is unavailable.
  • Authentication failed for the end user.
  • The end user has not been granted access to desktops or applications.

[Diagram: User → StoreFront → Delivery Controller → Database.]

Key Notes:
• Do not worry that the Subscription Store is missing from the list of common issues; it does not prevent enumeration from proceeding. When
access to the Subscription Store fails, StoreFront continues enumeration, but indicates that subscriptions are not available.
• The XML Broker being unavailable can occur for a number of reasons, such as the XML service being offline.
• If pass-through or smart card authentication is being used, you must enable "Trust requests sent to the XML service" on the Delivery
Controller, so that it trusts the XML requests sent from StoreFront.
• To enable XML trust:
1. Load the Citrix cmdlets by typing asnp Citrix*. (including the period; asnp is the alias for Add-PSSnapin, so this already loads the
Broker snap-in and step 2 is only needed if you want to load that snap-in on its own).
2. Type Add-PSSnapin citrix.broker.admin.v2.
3. Type Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True.
4. Close PowerShell.
• With XML trust enabled, the Controller accepts requests on its XML port that name a user without that user's password, so enable it
only when an authentication method requires it and restrict network access to the XML port to the StoreFront servers.
• Additional authentication failures may occur as a result of such things as incorrect credentials, network communication
issues, or Active Directory validation problems.
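The following is an added example, not part of the course material, that reads the XML trust setting described above and then limits who can reach the Controller's XML port at the Windows host firewall, which is the practical consequence of enabling the setting. Set-BrokerSite/Get-BrokerSite are the cmdlets from the steps above and the NetSecurity cmdlets are built into Windows Server 2012 and later; the StoreFront server addresses and the XML port number (80 by default, 443 if the XML service has been bound to HTTPS) are constructed assumptions for this environment and must be adjusted before use.

```powershell
# Added example: report XML trust and scope the XML port to the StoreFront servers.
# Run on each Delivery Controller as a local administrator and Citrix Full Administrator.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$storeFrontServers = @('10.0.1.21', '10.0.1.22')   # assumption: sample StoreFront addresses
$xmlPort           = 80                            # assumption: HTTP XML port; 443 if HTTPS is bound

$site = Get-BrokerSite
if ($site.TrustRequestsSentToTheXmlServicePort) {
    Write-Warning "XML trust is ENABLED: anything that can reach TCP/$xmlPort can broker sessions for any user."
} else {
    "XML trust is disabled (only needed for pass-through, smart card and similar methods)."
    # Enable it only when StoreFront requires it, exactly as in step 3 above:
    # Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

# Show every existing inbound rule that already opens the XML port, so an installer-created
# "allow from anywhere" rule is not left behind next to the scoped one created below.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$xmlPort" } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile | Format-Table -AutoSize

# Windows Firewall evaluates Block rules before Allow rules, so do not add a blanket Block;
# rely on the profile's default inbound action being Block and add one scoped Allow rule.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

$ruleName = 'Citrix XML service (StoreFront servers only)'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $xmlPort `
    -RemoteAddress $storeFrontServers -Action Allow -Profile Domain | Out-Null

"Inbound TCP/$xmlPort is now allowed only from: $($storeFrontServers -join ', ')"
```

The listing of existing rules matters: adding a scoped Allow rule does nothing if a broader Allow rule for the same port remains enabled, because Windows Firewall permits traffic that matches any Allow rule once no Block rule applies. Disable or scope those broader rules by hand after reviewing the list, and keep the Controllers' own inter-Controller and Studio traffic in mind before narrowing other ports in the same way.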

Additional Resources:
• StoreFront 1912 LTSR: https://docs.citrix.com/en-us/storefront/1912-ltsr.html
• Troubleshoot StoreFront: https://docs.citrix.com/en-us/storefront/current-release/troubleshoot.html
• XML service-based authentication: https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-
and-delegation/xml-authentication.html
• User authentication: https://docs.citrix.com/en-us/storefront/current-release/plan/user-authentication.html
• Citrix Broker Service Events: https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-
release/downloads/BrokerEvents.htm



Subscription Store

• Users may no longer be able to save or view their Favorites if an issue occurs with the Subscription Store.
• Problems may include:
  • The Citrix StoreFront Subscriptions Store Service not running.
  • Subscription replication or synchronization problems.

[Diagram: the expected flow versus the failure case, where the Subscription Store cannot be reached.]

Key Notes:
• To address some of the most common subscription-related issues, start by restarting the Citrix Subscriptions Store service.

Additional Resources:
• Citrix Store Front 3.0 Unable to save favorites in Store Front: https://support.citrix.com/article/CTX222649
• Troubleshoot StoreFront: https://docs.citrix.com/en-us/storefront/current-release/troubleshoot.html



• Store Front 3.12 | Automatic Subscription store synchronization between two servers:
https://support.citrix.com/article/CTX236466
• Subscription Synchronization Does Not Work Among Multiple StoreFront Clusters:
https://support.citrix.com/article/CTX206153
• What Subscriptions and Server Groups Mean for StoreFront Designs: https://www.citrix.com/blogs/2014/10/10/what-
subscriptions-and-server-groups-mean-for-storefront-designs/
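The following is an added example, not part of the course material, that serves both the Credential Wallet notes earlier in this lesson and the Subscription Store notes above: it checks the two StoreFront services behind explicit authentication and Favorites, confirms they are configured for Automatic (Delayed Start) as the Credential Wallet notes recommend, restarts any that are not running, and pulls recent StoreFront errors from the event log. The Windows service names (CitrixCredentialWallet, CitrixSubscriptionsStore) and the 'Citrix Delivery Services' event log name are assumptions based on a StoreFront 1912 installation; confirm them with Get-Service -DisplayName 'Citrix*' and Get-WinEvent -ListLog 'Citrix*' before use. Run it on each StoreFront server in the server group as a local administrator.

```powershell
# Added example: StoreFront service and event log check for authentication/Favorites issues.
# Assumption: service names below match the StoreFront 1912 install.
$services = [ordered]@{
    'CitrixCredentialWallet'   = 'Citrix Credential Wallet'      # explicit auth password cache
    'CitrixSubscriptionsStore' = 'Citrix Subscriptions Store'    # Favorites / subscriptions
}

function Test-DelayedAutoStart([string] $Name) {
    # Get-Service cannot tell "Automatic" from "Automatic (Delayed Start)"; the flag is a
    # registry value under the service key (DelayedAutostart = 1).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $v = Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DelayedAutostart -eq 1)
}

foreach ($name in $services.Keys) {
    $display = $services[$name]
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$display ($name) is not installed on this server"; continue }

    [pscustomobject]@{
        Service      = $display
        Status       = $svc.Status
        StartType    = $svc.StartType
        DelayedStart = Test-DelayedAutoStart $name
    }

    if ($svc.StartType -ne 'Automatic' -or -not (Test-DelayedAutoStart $name)) {
        Write-Warning "$display should be Automatic (Delayed Start); it is $($svc.StartType)"
    }

    # A stopped or hung Credential Wallet shows up to users as repeated password prompts
    # or failed logons; a stopped Subscriptions Store shows up as Favorites that cannot be saved.
    if ($svc.Status -ne 'Running') {
        Write-Warning "$display is $($svc.Status); restarting it"
        Restart-Service -Name $name -Force
    }
}

# Errors (Level 2) and warnings (Level 3) logged by StoreFront in the last hour.
# Assumption: StoreFront writes to the 'Citrix Delivery Services' log.
$filter = @{ LogName = 'Citrix Delivery Services'; Level = 2, 3; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List
```

Run the script on every server in the StoreFront server group rather than on one: the Credential Wallet cache is per server, so a user whose requests are load balanced to a server with a stopped service sees intermittent prompts that a check on a single healthy server will never reproduce.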



Lesson Review

What are the most common enumeration problems?

• Problems with one or more of the XML brokers in a Site.
• Authentication failures for end user(s).
• Published desktops or applications not properly configured for end user(s).



Citrix ADC/Gateway
Workflow and Troubleshooting Overview



Troubleshooting Citrix ADC/Gateway

• Problems accessing published resources through Citrix ADC/Gateway could be due to several reasons:
  • Authentication
  • Enumeration
  • Application launching
• It is recommended to always test Direct Access mode through StoreFront, in order to isolate the issue to the Gateway component.


Additional Resources:
• World-class support and services for Citrix Gateway: https://www.citrix.com/products/citrix-gateway/support.html
• Citrix Gateway: https://docs.citrix.com/en-us/citrix-gateway.html



Complete Connections and Communication
Citrix ADC/Gateway Authentication

[Diagram: New York City (NYC) is Infrastructure Zone 1 (Primary), containing Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, the SQL Site DB and resources (Desktops, Apps). San Francisco (SFO) is Zone 2 (Satellite) and Miami (MIA) is Zone 3 (Satellite); each has Citrix Gateway, StoreFront, a Delivery Controller and resources (Desktops, Apps). The end user device reaches Citrix Gateway in NYC; steps (1) to (4) are described in the Key Notes.]

Key Notes:
• External Process (Citrix Gateway) (Purple Steps)
• (1) The end user device accesses the Citrix Gateway authentication page via the remote access URL.
  • Ensure the URL is externally accessible and not blocked by a firewall.
  • Certificates on Citrix Gateway should be valid and up to date.
• (2) The user enters authentication credentials.
  • A common error in the authentication phase is the user mistyping or misremembering credentials. Level 1 support should be trained to
verify that credentials are valid as an initial troubleshooting step.
  • Consider implementing the Self-Service Password Reset feature to enable end users to reset their own AD
passwords without opening a support ticket.
• (3) Citrix ADC authenticates the user via LDAP(S) to the Domain Controller.
  • If using LDAPS, ensure the appropriate certificate is in place on the Citrix ADC(s), and that the ADC is configured to validate the
Domain Controller's certificate; otherwise the LDAPS session is encrypted but not authenticated.
  • An authentication server and authentication policy must be configured and applied to the Citrix Gateway virtual
server.
• (4) The Domain Controller validates the credentials.
  • Consider implementing a virtual IP (VIP) in order to load balance multiple LDAP servers and provide
redundancy.

Additional Resources:
• StoreFront 1912 Enable users to change their passwords: http://docs.citrix.com/en-us/storefront/1912-ltsr/configure-
authentication-and-delegation/configure-authentication-service.html
• How to Configure LDAP Authentication on Citrix ADC or Citrix Gateway: https://support.citrix.com/article/CTX108876
• StoreFront 1912 XML Service-Based authentication: http://docs.citrix.com/en-us/storefront/1912-ltsr/configure-
authentication-and-delegation/xml-authentication.html



Complete Connections and Communication
StoreFront Authentication

[Diagram: the same three-zone layout (NYC as Infrastructure Zone 1 (Primary) with Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, SQL Site DB and resources; SFO as Zone 2 (Satellite) and MIA as Zone 3 (Satellite), each with Citrix Gateway, StoreFront, a Delivery Controller and resources). The end user device reaches StoreFront in NYC directly; steps (1) to (4) are described in the Key Notes.]

Key Notes:
• Internal Process (StoreFront Direct) (Green Steps)
• (1) The end user device accesses the StoreFront authentication page via the internal URL.
  • The URL must be accessible to any users expected to access it directly. Making this URL available to external users presents a
security risk because you are allowing external traffic to communicate directly with a Windows machine, which is more
vulnerable to malicious attacks (compared to a hardened network appliance like a Citrix ADC).
  • Ideally, HTTPS would be used for the communication with StoreFront, which requires up-to-date certificates to be in place.
• (2) The user enters authentication credentials.
  • A common error in the authentication phase is the user mistyping or misremembering credentials. Level 1 support should
be trained to verify that credentials are valid as an initial troubleshooting step.
  • Consider implementing the Self-Service Password Reset feature to enable end users to reset their own AD
passwords without opening a support ticket.
• (3) StoreFront submits the credentials to a Domain Controller for validation.
  • Ensure the appropriate authentication methods are selected for the Store. For more complex methods such as
Smart Card, Domain pass-through, or SAML authentication, additional configuration will be required.
• (4) The Domain Controller validates the credentials.

Additional Resources:
• StoreFront 1912 Enable users to change their passwords: http://docs.citrix.com/en-us/storefront/1912-ltsr/configure-
authentication-and-delegation/configure-authentication-service.html
• How to Configure LDAP Authentication on Citrix ADC or Citrix Gateway: https://support.citrix.com/article/CTX108876
• StoreFront 1912 XML Service-Based authentication: http://docs.citrix.com/en-us/storefront/1912-ltsr/configure-
authentication-and-delegation/xml-authentication.html



Complete Connections and Communication
XML Service Based Authentication

[Diagram: the same three-zone layout (NYC as Infrastructure Zone 1 (Primary) with Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, SQL Site DB and resources; SFO as Zone 2 (Satellite) and MIA as Zone 3 (Satellite), each with Citrix Gateway, StoreFront, a Delivery Controller and resources). The end user device reaches StoreFront in NYC directly, and StoreFront forwards the credentials to the Delivery Controller rather than to Active Directory; steps (1) to (5) are described in the Key Notes.]

Key Notes:
• Internal Process (XML Service-Based) (Yellow Steps)
• (1) The end user device accesses the StoreFront authentication page via the internal URL.
• The URL must be accessible to any users expected to access it directly. Making this URL available to external users presents a
security risk because you are allowing external traffic to communicate directly with a Windows machine, which is more
vulnerable to malicious attacks (compared to a hardened network appliance like a Citrix ADC).
• Ideally, HTTPS would be used for the communication with StoreFront, which requires up-to-date certificates to be in place.



• (2) User enters authentication credentials.
• Common error in authentication phase is user mis-typing or mis-remembering credentials. Level 1 support should
be trained to verify that credentials are valid as an initial troubleshooting step.
• Consider implementing the Self-Service Password Reset feature to enable end users to reset their own AD
passwords without opening a support ticket.
• (3) StoreFront submits credentials to the XML port of a Delivery Controller.
• For this to occur, the “Validate passwords via” setting for the Store (Manage Authentication Methods > User name and
password > Password Validation) must be set to “Delivery Controllers.”
• (4) The Delivery Controller submits the credentials to a Domain Controller.
• Ensure that communications between the Delivery Controllers and AD Domain Controllers are allowed in the
firewalls of your environment.
• (5) The Domain Controller validates the credentials.

Additional Resources:
• StoreFront 1912 Enable users to change their passwords: http://docs.citrix.com/en-us/storefront/1912-ltsr/configure-
authentication-and-delegation/configure-authentication-service.html
• How to Configure LDAP Authentication on Citrix ADC or Citrix Gateway: https://support.citrix.com/article/CTX108876
• StoreFront 1912 XML Service-Based authentication: http://docs.citrix.com/en-us/storefront/1912-ltsr/configure-
authentication-and-delegation/xml-authentication.html



Lesson Review

To narrow down a resource enumeration issue via Citrix Gateway, which component should we remove from the process to
help troubleshoot it further?

Citrix Gateway. Test the Store directly through the StoreFront URL; if enumeration works there, the problem lies in the
Gateway or its session configuration.


Citrix ADC/Gateway
Troubleshooting Access and Authentication


Login Page Not Accessible
Citrix Gateway Error: 403 - Forbidden: Access is Denied

• Authentication to the Citrix Gateway via StoreFront can receive a 403 error for several reasons.
• The issue can occur post-authentication as well.

Common causes:
• The intermediate and root certificates in the Citrix Gateway console, under Traffic Management > SSL, are not linked
properly.
• The Citrix Gateway session policy settings for the Store URL and Name are not spelled correctly.
• The StoreFront address in the Citrix Gateway Session Profile does not match the site address in StoreFront.
• The callback address is not set to HTTPS.
• There is no DNS host entry on StoreFront pointing to the Citrix Gateway virtual server.
• The Root CA is an internal CA and its certificate is not added to both StoreFront and the Citrix Gateway, so there is no
trust between them.

Key Notes:
• When the issue happens post-authentication, there is a certificate trust issue. Rebuild the trust between the StoreFront
server and the Citrix Gateway (the root CA certificate must be trusted on both sides).

Additional Resources:
• Error: "403 - Forbidden: Access is Denied" After Log on to Citrix Gateway: https://support.citrix.com/article/CTX206900
• How to Configure Citrix Gateway with StoreFront and App Controller: https://support.citrix.com/article/CTX139319



• Error: 403 forbidden | Post authentication when accessing through Citrix Gateway:
https://support.citrix.com/article/CTX208697



Unable to Authenticate through Citrix Gateway
Two-factor authentication fails with the error "user credentials are invalid" when logging on to the Citrix Gateway.

Problem Cause:
• The aaad.debug log displays an attempt to authenticate with the RADIUS server; the user trying to log on is, however,
rejected.
• Problem: the RADIUS server is rejecting the data being sent from the Citrix Gateway.

Troubleshooting Authentication:
• Authentication processing in Citrix Gateway is handled by the Authentication, Authorization, and Auditing (AAA) daemon.
• The raw event output from the audit daemon can be reviewed in the aaad.debug module.
• aaad.debug is a "pipe" as opposed to a flat file; it does not store results or log them to disk.
• The cat command can be used to view this output (cat /tmp/aaad.debug from the appliance shell).

Key Notes:
• If the aaad.debug log displays an attempt to authenticate with the RADIUS server and the user trying to log on is rejected
(process_rad_reject, RADIUS attribute 18), then process RADIUS sends a reject (send_reject_with_code, "Rejecting with error
code 4001").
• This rejection occurs because the RADIUS server is rejecting the data being sent from the Citrix Gateway.
• This can be reviewed and corrected by:
1. Verifying this through an nstrace captured from the Citrix Gateway.
2. Reviewing the nstcpdump output.
3. After ensuring that the Citrix Gateway is sending out the traffic correctly and its settings are correct, examining why
the RADIUS server is rejecting connections from the Citrix Gateway.
4. Checking that the RADIUS client is added for the NSIP of the Citrix Gateway and that the shared secret configured on
the Citrix Gateway matches the one on the back-end RADIUS server; one of these two is usually the cause.
• Troubleshooting Authentication Issues Through Citrix Gateway:
• Authentication processing in Citrix Gateway is handled by the Authentication, Authorization, and Auditing (AAA)
daemon. The raw event output from the audit daemon can be reviewed in the aaad.debug module.
• This process is useful for troubleshooting authentication issues such as:
• General authentication errors
• Username/password failures
• Authentication policy configuration errors
• Group extraction discrepancies

Additional Resources:
• Two Factor Authentication Fails on Citrix Gateway: https://support.citrix.com/article/CTX200402
• Troubleshooting Authentication Issues Through Citrix Gateway with aaad.debug Module:
https://support.citrix.com/article/CTX114999



Error Message Appears after Authenticating
"Cannot Complete Your Request" as a result of LDAP Authentication Misconfiguration on Citrix Gateway.

• This error can occur when there is a misconfiguration in the Authentication policy on the Citrix Gateway, or possibly an
issue with Load Balancing, if multiple LDAP servers are used.
• A policy misconfiguration results in communication failure between the Citrix Gateway and the LDAP server.

Diagram: End Users connect to the Citrix Gateway, which authenticates against the Active Directory LDAP server and then
forwards the user to StoreFront.
Key Notes:
• If this issue occurs, the following steps can be used to troubleshoot it:
• Test LDAP reachability and validate end-to-end LDAP authentication, to verify the cause of the issue.
• From within the StoreFront MMC, go to Citrix Gateway > select the gateway you are configuring > Change General
Settings, and confirm the Logon Type is set to Domain if using LDAP authentication on the Citrix Gateway.
• On the Citrix Gateway virtual server, go to Authentication > LDAP Policy > Edit Server and confirm the LDAP server
settings (server address, port, base DN and bind credentials) are correct, then check the session policy:
1. Session Policy bound to the Citrix Gateway VIP > Edit Profile > Client Experience > Single Sign-on to Web Applications:
confirm that it is checked.
2. Published Applications tab > Single Sign-on Domain: confirm the correct domain is specified.
• If you received this error during an implementation of ADFS, Azure AD and FAS, consider that SAML authentication does
not use a password; only the user name is available for single sign-on.
• Firewall failures or misconfigurations located between the Citrix Gateway and the LDAP servers on the internal domain
can also trigger LDAP authentication issues.

Additional Resources:
• Error: "Cannot Complete Your Request" Due to Authentication Misconfiguration on Citrix Gateway:
https://support.citrix.com/article/CTX235888
• Common Resolutions to “Cannot Complete Your Request” Error: https://support.citrix.com/article/CTX207162
• How to Configure LDAP Authentication on Citrix Gateway: https://support.citrix.com/article/CTX108876



Troubleshooting Authentication:
Citrix Gateway, StoreFront, and XML Service Based

Common Misconfigurations:
• User error: mistyping or forgetting credentials
• Client-side network connectivity issue
• Un-started or hung Credential Wallet service on StoreFront server(s)
• Citrix Gateway LDAP authentication settings misconfigured
• Firewall or monitor issues causing Citrix ADC load balancing of the StoreFront servers to fail

Tools to Support and Troubleshoot:
• Windows Event Logs: Citrix Delivery Services
• PowerShell
• Wireshark
• Citrix Application Delivery Management (for external access scenarios using Citrix Gateway)
• aaad.debug module (on Citrix ADC)
• StoreFront console

Key Notes:
• Other potential causes for authentication issues:
• In multi-factor authentication scenarios, communication issues with the RADIUS server due to firewalls or misconfiguration
on the Citrix ADC or the RADIUS server.
• Active Directory could be experiencing issues that cause it to be unresponsive to authentication requests.
• DNS issue preventing Citrix ADC GSLB from functioning (if GSLB is configured).
• Citrix Workspace app experiencing issues due to a faulty upgrade.
• The Citrix Delivery Services view within the Windows Event Logs on the StoreFront server is extremely helpful for
troubleshooting common application launch issues.
• Windows PowerShell commands can be run on the StoreFront servers to verify that the Citrix services are running and
functioning as expected. It can also restart Services as needed if they are unresponsive.
• Wireshark is a free and open source packet analyzer that can be used to capture network data for analysis. It is helpful
for pinpointing where a communication process fails.
• Citrix Application Delivery Management is a centralized console to manage and monitor Citrix application networking
products, including Citrix ADC MPX, VPX, SDX and CPX, Citrix Gateway, and Citrix SD-WAN. It is especially helpful in larger
deployments for quickly verifying and configuring Citrix ADC settings across multiple appliances.
• Authentication processing in Citrix Gateway is handled by the Authentication, Authorization, and Auditing (AAA)
daemon. The raw authentication events that AAA daemon processes can be monitored by viewing the output of the
aaad.debug module and serves as a valuable troubleshooting tool.
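The StoreFront-side checks listed above (Citrix services running, the Credential Wallet not hung, the Citrix Delivery Services event log, and the XML-service connectivity from StoreFront to the Delivery Controllers described earlier in this module) can be scripted. The following is an added example for this course page; it is not Citrix code and not part of the StoreFront SDK. It assumes the StoreFront SDK is loaded through the ImportModules.ps1 script shipped with StoreFront, that Get-STFStoreFarm returns Servers, Port and TransportType properties for each Delivery Controller group, and that the Credential Wallet service can be found by its display name.

```powershell
# Added example, not Citrix code. Run in an elevated PowerShell session on a StoreFront server.
# Loads the StoreFront SDK from the default install path (adjust if StoreFront is installed elsewhere).
& "$env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

function Get-SFServiceState {
    # Lists every Citrix service on this StoreFront server with its state. The Credential Wallet is
    # flagged because a hung instance breaks authentication even though the Store still answers.
    param([switch]$RestartCredentialWallet)   # restart the wallet only when it is unresponsive
    foreach ($svc in Get-Service -DisplayName 'Citrix*') {
        $isWallet = $svc.DisplayName -like '*Credential Wallet*'
        if ($isWallet -and $RestartCredentialWallet) {
            Restart-Service -Name $svc.Name -Force -ErrorAction Continue
            $svc.Refresh()
        }
        [pscustomobject]@{ Service = $svc.DisplayName; Status = $svc.Status; CredentialWallet = $isWallet }
    }
}

function Test-SFControllerXmlPorts {
    # For each Delivery Controller configured on each Store, checks that the XML port StoreFront uses
    # (80 for HTTP, 443 for HTTPS, or the custom port, which must match on the Controller) accepts a TCP connection.
    foreach ($store in Get-STFStoreService) {
        foreach ($farm in Get-STFStoreFarm -StoreService $store) {
            foreach ($server in $farm.Servers) {
                $tcp = Test-NetConnection -ComputerName $server -Port $farm.Port -WarningAction SilentlyContinue
                [pscustomobject]@{
                    Store      = $store.VirtualPath
                    Farm       = $farm.FarmName
                    Controller = $server
                    Transport  = $farm.TransportType
                    Port       = $farm.Port
                    Reachable  = $tcp.TcpTestSucceeded
                }
            }
        }
    }
}

function Get-SFRecentEvents {
    # Errors (level 2) and warnings (level 3) from the Citrix Delivery Services log, the first place to look
    # for authentication and enumeration failures on the StoreFront side.
    param([int]$Hours = 1, [int]$MaxEvents = 50)
    $filter = @{ LogName = 'Citrix Delivery Services'; Level = 2, 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: anything not Running, any Controller whose XML port is closed, then the last two hours of events.
Get-SFServiceState | Where-Object { $_.Status -ne 'Running' } | Format-Table -AutoSize
Test-SFControllerXmlPorts | Where-Object { -not $_.Reachable } | Format-Table -AutoSize
Get-SFRecentEvents -Hours 2 | Format-Table -AutoSize
```

A closed XML port reported by Test-SFControllerXmlPorts points at a firewall or at a port mismatch between the StoreFront store and the Delivery Controller; an open port with errors in the event log points at the XML service or the authentication configuration instead.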

Additional Resources:
• Troubleshooting Methodology for Citrix ADC, StoreFront with Virtual Apps and Desktops:
https://support.citrix.com/article/CTX140153
• Troubleshoot StoreFront: http://docs.citrix.com/en-us/storefront/1912-ltsr/troubleshoot.html
• StoreFront SDK (i.e. PowerShell command functionality): http://docs.citrix.com/en-us/storefront/1912-ltsr/sdk-
overview.html
• Wireshark webpage: https://www.wireshark.org/
• Overview (Citrix Application Delivery Management 11.1): https://docs.citrix.com/en-us/citrix-application-delivery-
management-software/13.html
• How to Troubleshoot Authentication Issues Through Citrix ADC or Citrix Gateway with aaad.debug Module:
https://support.citrix.com/article/CTX114999



Lesson Review

Where can Citrix Administrators review the Citrix Gateway authentication (AAA) audit daemon raw event output?

The aaad.debug module


Citrix ADC/Gateway
Troubleshooting App/Desktop Launch


App/Desktop Launch Issues through Citrix ADC/Gateway

App/Desktop launch issues, through the Citrix ADC/Gateway, can occur due to a number
of reasons. The following can be checked and verified, if these issues occur:
• Latest version of Citrix Workspace is being used by end-users.
• Available User Licenses are all used up.
• A Citrix Gateway License Type Mismatch is present.
• Certificate is not Linked on the Citrix Gateway.
• Gateway does not have a Secure Ticket Authority (STA) specified.
• FQDN of the Secure Ticket Authority is Not Resolvable.


Key Notes:
• These issues can be isolated by testing a connection directly via the StoreFront URL: if published applications or desktops
launch without issue that way, the problem only occurs via the Citrix Gateway and lies in the Gateway, STA or firewall path.

Additional Resources:
• Error: "Unable to launch your application." When Launching Published Applications or Desktops Through Citrix Gateway:
https://support.citrix.com/article/CTX134940



App/Desktop Launch Issues through Citrix ADC/Gateway

App/Desktop launch issues, through the Citrix ADC/Gateway, can occur due to a number
of reasons. The following can be checked and verified, if these issues occur:
• STA configured on Citrix Gateway Returns an STA ID.
• STA Servers on Citrix Gateway Virtual Server do not match the StoreFront Servers.
• Usage or Role on the StoreFront Server is Set to Authentication and HDX Routing.
• Communication on port 1494/2598 from the Subnet IP/Mapped IP to the Citrix Virtual
Apps and Desktops Servers has issues.



Lesson Review

The STA address on the Gateway is https://sta-server.company.com/Scripts/CtxSta.dll and the STA address on StoreFront is
https://staserver1.company.com/Scripts/CtxSta.dll. Will the app launch work?

No. The STA address on the Gateway and on the StoreFront server must be exactly the same.
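The 403 causes listed in the access and authentication lesson (callback address not HTTPS, no certificate trust between StoreFront and the Gateway) and the STA checks on this page can be verified from the StoreFront server with the following added example. It is not part of the course material or of any Citrix SDK. It assumes the StoreFront SDK is loaded via ImportModules.ps1, that Get-STFRoamingGateway exposes CallbackUrl and SecureTicketAuthorityUrls properties, and that the STA list bound to the Gateway virtual server is supplied by the administrator (for example copied from the output of show vpn vserver on the appliance); the gateway name and STA URLs in the usage line are placeholders.

```powershell
# Added example, not Citrix code. Run on a StoreFront server after the SDK is loaded.
& "$env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

function Get-NormalizedStaUrl {
    param([string]$Url)
    # Scheme and host are case-insensitive; port, path and file name are not. Anything that still
    # differs after this normalisation is a different STA as far as Gateway and StoreFront are concerned.
    $u = [Uri]$Url
    '{0}://{1}:{2}{3}' -f $u.Scheme.ToLowerInvariant(), $u.Host.ToLowerInvariant(), $u.Port, $u.AbsolutePath.TrimEnd('/')
}

function Test-SFGatewayDefinition {
    param(
        [Parameter(Mandatory)][string]$GatewayName,       # name of the gateway object in StoreFront
        [Parameter(Mandatory)][string[]]$GatewayStaUrls   # STA servers bound to the Gateway virtual server
    )
    $gw = Get-STFRoamingGateway -Name $GatewayName
    if (-not $gw) { throw "StoreFront has no gateway named '$GatewayName'" }
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The callback URL must be HTTPS and its certificate chain must be trusted by this server. An
    #    untrusted chain is the usual cause of a 403 after authentication succeeded on the Gateway.
    if ($gw.CallbackUrl) {
        if (([Uri]$gw.CallbackUrl).Scheme -ne 'https') { $findings.Add("Callback URL is not HTTPS: $($gw.CallbackUrl)") }
        try { Invoke-WebRequest -Uri $gw.CallbackUrl -UseBasicParsing -ErrorAction Stop | Out-Null }
        catch {
            # An HTTP status in the response means DNS and TLS trust worked; only a transport failure is a finding.
            if (-not $_.Exception.Response) {
                $findings.Add("Callback URL unreachable from StoreFront (check the DNS host entry and root CA trust): $($_.Exception.Message)")
            }
        }
    } else {
        $findings.Add('No callback URL is configured on this gateway, so there is no callback trust to test')
    }

    # 2. The STA lists must match exactly after normalisation.
    $sfSta = @($gw.SecureTicketAuthorityUrls | ForEach-Object { Get-NormalizedStaUrl $_ })
    $gwSta = @($GatewayStaUrls | ForEach-Object { Get-NormalizedStaUrl $_ })
    foreach ($s in $sfSta) { if ($gwSta -notcontains $s) { $findings.Add("STA on StoreFront only: $s") } }
    foreach ($s in $gwSta) { if ($sfSta -notcontains $s) { $findings.Add("STA on Gateway only: $s") } }

    # 3. Every STA host must resolve from here; an unresolvable STA FQDN fails the launch.
    foreach ($url in ($sfSta + $gwSta | Sort-Object -Unique)) {
        $staHost = ([Uri]$url).Host
        if (-not (Resolve-DnsName -Name $staHost -ErrorAction SilentlyContinue)) {
            $findings.Add("STA host does not resolve in DNS: $staHost")
        }
    }
    if ($findings.Count -eq 0) { 'OK: callback and STA configuration are consistent' } else { $findings }
}

# Usage with the lesson-review values (placeholders): reports the STA mismatch between the two sides.
Test-SFGatewayDefinition -GatewayName 'Corp Gateway' -GatewayStaUrls 'https://sta-server.company.com/Scripts/CtxSta.dll'
```

Normalising only scheme and host is deliberate: a different port, path or file name (Scripts/CtxSta.dll) is a real mismatch, which is exactly the case in the lesson review above.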


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 08

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to
start the lab exercise.


Lab Exercise

• Exercise 8-1: Change Delivery Controller settings on StoreFront to resolve Failed Enumeration
• Exercise 8-2: Troubleshoot Failed Authentication Issues Using PowerShell on StoreFront
• Exercise 8-3: Export and Restore the Subscription Store Database on StoreFront
• Exercise 8-4: Investigating XML Service Communications Issues Between StoreFront and Delivery Controller
• Exercise 8-5: Manually Rewrite Subscription Store on StoreFront using PowerShell


Key Takeaways

• Credential Wallet allows multiple authentication requests without prompting for username and password.
• There are a number of common issues that can cause enumeration issues within StoreFront.
• Testing Direct Access mode through StoreFront is a strong first step towards isolating an issue within the Citrix Gateway.
• The aaad.debug module can be used to review authentication issues with the Citrix Gateway.
• There are a number of issues to verify when there are application launch issues through the Citrix Gateway.


Citrix Virtual Apps and Desktops 7
Advanced Deployment, Troubleshooting, Security and Administration
Troubleshoot Delivery Controller Issues

Module 9


Learning Objectives

• Describe the role of each of the FlexCast Management Architecture (FMA) services and how to validate them using
PowerShell.
• Describe HDX session enumeration workflow and identify common failure causes.


Validating FlexCast Management Architecture (FMA) Services


Learning Objectives

• Describe the role of each of the FlexCast Management Architecture (FMA) services.
• Demonstrate how to validate FlexCast Management Architecture (FMA) services health using PowerShell.
• Describe HDX session enumeration workflow.
• Identify common HDX session enumeration failure causes.


FMA Services
The FMA Services collectively create the functionality of Citrix Virtual Apps and Desktops.

Diagram: the layers of the architecture (User Layer: internal and external users; Access Layer: firewall, Citrix ADC
Gateway, StoreFront; Control Layer: Delivery Controller with the FMA Services, Domain Controller, Database, License Server;
Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS and Remote PC; Hardware Layer: network, storage,
processor, memory, graphics, hypervisor). Within the Delivery Controller the FMA Services are grouped as Core Services
(Central Configuration Service, Delegated Administration Service, Configuration Logging Service), Apps and Desktops
Services (AD Identity Service, Machine Creation Service, Host Service, Broker Service) and Supporting Services (Analytics
Service, StoreFront Service, Monitoring Service, Citrix Trust Service, Citrix Orchestration Service, App Library Service,
Environmental Test Service).

• Each FMA Service communicates with the others, but functions independently.
• Collectively, the FMA Services provide management functionality for Studio, Director, and PowerShell.

Key Notes:
• The FMA Services form a Service Oriented Architecture (SOA), which allows Citrix engineers to easily add new services when
needed. This SOA also makes troubleshooting easier, because each service has its own CDF trace providers.
• The FMA Services diagram shows three groups of FMA Services:
• Core Services
• These services are involved in almost all operations.
• The Citrix Configuration Service acts as a centralized directory service for all other services.



• The Delegated Administration Service is used to make the final decision on whether the current user is allowed to
perform a requested operation.
• The Configuration Logging Service is used to record all administrative changes.
• Apps and Desktops Services
• These services are used during provisioning processes.
• The AD Identity Service is used to create and manage all catalog machine accounts.
• The Machine Creation Service is used to process the MCS Provisioned created virtual catalog machines.
• The Host Service is used to manage all Resource Connections between the Citrix Virtual Apps and Desktops Site
and the Hypervisor Hosts / Resource Pools and perform power management actions.
• The Broker Service is used for a lot of actions including, brokering user connections to sessions, validating STA
tickets and communicating with the deployed Virtual Delivery Agents (VDA).
• Supporting Services
• These services are used to support additional functionality of the Citrix Virtual Apps and Desktops Site.
• The Analytics Service is used to collect data from the other services for reporting.
• The StoreFront Service is used to manage the StoreFront Deployment, which allows for some StoreFront
management through the Studio.
• The Monitoring Service is used to monitor the overall FMA architecture and to produce alerts and warnings
when it finds something is potentially wrong, such as a failing service.
• The Citrix Trust Service is not currently in use. (This is why this service is greyed out on the diagram.)
• The Citrix Orchestration Service is not currently in use. (This is why this service is greyed out on the diagram.)
• The App Library Service is used to support management and provisioning of AppDisks, AppDNA integration and
App-V.
• The Environmental Test Service is used to manage tests for evaluating the state of the Citrix Virtual Apps and
Desktops infrastructure, such as when an environment test is triggered through Studio.
• These FMA Services all use Windows Communication Foundation (WCF) for inter-service communication.
• This allows each service to run independently of the others, so a failure of one service typically will not cause a
disruption in the functionality of the other services. There are exceptions to this, for example:
• If the Citrix Configuration Service fails, there is no centralized directory for the services, which causes a
communication breakdown, because no service would be able to locate another.



• If during MCS, the AD Identity service fails, then the machine accounts will not be created in Active Directory
for the catalog.



Central Configuration Service (CCS)

• Provides a global directory to all services (WCF addresses).
• Allows services to register and unregister. All services must register with CCS.
• All services hold a cache for five minutes to prevent overloading CCS with too many queries.

Diagram: the Delivery Controller's FMA Services, grouped into Core Services (Central Configuration Service, Delegated
Administration Service, Configuration Logging Service), Apps and Desktops Services (AD Identity, Machine Creation, Host,
Broker) and Supporting Services (Analytics, StoreFront, Monitoring, Citrix Trust, Citrix Orchestration, App Library,
Environmental Test), with the Central Configuration Service highlighted.
Key Notes:
• CCS acts as a global directory for FMA architecture.
• CCS knows each FMA service WCF address and is a central point of contact; which is why it’s one of the core FMA services and is
involved in any operation across services.
• CCS allows services to register and unregister. All services must register with CCS.
• You can use Get-ConfigRegisteredServiceInstance to retrieve the list of registered services.



• When one service wants to talk to another, it starts by querying the CCS for the WCF address, and CCS replies
only with services that are already registered.
• To prevent CCS from becoming a bottleneck, each service keeps a cache of the CCS directory for five minutes.
• If you ever need to refresh the cache, simply restart the Windows service itself.
• This cache is retrieved during the startup of the service.
• You can use Get-ConfigRegisteredServiceInstance to retrieve the list of registered services.
• It may be necessary to manually register a service with CCS. For example, services are registered during the installation
of the Delivery Controller with the DNS name of that Delivery Controller. If the Delivery Controller is ever renamed, the
FMA services will stop registering with CCS. In this case, the easiest solution is to unregister the existing instances
and register new instances:
• Get-ConfigRegisteredServiceInstance retrieves the list of registered services. The Address of each instance will still
show the Delivery Controller's original FQDN.
• To unregister the existing services use: Get-ConfigRegisteredServiceInstance | Unregister-ConfigRegisteredServiceInstance.
If the environment has more than one Delivery Controller, add the -ServiceAccountSid argument to
Get-ConfigRegisteredServiceInstance so that only the instances of this Delivery Controller (registered under its computer
account) are returned and unregistered.
• To retrieve the FMA service instances and re-register them use: Get-Command Get-*ServiceInstance -Module Citrix* |
ForEach-Object { . $_.Name | Register-ConfigServiceInstance }
• Now that the FMA Services are registered with the CCS, the service access permissions and configuration service
locations must be reset using: $ServiceInstance = Get-ConfigServiceInstance; Get-Command Reset-*ServiceGroupMembership |
ForEach-Object { . $_.Name -ConfigServiceInstance $ServiceInstance }
• Remember:
• All FMA services need to register their instances with the CCS.
• The CCS needs to be aware of every service that is part of the Citrix Virtual Apps and Desktops site.
• Each FMA service needs to know the address of the CCS.
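The re-registration commands above can be run as one script that first shows what is registered for this Controller and only then unregisters and re-registers. The following is an added example for this course page, not Citrix code and not part of the Citrix SDK. It assumes the Citrix PowerShell snap-ins are installed (they are on any Delivery Controller), that the session runs as a Citrix full administrator logged on from the same domain as the Controller, that Get-ConfigRegisteredServiceInstance accepts -ServiceAccountSid as a filter and returns objects with ServiceType and Address properties, and that each Controller's instances are registered under its Active Directory computer account.

```powershell
# Added example, not Citrix code. Run on the Delivery Controller whose registrations are stale
# (for example after it was renamed), from a session with Citrix full administrator rights.
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

function Get-ControllerMachineSid {
    # Each Controller registers its services under its own AD computer account (COMPUTERNAME$);
    # filtering on that SID touches only this Controller's instances in a multi-Controller Site.
    $account = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\$env:COMPUTERNAME`$")
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Reset-FmaServiceRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $sid     = Get-ControllerMachineSid
    $current = @(Get-ConfigRegisteredServiceInstance -ServiceAccountSid $sid)
    Write-Host "Registered for $env:COMPUTERNAME before reset:"
    $current | Select-Object ServiceType, Address | Format-Table -AutoSize | Out-Host

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Unregister and re-register all FMA service instances')) { return }

    # 1. Remove this Controller's stale instances only; other Controllers are left alone.
    $current | Unregister-ConfigRegisteredServiceInstance

    # 2. Ask every service for its current instance definitions and register them with CCS.
    #    Get-ConfigRegisteredServiceInstance matches the same wildcard and must be excluded, otherwise
    #    the already-registered entries would be piped back into Register-ConfigServiceInstance.
    Get-Command -Name Get-*ServiceInstance -Module Citrix* |
        Where-Object { $_.Name -ne 'Get-ConfigRegisteredServiceInstance' } |
        ForEach-Object { & $_.Name | Register-ConfigServiceInstance }

    # 3. Reset each service's group membership so access permissions and the CCS location are rebuilt.
    $configInstance = Get-ConfigServiceInstance
    Get-Command -Name Reset-*ServiceGroupMembership -Module Citrix* |
        ForEach-Object { & $_.Name -ConfigServiceInstance $configInstance }

    Write-Host "Registered for $env:COMPUTERNAME after reset:"
    Get-ConfigRegisteredServiceInstance -ServiceAccountSid $sid | Select-Object ServiceType, Address | Format-Table -AutoSize | Out-Host
}

# Usage: preview with -WhatIf (lists the current registrations and stops), then run for real.
Reset-FmaServiceRegistration -WhatIf
Reset-FmaServiceRegistration
```

After the run, every Address shown should carry the Controller's current FQDN; an entry that still shows the old name belongs to a service that failed to re-register and should be checked with its Get-<Prefix>ServiceStatus cmdlet.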



FMA Services (1 of 3)
Service Descriptions and PowerShell Validation

• Citrix Broker Service (PowerShell prefix: Broker): Brokers new session requests, handles disconnected sessions and
resource enumeration, processes STA ticket verification and user validation. Additionally, it handles all communication to
and from the VDA. Validate with: Get-BrokerServiceStatus
• Citrix Machine Creation Service (Prov): Handles the creation of new virtual machines (not physical machines).
Validate with: Get-ProvServiceStatus
• Citrix Configuration Service (Config): Handles all inter-service communication between FMA services.
Validate with: Get-ConfigServiceStatus
• Citrix AD Identity Service (Acct): Handles all Active Directory accounts related to any Citrix virtual or physical
workload. Validate with: Get-AcctServiceStatus
• Citrix Hosting Service (Hyp): Manages all connections between the Delivery Controllers and the hypervisor; supports
vSphere, Citrix Hypervisor and SCVMM. Responsible for power management. Validate with: Get-HypServiceStatus
• Citrix App Library (AppLib): Supports management and provisioning of AppDisks, AppDNA integration, and management of
App-V. Validate with: Get-AppLibServiceStatus

Key Notes:
• Use “Get-Command Get-*ServiceStatus” to see all cmdlets.
• What you do for one FMA service, you must do for all.
• All the FMA services are independent from each other.



FMA Services (2 of 3)
Service Descriptions and PowerShell Validation

• Citrix Delegated Administration Service (PowerShell prefix: Admin): Manages the creation, configuration and
administration of all delegated administrative permissions. Validate with: Get-AdminServiceStatus
• Citrix Monitoring Service (Monitor): Monitors the overall FMA architecture and produces alerts and warnings when it
finds something potentially wrong, such as a failing service. Validate with: Get-MonitorServiceStatus
• Citrix Environment Test Service (EnvTest): Manages tests for evaluating the state of the Citrix Virtual Apps and
Desktops infrastructure. Validate with: Get-EnvTestServiceStatus
• Citrix Configuration Logging Service (Log): Monitors and logs all configuration changes made within a Citrix Virtual
Apps and Desktops site, including all administrator activity. Validate with: Get-LogServiceStatus
• Citrix Analytics Service (Analytics): Collects analytical data from Citrix products. Validate with: Get-AnalyticsServiceStatus

Key Notes:
• Use “Get-Command Get-*ServiceStatus” to see all cmdlets.
• What you do for one FMA service, you must do for all.
• All the FMA services are independent from each other.



FMA Services (3 of 3)
Service Descriptions and PowerShell Validation

• Citrix StoreFront Service (PowerShell prefix: SF): Manages the StoreFront deployment. Validate with: Get-SFServiceStatus
• Citrix Orchestration Service (Orch): Not currently used (must remain enabled; do not disable).
Validate with: Get-OrchServiceStatus
• Citrix Trust Service (Trust): Not currently used (must remain enabled; do not disable). Validate with: Get-TrustServiceStatus

Key Notes:
• Use “Get-Command Get-*ServiceStatus” to see all cmdlets.
• What you do for one FMA service, you must do for all.
• All the FMA services are independent from each other.
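The Get-<Prefix>ServiceStatus cmdlets in the three tables can be driven from one script instead of being typed one at a time. The following is an added example for this course page; it is not Citrix code and not part of the Citrix SDK. It assumes the Citrix PowerShell snap-ins are installed (they are on any Delivery Controller or Studio installation), that every status cmdlet returns an object with ServiceStatus and ExtraInfo properties where 'OK' means healthy, and that Get-BrokerController exposes DNSName, State, DesktopsRegistered and LastActivityTime.

```powershell
# Added example, not Citrix code. Run on a Delivery Controller in a PowerShell session
# started by an account with Citrix administration rights.
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

function Get-FmaServiceHealth {
    # One Get-<Prefix>ServiceStatus cmdlet exists per FMA service (see the tables above). Discovering
    # them by name rather than listing them covers a service added in a later release as well.
    Get-Command -Name Get-*ServiceStatus -Module Citrix* | ForEach-Object {
        $prefix = $_.Name -replace '^Get-(\w+)ServiceStatus$', '$1'
        try {
            $status = & $_.Name
            [pscustomobject]@{
                Prefix        = $prefix
                ServiceStatus = $status.ServiceStatus
                Detail        = $status.ExtraInfo
                Healthy       = ($status.ServiceStatus -eq 'OK')
            }
        } catch {
            # The cmdlet itself failed (service stopped, CCS unreachable): report it rather than abort the sweep.
            [pscustomobject]@{ Prefix = $prefix; ServiceStatus = 'CmdletFailed'; Detail = $_.Exception.Message; Healthy = $false }
        }
    }
}

function Get-FmaWindowsServiceState {
    # The Windows service behind each FMA service; a stopped one explains a CmdletFailed row above.
    Get-Service -DisplayName 'Citrix*' | Where-Object { $_.Status -ne 'Running' } |
        Select-Object DisplayName, Status, StartType
}

function Get-ControllerHealth {
    # Broker view of every Controller in the Site. A State other than Active means that Controller is
    # not available to broker sessions, whatever its own services report locally.
    Get-BrokerController | Select-Object DNSName, State, DesktopsRegistered, LastActivityTime
}

# Usage: only what needs attention, then the Controllers.
Get-FmaServiceHealth | Where-Object { -not $_.Healthy } | Format-Table -AutoSize
Get-FmaWindowsServiceState | Format-Table -AutoSize
Get-ControllerHealth | Format-Table -AutoSize
```

Because what you do for one FMA service you must do for all, the sweep reports every service rather than stopping at the first failure; a single unhealthy row is usually a database or registration problem for that one service, while all rows failing at once points at the Configuration Service or the Site database.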



Additional Resources:
• Security considerations and best practices: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/best-
practices.html



FMA Services and PowerShell

• There are 14 FMA services.
• Each FMA Service follows a standard PowerShell structure.
• There are various commands within PowerShell that assist with reviewing and troubleshooting issues within the FMA
architecture. PowerShell provides the ability to:
• Review current site or session information.
• Investigate FMA service status and Delivery Controller health.
• Review and reset Machine Creation Services tasks.
• Test and review hypervisor host conditions.
• And more…

Following the standard Microsoft PowerShell naming convention, cmdlets are named Verb-ModuleNoun, and each module prefix is
associated with an FMA service. Some example FMA PowerShell structures:
• Citrix Broker Service (prefix Broker): Get-BrokerDesktop, Get-BrokerSite, Get-BrokerController, Get-BrokerSession
• Citrix Machine Creation Service (prefix Prov): Get-ProvServiceStatus, Reset-ProvServiceGroupMembership,
Reset-ProvEnabledFeatureList
• Host Service (prefix Hyp): Test-HypDBConnection, Get-HypServiceStatus, Get-HypVMMacAddress

Key Notes:
• The SDK with the current release of Virtual Apps and Desktops comprises several PowerShell snap-ins that are installed automatically
when you install a Delivery Controller or Studio.
• You must run the shell or script using an identity that has Citrix administration rights.
• Citrix Virtual Apps and Desktops, and earlier Citrix Virtual Desktops 7 version snap-ins are version 2.



Additional Resources:
• Citrix Virtual Apps and Desktops SDKs and APIs : https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-
ltsr/sdk-api.html
• Citrix Virtual Apps and Desktops : Basic PowerShell Cmdlets for Delivery Controller's Health Check:
https://support.citrix.com/article/CTX238581
• Getting started with the SDK: https://developer-docs.citrix.com/projects/delivery-controller-sdk/en/latest/getting-
started/



SQL Connections

Diagram: each FMA service (Citrix Trust, Citrix Orchestration, Analytics, AD Identity, Broker, Configuration, Delegated
Administration, Environmental Test, Host, Machine Creation, StoreFront, App Library, Monitoring, Configuration Logging)
holds its own connection to the Site Database; the Monitoring Service additionally connects to the Monitoring Database
and the Configuration Logging Service to the Configuration Logging Database.

Each of the Citrix services establishes its own direct connection to the site database. Additionally, some services, such
as Configuration Logging, have an additional separate connection to a secondary database.

Key Notes:
• Each service has a separate connection to a database.
• Citrix Virtual Apps and Desktops Site supports Microsoft SQL databases.
• FMA services leverage the Delivery Controller’s machine account to authenticate to SQL.
• Data for the Site from the FMA services is stored in the Site databases – this is why a SQL server is required.
• Leveraging the Delivery Controller's computer AD account for authentication to SQL enhances security by preventing a
service account password from being stored and by having the machine password change every 30 days.
• The Site Database contains configuration information for the running of the system.
• Remember what you have to do for one service, you have to do for all of them.
• For example, if you change the address or configuration of SQL server, you need to update that information for all
services. Or, if you generate a SQL script or add a new controller, you will have to generate it for each and every
service.
• Remember, as learned during the CXD-210 course, Citrix Leading Practice recommends using three separate
databases.
• High levels of transactions per second occur during logon, as each user logon requires multiple individual transactions
to be carried out, and scale based on the concurrent launch rate.
• Peak size is reached after 48 hours, as the database stores very little persistent information.
• FMA stands for the FlexCast Management Architecture, which is the architecture used in Citrix Virtual Apps and
Desktops 7.
• During the Controller installation, if you choose to have the default SQL Server Express database installed, some
information is already pre-populated in the wizard. If you use a SQL server that is installed on a different machine,
enter the database and server names when prompted.
• The connection string can be retrieved using PowerShell.
• It is also stored in the registry: HKLM\Software\Citrix\XDServices\<Service>\Data Store\Connections.
• When changing a DB connection, you have to reset it to $Null first (for example “Set-BrokerDBConnection -DBConnection $Null”). This is by design, to prevent accidental changes to the database configuration. After resetting the connection to an empty state, you can define a new server.
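As an added example (not from the course and not part of the Citrix SDK), the following PowerShell reads every service's connection string with its Get-<Prefix>DBConnection cmdlet, checks that all services point at the same SQL server with integrated security, and shows the reset-then-set sequence for one service; the list of service prefixes, the parsing of the string and the placeholder server names are my assumptions.

```powershell
# Added example (not from the Citrix course or SDK): compare the data store
# connection string of every FMA service on this Delivery Controller.
# Assumptions: run elevated on a Controller with the Citrix PowerShell snap-ins
# installed; the prefixes below are the ones I know to expose a
# Get-<Prefix>DBConnection cmdlet (Acct = Machine Creation, Hyp = Host, Sf = StoreFront).
# The Logging and Monitor services also hold a secondary data store
# (Get-LogDataStore / Get-MonitorDataStore), which is not checked here.
Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue

$servicePrefixes = 'Acct','Admin','Analytics','AppLib','Broker','Config',
                   'EnvTest','Hyp','Log','Monitor','Orch','Sf','Trust'

function Get-FmaSiteConnections {
    param([string[]]$Prefixes = $servicePrefixes)
    foreach ($p in $Prefixes) {
        $cmd  = "Get-${p}DBConnection"
        $conn = $null
        $err  = $null
        try   { $conn = & $cmd -ErrorAction Stop }
        catch { $err = $_.Exception.Message }

        # Parse "Server=...;Initial Catalog=...;Integrated Security=True" without
        # echoing any credential that a non-integrated string might carry.
        $server = $db = $null
        if ($conn) {
            foreach ($kv in ($conn -split ';')) {
                $k, $v = $kv -split '=', 2
                $v = "$v".Trim()
                switch -Regex ($k.Trim()) {
                    '^(Server|Data Source)$'       { $server = $v }
                    '^(Initial Catalog|Database)$' { $db     = $v }
                }
            }
        }
        [pscustomobject]@{
            Service            = $p
            Server             = $server
            Database           = $db
            IntegratedSecurity = [bool]($conn -match 'Integrated Security\s*=\s*(True|SSPI)')
            Error              = $err
        }
    }
}

$results = Get-FmaSiteConnections
$results | Format-Table -AutoSize

# Every service should point at the same server; anything else is the
# "do it for all services" problem described in the notes, or a failed cmdlet.
$distinct = $results | Where-Object Server | Select-Object -ExpandProperty Server -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning "Services disagree on the SQL server: $($distinct -join ', ')"
}
$results | Where-Object { $_.Server -and -not $_.IntegratedSecurity } | ForEach-Object {
    Write-Warning "$($_.Service): connection string is not using Windows integrated security"
}

# Re-pointing one service: clear the connection first (required by design), then set it.
# <NEW-SQL-SERVER>\<INSTANCE> and <SITE-DB> are placeholders; repeat the pair of
# calls for every service prefix, each with its own cmdlet and database name.
$newConnection = 'Server=<NEW-SQL-SERVER>\<INSTANCE>;Initial Catalog=<SITE-DB>;Integrated Security=True'
if ($false) {   # change to $true only once the new database is reachable
    Set-BrokerDBConnection -DBConnection $null
    Set-BrokerDBConnection -DBConnection $newConnection
}
```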

Complete Connections and Communication
StoreFront Enumeration: SQL Server Site Database Query and App and Desktop Icon Enumeration

[Diagram: enumeration steps (1)-(5) between the End User Device, Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller and SQL Site DB of Zone 1 (Primary, New York City), with Desktops and Apps as resources; satellite Zone 2 (San Francisco) and Zone 3 (Miami) each hold a Citrix Gateway, StoreFront, Delivery Controller, Desktops and Apps. Internal and external user paths are shown.]
Key Notes:
• (1) External (Green): Citrix Gateway communicates with StoreFront (after successful user authentication) to begin the resource
enumeration process.
• If the StoreFront server address (or VIP) is misconfigured on the Citrix Gateway, the logon process will fail at this stage.
• (2) Internal and External: After successful authentication, StoreFront queries the configured Delivery Controllers for available
resources accessible to the user. If XML-based authentication is used, the process begins at Step 3.

• If a custom XML communication port is used, ensure that it has been configured both on the StoreFront server group
(via the Manage Delivery Controllers setting in the console) and the Delivery Controllers (via BrokerService.exe).
• Additionally, ensure firewall rules allow communication on the selected port.
• (3) The Controller queries the site database for resource information.
• If high availability is a high priority for a given organization, strongly consider implementing HA for the SQL Site
database. The other Citrix Virtual Apps and Desktops databases (Monitoring, Configuration Logging) and supporting
product databases (Citrix Provisioning, AppDNA, Workspace Environment Management) can be located on the same
HA SQL deployment.
• (4) Based on the results of the SQL query, the Controller returns a list of all available resources for the user to
StoreFront.
• If the Controller cannot communicate with the Site database, Local Host Cache is used to provide resource information. Each method has considerations that should be included in the environment design.
• (5) StoreFront builds a web page with the available resources, which is either communicated directly to the end user device (internal) or proxied to the end user device via Citrix ADC (external).
• If no resources have been assigned to a user or any of the AD groups they are a member of, no resource icons will be
visible to the user.

Additional Resources:
• How to Change the XML Port in Virtual Desktops: https://support.citrix.com/article/CTX127945
• Local host cache (FMA): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/local-
host-cache.html

Complete Connections and Communication
StoreFront Enumeration: SQL Server Site Database Query and App and Desktop Icon Enumeration

Common Misconfigurations:
• XML communication port mismatch.
• No published resources have been made available to user(s).
• Expired SSL certificates on the Delivery Controller(s).
• Citrix Gateway and/or StoreFront information misconfigured on the respective components.
• Delivery Controllers are offline or unresponsive.

Tools to Support and Troubleshoot:
• Citrix Studio
• Windows Event Logs
   • Citrix Delivery Services
   • CAPI2 Operational Log
• PowerShell/Command Prompt
• Windows Registry
• Active Directory Users and Groups

Key Notes:
• Expired SSL certificates on the Delivery Controllers will impact communications between the StoreFront servers and Delivery
Controllers if SSL is enabled between them. Switching to the HTTP transport type is a workaround, but will lower the security of the
environment until new certificates are installed on the Delivery Controller(s).
• An XML communication port mismatch will occur if the configured port was changed on either the StoreFront server(s) or Delivery
Controller(s), but not both.
• The StoreFront console is used to adjust this setting on StoreFront, while a command prompt setting is used on the Delivery Controllers. The registry can also confirm the Delivery Controller setting.
• Citrix Studio can be used to verify that resources have been published to a user or user group. Remember to check any
application-level assignments and the “limit visibility” setting.
• The CAPI2 Operational log within Windows Event Logs can help to identify PKI-related errors (e.g. expired or invalid certificates). This log is not enabled by default and consumes additional resources on the machine, so it should only be enabled during troubleshooting.

Additional Resources:
• Enable CAPI2 event logging to troubleshoot PKI and SSL Certificate Issues:
https://blogs.msdn.microsoft.com/benjaminperkins/2013/09/30/enable-capi2-event-logging-to-troubleshoot-pki-and-
ssl-certificate-issues/

Lesson Objective Review

Which FMA service serves as the centralized directory service for all other services?

The Citrix Configuration Service

Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 09

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

Lab Exercise

• 9-1: Verify and Update SQL Connection Strings on the Delivery Controller
• 9-2: Validate the FMA Services Using PowerShell on the Delivery Controller
• 9-3: Performing a Site Recovery when no Delivery Controllers are Available
• 9-4: Remove Defunct Delivery Controllers from the SQL Database

Key Takeaways

• There are 14 FMA Services that function independently and provide management functionality for Studio, Director and PowerShell.
• The Citrix Configuration Service is the global
directory for the FMA architecture and all other
FMA services must register with it.
• PowerShell is a powerful tool for managing
and troubleshooting the FMA architecture.
• StoreFront Enumeration is a multi-step
process in which specific misconfigurations or
failure points will cause enumeration failure to
occur.

Citrix Virtual Apps and Desktops 7
Advanced Deployment, Troubleshooting,
Security and Administration
Troubleshoot Virtual Delivery Agent (VDA)
Registration Issues

Module 10

Learning Objectives

• Identify the common causes of VDA registration failures.
• Discuss the troubleshooting methods and tools to resolve common VDA registration failures.
• Describe the VDA registration process in a
multi-Zone Citrix Virtual Apps and Desktops
environment.

Troubleshooting Virtual Delivery
Agent (VDA) Registration

VDA Registration Issues (Overview)

[Diagram: the connection chain End User PC, StoreFront, Controller (VDC), VDA, Site Database and License Server, with the failure classes marked: network or connection issues at the end user PC, enumeration issues at StoreFront, registration issues between the Controller and the VDA, Site issues at the Site Database and license issues at the License Server.]


Registration Communication Process

[Diagram: the Virtual Delivery Agent (Desktop Service, BrokerAgent.exe), Active Directory, the Controller (BrokerService.exe) and the Site Database, with the numbered steps below.]
• (1) Check if Auto-update of DDCs is enabled. If so, gather a list of all available controllers.
• (2) Check the registry entry for ListOfDDCs (manually or GPO populated).
• (3) Validate each DDC found in AD by DNS entry.
• (4) Obtain a Kerberos ticket from AD for each controller found, to allow for communication.
• (5) The VDA uses the Desktop Service (BrokerAgent.exe) to make a call for “Registration”, initiating the registration process over TCP Port 80.
• (6) The Controller validates the VDA identity and functionality level against the Site Database.
• (7) BrokerService.exe attempts to validate the Kerberos ticket and VDA details from AD.
• (8) The Controller obtains a Kerberos ticket for communication with the VDA.
• (9) A 2-way test for callback is made (needs to be confirmed by both VDA and controller for hard registration to be successful).

Key Notes:
• Be aware that both the VDA and the Controller are actually acting as client and server – there are two independent connections between them. This is again used to prevent a man-in-the-middle attack, as the attacker would also need to compromise the Active Directory environment.
• And if they can do that, you have a much bigger problem going on. You can see this in steps 3-4 and 7-8, where the controller doesn’t trust the information provided by the VDA and actually contacts AD to confirm the SPN record.
• This is the reason why you cannot use a load-balanced IP when defining the controller.

• The same process applies to Linux VDAs, as well as Remote PC. That’s why Linux VDAs must actually have an AD account
created.

Common Registration Failures

• Misconfigured or unavailable Firewall
• DNS
• Time synchronization (5 minutes)
• Domain membership
• SPN records

[Diagram: BrokerAgent.exe on the Virtual Delivery Agent attempts to register on port 80; a firewall configured to block port 80 inbound blocks the registration request, which never reaches the Delivery Controller, so the registration attempt fails.]

Key Notes:
• There are a number of reasons why VDA registration may fail, such as a network failure or a firewall blocking communication. Other issues can be related to the Domain or DNS.
• Issues with DNS prevent Controller and VDA communication in the AD domain.
• ListOfDDCs registry value not updated or mistyped after a Delivery Controller is replaced or removed from the Site (for manual
configs).
• GPO or network firewall rule introduced which blocks necessary Controller-VDA communications.

• VDA time synchronization not set to use domain NTP server, causing it to become out of sync with the Delivery
Controller(s).
• Domain membership problems (for the VDA) can cause problems with the secure communication between the VDA
and the Controller.
• Leftover components, files, and/or registry values after a VDA version upgrade could prevent registration.
• A Delivery Controller may also become unavailable for VDA registration requests, thus causing VDA registration failures
to take place.
• Some possible causes include:
• The Delivery Controller receives too many registration requests and becomes overloaded and unresponsive.
• The Delivery Controller has failed for another reason, such as a technical problem with the machine.
• The Delivery Controller has been taken offline for maintenance.
• The first cause (excessive registration requests) would typically only happen if the Delivery Controllers were not sized
appropriately for the environment. Using the “N+1” principle, each Delivery Controller should be sized to accommodate
the expected registration load even if another Delivery Controller goes offline.

Additional resources:
• Virtual Delivery Agent (VDA) Registration Troubleshooting Tips and Flowchart:
https://support.citrix.com/article/CTX136668
• Troubleshooting Virtual Desktop Agent Registration with Controllers in Virtual Desktops:
https://support.citrix.com/article/CTX126992

Troubleshooting Methods

These are some of the primary tools that can be used to troubleshoot VDA issues, such as virtual desktop registration.

• XDPing: Command-line based application used to check for causes of common configuration issues on controllers and VDA machines.
• Event Log Entries: Windows Event logs will display entries for controller or VDA issues; for example, registration or configuration problems.
• CDFControl: Event trace tool that can be used to capture information in real time and then output captured data for log review.
• Citrix Health Assistant: Windows or CLI tool for troubleshooting configuration issues in a Citrix environment, to include VDA issues. Results are reported both in a GUI and log file.

Key Notes:
• XDPING can be used for the following:
• Validate network settings and connections.
• DNS lookups (including reverse lookups).
• Provide details on time synchronization and Kerberos Authentication time checks.
• User logon information.
• Machine information, such as the operating system and computer name.

• Information on the Citrix Virtual Desktops services.
• Windows firewall and port configuration information.
• Citrix Virtual Desktops -related event entries.
• Client bandwidth and response time (between the end user machine and the VDA).
• WCF Tracing can be enabled to review system events, operation calls, and fault/exceptions, to assist with diagnosing
data for the registration process.
• When using XDPing, make sure to run it both ways – VDA -> VDC as well as VDC -> VDA.
• The Citrix Health Assistant is a Windows (or CLI) tool that helps administrators troubleshoot configuration issues in a Citrix environment. The tool conducts the following health checks on a VDA and reports check results in the GUI and in the log file:
• VDA registration:
• VDA Software Installation
• VDA Machine Domain Membership
• VDA Communication Port Availability
• VDA Services Status
• Windows Firewall Configuration
• Communication with Controller
• Time Sync with Controller
• VDA Registration Status
• Session Launch:
• Session Launch Communication Port Availability
• Session Launch Services Status
• Session Launch Windows Firewall configuration
• VDA Remote Desktop Services Client Access Licenses
• VDA Application Launch Path
• To use and start the tool from the command line, run:
   • "Citrix Health Assistant.exe" -start
• Windows Event Viewer will list various registration warnings or failures related to the Delivery Controller or VDA. The VDA and Delivery Controller components both generate event log messages for successful and unsuccessful registrations, which can be used to validate registration or narrow down the cause of a registration issue.
• CDF Control (Remote tracing) can be used to capture trace messages that are output from the various Citrix tracing
providers. These traces can be analyzed to see detailed communication details for the selected process(es).
• Additional resources to assist with troubleshooting and investigating VDA registration issues:
   • Citrix Studio or Citrix Director can be used to verify VDA registration status, as well as to determine whether the issue is specific to an individual VDA or more widespread.
   • PowerShell or the Command Prompt can be used to verify communications between the Controller and VDA, as well as to investigate potential time synchronization issues.
   • The Citrix Policy Reporter Tool can be used to validate how Citrix and Microsoft Group Policy are being applied to a VDA, which can be used to validate the ListOfDDCs setting.
• The VDA Cleanup Utility is designed to assist with the following scenarios:
   • When errors occur during an upgrade from an earlier version of the VDA.
   • When unexpected behavior or performance is experienced after an upgrade from an earlier VDA.
   • If a VDA upgrade is not possible due to feature incompatibility and/or a clean uninstall is required.
   • The VDA Cleanup Utility removes leftover components, files, and registry values of VDA 5.6 and later.

Additional resources:
• How to troubleshoot Virtual Delivery Agent (VDA) Registration issues: https://support.citrix.com/article/CTX136668
• XDPing Tool: http://support.citrix.com/article/CTX123278
• Citrix Health Assistant - Troubleshoot VDA Registration and Session Launch:
https://support.citrix.com/article/CTX207624
• VDA Health Check Now Available on Smart Check: https://www.citrix.com/blogs/2017/08/30/vda-health-check-now-
available-on-smart-check/
• Citrix Supportability Pack (bundles many useful tools): https://support.citrix.com/article/CTX203082
• Citrix Policy Reporter - RSOP CtxCseUtil Tool: https://support.citrix.com/article/CTX138533
• VDA Cleanup Utility: https://support.citrix.com/article/CTX209255
• CDF Control: https://support.citrix.com/article/CTX111961

VDA Registration with FMA Zones
Complete Connections and Communication

[Diagram: registration steps (1)-(7) between a VDA in satellite Zone 2 (San Francisco), the Delivery Controller in Zone 2, the Delivery Controller, Active Directory and SQL Site DB in Zone 1 (Primary, New York City); Zone 3 (Miami) is a second satellite zone with its own Citrix Gateway, StoreFront, Delivery Controller, Desktops and Apps.]

Key Notes:
• (1) If Auto-Update is enabled, VDA gathers list of available Delivery Controllers. If Auto-Update is not enabled, VDA checks registry
entry for ListOfDDCs (manually or GPO populated).
• If this setting is configured manually, care should be taken to keep it up to date to prevent issues later. Also remember that a
setting configured via Group Policy will override a locally configured setting.
• In addition to the ListOfDDCs, the ListOfSIDs indicates which machine Security IDs (SIDs) the VDA allows to contact it as a Controller. The ListOfSIDs can be used to decrease the load on Active Directory or to avoid possible security threats from a compromised DNS server.
• (2) VDA confirms Delivery Controller validity by DNS entry, then obtains a Kerberos ticket from AD for each Controller.
• For Virtual Desktops users who have upgraded from versions earlier than 7.0, the auto-update feature replaces the
CNAME function from the earlier version. You can manually re-enable the CNAME function, if desired; however, for
DNS aliasing to work consistently, you cannot use both the auto-update feature and the CNAME function. In general,
Citrix recommends using the newer auto-update feature.
• (3) VDA makes a call for registration from a Controller in its local zone (if available).
• When auto-update is enabled for VDA discovery of Controllers, and you specify a list of Controller addresses during
VDA installation, a Controller is randomly selected from that list for initial registration (regardless of which zone the
Controller resides in). After the machine with that VDA is restarted, the VDA will start to prefer registering with a
Controller in its local zone.
• (4) For Satellite zone VDAs, if a local Delivery Controller is unavailable in the local zone, it will attempt to contact a
Controller in the primary zone for registration.
• At a minimum, implement redundant Delivery Controllers in the primary zone. VDAs in the primary zone will not
attempt to register to a satellite zone’s Controller(s), even if no Controllers are available in the primary zone.
Additionally, the primary zone serves as a failover option for satellite zone VDAs.
• (5) After initial contact is made, the Delivery Controller validates the VDA identity and functionality level with the Site
database.
• Remember that a Delivery Controller may become unavailable for VDA registrations. Some possible causes include:
• The Delivery Controller receives too many registration requests and becomes unresponsive.
• The Delivery Controller has failed for another reason.
• The Delivery Controller has been taken offline for maintenance.
• (6) The Delivery Controller validates Kerberos ticket and VDA details from AD.
• Ensure that communications between the Delivery Controllers and AD Domain Controllers are allowed in the
firewalls of your environment.
• (7) A two-way test between the Controller and VDA is made to confirm a successful registration.
• The process could fail here if the appropriate firewall ports are not permitted between the Controller and the VDA.
Additionally, ensure that the FQDN of each component can be resolved successfully from its counterpart.
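The checks behind the Common Registration Failures list and the registration steps above, as an added example that is not part of the course or of any Citrix tool: run on a VDA, it reads the configured ListOfDDCs/ListOfSIDs, then tests DNS resolution, TCP port 80, clock skew against the 5-minute Kerberos tolerance, the Controller's HOST SPN and domain membership for each Controller. The registry paths (the Citrix GPO copy in particular), the use of a HOST/ SPN and the w32tm/setspn output parsing are my assumptions.

```powershell
# Added example (not from the Citrix course): run ON a VDA to check the
# registration prerequisites against each configured Delivery Controller.
# Assumptions: ListOfDDCs / ListOfSIDs live under HKLM\SOFTWARE\Citrix\VirtualDesktopAgent
# (the registry-based configuration the notes refer to) or under the Policies copy
# written by the Citrix GPO; registration uses TCP 80; Kerberos tolerates 5 minutes of skew.
$vdaKey           = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
$policyKey        = 'HKLM:\SOFTWARE\Policies\Citrix\VirtualDesktopAgent'   # assumed GPO path
$registrationPort = 80
$maxSkewSeconds   = 300

function Get-ConfiguredDdcs {
    # A Group Policy value overrides the locally configured one, as the notes say.
    foreach ($key in $policyKey, $vdaKey) {
        $v = (Get-ItemProperty -Path $key -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
        if ($v) { return @{ Source = $key; Ddcs = @($v -split '[\s,]+' | Where-Object { $_ }) } }
    }
    return @{ Source = 'none'; Ddcs = @() }
}

function Test-Ddc {
    param([string]$Ddc)
    $r = [ordered]@{ DDC = $Ddc; DnsOk = $false; PortOk = $false; SkewSeconds = $null; SpnOk = $null }

    # Step (3): the Controller must resolve by name; it is validated against AD/DNS,
    # which is also why a load-balanced VIP cannot be used as a Controller address.
    try { $r.DnsOk = [bool](Resolve-DnsName -Name $Ddc -Type A -ErrorAction Stop) } catch {}

    # Step (5): BrokerAgent.exe registers over TCP 80 by default; a blocked port shows up here.
    $r.PortOk = (Test-NetConnection -ComputerName $Ddc -Port $registrationPort `
                 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Time synchronization: Kerberos fails beyond roughly 5 minutes of skew.
    # "w32tm /stripchart ... /dataonly" prints "hh:mm:ss, +00.0012345s" per sample.
    $line = (w32tm /stripchart /computer:$Ddc /samples:1 /dataonly 2>$null) |
            Select-String -Pattern ',\s*([-+]?\d+\.\d+)s' | Select-Object -Last 1
    if ($line) { $r.SkewSeconds = [math]::Abs([double]$line.Matches[0].Groups[1].Value) }

    # Steps (4)/(7): the VDA needs a Kerberos ticket for the Controller, so the Controller's
    # computer account must have a (here assumed) HOST/ SPN registered in AD.
    $hostName = ($Ddc -split '\.')[0]
    if (Get-Command setspn.exe -ErrorAction SilentlyContinue) {
        $spns = setspn -L $hostName 2>$null
        if ($LASTEXITCODE -eq 0) {
            $r.SpnOk = [bool]($spns | Select-String -Pattern "^\s*HOST/$hostName" -Quiet)
        }
    }
    [pscustomobject]$r
}

$cfg = Get-ConfiguredDdcs
Write-Host "ListOfDDCs source: $($cfg.Source)"
if (-not $cfg.Ddcs) {
    Write-Warning 'No ListOfDDCs found; this script does not query auto-update, so check the policy or registry value.'
    return
}
$sids = (Get-ItemProperty -Path $vdaKey -Name ListOfSIDs -ErrorAction SilentlyContinue).ListOfSIDs
if ($sids) { Write-Host "ListOfSIDs is set; only Controllers with these SIDs may contact this VDA: $sids" }

$results = $cfg.Ddcs | ForEach-Object { Test-Ddc -Ddc $_ }
$results | Format-Table -AutoSize

foreach ($x in $results) {
    if (-not $x.DnsOk)  { Write-Warning "$($x.DDC): name does not resolve (DNS)" }
    if (-not $x.PortOk) { Write-Warning "$($x.DDC): TCP $registrationPort blocked or Controller unavailable" }
    if ($x.SkewSeconds -gt $maxSkewSeconds) { Write-Warning "$($x.DDC): clock skew $($x.SkewSeconds)s exceeds the Kerberos tolerance" }
    if ($x.SpnOk -eq $false) { Write-Warning "$($x.DDC): no HOST/ SPN found for the Controller computer account" }
}
# A VDA that is not domain-joined cannot obtain the Kerberos tickets of steps (4) and (8) at all.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) { Write-Warning 'This machine is not a domain member' }
```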

Additional Resources:
• Best Practices for Virtual Desktops Registry-Based DDC Registration: https://support.citrix.com/article/CTX133384
• Delivery Controllers: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/delivery-
controllers.html
• Zones: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/manage-deployment/zones.html

Lesson Objective Review

What is the default port used by the VDA for registration?

Port 80

Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 10

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

Lab Exercise

• 10-1: Troubleshooting a VDA Registration Issue using the Citrix Health Assistant and CDF Tracing tools
• 10-2: Verifying and Resolving Time Synchronization Issues on a Machine
• 10-3: Verifying and Resolving Network Connectivity Issues between VDA and Delivery Controller
• 10-4: Troubleshooting Name Resolution Issues

Key Takeaways

• VDA registration is a multi-step process involving the VDA, Delivery Controller(s) and Active Directory.
• Active Directory Kerberos is required for both the VDA(s) and Controller(s) during the registration process, to securely validate their identity to one another.
• There are a number of network, domain, VDA or Delivery Controller issues that can result in VDA registration failures.
• There are key Windows and command line tools available to assist with investigating and troubleshooting registration issues.

Citrix Virtual Apps and Desktops 7
Advanced Deployment, Troubleshooting,
Security and Administration
Troubleshoot HDX Connection Issues

Module 11

Learning Objectives

Identify the common causes of HDX session launch failures and discuss the troubleshooting methods and tools to resolve common HDX session launch failure causes.

Troubleshooting HDX
Connections

Lesson Learning Objectives

• Describe the HDX session launch sequence.
• Identify the common causes of HDX session launch failures.
• Identify the troubleshooting methods and tools to resolve common HDX session launch failure causes.

Troubleshooting HDX Connections (Overview)

[Diagram: the connection chain End User PC, StoreFront, Controller (VDC), VDA, Site Database and License Server, with the failure classes marked: connection issues at the end user PC, enumeration issues at StoreFront, registration issues between the Controller and the VDA, Site issues at the Site Database and license issues at the License Server.]


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 11

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

Registration Communication Process

• You can review recent connections and brokering attempts using specific cmdlets that output to a log file for review:
   • Get-BrokerConnectionLog
   • The session connection log contains information for all brokered connection, or reconnection, attempts to sessions within the site.
• When connecting via StoreFront, you can automatically download an .ica file to the local client machine by setting the LogICAFile string value to “true” on the workstation.
   • HKLM\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging
• An .ICA file can be downloaded and parsed to view all connection specific details, for example:
   • IP or DNS address of worker
   • Application settings
   • Proxy information

Key Notes:
• The Get-BrokerConnectionLog command:
• Gets connection log entries matching the specified criteria. If no parameters are specified all connection log entries are returned.
• Creates a log with each entry describing a single connection brokering attempt to a new or existing session within the site. A
single session can have multiple entries in the connection log.
• By default, connection log entries are removed after 48 hours.
To enable the automatic creation of ICA files on an end-user workstation when using StoreFront, set the following String values in the [HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging] registry path. (Use Wow6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging on 64-bit machines.)
1. LogFile=<path to the log file, using the following format: C:\ica\ica.log>
2. LogICAFile=true
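The two troubleshooting aids above, as an added example that is not part of the course or of the Citrix SDK: one function sets the LogFile/LogICAFile values on a workstation (registry path from the notes, Wow6432Node chosen on 64-bit Windows), the other runs on a Delivery Controller and summarises recent failed brokering attempts from Get-BrokerConnectionLog. The property names used on the log entries (ConnectionFailureReason, BrokeringTime, BrokeringUserName, MachineDNSName, IsReconnect) are my assumption about the SDK output.

```powershell
# Added example (not from the Citrix course or SDK). Two helpers for the
# launch-troubleshooting notes above; the connection-log property names are assumed.

function Enable-IcaFileLogging {
    # Runs on the end-user workstation. Saves every launch.ica the client receives.
    param([string]$LogFile = 'C:\ica\ica.log')
    $base = if ([Environment]::Is64BitOperatingSystem) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
    $key  = "$base\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging"
    if (-not (Test-Path $key)) { throw "Citrix client logging key not found: $key" }
    New-Item -Path (Split-Path $LogFile) -ItemType Directory -Force | Out-Null
    # Both are REG_SZ values, as the notes say (LogICAFile is the string "true", not a DWORD).
    New-ItemProperty -Path $key -Name LogFile    -Value $LogFile -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name LogICAFile -Value 'true'   -PropertyType String -Force | Out-Null
    # The saved .ica carries the session address and STA ticket: protect the log
    # directory and switch logging off again once troubleshooting is done.
    Get-ItemProperty -Path $key | Select-Object LogFile, LogICAFile
}

function Disable-IcaFileLogging {
    $base = if ([Environment]::Is64BitOperatingSystem) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
    $key  = "$base\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging"
    Remove-ItemProperty -Path $key -Name LogICAFile -ErrorAction SilentlyContinue
}

function Get-FailedBrokeringAttempts {
    # Runs on a Delivery Controller. Entries older than 48 hours are gone anyway.
    param([int]$Hours = 24)
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue
    $since   = (Get-Date).AddHours(-$Hours)
    $entries = Get-BrokerConnectionLog -MaxRecordCount 100000 |
               Where-Object { $_.BrokeringTime -ge $since -and "$($_.ConnectionFailureReason)" -ne 'None' }
    # Grouping by reason and by VDA makes a single bad worker, or a Site-wide
    # licensing/ticketing problem, visible at a glance.
    [pscustomobject]@{
        Since          = $since
        FailedAttempts = @($entries).Count
        ByReason       = $entries | Group-Object ConnectionFailureReason | Sort-Object Count -Descending |
                             Select-Object Name, Count
        ByMachine      = $entries | Group-Object MachineDNSName | Sort-Object Count -Descending |
                             Select-Object -First 10 Name, Count
        LatestFailures = $entries | Sort-Object BrokeringTime -Descending | Select-Object -First 10 `
                             BrokeringTime, BrokeringUserName, MachineDNSName, ConnectionFailureReason, IsReconnect
    }
}

# Usage on a Controller:
#   $report = Get-FailedBrokeringAttempts -Hours 6
#   $report.ByReason | Format-Table -AutoSize
#   $report.LatestFailures | Format-Table -AutoSize
```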

Additional resources:
• How to Save the Launch.ica File to a Client Computer: http://support.citrix.com/article/CTX115304
• Driving the Citrix Receiver Self-Service Plug-in Programmatically: http://support.citrix.com/article/CTX200337
• Get-Brokerconnectionlog: https://developer-docs.citrix.com/projects/delivery-controller-sdk/en/latest/Broker/Get-
BrokerConnectionLog/

Load Management

• User sessions connecting to either desktops or applications are distributed evenly across all VDAs within a given Delivery Group.
• Session distribution is driven by a load index that is reported by each VDA to the Controller.
• To customize session load balancing, load management can be configured via Citrix or GPO policies.

[Diagram: 4 HDX session requests from end users reach the Delivery Controller, which distributes Sessions 1-4 across the Published Desktop and Published Application machines of a Delivery Group.]

Key Notes:
Load balancing can be customized using policies.
HDX Policy Load Management settings include the following parameters, which can be set based on specific infrastructure requirements:
• Concurrent logons tolerance
• CPU usage
• CPU usage excluded process priority
• Disk usage

• Maximum number of sessions (default value of 250)
• Memory usage
• Memory usage base load
• Session distribution is driven by a load index, reported by each VDA:
• Range from 0 to 10000 (full load)
• Report 20000 for licensing issues
• Report a full server load at 250 sessions (default)
• You can query load index using cmdlet Get-BrokerMachine
• Get-BrokerMachine -SessionSupport MultiSession -Property DnsName, LoadIndex, SessionCount
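Building on that query, the following added example (not from the course or the Citrix SDK) turns the reported load index into per-Delivery-Group headroom, counts machines the Controller can no longer pick at launch, and flags the 20000 value that signals a licensing problem. It assumes the LoadIndex semantics from the notes and the Get-BrokerMachine properties DesktopGroupName, RegistrationState and InMaintenanceMode.

```powershell
# Added example (not from the Citrix course or SDK): load headroom per Delivery Group
# from the load index each multi-session VDA reports. Assumptions: run on a Controller;
# 0-10000 = 0-100% load, 20000 = licensing problem (as in the notes).
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue

$FullLoad      = 10000
$LicensingLoad = 20000

function Get-DeliveryGroupLoad {
    $machines = Get-BrokerMachine -SessionSupport MultiSession -MaxRecordCount 10000 `
        -Property DnsName, DesktopGroupName, LoadIndex, SessionCount, RegistrationState, InMaintenanceMode

    foreach ($group in ($machines | Group-Object DesktopGroupName)) {
        $all = $group.Group
        # Only registered machines outside maintenance mode can take new sessions: that is
        # the set the Controller chooses from when it brokers a launch.
        $available = $all | Where-Object { $_.RegistrationState -eq 'Registered' -and -not $_.InMaintenanceMode }
        $licensing = $available | Where-Object { $_.LoadIndex -ge $LicensingLoad }
        $full      = $available | Where-Object { $_.LoadIndex -ge $FullLoad -and $_.LoadIndex -lt $LicensingLoad }
        $usable    = $available | Where-Object { $_.LoadIndex -lt $FullLoad }
        # Remaining capacity in "machine equivalents": a VDA at 7500 contributes 0.25.
        $headroom  = ($usable | ForEach-Object { ($FullLoad - $_.LoadIndex) / $FullLoad } |
                      Measure-Object -Sum).Sum
        [pscustomobject]@{
            DeliveryGroup    = $group.Name
            Machines         = @($all).Count
            Available        = @($available).Count
            FullyLoaded      = @($full).Count
            LicensingProblem = @($licensing).Count
            Sessions         = ($all | Measure-Object SessionCount -Sum).Sum
            HeadroomMachines = [math]::Round([double]$headroom, 2)
        }
    }
}

$report = Get-DeliveryGroupLoad
$report | Format-Table -AutoSize
foreach ($g in $report) {
    if ($g.LicensingProblem -gt 0) {
        Write-Warning "$($g.DeliveryGroup): $($g.LicensingProblem) VDA(s) report load 20000 (licensing); check License Server reachability from the Controllers"
    }
    if ($g.Available -eq 0) {
        Write-Warning "$($g.DeliveryGroup): no registered, non-maintenance VDAs; launches will fail"
    } elseif ($g.HeadroomMachines -lt 1) {
        Write-Warning "$($g.DeliveryGroup): less than one machine of spare capacity; new launches will soon fail"
    }
}
```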

Additional resources:
• How to Calculate the Load Evaluator Index on XDC: http://support.citrix.com/article/CTX202150

Complete Connections and Communication
Session Launch: HDX Communication

[Diagram: session launch steps (1a)-(14) between the End User Device, Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, SQL Site DB and the Desktops/Apps resources of Zone 1 (Primary, New York City); satellite Zone 2 (San Francisco) and Zone 3 (Miami) each hold a Citrix Gateway, StoreFront, Delivery Controller, Desktops and Apps. Internal and external user paths are shown.]
Key Notes:
• (1a) External: The user clicks on a published resource and Citrix ADC transmits this launch request to StoreFront.
• When using Native Receiver (e.g. the Receiver desktop client), StoreFront beacons are used to determine whether the endpoint is on the internal or external network. Based on this, Receiver will attempt to connect either to Citrix Gateway or directly to StoreFront. Typically the Citrix Gateway URL is the default external beacon, and the StoreFront URL is the internal beacon. However, in single URL scenarios (where NSG and SF URLs match) this could lead to issues when endpoints move inside or outside of the network (such as laptops that users take home with them). In these situations, the internal beacon (which is checked first) should be changed to an alternate URL.
• (1b) Internal: The user clicks on the published resource, which is transmitted to StoreFront directly.
• Keep in mind that auto-launch settings could initiate the launch process for a single published desktop even without a user clicking on an icon. This could be beneficial or detrimental depending on the use case. This setting can be modified via the Receiver for Web settings in the StoreFront console.
• (2) StoreFront forwards the request to the Delivery Controller.
• Since StoreFront and the Controller have already communicated during the resource enumeration process, this step would most likely not be the cause of any issues. However, it is possible that a communication issue could occur if the Controller(s) experience an issue between the time that a user logs in and then later clicks on a published resource.
• (3) The Delivery Controller chooses the appropriate VDA to host the session using load-balancing rules and
returns the session information to StoreFront.
• If all registered VDAs are fully loaded, in maintenance mode or otherwise unresponsive, the user will
receive an error message and the resource launch will fail. Capacity monitoring and management should
be a part of the regular operations of a production Site.
• (4) External only: StoreFront buffers the session information in the STA service of the Delivery Controller and
receives a STA ticket in return.
• The Delivery Controllers selected by StoreFront to generate STA tickets depends on the Controller URLs
specified in the remote access settings of the StoreFront store. For redundancy, at least two Controller
URLs should be included if possible.
• (5) StoreFront generates a launch file. If using HDX proxy, the STA ticket is included in the launch file.
• This is the .ICA file that Receiver will use to access the VDA.
• (6) StoreFront sends the launch file to the endpoint device, either directly or proxied via Citrix ADC.
• Ensure that the .ica file type is permitted for download on any managed endpoints.
• (7) External only: Citrix Receiver processes the launch file and presents the STA ticket to Citrix ADC.
• This process should occur automatically for most endpoints and Receiver clients. However, if Receiver for
Web is used via the Google Chrome browser, the .ICA may not launch automatically. See Additional
Resources for a list of steps that can be taken to remediate the issue.
• (8) External only: Citrix ADC validates the STA ticket with the STA on the Delivery Controller.

• The list of STAs configured in Citrix Gateway should match those in StoreFront. Additionally, the format
(FQDNs or IP addresses) should match in both locations.
• (9) External only: If validation is successful, the STA returns the session information to Citrix ADC.
• If for any reason, Citrix ADC does not receive validation from the STA service, the resource launch will fail.
The most common reason for this is a mismatch in STA settings between the StoreFront and Citrix ADC
instances used for this process.
• (10a) External: Citrix ADC uses the session information to establish a session to the VDA.
• Ensure that the firewall between the public Internet and the internal network allows port 2598 or 1494
(depending on whether Session Reliability is enabled).
• (10b) Internal: Citrix Receiver on the endpoint processes the launch file received in Step 5, and establishes a
session with the VDA.
• Issues occurring at this stage could be caused by a faulty Receiver installation, causing the resource launch
to fail even if the Citrix Virtual Apps and Desktops infrastructure is functioning normally. If the issue is
isolated to an individual endpoint, start troubleshooting by examining the endpoint’s Receiver.
• (11) VDA verifies license file with the Delivery Controller.
• This is different from the IMA structure used with Citrix Virtual Apps 6.5 and earlier, where each Session
Host would check in with the Citrix License server directly. Now, licensing communications are centralized
to the Delivery Controllers.
• (12) The Delivery Controller queries Citrix License Server to verify that the end user has a valid ticket.
• Normally, the built-in grace period will provide coverage in the event that the Citrix License Server is
offline. However, if all available licenses have been consumed, overdraft licenses equal to 10% of the
purchased license amount are assigned. If those are used, users will not be able to establish new sessions.
Issues could also occur if communications between the Controller(s) and Citrix License Server are blocked
or otherwise fail.
• Although not called out as an individual step, Microsoft Remote Desktop Services (RDS) client access
licenses (CALs) are also verified when launching resources from Server OS VDAs. Ensure that RDS license
servers are accessible to the VDAs. These servers should be specified via Microsoft Group Policy.
• (13) The Delivery Controller passes session policies to the VDA, which then applies session policies to the virtual
machine.

• Policies can greatly impact the user experience within a session. Citrix policies, WEM, and Group Policy
should be used to fine-tune session settings.
• (14) Citrix Receiver displays the selected resource to the end user.
• Many factors can impact the quality of the connection to the VDA once it has been established. Products such as
Citrix Application Delivery Management, Citrix ADC SD-WAN, and Citrix Director can be used to investigate and
optimize it.
• Additionally, many user-reported issues occur after the HDX session launch has already completed. These issues are
application-specific, and many involve missing application dependencies, application backend issues, compatibility
issues with a seamless app window, or other issues that would occur even if the application were accessed directly
on the VDA. When troubleshooting, it is important to understand the timing of the issue, as well as whether it occurs
with only a specific published resource.

Additional Resources:
• Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally:
https://docs.citrix.com/en-us/storefront/current-release/advanced-configurations/configure-single-fqdn.html
• Users Prompted to Download, Run, Open Launch.ica File, Instead of Launching Connection:
https://support.citrix.com/article/CTX804493
• Error: You Cannot Access this Session Because no Licenses are Available. Event ID 1163:
https://support.citrix.com/article/CTX210104
• FAQ: Citrix Virtual Apps and Desktops 7.x Licensing: https://support.citrix.com/article/CTX128013

Complete Connections and Communication
Session Launch: HDX Communication 1

Common Misconfigurations:

• All VDAs hosting the published resource are fully loaded, unregistered, offline, or in maintenance mode.
• No Citrix licenses are available due to an unplanned increase in users.
• Secure Ticket Authority (STA) issues when launching via Citrix Gateway.
• Unexpected behavior or performance is experienced after an upgrade from an earlier version of Receiver.

Tools to Support and Troubleshoot:

• Windows Event Logs
• Citrix Studio
• Citrix Director
• PowerShell/Command Utility
• Receiver Clean-Up Utility
• Citrix Health Assistant
• CPUStress Tool
• Resource Monitor
• Process Explorer
• AutoRuns utility

Key Notes:
• Other potential causes of resource launch issues:
• StoreFront beacon settings are misconfigured, which could impact application launches from Native Receiver.
• Individual application is missing dependencies.
• Required DLLs blocked by a security policy.
• The Citrix Delivery Services view within the Windows Event Logs on the StoreFront server is extremely helpful for troubleshooting
common resource launch issues.
• Citrix Studio can be used to check the load index on individual VDAs, as well as confirm the Machine Catalog and
Delivery Group membership of a VDA.
• Citrix Director can assist with identifying whether resource launch issues are widespread or limited to a certain set of
users or resources. It can also be used to analyze the cause of long logon times.
• The Receiver Clean-up Utility can help in situations where leftover registry entries or files from an earlier version of
Receiver cause errors to occur on an individual endpoint. However, it is not recommended to use this tool with Receiver
4.3 or later.
• The Citrix Health Assistant is a GUI tool that automates checking for the causes of common configuration
issues in a Citrix Virtual Apps and Desktops environment. It can verify configuration settings on both Delivery
Controller and VDA machines, from the console or remotely. The XDPing tool offers further checks of Delivery
Controller settings.
• CPU Stress is a tool from Microsoft (part of Windows Sysinternals suite). This utility can be used to simulate high CPU
usage by a user mode process.
• The AutoRuns utility can help detect which programs are configured to run during system startup and/or logon.
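The following PowerShell check ties the session launch steps above (STA validation in Steps 8-9, the HDX ports in Step 10, brokering outcomes across Steps 3-14) to the PowerShell tool listed here. It is an added example, not part of the Citrix course material; the hostnames and STA port are placeholders, and it assumes the Citrix Broker snap-in is available on the machine where it runs.

```powershell
# Added example, not part of the Citrix course material.
# Assumptions: run on a Delivery Controller (or a machine with the Citrix Broker
# PowerShell snap-in) by an account with Studio read rights; all hostnames and the
# STA port below are placeholders for your own environment.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$StaServers = @('ddc01.example.local', 'ddc02.example.local')  # placeholders: Controllers listed as STAs
$StaPort    = 80                                                 # placeholder: port from the STA URL (80 or 443)
$SampleVda  = 'vda01.example.local'                              # placeholder: a VDA in the affected Delivery Group

# Steps 8-9: Citrix Gateway must reach every STA it references; one unreachable
# entry is enough to make launches fail intermittently.
foreach ($sta in $StaServers) {
    $ok = Test-NetConnection -ComputerName $sta -Port $StaPort `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Output ("STA {0,-24} port {1} reachable: {2}" -f $sta, $StaPort, $ok)
}

# Step 10: the HDX session itself needs 1494 (ICA) or 2598 (Session Reliability).
foreach ($port in 1494, 2598) {
    $ok = Test-NetConnection -ComputerName $SampleVda -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Output ("VDA {0} port {1} reachable: {2}" -f $SampleVda, $port, $ok)
}

# Steps 3-14 as recorded by the Controller: brokering failures from the last 24 hours.
# ConnectionFailureReason is 'None' for successful launches; values such as
# Ticketing and Licensing correspond to the STA and licensing stages of the flow.
# (Property names as documented in the Broker SDK; confirm with Get-Member if your version differs.)
$since    = (Get-Date).AddHours(-24)
$failures = Get-BrokerConnectionLog -MaxRecordCount 5000 |
    Where-Object { $_.BrokeringTime -gt $since -and $_.ConnectionFailureReason -ne 'None' }

# Failure counts by reason: a single dominant reason points at one stage of the flow.
$failures | Group-Object ConnectionFailureReason |
    Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Most recent failures: check whether they cluster on one user, one VDA, or one endpoint.
$failures | Sort-Object BrokeringTime -Descending |
    Select-Object -First 10 BrokeringTime, UserName, MachineName, ClientName, ConnectionFailureReason |
    Format-Table -AutoSize
```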

Additional Resources:
• Citrix Supportability Pack (bundles many useful tools): https://support.citrix.com/article/CTX203082
• Secure Ticket Authority (STA) Status is Marked as DOWN on Citrix ADC-Gateway:
https://support.citrix.com/article/CTX132334/
• FAQ: Citrix Secure Gateway/Citrix Gateway Secure Ticket Authority: https://support.citrix.com/article/CTX101997
• Receiver Clean-Up Utility: https://support.citrix.com/article/CTX137494
• XDPing Tool: https://support.citrix.com/article/CTX123278
• Tools To Simulate CPU / Memory / Disk Load (includes CPUStress Tool):
https://blogs.msdn.microsoft.com/vijaysk/2012/10/26/tools-to-simulate-cpu-memory-disk-load/
• Autoruns for Windows v13.7: https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Lesson Objective Review

How do Delivery Controllers manage session distribution?

Based on the load index reported to them from each VDA.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 11

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

Lab Exercise

• 11-1: Configure Graceful App Session Logoff for Ghost Sessions
• 11-2: Troubleshooting Published App Launch Failures Caused by a Missing Dependency

Key Takeaways

• An .ICA file or CLI commands such as Get-BrokerConnectionLog can be used to review HDX connection
details or session activity.
• Session distribution is driven by a load index maintained on the VDA, which is then reported to each
Delivery Controller.
• There are various tools and logs that can be used to review and investigate HDX communication problems.
