CWS 315 2I en StudentManual 4 5 Days v02
CWS-315-2I: Citrix Virtual Apps and Desktops 7 Advanced Administration
(4-5 Days)
Table Of Contents
Module 2 - Create an OS Layer
  The OS Layer
Module 3 - Create a Platform Layer
  The Platform Layer
Module 4 - Create an App Layer
  The App Layers
Module 5 - Elastic App and User Layers
  Elastic App Layering
  User Layers
Module 6 - Deploy a Layered Image Using Citrix Virtual Apps and Desktops
  Using Templates in Citrix App Layering
  Using Layered Images in a Citrix Virtual Apps and Desktops Site
Module 7 - Explore Layer Priority and Maintain an App Layering Environment
  Layer Priority
  Updating Layers
  Maintaining and Updating the App Layering Environment
  Common Citrix App Layering Considerations and Additional Resources
Module 8 - Introduction to Workspace Environment Management (WEM)
  WEM Features and Benefits
  WEM On-Premises Components and Deployments
  WEM Service Components and Deployments
  WEM Component Communication Workflows
Module 9 - WEM On-Premises and WEM Service Deployment Installation
  WEM On-Premises Deployment Installation - Leading Practice Installation Prerequisites and Steps
  WEM On-Premises Deployment Installation - WEM ADMX Template Configuration
  WEM On-Premises Deployment Installation - Choosing a Security Principal to run the WEM Infrastructure Service
  WEM On-Premises Deployment Installation - Creating the WEM Database
  WEM On-Premises Deployment Installation - Running the WEM Infrastructure Service Configuration Utility
  WEM On-Premises Deployment Installation - WEM Agent Installation
  WEM Deployment Installation - WEM On-Premises vs WEM Service
  WEM Service Deployment Installation - Leading Practice Installation Prerequisites and Steps
  WEM Service Deployment Installation - WEM ADMX Template Configuration
  WEM Service Deployment Installation - WEM Agent Installation
Module 10 - WEM Administration Consoles and Initial Setup
  WEM Consoles
  WEM Initial Setup
  Migrating GPO settings to WEM
Module 11 - WEM Centralized Management Features: System and Log On Optimization
  WEM System Optimization Management Features
  WEM Logon Optimization Management Features
  WEM Assigned Actions
  Citrix Profile Management in WEM
Module 12 - WEM Centralized Management Features: Security & Lockdown
  WEM Security Management Features
  WEM Transformer
  WEM Monitoring and Reporting
Module 13 - The WEM Agent
  WEM Settings Processing and WEM Agent Caches
  WEM Agent integration with Citrix Virtual Apps and Desktops
Module 14 - Upgrading Workspace Environment Management (WEM) and Migration to WEM Service
  Upgrading Workspace Environment Management (WEM)
  WEM on-premise Migration to WEM Service
Citrix App Layering and WEM Administration
Introduction to Citrix App Layering
Module 1
solution and purpose of each layer.
• Identify the App Layering layer in which each software component category is designed to be placed.
• Describe the role and the workflow of Citrix App Layering.
• Recognize how Elastic layers are mounted into a layered image.
Management Solution
• App Layering is a process used to deliver a complete virtual desktop to an end-user.
• We can create and manage the following types of layers:
  • Operating System Layer
  • Platform Layers
  • Application Layers
  • Elastic Layers
  • User Layers
[Diagram labels: Elastic Layer; Application Layers; Platform Layer; Hypervisor Tools (example); Operating System Layer]
Key Notes:
• App Layering is an App and Image Management Solution; it is a process and a technology.
• Layering is a process that is used to deliver a complete virtual desktop, including the OS and apps which are needed for an end user.
• App Layering allows you to individualize virtual machine components into layers:
  • Takes Application Complexity – makes it Application Layers
  • Takes Hypervisor Complexity – makes it Platform Layers
  • Takes Operating System Complexity – makes it Operating System Layers
environment drivers, software, VDA, PVS target software, et cetera.
• Application Layers - Application Layers contain software programs that you can deploy to any desktop with the compatible operating system. A Layer can also include patches or plug-ins for programs.
• Layers you can enable on layered images
  • Elastic Layers - An App Layer that the administrator can deliver based on user entitlements when users log onto sessions or standalone desktops. Elastic Layers allow administrators to give each user his/her own unique set of applications, on top of the base Layered Image used across sessions (in the case of session hosts), and across floating pools/shared groups (in the case of desktops). This can drastically reduce the number of base Layered Images that administrators need to maintain.
  • User Layer - This layer contains a user's personalized data: applications, configuration settings, and data. When you create a desktop, the software creates this layer. As users modify their desktop, the desktop stores all of their changes in the User Layer associated with their desktop.
Additional Resources:
• Citrix App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html
Corporate IT infrastructures can benefit from Application Layering technology in a variety of ways.
• Simplifies application and image management.
• Faster application packaging.
• High Availability.
• Real-time application delivery.
• Deploy the app package on any infrastructure, Hypervisor, or cloud.
• Eliminate managing multiple golden images.
• Reduce overall app and desktop management cost up to 80%.
33 © 2020 Citrix | Confidential
Key Notes:
• Application Layering:
• Offers an application packaging, application lifecycle management, and image management solution designed for modern
mobile workspaces, including VDI and traditional server-based computing (terminal server) - both on-premises and in the
cloud. For customers looking to the cloud, App layering simplifies the move, because images have the agility to be switched
between Hypervisors, on-premises/cloud without having to repackage or reimage.
• High Availability – App Layering uses the same Hypervisor APIs as the brokering management tools, and adds the ability to
experience without having to allocate a full virtual desktop for every user since each user's application layers and personal user layer can be attached at login to non-persistent desktops.
• Elastic Layering also works with Citrix Virtual Apps, enabling users logging onto the same Citrix workload server to have different apps delivered to their sessions. This unique innovation gives customers more options when choosing between traditionally published desktops (Server OS) or VDI desktops (Desktop OS).
• Provides simplified image management for Citrix Virtual Apps and Desktops.
• Packages every component of a Windows workspace - even the OS itself - as a virtual disk 'layer'. This unique capability can be used to completely eliminate image management in Citrix Virtual Apps and Desktops environments where silos or server configurations are needed.
• IT administrators can combine the same Windows OS layer with any combination of app layers to create standard Windows images. Irrespective of the number of images, the OS layer and all app layers only have to be managed, patched, and updated once.
• It will automatically recompose the images with any new layer versions and update the Citrix Virtual Apps and Desktops environment through integration with Citrix Provisioning (PVS) and Machine Creation Services (MCS).
• Application installs are easier with App Layering, because the install is very straightforward, like a standard install, eliminating the need to rely on agent-based software distribution tools, which also increases the stability of the applications running in the environment and speeds up installation times.
• Through layering, applications can be packaged separately from the OS, which results in eliminating the golden image sprawl and eliminating the re-packaging or repetitive installation of the same apps on different hypervisors or clouds.
• Application packaging is more than just installs; it’s also maintenance. With App Layering keeping the OS and the Apps in separate layers for installs, this also means that the OS can be patched independently of the app
computing experience.
• IT will benefit from reduced operational and capital costs:
  • Faster application packaging.
  • The elimination of golden image sprawl and related patching inefficiencies.
  • The elimination of service tickets caused by a failed application or OS patches.
  • Faster service call remediation by being able to instantly "undo" problematic patches and updates.
  • Reduced server and storage costs by offering a persistent desktop experience with Citrix Virtual Desktop non-persistent VDI or Citrix Virtual Apps shared hosted desktops.
  • The agility to switch hypervisors without repackaging or reimaging.
  • Easy on-ramp to the cloud.
  • Reduction in unnecessary application licenses.
• End users will benefit from productivity gains and greater application availability:
  • Real-time delivery of new applications and app updates.
  • Instant remediation of problematic software updates.
  • More personal, customizable workspaces.
  • Faster provisioning and on-boarding of new employees.
• Citrix App Layering user layers provide a better experience for administrators and users in a virtual app and desktop environment.
  • Simplifies image management by allowing user-based customization to non-persistent virtual environments.
  • Solves the most difficult usability concerns in a virtual app and desktop environment: Outlook cache, OneDrive, Windows search, user-installed apps, and so on.
[Slide terms: OS Machine; Packaging Disk; Packaging Machine; Layer; OS Layer; App Layer; User Layer; Connector; Connector Configuration; Directory Junction; Directory Service; Enterprise Layer Manager; Management Console; Compositing Engine]
Key Notes:
• Layered Image - A bootable image composited from an OS Layer, a Platform Layer, and any number of App Layers. Layered Image(s)
are published using Image Templates where you save your layer selections for a particular use, usually provisioning servers in a
specific silo.
• Image Template - An Image Template saves the OS Layer, App Layer, and Platform Layer assignments you have chosen for a Layered
Image, allowing you to use any combination of layers to provision any number of servers.
• OS Disk - The virtual disk containing the Operating System that is imported to create an OS layer. To prepare the OS disk you will
and OS Layer Versions. The Packaging Machine is booted from a Packaging Disk using the credentials and location specified in the selected Connector Configuration.
• Layer - A layer captures a Windows Operating System, a Windows Application, or the configuration settings and tools required for Images to run on a particular platform in a virtual disk that can be combined with other layers to create a Layered Image. Layers are created from a simple install of the application or operating system. You can select any combination of Layers for each Layered Image. You can reuse the same layers in any combination to provision a variety of servers.
• OS Layer - A virtual disk containing the operating system. You can use an OS Layer with any compatible App Layers in any number of Layered Images. You can create a new version of the OS Layer for every patch you need to roll out and continue deploying any and all versions of the layer as you add patches.
• App Layer - A virtual disk containing one or more applications that you can use in any number of Layered Images. When publishing a Layered Image, you can combine an App Layer with the OS Layer used to create it, other App Layers, and a Platform Layer.
• Platform Layer - A layer that includes configuration settings, tools, and other software required for Images to run on a particular platform. For example, a platform layer for vSphere would include VMTools. Platform Layers also remove leftover software from other platforms from your image.
• Elastic Layer – An elastic layer can be delivered based on user entitlements when users log onto sessions or standalone desktops. Elastic Layers allow administrators to give each user his/her own unique set of applications, on top of the base Layered Image used across sessions. This can drastically reduce the number of base Layered Images that administrators need to maintain.
• User layer - Enabling user layers on a layered image allows you to persist a user’s data and settings, and any applications that they install themselves. When enabled, a user layer is created for each user the first time they log on to an image.
• Connector - Connectors are the interfaces to environments where layers are created and images are published. The type of platform connector determines the information required to create a specific Connector Configuration.
• Connector Configuration - A stored set of values for connecting to a specific environment. A configuration typically includes credentials for authentication, a storage location, and any other information required to interface with the environment where you will be creating layers or publishing images.
• Directory Junction - A connection to a base Distinguished Name in a directory service (such as Microsoft Active Directory). Adding a Directory Junction to the local tree allows you to assign Administrator privileges to users that are defined in the directory service instead of in the Management Console.
• Directory Service - A hierarchical repository of information about users, devices, and services on a network server. Microsoft Active Directory and LDAP are examples of directory services.
• Enterprise Layer Manager - A virtual appliance that coordinates communication in the Unidesk environment, and hosts the Unidesk Management Console (UMC), the administrator interface for the Unidesk environment. The ELM also manages copies of all Layers.
• Management Console - The Web-based management console that runs on the Unidesk Enterprise Layer Manager (ELM). The UMC allows you to manage all of the components in the Unidesk environment. You can use it to create Layers, publish Layered Images, and manage system settings.
Additional Resources:
• Citrix App Layering: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/app-layering.html
• A Technical Overview of Citrix Application Layering: https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/citrix-application-layering-technical-overview.pdf
• Configuration settings, printer settings, etc.
• Hypervisor tools (sole or primary hypervisor platform)
• Applications such as antivirus agents.
• The OS Layer is a Read-Only image and can only be updated/patched by an Administrator.
[Diagram labels: Windows Server 2008 R2, 2012 R2, 2016, and 2019; Windows 7]
Key Notes:
• Typically there is one OS layer for all desktops making patches and updates easy to manage. However, you can have OS layers for
Desktop OS variants such as Windows 7, Windows 10 and Server OS variants such as Windows Server 2008 R2, 2012 R2, 2016, and
2019.
• Citrix App Layering only supports Windows virtual machines; there is no current support for other operating systems, such as Linux.
• The OS Layer is a Read-Only image and can only be patched or updated by IT.
• Applications such as anti-virus should be installed on the OS layer.
this point that even applications with drivers, services, kernel devices, etc., are all supported as Application Layers and (with very few exceptions) should not need to be put in the golden image.
Additional Resources:
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html
The Platform Layer contains
• Configuration settings.
• System tools.
• Other software required for images to run on a particular platform.
The Platform Layer can integrate with many hypervisors and environments.
[Diagram labels: Platform Layer; Citrix Hypervisor; Hyper-V]
Key Notes:
• Layering technology can be run on many Hypervisors and deploy images built with the OS and Application Layers in any environment.
Platform Layers are designed to support this.
• A Platform Layer containing your Hypervisor, Provisioning Service and connection broker software, isolates App and OS layers from
the infrastructure where they will be published.
• For example, if OS and Application Layers were originally built on a VMware vSphere hypervisor, but the organization wants to re-use
those layers with Citrix Hypervisor, a Platform Layer with Citrix VM Tools installed can be created to accomplish that.
• Common examples of Platform Layer installs include:
  • Hypervisor Tools.
  • Citrix VDA.
  • Citrix PVS Target Device Software.
  • Domain join
  • NVIDIA Drivers, if applicable
  • Workspace App, for the Single Sign-on component
  • Citrix Workspace Environment Management (WEM) agent
  • Any software that impacts the logon stack, for example, Imprivata
  • Citrix Provisioning on Hyper-V: Requires a Legacy Network Adapter to PXE boot.
  • Microsoft System Center Configuration Manager (SCCM) software, if you are using it
Additional Resources:
• Create Platform layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html
• Software programs, which can be deployed to any machine using a compatible OS Layer.
• Patches or plugins for programs.
Are read-only and can only be updated by administrators by adding an application layer version.
A single application layer can contain multiple applications.
[Diagram labels: Personal Apps; Corporate Apps]
Key Notes:
• Application Layers can also include patches or plugins for programs.
• App Layer doesn’t have to be just single applications. A single application layer can contain multiple applications.
• Citrix App Layering has five types of layers; the story is told in the configuration order.
• The App Layer is a unique virtual disk for the applications that were installed.
• Application dependency software can also be layered, such as Flash or Java.
• Any application can be packaged as a layer, even those which require device drivers and boot-time services.
layer versions of the same application can be deployed to desktops.
• The benefit of App Layering is that if a user uninstalls an application or needs an application fixed, it can be repaired for an assigned application.
Additional Resources:
• Create or clone an app layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html
An App Layer that an administrator can deliver dynamically based on user entitlements when
• Allow administrators to give each user his/her own unique set of applications at logon.
• Can drastically reduce the number of base Layered Images that administrators need to maintain.
• The User Layer provides persistence for user profile settings, and other data, even when connected to non-persistent VDI machines.
[Diagram labels: SMB Share; Secondary Share; Elastic App Layers; User Layer Profile Settings and Data; Session Host; User 1; User 2]
Key Notes:
• The Elastic layer is an App Layer.
• A copy of the Layer is stored in the appliance's Network File Share, and delivered to individual AD users and groups on-demand, in
addition to the Layers that they receive via the base image.
• To use this feature, you'll add Elastic Assignments specifying which users and groups should receive each of the App Layers
• Elastic layers do not become a part of the image like App Layers do, but are rather applied based on user entitlements.
• Elastic Layers can significantly reduce the number of “golden” images needed.
Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
What are the six types of Layers that can be configured using App Layering?
• Operating System Layer
• Platform Layers
• Application Layer
• Elastic Layer
• User Layer
• Prerequisite Layer
[Diagram labels: Enterprise Layer Manager; Repository; Layers; Layered Images; Delivery Controller; Domain Controller; Databases; License Server; Persistent; Non-Persistent; Session Host; Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor]
Key Notes:
• The Enterprise Layer Manager (ELM) creates and manages layers which can be assigned to users or machines.
• Using ELM, administrators can create different layers like application layers, OS layers, and platform layers which will be kept in a
repository managed by ELM.
• Administrators can create a layered image with a combination of a specific OS layer and a few application layers as per the
requirement of the users. During the layered image creation process, these different layers are merged to form a single image.
• This process will create a virtual machine on the underlying Hypervisor and the same can be used as a master image for Citrix
Additional References:
• Citrix App Layering: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/app-layering.html
resources available to end-users.
• Enterprise Layer Manager creates and manages the layers which can be saved as VMs or vDisks to be integrated as Master Machines for MCS and vDisks for PVS.
• Delivery Controllers broker connections to resources.
[Diagram labels: Internal Users; External Users; Firewall; StoreFront; Citrix ADC Gateway; Enterprise Layer Manager; Layers; Repository; Domain Controller; Delivery Controller; Databases; License Server; Persistent; Non-Persistent; Session Host; Hardware Layer: Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor]
Key Notes:
• Where does Layering fit in with Citrix Virtual Apps and Desktops?
• Enterprise Layer Manager creates and manages the layers which can be published to users through Delivery Groups.
• Resources include the layers which have the OS and app layers made available through the layering concept with the help of Enterprise Layer Manager:
  • Session host – Server OS
  • Desktop OS – Hosted VDI (persistent and non-persistent)
• Coordinates communication in the App Layering environment.
• Hosts the Management Console.
• Manages copies of all Layers.
Key Notes:
• Enterprise Layer Manager is a Linux CentOS system. Initially, it contains a 30GB boot disk and a 300GB Layer Repository disk. Both are
XFS file systems.
• The Enterprise Layer Manager is also known as the App Layering appliance.
• The following Hypervisors are supported for App Layering ELM Server:
• Citrix Hypervisor
• The ELM Server manages copies of all layers, providing the ability to:
  • Install and manage a single copy of your Windows operating system and a single copy of each of your apps in layers.
  • Select any combination of layers to create layered Images that are deployable as session hosts.
  • Deploy those layered images to virtual machine session hosts, making the applications available to users.
Additional Resources:
• System requirements: https://docs.citrix.com/en-us/citrix-app-layering/4/system-requirements.html
• Citrix Hypervisor: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/citrix-hypervisor.html
• MS Azure or Azure Government: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/ms-azure.html
• MS Hyper-V: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/ms-hyper-v.html
• Nutanix AHV: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/nutanix-ahv.html
• VMware vSphere: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/vmware-vsphere.html
• VMware Horizon View in vSphere: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/vmware-horizon-view.html
1. An administrator downloads the ELM virtual appliance from Citrix.com.
2. The appliance is imported to the customer’s environment, and basic configurations are performed in the VM console.
3. Additional system configurations are performed using the web-based admin console.
[Diagram labels: Administrator; Citrix.com; (2) CLI adjustments made to ELM password and Network Settings, etc.; (3) App Layer System Configurations made for SMB location, Base DN, etc.]
Key Notes:
• To install and configure/use the ELM Server:
1. Install the Enterprise Layer Manager VPX on a dedicated virtual machine (i.e. Citrix Hypervisor_4.5.0.1.2.ova file), downloaded from the Citrix website.
2. Start the ELM Linux-based appliance from within the Hypervisor.
3. Log in to the console with the default Localhost login: administrator/Password: “Unidesk1”.
appliance.
• The following options are then required for completing the network configuration:
• (S)tatic or (D)ynamic networking
• IP Address: 192.168.x.x
• Netmask: 255.x.x.x
• Gateway IP address [optional]: 192.168.x.x
• DNS 1 [optional]: 192.168.x.x
• DNS 2 [optional]:
• Then you have the available options to save or quit: (S)ave settings, (R)edo, or (Q)uit: type S
• The network services will restart upon saving the configurations.
Note: The following are all of the available CLI commands:
• S is used to show the current configuration of the appliance.
• C is used to configure the network settings of the appliance.
• P is used to change the appliance password.
• T is used to change the time zone.
• N is used to define the NTP servers.
• Q is used to quit and log off the administrator account.
5. Then, access the App Layering management console via web browser using the ELM Server IP address you configured, i.e. http://192.XXX.XX.XX.
6. Log in to the App Layering management console with the default login: administrator/Password: “Unidesk1”.
7. Accept the Citrix License Agreement.
8. Change the App Layering web console password.
The following information is needed:
• Directory Junction Name: <Domain>
• Server Address: <AD Domain Server FQDN>
• Port: <i.e. 389>
Then “Test Connection” to validate.
13. On the Authentication Details page, enter the following information:
• Bind Distinguished Name: <Domain\administrator>
• Bind Password: <Password>
Then “Test Authentication” to validate.
14. On the Distinguished Name (DN) Details page, enter the following details:
• Base Distinguished Name: (i.e.) DC=workspacelab,DC=com
15. Then Confirm and Create the Directory Junction.
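The connection, authentication and Base DN values entered above can be rehearsed from a Windows management workstation before they are typed into the wizard. The following is an added example, not Citrix code and not part of the course material; the function name, the `-UseSsl` switch and the availability of LDAPS on the domain controller are assumptions.

```powershell
# Added example (not Citrix code): pre-check Directory Junction values, mirroring the
# wizard's Test Connection and Test Authentication steps and confirming the Base DN.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-DirectoryJunctionValues {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,                # AD domain server FQDN
        [Parameter(Mandatory)] [string] $BaseDN,                # e.g. DC=workspacelab,DC=com
        [Parameter(Mandatory)] [pscredential] $BindCredential,  # the junction's bind account
        [int] $Port = 389,
        [switch] $UseSsl                                        # assumption: the DC offers LDAPS
    )

    $result = [ordered]@{
        Server = $Server; Port = $Port; Ssl = [bool]$UseSsl
        Connected = $false; Authenticated = $false; BaseDnFound = $false; Error = $null
    }

    # Test Connection: plain TCP reachability of the LDAP port.
    $result.Connected = [bool](Test-NetConnection -ComputerName $Server -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue)
    if (-not $result.Connected) {
        $result.Error = "TCP port $Port on $Server is not reachable."
        return [pscustomobject]$result
    }

    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $ldap = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    try {
        $ldap.SessionOptions.ProtocolVersion   = 3
        $ldap.SessionOptions.SecureSocketLayer = [bool]$UseSsl
        # Negotiate keeps this test from sending the bind password in clear text on port 389.
        $ldap.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $ldap.Credential = $BindCredential.GetNetworkCredential()
        $ldap.Timeout    = [TimeSpan]::FromSeconds(10)

        # Test Authentication: bind with the bind account.
        $ldap.Bind()
        $result.Authenticated = $true

        # Base DN: a base-scope search succeeds only if the DN exists and is readable.
        $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDN, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('distinguishedName'))
        $response = [System.DirectoryServices.Protocols.SearchResponse]$ldap.SendRequest($request)
        $result.BaseDnFound = ($response.Entries.Count -eq 1)
    }
    catch {
        # Covers failed binds (LdapException) and a missing Base DN (DirectoryOperationException).
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $ldap.Dispose()
    }

    [pscustomobject]$result
}

# Constructed values: replace the placeholder FQDN; the Base DN is the course's own example.
$check = Test-DirectoryJunctionValues -Server '<AD Domain Server FQDN>' `
    -BaseDN 'DC=workspacelab,DC=com' -BindCredential (Get-Credential)
$check | Format-List
```

Running it a second time with `-Port 636 -UseSsl` shows whether an encrypted LDAP endpoint is reachable with the same account.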
• The ELM Server (App Layering appliance) utilizes local storage on the Hypervisor, as well as network file storage locations.
• Storage Requirements:
• 350–500 GB local storage space.
• The App Layering appliance uses local storage for temporary files and finalized layers. The more layers you create, the more space you need.
• When additional local storage space is needed, the current disk size can be expanded, or additional disks can be added to the appliance.
• 40–100 GB network file share (SMB).
• The file share connected to the appliance is used for upgrades, Elastic Layers, and cross-platform publishing. You can
• Uses SMB/CIFS (only) file shares to store Elastic Layers.
• Network Configuration:
• A 10 GB connection is recommended between the Layering service and the file share.
• Directory Service:
• It requires an authentication service, such as Microsoft Active Directory.
• Storage:
• The ELM server starts with an expandable 300 GB local storage repository. This storage is used to store all OS, Platform and App layers and versions.
• OS for Layered Images:
• To create layers, you first need a VM configured with the OS setup, drivers and KMS licensing, and not joined to the domain.
• This VM becomes the golden image that is imported into the ELM server and saved as the OS Layer.
• All Platform, App and Elastic layers are then created from temporary packaging machines, built from the golden image import.
Additional References:
• Citrix App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html
• Configure: https://docs.citrix.com/en-us/citrix-app-layering/4/configure.html
• Appliance settings: https://docs.citrix.com/en-us/citrix-app-layering/4/manage/appliance-settings.html
[Figure: how the ELM server creates a layer, showing Citrix Layering Management, the Enterprise Layer Manager (ELM) with its ELM Repository, the Packaging Machine (temporary VM) on the targeted hypervisor, and the saved OS, Platform and App layers.]
Key Notes:
• The ELM server creates layers by using the connector for the targeted Hypervisor to build a temporary virtual machine. This virtual machine is then used to package the layer that you want to create.
• This temporary VM is called the Packaging Machine. The Packaging Machine is where you install whatever the layer is meant to contain.
• For example, if you want to create a new Application layer for MS Office, you install the MS Office application on the temporary VM to create the layer.
• How the ELM Server creates layers (high-level steps):
Additional References:
• Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html
For Module 1
Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision; just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.
[Figure: the Enterprise Layer Manager and ELM Repository beside the targeted hypervisor, with four stages: clean OS install; drivers, hypervisor tools, etc. installed on a Packaging Machine; app or apps installed on a Packaging Machine; final VM with merged layers.]
© 2020 Citrix | Confidential
Key Notes:
• Layering enables any app to be captured as a virtual disk container called a “Layer”.
• Layers are attached to virtual machines and combined with other layers using file system and registry virtualization so that they appear locally installed.
• With Layering, you can create an OS Layer, Platform Layer, and App Layer once, and use it to create any number of images.
• Each App Layer can include one or more applications.
• For example, you can create different OS layers if you need both Windows Server 2012 R2 and Windows Server 2016.
• It is important to know that each App layer is only compatible with the OS layer used to create it. So if you are using multiple OS layers, and users require access to the same application, you need to create a compatible App layer for each OS layer with which it will be used.
• A Platform Layer containing your hypervisor, provisioning service, and connection broker software isolates App and OS Layers from the infrastructure where they will be published.
• The Process Overview:
1. The OS of a VM is captured as a virtual disk and saved as an OS Layer.
2. The drivers, hypervisor tools, and other environmental parameters are captured as a virtual disk and saved as a Platform Layer.
3. The apps, either individually or as groups, are captured as a virtual disk and saved as App Layers.
4. Each virtual disk is created separately and stored in the ELM server repository as individual layers.
5. Using a template in the ELM Management Console, the administrator can choose to enable Elastic layering and then selects at least one of each of the above layers to publish.
6. Publishing merges these chosen layers and outputs to a VM for MCS or a vDisk for PVS.
7. The resultant VM merges the registry and file system from each layer so the Windows OS sees all captured apps and utilities as locally installed.
8. The VM is called the Layered Image and it runs the Layering Service when Elastic layering is enabled.
Additional References:
• Citrix App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html
powers on.
2. The user starts to log in.
3. The Elastic App Layer disks are mounted to the Layered Image.
4. The user completes the login process and accesses one complete VM with the merged registry and file system.
[Figure: the Layered Image, made up of the OS Layer, Platform Layer, App Layers and Elastic App Layers.]
Key Notes:
• The process flow of App Layering when a Layered Image boots is described below:
1. The Layered Image VM powers on.
2. The user starts to log in.
3. The Layering Service on the Layered Image reads the JSON files in the SMB share to locate the Elastic App layers that are published to the user and mounts the virtual disks to the Layered Image. The resultant extra registry and file systems are merged with the Layered Image.
The boot process does not use the ELM server.
Layering Management Console, running on the Enterprise Layer Manager (ELM), can be used to:
• Create Layers.
• Publish Layered Images.
• Manage system settings.
Key Notes:
Connect to the Management Console by browsing to the IP address of the ELM.
• The Management console supports the following browsers with Microsoft Silverlight 4.0 support:
• Internet Explorer v11.
• Firefox v45 and later versions that support Microsoft Silverlight 4.0.
There are two methods of management for the ELM console:
• On-Premises - The Citrix Layering Management console can be launched by browsing to the IP address of the ELM Server.
• One type of connector is used when the ELM server creates layers. This type of connector creates the VM that is used to package the layers.
• One type of connector is used when the ELM server publishes images that are ready for production. This type of connector is aware of the target virtual environment and provisioning engine.
[Figure: the Enterprise Layer Manager (ELM) and its connectors to Citrix Hypervisor, Microsoft Azure, Microsoft Hyper-V, Nutanix Acropolis and VMware vSphere.]
Key Notes:
There are two types of connectors:
1. One is used during the layer packaging process.
2. One is used during the image publishing process, after the layers are already built.
In order for the ELM server to build layers or provision an image to a targeted Hypervisor, a connector for the hypervisor has to be configured.
• Connectors allow the ELM server to communicate with the target Hypervisor.
What Hypervisors are supported by App Layering?
• Citrix Hypervisor
• Microsoft Azure
• Microsoft Hyper-V
• Nutanix AHV
• VMware vSphere
• 1-2: Start the Citrix Layering Management Console
simpler, and more cost-efficient delivery for real-time application and image management.
• The ELM Server is the primary component of the App Layer architecture, coordinating all communications, hosting the administrative portal, and managing all created layers.
• The Citrix Layering Management Console can be used to create layers, publish layered images and configure various system settings.
Module 2 - Create an OS Layer
creation.
• Identify the software and components that should be part of the OS layer.
• Describe the considerations and benefits of the OS Layer.
1. Create the gold image.
2. Run the create OS layer wizard.
3. The OS layer gets created.
Key Notes:
• Create the gold image.
• The gold image is a VM.
• Configure the OS and the configuration settings for virtual hardware such as disks, CPUs, network cards, the virtualization tools, the layering tools and optionally a set of applications.
• Run the create OS layer wizard.
• During the OS layer wizard, the details for the OS layer are gathered and the gold image or VM is imported into the ELM server.
Additional Resources:
• Citrix App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html
[Figure: The Process of Preparing the Operating System. The admin works through the Windows ISO, Tools and Updates, Gold Image Tools Optimization and Licensing, and the Image Preparation Utility.]
Key Notes:
Steps to create an OS layer:
• Step 1
• Install the Windows operating system from an ISO file.
• Step 2
• Verify Citrix VM Tools (or related hypervisor tools) are installed.
• Run the Citrix App Layering Image Preparation Utility.
• While creating the OS layer, the machine should not be domain joined (verify within the system properties of the OS).
• The Citrix App Layering Gold Image Tools contain optimization scripts and an App Layering Image Preparation Utility for the operating system of the machine used to create the OS layer.
Steps to create an OS layer: (DETAILED)
1. First prep the machine.
• Verify any system-level operating system requirements, such as the machine name and that it is in a workgroup.
• Then verify that the Citrix VM Tools are installed (if using XenServer).
• Remember: Before creating an OS layer:
• Install Windows from ISO
• Install hypervisor tools
• Fully update Windows
• Run the citrix_app_layering_os_machine_tools_4.5.0.exe file.
• Then run the SetKMSVersion.hta file and confirm that the OS version is found, and then Save Script.
• From the command prompt window, run the following commands.
1. cd..
2. cd Microsoft.Net\Framework\v4.0.30319
3. ngen update
4. cd..\..
2. Next, run the Citrix App Layering Image Preparation Utility. It is a file with a name like setup_x64.exe. The brief install can usually be completed with default settings (unless you wish to add a custom answer file).
3. Then, shut down the machine.
4. Launch Internet Explorer and connect to the App Layering management console.
5. Select the Layers menu on the top left, and then select the OS Layers tab.
6. From the Actions menu on the right pane, select Create OS Layer.
7. On the Layer Details page in the Create OS Layer Wizard, type the following information:
• Layer Name: <Windows version>
• Layer Description: <OS Layer>
• Version: # (i.e. 1)
• Version Description: i.e. “Windows 10 with Citrix VM Tools”
• Max Layer Size (GB): # (i.e. 30)
8. On the Connector page, click New and select the appropriate Hypervisor; i.e. Citrix Hypervisor, from the drop-down
9. Click New; you are redirected to a new tab to enter the hypervisor details. Add the appropriate hypervisor information, such as the Hypervisor IP address, username and password. You can then select CHECK CREDENTIALS to validate the username and password.
10. On the Virtual Machine Clone Settings, select the appropriate information from the drop-down:
• Example:
• Virtual Machine Template: NYC-DTP-TMP
• Storage Repository: Local Storage
• Layer Disk Cache Size in GB: <Leave Blank>
• Use HTTPS for File Transfers: Clear the check box
11. Click TEST to check that all is accurate.
12. Click SAVE, and then click CLOSE.
13. On the Connector page in Create OS Layer Wizard, select the appropriate Hypervisor, for example: “NYC-Citrix Hypervisor”.
14. On the OS Disk Details page, click Select Virtual Machine. This redirects to a new tab to select the virtual machine to use for importing the OS. At the prompt “Specify the virtual machine to use for OS import by typing in the name or selecting it from the list of suggested matches”, click the space below Virtual Machine to open a drop-down menu.
Select the appropriate virtual machine
17. On the Icon Assignment page, select the appropriate icon (i.e. Windows 10) and click the Down Arrow to continue.
19. You can then monitor the event progress in the task section at the bottom of the window; click the Up Arrow to pull up the event viewer.
20. Click the information icon next to the running task, or double-click anywhere in the task line for more details. Monitor the task progress and wait for it to complete. The process can take 10 to 20 minutes.
21. Validate that the status changes to Done after the OS disk is imported.
22. Verify the new OS layer (i.e. Windows 10) icon is now labeled as Deployable.
Additional Resources:
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html
For Module 2
Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision; just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.
[Figure: the admin's steps to create the OS layer, moving from the ELM Console to the hypervisor, then the virtual machine (3: Select Machine to Use) and the layer (4: Create Layer).]
Key Notes:
• Step 1:
• Log into the App Layering console.
• From the Layers menu, select the OS Layers tab.
• Select Create OS Layer from the Actions menu.
• Step 2:
• Choose a Connector Type, and enter the Hypervisor configuration and authentication information.
• Select the required information from the Virtual Machine Clone Settings.
• Example:
• Virtual Machine Template: NYC-DTP-TMP
• Storage Repository: Local Storage
• Layer Disk Cache Size in GB: <Leave Blank>
• Step 3:
• Select the machine you want to use on the OS Disk Details page.
• Step 4:
• From the Icon Assignment page, go to the Confirm and Complete page, and select Create Layer.
• The OS Layer is then captured as a .VHD file “Layer” and saved to the ELM Repository by the ELM server.
Additional Resources:
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html
[Figure: the Enterprise Layer Manager and ELM Repository holding OS layers for Windows 10, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019, with Citrix Layering Management and the targeted hypervisor.]
Key Notes:
• Ideally, you can create one, generic OS layer and reuse it in all of the layered images you publish. This keeps layer maintenance to a minimum, because App and Platform layers only work with the OS layer used to create them.
• This means if you want to have two published images, one for Windows Server 2016 and another for Windows 10, then you will need two OS layers, one for each.
• You have no limit as to how many OS layers you CAN build, except for the ELM Repository storage limits.
• How many OS layers SHOULD you build? Typically, there is one OS layer per OS needed in the target environment.
• Update the OS by adding a version to the layer, not by creating a separate layer.
• Ensure a minimum of 2GB of RAM in the packaging machine, 4GB is better.
• Ensure Windows update is already done.
• Disable Windows update again when patching is complete.
• If you use any Microsoft products that are updated by Windows Update, but don’t have a separate section like Office does, include those in the OS layer as well.
• For example, Windows Defender.
• It is recommended to reboot one or more times more than the software installer asks for.
Key Notes:
• Updating the OS should be done by adding a version to the layer, not by creating a separate layer. If you don’t version update, but instead create a new layer, all Platform and App layers created on top of the original OS layer have to be recreated.
• Packaging machines are used to build the Platform and App layers. Ensure there is at least 2GB of RAM in the packaging machine, 4GB is preferred.
• Remember to disable the Windows update again when patching is complete.
• If in the OS layer, the OS says it is not activated, then it must be reactivated. Activation scripts are in the
Additional Considerations:
• Fresh install of Windows Operating System only.
• The machine should not be joined to a domain.
• Use DHCP for IP configuration.
• Don’t use 3rd party Optimization scripts.
• Use MBR not GPT partition.
• Verify targeted Hypervisor console port
• Install ELM tools.
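Several of these considerations, together with the earlier notes on disabling Windows Update and rebooting, can be verified on the gold image itself before it is imported. The following is an added example, not Citrix code and not part of the course material; the function name and the choice of checks are assumptions, and the script only reads state.

```powershell
# Added example (not Citrix code): read-only readiness checks for a gold image VM.
# Run in an elevated PowerShell 5.1+ session on the VM before the Create OS Layer wizard.
function Test-GoldImageReadiness {
    [CmdletBinding()]
    param()

    $results = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Check, $Passed, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = $Detail })
    }

    # 1. The machine should be in a workgroup, not joined to a domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    & $add 'Not joined to a domain' (-not $cs.PartOfDomain) "Domain/Workgroup: $($cs.Domain)"

    # 2. DHCP on every connected IPv4 interface (loopback excluded).
    $nics = @(Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' })
    $static = @($nics | Where-Object { $_.Dhcp -ne 'Enabled' })
    $dhcpDetail = if ($nics.Count -eq 0) { 'No connected IPv4 interface found' }
                  elseif ($static.Count -gt 0) { 'Static: ' + ($static.InterfaceAlias -join ', ') }
                  else { 'All connected interfaces use DHCP' }
    & $add 'DHCP for IP configuration' ($nics.Count -gt 0 -and $static.Count -eq 0) $dhcpDetail

    # 3. The boot disk should use an MBR partition table, not GPT.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    & $add 'MBR partition style on boot disk' ($bootDisk.PartitionStyle -eq 'MBR') `
        "Disk $($bootDisk.Number): $($bootDisk.PartitionStyle)"

    # 4. Windows Update disabled again once patching is complete.
    $wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    & $add 'Windows Update service disabled' ($wu.StartMode -eq 'Disabled') `
        "StartMode: $($wu.StartMode), State: $($wu.State)"

    # 5. No reboot still pending from servicing or Windows Update.
    $pending = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    ) | Where-Object { Test-Path -Path $_ }
    $pending = @($pending)
    $rebootDetail = if ($pending.Count -gt 0) { 'Pending: ' + ($pending -join '; ') } else { 'None' }
    & $add 'No reboot pending' ($pending.Count -eq 0) $rebootDetail

    $results
}

$report = Test-GoldImageReadiness
$report | Format-Table -AutoSize -Wrap
if ($report.Passed -contains $false) {
    Write-Warning 'Resolve the failed checks before importing this VM as the OS layer.'
}
```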
Additional Resources:
• App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952
• Prepare the OS for layering: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/prepare-os-for-layering.html
session hosts and cloud platforms.
• Undo bad patches in minutes to minimize downtime.
• Images are slim “just Windows” with apps delivered separately as virtual disk layers.
• One Windows OS layer for all platforms, no matter how many user customizations or platform variations.
[Figure: OS Layer examples: Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019.]
Key Notes:
• The task of patching Windows needs to be performed only once.
• Maintain a single OS layer for each major OS version.
• For an OS update, you add a version to the layer. You can then select a specific version of the layer for each image template, as needed. The existing app and platform layers continue to run on each OS update.
What is the ELM Repository?
The ELM server repository is a 300GB expandable data disk used to store the VHD files of all layers, including OS layers, Platform layers, and App layers.
Image
• 2-2: Create an OS Layer
platforms when creating OS layers.
• The OS layer is used to create other layers.
• The App Layering Image Preparation Utility must be run as a final prep, before the Create OS Layer wizard.
• When updating an OS layer, add a version to the layer instead of creating a separate layer.
Module 3 - Create a Platform Layer
creation.
• Identify the software component categories that should be placed on the App Layering Platform layers.
• Identify the considerations when creating an App Layering Platform layer.
1. Run the Platform Layer Wizard.
2. Enter the details of the Platform types.
3. Confirm to create the Platform layer.
Key Notes:
• Platform Layers have a special sub-tab in the layering section.
• Here you will have a Platform layer for each Hypervisor/provisioning service/broker service combination you have in your environment.
• Citrix App Layering support is limited to virtual machines at this time; there is no current support for physical machines.
• The Platform layer is captured as a .VHD file and then saved to the ELM Repository by the ELM Server as an available layer to be used.
For Module 3
Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision; just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.
[Figure: the admin's steps to create the Platform layer, moving from the App Layer Console (Create Platform Layer Wizard, Layers Details) to the hypervisor, then the virtual machine (3: Install Virtual Delivery Agent) and the layer (4: Finalize Layer to make “Deployable”).]
Key Notes:
• Step 1:
• Log on to the App Layering Console from NYC-FSR-001. To access the ELM Console, open Internet Explorer and browse to: http://192.168.10.77
• From the Layers menu, select the Platform Layers tab. Select the Create Platform Layer option.
• Step 2:
• Validate the required Windows 10-1 version is selected.
• Select the required hypervisor on the Connector page (Microsoft Hyper-V – NYC-Hyper-V).
• Select the “This Platform Layer will be used for publishing Layered Images” option.
• Microsoft Hyper-V.
• Citrix MCS.
• Citrix Virtual Desktops.
• Enter the package Name (Default).
• On the Icon Assignment page, select Windows 10.
• Confirm the settings and Create Layer.
• Click the information icon next to the running task for more details. Monitor the task progress and wait for it to complete. This step may take approximately 10-20 minutes.
• Wait for the status to change to Action Required.
• Switch to the hypervisor, where you will see a new virtual machine created with a name that looks like, i.e., Citrix Virtual Desktops MCS-B-YYYY-MM-DD_Time. Select the new VM.
• Log on to the new virtual machine from the hypervisor and, once in Windows, check the System settings. Make sure the machine is not joined to a domain, but is instead part of a workgroup.
• Step 3:
• Install the Virtual Delivery Agent for Windows, so that it can communicate and register with the Delivery Controller, and reboot (Citrix recommends installing the VDA on the Platform layer).
• Join the machine to the Domain.
• Step 4:
• Log on again to the App Layering management console, and go to the Platform Layers tab.
• Validate that the status of the Platform Layer now shows as “Deployable”.
Additional Resources:
• Create Platform layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html
[Figure: the Enterprise Layer Manager and ELM Repository holding layers for Windows 10, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019, with Citrix Layering Management and the targeted hypervisor.]
Key Notes:
• Platform Layers are needed for two purposes.
• One is used when packaging App Layers on a new hypervisor.
• The other is used to publish a layered image because we have to ensure that the output from the ELM server can run on the targeted environment parameters for provisioning and hypervisor.
• You have no limit as to how many Platform Layers you can build, except for the ELM Repository storage limits.
• Company ABC has an on-premises deployment of Citrix Hypervisor and a new location in Microsoft Azure.
• In this scenario, the App Layering administrator has been instructed to deploy the same Windows 2016 image to both hypervisors.
• The App Layering administrator will create a single Windows Server 2016 OS Layer. The Citrix VM Tools were installed in the OS Layer, since that was the original hypervisor platform used.
• A Platform Layer can be created so that the existing OS and App Layers can be used with the new Microsoft Azure deployment.
• Any necessary Azure integration tools can be installed in this Platform Layer. The Platform Layer configuration will take precedence over the OS Layer, if there are any conflicts (this will be covered more in depth later in the course).
Additional Resources:
• Citrix App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952
Considerations
• Platform Layers are created for a particular provisioning system and Hypervisor pair.
• Create separate Platform Layers for heterogeneous environments.
• No cross-platform pollution.
Key Notes:
• App Layering is familiar with a wide variety of drivers and services associated with some of the most popular hypervisors, provisioning services, and connection brokers.
• When an image is deployed with a Platform Layer, it will search for and disable drivers and services that have not been specified in the create wizard.
• This ensures that no cross-platform pollution occurs.
• Common examples of software installed in a Platform layer include:
• Any software that impacts the logon stack, for example, Imprivata
• Citrix Provisioning on Hyper-V: Requires a Legacy Network Adapter to PXE boot.
• Microsoft System Center Configuration Manager (SCCM) software, if you are using it
Additional References:
• Create Platform Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html
• The Packaging Platform Layer is used only to create an App Layer.
• Only required if the OS image originated in a different hypervisor.
• It has a very limited use case.
• Need to install Hypervisor tools, when the OS originated on a different hypervisor.
• The Publishing Platform Layer is used in an image template, which in turn publishes the layered image.
• Required when publishing to a Provisioning Service and using a connection broker.
• Need to install Provisioning Service and connection broker software and settings. If publishing to a different hypervisor than the one where the OS originated, include the hypervisor tools.
Key Notes:
• A Platform Layer includes the platform software and settings required for your layers and layered images to run flawlessly in your environment.
• You can create Platform Layers for two purposes:
• For creating and packaging layers: When you’ve imported the OS from a different hypervisor than the one where you create your layers, use this type of platform layer to create app layers.
• For publishing layered images: Use this type of Platform layer in your image template so that the published layered images run
• You don’t have to use a Packaging Platform Layer; instead, you can change the properties of a Publishing one to Packaging to make your updates, and then change the properties back to a Publishing one.
Additional Resources:
• Create Platform Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-platform-layer.html
existing Windows Server 2016 OS Layer.
Which two factors would require the creation of a Platform layer, if the administrator wants to continue using the existing OS Layer?
A new provisioning system or a new hypervisor platform is introduced to the environment.
Server 2019
• 3-2: Join the Domain and Install the Virtual Delivery Agent
• 3-3: Finalize the Platform Layer Creation
provisioning systems and Hypervisor combinations.
• When creating platform layers, create separate ones for each heterogeneous environment.
Module 4 - Create an App Layer
creation.
• Identify the software component categories that should be placed on the App layers.
• Identify the considerations when creating App layers.
• Describe the benefits of App layers.
Wizard.
2. Install the application(s) on the Packaging Machine.
3. Finalize the App layer.
Key Notes:
1. Create an App layer with the Create Layer Wizard.
• Select the OS layer version that should be assigned to the installation machine and any Prerequisite Layers needed (such as for a Microsoft Office add-on), which are available when the install machine boots up; then assign an icon for the App layer and create it.
2. Install the application(s) on the Packaging Machine.
• The ELM server clones the OS layer to create a Packaging Machine.
• Once the packaging machine is powered on, log in and install the application(s).
Layer to be used.
Additional Resources:
• Create or clone an app layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html
[Figure: The Process. The admin's steps to create an App layer: 2: Create App Layer Wizard (Layers Details) on the hypervisor; 3: install software/application on the Packaging Virtual Machine; 4: Finalize Layer to make “Deployable”.]
Key Notes:
• Step 1:
• Log on to App Layering Console.
• From the Layers menu, select the App Layers tab. Select the Create App Layer option.
• Step 2:
• Max Layer Size (GB): 10
• Validate the required Windows version is selected.
• Verify if any Prerequisites are needed.
• Select the required hypervisor on the Connector page.
• Verify the Packaging Disk Filename is set and entered.
• Select the needed Icon Assignment.
• Confirm the settings and Create Layer.
• Step 3:
• Log on to the newly created Packaging Virtual Machine (VM) to install the software to be included in the Layer.
• The Packaging Machine is a temporary VM that will be deleted once the new Platform Layer has been finalized.
• Install the required software/application on the Packaging VM.
• If a system restart is required, restart it manually. The packaging machine does not restart automatically. If the application you install affects boot-level components, restart the packaging machine as part of finalizing the Layer.
• Step 4:
• Run the Shutdown for Finalize icon on the desktop.
• From the App Layering Console, go to the App Layers tab, right-click the new application Layer and select Finalize.
• Validate that the status of the App Layer now shows as “Deployable”.
• Once the Platform Layer is finalized, the Virtual Machine created on hypervisor is destroyed and the Layer is saved in
Additional Resources:
• Create or clone an App layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html
For Module 4
Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.
[Figure: App Layers in the ELM Repository (Enterprise Layer Manager). Office and Acrobat: MS Office and Adobe Acrobat. Browsers: Chrome and Firefox. Tools: Notepad++ and WireShark. Targeted Hypervisor; Citrix Layering Management.]
© 2020 Citrix | Confidential
Key Notes:
• An App Layer does not have to be a single application. A single App Layer can have multiple applications, just make sure you confirm
the multiple applications are compatible both with each other and the targeted Layer Image OS and Platform Layers.
• You have no limit as to how many App Layers you can build, or how many Apps you include in each Layer, provided the ELM Repository has enough storage. You could create a library of App Layers in the ELM Repository and then use this library to custom tune your Layered images when the time comes to publish.
• This raises the question of how large an App Layer should be. When creating a new Layer, the default size is 10GB.
Additional Resources:
• Citrix App Layering 4.x: Best Practices: https://support.citrix.com/article/CTX225952
required.
• Install application from a share or an ISO, instead of downloading to the packaging machine, to keep the layer size to a minimum.
• Turn off the automatic updates.
• Observe the Layer status in the Management Console.
Key Notes:
• Only use prerequisite application Layers when necessary. Be sure they are available to select in the new Layer. Ensure they have been
deployed to desktops before deploying the new Layer.
• Prerequisite Layers can be required for several reasons:
• When installing the application on the current Layer requires the presence of another application. For example, when you install
an application that requires Java, and Java is located in a separate Layer.
• If automatic updates are left on, the updates will be put into the Personalization Layer.
• You can also add a “run once script” to an app Layer, to support those applications that need extra parameters when running. For example, a Run Once Script can be run for apps that require license activation on first boot, such as Microsoft Office.
• There are three status types for a Layer:
• Not Deployable – The Layer is not ready for assignment.
• Editing – The Layer is being created or changed, typically seen when installing or updating on a packaging machine.
• Deployable – The Layer is ready for assignment.
• Citrix Leading Practices for App Layers:
• Install from an ISO or a share.
• Always install MS Office in an App Layer, and never in the OS Layer.
• Put your antivirus application in an App Layer using the instructions laid out by Citrix.
• Note: Antivirus can be delivered in an App layer or the OS layer; neither approach is wrong.
• Turn off automatic updates.
• Observe the Layer status before publishing.
• Remember apps can cross-talk between Layers after publishing.
• 99.5% of all apps are compatible.
Additional Resources:
• Create or clone an app layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html
• Layer antivirus apps: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html
• Works with 99.5% of applications.
• Apps can cross-communicate.
[Figure labels: Personal Apps, Corporate Apps, App Layers]
Key Notes:
• Layering can take less than 15 minutes in a production environment, which allows administrators to deploy any app quickly and
easily.
• Apps with system services and boot-time drivers (For example: antivirus, printers, scanners, etc.), homegrown apps and apps with
complex setup procedures can all be layered.
• Apps can cross-communicate
• Layered Apps are not isolated.
• Using the ELM server Management Console, wizards and the packaging machine to update or add new Layers.
• Finalize the Layers.
• Create a template to publish the Layers, which output into a VM or a vDisk.
• For MCS use this new VM as a Master to update the catalog.
• For PVS use this new vDisk to update the Device Collection.
Key Notes:
• To publish Layered Images to Machine Creation Services, a Machine Creation Services Connector is created for the hypervisor being published to. The Connector configuration includes the service account credentials used to access the hypervisor, in addition to hosts, storage locations, templates, and so forth.
• The connector is then used to publish a Layered image as a virtual machine “Master Image” to the hypervisor.
• The MCS connector starts the Master Image after it’s published and runs any Layer scripts that have been defined in any Layers. After all the scripts are run, the Master Image has to be shut down and the hypervisor will take a snapshot of the virtual machine.
Additional Resources:
• Citrix App Layering: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/app-layering.html
What are the three status types for a Layer?
• Not Deployable
• Editing
• Deployable
• 4-2: Create an App Layer with Adobe PDF Reader
process initiated by the Create App Layer Wizard.
• When installing an application on the packaging machine, it should be done from an ISO or a file share.
• App Layers can cross-communicate and appear to other apps as if they are natively installed.
• App Layering works with most applications.
Module 5 - Elastic App and User Layers
Cases
• Identify Elastic Layer Considerations
• Describe User Layers
• Identify types of User Layers
• Describe User Layer Requirements, Limitations, and Considerations
• Are a Hot-Add feature used to deliver apps based on user entitlements.
• Can be assigned to users and machines.
• Consist of an App Layering Service that runs on the Layered Image.
• Are assigned at the user logon by the App Layering Service.
• Are read from a .json file on the SMB share location.
Key Notes:
• Many organizations have learned to use Golden Images or standard templates to create multiple machines, but with user-specific
requirements oftentimes an organization may support dozens of these standard images, each one tuned to a specific set of users.
• Elastic Layering provides a resource-efficient approach to desktop deliveries, by sharing to many users, and providing the same look and feel as the more resource-intensive persistent desktops, but without requiring a dedicated machine for every user.
• Then the user’s needed application layers and a persistent layer containing user information are attached whenever users log on
to their sessions or desktops.
the requested layers are already present on the VM. If the layer is found, that user is simply “authorized” to see the registry and file system data.
• Once the user is logged in, they will see that application, just as other authorized users do. When a layer is not already available on a session host, it is added during the logon process the same way it would be during a desktop logon.
• When a user logs off from a session host, the applications associated with them are left on that host. The assumption is that there could be other logged on users who are accessing that data.
• If for some reason a layer must be removed from a VM, the administrator will have to wait until all users are logged off and the session host will have to be rebooted.
• Citrix App Layering Service:
• Once the OS, Platform, and App layers are built within the Enterprise Layer Manager (ELM), these layers can be merged and used to build a complete VM or vDisk.
• In this case, the complete VM or vDisk is called the Layered Image.
• When the Layered Image is published, you can choose to enable Elastic Layering; if enabled, the App Layering Service runs on the Layered Image.
• Common Misunderstandings:
• The ELM server is contacted during the Elastic layer assignment. This is not true; instead, the ELM server is used only to create the layers that make up the Layered Image.
• The App Layering Agent is needed for Layering. This is not true; the App Layering Agent is software that you load on a PVS server.
• When the Layered Image output is a vDisk, the vDisk is stored in the ELM server’s repository. The App Layering Agent on the PVS server is then used to connect to the ELM server and pull down the vDisk and save it to the vDisk store.
Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html
• Used when specific users need access to one or more applications that are not a part of the common application set for all users.
• For Example:
• Those applications not installed on the App Layers that are merged into the Layered Image.
Key Notes:
• How do users access Elastic layers assigned to them?
• When users log into their session or desktop, icons for their Elastic layers will appear as shortcuts on the desktop.
• A user receives an Elastic layer in the following cases:
• The user (an AD user in the management console) is assigned the layer
• An AD group that the user belongs to is assigned the layer.
• A machine that the user logs into is a member of an AD Group that receives the Elastic layer.
Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html
[Figure: ELM (Enterprise Layer Manager); SMB or CIFS Network Share; Select Apps for UserGroup1 only (Target: UserGroup1); Select Apps for UserGroup3 only (Target: UserGroup3); Targeted Hypervisor; Citrix Layering Management.]
Key Notes:
• Elastic Layers are typically chosen for applications that only a few users or groups require. This helps to reduce a large number of Golden images.
• For Example:
• If there was a standard set of applications that everyone needed, but a select few apps that only a specific user group needed; a
single Layered Image could be built with the standard set of apps deployed via regular app layers.
• The selected few apps would be packaged as an Elastic Layer and stored in the network share.
• An App Layer does not have to be a single application. A single App layer can have multiple applications, just make sure
you confirm the multiple applications are compatible both with each other and the targeted Layer Image OS and
Platform layers.
• You have no limit as to how many Elastic Layers you can build, or how many Apps you include in each, provided the SMB share has enough storage, and the network has enough bandwidth for throughput.
• Typically, elastic layers are only created for apps in specific use cases, relying instead on non-elastic app layers for the majority of the application workloads.
Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html
Elastic Layers
• Set up a SMB or CIFS network share
• Ensure you have a 10GB connection to the share
• Configure the user entitlements using groups in AD
• Elastic Layers require .NET
• Limit Elastic App Layering to select use cases only
• If the share moves, you have to re-publish
• Ensure network stability to the share prior to using Elastic Layers
Key Notes:
• In order to use Elastic Layering, there are extra steps to consider and set up outside of the standard ELM server setup:
• You need a Network File Share, which must use either SMB or CIFS only.
• You need a 10GB connection between the Layering Service and the file share. Remember the Layering service runs on all layered
images that were published with Elastic Layering enabled.
• You must have an authentication service, such as Active Directory, to store the user entitlement records.
• Elastic Layers require .NET.
Additional Resources:
• Deploy App layers as elastic layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html
• What two Elastic Layering files are located on the SMB or CIFS share?
• ElasticLayerAssignments.json and Layers.json
installed applications in a non-persistent VDI environment.
• Stores all desktop settings and user customizations in a writable virtual disk (attached to the virtual machine at end-user logon).
• Improve end-user login time performance up to 40%.
© 2020 Citrix Authorized Content
Key Notes:
• Substantially improves end-user login time performance.
• User Layers persist each user’s profile settings, user’s data and user-installed applications in a non-persistent VDI environment.
• All desktop settings, user customizations, and other changes are stored in a writable virtual disk that is attached to the virtual
machine when the end-user logs in.
• With User Layers, IT administrators can provide a fully persistent environment to end users while utilizing floating pools, providing cost savings.
Additional Resources:
• Create user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
• FULL: All user data, settings, and local installed applications are stored on their specific user layer.
• OFFICE 365: Only a user’s Outlook data and settings are stored on their user layer.
• SESSION OFFICE 365: Only a user’s Outlook data and settings are stored on their user layer.
Key Notes:
• When you enable user layers on an image template, systems provisioned using the resulting layered images provide every user with
a user layer.
• When a user logs on to a desktop that is user layer-enabled, a new Search index database is created. The index incorporates search
information from the user layer and any elastic layers.
• The Search feature is only available when the indexing is complete.
• You can enable the following types of user layers:
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
• Adequate Network Bandwidth
Key Notes:
• Before enabling any user layers, you need to be sure to meet the requirements for storage and network bandwidth.
• User layer requirements for all user layers:
• Need to have adequate network bandwidth as all writes go over the network (Bandwidth and latency have a significant effect on
the user layer).
• Need to have enough storage space allocated for users’ data, configuration settings, and their locally installed apps. (The
appliance uses the main storage location for packaging layers, publishing layered images, and serving up Elastic layers).
With Profile Management (UPM) you must turn off the deletion of the user’s information on logoff.
• These settings can be turned off via a Group Policy Object (GPO) or through the HDX policy on the Delivery Controller.
Operating Systems:
• Windows 7, 64-bit
• Windows 10, 64-bit
Publishing Platforms:
• Citrix Virtual Desktops
• VMware Horizon View
Key Notes:
• There are specific requirements for implementing Full User layers:
• When using Profile Management (UPM) with a Full user layer, you must turn off the deletion of the user’s information on logoff
using GPO or HDX policies.
• There are compatibility requirements for Full user layers as well, to include:
• Operating systems:
• Windows 7, 64-bit
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
• The Office layer must be in the image template and deployed in the layered image.
• Is supported as an App layer in a published image only, not as an Elastic Layer.
• Should be used with one desktop per user at a time (Single sign-on).
Key Notes:
• You must use a profile manager, such as the Citrix User Profile Manager. Otherwise, Outlook assumes that every user who logs in is a
new user and creates OS files for them.
• The Office layer must be included in the image template and deployed in the layered image. However, you can use other Elastic
layers with an Office 365 user layer.
• Microsoft Office is supported as an App layer in a published image only, not as an Elastic Layer.
• Any change to the default location of the search index files is not preserved in the Office 365 layer.
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
• Applications with drivers that use the driver store, e.g. a printer driver.
• Applications that modify the network stack or hardware, e.g. a VPN client.
• Applications with boot level drivers, e.g. a virus scanner.
Key Notes:
• The following applications are not supported on the user layer, so users must not install these applications locally:
• Enterprise applications, such as MS Office and Visual Studio, must be installed in App layers. User layers are based on the same
technology as Elastic layers.
• As with Elastic layers, never use user layers for enterprise applications!
• Applications with drivers that use the driver store. Example: a printer driver.
• Applications that modify the network stack or hardware. Example: a VPN client.
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
• Citrix Profile Management disables Store add-ins.
• GPO-installed printers are supported for users on non-persistent Windows 10 desktops.
• With VMware Horizon View, you must configure it to refresh at logoff with any non-persistent desktops.
Key Notes:
• User Layer Considerations:
• Windows updates must be disabled on the user layer.
• Citrix Profile Management disables Store add-ins (Outlook store add-ins).
• The first time Outlook starts, the Store/Add-ins icon on the ribbon displays a window with a long list of add-ins.
• During the initial login, if you install add-ins, they appear on the ribbon on subsequent logins. If you do not install the add-ins,
the Store/Add-ins icon displays a blank white window.
3. Create a group policy to deploy each network printer, and then assign it to the machine.
4. When logged in as a domain user, verify that the printer is listed in Devices and Printers, Notepad, and device manager.
• VMware Horizon View:
• The View must be configured for non-persistent desktops, and the desktop must be set to Refresh at logoff. Delete or refresh the machine on logoff.
• User Layers can provide some of the same benefits as personal vDisk, which is now a deprecated product.
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
Image templates with user layers enabled consist of user data, settings and locally installed applications that must be saved to a secure location.
User layers require you to add storage locations for the layers.
You can assign groups of users to each storage location that you add.
User Layer Storage Location
Key Notes:
• When an image template has user layers enabled, the images you publish persist users’ data, settings, and locally installed apps.
• When user layers are enabled, you need to add storage locations for the layers.
• You should not allow user layers to be saved on the appliance’s main file share, as space can be depleted for:
• Upgrading the software.
• Serving up elastic layers to users.
• Saving files that you are moving to a Hypervisor for which there is no supported connector.
• How to specify the user layer file share location on a specific image:
• You can support a user who needs to access two separate images at the same time, where both images:
• Need the persistence of user layers.
• Were created using the same OS layer.
• To configure user layer file share assignments:
• Add the following Registry key in one or more of your published images before any user logs in:
• [HKLM\Software\Unidesk\ULayer] “UserLayerSharePath”
• You can add the preceding key to the Platform layer, to an App layer, or as a machine group policy.
• If you add the UserLayerSharePath key to the image before a user logs in, the appliance ignores the user layer share assignments. Instead, all users on the machine use the specified share for user layer VHDs. The \Users subtree is appended to this key to locate the actual layers.
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
For Module 5
Key Notes:
If needed, please refer back to Module 0 for reference on how to access the Lab.
Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.
and maintained on the appliance’s network file share.
[Figure: folder tree Users > workspacelab_jwright > 123456_MyOSLayer > jwright.vhd]
Key Notes:
• User layers are created and maintained on the ELM appliance’s network file share, under the Users folder.
• For example: \MyServer\MyShare\Users
• Each user has their own directory within the Users directory, named as follows:
• Users\DomainName_username\OS-Layer-ID-in-hex_OS-Layer-name\username.vhd
• For example:
• User’s login name: jdoe
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
from different locations based on the type of User layer being used.
• Full user layer
• Office 365 layer
[Figure: Full user layer at C:\user\<username>\Appdata\local; Office 365 Layer at C:\user\<username>\Appdata\local\Microsoft\Outlook]
Key Notes:
• Users access their files from different locations based on the type of User layer being used.
• When Full user layers are created, users can access the files in the following directory:
- C:\user\<username>\Appdata\local
• When Office 365 layers are created, the user layers directory is redirected to the Office 365 layer:
- C:\user\<username>\Appdata\local\Microsoft\Outlook
via the management console.
• More than one storage location can be specified for user layers.
• The first storage location added to the appliance becomes the default location for user layers.
• Security settings for user layers are edited via the management console.
Key Notes:
• Storage Considerations:
• You can specify more than one storage location for your user layers if it is needed.
• For each storage location created (including the default location), you need to create a /Users subfolder and secure that location.
• The first storage location added to the appliance becomes the default location for user layers (any that are not already associated
with another storage location).
• When you add more storage locations, they are listed in priority order.
7. On the Confirm and Complete tab, select Add Storage Location.
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
• Owner Rights: Modify (Subfolders and Files only)
• Users or group: Create Folder/Append Data; Traverse Folder/Execute File; List Folder/Read Data; Read Attributes (Selected Folder Only)
• System: Full Control (Selected Folder, Subfolders and Files)
• Domain Admins, and selected Admin group: Full Control (Selected Folder, Subfolders and Files)
Key Notes:
• After storage locations are added and configured, the next step is to set security on the user layer folders via the management
console.
• These user layer folder security settings must be set by a domain administrator.
• To configure security on user layer folders:
1. Log in to the management console.
2. Click System > Storage Locations. The file shares displayed are the storage locations defined for user layers.
3. Create a \Users subdirectory under each file share:
• \MyDefaultShare\UserLayerFolder\Users\
• \MyGroup1Share\UserLayerFolder\Users\
• \MyGroup2Share\UserLayerFolder\Users\
4. Apply the preceding list of security settings to each subdirectory under \Users.
Additional Resources:
• Deploy user layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
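The folder permissions listed on this slide, written as a PowerShell script that can apply them to a folder and report access entries that differ from or go beyond that list. This is an added example, not Citrix tooling or course material; the parameter names, the default Domain Admins account name, and the choice to leave unrelated existing entries in place and only flag them are assumptions, and only the rows shown on this page are implemented.

```powershell
# Added example (not from the course material). Parameters are placeholders you supply.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Path,        # folder to secure, e.g. a \Users folder on a storage location
    [Parameter(Mandatory)][string]$UserGroup,   # "Users or group" row: AD group that receives user layers
    [Parameter(Mandatory)][string]$AdminGroup,  # "selected Admin group" row
    [string]$DomainAdmins = "$env:USERDOMAIN\Domain Admins",   # assumed account name
    [switch]$Apply                              # without -Apply the script only audits
)

function Resolve-Sid([string]$Name) {
    # Accept either a SID string or an account name and return a SecurityIdentifier.
    if ($Name -match '^S-1-') { return [System.Security.Principal.SecurityIdentifier]$Name }
    return ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}

# One entry per row of the permission list on this page.
$both = 'ContainerInherit, ObjectInherit'
$desired = @(
    [pscustomobject]@{ Who = 'S-1-3-4';     Rights = 'Modify';      Inherit = $both;  Propagate = 'InheritOnly' }  # Owner Rights: subfolders and files only
    [pscustomobject]@{ Who = $UserGroup;    Rights = 'CreateDirectories, Traverse, ListDirectory, ReadAttributes'
                       Inherit = 'None'; Propagate = 'None' }                                                     # selected folder only
    [pscustomobject]@{ Who = 'S-1-5-18';    Rights = 'FullControl'; Inherit = $both;  Propagate = 'None' }         # System
    [pscustomobject]@{ Who = $DomainAdmins; Rights = 'FullControl'; Inherit = $both;  Propagate = 'None' }
    [pscustomobject]@{ Who = $AdminGroup;   Rights = 'FullControl'; Inherit = $both;  Propagate = 'None' }
)

$rules = foreach ($d in $desired) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        (Resolve-Sid $d.Who),
        [System.Security.AccessControl.FileSystemRights]$d.Rights,
        [System.Security.AccessControl.InheritanceFlags]$d.Inherit,
        [System.Security.AccessControl.PropagationFlags]$d.Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

if ($Apply) {
    # SetAccessRule replaces any explicit entry for the same identity with the listed one.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($r in $rules) { $acl.SetAccessRule($r) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit: compare what is on the folder now (explicit and inherited) with the list.
# Synchronize is masked out because Windows adds it to Allow entries automatically.
$mask = -bnot [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$aces = @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))

foreach ($ace in $aces) {
    $want = $rules | Where-Object { $_.IdentityReference.Value -eq $ace.IdentityReference.Value } |
            Select-Object -First 1
    $status = if (-not $want) { 'EXTRA' } elseif (
        $ace.AccessControlType -eq 'Allow' -and
        (([int]$ace.FileSystemRights -band $mask) -eq ([int]$want.FileSystemRights -band $mask)) -and
        $ace.InheritanceFlags -eq $want.InheritanceFlags -and
        $ace.PropagationFlags -eq $want.PropagationFlags) { 'OK' } else { 'DIFFERS' }
    [pscustomobject]@{
        Status    = $status
        Sid       = $ace.IdentityReference.Value
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        Inherit   = $ace.InheritanceFlags
        Propagate = $ace.PropagationFlags
        Inherited = $ace.IsInherited
    }
}

# Listed entries that are not present on the folder at all.
foreach ($r in $rules) {
    if ($r.IdentityReference.Value -notin $aces.IdentityReference.Value) {
        [pscustomobject]@{ Status = 'MISSING'; Sid = $r.IdentityReference.Value; Type = 'Allow'
                           Rights = $r.FileSystemRights; Inherit = $r.InheritanceFlags
                           Propagate = $r.PropagationFlags; Inherited = $false }
    }
}
```

Run it without -Apply first and review any EXTRA rows: an inherited entry for a broad group on this folder can give users access to user layer VHDs that are not their own.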
• Which type(s) of user layer will store only Outlook data and settings?
• Session Office 365 and Office 365
• 5-2: Create an Elastic App Layer for Server OS
• 5-3: Configure the User Layer Repository
• Either an SMB or CIFS network share location is required when using Elastic layers.
• There are three types of user layers: Full, Office365, SessionOffice365.
• There are specific limitations and considerations to consider when utilizing User layers.
• User layers require at least one storage location.
Module 6 - Deploy a Layered Image Using Citrix Virtual Apps and Desktops
various App Layering Layers
• Describe image requirements
• Identify approach when using Citrix Virtual Apps and Desktops with and without App Layering
• Discuss MCS and PVS considerations with App Layering
Layering
Template Wizard.
2. Select the OS layer, Application assignments, Platform layer, and the connector.
3. Confirm and complete the creation.
4. The Template creates either a virtual machine on the underlying Hypervisor or a Citrix Provisioning vDisk.
Key Notes:
• Templates are a compilation of various layers put together by the ELM server. For example, multiple App Layers, a Platform Layer, and an OS Layer are compiled to create a unique Template. This is all initiated via the Create Template Wizard in the Citrix Layer Management console.
• Connectors are the interfaces to environments where layers are created and images are published. The type of platform connector
determines the information required to create a specific Connector Configuration.
Additional Resources:
• Create or clone an image template: https://docs.citrix.com/en-us/citrix-app-layering/4/publish/create-image-template.html
[Figure: The Process Overview. Step 2: Create Template Wizard (Template Details), Admin and Hypervisor. Step 3: Publish Layered image, “Publishable”, Admin and Template. Step 4: Windows10 MCS-YYYY-MM-DD_TIME, Admin and Hypervisor.]
Key Notes:
• Step 1:
• Log on to App Layering Console.
• From the Images menu, from the Actions menu select Create Template.
• Step 2:
• Complete the Create Template Wizard, to include:
• Select the required Platform Layer.
• Verify the settings made on the Layered Image Disk page.
• Select to Create Template.
• Step 3:
• Verify the new Windows template is labelled as “Publishable”.
• Right-click and select Publish Layered Image.
• Click Publish Layered Image.
• Step 4:
• Go to the Hypervisor used for this template and verify a new Virtual Machine was created, e.g. Windows10 MCS-YYYY-MM-DD_TIME.
Additional Resources:
• Create or clone an image template: https://docs.citrix.com/en-us/citrix-app-layering/4/publish/create-image-template.html
• Do not delete the layered image when used for a Catalog.
• When you update the Master Image, take a snapshot.
• Select the right connector based on the platform layer.
Key Notes:
• Further considerations:
• Do not move this VM across different hypervisor platforms, as the connector and the platform layer do change when we move it from one hypervisor to another.
• App Layers are tied to the OS Layer they were created on.
• Before a version or layer can be deleted, it must not be in use.
• .NET is best delivered using the OS Layer.
Key Notes:
• Further Considerations:
• To deploy Windows patches and updates, you can simply add a version to the layer. You can easily revert to the previous version of
the layer, if necessary.
• You can select any version of the layer to use in an image template, and therefore in the published images.
• You can update the OS using Windows Update, Windows Server Update Services (WSUS), or offline standalone update packages.
Additional Resources:
• Create the OS layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-os-layer.html
• Citrix Layering support is limited to virtual machines at this time (no physical machine support).
• Platform Layers are created for a particular provisioning system and Hypervisor pair.
• There are two types of Platform Layers: Packaging Platform Layer and Publishing Platform Layer.
Key Notes:
• When an image is deployed with a Platform Layer, it will search for and disable drivers and services that have not been specified in
the create wizard - to ensure that no cross-platform pollution occurs.
• The two types of Platform layers:
• The Packaging Platform Layer - used only to update an App Layer.
• The Publishing Platform Layer - used every time, to publish.
included in the same App Layer.
• Do NOT reduce the Layer Size from the default value while creating an App Layer.
• Increase the default size while packaging a large application.
• Create an Enterprise App Layer that holds the most common components to be delivered to users.
Key Notes:
• When creating a new layer, never adjust the Layer Size down from the default of 10 GB. You can increase the setting if you are
packaging a large application.
• All Layers are thin provisioned, so even if you are planning on a very small Layer, never adjust down.
• Create a Utility Layer or Enterprise Application Layer that holds the most common components to be delivered to users. For example,
if Flash, Adobe Reader, and Java are going to be delivered to all users, then put them into the same layer.
• Elastic Layers require .NET Framework 4.5.
• Changing the location of a network file share requires all Elastic layer-enabled images to be re-published.
• A sustained outage can cause elastically assigned layers to no longer be available.
Key Notes:
• An elastic layer is an app layer that you assign to individual users and groups for delivery on demand. Users receive the elastic layers
assigned to them in addition to the apps included in the base image.
• Based on user entitlements, elastic layers are delivered to users’ desktops upon login. You can assign elastic layers to users on
session hosts, and also on standalone desktops, as long as the images were published using App Layering.
• Elastic layers are a feature of App Layering. You cannot use elastic layers as published virtual apps in Citrix Virtual Apps and Desktops.
And, you cannot assign a Citrix Virtual App as an elastic layer.
• Consist of two formats: one that persists all user data and settings, and another that persists only Office 365 data and settings.
• Must utilize a dedicated storage location for these layers; multiple storage locations for User layers are supported.
• The default size is set to a maximum of 10GB (maximum size can be modified via registry settings).
Key Notes:
• User layers persist user profile settings, data, and user-installed applications in non-persistent VDI environments.
• The first time a user logs onto a system that is User layer-enabled, the User layer is created. After that, the user’s data and settings,
and any applications they install locally are saved in their User layer.
• You can enable the following types of User layers:
• Full - All of a user’s data, settings, and locally installed apps are stored on their User layer.
• Office 365 - (Desktop systems) Only the user’s Outlook data and settings are stored on their User layer.
the driver store, Applications that modify the network stack or hardware, and Applications that have boot level drivers.
• Administrators need to disable Windows Updates on the User layer.
• When using multiple storage locations and a specific user belongs to more than one group, and those groups are assigned to different storage locations, the person’s User layer is stored in the highest priority storage location.
• Users will receive a notification message when they are unable to access their User layer for various reasons. These notifications are customizable if needed via the management console.
Additional Resources:
• Deploy User layers: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers.html
What storage network share formats are supported when using Elastic layers?
SMB and CIFS
Virtual Apps and Desktops Site
[Diagram labels: Company ABC; 200 Total Users; UserGroup1 (150 Users); UserGroup2 (50 Users); Windows 10 Virtual Machine; App1; App2; App3; Citrix Hypervisor; Microsoft Hyper-V.]
Key Notes:
• Company ABC:
• Mixed Hypervisor environment of Citrix Hypervisor and Microsoft Hyper-V
• The Citrix Virtual Apps and Desktops team has been instructed to evenly distribute the Session Host VMs across both Hypervisors.
• There are 200 users split across 2 core domain user groups, with 150 users in UserGroup1 and 50 users in UserGroup2.
• Citrix Virtual Apps and Desktops is used to deliver a Windows 10 Desktop to all users.
• There are 3 core apps that the users need, however, due to environmental constraints not everyone gets every app.
Company ABC
Summary of requirements:
• 150 Win10 VM Desktops with App1 and App2 installed.
• 75 VMs for Citrix Hypervisor.
• 75 VMs for Microsoft Hyper-V.
• 50 Win10 VM Desktops with App1 and App2 and App3 installed.
• 25 VMs for Citrix Hypervisor.
• 25 VMs for Microsoft Hyper-V.
Key Notes:
• In this scenario, there is a need to create multiple images due to different user requirements. There are also multiple hypervisors
involved in the deployment. The combination of VMs needed to fulfill these requirements is summarized above.
• Each layered image also has a set of prerequisites that are needed, which include the following:
• Hypervisor:
• App layering supports all hypervisors and cloud solutions. Each hypervisor solution has its own prerequisites.
• It requires an authentication service, such as Microsoft Active Directory.
• Storage:
• The ELM server starts with an expandable 300 GB local storage repository. This storage is used to store all OS, Platform and App layers and versions.
• OS for Layered Images:
• To create layers, first you need a VM configured with the OS setup, drivers, KMS licensing and not joined to the domain.
• This VM becomes the golden Image that is imported into the ELM server and saved as the OS Layer.
• All Platform, App and Elastic layers are then created from temporary packaging machines, built from the golden Image import.
• Using the Scenario for this lesson, what is the Golden Image approach?
Company ABC: 4 Golden Images
• Golden Image #1: App1, App2, App3; Windows 10 Virtual Machine; Citrix Hypervisor
• Golden Image #2: App1, App2, App3; Windows 10 Virtual Machine; Microsoft Hyper-V
• Golden Image #3: App1, App2; Windows 10 Virtual Machine; Citrix Hypervisor
• Golden Image #4: App1, App2; Windows 10 Virtual Machine; Microsoft Hyper-V
Key Notes:
• The Citrix Virtual Apps and Desktops provisioning technologies - Machine Creation Services (MCS) and Citrix Provisioning - optimize
the solution by being able to manage catalogs of hundreds of like virtual machines from a single golden image. The key here is the
words “like virtual machines”.
• Our scenario in this lesson has several types of machines. How many to be exact? Four:
• Windows 10 with Citrix Hypervisor Tools running App1 and App2
• Windows 10 with Microsoft Hyper-V Tools running App1 and App2
For Module 6
Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.
Using the Scenario for this lesson, what is the Golden Image approach?
Company ABC
To get here:
• Install Windows 10 once using an OS Layer
• Install Citrix Hypervisor Tools once using a Platform Layer
• Install Microsoft Hyper-V once using a Platform Layer
• Install each app once, for App1 and App2 using an App Layer, for App3 using an Elastic App Layer entitled to UserGroup2
[Diagram labels: ELM (Enterprise Layer Manager); Golden Image #1 (App1, App2, App3; Windows 10 Virtual Machine; Citrix Hypervisor); Golden Image #2 (App1, App2, App3; Windows 10 Virtual Machine; Microsoft Hyper-V).]
Key Notes:
• To Deploy Citrix App Layering within an Existing Citrix Virtual Apps and Virtual Desktops Site:
1. Import a VM into ELM to create the OS Layer.
2. Use the OS Layer to create Platform and App layers.
3. Create a template to select which layers to use, then publish it to merge the selected layers and create a Layered Image output to a VM or vDisk.
• In both cases, the CSS or Customer Success Service must be current.
• You can publish one or more Layered Images to Citrix Machine Creation Services in your Citrix Hypervisor environment. Publishing a template creates a Virtual Machine that can be used as a master image to create a Citrix Virtual Apps and Desktops catalog.
• Publishing a template to a PVS Store creates a vDisk within the store. You can then assign the vDisk to a targeted device(s).
• Publishing a template to the NFS share creates a layered image on the NFS share. For example, you can populate a PVS Store using the images stored in the NFS share.
Additional Resources:
• Plan your deployment: Citrix PVS: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/citrix-pvs.html
• Plan your deployment: Citrix MCS in Citrix Hypervisor: https://docs.citrix.com/en-us/citrix-app-layering/4/plan/citrix-mcs-in-Citrix Hypervisor.html
• Plan your deployment: Network File Share (other platforms): https://docs.citrix.com/en-us/citrix-app-layering/4/plan/network-file-share.html
[Diagram labels: Platform Layer (Create New or Update Existing); Citrix Layering Management; ELM (Enterprise Layer Manager); Repository; Packaging Machine (Temporary VM); VDA; Targeted Hypervisor.]
Key Notes:
• When prepping the layer for Citrix Provisioning, you will need to install the Citrix Provisioning (PVS Tools) on the layer, in addition to
the Virtual Delivery Agent.
[Diagram labels: App Layering; ELM (Enterprise Layer Manager); Repository; Master Image; Hypervisor; Read Cache (Hypervisor dependent); RAM; three Virtual Machines, each with a Write Cache; Identity Disk; Differencing Disk; Storage Repository 1; Storage Repository 2.]
Key Notes:
• The Machine Creation Services or MCS process does not change, whether you use App Layering or not; there’s still a Master Image used to create a catalog with differencing disks and identity disks. The key difference is the ease with which the Master Image is provisioned and maintained.
• Using App Layering with Citrix Provisioning:
• The Provisioning Services or PVS process does not change, whether you use App Layering or not; there’s still a golden image in the form of a bootable virtual disk called a vDisk.
the image is published, instead of a virtual machine the target environment can be a vDisk store, so the output is a vDisk.
Additional Resources:
• Publish layered images from template: https://docs.citrix.com/en-us/citrix-app-layering/4/publish/publish-layered-images.html
• Citrix Provisioning (Citrix Hypervisor, VMware, Hyper-V, Nutanix): https://docs.citrix.com/en-us/citrix-app-layering/4/connect/citrix-provisioning.html
[Diagram labels: ELM (Enterprise Layer Manager). Steps shown: Install the VDA; Join the Domain; Test Login as network user; Install SSO software if needed; Verify desired Workspace App version; Install WEM Agent if needed.]
Key Notes:
• MCS Considerations with App Layering:
• Prior to the Layering Stage:
• Review the Citrix online documentation via docs.citrix.com to verify the MCS parameters and detailed instructions that match
the targeted hypervisor platform.
• During the Layering stage:
• Install the VDA.
• PVS Considerations with App Layering:
• Prior to the Layering Stage:
• Review the Citrix online documentation via docs.citrix.com to verify the PVS parameters and detailed instructions that match the targeted hypervisor platform.
• During the Layering stage:
• Install PVS Tools.
• Install the VDA.
• Join the Domain.
• Log on as a network user, reboot and then log on as an administrator and delete the network user profile.
• Install any Single Sign On (SSO) software, if needed.
• Verify the desired version of the Receiver was installed with the VDA; if not, install the version needed.
• Install the Workspace Environment Management (WEM) agent, if planning to use this feature.
• Reboot.
• Finalize.
Additional Resources:
• How to Create a Platform Layer in App Layering 4.x: https://support.citrix.com/article/CTX225997
requirements.
What are the specifications for this storage location?
The ELM server starts with an expandable 300 GB local storage repository used to store all layers and versions.
• 6-2: Create a Machine Catalog
• 6-3: Create a Delivery Group
• 6-4: Test the Resources Located on the Layered Image
• 6-5: Test the User Layer functioning
customize and create each template (or layered image).
• Templates consist of an OS Layer, a Platform Layer, and one or more App Layers.
• When packaging the Platform layer, it is necessary to install provisioning tools for use with any non-MCS provisioning technology, such as Citrix Provisioning.
Explore Layer Priority and Maintain an App Layering Environment
Module 7
• Describe ELM Server back-up and ELM Multi-location
• Recognize Layer back-up considerations
• Describe ELM Server Update procedure
• Identify considerations while deploying Anti-Virus and Microsoft Office in a Layer
• Describe App Layering Labs
and registry.
• The Composite File System (CFS) runs on the Layered Image and views the layers, presenting a unified registry and data file system to Windows.
[Diagram labels: CFS Composite File System; C:\DIR\D.DAT; C:\DIR\B.DAT; C:\DIR\A.DAT; C:\DIR\D.DAT.]
Key Notes:
• Layer Priority refers to how the Windows operating system on the published desktop only reads the combined C: drive of the underlying layers. In the example shown in the diagram, the underlying layers are the user layer, application layer and OS layer.
• As the desktop boots, it initially uses the Boot Image, which contains the Windows Boot File, the composited registry and the Windows Page File. When the layering filter driver is loaded milliseconds into the boot process, it virtualizes all of the independent virtual disk files that make up the layers for a desktop into the single C: drive Windows sees and uses on the desktop.
• Layer priority manages the file system and registry in every layer before it is actually presented to the Windows OS on the user session.
• Priority in an image starts from the bottom up, with the OS Layer, then the App Layers (by date/time), then the Platform Layer, then the Elastic Layers with the User Layer on top.
• Application layers are assembled in priority order based on the package creation date and time.
• Let’s assume that we have an OS Layer, an App Layer and a User Layer, and that these layers only have one or two files in each of them.
• The Composite File System sits below NTFS. It grabs the layers, which are volumes, and presents them to Windows at the top, merging the namespace as “C”. The user looks at the C: directory and sees the A, B and D files. A.DAT comes from the OS Layer, B.DAT comes from the App Layer and D.DAT comes from the User Layer.
• Why is D.DAT coming from the User Layer?
Because the files are duplicates, but the user’s copy was changed: maybe an application changed it when the user ran the app, or maybe the user created their own D.DAT file. Under Layer priority, the way the Layers are stacked, the user wins over the OS layer.
• This priority mechanism begins at layer creation and is based on the order in which the layers are created. When Windows views these layers, it is from a top-down model where the highest priority wins.
• If a file (or registry entry) exists in two layers, but only one can be presented to an executing Windows environment, the layer with highest priority “wins”.
• Before you dive into priority it is important to note that the Personalization is always “on top” or the highest priority and the OS layer or layered image is always “on bottom” or the lowest priority. Application layers are what receive specific priorities relative to each other and not to the OS or Personalization layer.
• Layer Priority can only be changed using an external utility or by deleting and adding layers.
Composite File System (CFS) Logic: File 1, File 2, File 3, File 4, File 5
• Elastic App Layer: File 5
• App Layer 2: File 4
• App Layer 1: File 3
• Windows OS Layer: File 1, File 2
Key Notes:
• A layer’s priority is determined by the layer type. Layers that are part of the layered image are applied in order: the OS Layer is the lowest priority and applied first, App Layers are medium, and the Platform Layer is always applied last, as the highest priority layer.
• When a published image boots, more layers can be applied during the boot process, if needed. The layers need to be enabled in the image template for your layered image to do this. The two layers below are examples of what can be applied at boot:
• Elastic layers (App layers assigned to users as Elastic layers)
• User Layers
Additional Resources:
• Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html
conflict between two app layers.
• Layer Priority overrides are set by changing the Layer priority.
Composite File System Logic (diagram, top to bottom):
• App2 Layer: File 4, File 5
• App1 Layer: File 3, File 4
• Windows OS Layer: File 1, File 2
Key Notes:
• In the image above we see a total of 3 layers: the OS layer and 2 application layers.
• The conflict here is between the App1 and App2 layers with regard to “File 4”, as the same file is present in both layers. The question is which App Layer is selected to present “File 4” to Windows.
• In this scenario, “File 4” from the App2 layer “wins” and is presented to Windows, because by default the layer with the highest priority wins. Hence, in the above image, the App2 layer wins over the App1 layer on File 4.
• Once any and all conflicts are resolved, the layers are compiled as a layered image, creating a single, unified composite file system.
• Each layer contains unique registry and file system virtualizations. Once compiled into a layered image, it results in a single registry and data file system on the image.
• Layer priority is used in two different places. When we create an image, layer priority is used both when creating the file system and when creating the registry. The best way to think of it is that the layers are merged in this order for both file system and registry:
Additional Resources:
• Layer Priority: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html#layer-priority
App1 and App2 layers.
• Solved by using Layer Priority Tool for changing the Layer Priority.
Composite File System Logic (diagram, top to bottom):
• App1 Layer: File 3, File 4
• App2 Layer: File 4, File 5
• Windows OS Layer: File 1, File 2
Key Notes:
• Let’s assume there is a problem and we need to expose “File 4” from App1 to the Windows environment.
• This is where layer priority overrides come into play. The IT admin can adjust the priorities so App1 is a higher priority than App2 (compared to the previous slide 4 “Layer Priority” diagram). Thus “File 4” from App1 is presented to Windows.
• Why would you want to change the priority? You might want to change layer priority for many reasons. Normally it is because two different layers use a common file or registry key, and you find that by switching the order of the layers both applications will work when originally only one did.
then store the OS layers to use whenever you open the utility.
5. Then you select the appropriate OS layer that you want to change the priority on. The utility will load all the layers created with that OS layer with highest priority on top.
6. Then you just select “Set Start”.
7. Then select the row to move the selected layer above and click “Set End”.
8. Review the selected layer information and if correct click the “Process” button.
9. The status of the job will be shown in the status area at the top.
10. The process will update the layering database with priority changes.
Note: These steps above will not update the json files located on the elastic layer share.
Note: Sometimes a company may need the ability to change just the priority for a single layer. To change the priority for a single layer click on the layer then click on “Change Priority Value”. This will set the start and end rows at the bottom both to the selected layer. It will also expose the input field (3) for the new value. Enter a value and press the “Change” button (4). The status of the update will be shown in the status box and the table will be updated and resorted.
Additional Resources:
• The priority change can only be done through a tool from Citrix App Layering 4: LayerPriority Utility: https://support.citrix.com/article/CTX225934
• Layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer.html
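The resolution rule from the Layer Priority notes above (default order, the File 4 conflict, and a priority override), modeled as an added Python example; it is not Citrix code and not part of the original manual. The names Layer, stack, compose and app_conflicts and the sample data are constructed, and app_order is a hypothetical stand-in for a priority change made by an administrator.

```python
from dataclasses import dataclass
from datetime import datetime

# Default application order from the notes above, lowest priority first:
# OS, App layers (by creation date/time), Platform, Elastic, User on top.
KIND_RANK = {"os": 0, "app": 1, "platform": 2, "elastic": 3, "user": 4}


@dataclass(frozen=True)
class Layer:
    name: str
    kind: str          # key of KIND_RANK
    created: datetime  # orders layers of the same kind
    files: tuple       # paths carried by the layer


def stack(layers, app_order=None):
    """Return the layers sorted lowest priority first.

    app_order is a hypothetical stand-in for an administrator's priority
    override: app-layer names, lowest priority first.
    """
    def key(layer):
        rank = KIND_RANK[layer.kind]
        if layer.kind == "app" and app_order is not None:
            return (rank, app_order.index(layer.name))  # ValueError if unlisted
        return (rank, layer.created.timestamp())
    return sorted(layers, key=key)


def compose(layers, app_order=None):
    """Merge the stack into one view: path -> (winning layer, shadowed layers)."""
    view = {}
    for layer in stack(layers, app_order):
        for path in layer.files:
            norm = path.casefold()  # Windows paths compare case-insensitively
            if norm in view:
                winner, shadowed = view[norm]
                view[norm] = (layer.name, shadowed + [winner])
            else:
                view[norm] = (layer.name, [])
    return view


def app_conflicts(layers, app_order=None):
    """Paths supplied by more than one app layer, providers lowest priority first."""
    kind_of = {layer.name: layer.kind for layer in layers}
    found = {}
    for path, (winner, shadowed) in compose(layers, app_order).items():
        apps = [n for n in shadowed + [winner] if kind_of[n] == "app"]
        if len(apps) > 1:
            found[path] = apps
    return found


# Constructed sample combining the two diagrams above (A/B/D.DAT and File 1-5).
SAMPLE = [
    Layer("OS", "os", datetime(2020, 1, 1),
          (r"C:\DIR\A.DAT", r"C:\DIR\D.DAT", r"C:\File1", r"C:\File2")),
    Layer("App1", "app", datetime(2020, 2, 1),
          (r"C:\DIR\B.DAT", r"C:\File3", r"C:\File4")),
    Layer("App2", "app", datetime(2020, 3, 1), (r"C:\File4", r"C:\File5")),
    Layer("Platform", "platform", datetime(2020, 1, 15), ()),
    Layer("User", "user", datetime(2020, 4, 1), (r"C:\DIR\D.DAT",)),
]

if __name__ == "__main__":
    runs = (("default order", None), ("App1 raised above App2", ["App2", "App1"]))
    for title, order in runs:
        print(title)
        for path, (winner, shadowed) in sorted(compose(SAMPLE, order).items()):
            print(f"  {path:<16} <- {winner:<8} shadows {shadowed}")
    print("app-layer conflicts:", app_conflicts(SAMPLE))
```

Running app_conflicts over an inventory of layer contents before publishing shows which shared files depend on creation order, so a priority change is a reviewed decision rather than a surprise after an app breaks.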
What is the default application order of layers that are part of the layered image?
• OS Layer
• App Layers
• Platform Layer
• Elastic and User Layers (at logon)
[Diagram labels: ELM (Enterprise Layer Manager); Layered Image Updates; Citrix Layering Management; Targeted Hypervisor; Packaging Machine (Temporary VM); Citrix Studio; Delivery Controller; PVS Deployments; PVS Console; PVS Server; PVS Farm Store; New Version = Copy Win10.vhdx; numbered steps 1 to 6.]
Key Notes:
• The Update layer process:
1. An administrator would use the Layering Management Console to create a new version of the specific layer, which is kept and
maintained within the ELM repository.
2. The ELM server then uses its hypervisor connector to create a temporary Packaging VM, which boots with the virtual disk layer in
question so the required changes can be made.
3. When all the required changes have been made, you can finish prep by “Finalizing” the update.
Additional Resources:
• Update layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/update-layer.html
update application layers is a key feature in Layering.
• The process for updating OS, Platform, or App layers is virtually the same.
• Creating a new OS Layer would require all Platform, App and Elastic App layers that were built off that OS Layer to be re-created.
Key Notes:
• Updating OS layers:
• Is a straight-forward operation, with built-in version control. When you create a new version of the OS layer, the latest version of
the layer is copied, and this copy is marked as read-write.
• A special virtual machine called a “Packaging Machine” is created on the infrastructure and the copy of the OS layer virtual disk is
attached. The machine is then booted with this new writable version of the OS and the admin can update the OS layer as needed.
• Once all of the changes are complete and any required reboots are finished, the OS version can be assigned to Image templates
and a path for the script. This is called a ‘Layer Script’.
5. Confirm and complete. When prompted, install the new OS service pack or upgrade on the installation machine.
6. After installing the service pack or upgrade, select the OS Layer and select ‘Finalize’.
7. Create a new template using the new version of the OS Layer and select the respective App Layers; then confirm and complete.
• The completion of the template creates a layered image which can be output to a VM on the hypervisor or a vDisk stored on the ELM server repository.
• To update the Catalog of a Citrix Virtual Apps and Desktops site, roll out the changes using either the Studio (for MCS created catalogs) or Citrix Provisioning Console (for PVS created catalogs).
• Updating APP layers:
• When updating an application layer, a copy of the existing layer is made. The virtual disk of the most current version of the layer is copied and attached to a Packaging Machine.
• The Admin would then update or patch the layer as needed. Once the update is complete the layer can be pushed out to users or assigned to existing layered images.
• When applications are versioned in this way it also ensures that two different versions of the same application will not be assigned to a virtual machine simultaneously.
• Note on versioning layers: A new layer version can be created for a layer when IT needs to modify the existing app install/configuration or the application needs to be upgraded. You can create a new application layer for a major application version (such as moving from Office 2010 to Office 2013) but in most instances application layers are
Additional Resources:
• Update layer: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/update-layer.html
[Diagram labels: ELM Repository; App Layer (V1); App Layer (V2); Create a new version; Platform Layer; OS Layer; ELM (Enterprise Layer Manager); Citrix Layering Management.]
Key Notes:
• The ELM Management Console gives the option to delete either the App Layer or just an App Layer version.
• After selecting the respective App Layer on the management console, we can click on the Delete Version option, which opens the wizard to delete the layers.
• Note: While deleting layers, be aware of whether you are deleting the layer version alone or the entire underlying App Layer itself.
• App Layers, once deleted, cannot be recovered.
• If a version is referenced in an image template, the App Layer cannot be deleted.
What object is used to install updates or new applications on an existing OS layer?
A packaging virtual machine is temporarily created and then deleted once the OS layer update has been finalized.
App Layering Environment
ELM (Enterprise Layer Manager): Three Administrative User Accounts
• Management Console: Username: administrator; Password: Unidesk1
• Appliance (superuser): Username: root; Password: v9Yx*6uj
• Appliance: Username: administrator; Password: Unidesk1
Key Notes:
• The ELM server coordinates communication in the App Layering environment, hosts the management console and manages all of the
layers, and using connectors works with the hypervisor or hypervisors to create layers and to publish images.
• The appliance has three accounts that you can use to manage its features and settings.
• Management console “administrator” account - Lets you access the management console hosted on the appliance. There you can
create and manage layers, and publish layered images. The default password is Unidesk1.
• Appliance “administrator” account - Lets you access the appliance’s configuration utility where you can change the network
• The default Management Console password (Unidesk1) must be changed when the appliance is installed. Upon first log in, a tab is displayed where you must change the passwords for the administrator accounts that you use to manage the appliance.
• The root (superuser) account uses a case sensitive mixed character password.
• The root (superuser) account is needed to change any of these administrative passwords.
• The Management Console is the primary account an administrator will use. You can easily configure and use the App Layering service without ever accessing the other two accounts.
Additional Resources:
• Change administrator passwords: https://docs.citrix.com/en-us/citrix-app-layering/4/configure/change-administrator-passwords.html
where the layer library is stored. This library contains folders where all layers are stored.
• Backing up this appliance protects a large part of the Layering infrastructure and greatly improves disaster recovery chances.
• The ELM appliance should be backed up via some type of virtual machine backup to storage, or else made as a clone.
[Diagram labels: Unidesk; Layered Images; Layers; Repository; App; OS; Platform.]
Key Notes:
• The App Layering appliance is a CentOS-based virtual appliance that hosts the App Layering console, all App Layering logic and the App Layering database.
• The appliance is also where the layer library is stored. The layer library is a virtual disk partitioned into several folders where the OS, App, and Platform Layers are kept.
• Everything about layers is stored in the appliance. If the appliance is backed up you have a significant part of the App Layering infrastructure available for recovery.
Additional Resources:
• App Layering 4.x availability and recovery concepts guide: https://www.citrix.com/products/citrix-virtual-apps-and-desktops/resources/app-layering-4x-availability-recovery-guide.html
[Diagram labels: two sites, each with User Layer, Application Layer, Platform Layer, Elastic layers, OS Layer, File Server and ELM Server (ELM Server1, ELM Server2); VDA; Image Template; Export to ELM fileserver; Import to ELM2; Hypervisor NYC; SAN NYC; DFS-R; Hypervisor SFO.]
Key Notes:
• Layers can be shared across composite images (so long as the underlying OS is consistent). It is possible to export all your layers from
one ELM appliance to a Windows share, and then import them to another appliance. This process could be used to keep two
appliances in separate physical sites in sync.
• Elastic layers are attached to the OS layer they were created on. A new version of an OS layer is still the same OS layer, so it will still
work with the existing application layers. The reason is that Windows uses dynamic creation of some GUIDs, short folder names,
short file names, etc. Applications remember those, so we need to keep them consistent. Updating OS layers by creating a new
• It is also possible to use two ELM appliances, one in each site, and then use the import/export functionality added in App Layering 4.3 to keep those ELMs in sync from a layer perspective. Then you can treat DR separately and build images there from a local ELM.
• If two ELM appliances are being used, then the sync will transfer over the WAN to the SMB share defined in Settings and Configuration. Then the layers can be synchronized to the SMB share used in the second site using something like Robocopy, again using the /MIR switch.
• In the Dual ELM model, connectors and permissions for elastic shares must be created on each side.
Additional Resources:
• Enterprise Architect TechTalk: Citrix App Layering FAQ: https://www.citrix.com/blogs/2017/08/07/enterprise-architect-techtalk-citrix-app-layering-faq/
File Server cluster or multiple head NAS devices.
• Backing up User Layers is more challenging than Elastic Layers, as the User Layer .vhd file is open and locked for writes whenever a user is logged on. Additionally, User Layers are large and change constantly.
• User Layers can be backed up at block level using SAN/NAS-level replication (or NetApp’s SnapMirror), or when they are not in use.
• Elastic Layer shares can be synchronized with a script tool, such as a robocopy script using the /mir directive.
Key Notes:
• By default, user layers are stored on the same share as normal elastic layers. Most organizations will likely use a different file share or
even file server for user layers, one that is optimized for writes.
• If the user layer share is different from the elastic layer share, user assignment will be defined by AD user groups.
• All Elastic layers are stored on the ELM in the layer repository. It is possible to re-publish all the elastic layers to a new file share if the
share were to require recreating but it is not quick or easy.
• Elastic layers are just .vhd files stored on the share. They are opened as read only, so it is fairly easy to back them up using a file
• If you don’t have one of these advanced technologies, it might work to spread the copy load over a couple of weeks so that there is not as much to copy every night. This could be scripted using PowerShell to ensure you get a backup at least once every x number of days.
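The staggered nightly copy suggested in the note above, sketched as an added example (not Citrix code and not part of the original manual). Each User Layer .vhd gets a fixed night in an x-day cycle, disks that are open are skipped, and a changed disk whose backup copy is older than the cycle is retried every night. The share paths, the 14-day default, the -IncludeMissing switch and the function names are assumptions.

```powershell
# Added example: staggered User Layer backup. Paths and the 14-night cycle are assumptions.
[CmdletBinding()]
param(
    [string]$SourceShare = '\\fileserver\UserLayers',        # hypothetical User Layer share
    [string]$BackupRoot  = '\\backupserver\UserLayerBackup', # hypothetical backup target
    [ValidateRange(1, 365)][int]$CycleDays = 14,             # the "x number of days"
    [switch]$IncludeMissing                                  # also copy never-backed-up layers tonight
)

function Get-BucketIndex {
    # Map a relative path to a stable slot 0..Buckets-1 so each layer has a fixed night.
    param([string]$RelativePath, [int]$Buckets)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($RelativePath.ToLowerInvariant())
        $hash  = $sha.ComputeHash($bytes)
    } finally { $sha.Dispose() }
    return [int]([System.BitConverter]::ToUInt32($hash, 0) % [uint32]$Buckets)
}

function Test-FileInUse {
    # A User Layer disk is held open while its user is logged on. Asking for an
    # exclusive handle fails with an IOException in that case, so the disk is skipped
    # instead of being copied in an inconsistent state.
    param([string]$Path)
    try {
        $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                         [System.IO.FileAccess]::Read,
                                         [System.IO.FileShare]::None)
        $stream.Dispose()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

$root      = (Get-Item -LiteralPath $SourceShare).FullName.TrimEnd('\')
$now       = [datetime]::UtcNow
$dayNumber = [int][math]::Floor(($now - [datetime]'2000-01-01').TotalDays)
$tonight   = $dayNumber % $CycleDays    # the slot that is backed up on this run

Get-ChildItem -LiteralPath $root -Filter '*.vhd' -File -Recurse | ForEach-Object {
    $file     = $_
    $relative = $file.FullName.Substring($root.Length).TrimStart('\')
    $target   = Join-Path $BackupRoot $relative
    $existing = Get-Item -LiteralPath $target -ErrorAction SilentlyContinue

    # Copy-Item keeps the source's last-write time, so a backup copy that is equal
    # or newer means the layer has not changed since it was last copied.
    if ($existing -and $existing.LastWriteTimeUtc -ge $file.LastWriteTimeUtc) {
        $status = 'Unchanged'
    } else {
        # Overdue: the layer changed and the backup copy is older than one full cycle,
        # for example because the disk was locked on its scheduled night.
        $overdue = $existing -and (($now - $existing.LastWriteTimeUtc).TotalDays -gt $CycleDays)
        $due = ((Get-BucketIndex $relative $CycleDays) -eq $tonight) -or $overdue -or
               ($IncludeMissing -and -not $existing)

        if (-not $due) {
            $status = 'NotScheduled'
        } elseif (Test-FileInUse $file.FullName) {
            $status = 'InUse'
        } else {
            try {
                New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
                Copy-Item -LiteralPath $file.FullName -Destination $target -Force -ErrorAction Stop
                $status = 'Copied'
            } catch {
                # Covers the race where a user logs on between the lock test and the copy.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
    }
    # One row per layer, so the nightly run can be exported and reviewed.
    [pscustomobject]@{ Layer = $relative; Status = $status }
}
```

Run it once per night from a scheduled task and review the InUse and Failed rows; a layer that has never been backed up and is locked on its night waits for its next slot unless -IncludeMissing is used.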
Additional Resources:
• Enterprise Architect TechTalk: Citrix App Layering FAQ: https://www.citrix.com/blogs/2017/08/07/enterprise-architect-techtalk-citrix-app-layering-faq/
Layer Management
[Diagram: Citrix Layering Management. The Enterprise Layer Manager (ELM) makes periodic update checks, downloads the update package from Citrix.com/Downloads, and the update package is saved to the network share.]
Key Notes:
• The App Layering upgrade process is partially automated. The appliance periodically checks for upgrades, and downloads available
packages to your appliance.
• When an administrator performs the next logon to the App Layering console, a message indicates that an upgrade is ready to install.
• As an administrator you can choose to:
• Start Upgrade: Run the App Layering appliance software upgrade. (Administrators only.)
• Remind Me Later: Wait seven days before reopening the message. Applies to individual users’ desktops.
• If an update is available, but there is no network file share configured: The user receives a message that there is an upgrade available and that the administrator needs to finish configuring a network file share before it can be downloaded and applied.
• If an update is available: A job is started to “Download Upgrade Media.” Then, if extraction is successful, the next time any user logs in they will be notified that an upgrade is available.
• If another update is found before a previously downloaded one is installed: The new upgrade is downloaded, and once successfully completed, becomes the “Upgrade Available.”
• If one upgrade is downloading when another is made available: The running download is aborted and a new download is started. All files related to the in-progress download are deleted.
• Before an administrator performs an upgrade of the appliance, they should verify that a network file share has been configured. This can be done via the App Layering console, navigating to System > Settings and Configuration, and finding the network file share setting.
• An administrator should perform a backup of the appliance first.
• Periodic upgrades are usually adequate as they occur regularly; however, an administrator can run the Upgrade “manually” by going to the System tab and selecting the Upgrade action as before. If an upgrade is available, the Upgrade Disk appears.
Additional Resources:
• Upgrade: https://docs.citrix.com/en-us/citrix-app-layering/4/upgrade.html
[Diagram: Citrix Layering Management. After the Enterprise Layer Manager (ELM) is updated, update the App Layering Agents on PVS-1 and PVS-2.]
Key Notes:
• An administrator should upgrade the App Layering agent (if the app layering agent is being used).
• To upgrade the App Layering agent:
1. Make sure that you have copied the App Layering agent upgrade file to the server(s) where the agent is installed.
2. Double-click the agent upgrade file, and follow the instructions for upgrading the agent.
What is the primary difference between standard layers compared to User or Elastic layers when choosing a backup plan of action?
The OS, App, and Platform Layers are kept in a library folder structure on the ELM appliance storage, whereas Elastic and User layers require a File Server cluster or multiple head NAS device.
For Module 7
Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.
Considerations and Additional Resources
save them does not change in a Citrix Virtual Apps and Desktops environment when you integrate with App Layering.
• All layers are read only.
• App Layering creates the VM or vDisk used to build the catalogs.
Key Notes:
• The decision to use Anti-Virus does not change when integrating Citrix Virtual Apps and Desktops with App layering.
• The decision to enable Anti-Virus updates or the consideration of where to save them does not change when integrating Citrix
Virtual Apps and Desktops with App layering.
• Remember:
• All OS, Platform, App and Elastic layers are read only.
• Disable auto updates, and redeploy the layer for each update. This requires updating the layer whenever you install new updates.
Additional Resources:
• Layer antivirus apps: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html
• Starting with Office 2013, both KMS and MAK activation for Windows 7, as well as AD Activation, are supported.
• Should be created with separate layers for each full set of Office apps you use. If separate Office layers are used, include the Base.separats
• Will require you to run the ngen process, as Office makes heavy use of .NET.
• Will need to be rearmed after installation completes and before Finalizing. \Rearm off
Key Notes:
• Microsoft Office is generally easy to install into a layer, and, if it will be used by itself, there are not many complexities other than
activation.
• This information covers all versions of Office between Office 2010 and Office 365.
• If you use Office Add-ons, these should be included in the office layer, but can sometimes be installed in different layers with Office
checked as a prerequisite layer during layer creation.
• It is recommended to create separate layers for each full set of Office apps you will distribute: For example:
• If your company needs a smaller set of users to have access to Visio and Project then you must create a second layer for Office, Visio and Project, and include that on a separate Layered image.
• Running Visio and Project as elastic layers will cause issues with broker sessions or a reconfigure when the applications are run because of the way Office Apps update the Windows store.
• Alternatively, you can use Visio and Project as published apps on XenApp.
• Licensing Considerations:
• All of the Office products share a licensing file and the method of activation. For KMS licensing, activation can be automated or activation can be performed on first use.
• When the first Office application is run for the first time on a desktop it creates a CMID for the application on that desktop that uniquely identifies the application instance for licensing. Therefore, when packaging Office for an image installation as we do with App Layering, the best option is to rearm the Office deployment before finalizing. This will reset any licensing information to allow an image deployment.
• If you are using MAK keys and not KMS, then activation must be run on each desktop after the layer has been deployed. You can activate on the desktop using the ospp.vbs script or using the Volume Activation Management Tool (VAMT 2.0/3.0).
• Microsoft has changed activation with Office 2013, allowing KMS and MAK activation for Windows 7, along with AD Activation. When using AD Activation it will tie the account to the machine it is activated on.
• In 4.x a layered image is created and then deployed using a provisioning system. For Citrix MCS and Horizon View Linked clones the Master Image/Parent VMs should have Office Applications activated before they are snapshotted for deployment. The included Citrix activation scripts will activate Office when the Master Image/Parent VM is first booted.
• Office Activation scripts have been included in conjunction with the Citrix optimizer for a long time. However they
activation, as KMS does not care how many times you reactivate a version of Office.
• Installation:
• To create application layers for Office, Visio and Project:
• To create the application layer for Office 2010, 2013, and 2016:
1. You start the Create an Application layer wizard and enter all the required information, such as the name of the layer.
2. Install desired Office Apps from ISO on the temp VM created.
3. Enable any Windows Updates and Patch Office then disable Windows Updates
4. Run ngen 32 bit and 64 bit (ngen update)
5. Reboot the machine.
6. Run the Optimizer tool using the RunOptimizer.cmd, and activate "MS Office via KMS" or "Process Office 365".
7. Rearm Office
8. Shutdown for Finalize.
• To create a layer using Office 365: Office 365 can be installed with a standalone downloader or using the Office Deployment Toolkit. For Citrix App Layering deployments, we require that the Office Deployment Toolkit is used.
1. You start the Create an Application layer wizard and enter all the required information, such as the name of the layer.
2. Download and install the Office Deployment Kit.
3. Create a configuration.xml to meet your needs.
4. Open an admin CMD prompt changed to the ODK folder and run
5. From the same CMD window run Setup.exe /configure configuration. - This will install o365.
6. Run ngen 32 bit and 64 bit (using ngen update see detail section below)
• If you choose not to activate using a script and the version of the Office product you want to deploy is different from the version your installer installs by default, you can change the version using the ospp.vbs script (Office Software Protection Platform).
• The Citrix Office Activation script (OfficeActivate.cmd) has all of these commands built in for all Office Products using Office 2010, Office 2013 and Office 2016. Use the appropriate command for your situation.
• If you are using these tools, just run the App Layering Optimization Builder utility and choose which Office applications are installed in the layer. The script will handle entering the product key and activating all the Office applications included in the layer.
• For Office 365:
1. To update Office 365, you can create a whole new Office Layer based on the current distribution or add a version to your existing Office layer and update that.
2. When going from one version of Office to another (e.g., 2013 to 2016) it is highly recommended that a new Layer is created rather than upgrading an existing layer inside of a version.
• There are a few things to think about on Non-Persistent Desktops including activation, registration and GPO settings. These are discussed in the sections below. Activation
• Registration: If you plan on deploying more than one Office version to the same desktops and you receive this message “Please wait while Windows Configures Microsoft Office” you should consider setting these registry options in the default profile. The “NoReReg” tells Windows to not re-register the Office programs and their associations. This is very important in a non-persistent environment because the users will see this warning every time they open an Office application after logon. But it also pertains to persistent desktops when using multiple versions of Office.
Additional Resources:
• How to Setup Office with App Layering (Recipe): https://support.citrix.com/article/CTX224566
• Java
• MS Office, including Office 365
• QuickBooks
• vGPU in VMware View
• And more …
Key Notes:
• In most cases, you can layer applications without any issues. However, there are some applications that require more detailed
instructions, and many of these are provided in the form of recipes, which provide step-by-step guidance on the specific installation
and configuration settings for the application so that it can be successful in a layered environment.
• These recipes apply to all App Layering 4 releases.
• Some of the primary applications that fall into this recipe category are listed here. There are specific instructions for how to install each of these within CTX docs; see some examples under Additional Resources below.
• IBM SPSS 21 Licensing Server
• Internet Explorer 10
• Java
• MS Office, including Office 365
• Print Server
• QuickBooks
• SAS Enterprise
• SCCM 2012 Client
• Solidworks
• Symantec Encryption Desktop Recipe
• USB Drivers With VMWARE Horizon View 5.X
• VMware Horizon View Agent
• VMware View dragging windows between monitors
• vGPU in VMware View
Additional Resources:
• App Layering Recipes: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/app-layering-recipes.html
• How to Setup Office with App Layering (Recipe): https://support.citrix.com/article/CTX224566
• Adobe Reader Recipe: https://support.citrix.com/article/CTX223969
versions and are planned for future release.
Key Notes:
• App Layering Labs (also just known as “Labs”) are features of Citrix App Layering that are:
• In the early versions and are planned for future releases.
• These features are usually disabled by default with the release.
• It is always recommended not to enable or use any of these features in a production deployment.
• So what is the value of these features here?
• We can test the latest and greatest.
Additional Resources:
• Enable Labs features: https://docs.citrix.com/en-us/citrix-app-layering/4/configure/enable-labs-features.html
• What’s new in App Layering 4 2005: https://docs.citrix.com/en-us/citrix-app-layering/4/whats-new/20-5.html
Starting with Office 2013 what forms of license activation can be used?
KMS, MAK, and AD
• 7-2: Create a Conflicting Layers Template
• 7-3: Update the MCS Catalog
• 7-4: Test the New Virtual Machine
• 7-5: Delete an App Layer
app layers sharing a file.
• The process for updating all standard layers is very similar.
• Backing up the layer library store on the virtual appliance protects a large part of the layering infrastructure.
• MS Office and Office 365 have special considerations when used with app layering, specifically as related to license activation and installation.
Introduction to Workspace Environment Management (WEM)
Module 8
required for a WEM on-premises deployment and how the WEM Administration console is used for managing the deployment.
• Describe the roles of each of the components required for a WEM Service deployment and how the WEM Service Manage console is used for managing the deployment.
• Describe the communications workflow between components in a WEM on-premise deployment.
• Describe the communications workflow between components in a WEM Service deployment.
• A software solution that utilizes powerful Resource Management and User Environment Management technologies for Citrix Virtual Apps and Desktops deployments, resulting in optimized performance and app response times, while helping to maintain the best possible logon performance for Users.
• Available for on-premises Citrix Virtual Apps and Desktops deployments.
• Citrix WEM Service is available for Citrix Cloud deployments, when used with Citrix Virtual Apps and Desktops Service and Citrix Endpoint Management (CEM) deployments.
© 2020 Citrix | Confidential
Key Notes:
• Citrix WEM is a software solution that utilizes powerful Resource Management and User Environment Management technologies for
Citrix Virtual Apps and Desktops deployments, resulting in optimized performance and app response times, while helping to maintain
the best possible logon performance for Users.
• Citrix WEM is available for on-premises Citrix Virtual Apps and Desktops deployments.
• Citrix WEM Service is available for Citrix Cloud deployments, when used with Citrix Virtual Apps and Desktops Service and Citrix
Endpoint Management (CEM) deployments.
Features and Benefits
System Optimization
• Features: CPU optimization; Memory management; Disk I/O optimization
• Benefits: Aggregate more user sessions on Windows multi-session OS VDAs; Improve HDX session user experience with single-session OS and multi-session OS VDAs
Logon Optimization
• Features: User Assigned Actions; Citrix Profile Management
• Benefits: Reduce session logon durations
Security
• Features: AppLocker
• Benefits: Secure user access to apps & installs
Transformer
• Features: Provide web pages, apps & desktops in a controlled kiosk environment
• Benefits: Turns physical machines into kiosks accessed by multiple users
WEM Administration
• Features: WEM Administration Console (on-premise); WEM Service Manage (Citrix Cloud)
• Benefits: Centralize environment management
Monitoring and Reporting
• Features: Daily Reports, User & Device Reports; User Trends
• Benefits: Monitoring and reporting for users and WEM Agent machines
Key Notes:
• System Optimization:
• WEM System Optimization settings monitor user and application behavior in real time, and then use this information to proactively adjust system resources, such as RAM, CPU, and disk I/O, to provide the most optimized overall experience for users, as well as ensuring that each user does not consume more resources than needed.
• WEM analyzes each individual application process being used within a user session and determines if the RAM currently allocated to that specific application is needed at that time. If not, it will “ask” Windows to re-allocate the RAM resource to
• User Assigned Actions
• Citrix Profile Management configured through WEM
• Security:
• Microsoft Windows AppLocker security is normally configured locally or through Group Policy. WEM enhances AppLocker security by centralizing configuration and the ability to bulk manage machines.
• Transformer:
• When the WEM Agent is installed and set to Transformer mode, it turns a physical machine into a kiosk accessed by multiple users.
• Once the user logs on, WEM can be configured to provide web pages, apps & desktops; all in a controlled kiosk environment.
• WEM Administration:
• An on-premises WEM deployment is managed centrally using the WEM Administration Console.
• Similarly, a WEM Service deployment is managed centrally through the Citrix Cloud portal webpage, using the WEM Service’s Manage tab.
• Monitoring and Reporting:
• Machines with a WEM Agent installed synchronize their user and logon statistics, Agent and device information, and boot statistics with the WEM deployment database.
• The information can be displayed in the WEM Administration Console or the WEM Service Manage tab for monitoring purposes, or exported as reports.
List the two benefits of WEM System Optimization.
Aggregate more user sessions on Windows multi-session OS VDAs.
Improve HDX session user experience with single-session OS and multi-session OS VDAs.
and Deployments
Overview:
• The WEM system components are marked in the diagram with a green Citrix symbol.
• An on-premises WEM deployment is used to optimize and secure VDAs and kiosk machines in an on-premises Citrix Virtual Apps and Desktops Site.
[Diagram: on-premises WEM deployment. Components: Active Directory, WEM Administration Console, WEM Infrastructure Servers, WEM Database on SQL Server, WEM Agent on a VDA, WEM Agent on a physical Transformer kiosk, kiosk User, and User/Endpoint with Citrix Workspace app. Labelled connections: Synchronization (WEM Agents and WEM Infrastructure Servers), SQL Transaction (WEM Infrastructure Servers and WEM Database), HDX Session (User/Endpoint and VDA).]
Key Notes:
• The WEM system components are marked in the diagram with a green Citrix symbol. In addition to the WEM components, a WEM deployment requires a Microsoft Active Directory domain and Microsoft SQL Server.
• An on-premises WEM deployment is used to optimize and secure VDAs and kiosk machines in an on-premises Citrix Virtual Apps and
Desktops Site.
WEM Agent:
• Applies the system optimization, logon optimization, security, and user experience settings.
• Settings are synchronized from the WEM Infrastructure Server.
• Web proxy is supported and configured by GPO.
• Agent installed on VDAs or physical kiosk machines (Transformer)
[Diagram: on-premises WEM deployment components and their connections.]
Key Notes:
• WEM Agent: The WEM Agent applies the system optimization, logon optimization, security, and user experience WEM settings to the
WEM Agent machines and the users that access them.
• The WEM Agent applies WEM settings retrieved from the WEM Infrastructure Server, or from local caches.
• The WEM Agent maintains local caches to reduce logon times and as a fallback if the Agent cannot connect to the WEM Infrastructure Server.
• Web proxies are supported for communications between Agent and WEM Infrastructure Server. WEM proxy configuration is set
Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html
• Agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
WEM Database:
• The WEM settings are stored in the WEM database, on a Microsoft SQL Server instance.
• For high-availability (HA), WEM supports SQL Always On availability groups on Windows Server failover Cluster (WSFC) nodes.
[Diagram: on-premises WEM deployment components and their connections.]
Key Notes:
• WEM Database: The WEM settings are stored in the WEM database, on a Microsoft SQL Server instance.
• For high-availability (HA), WEM supports SQL Always On availability groups on Windows Server failover Cluster (WSFC) nodes.
Additional Resources:
• Create a Workspace Environment Management Database: https://docs.citrix.com/en-us/workspace-environment-management/2003/install-and-configure/infrastructure-services.html#create-a-workspace-environment-management-database
WEM Administration Console:
• Also known as the WEM Console.
• The WEM Console is a management interface where all system optimization, logon optimization, security, and user experience WEM settings are configured.
[Diagram: on-premises WEM deployment components and their connections.]
Key Notes:
• WEM Administration Console: Also known as the WEM Console. The WEM Console is a management interface where all system
optimization, logon optimization, security, and user experience WEM settings are configured.
• The WEM Console accesses the WEM database by first connecting to the WEM Infrastructure Server. Once connected, the
WEM Console displays all configured WEM settings and any changes made to WEM settings are written to the WEM database
via the WEM Infrastructure Server.
• WEM Agents automatically synchronize their WEM settings but when needed, settings can be manually pushed to the Agent
Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html
• Administration console: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/admin-console.html
Active Directory (AD) Integration (1/2):
All deployments must include an AD domain.
• The computer accounts for the WEM Agent Windows OS machines must be members of an AD domain.
• WEM Infrastructure Server validates accounts with AD and reads AD to push user WEM settings out to users.
[Diagram: on-premises WEM deployment components and their connections.]
Key Notes:
• Active Directory domain: All WEM deployments must include an Active Directory domain.
• The computer accounts for the Windows OS machines on which the WEM Agent has been installed, must be members of an
Active Directory domain within the same AD structure.
• The WEM Agents, WEM Infrastructure Servers, and the WEM Administration Console all need to communicate with Active
Directory.
• The WEM Infrastructure Server validates accounts with Active Directory and reads Active Directory user account information to
Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html
domain membership within the same AD structure.
• WEM components contact AD frequently.
• AD Global Catalog Servers (GCS) are key to optimized object lookups.
• Without GCSs, WEM components fall back to trawling through all domain controllers.
[Diagram: AD Global Catalog Servers (GCS) and the WEM deployment: WEM Infrastructure Servers, WEM Administration Console, WEM Agents.]
Key Notes:
• All machines on which WEM components are installed, must have membership in a domain within the AD structure and must be
able to traverse domains and forest trusts within the AD structure.
• All users that are part of the WEM deployment must also have their AD user account membership within the same AD structure.
• WEM components in a deployment contact AD frequently. To optimize AD lookups by WEM components, WEM is designed to
contact AD Global Catalog Servers (GCS).
• A GCS holds records and partial records of all domains within a single AD domain forest or multiple AD forests joined by two-
WEM Infrastructure Server:
Broker.
• Central component of any WEM deployment.
• Retrieves WEM settings from the WEM database for the WEM Agents and the WEM Console.
• Reads computer and user accounts from AD.
• Manages the status of WEM Agents.
[Diagram: on-premises WEM deployment components and their connections.]
Key Notes:
• WEM Infrastructure Server: The WEM Infrastructure Server is also known as the WEM Broker.
• It is the central component of any WEM deployment.
• It communicates with the WEM database on SQL Server to retrieve and write WEM settings and WEM data for the WEM
Agents and the WEM Console.
• Neither the Console nor the Agents communicate directly with the WEM database instance on SQL.
• Only the WEM Infrastructure Server has direct access to the WEM database and performs SQL transactions on behalf of the
Additional Resources:
• Workspace Environment Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release.html
WEM Infrastructure Server High Availability (HA):
• Multiple WEM Infrastructure Servers can be accessed through a Citrix ADC for load balancing or for failover purposes.
• The WEM Console and WEM Agents would point to the Citrix ADC, rather than to the WEM Broker directly.
[Diagram: on-premises WEM deployment with a Citrix ADC (load balancing) in front of the WEM Infrastructure Servers.]
Key Notes:
• WEM Infrastructure Server – High Availability:
• For high-availability (HA), multiple WEM Infrastructure Servers can be accessed through a Citrix ADC for load balancing or for
failover purposes.
• If a Citrix ADC is used for load balancing multiple WEM Infrastructure Servers, the WEM Console and WEM Agents would point to the Citrix ADC, rather than to the WEM Broker directly.
Users:
a user experience that aligns with user productivity requirements and an organization’s security requirements.
• Launch apps and desktops hosted by VDAs that have the WEM Agent installed.
• Logon to a physical Windows kiosk machine that has the WEM Agent installed and set to Transformer mode.
[Diagram: on-premises WEM deployment components and their connections.]
Key Notes:
• Users: A major goal of a WEM deployment is the ability to create a user experience that aligns with both a user’s productivity
requirements and an organization’s security requirements.
• There are two ways users access resources optimized by a WEM deployment:
• Launching apps and desktops hosted by VDAs that have the WEM Agent installed.
• Logging on to a physical Windows kiosk machine that has the WEM Agent installed and set to Transformer mode.
To manage an on-premise WEM deployment:
• Add WEM Agent Machines
• Add users
• Create and Assign Resources
• Manage Policies
• Delegate admin roles
• Migrate Agents to WEM Service
Key Notes:
• The WEM Administration Console is used to manage a WEM on-premises deployment. There are many WEM administrative tasks,
and the main ones are listed here:
• WEM settings are applied to machines with WEM Agents installed. The AD computer accounts for these machines, individually or by OU, are added to the WEM deployment using the console.
• WEM settings can also be applied to users. The AD user accounts, or the AD Security Groups containing user accounts, are added to the WEM deployment using the console.
• The WEM Administration Console can be installed on a Windows client or server operating system.
• Initial use requires selecting a WEM Infrastructure Server to connect to and the TCP communications port to use.
• The default connection port is TCP 8288.
• These settings can be saved for auto-connection when launching the console again.
• The Administration Console is currently the single point to manage a WEM infrastructure; there are no PowerShell or command-line capabilities at this time.
• Note: PowerShell commands can be used to create and upgrade the WEM database and perform tasks on the Infrastructure service.
• Once the WEM Administration Console is connected to a WEM Broker, all changes are synchronized through the WEM Broker and saved to the WEM database instance.
Additional Resources:
• Administration Console: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/admin-console.html
What are the roles of the WEM Infrastructure Server in a WEM on-premises deployment?
It is the central component of any WEM deployment.
It retrieves WEM settings from the WEM database for the WEM Agents and the WEM Console.
It reads computer and user account information from Active Directory.
It manages the status of WEM Agents.
Deployments
[Diagram: WEM Service deployment. Citrix Cloud-managed: WEM Service Manage console (management), WEM Service Infrastructure Services, WEM Database on Citrix Cloud Azure SQL Server (SQL transaction). Customer-managed, on-premises: Active Directory, Citrix Cloud Connectors (AD integration, connection details), VDA with WEM Agent (synchronization over HTTPS), User/Endpoint with Citrix Workspace app (HDX session).]
Key Notes:
• Customer-managed components of a WEM Service deployment:
• WEM Agents: For clarity, the Transformer kiosk machine is not shown in the diagram. However, just like a WEM Agent installed on a VDA, a Transformer kiosk machine still synchronizes its WEM settings with the WEM database, through the WEM Infrastructure Services in Citrix Cloud.
• Microsoft Active Directory Server:
• Typically this is an on-premises, corporate Active Directory domain: VDAs with WEM Agents installed, Transformer kiosk
• As mentioned earlier, a Citrix Cloud Connector is required to allow WEM Infrastructure Services to communicate with WEM Agents and customer-managed Active Directory.
• You must install Citrix Cloud Connector on at least one machine in every resource location you are using.
• For continuous availability, install multiple Cloud Connectors in each of your resource locations.
• Citrix recommends at least two Cloud Connectors in each resource location to ensure high availability. If one Cloud Connector is unavailable for any period of time, the other Cloud Connectors can maintain the connection.
• Note: Strictly speaking, Citrix Cloud Connectors are co-managed by the customer and by Citrix. Customers are responsible for installing and managing the Cloud Connector machines, while Citrix is responsible for providing the automatic Cloud Connector software updates.
• Citrix Cloud-managed components of a WEM Service deployment:
• WEM Infrastructure Services:
• Communicates with the WEM database on SQL Server to retrieve and write WEM settings and WEM data for the WEM Agents and the WEM Console.
• This means that neither the Console nor the Agents communicate directly with the WEM database instance on SQL – it is the WEM Infrastructure Server that performs the SQL transactions on their behalf when requested.
• Citrix ensures that sufficient infrastructure services are provided on Citrix Cloud.
• WEM Service Manage console:
• Used by WEM administrators to manage a WEM Service deployment.
• Azure SQL Database:
• The WEM Service database is stored in a Microsoft Azure SQL Database service, deployed in an elastic pool.
• WEM Service is used with a Citrix Virtual Apps and Desktops Services Site.
• Can be deployed as US-based and EU-based instances in Citrix Cloud.
• WEM Service provides the same resource and logon optimizations as an on-premises WEM deployment.
Key Notes:
• A WEM Service deployment is used with a Citrix Virtual Apps and Desktops Services Site.
• Currently, a WEM Service can be deployed as US-based and EU-based instances in Citrix Cloud.
• A WEM Service deployment provides the same resource and logon optimizations as an on-premises WEM deployment.
Additional Resources:
• Workspace Environment Management Service: https://docs.citrix.com/en-us/workspace-environment-management/service.html
• Infrastructure Services, WEM database, and the WEM administration console are all managed by Citrix Cloud.
• WEM Agents communicate with WEM Infrastructure Services over an internet connection using HTTPS.
Key Notes:
• From a component point-of-view, the differences between on-premises WEM and WEM Service deployments are that:
• The VDAs that WEM Agents are installed on are part of a Citrix Virtual Apps and Desktops Service deployment’s resource
location.
• WEM Service deployments require Citrix Cloud Connectors – on-premises WEM deployments do not.
• Infrastructure Services, WEM database, and the WEM administration or Manage console are all managed by Citrix Cloud. All
components in an on-premises WEM deployment are managed by customers.
Additional Resources:
• Workspace Environment Management Service: https://docs.citrix.com/en-us/workspace-environment-management/service.html
• This greatly reduces the administrative overhead.
• Customers only need to manage the WEM Agents and Citrix Cloud Connectors.
Key Notes:
• The benefits of a WEM Service deployment over an on-premises WEM deployment are that:
• Citrix takes care of the maintenance, upgrading, availability, and security of the WEM Infrastructure Services, WEM Manage
console, and WEM database.
• This greatly reduces the administrative overhead when compared with on-premises WEM deployments.
• Customers only need to manage the WEM Agents and Citrix Cloud Connectors.
console is used to manage a WEM Service deployment:
• No delegated admins and no migration functionality
• Add WEM Agent Machines
• Add users
• Create and Assign Resources
• Manage Policies
Key Notes:
• The WEM Service Manage console is used to manage a WEM Service deployment.
• There are only cosmetic differences between the on-premises WEM Administration Console and the WEM Service Manage console
in Citrix Cloud.
• Functionality is almost identical between the two consoles. However, the main differences are that:
• There is no facility in the WEM Service Manage console to migrate WEM Agents from a WEM Service deployment to an on-premises WEM deployment.
• Creating and assigning resources to users and groups of users, such as printers and network drives, can be configured using the console.
• Typical GPO user experience and Windows control settings are managed through policy settings in the console. Citrix Profile Management can also be configured.
• WEM full administrators can assign users scope-based WEM administration roles, allowing these delegated administrators to perform specific tasks using the console.
• The WEM Service Manage console is hosted on a Citrix Cloud-based Windows VDA.
• WEM administrators access the Manage console by first logging into the Citrix Cloud portal and then connecting seamlessly using Citrix Workspace app for HTML5.
• The Manage console is pre-connected to the WEM Infrastructure Services, so there’s no need to choose an Infrastructure Server or communications port number.
• The Manage console is the single point to manage a WEM infrastructure; there are no PowerShell or command-line capabilities at this time.
Additional Resources:
• Administration Console: https://docs.citrix.com/en-us/workspace-environment-management/service.html
Why are Citrix Cloud Connectors required for a WEM Service deployment?
The Cloud Connectors handle communications between the WEM Infrastructure Services and the corporate Active Directory.
The Cloud Connectors handle communications between the WEM Infrastructure Services and WEM Agents.
The Cloud Connectors provide connection details to WEM Agents so that they can connect to the WEM Infrastructure Services.
Communication Workflows
• Communications between WEM components based on WCF client/server model.
• Only the WEM Infrastructure Server has direct access to the WEM database.
• The WEM Infrastructure Server is the central component of a WEM deployment.
[Diagram: WEM Agents on a VDA and on a physical Transformer kiosk (synchronization); WEM Infrastructure Servers; WEM Database on SQL Server (SQL transaction, TCP port 1433); User/Endpoint with Citrix Workspace app (HDX session).]
Key Notes:
• All communications among the WEM Agents, WEM Infrastructure Servers, and WEM Administration Console are based on the Windows Communication Foundation (WCF).
• Depending on the direction of communications, components act as either a WCF server or WCF client.
• Only the WEM Infrastructure Server communicates with the WEM database directly, and so it is considered to be the centralizing
component of a WEM deployment.
• When an Agent or a WEM Admin Console requests data from the WEM database or has data to write to the WEM database, it is the
Infrastructure Servers, and the Administration Console all need to communicate directly with Active Directory.
• Purpose is to retrieve AD objects when setting or deploying WEM settings.
• Communications between WEM components and AD is over TCP port 389.
[Diagram: WEM Agents on a VDA and on a physical Transformer kiosk (synchronization); WEM Infrastructure Server; WEM Database on SQL Server (SQL transaction); User/Endpoint with Citrix Workspace app (HDX session).]
Key Notes:
• The WEM Agents, WEM Infrastructure Servers, and the WEM Administration Console all need to communicate directly with Active
Directory.
• As we saw earlier, AD object searches by WEM components are most efficient when queried against Global Catalog Servers.
• WEM components communicate to AD over TCP port 389.
WEM Infrastructure Server to synchronize with the WEM database.
• Periodically “syncs” with the Infrastructure service to acquire updates (AgentLocalCacheSyncService TCP port 8288)
• The Agent retrieves machine/user WEM settings at session launch (AgentBrokerSvc TCP port 8286)
[Diagram: WEM Agent to WEM Infrastructure Server via AgentBrokerSvc (TCP port 8286) and AgentLocalCacheSyncService (TCP port 8288); WEM Infrastructure Server to WEM Database on SQL Server (SQL transaction, TCP port 1433).]
Key Notes:
• The WEM Agent communicates with the WEM Infrastructure Server, primarily to synchronize with the WEM database.
• Most communications between the WEM Agent and the WEM Infrastructure Server are initiated by the WEM Agent. There are two purposes for these Agent-initiated communications:
• Firstly, to synchronize the WEM Agent local cache database with the WEM Infrastructure Server:
• This task uses a WCF service called AgentLocalCacheSyncService and communication is over TCP port 8288 by default.
• AgentLocalCacheSyncService is the term that can be followed in WEM Agent logs when troubleshooting cache sync issues.
• The Agent Service sync task is performed each time a user launches a session to the VDA, if the Agent has been configured to do so in the WEM Admin Console. Its purpose is to retrieve the machine-specific and user-specific WEM settings from the WEM Infrastructure Server at session start. If the Agent has not been configured to retrieve the machine/user settings from the Infrastructure Server at session start, the Agent will rely on local caches for this information.
• The task is also initiated by the Agent to send monitoring, statistics, and status updates to the WEM Infrastructure Server.
• The WEM Infrastructure Server communicates with the WEM database instance over TCP port 1433, by default.
Additional Resources:
• Configure the Agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
• How to enable/collect logs on WEM Agent machine: https://support.citrix.com/article/CTX220635
• How to enable/collect logs on WEM Broker: https://support.citrix.com/article/CTX228742
WEM Administration Console
• Connects to the WEM Infrastructure Server over TCP port 8284.
• Adds computer accounts (with Agents installed) and user accounts. These are read from AD over TCP port 389.
• Sync requests can be pushed to Agents. Agents listen for requests on TCP port 49752.
[Diagram: WEM Administration Console to WEM Infrastructure Server (management, TCP port 8284); Active Directory; WEM Infrastructure Server to WEM Database on SQL Server (SQL transaction, TCP port 1433); WEM Agent on VDA (synchronization, listening on TCP port 49752).]
Key Notes:
• In order to perform any WEM deployment configuration tasks, the WEM Console must first be connected to the WEM Infrastructure
Server. By default this uses TCP port 8284.
• The Console retrieves the WEM configuration from the WEM database using the WEM Infrastructure Server. The Infrastructure
Server retrieves the WEM settings from the WEM database over TCP port 1433, on behalf of the Console.
• For any WEM Agent to receive or synchronize WEM settings, they must first be added to the WEM deployment using the WEM
Administration Console. For this, the console retrieves the computer account information from Active Directory, over port 389.
Additional Resources:
• Administration Console: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/admin-console.html
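The default on-premises ports named in the communication workflow notes above can be verified per machine role, including the flows that should not be reachable. This PowerShell is an added example, not part of the course material or any Citrix tool; host names are placeholders, and the 'Closed' rows are derived from the statement that only the WEM Infrastructure Server accesses the WEM database directly.

```powershell
# Added example (not Citrix code). Ports are the defaults stated in the Key Notes;
# host names are placeholders. Expect = 'Open' is a required flow; Expect = 'Closed'
# is a flow the role never needs, so reachability indicates a segmentation gap.
$WemFlows = @(
    [pscustomobject]@{ From = 'Agent';          To = 'Infrastructure';  Port = 8286;  Purpose = 'AgentBrokerSvc';             Expect = 'Open' }
    [pscustomobject]@{ From = 'Agent';          To = 'Infrastructure';  Port = 8288;  Purpose = 'AgentLocalCacheSyncService'; Expect = 'Open' }
    [pscustomobject]@{ From = 'Agent';          To = 'ActiveDirectory'; Port = 389;   Purpose = 'AD object lookup';           Expect = 'Open' }
    [pscustomobject]@{ From = 'Agent';          To = 'Sql';             Port = 1433;  Purpose = 'Direct database access';     Expect = 'Closed' }
    [pscustomobject]@{ From = 'Console';        To = 'Infrastructure';  Port = 8284;  Purpose = 'Administration';             Expect = 'Open' }
    [pscustomobject]@{ From = 'Console';        To = 'ActiveDirectory'; Port = 389;   Purpose = 'AD object lookup';           Expect = 'Open' }
    [pscustomobject]@{ From = 'Console';        To = 'Sql';             Port = 1433;  Purpose = 'Direct database access';     Expect = 'Closed' }
    [pscustomobject]@{ From = 'Infrastructure'; To = 'Sql';             Port = 1433;  Purpose = 'SQL transaction';            Expect = 'Open' }
    [pscustomobject]@{ From = 'Infrastructure'; To = 'ActiveDirectory'; Port = 389;   Purpose = 'AD object lookup';           Expect = 'Open' }
    [pscustomobject]@{ From = 'Infrastructure'; To = 'Agent';           Port = 49752; Purpose = 'Pushed sync request';        Expect = 'Open' }
)

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $connect = $client.ConnectAsync($ComputerName, $Port)
        # Wait() throws when the connection is refused; treat that as unreachable.
        return ($connect.Wait($TimeoutMs) -and $client.Connected)
    }
    catch { return $false }
    finally { $client.Dispose() }
}

function Test-WemFlow {
    param(
        [Parameter(Mandatory)][ValidateSet('Agent', 'Console', 'Infrastructure')][string]$Role,
        # Maps target roles (Infrastructure, Sql, ActiveDirectory, Agent) to host names.
        [Parameter(Mandatory)][hashtable]$Targets,
        # Replaceable probe so the logic can be exercised without network traffic.
        [scriptblock]$Probe = { param($h, $p) Test-TcpPort -ComputerName $h -Port $p }
    )
    foreach ($flow in ($WemFlows | Where-Object { $_.From -eq $Role })) {
        $target = $Targets[$flow.To]
        if (-not $target) { continue }   # no host supplied for this target role
        $reachable = [bool](& $Probe $target $flow.Port)
        $verdict = if ($flow.Expect -eq 'Open') {
            if ($reachable) { 'OK' } else { 'BLOCKED: required flow fails' }
        }
        else {
            if ($reachable) { 'EXPOSED: role should not reach this port' } else { 'OK' }
        }
        [pscustomobject]@{
            Role    = $Role
            Target  = $target
            Port    = $flow.Port
            Purpose = $flow.Purpose
            Verdict = $verdict
        }
    }
}

# Offline demo with a constructed reachability table (no packets are sent).
$constructed = @{
    'wem-lb.example.local:8286' = $true
    'wem-lb.example.local:8288' = $false   # cache sync port filtered
    'dc01.example.local:389'    = $true
    'sql01.example.local:1433'  = $true    # Agent subnet can reach SQL directly
}
$targets = @{
    Infrastructure  = 'wem-lb.example.local'   # load balancer address when WEM Brokers are load balanced
    ActiveDirectory = 'dc01.example.local'
    Sql             = 'sql01.example.local'
}
Test-WemFlow -Role Agent -Targets $targets -Probe { param($h, $p) $constructed["${h}:$p"] } |
    Format-Table -AutoSize
```

Dropping the `-Probe` argument runs the same checks against live hosts from the machine that holds the given role.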
• WEM Agents in both an on-premises deployment and a WEM Service deployment need to
communicate with WEM Infrastructure Services.
• WEM Agents in a WEM Service deployment need to communicate over the internet and use Citrix Cloud Connectors.
Key Notes:
• Just like in an on-premises WEM deployment, WEM Agents need to synchronize their data with the WEM database through the
WEM Infrastructure Services.
• But unlike an on-premises WEM deployment, a WEM Service deployment’s Agents and Infrastructure Services must communicate over an internet connection.
• Citrix Cloud Connectors are an integral part of a WEM Service deployment’s communications.
• WEM Agent requires either AgentLocalCacheSyncService or AgentBrokerSvc from the WEM Service.
• Step 1: Agent requests the WEM Service URL and a one-time service key from Cloud Connector.
• Step 2: Agent communicates directly to WEM Service using URL and service key and completes synchronization.
Key Notes:
• When a WEM Agent needs to synchronize its data, it must first know the public URL of the WEM Infrastructure Services in Citrix
Cloud.
• As with the on-premises WEM Agent, there are two services it can request from the WEM Infrastructure Services:
• The Agent Local Cache Sync Service (AgentLocalCacheSyncService): This service is requested by the Agent when it needs to
update its local cache database.
• The Agent Broker Service (AgentBrokerSvc): This service is requested by the Agent when a user launches a session, or the Agent
• The URL path includes the requested service: AgentLocalCacheSyncService or AgentBrokerSvc.
• The service key is validated by Citrix Cloud and synchronization can complete.
• Communications are over HTTPS and protected by TLS 1.2.
• Note: Agent synchronization occurs fairly frequently, and an Agent must retrieve the WEM Service URL and service key from the Cloud Connector each time.
• Corporate AD infrastructure is typically on a private subnet and not accessible from the internet.
• Citrix Cloud Connectors facilitate access from Citrix Cloud services, to deployment components in
private, customer-managed networks.
• For AD integration, WEM Service Infrastructure Services connect to the “Citrix Cloud Services AD Provider” on a Citrix Cloud Connector.
Key Notes:
• In an on-premises WEM deployment, the WEM Infrastructure Server can communicate directly with Active Directory because they
are on the same local network.
• In a WEM Service deployment, the corporate Active Directory infrastructure is typically on a private subnet and not accessible from
the internet.
• One of the major roles of Citrix Cloud Connectors is to facilitate access from Citrix Cloud services, such as WEM Service, to
deployment components in private, customer-managed networks.
• WEM Agents are typically on a private subnet, inaccessible from the public internet.
• Step 1: WEM administrator manually pushes synchronization requests to WEM Agents from the WEM Service
Manage console.
• Step 2: Infrastructure Services sends the Agent sync request to the “Citrix WEM Cloud Messaging Service” on the Citrix Cloud Connector.
• Step 3: WEM Agent listening on TCP port 49752 for sync request. The Agent then processes the sync request.
Key Notes:
• In a WEM Service deployment, WEM Agents are typically on a private subnet, inaccessible from the public internet. Again it is the
Citrix Cloud Connector that facilitates access from Citrix Cloud services to deployment components in private, customer-managed
networks.
• In Step 1, a WEM administrator manually pushes synchronization requests to WEM Agents from the WEM Service Manage console.
The request is sent to the WEM Infrastructure Services.
• In Step 2, Infrastructure Services sends the Agent sync request to the “Citrix WEM Cloud Messaging Service” on the Citrix Cloud
and on-premise components on private subnets?
Citrix Cloud Connectors
infrastructure consists of multiple WEM and Microsoft components.
• The Infrastructure Service is the primary communication component within WEM.
• The Workspace Environment Management infrastructure can be deployed on-premises or as a Citrix Cloud service.
• The Administration Console is the single point for managing a WEM infrastructure.
WEM On-Premises and WEM Service Deployment Installation
Module 9
Policy settings that are relevant to WEM on-premises and WEM Service deployments.
• Describe the settings and account requirements when setting up WEM on-premises infrastructure components.
• Describe the purpose and requirements of the settings when installing the WEM Agent in a WEM on-premises or WEM Service deployment.
• Discuss the differences between WEM on-premises and WEM Service deployment components and capabilities.
Installation
Leading Practice Installation Prerequisites and Steps
There are three WEM on-premises deployment components to install:
• WEM Infrastructure Server
• WEM Administration Console
• WEM Agents
All require .NET Framework 4.7.1 (or later) and the Microsoft Sync Framework 2.1 to be pre-installed.
• WEM installers will install this software, if not already present.
• Recommended to pre-install .NET version before WEM component install to avoid lengthy installation time and reboots.
The WEM database is created as a follow-up task to the WEM Infrastructure Server install.
• Microsoft SQL Server 2008 R2 (or later) required.
217 © 2020 Citrix | Confidential
Key Notes:
There are three WEM on-premises deployment components to install as part of a WEM on-premises deployment:
• WEM Infrastructure Server
• WEM Administration Console
• WEM Agent
All require the .NET Framework 4.7.1 (or later) and the Microsoft Sync Framework 2.1 to be pre-installed.
Strictly speaking, the WEM database is a WEM component but not an installed component. The WEM database is created
as a follow-up task to the WEM Infrastructure Server install.
Microsoft SQL Server 2008 R2 or later is required.
Additional Resources:
• WEM System requirements: https://docs.citrix.com/en-us/workspace-environment-management/current-release/system-requirements.html
WEM Agent machines it is leading practice to setup the WEM environment first.
• Allows immediate synchronization of WEM settings and populating WEM Agent local caches.
Key Notes:
• Before rolling out the WEM Agent machines, it is leading practice to set up the WEM environment first.
• This is so WEM Agent machines can immediately synchronize their WEM settings and populate them into WEM Agent local caches,
at first start up.
Step 1. Add the WEM ADMX GPO template to the AD domain controller and configure WEM environment settings.
Step 2. Install and configure the WEM Infrastructure Services.
Create the WEM database.
Run and complete the WEM Infrastructure Service Configuration utility.
Step 3. Install the WEM Administration Console.
Step 4. Perform initial WEM deployment configuration tasks.
Configure WEM settings to apply to WEM Agents and users.
Step 5. Install WEM Agent on master image, Layer, or machine (varies depending on provisioning methods).
Step 6. Test and verify WEM Agent registration and synchronization.
Key Notes:
• The high-level steps to deploy a WEM on-premises deployment are:
• Step 1. Add the WEM ADMX GPO template to the AD domain controller and configure WEM environment settings. This is an
optional step as the parameter values in the GPO can be configured as part of the WEM Agent install.
• Step 2. Install and configure the WEM Infrastructure Services. Create the WEM database. Run and complete the WEM
Infrastructure Service Configuration utility.
• Step 3. Install the WEM Administration Console.
be installed and configured prior to installing WEM Agents on machines?
To allow WEM Agents to immediately synchronize themselves on first start up.
Installation
WEM ADMX Template Configuration
• The Infrastructure server setting is only enabled and configured for on-premises WEM deployments. Value will be of the WEM Broker or WEM Broker load balancer.
• WEM Agent version 1912 and later supports both the Cached synchronization and the Cached data synchronization for updating its local cache with the WEM Broker.
• All port-related settings can be left unspecified if WEM deployment uses default port values.
Key Notes:
• The most convenient method of centrally applying WEM Agent configuration to all WEM Agents in a deployment, whether an on-premises or WEM Service deployment, is using the WEM ADMX template in a Group Policy Object (GPO).
• The Infrastructure server setting is only enabled and configured for on-premises WEM deployments.
• If WEM Infrastructure Server load balancing is used, the FQDN or IP address will be of the load balancer – usually a Citrix ADC.
• As mentioned earlier, currently the WEM Agent supports two methods of synchronizing its local WEM settings cache with the WEM Broker.
release/install-and-configure/agent-host.html
Service Group Policy setting if WEM Infrastructure Servers are to be load balanced?
The FQDN or IP address of the load balancer itself and not the address of a WEM Infrastructure Server.
Installation
Choosing a Security Principal to run the WEM Infrastructure Service
Service.
• There is no need to manually configure the service’s Log On properties as shown in the image.
• The final post-installation task uses a configuration UI utility that handles this for you.
• The following slides explain how to choose an appropriate security principal.
Key Notes:
• Before installing the WEM Infrastructure Server, it is important to decide on the security principal that will be used to run the
Norskale Infrastructure Service.
• There is no need to manually configure the service’s Log On properties as shown in the image.
• After installing the WEM Infrastructure Server, the final post-installation task uses a configuration UI utility that handles this for you.
• The goal of the following slides is to allow you to be aware of the considerations and to be able to choose an appropriate security
principal.
• Using LocalSystem means that the Norskale Infrastructure Service will present the computer’s credentials to remote servers and will use the vuemUser account for connection to the WEM database on SQL.
Advantages:
• Easy WEM Broker setup.
• No password expiration issues.
Disadvantages:
• Security vulnerability – LocalSystem has almost unlimited privileges on a Windows machine.
• Cannot use when load balancing WEM Brokers.
Key Notes:
• During installation, the service always adds LocalSystem as the service’s Log On account. This can be changed to an AD user account
or an AD Group Managed Service Account (gMSA) in accordance with your organization’s security policies.
• Using LocalSystem means that the Norskale Infrastructure Service will present the computer’s machine account credentials to
remote servers and will use the vuemUser account for connection to the WEM database on SQL.
• The vuemUser account is a SQL account created on the SQL Server during the WEM database creation task.
Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html
Administrators group on the WEM Infrastructure Services machine.
Advantages:
• A single AD User Account is used to allow WEM Infrastructure Servers to be load balanced.
Disadvantages:
• Typically, an AD User account password expires, and will have to be periodically updated in the service’s properties and Infrastructure Services Configuration utility.
Key Notes:
• Some organizations require the granular security of using an AD user account principal so they can restrict access just to the
requirements of running the Norskale Infrastructure Service.
• The account must be a member of the local Administrators group on the machine where the WEM Infrastructure Services has been
installed.
• The advantage of using a single AD User Account to run the service is that it allows for the load balancing of WEM Infrastructure
servers.
Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html
• Configure load balancing: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-load-balancing
• Automatic password account management by Windows.
• A single gMSA is used to run the Norskale Infrastructure Service across multiple WEM Infrastructure Servers and allows these servers to function in a load balanced configuration.
Disadvantages:
• Requires the skills to create and manage a gMSA solution.
• Machines within a failover cluster do not support gMSAs.
Key Notes:
• The Norskale Infrastructure Service can also run using a group Managed Service Account (gMSA).
• Advantages:
• When a gMSA is used as a service principal, Windows manages the password for the account instead of relying on
administrators to manage it.
• A single gMSA can be used to run the Norskale Infrastructure Service on multiple WEM Infrastructure Servers and allows these servers to function in a load balanced configuration.
Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html
• Configure load balancing: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-load-balancing
• Group Managed Service Accounts (gMSAs) Overview: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
administrators do not want to have to deal with expired passwords. Which security principal will you use?
A Group Managed Security Account (gMSA).
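The trade-offs between LocalSystem, an AD user account and a gMSA described in this lesson can be turned into an audit of the account each WEM Infrastructure Server actually uses. This PowerShell is an added example, not Citrix code; the server and account names are constructed, the service display name is assumed to match the name used on this page, and treating a trailing `$` as a gMSA is a heuristic.

```powershell
# Added example (not Citrix code). Classifies the logon account of the
# infrastructure service and reports the concerns this lesson lists for each type.

function Get-WemServicePrincipalType {
    param([Parameter(Mandatory)][string]$StartName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'LocalSystem'; break }
        '\$$'                                  { 'gMSA'; break }   # heuristic: gMSA logon names end in '$'
        default                                { 'ADUser' }
    }
}

function Test-WemServicePrincipal {
    param(
        # Objects with Server and StartName properties (see Get-WemServiceLogon).
        [Parameter(Mandatory)][object[]]$Service,
        # Set when the WEM Infrastructure Servers sit behind a load balancer.
        [switch]$LoadBalanced
    )
    $rows = foreach ($s in $Service) {
        [pscustomobject]@{
            Server  = $s.Server
            Account = $s.StartName
            Type    = Get-WemServicePrincipalType -StartName $s.StartName
        }
    }
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($r in $rows) {
        switch ($r.Type) {
            'LocalSystem' {
                $findings.Add("$($r.Server): LocalSystem has almost unlimited privileges on the machine.")
                if ($LoadBalanced) {
                    $findings.Add("$($r.Server): LocalSystem cannot be used when load balancing WEM Brokers.")
                }
            }
            'ADUser' {
                $findings.Add("$($r.Server): AD user '$($r.Account)' needs password rotation in the service properties and the configuration utility.")
            }
            'gMSA' {
                $findings.Add("$($r.Server): gMSA '$($r.Account)' in use; confirm the machine is not in a failover cluster.")
            }
        }
    }
    if ($LoadBalanced) {
        $distinct = @($rows.Account | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            $findings.Add("Load-balanced servers run under different accounts ($($distinct -join ', ')); a single AD user or gMSA is expected.")
        }
    }
    [pscustomobject]@{ Servers = $rows; Findings = $findings }
}

# Live collection. Assumption: the service display name contains the name used
# on this page; adjust the filter if your build names the service differently.
function Get-WemServiceLogon {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c `
            -Filter "DisplayName LIKE '%Norskale Infrastructure Service%'" |
            Select-Object @{ Name = 'Server'; Expression = { $c } }, StartName
    }
}

# Constructed sample: two load-balanced servers with mismatched principals.
$sample = @(
    [pscustomobject]@{ Server = 'WEM01'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Server = 'WEM02'; StartName = 'CORP\svc-wem$' }
)
$result = Test-WemServicePrincipal -Service $sample -LoadBalanced
$result.Servers | Format-Table -AutoSize
$result.Findings
```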
Installation
Creating the WEM Database
Infrastructure Services from the installer UI, the next task is to create the WEM database.
• This lesson covers the creation of the WEM database using the Database Management Utility; focusing on the accounts used.
• A WEM database can also be created using the WEM SDK in PowerShell. Check the Additional Resources on the slide for further details.
Key Notes:
• After installing the WEM Infrastructure Services from the installer UI, the next task is to create the WEM database.
• This lesson covers the creation of the WEM database using the Database Management Utility; focusing on the accounts used.
• A WEM database can also be created using the WEM SDK in PowerShell. Check the Additional Resources on the slide for further
details.
will hold the WEM database.
• WEM database to be created on SQL Server.
• The Data File and Log File locations will populate automatically using the default SQL file locations.
Key Notes:
• The “Server and instance name” is the host name of the SQL Server that will hold the WEM database.
• The “Database name” is the WEM database to be created on SQL Server.
• The “Data file” and “Log file” are populated automatically using the default SQL file locations.
• There is no need to change this unless the location of these files has been changed on the SQL Server.
using the credentials of the user currently logged onto the machine running the wizard.
• Username and password of an account that has the SysAdmin role on the SQL Server.
Key Notes:
• The “Database Server Credentials” specify which account will be used to create the WEM database on the SQL Server.
• Creating the WEM database requires an account that has the SysAdmin role on the SQL Server.
• Checking the “Use integrated connection” means that the database will be created using the credentials of the user currently logged
onto the machine running the wizard.
• This user account must already have the SysAdmin role on the SQL Server.
• If the logged in user does not have the SysAdmin role, uncheck the box and provide the credentials of an account that has the
Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html
the WEM Administration Console.
• Box unchecked when LocalSystem runs the WEM Infrastructure Service. Box is checked when providing AD User Account or gMSA to run the service.
• Set a vuemUser password if SQL Server Always On Availability Groups will be used or if the SQL password policy is more stringent.
Key Notes:
• The “Initial administrator group” is not required for creating the WEM database. Instead it is the AD Security Group that is given full
admin permissions in the WEM Administration Console.
• The “Database Security” section deals specifically with the security principal that will run the Norskale Infrastructure Service.
• When the “Use Windows authentication…” box is unchecked, it means you’ve decided to run the Norskale Infrastructure
Service as LocalSystem.
• Recall that if the service will run as LocalSystem, the WEM Infrastructure Service’s connection to the WEM database
the WEM database.
• When the box is checked, Windows Authentication on SQL will be used for the WEM database.
• The “Set vuemUser SQL user account password” box needs to be checked if using SQL Server Always On Availability Groups – which is used for database high availability.
• A vuemUser password needs to be created because it must be known, and provided when adding the database to the availability group.
• A suitable vuemUser password will also need to be specified if the WEM auto-generated password does not meet a more stringent SQL password policy.
Additional Resources:
• Install and configure: Infrastructure services: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html
Server. What permissions do you need to have?
Your account must have the SysAdmin role on the SQL Server.
Installation
Running the WEM Infrastructure Service Configuration Utility
• The final post-installation task is to run and complete the WEM Services Infrastructure Configuration utility.
• Alternatively, use the WEM SDK in PowerShell. Check the Additional Resources on the slide for further details.
• Main purpose is to write the WEM Infrastructure Services setup values configured during install, to the WEM database and local registry.
• The Database Settings tab specifies the location and name of the WEM database.
Key Notes:
• After creating the WEM database, the final task for completing the installation of the WEM Infrastructure Server is to run the WEM
Infrastructure Service Configuration utility.
• Alternatively, use the WEM SDK in PowerShell. Check the Additional Resources on the slide for further details.
• There are several purposes for the UI utility:
• The main purpose of the utility is to write all of the WEM Infrastructure Services setup values that were configured during
installation, to the WEM database and local registry.
Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service
• Citrix Workspace Environment Management 1912 SDK: https://developer-docs.citrix.com/projects/workspace-environment-management-sdk/en/latest/
that the WEM Infrastructure Services will listen to requests from other WEM components.
• Must match the TCP ports configured on each of the other WEM components otherwise communications between the Broker and the component will fail for that service.
• The image shows the default pre-set values.
• No reason to change the default WEM port values unless there are security or other environmental justifications.
Key Notes:
• The Network Settings tab specifies the TCP port numbers on which the WEM Infrastructure Services listen for requests from other WEM components.
• These must match the TCP ports configured on each of the other WEM components, otherwise communications between the Broker and the component will fail for that service.
• The Administration port used when launching the WEM Administration Console must match the Administration port specified on
this Network Settings tab.
justifications.
Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service
record the account information.
• Match the account values with those used when configuring the WEM Infrastructure Service and WEM database connection information.
• If the Norskale Infrastructure Service has been configured to run using a gMSA solution:
• Enter any password into the “Infrastructure service account password” box.
• The Norskale Infrastructure Service will be correctly configured and the password will be ignored.
Key Notes:
• The Advanced Settings tab is where you record the account information. Again, it is important to match these values with the values
used when configuring the WEM Infrastructure Service and WEM database connection information.
• The Infrastructure service account and password entered here are written to the Norskale Infrastructure Service Log On properties.
• The exception is if the Norskale Infrastructure Service has been configured to run using a group Managed Service Account (gMSA)
solution:
• If a gMSA has been configured to run the Norskale Infrastructure Service, enter the account and just enter any password in to
Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service
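One way to confirm which security principal the service ends up running under after the Advanced Settings tab is completed, as an added example that is not part of the Citrix course material. It assumes the service display name is the "Norskale Infrastructure Service" used in these notes and that the ActiveDirectory module (RSAT) is installed; the function names are hypothetical.

```powershell
# Added example (not Citrix code): report which security principal runs the
# WEM Infrastructure Service and what the course notes imply for that choice.
# Assumptions: the display name below is the one used in these notes; the
# ActiveDirectory module (RSAT) is installed for the gMSA lookups.

function Get-ServiceAccountKind {
    # Hypothetical helper: classify a Win32_Service.StartName value.
    param([Parameter(Mandatory)][string]$StartName)

    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { return 'LocalSystem' }
    if ($StartName -match '^NT AUTHORITY\\')                      { return 'OtherBuiltIn' }
    if ($StartName -match '\$$')                                  { return 'ManagedServiceAccount' }
    return 'UserAccount'
}

function Get-WemServiceAccountReport {
    param([string]$DisplayName = 'Norskale Infrastructure Service')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' was not found on $env:COMPUTERNAME." }

    $kind       = Get-ServiceAccountKind -StartName $svc.StartName
    $isGmsa     = $false
    $hostCanUse = $null

    if ($kind -eq 'ManagedServiceAccount') {
        # Drop the DOMAIN\ prefix; the trailing $ is part of the sAMAccountName.
        $sam = ($svc.StartName -split '\\')[-1]
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
            $account    = Get-ADServiceAccount -Identity $sam -ErrorAction Stop
            $isGmsa     = $account.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
            # True only when this host is allowed to retrieve the managed password.
            $hostCanUse = Test-ADServiceAccount -Identity $sam
        }
        catch {
            Write-Warning "Active Directory lookup for '$sam' failed: $($_.Exception.Message)"
        }
    }

    # Per the notes: box unchecked for LocalSystem, checked for an AD user or gMSA.
    $wizardBox = switch ($kind) {
        'LocalSystem'  { 'unchecked' }
        'OtherBuiltIn' { 'not covered by the notes' }
        default        { 'checked' }
    }

    # Only an ordinary AD user account leaves password expiry to the administrator.
    $passwordNote = switch ($kind) {
        'UserAccount'           { 'set by an administrator; subject to expiry policy' }
        'ManagedServiceAccount' { 'managed by Active Directory; value typed in the utility is ignored' }
        default                 { 'no password' }
    }

    [pscustomobject]@{
        Service                    = $svc.DisplayName
        RunsAs                     = $svc.StartName
        AccountKind                = $kind
        IsGroupManaged             = $isGmsa
        HostCanUseAccount          = $hostCanUse
        UseWindowsAuthenticationBox = $wizardBox
        Password                   = $passwordNote
    }
}

Get-WemServiceAccountReport | Format-List
```

A `HostCanUseAccount` value of `False` means the Infrastructure Server is not permitted to retrieve the gMSA password, so the service would fail to start under that account.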
you configure WEM database connection and WEM database caching settings.
• Local WEM database cache is updated as per frequency settings and can be used when SQL Server connection is unreliable.
• Enabling performance tuning should only be done if server performance optimization is required or if there are WEM component disconnection issues.
• Worker threads and asynchronous I/O thread values set to equal the number of WEM Agents in the deployment.
Key Notes:
• The Advanced Settings tab is also where you configure WEM database connection and WEM database caching settings.
• The WEM Broker maintains a local cache of the WEM database that it can use to retrieve WEM settings and statistics if the
connection between the Broker and the SQL Server is lost.
• The cache synchronization refresh frequency can be set as well as the WEM database connection attempt timeout value.
• You can set to always use the local WEM database cache, for example if the connection to the SQL Server is sometimes unreliable –
the cache itself will continue to be updated as per the refresh frequency.
• Setting too high a value can cause performance issues on the WEM Broker.
• Be sure to refer to the Additional Resources links for this slide before changing performance tuning values.
Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service
• On the Database Maintenance tab, scheduled data maintenance can be enabled to run, as per the values set.
• Default values are provided but can be changed to suit needs.
• If the Enable box is not checked, no database maintenance will occur.
Key Notes:
• On the Database Maintenance tab, scheduled data maintenance can be enabled to run, as per the values set.
• Default values are provided but can be changed to suit your needs.
• If the Enable box is not checked, no database maintenance will occur.
Additional Resources:
• Configure the infrastructure service: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#configure-the-infrastructure-service
344 © 2021 Citrix Authorized Content
WEM Infrastructure Server post-installation tasks
WEM Infrastructure Service Configuration (6/6)
Server host name or IP address, and License Server port can be specified.
• When the Global License Server override box is checked, the values are used by WEM Administration Consoles at each launch.
• If the Global License Server override box is not checked, the admin will need to provide Citrix License Server details on first launch of the Admin Console.
Key Notes:
• On the Licensing tab, the Citrix License Server host name or IP address, and License Server port can be specified.
• When the Global License Server override box is checked, the values are used by WEM Administration Consoles at each launch.
• If the Global License Server override box is not checked, the admin will need to provide Citrix License Server details on first launch of
the Admin Console.
WEM components but none of them match the default WEM ports. You configure the assigned ports, but what will you need to do when setting up and configuring the other WEM components?
You must ensure that the ports configured during the rollout of the WEM Administration Console and WEM Agent machines match the assigned TCP port numbers.
Installation
WEM Agent Installation
• The WEM Agent installer for on-premises WEM deployments: Available from the Citrix website Downloads page.
• The WEM Agent installer for WEM Service deployments: Available from the Citrix Cloud portal’s Workspace Environment Management page.
• Both versions of the WEM Agent can be installed and configured using the WEM PowerShell SDK, which is added automatically during Agent installation.
• Both installers are universal but the versions may be different because the WEM Agent installer for WEM Service deployments is on a more frequent release cycle than the quarterly release cycle of the on-premises WEM Agent:
• Installing a WEM Service WEM Agent on a machine that is part of a WEM on-premise deployment is not recommended.
• Using an on-premises WEM Agent version in a WEM Service deployment is supported, as long as the WEM Agent version meets Citrix product lifecycle requirements. The scenario would occur after an on-premises WEM deployment is migrated to a WEM Service deployment.
Key Notes:
• The WEM Agent installer for on-premises deployments is available for download from the Citrix website Downloads page.
• The WEM Agent installer for WEM Service deployments is available for download from the Citrix Cloud portal’s Workspace
Environment Management page.
• Both versions of the WEM Agent can be installed and configured using the WEM PowerShell SDK, which is added automatically
during Agent installation.
• Both installers are universal in that they are the same installer but at any one time, the versions will be different.
is not recommended.
• Using an on-premises WEM Agent version as part of a WEM Service deployment is supported because backwards compatibility is supported, as long as the WEM Agent version meets Citrix product lifecycle requirements. The scenario would occur after an on-premises WEM deployment is migrated to a WEM Service deployment.
Additional Resources:
• Install and configure the Agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
• Citrix Product Lifecycle matrix: https://www.citrix.com/support/product-lifecycle/product-matrix.html
• WEM Service management on Citrix Cloud: https://wem-production-ui.wem.cloud.com/
on-premises WEM deployment.
• It is not recommended to use the WEM Service WEM Agent installer as part of an on-premises WEM deployment.
Key Notes:
• Choose to install the WEM Agent as part of an on-premises WEM deployment.
• Recall that it is not recommended to use the WEM Service WEM Agent installer as part of an on-premises WEM deployment.
Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
GPOs.
• Configure the Infrastructure Service value and port values so that the Agent can communicate with the WEM Broker without need for the values provided by GPO.
• Both port values specified must match the same port values set during the WEM Infrastructure Server installation and configuration.
Key Notes:
• When using App Layering, the WEM Agent is installed on the Platform Layer. At that time, the machine is not usually subject to any
AD GPOs.
• So to ensure that the Platform Layer WEM Agent is able to communicate with the WEM Broker immediately after Agent installation,
configure the Infrastructure Service FQDN or IP address, rather than choosing “Skip configuration”, even if the WEM GPO has been
configured.
• For the same reason, ensure that the Agent service port and Cached Data synchronization ports are configured on this page.
Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
• Recommended to specify the Alternative Cache Location to persist these two caches between restarts on non-persistent VDAs.
• VUEMAppCmd Extra Sync Delay: Delay the published app launch until all WEM settings have been applied.
• Only applies when the VUEMAppCmd executable is used to control the launch timing of published applications in a Delivery Group.
Key Notes:
• The WEM Agent uses four local caches. Two of them can be moved from the local drive to, most commonly, the cache data drive
used by Citrix Provisioning and Citrix Machine Creation Services (MCS).
• It is recommended to specify the Alternative Cache Location to persist these two caches between restarts on non-persistent VDAs.
• The VUEMAppCmd executable is used to control the launch timing of published applications in a Delivery Group. It is not mandatory
to use VUEMAppCmd but it can resolve issues where some WEM settings are not applying intermittently.
• The purpose of the Extra Sync Delay is to delay the published app launch until all WEM settings have been applied. 100 to 200
citrix-studio
and the WEM Agent from the WEM Service download page on the Citrix portal. He asks you which one he should use. What do you advise them?
In an on-premise WEM deployment, only install the on-premise WEM Agent.
If it’s an on-premise WEM deployment that is about to be migrated to a WEM Service deployment, they may continue to use the on-premises WEM Agent and upgrade to the latest WEM Service Agent as part of the next maintenance cycle.
WEM On-Premises vs WEM Service
WEM On-Premises:
• All Active Directory infrastructure maintained on local premises.
• All Workspace Environment Management components (including Infrastructure Service) maintained on local premises.
• Microsoft SQL Server maintained on local premises.
• All physical and virtual machines with WEM Agent maintained on local premises.
WEM Service:
• All Active Directory infrastructure maintained on local premises.
• A Citrix Cloud Service subscription is required to use the WEM Service infrastructure.
• WEM Infrastructure Service and administration Manage console maintained in the Citrix Cloud.
• Single or multiple resource locations.
• Multiple (recommended) Cloud Connectors maintained on local premises.
• Microsoft SQL Server maintained in Citrix Cloud.
• All physical and virtual machines with WEM Agent maintained on local premises.
Key Notes:
• In both on-premises WEM and WEM Service, all Active Directory infrastructure is maintained on local premises and managed by the customer.
• In on-premises WEM deployments, all WEM components are installed locally, customer-managed, must comply with AD
requirements, and usually all on the same network to support the communication requirements.
• In a WEM Service deployment, all WEM infrastructure components are managed and maintained by Citrix Cloud.
• WEM Service supports multiple separate resource locations containing VDAs with WEM Agent installed. This frees WEM Agents to be
Additional Resources:
• Workspace Environment Management service: https://docs.citrix.com/en-us/workspace-environment-management/service.html
Describe the benefits of using WEM Service rather than WEM on-premises.
All WEM infrastructure components are managed and maintained by Citrix Cloud, removing the admin burden.
Supports multiple resource locations in a single WEM Service deployment.
Installation
Leading Practice Installation Prerequisites and Steps
• WEM Agents
Cloud Connectors require .NET Framework 4.7.2 (or later).
• Citrix strongly recommends installing at least two Cloud Connectors in each resource location to ensure high availability.
• Refer to the Citrix Cloud Connector Technical Details page on Citrix Product Documentation.
WEM Agent requires .NET Framework 4.7.1 (or later) and the Microsoft Sync Framework 2.1 to be pre-installed.
• WEM installer will install this software, if not already present.
• Recommended to pre-install .NET version before WEM component install to avoid lengthy installation time and reboots.
Key Notes:
There are two WEM Service deployment components to install:
• Citrix Cloud Connectors
• WEM Agents
WEM Agents require the .NET Framework 4.7.1 (or later) and the Microsoft Sync Framework 2.1 to be pre-installed.
• Each WEM component installer will automatically install this required software before the installation of the WEM components starts, but it is recommended to install WEM components on machines that already have .NET Framework 4.7.1 (or later) installed.
• Doing so will avoid lengthy .NET installation time and reboots.
Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/service/install-and-configure.html
• Citrix Cloud Connector Technical Details: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/technical-details.html
• CXD-250 - Moving to the Citrix Virtual Apps and Desktops Service on Citrix Cloud: https://training.citrix.com/learning/course?courseId=1746
• CXD-252 - Moving to the Citrix Virtual Apps and Desktops Service on Citrix Cloud with Microsoft Azure: https://training.citrix.com/learning/course?courseId=1854
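A pre-flight check for the prerequisites listed in the Key Notes above, as an added example that is not part of the Citrix course material. The Release thresholds are Microsoft's documented minimum registry values for .NET Framework 4.7.1 and 4.7.2; the Sync Framework lookup by uninstall display name is an assumption, and the function names are hypothetical.

```powershell
# Added example (not Citrix code): verify the .NET prerequisites named in the
# notes before running a Cloud Connector or WEM Agent installer, so the
# installer does not have to add .NET itself and trigger a reboot.

# Minimum "Release" DWORD values documented by Microsoft.
$MinimumRelease = @{
    CloudConnector = 461808   # .NET Framework 4.7.2 (or later)
    WemAgent       = 461308   # .NET Framework 4.7.1 (or later)
}

function Get-DotNetRelease {
    # Returns 0 when .NET Framework 4.5 or later is not installed.
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $prop = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($prop) { [int]$prop.Release } else { 0 }
}

function Test-SyncFramework21 {
    # Assumption: Sync Framework 2.1 components register uninstall entries
    # whose DisplayName begins with "Microsoft Sync Framework 2.1".
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hits = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Sync Framework 2.1*' }
    [bool]$hits
}

function Test-WemPrerequisite {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CloudConnector', 'WemAgent')]
        [string]$Role
    )

    $release = Get-DotNetRelease
    $dotNetOk = $release -ge $MinimumRelease[$Role]

    # Only the WEM Agent needs the Sync Framework according to the notes.
    $syncOk = if ($Role -eq 'WemAgent') { Test-SyncFramework21 } else { $true }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Role            = $Role
        DotNetRelease   = $release
        RequiredRelease = $MinimumRelease[$Role]
        DotNetOk        = $dotNetOk
        SyncFrameworkOk = $syncOk
        Ready           = $dotNetOk -and $syncOk
    }
}

Test-WemPrerequisite -Role WemAgent
Test-WemPrerequisite -Role CloudConnector
```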
(CVAD Service), Citrix Cloud deployment.
• The VDAs are contained in a Citrix Cloud resource location and each resource location will contain at least two Citrix Cloud Connectors.
• The setup and configuration of CVAD Service, Resource Locations, and WEM Service are all managed through the Citrix Cloud portal.
Key Notes:
• WEM Service is most commonly used with VDAs that are in a Citrix Virtual Apps and Desktops Service (CVAD Service), Citrix Cloud
deployment.
• The VDAs on which the WEM Agents are installed are contained in a Citrix Cloud resource location and each resource location will
contain at least two Citrix Cloud Connectors.
• The setup and configuration of CVAD Service, Resource Locations, and WEM Service are all managed through the Citrix Cloud portal.
practice to set up the WEM Service environment first.
• This is so WEM Agent machines can immediately synchronize their WEM settings and populate them into WEM Agent local caches, at first start up.
Key Notes:
• Just as with a WEM on-premises deployment, before rolling out the WEM Agent machines it is leading practice to set up the WEM Service environment first.
• This is so WEM Agent machines can immediately synchronize their WEM settings and populate them into WEM Agent local caches,
at first start up.
Step 1. Add the WEM ADMX GPO template to the AD domain controller and configure WEM environment settings.
Step 2. Install and configure the Citrix Cloud Connectors (if not already existing)
Step 3. Create Resource Locations (if not already existing)
Step 4. Perform initial WEM deployment configuration tasks. Configure WEM settings to apply to WEM Agents and users.
Step 5. Install WEM Agent on master image, Layer, or machine (varies depending on provisioning methods).
Step 6. Test and verify WEM Agent registration and synchronization.
Key Notes:
• Before rolling out the WEM Agent machines it is leading practice to set up the WEM environment first.
• This is so WEM Agent machines can immediately synchronize their WEM settings and populate them into WEM Agent local caches,
at first start up.
• The broad steps to deploy a WEM on-premises deployment are:
• Step 1. Add the WEM ADMX GPO template to the on-premises, customer-managed AD domain controller and configure WEM
environment settings. This is an optional step as the parameter values in the GPO can be configured as part of the WEM Agent
• Step 6. Test and verify WEM Agent registration and synchronization.
over three separate resource locations. The resource locations each have two Citrix Cloud Connectors. Are additional Cloud Connectors required to support WEM Service?
No, WEM Service incorporates seamlessly into an existing CVAD Service environment.
Installation
WEM ADMX Template Configuration
using the WEM ADMX template in a Group Policy Object (GPO).
• For WEM Service deployments, only the Citrix Cloud Connectors setting, Agent proxy setting, and VUEMAppCmd extra sync delay setting are used.
• The Agent proxy configuration setting:
• WEM Agents in a WEM Service deployment, must be able to communicate over the internet to the WEM Infrastructure Services in Citrix Cloud.
• To facilitate this requirement, a proxy server can be used where security policies block internet access for VDAs.
Key Notes:
• Just like with on-premises WEM deployments, the most convenient method of centrally applying WEM Agent configuration to all
WEM Agents in a deployment is using the WEM ADMX template in a Group Policy Object (GPO).
• For WEM Service deployments, only the Cloud Connector setting, Agent proxy setting, and VUEMAppCmd extra sync delay setting
are used.
• The Agent proxy configuration setting: In some Citrix Virtual Apps and Desktops deployments, whether on-premise or part of a Citrix
Cloud resource location, VDAs are denied internet access for security reasons.
Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/service/install-and-configure.html
infrastructure. You ask the admin which WEM ADMX Group Policy settings he configured. You are told that the Infrastructure server setting was enabled and configured. Which settings do you tell him are relevant?
• Citrix Cloud Connectors
• Agent proxy configuration
• VUEMAppCmd extra sync delay
For Module 9
Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.
Installation
WEM Agent Installation
installed and configured using the WEM PowerShell SDK.
• When using the installer UI, choose to install the WEM Agent as part of a Cloud Service deployment.
Key Notes:
• Recall that the WEM Agent can be installed and configured using the WEM PowerShell SDK.
• When using the installer UI, choose to install the WEM Agent as part of a Cloud Service deployment.
Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html
At that time, the machine is not usually subject to any AD GPOs.
• Configure the Citrix Cloud Connectors so that the Agent can communicate with the WEM Broker without need for the values provided by GPO.
• The WEM Agent installer does not require port numbers to be configured as Agent communications to the WEM Infrastructure Services in Citrix Cloud use HTTPS over port 443.
Key Notes:
• When using App Layering, the WEM Agent is installed on the Platform Layer. At that time, the machine is not usually subject to any
AD GPOs.
• So to ensure that the Platform Layer WEM Agent is able to communicate with the Citrix Cloud WEM Infrastructure Services
immediately after Agent installation, configure the Infrastructure Service FQDN or IP address, rather than choosing “Skip
configuration”, even if the WEM GPO has been configured.
• The WEM Agent installer does not require port numbers to be configured as Agent communications to the WEM Infrastructure
the Citrix Downloads page and the WEM Agent from the WEM Service download page on the Citrix portal. He asks you which one he should use. What do you advise them?
• In a WEM Service deployment, install the latest WEM Agent from the Citrix Cloud portal.
• If it’s an on-premise WEM deployment that is about to be migrated to a WEM Service deployment, they may continue to use the on-premises WEM Agent and upgrade to the latest WEM Service Agent as part of the next maintenance cycle.
Server and WEM Database.
• Exercise 9-2: Install the WEM Administration Console.
• Exercise 9-3: Install the WEM Agent on the App Layers Platform Layer.
WEM on-premises and WEM Service deployments and includes specific settings for each.
• A WEM on-premise deployment requires the installation and configuration of WEM infrastructure components that require attention and planning.
• The WEM Agent for WEM on-premise deployments is supported for use in a WEM Service deployment.
• It is not supported to use a WEM Service WEM Agent version in a WEM on-premises deployment.
• The main difference between WEM on-premises and WEM Service deployments is that the WEM infrastructure components in WEM Service are all managed and maintained by Citrix Cloud.
WEM Administration Consoles and Initial Setup
Module 10
roles.
• Identify the differences between WEM user settings and WEM machine settings and describe the capabilities of the Configuration Set backup and restore process.
• Describe the process and capabilities of WEM Group Policy Object (GPO) import and migration features.
WEM On-premises and WEM Service
• Default connection port is TCP 8288.
• Connection settings can be saved for auto-connection.
• Single point to manage a WEM infrastructure - no PowerShell or command line capabilities at this time.
• Changes are synchronized through the WEM Broker and saved to the WEM database instance.
• Multiple Consoles can be created.
Multiple WEM Administration Consoles can be created.
Key Notes:
• Initial use requires selecting a WEM Infrastructure Server to connect and the TCP communications port to use.
• The default connection port is TCP 8288.
• These settings can be saved for auto-connection when launching the console again.
• The WEM Administration Console is currently the single point to manage a WEM infrastructure; there are no PowerShell or command line capabilities at this time.
• Note: PowerShell commands can be used to create and upgrade the WEM database, and perform tasks on the Infrastructure
console by first logging into the Citrix Cloud portal and seamlessly connect using Citrix Workspace app for HTML5.
• Pre-connected to the WEM Infrastructure Services - no need to choose an Infrastructure Server or communications port number.
• Single point to manage a WEM infrastructure - no PowerShell or command line capabilities at this time.
WEM Service provides a single console to administer a WEM Service deployment.
Key Notes:
• The WEM Service Manage console is hosted on a Citrix Cloud-based Windows VDA.
• WEM administrators access the Manage console by first logging into the Citrix Cloud portal and seamlessly connect using Citrix
Workspace app for HTML5.
• The Manage console is pre-connected to the WEM Infrastructure Services, so there’s no need to choose an Infrastructure Server or
communications port number.
• The Manage console is the single point to manage a WEM infrastructure; there are no PowerShell or command line capabilities at this
Administrators with the ability to:
• Configure and manage Delegated Administrators.
• Maintain better control of the infrastructure.
• By default, all new users are created with read-only permissions
• WEM Service does not support Delegated Administrators.
• All users accessing the WEM Manage console do so with full administrator rights.
Key Notes:
• The WEM Administration Console (on-premises) provides Administrators with the ability to:
• Configure and manage Delegated Administrators.
• Maintain better control of the
Additional Resources:
• Delegated Administrators (on-premises only): https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/administration.html#administrators
permissions that can be used.
• An Administration Log is maintained that records all changes made to all Configuration Sets.
• Only WEM Full Access admins have access.
• The log can be exported.
Transformer Managers
Advanced Settings Manager
Filter Managers
System Utilities Managers
Action Managers
Action Creators
Assignment Managers
Read Only
Key Notes:
• Administrators can be created by adding a user to the Configured Administrator List. Then, the Edit Administrator dialog is used to adjust each Administrator’s specific delegated permissions.
• There are 11 Delegated Administrator permissions that can be used:
• Full Access - have full control over every aspect of the specified Configuration Set(s).
• Policies and Profiles Managers - can manage Policies and Profiles settings.
• Advanced Settings Managers - can manage advanced settings (enabling or disabling action processing, cleanup actions, etc.)
• Filter Managers - can create and manage conditions and rules. Rules that are in use on assigned applications cannot be edited or deleted by Filter Managers.
• System Utilities Managers - can manage the System Utilities settings (CPU, RAM and process management).
• Action Managers - can create and manage actions, as well as control their assignment.
• Action Creators - can create and manage actions.
• Assignment Managers - can only assign resources to users or groups.
• Read Only - can view the entire console, but cannot modify any settings.
• There is an Administration Log maintained that lists all changes made to your WEM settings in all Configuration Sets.
• The log is empty by default, and requires a manual refresh to display initial data.
• There are 3 main options that can be used to manage and review the log data.
1. Export Log - This button will export the log into XLS format.
2. Refresh Log - This can be used to refresh the log.
3. Clear Log - This flushes the log. This applies for all users, and cannot be undone.
• The log is only available to Global Full Access Administrators
which you want to apply the same or similar WEM settings.
• WEM settings are divided into those that apply to WEM Agent machines and those which apply to users logging onto those machines.
• A WEM Agent machine can be a member of only one Configuration Set.
• Users can be added to more than one Configuration Set.
• There is no difference between WEM on-premises and WEM Service Configuration Sets.
WEM Service Manage Console (Citrix Cloud)
Key Notes:
• A WEM Configuration Set is a logical grouping of WEM Agent machines to which you want to apply the same or similar WEM
settings.
• WEM settings are divided into those that apply to WEM Agent machines and those which apply to users logging onto those WEM
Agent machines.
• A WEM Agent machine can be a member of only one Configuration Set.
• Users can be added to more than one Configuration Set.
• Security settings (AppLocker and process management)
• System optimization settings (CPU spikes protection, memory and I/O optimization)
• Settings that control the operation of user settings (toggles for Action items)
• Settings that control the operation and behaviour of WEM Agents
• Agent launch behaviour
• Cache usage modes
• Applying/reapplying settings behavior
• Active Directory Objects
• Users and Machines
• Transformer kiosk
• Monitoring and statistics
• Citrix provides a set of XML files, that when restored to a Configuration Set, enable and configure settings that will be common to most WEM environments.
• Administrators can enable and configure the WEM optimization, WEM security, and WEM user environment control settings.
• In the set of WEM install media, Citrix provides 3 sets of XML files:
• Default Recommended Settings
• Environment Lockdown Sample
• Sample Applications
• Start off configuring an empty Configuration Set by restoring the Default Recommended Settings.
• Configuration Sets can be backed up to recover from accidental changes.
Key Notes:
• To make initial configuration easier, Citrix provides a set of XML files that, when restored to a Configuration Set, enable and configure settings that will be common to most WEM environments.
• Administrators can then focus on enabling and configuring the WEM optimization, WEM security, and WEM user environment control settings they have planned to roll out.
• In the set of WEM install media, Citrix provides 3 sets of XML files:
• Default Recommended Settings
Additional Resources:
• Configure configuration sets: https://docs.citrix.com/en-us/workspace-environment-management/current-release/quick-start-guide.html#step-5-configure-configuration-sets
• The WEM consoles provide backup and restore facilities for individual Configuration Sets.
• Entire Configuration sets can be backed up and restored.
• Groups of settings can be selectively backed up and restored.
Typical Usage Scenarios and what they are Supported For:
• Create initial settings for a new WEM deployment by loading recommended default settings provided by Citrix. Supported for: WEM On-Premises, WEM Service.
• Create a definitive backup of WEM settings to restore when required or when testing. Supported for: WEM On-Premises, WEM Service.
• Migrate WEM settings from one WEM deployment to another. Supported for: WEM On-Premises.
• Adding additional WEM Administration Consoles - backup the Configuration Set and restore to the new Consoles. Supported for: WEM On-Premises.
• Migrate WEM settings from WEM on-premises to WEM Service (consider a full WEM on-premises to WEM Service migration). Supported for: WEM On-Premises, WEM Service.
Key Notes:
• The WEM consoles provide backup and restore facilities for individual Configuration Sets.
• Entire Configuration sets can be backed up and restored.
• Groups of settings can be selectively backed up and restored.
There are several scenarios in which WEM’s backup and restore feature is useful:
• Create initial settings for a new WEM deployment by loading recommended default settings provided by Citrix. Supported for both
WEM on-premises to WEM Service migration is the better option.
Additional Resources:
Configuration Set, backup/restore: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/ribbon.html
• WEM machine-specific settings are global settings: they apply uniformly to all WEM Agent machines that are part of the same Configuration Set.
[Diagram: WEM Configuration Set. WEM Active Directory Objects: WEM Agents (AD Computers) and Users (AD Users). WEM Machine Settings: Machine Settings Apply Always. WEM User Settings: User Settings Apply Conditionally (Rules & Conditions). Other labels: WEM Agent, User Logon, Session.]
Key Notes:
• WEM machine-specific settings are global settings, in that they apply uniformly to all WEM Agent machines that are part of the same
Configuration Set.
WEM Users and WEM Machines.
WEM Users are added so that Actions can be assigned to them. Users can be added to more than one Configuration Set.
WEM Machines hold the Active Directory computer accounts of WEM Agent machines in a Configuration Set.
Any one WEM Agent machine’s AD computer account can belong to only one Configuration Set.
[Diagram labels: Users - Single AD User Account, AD Security Group. WEM Machines - Single AD Computer Account, AD Security Group, Organizational Unit (OU).]
Key Notes:
• The WEM Active Directory Objects section in the WEM Console holds WEM Users and WEM Machines.
• WEM Users are added so that Actions can be assigned to them. Recall that users can be added to more than one Configuration Set.
• WEM Machines hold the Active Directory computer accounts of WEM Agent machines in a Configuration Set. Any one WEM Agent
machine’s AD computer account can belong to only one Configuration Set.
• On the right, you can see that AD user accounts and AD computer accounts can be added in several ways:
• Users can be added individually or as part of an Active Directory Security Group.
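The rule above (any one WEM Agent machine's AD computer account can belong to only one Configuration Set, while machines can be added singly, by AD Security Group or by OU) can be checked against a rollout plan before anything is entered in the console. The following Python script is an added example, not part of the Citrix course material or of WEM itself; the AD inventory, the Configuration Set names and the assumption that an OU entry also covers child OUs are all constructed for illustration.

```python
from collections import defaultdict

# Constructed AD inventory (assumption, not from the course):
# computer name -> (parent OU distinguished name, security groups)
AD_COMPUTERS = {
    "VDA-4C-01": ("OU=VDA-4Core,OU=Citrix,DC=example,DC=local", {"GG-VDA-Prod"}),
    "VDA-4C-02": ("OU=VDA-4Core,OU=Citrix,DC=example,DC=local", {"GG-VDA-Prod"}),
    "VDA-8C-01": ("OU=VDA-8Core,OU=Citrix,DC=example,DC=local",
                  {"GG-VDA-Prod", "GG-VDA-Pilot"}),
    "VDA-8C-02": ("OU=VDA-8Core,OU=Citrix,DC=example,DC=local", set()),
    "KIOSK-01": ("OU=Kiosks,DC=example,DC=local", set()),
}

# Constructed plan: Configuration Set -> planned WEM Machines entries.
# Entry kinds mirror the three ways a machine can be added:
# "computer" (single AD computer account), "group" (AD Security Group), "ou".
PLAN = {
    "Prod": [("ou", "OU=VDA-4Core,OU=Citrix,DC=example,DC=local"),
             ("group", "GG-VDA-Prod")],
    "Pilot": [("group", "GG-VDA-Pilot"),
              ("computer", "VDA-8C-02")],
}


def _in_ou(computer_ou, ou_dn):
    """True if the computer sits in ou_dn or in a child OU (assumed behaviour)."""
    c, o = computer_ou.lower(), ou_dn.lower()
    return c == o or c.endswith("," + o)


def resolve_entry(kind, value, inventory):
    """Expand one planned entry into the set of computer names it covers."""
    if kind == "computer":
        return {n for n in inventory if n.lower() == value.lower()}
    if kind == "group":
        return {n for n, (_, groups) in inventory.items()
                if value.lower() in {g.lower() for g in groups}}
    if kind == "ou":
        return {n for n, (ou, _) in inventory.items() if _in_ou(ou, value)}
    raise ValueError(f"unknown entry kind: {kind!r}")


def membership(plan, inventory):
    """Return (computer -> Configuration Sets it resolves into, unresolved entries)."""
    sets_by_machine = defaultdict(set)
    unresolved = []
    for config_set, entries in plan.items():
        for kind, value in entries:
            machines = resolve_entry(kind, value, inventory)
            if not machines:
                # Typo or stale object: the entry matches nothing in AD.
                unresolved.append((config_set, kind, value))
            for name in machines:
                sets_by_machine[name].add(config_set)
    return sets_by_machine, unresolved


def find_conflicts(plan, inventory):
    """Machines that would land in more than one Configuration Set."""
    sets_by_machine, _ = membership(plan, inventory)
    return {m: sorted(s) for m, s in sets_by_machine.items() if len(s) > 1}


def find_unassigned(plan, inventory):
    """Machines in the inventory that no Configuration Set covers."""
    sets_by_machine, _ = membership(plan, inventory)
    return sorted(set(inventory) - set(sets_by_machine))


if __name__ == "__main__":
    for machine, sets in find_conflicts(PLAN, AD_COMPUTERS).items():
        print(f"CONFLICT  {machine}: {', '.join(sets)}")
    for machine in find_unassigned(PLAN, AD_COMPUTERS):
        print(f"UNASSIGNED {machine}")
    for config_set, kind, value in membership(PLAN, AD_COMPUTERS)[1]:
        print(f"UNRESOLVED {config_set}: {kind} {value}")
```

With the constructed plan, the overlap comes from a computer that is a member of both security groups, which is the kind of collision that is easy to miss when machines are added by group or OU rather than one by one.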
For Module 10
Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.
• WEM’s Migrate feature and Group Policy Settings feature solve the most time-consuming task of rolling out a WEM deployment: Migrating Group Policy Objects (GPOs) from the AD domain controller to the WEM console.
• Migrate – extracts Group Policy Preferences (GPPs) from a GPO and applies them to a WEM Configuration Set.
• Group Policy Settings – imports an entire Group Policy as a WEM Action, which can then be assigned to users or machines in a WEM Configuration Set.
Key Notes:
• WEM’s Migrate feature and Group Policy Settings feature solve the most time-consuming task of rolling out a WEM deployment:
• Migrating Group Policy Objects (GPOs) from the AD domain controller to the WEM console.
• There are two methods for importing AD GPOs. The method you choose depends on the type of GPO settings.
• Migrate – extracts Group Policy Preferences (GPPs) from a GPO and applies them to a WEM Configuration Set.
• Group Policy Settings – imports an entire Group Policy as a WEM Action, which can then be assigned to users or machines in a
WEM Configuration Set.
The GPO Migrate Utility is available for WEM on-premises and WEM Service deployments
• GPP settings extracted from GPO can be converted into WEM settings automatically prior to import, giving administrators full granular control over which WEM setting types to import.
• Computer Configuration settings are converted to WEM machine settings ready for import.
• User Configuration settings are converted to WEM user settings, known as Actions. The imported WEM Actions are then ready to assign to users.
• GPP settings imported using the Migrate feature automatically configure UI checkboxes.
Key Notes:
• The GPO Migrate Utility is available for WEM on-premises and WEM Service deployments.
• GPP settings extracted from GPO can be converted into WEM settings automatically prior to import, giving administrators full
granular control over which WEM setting types to import.
• Computer Configuration settings are converted to WEM machine settings ready for import.
• User Configuration settings are converted to WEM user settings, known as Actions. The imported WEM Actions are then ready to
assign to users.
Additional Resources:
• Migrate GPOs (on-premises): https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/ribbon.html
• Migrate GPOs (WEM Service): https://docs.citrix.com/en-us/workspace-environment-management/service/user-interface-description/ribbon.html
• For WEM Service, upload the zip file to the WEM Manage console using the HTML5 Upload function.
• Import the zip file into the WEM Administration Console (on-premises) or WEM Service Manage console (Citrix Cloud) using the GPO Migrate option.
• Choose whether to import everything (The Overwrite option) or to first convert the zip file into a WEM compatible format (Convert option).
• To give control over the import tasks, it’s recommended to always choose the Convert option.
• Import the Actions and/or other WEM settings.
• Assign the Actions to users.
Key Notes:
• Using the Microsoft Group Policy Management Console, backup your existing GPO or GPP objects into a zip file.
• For WEM Service, upload the zip file to the WEM Manage console using the HTML5 Upload function.
• Import the zip file into the WEM Administration Console (on-premises) or WEM Service Manage console (Citrix Cloud) using the GPO
Migrate option.
• Choose whether to import everything (The Overwrite option) or to first convert the zip file into a WEM compatible format (Convert
option).
The Group Policy Settings feature is available for WEM on-premises and WEM Service deployments.
The Group Policy Settings feature takes a different approach than the Migrate feature.
• The Migrate import method only takes a GPO’s GPP settings.
• The Group Policy Settings method imports entire GPOs.
• All of a GPO’s registry-based settings can be imported using this feature.
• Unlike the Migrate method, imported GPOs using the Group Policy Settings method do not populate WEM setting checkboxes in the WEM Console UI.
• The GPO is imported as an Action item. Actions are user-based WEM settings – in that they apply to the users that have been assigned the Action item.
• For example: Assigning a printer Action item or network drive Action item to a group of users.
• GPO settings, though, can either be Computer Configuration or User Configuration settings.
• So how can a GPO’s Computer Configuration settings be assigned when they are user-based Actions?
Key Notes:
• The Group Policy Settings feature takes a different approach than the Migrate feature.
• The Migrate import method only takes a GPO’s GPP settings.
• The Group Policy Settings method imports entire GPOs.
• All of a GPO’s registry-based settings can be imported using this feature.
• Unlike the Migrate method, imported GPOs using the Group Policy Settings method do not populate WEM setting checkboxes in the
WEM Console UI.
• Assigning the User Configuration part of an imported GPO to WEM users is intuitive because Actions are designed to be assigned to users or AD Security Group of users.
[Diagram: Action: Group Policy Setting. Imported GPO: User Configuration settings. Assigned to: Users or AD Security Group of users.]
• Assigning the Computer Configuration part of an imported GPO is not as intuitive. It requires that the imported GPO is assigned to an AD Security Group containing computers.
[Diagram: Action: Group Policy Setting. Imported GPO: Computer Configuration settings. Assigned to: AD Security Group of computers.]
Key Notes:
In the previous slide, we asked how we can assign an imported GPO’s Computer Configuration
• Assigning the User Configuration part of an imported GPO to WEM users is intuitive because Actions are designed to be assigned to
users or an AD Security group of users.
• Assigning the Computer Configuration part of an imported GPO is not as intuitive. It requires that the imported GPO is assigned to an
AD Security Group containing computers.
• The non-intuitive part is that the AD Security Group containing computers, must be first added to the Users section in WEM’s Active
Settings
• Exercise 10-2: Import a Microsoft Group Policy Object (GPO) into a WEM Configuration Set
Agent machines on which they log onto are divided into WEM user-specific settings and WEM machine-specific settings.
• Configuration Sets are unconfigured initially but WEM admins can restore pre-configured initial WEM settings suitable for most environments. The backup and restore feature can be used to migrate settings between WEM on-premises deployments, or as a method of recovering from unintentional changes.
• The WEM Migrate and WEM Group Policy Settings features allow WEM admins to import AD Group Policy Objects; thereby solving the most time-consuming task of rolling out a WEM deployment.
Key Takeaways:
• Delegated administrators can be created to give WEM admin users different levels of permissions and control when working in the
WEM Administration Console. Delegated administrators cannot be created in the WEM Service Manage console.
• There are many WEM settings but those for controlling users and the WEM Agent machines on which they log onto are divided into
WEM user-specific settings and WEM machine-specific settings.
• Configuration Sets are unconfigured initially but WEM admins can restore pre-configured initial WEM settings as a starting point for
most environments. The backup and restore feature can also be used to migrate settings between WEM on-premises deployments,
WEM Centralized Management Features: System and Log On Optimization
Module 11
options are used to benefit the user experience during sessions.
• Describe the role of WEM Assigned Actions in reducing session logon times.
• Describe how WEM logon optimization settings are used to benefit the user experience during sessions.
• Recognise the benefits of applying Citrix Profile Management through a WEM deployment.
Management Features
sessions on single-user and multi-user Windows machines.
• Used correctly, these features could potentially increase user density on Citrix Virtual Apps and Desktops VDAs (on-premises and Citrix Cloud), saving money on infrastructure costs.
• There are 5 WEM System Optimization features:
• CPU Management
• Memory Management
• I/O Management
• Fast Logoff
• Citrix Optimizer
Key Notes:
• The WEM System Optimization feature is a group of settings designed to dramatically improve user experience during user sessions
on single-user and multi-user Windows machines.
• WEM System Optimization settings are identical and their benefits are identical whether your WEM deployment is on-premises or in
Citrix Cloud.
• Used correctly, these features could potentially increase user density on Citrix Virtual Apps and Desktops multi-user VDAs (on-
premises and Citrix Cloud), saving money on infrastructure costs.
• Citrix Optimizer
Additional Resources:
• WEM System Optimization: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/
by improving application responsiveness.
• This is achieved not by lowering CPU usage in a session, but by reducing the CPU Priority of troublesome processes that excessively consume CPU time.
• When a troublesome process exceeds a given percentage CPU usage for a period of time, CPU Spikes Protection is triggered and lowers the CPU Priority of the troublesome process.
• The default CPU Spikes Protection configuration is suitable for most machines to optimize CPU usage.
Key Notes:
• CPU Spike Protection improves the user experience by improving application responsiveness.
• This is achieved not by lowering CPU usage in a session, but by reducing the CPU Priority of troublesome processes that excessively
consume CPU time.
• When a troublesome process exceeds a given percentage CPU usage, CPU Spikes Protection is triggered and lowers the CPU Priority
of the troublesome process.
• The default CPU Spike Protection configuration is suitable for most machines to optimize CPU usage. The default settings are enabled
Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/
• The percentage CPU usage that triggers the lowering of a troublesome process’s CPU Priority is not fixed.
• It differs depending on the total number of a machine’s logical CPU cores.
• This means that machines with differing numbers of CPU cores can be effectively optimized within the same Configuration Set.
Key Notes:
• Auto Prevent CPU Spikes:
• With Auto Prevent CPU Spikes enabled, the percentage CPU usage that triggers the lowering of a troublesome process’s CPU
Priority is not fixed.
• It differs depending on the total number of a machine’s logical CPU cores.
• This means that machines with differing numbers of CPU cores can be effectively optimized within the same Configuration Set.
• Auto Prevent CPU Spikes example:
• Machine Catalog of Windows 2019 VDAs built on 4 CPU core VMs:
• When overall CPU usage exceeds 23%, the CPU priority of processes that consume more than 15% of the overall CPU resources reduces automatically.
• Machine Catalog of Windows 2019 VDAs built on 8 CPU core VMs:
• When overall CPU usage exceeds 11%, the CPU priority of processes that consume more than 8% of the CPU resources reduces automatically.
The machines from both Machine Catalogs can be part of the same Configuration Set because Auto Prevent CPU Spikes can adapt to different numbers of cores.
If Customize CPU Spike Protection was enabled instead, the CPU Usage Limit is fixed: Each Machine Catalog could be part of different Configuration Sets – each with a different CPU Usage Limit (%) value.
Key Notes:
• Auto Prevent CPU Spikes:
• For example:
• You have a Machine Catalog of Windows 2019 VDAs built on 4 CPU core VMs.
• If the overall CPU usage exceeds 23%, the CPU priority of processes that consume more than 15% of the overall CPU
resources reduces automatically.
• You have another Machine Catalog of Windows 2019 VDAs built on 8 CPU core VMs.
• In cases where customizing individual CPU Spikes Protection values produces better results, the Customize CPU Spike Protection would be selected over Auto Prevent CPU Spikes.
• But as stated earlier, the default CPU Spike Protection settings are very effective in most situations.
• For maximum CPU optimization effectiveness, always test and compare the results.
Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/
CPU Spike Protection changes a troublesome process’s CPU Priority to low, just for a few minutes.
• Enable Intelligent CPU Optimization keeps track of each time a process has triggered CPU Spike Protection until eventually, the process will always run with a CPU Priority of low.
• The CPU Spike Protection triggers are remembered for each process on each machine and for each user.
• So when a user launches a session to a machine that they have logged onto previously, CPU usage will already be optimized.
Key Notes:
• Without Enabling Intelligent CPU Optimization, CPU Spike Protection changes a troublesome process’s CPU Priority to low for a few
minutes.
• It will continue to do this every time the process triggers CPU Spike Protection without prejudice, and so without learning that the
process is in fact troublesome.
• By Enabling Intelligent CPU Optimization, WEM will keep track of each time a process has triggered CPU Spike Protection until
eventually, the process will always run with a CPU Priority of low.
Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/
same principles as Intelligent CPU Optimization by lowering the I/O Priority of processes when required.
• Similarly, the triggering of I/O Optimization is remembered for each process, for each user, and on each machine.
• Neither Intelligent CPU Optimization nor Intelligent I/O Optimization is operational without first enabling CPU Spike Protection
Key Notes:
• Intelligent I/O Optimization adopts the same principles as Intelligent CPU Optimization by lowering the I/O Priority of processes when required.
• Similarly, the triggering of I/O Optimization is remembered for each process, for each user, and on each machine.
• Neither Intelligent CPU Optimization nor Intelligent I/O Optimization is operational without first enabling CPU Spike Protection.
• Though default CPU Management settings are effective, there may be particular processes that need individual attention.
• All of the settings listed here require a solid understanding of the underlying principles:
• CPU Priority: Specify a process and set its CPU Priority to a fixed base level. The options are:
• Realtime (not recommended)
• High
• Above Normal
• Normal
• Below Normal
• Low
• CPU Affinity: Specify a process and set how many logical cores the process can use.
• Limiting a troublesome process to use just a single logical core can improve performance.
• CPU Clamping: Specify a process and set the maximum percentage of a processor’s resources that that process can use.
• It’s a brute force approach that is computationally expensive.
Key Notes:
• Though default CPU Management settings are effective, there may be particular processes that need individual attention.
• All of the settings listed here require a solid understanding of the underlying principles.
• CPU Priority: Specify a process and set its CPU Priority to a fixed base level. The options are:
• Realtime (not recommended as this can make a process completely hog CPU time. Even mouse and keyboard activity will appear
slow)
• High
• WEM admins have been known to add processes like iexplore.exe or Chrome.exe (Internet Explorer & Chrome) to the CPU Clamping list.
• It’s a brute force approach that is computationally expensive. CPU clamping is more for processes that perform their resource management tasks poorly.
• IE and Chrome are more easily controlled using default CPU Spike Protection settings, perhaps adding CPU Affinity to limit their impact further.
Additional Resources:
• CPU Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/
WEM analyzes running applications and determines:
• How much RAM the application is using
• The minimum amount of RAM that the application needs to run in a stable manner.
• The difference is considered to be excess RAM and is released when the application goes into an idle state.
• Greatly reduces the amount of RAM used in a session and contributes to increasing overall user density.
Key Notes:
• The next WEM System Optimization feature is that of Memory Management.
• When enabled, WEM analyzes running applications and determines:
• How much RAM the application is using
• The minimum amount of RAM that the application needs to run in a stable manner.
• The difference is considered to be excess RAM and can be released to the pagefile when the application goes into an idle state.
• Working Set Optimization greatly reduces the amount of RAM used in a session and contributes to increasing overall user density on
Additional Resources:
• Memory Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-
interface-description/system-optimization/memory-management.html
• WEM System Optimization – The best kept secret at Citrix! : https://www.citrix.com/blogs/2018/07/03/the-best-kept-
secret-at-citrix/
1. A user opens Chrome browser, navigates to YouTube. Chrome will use as much RAM as it needs.
2. Over the sampling period [Idle Sample Time: 30 minutes default], WEM determines the amount of RAM Chrome has used and also determines the least amount of RAM required.
3. Then the user is finished with Chrome and it becomes idle.
4. Chrome’s CPU usage drops to the value set by the Idle State Limit value [1% default].
5. WEM forces Chrome to release the excess RAM to the pagefile.
6. When Chrome is used again, it will initially run in its optimized state but can still go on to consume additional RAM as needed.
7. When considering how this affects multiple processes over multiple user sessions, the result is that all of that RAM freed up is available for other processes and will increase user density by supporting a greater number of users on the same server.
Key Notes:
• A user opens Chrome browser, navigates to YouTube, and plays some videos. Chrome will use as much RAM as it needs.
• In the background, and over the sampling period [the Idle Sample Time setting], WEM determines the amount of RAM Chrome has
used and also determines the least amount of RAM required, while still maintaining stability.
• Then the user is finished with Chrome and it becomes idle (this could be done by simply working with another app or minimizing
Chrome to the Task Bar).
• When Chrome’s percentage CPU usage drops to the value set by the Idle State Limit value, WEM then forces the process to
Additional Resources:
• Memory Management: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/memory-management.html
• WEM System Optimization – The best kept secret at Citrix!: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/
that processes which are contending for network and disk I/O access do not cause performance bottlenecks.
• Establishes the "base priority" for all of the threads in the process. The actual, or "current," priority of a thread may be higher, but is never lower than the base.
• In general, Windows gives access to threads of higher priority before threads of lower priority.
Key Notes:
• These settings allow you to optimize the I/O priority of specific processes, so that processes which are contending for network and
disk I/O access do not cause performance bottlenecks.
• The process priority you set here establishes the "base priority" for all of the threads in the process. The actual, or "current," priority
of a thread may be higher, but is never lower than the base.
• In general, Windows gives access to threads of higher priority before threads of lower priority.
• A purely visual option that will end the HDX connection to an app's session, giving the impression that the session has immediately closed.
• The session itself continues to progress through the app session logoff phases on the VDA.
• Specified AD Security Groups can be excluded
Key Notes:
• A purely visual option that will end the HDX connection to an app's session, giving the impression that the session has immediately closed.
• The session itself continues to progress through the app session logoff phases on the VDA.
• You can specify particular AD Security Groups that Fast Logoff won’t apply to.
Additional Resources:
For Module 11
Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.
• Citrix Optimizer optimizes Windows machines to improve performance and can increase user density.
• It applies a pre-created optimization template to machines in WEM’s Active Directory Objects list (one template per OS version).
• Optimizations are performed on several categories, which you can choose to apply or not apply.
• A Preview button displays the details of the optimization changes that the template will apply.
• A Configuration Set contains Server 2019 WEM Agent machines and Server 2016 WEM Agent machines.
• The relevant template will apply only to the matching machines.
Key Notes:
• Citrix Optimizer optimizes Windows machines to improve performance and can increase user density.
• Citrix Optimizer applies a pre-created Windows OS optimization template to machines in WEM’s Active Directory Objects list.
• It applies only one Windows version template to the matching Windows version WEM Agent machine.
• Optimizations are performed on several categories, called Groups, which you can choose to apply or not apply.
• A Preview button displays the details of the optimization changes that the template will apply.
Additional Resources:
• Citrix optimizer: https://docs.citrix.com/en-us/workspace-environment-management/service/user-interface-description/system-optimization/citrix-optimizer.html
There is also another Machine Catalog of Windows 10 based on 4 core VMs. The admin is considering adding these machines into the same Configuration Set. Is this a good idea?
While the default CPU Optimization WEM settings will probably suit all Machine Catalogs, there are other WEM machine-based settings that will need to be configured for the multi-session Server 2016 VDAs - such as user lockdown settings.
The single-session Windows 10 machines most likely need to be configured with different user environment lockdown settings. So in most cases, this is not a good idea.
• Exercise 11-2: Configure CPU Management
• Exercise 11-3: Test CPU Management
Management Features
• The Windows logon process contains several phases which are processed synchronously:
• WEM logon optimization addresses the most time-consuming phases: User Profile and GPO/GPP processing.
• The WEM logon optimization settings, when configured, are processed by the WEM Agent to give a far shorter logon duration.
Key Notes:
• The Windows logon process contains several phases which are processed synchronously:
• Session Initialization
• Authentication
• User Profile
• GPO/GPP
• User Initialization
Additional Resources:
• WEM Logon Optimization – Engage computers. Prepare for warp speed!: https://www.citrix.com/blogs/2018/11/19/part-2-wem-logon-optimization-engage-computers-prepare-for-warp-speed/
• Unlike WEM’s System Optimization, there’s no checkbox that simply enables logon optimization – rather WEM groups these settings under different sections:
• Actions: Settings that are assigned to users according to rules.*
• Environmental Settings: Machine lockdown settings that apply to machines only – and so affect all users that log on to the machine.
• Citrix Profile Management Settings: Centrally manage an environment’s profile settings using the WEM console’s intuitive user interface (UI).
• Microsoft USV Settings: For configuring Microsoft Roaming Profiles and Folder Redirection.
*Imported Group Policies that have GPO Computer Configuration settings are Actions assigned to AD computer groups, rather than users.
Key Notes:
• Unlike WEM’s System Optimization, there’s no checkbox that simply enables logon optimization – rather WEM groups these settings under different sections:
• Actions: Settings that are assigned to users according to rules. Though if you recall, imported Group Policies that have GPO Computer Configuration settings are Actions that are assigned to AD computer groups.
• Environmental Settings: Machine lockdown settings that apply to machines only – and so affect all users that log on to the machine. Administrators, though, can be excluded.
Additional Resources:
• WEM Logon Optimization – Engage computers. Prepare for warp speed!: https://www.citrix.com/blogs/2018/11/19/part-2-wem-logon-optimization-engage-computers-prepare-for-warp-speed/
Which two Windows logon phases does WEM optimize processing for?
User Profile processing and Group Policy Object and Group Policy Preferences processing.
Policy Object settings or provided through scripts.
• Actions are WEM user-based settings, so they apply for a user when they launch a session.
• There are many types of Actions, but the most common ones configured by WEM admins are:
• Applications: These could be installed applications or Citrix Virtual Apps and Desktops published applications.
• Printers: UNC path to network printers.
• Network Drives: Shared folders on the network that are mapped to a drive letter.
• Group Policy Settings: GPOs imported into WEM.
Key Notes:
• WEM Actions replace settings commonly found in Group Policy Object settings or provided through scripts.
• Actions are WEM user-based settings, so they apply for a user when they launch a session to a WEM Agent Machine.
• From the screenshot on the right you can see that there are many types of Actions that can be assigned to users, but the most
common ones configured by WEM admins are:
• Applications: These could be installed applications or Citrix Virtual Apps and Desktops published applications.
• Printers: UNC path to network printers.
Additional Resources:
• WEM Actions: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/actions.html
• Each additional Action type has a dedicated page in the same documentation section as the above URL.
Additional Information:
Complete list of Action types, with descriptions:
• Group Policy Settings.
• The Applications section controls the creation of application shortcuts, as well as various settings pertaining to application presentation. This includes both applications within a desktop, as well as seamless published apps.
• If Applications settings need to be applied to published apps, use Citrix Studio to edit the application settings and add an executable file path that points to VUEMAppCmd.exe (located in the agent installation directory).
• VUEMAppCmd.exe ensures that Workspace Environment Management agent has finished processing an environment before Citrix Virtual Apps and Desktops published applications are started.
• Printer mapping can be managed with the Printers option. The primary use case for this is to map network printers within the corporate network.
• The Network Drives section can be used to map network drives to users or groups. In contrast, the Virtual Drives section is used to map Windows virtual drives or MS-DOS device names which map local file paths to drive letters.
• Registry Entries allows for the deployment of registry entries using WEM. Similarly, Environment Variables are managed using the section with that name.
• The Ports feature allows client COM and LPT port mapping.
• If you use the Ports feature to manually control the mapping of each port, remember to enable the Client COM port redirection or the Client LPT port redirection policies in Citrix Studio. By default, COM port redirection and LPT port redirection are prohibited.
• Ini Files controls the creation of .ini file operations, which allow for the modification of .ini files.
• External Tasks can be used to control the execution of external tasks such as running .vbs or .cmd scripts.
• Rules, defined by these conditions determine who or how Actions apply (Rules are only used for Actions).
• Rules are made up of conditions:
• A Condition is just a parameter that matches a specified value.
• When creating a Rule, Conditions can be ANDed together (OR is not supported).
• There are over 60 different conditions.
• If no rules have been created, the default Always true rule will be used.
Key Notes:
• Filters contain Rules and Conditions.
• Filter rules can only be applied to Actions. Other settings, such as Citrix Profile Management, WEM Transformer, System
Optimization, and Environmental Settings, will automatically be applied to all Agents that are a part of the configuration set.
• Rules are made up of conditions:
• A Condition is just a parameter that matches a specified value.
• When creating a Rule, Conditions can be ANDed together (OR is not supported).
Additional Resources:
• WEM Filters: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/filters.html
• Since Actions only apply to users or groups of users, you need to first add WEM Active Directory Objects (Users).
• Once added, they automatically appear in the list of Users.
• A User or a group of Users is selected, an Action is selected, and a Rule is selected.
• This can get repetitive – so create Action Groups to make it easy.
• Action Groups are a collection of Actions that can be assigned in one step.
• The Modeling Wizard section displays the resultant actions for a given user only (it does not work for groups).
Key Notes:
• Assignments are where Actions are assigned to users and apply according to a Rule.
• Since Actions only apply to users or groups of users, you need to first add them in the WEM Active Directory Objects (Users) section of the WEM Console.
• Once added, they automatically appear in the list of Users.
• To create an Assignment: First select a User or a group of Users, select an Action, and select a Rule.
• When you have a lot of Actions and a lot of users, this can get repetitive – so create Action Groups to make it easy.
Additional Resources:
• WEM Assignments: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/assignments.html
A WEM admin wants to have a shared folder that’s only used by the Human Resources (HR) department, mapped to a drive letter. The drive letter is only needed to be accessed when HR are saving work from published app sessions. It’s not needed for Desktop sessions.
• Add Active Directory Objects (Users): Domain Users
• Create Action (Network Drive): Path = \\NYC-FSR-001\HR Resources\, Drive Letter = R
• Create Conditions: Condition 1 = Active Directory Attribute Match, Value = HR Security Group; Condition 2 = User SBC Resource, Value = Application
• Create Rule: Name = Network drive for HR, Value = Condition 1 AND Condition 2
• Create Assignment: Assign Network Drive (Action) to Domain Users (Active Directory Objects) using Network drive for HR (Rule)
Key Notes:
A WEM admin wants to have a shared folder that’s only used by the Human Resources (HR) department mapped to a drive letter.
The drive letter is only needed to be accessed when HR are saving work from published app sessions. It’s not needed for Desktop
sessions.
So what would be the process to set this up?
• First, add an Active Directory Group to WEM Active Directory Objects. It doesn’t need to be the HR Group but does need to include
the HR Group. Adding a broader AD Group is ok because the Rule we create will narrow it down to HR. So we can add Domain Users
are launching an app session.
• Finally, we create the Assignment. In this task, you select the users (Domain Users Group), then select the Network Drive Action for them and select the “Network drive for HR” Rule we created.
Note: We could have simply added the HR Security Group to Active Directory Objects. That would mean we wouldn’t need to create Condition 1 – the condition that narrows down to the HR group. But adding the larger parent group to WEM Active Directory Objects may be less work in the end; especially if you will be assigning Actions to many different groups in a specific Configuration Set. Really, it’s what works best for you.
Additional Resources:
• WEM Filters: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/filters.html
Configuration: Settings which relate to Assigned Actions.
• No Assigned Actions will apply unless the corresponding Action Agent checkbox is enabled.
• Restoring the Default Recommended Settings enables all of the baseline settings, such as these Agent Actions checkboxes.
• WEM admins often customize their own WEM baseline settings, taken from the Default Recommended Settings and restore them to any newly created Configuration Set.
Key Notes:
• There is a group of settings in the Advanced Settings section, under Main Configuration, which are related specifically to Assigned Actions.
• None of the Assigned Actions you create will apply at all unless the corresponding Action Agent checkbox is enabled.
• So for instance, users won’t get their mapped network drive Assigned Action unless the corresponding “Process Network Drives” box
is enabled.
• Restoring the “Default Recommended Settings” enables all of the baseline settings, such as these Agent Actions checkboxes.
Additional Resources:
• WEM Advanced Settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/advanced-settings.html
A Citrix Administrator needs to map a network drive into user sessions, but only if the user endpoint is part of the corporate network.
How can this be accomplished using WEM?
1. Create a Condition based on client IP.
2. Set IP range specific to the corporate network.
3. Add the Condition to a filter rule.
4. Create the Action to map the network drive.
5. Assign the Action to users with the filter rule attached.
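The filter logic from the HR network drive walkthrough and from the client-IP exercise above can be modelled in a few lines. This is an added illustration, not Citrix code, and it calls no WEM API; the class and function names, the S: drive, and the 10.20.0.0/16 range are assumptions made for the example.

```python
"""Model of WEM-style filter rules: Conditions are ANDed inside a Rule, and an
Assignment applies an Action only when the user is in the assigned AD object
AND the Rule matches. Illustrative names only; not the WEM implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]   # AD groups the user is a member of
    resource_type: str       # "Application" or "Desktop"
    client_ip: str           # address of the connecting endpoint


@dataclass(frozen=True)
class Condition:
    name: str
    test: Callable[[Session], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Tuple[Condition, ...] = ()   # no conditions = "Always True"

    def matches(self, session: Session) -> bool:
        # AND only: every condition must hold (OR is not supported).
        return all(c.test(session) for c in self.conditions)


@dataclass(frozen=True)
class Assignment:
    action: str
    ad_object: str           # group added under Active Directory Objects
    rule: Rule


def member_of(group: str) -> Condition:
    return Condition(f"member of {group}", lambda s: group in s.groups)


def resource_is(kind: str) -> Condition:
    return Condition(f"published resource is {kind}",
                     lambda s: s.resource_type == kind)


def client_ip_in(cidr: str) -> Condition:
    net = ip_network(cidr)

    def test(s: Session) -> bool:
        try:
            return ip_address(s.client_ip) in net
        except ValueError:
            return False     # unparsable client address: do not map the drive
    return Condition(f"client IP in {cidr}", test)


def assigned_actions(assignments, session: Session):
    """Return the Actions that would apply to this session."""
    return [a.action for a in assignments
            if a.ad_object in session.groups and a.rule.matches(session)]


# Rule from the HR walkthrough: Condition 1 AND Condition 2.
HR_RULE = Rule("Network drive for HR",
               (member_of("HR Security Group"), resource_is("Application")))
# Rule for the client-IP exercise; the range is a constructed example.
CORP_RULE = Rule("Corporate endpoints only", (client_ip_in("10.20.0.0/16"),))

ASSIGNMENTS = [
    Assignment("map R:", "Domain Users", HR_RULE),
    Assignment("map S:", "Domain Users", CORP_RULE),
]

if __name__ == "__main__":
    hr_app = Session("hr1", frozenset({"Domain Users", "HR Security Group"}),
                     "Application", "203.0.113.7")
    print(assigned_actions(ASSIGNMENTS, hr_app))
```

Because both Assignments target Domain Users, the Rule is the only thing narrowing who receives each drive; removing a Condition from the Rule widens the mapping to every member of that group.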
WEM
• Runs as a Windows service using settings that reside in the HKLM registry.
• Without WEM, CPM settings are written to the registry from one of three choices:
• AD Group Policy Object (GPO)
• HDX Policy
• Local .ini file
• If WEM is used to configure CPM, the WEM Agent writes CPM settings to the registry from CPM settings configured in the WEM Console.
• The benefit to logon optimization that WEM brings is that CPM settings don’t have to be read and processed from a HDX policy or AD GPO during the logon phase.
• WEM does not affect the operation of CPM, it only provides the settings in HKLM that CPM uses.
Key Notes:
• Citrix Profile Management (CPM) is a roaming profile solution that is typically installed as part of the VDA.
• CPM runs as a Windows service using settings that reside in the HKLM registry.
• Without WEM, CPM settings are written to the registry from one of three choices:
• AD GPO
• HDX Policy
• Local .ini file
Additional Resources:
• Citrix Profile Management - Decide on a configuration: https://docs.citrix.com/en-us/profile-management/current-release/plan/configuration.html
• WEM - Citrix Profile Management Settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/policies-and-profiles/citrix-upm-settings.html
centrally configuring Citrix Profile Management.
• CPM settings are intuitively arranged and divided in sections.
• Keep your WEM deployment version up-to-date: CPM settings in the WEM Console always match the settings of the latest CPM version.
• Microsoft User State Virtualization (USV) and VMware Persona settings can also be managed by WEM.
Key Notes:
• The other benefit that WEM provides is that it is by far the easiest method of centrally configuring Citrix Profile Management.
• All the CPM settings are intuitively arranged and divided in sections.
• It’s good practice to keep your WEM deployment version up-to-date. One reason is so the CPM settings in the WEM Console always
match the settings of the latest CPM version.
• Microsoft User State Virtualization (USV) and VMware Persona settings can also be managed by WEM.
Management in the deployment can be viewed.
• Go to Administration > Agents > Statistics to view health status.
• Suboptimal settings may affect the user experience.
• Profile Management is configured incorrectly and is not functioning properly.
• Profile Management is not found, not enabled, or WEM agent version is not high enough.
Key Resources:
• The Citrix Profile Management health status feature is available in the form of a Profile Management Health Status column on the
Statistics tab of the Agents section.
• Profile Management health status performs automated status checks on your agent hosts to determine whether Profile
Management is configured optimally.
• You can view the results of these checks to identify specific issues from the output file on each agent host (%systemroot%\temp\UpmConfigCheckOutput.xml).
Additional Resources:
• Administration – Agents: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/administration.html#agents
What considerations change when deploying Citrix Profile Management using WEM?
None; all Citrix Profile Management considerations stay the same, and all profile settings available via HDX or GPO policy are also available in the equivalent version of WEM.
Users
• Exercise 11-5: Configure Citrix Profile Management from the WEM Console
• Exercise 11-6: Test Profile Management and Assigned Actions
used by idle processes.
• Both CPU Management and Memory Management can increase user density on multi-session VDAs.
• WEM Assigned Actions replace GPO, GPP, and script settings so that they don’t contribute to logon duration.
• WEM Assigned Actions can be applied using rules and conditions, making it a very versatile feature.
• Deploying Citrix Profile Management (CPM) settings through the WEM Console provides the easiest and most intuitive method of CPM configuration.
Key Takeaways:
• WEM CPU Management improves user experience by greatly reducing the impact of applications that use a high percentage of CPU time.
• WEM Memory Management improves user experience by greatly reducing the amount of RAM used by idle processes.
• Both CPU Management and Memory Management can increase user density on multi-session VDAs.
• WEM Assigned Actions replace GPO, GPP, and script settings so that they don’t contribute to logon duration.
• WEM Assigned Actions can be applied using rules and conditions, making it a very versatile feature.
WEM Centralized Management Features: Security & Lockdown
Module 12
• Describe how to configure the WEM Process Management feature.
• Describe how WEM Environment Settings is used to lock down the Windows user interface features.
• Describe the purpose and benefits of creating a WEM Transformer kiosk machine.
• Describe the purpose and capabilities of WEM monitoring and reporting features.
For Module 12
Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercises.
Features
provides settings that can apply security and restrictions to a session:
• Application Security
• Process Management
• Environmental Settings
Key Notes:
• WEM can lock down and secure an environment with settings such as disabling user access to the registry or command line, hiding specific elements in Windows Explorer, hiding or blocking access to drives, and the ability to exclude Administrators from security settings that are applied to user sessions.
• Some security settings are processed at logon and others are refreshed by the Agent while the session is active.
feature.
• AppLocker controls the application executables, scripts, installer packages, and even DLLs that users are permitted to run on a machine.
• WEM Application Security adds useful centralized management features.
Key Notes:
• WEM Application Security is based on the Windows AppLocker security feature.
• Windows AppLocker allows administrators to control the application executables, scripts, installer packages, and even DLLs that
users are permitted to run on a machine.
• The AppLocker rules and operations in WEM are identical to those of Windows AppLocker, but WEM Application Security adds useful centralized management features.
• Bulk operations:
• Apply Application Security Rules to all WEM Agent Machines in the Configuration Set.
• Bulk assign or unassign Rules.
• Select multiple Rules and edit settings.
• Import AppLocker Rules from exported GPO:
• Export the GPO as an XML file and import to the WEM Console.
Key Notes:
• Bulk operations:
• Apply Application Security Rules to all WEM Agent Machines in the Configuration Set.
• Bulk assign or unassign Rules.
• Select multiple Rules and edit settings for all selected.
• Import AppLocker Rules from exported GPO:
• Export the GPO as an XML file and import to the WEM Console.
Additional Resources:
• WEM Application Security: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html#application-security
Additional Information:
• AppLocker configuration for any Windows machine can be viewed using the Local Security Policy on that machine.
• When you migrate an AD GPO to WEM, you disable, unlink, or delete the original AD GPO – to avoid conflicts.
• This does not need to be done for AppLocker settings in the Local Security Policy.
• This is because the Local Security Policy will always display the machine’s AppLocker settings that are retrieved from WEM.
• After configuring AppLocker through the WEM Console, each WEM Agent machine’s Local Security Policy AppLocker settings will match those configured in the WEM Console’s Application Security
• For testing Rules without affecting users, set a Rule to Audit mode. Rule violations are written to the AppLocker event log.
• AppLocker runs using the Application Management Windows Service on each machine. Check the service if there are AppLocker issues.
Key Notes:
• There is a separate checkbox for enabling the processing of AppLocker DLL Rules.
• Enabling DLL Rules may affect machine performance. This is because AppLocker checks each DLL that an app loads before it’s
allowed to run.
• AppLocker Rules can be set to Audit. Rules set to audit are inactive. This means the rule runs without affecting the app but the details about the rule violations are added to the AppLocker event log.
• AppLocker runs using the Application Management Windows Service on each machine. If there are problems with the operation of
Additional Resources:
• WEM Application Security: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html#application-security
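Before an exported AppLocker policy is imported into the WEM Console, it helps to see which rule collections are in audit mode and whether DLL rules are active. The script below is an added example, not part of the course material or of WEM; it reads the standard AppLocker policy XML layout (RuleCollection elements with Type and EnforcementMode attributes), and the sample policy, rule names and GUIDs in it are constructed.

```python
"""Summarise an exported AppLocker policy XML before importing it elsewhere."""
import xml.etree.ElementTree as ET

RULE_TAGS = {"FilePathRule", "FilePublisherRule", "FileHashRule"}

# Constructed sample export (rule names, paths and GUIDs are made up).
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111"
                  Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222"
                  Name="Deny example tool" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Tools\example.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="33333333-3333-3333-3333-333333333333"
                  Name="Allow Windows DLLs" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""


def summarize(xml_text: str) -> dict:
    """Return {collection type: mode, allow/deny counts, rule names}."""
    # An AppLocker export has no DOCTYPE; refuse one rather than expand entities.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DOCTYPE not expected in an AppLocker export")
    root = ET.fromstring(xml_text)
    if root.tag != "AppLockerPolicy":
        raise ValueError(f"unexpected root element: {root.tag}")
    summary = {}
    for coll in root.findall("RuleCollection"):
        rules = [r for r in coll if r.tag in RULE_TAGS]
        summary[coll.get("Type", "?")] = {
            "mode": coll.get("EnforcementMode", "NotConfigured"),
            "allow": sum(r.get("Action") == "Allow" for r in rules),
            "deny": sum(r.get("Action") == "Deny" for r in rules),
            "names": [r.get("Name", "") for r in rules],
        }
    return summary


def findings(summary: dict) -> list:
    """Points an admin should confirm before relying on the policy."""
    notes = []
    for ctype, info in summary.items():
        total = info["allow"] + info["deny"]
        if info["mode"] == "AuditOnly" and total:
            notes.append(f"{ctype}: {total} rule(s) in audit mode; "
                         "violations are logged, nothing is blocked")
        if ctype == "Dll" and info["mode"] in ("Enabled", "AuditOnly") and total:
            notes.append("Dll: DLL rules are active; every DLL an app loads "
                         "is checked, so expect a performance cost")
    return notes


if __name__ == "__main__":
    report = summarize(SAMPLE_POLICY)
    for ctype, info in report.items():
        print(f"{ctype:7} {info['mode']:14} allow={info['allow']} deny={info['deny']}")
    for note in findings(report):
        print("-", note)
```

A collection left in audit mode after testing still looks populated in the console, so the first finding is the one to check before treating the policy as a control.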
• Process Management provides the ability to whitelist or blacklist specific processes.
• If a process is added to the blacklist, then it cannot be launched.
• Processes that are added to the whitelist can always be launched.
• There’s the option to exclude local admins and/or specific groups.
Key Notes:
• An alternative to WEM’s Application Security Rules is Process Management. This controls app executables only and operates on a
blacklist/whitelist basis.
• If a process is added to the blacklist, then it cannot be launched.
• Processes that are added to the whitelist can always be launched.
• There’s the option to exclude local admins and/or specific groups.
Policies and Profiles section of the WEM Console. Primarily, these settings are for locking down the Windows UI.
• WEM machine-based settings: Applies to all users (admins can be excluded).
• The Environmental Settings categories are:
• Start Menu
• Desktop
• Windows Explorer
• Control Panel
• Known Folders Management
• SBC/HVD Tuning
Key Notes:
• WEM’s Environmental Settings are found in the Policies and Profiles section of the WEM Console. Primarily, these settings are for
locking down the Windows UI.
• Since they are WEM machine-based settings, they will affect all users that log on to the WEM Agent machines that are part of the Configuration Set – but administrators can be excluded.
• Start Menu: These options modify the user’s Start Menu.
• Desktop: These settings control which desktop elements are disabled by the Agent, and allow you to disable aspects of the Windows
• Although it appears simply as “SBC/HVD Tuning” in the WEM console, this option is referring to “server-based computing/hosted virtual desktops”, and includes settings that can improve performance on server-OS machines that can host multiple concurrent sessions.
Additional Resources:
• Environmental Settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/policies-and-profiles/environmental-settings.html
What is the difference between WEM application security settings and Windows AppLocker?
Both features use the same AppLocker settings; the difference is where they are configured and managed (WEM vs. Local Security Settings or GPO).
Environment
• Exercise 12-2: Configure Environment Lockdowns
• Exercise 12-3: Manage the VDA Processes
• Exercise 12-4: Log on to Test the Newly Configured Environment
access in a kiosk-only mode.
• In kiosk mode, users are provided access only to the resources they have been granted and typically users are not given access to the Windows desktop and Start Menu.
• Only Windows Desktop OS are supported by WEM Transformer.
Key Notes:
• The purpose of the WEM Transformer is to provide users with a locked down, physical Windows Desktop OS machine that they
access in a kiosk-only mode.
• In kiosk mode, users are provided access only to the resources they have been granted and typically users are not given access to the
Windows desktop and Start Menu.
• Only Windows Desktop operating systems are supported by WEM Transformer.
• CVAD or CVAD Service published apps and desktops.
• A whitelist of websites they can access.
• A list of printers.
• Items on the kiosk panel that haven’t been locked down. For example: Shutdown, Restart, log off, system clock.
• Tools such as the Command Prompt.
• Users can only access these resources and items using the WEM Transformer kiosk panel.
Key Notes:
• The WEM administrator can provide the kiosk user access to:
• Locally installed applications.
• Citrix Virtual Apps and Desktops or Citrix Virtual Apps and Desktops Service published apps and desktops.
• All apps on the Applications tab, whether they are local or CVAD published are Application Actions added in the WEM Console.
• A whitelist of websites they can access.
• A list of printers, which are Printer Actions added in the WEM Console.
Additional Resources:
• Transformer settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html
• There are two methods:
1. Through the Transformer Applications tab.
This requires:
• StoreFront-based Application Actions assigned to users.
• Users to log onto the physical WEM Transformer kiosk machine using their own company credentials.
• Citrix Workspace app for Windows to be installed and configured for pass-through authentication.
Key Notes:
• WEM Transformer can be configured to provide a user’s assigned Citrix Virtual Apps and Desktops or Citrix Virtual Apps and Desktops
Service published apps and desktops.
• There are two methods to choose from:
1. Users are provided access to CVAD or CVAD Service published resources through the Applications tab.
• This requires:
• StoreFront-based Application Actions assigned to users.
Additional Resources:
• Transformer settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html
Additional Information:
1. The user logs onto the physical WEM Transformer kiosk machine using their own company credentials:
• This case is used when access to CVAD or CVAD Service published app resources will be automatically provided through the Applications tab.
• Having users log on to the machine allows Citrix Workspace app for Windows to pass through their authentication for automatic enumeration and display of their CVAD or CVAD Service published apps (Note: CVAD published resources are supported. CVAD Service published resources are supported but only using Citrix Workspace in Citrix Cloud – local StoreFront is not supported).
logon. WEM Transformer can perform an auto-Windows logon using a generic account.
• Users must enter their own credentials to the Citrix Gateway/ADC or StoreFront page (CVAD on-premises), or to Citrix Cloud’s Citrix Gateway Service or Workspace page (CVAD Service).
• Citrix Workspace app for Windows is not mandatory. Apps and desktops can be launched using the browser-based Citrix Workspace app for HTML5.
Key Notes:
2. Users are provided access to Citrix Virtual Apps and Desktops or Citrix Virtual Apps and Desktops Service published resources through
the Web Browser tab.
• Users are not required to provide their own credentials at Windows logon. WEM Transformer can perform an auto-Windows logon using a generic account.
• To access their published resources, users must enter their own credentials to the Citrix Gateway/ADC or StoreFront page (CVAD on-premises), or to Citrix Cloud’s Citrix Gateway Service or Workspace page (CVAD Service).
Additional Resources:
• Transformer settings: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html
Additional Information:
2. The user starts the physical WEM Transformer kiosk machine and is automatically logged on to Windows using a generic account.
• This case is typical when users need access only to locally installed apps and whitelisted web pages.
• If users need access to CVAD or CVAD Service published app resources, they must enter their own credentials to the Citrix Gateway/ADC or StoreFront, or Citrix Cloud’s Workspace browser page (Note: both CVAD and CVAD Service published resources are supported).
For access to other resources configured for the user, such as printers, locally installed apps, whitelisted web sites, it doesn’t matter whether Transformer is configured for Windows auto-logon or user account logon.
Transformer.
• Enable Transformer, when enabled, puts all agents in the Configuration Set into kiosk mode.
• Web Interface URL: Only required if published resources will be provided through the Web Browser tab.
Key Notes
• The General Settings tab controls the appearance and basic settings for the Transformer.
• Enable Transformer turns on the Transformer kiosk mode for every WEM Agent machine in the Configuration Set’s Active Directory
Objects (Machines) list.
• If users are to be provided access to their CVAD or CVAD Service published apps and desktops through the kiosk’s Web Browser tab, the Web Interface URL needs to be populated with the Citrix Gateway/Gateway service, StoreFront, or Citrix Workspace URL.
• The Appearance of the kiosk panel can be customized with, for instance, a company label. Also, don’t forget to enable the
Additional Resources:
• Transformer settings – General: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#general
URLs and tools that can be accessed by end users.
• Site settings: A whitelist of web sites that can be accessed directly via the kiosk’s Sites button.
• Tool Settings: A list of tools such as the Command Prompt. Accessed via the kiosk’s Tool Settings tab.
Key Notes
• Site Settings and Tool Settings allow for the addition of permitted web URLs and tools that can be accessed by end users.
• Site settings are essentially a whitelist of web sites that can be accessed directly via the kiosk’s Sites button. Note that the Transformer on its own will not prevent all access to URLs not on the list if the end user clicks hyperlinks within the permitted web sites.
• Tool settings allow for the inclusion of executables on the Transformer endpoint that would otherwise be inaccessible in kiosk
mode. Any local executable path could be included, based on the needs of the user base.
feature allows for the Transformer agent to serve as a process launcher rather than presenting a kiosk interface.
• This can be used to facilitate integration with non-web-based access for clients.
Key Notes:
• We said earlier that users can only access resources and other items using the WEM Transformer kiosk panel. However, there is an exception.
• The Process Launcher feature, when enabled, automatically launches a specified process and its arguments when the session starts.
• The kiosk mode/web interface view will no longer appear.
• If the process is terminated, it is automatically relaunched.
Additional Resources:
• Transformer settings – Advanced: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#advanced
Administration Settings allow for more customization of the user-facing Transformer UI.
• Most settings are self-explanatory, and preferred settings will depend on user requirements.
Key Notes:
• The Advanced Settings and Administration Settings allow for more customization of the user-facing Transformer kiosk UI.
• Most settings are self-explanatory, and preferred settings will depend on user requirements.
Additional Resources:
• Transformer settings – Advanced: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#advanced
auto-logon for all users.
• Have each user logon to the Windows machine using their own credentials.
• Only Enable Autologon Mode if you plan to use the same generic account to auto-logon every user.
• The Desktop Mode Options and End Of Session Options sections control session start/end behaviour.
Key Notes:
• Recall that WEM admins can design their Transformer kiosk solution to:
• Have the Windows machine auto-logon for all users.
• Have each user logon to the Windows machine using their own credentials.
• Only Enable Autologon Mode if you’ve planned to use the same generic account to auto-logon every user.
• The Desktop Mode Options and End Of Session Options sections control the behavior when a remote session launch starts and ends on a Transformer machine.
Additional Resources:
• Transformer settings – Advanced: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/transformer-settings.html#advanced
On which Citrix Virtual Apps and Desktops component should WEM Transformer settings be applied?
WEM Transformer is intended for user endpoints that should behave as a thin client, or automatically launch a particular process.
machine to be used as a Transformer Kiosk.
• Exercise 12-6: Create Transformer Configuration Set and StoreFront Application Actions for Marketing Users.
• Exercise 12-7: Configure WEM Transformer
• Exercise 12-8: Test WEM Transformer
The Citrix Workspace Environment Management can display User and Agent Statistics.
• Displays a count of total users who have reserved a WEM license, for both the current Configuration set and all Configuration sets.
• Displays a count of new users in the last 24 hours, as well as within the last month.
• Users History
• Displays connection information for all the User’s Hosts associated with this Configuration set.
• Displays the last connection time, the name of the device from which they last connected, and the Agent version.

• Displays a count of total Agents who have reserved a WEM license, for both the current Configuration set and all Configuration sets.
• Displays a count of new Agent in the last 24 hours and in the last month.
• Agents History
• Displays connection information for all the Agents associated with this Configuration set.
• Displays the last connection time, the name of the device from which they last connected, and the Agent version.
Monitoring option allows for user and machine reporting statistics to be captured and displayed.
Reports include:
• Daily Reports
• User Trends
• User & Device Reports
Key Notes:
• The Workspace Environment Management Monitoring reports include options for Daily, User and Device, as well as the ability to control the reporting time period and work days.
• Daily Reports:
• Daily Login Report. A daily summary of login times across all users connected to this site. You can double-click a category for a
detailed view showing individual logon times for each user on each device.
• Daily Boot Report. A daily summary of boot times across all devices connected to this site. You can double-click a category for a
to this site. You can double-click each device type for a detailed view.
• User & Device Reports
• User Report. This report allows you to view login trends for a single user over the selected period. You can double-click each data point for a detailed view.
• Device Report. This report allows you to view boot trends for a single device over the selected period. You can double-click each data point for a detailed view.
• Configuration
• Report Options: These options allow you to control the reporting period and work days. You can also specify minimum Boot Time and Login Time (in seconds) below which values are not reported.
Additional Resources:
• Monitoring: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/monitoring.html#daily-reports
devices connected to your WEM on-premises or WEM Service deployment?
Is it possible to export the data to a file?
The Daily Boot Report in the Daily Reports section.
Yes, you can export the data to, for example, an Excel format.
takes a more simplified approach than AppLocker and uses the blacklist/whitelist method to control application security.
• WEM Environmental Settings are machine-based settings that control the user’s operation of Windows user interface features.
• WEM Transformer turns WEM Agent machines into kiosks; providing only the resources granted to the user and isolating them from the underlying Windows operating system.
• WEM’s Monitoring and Reporting features keep a running record of Agent, user, and device usage statistics which can be displayed, and exported if needed.
Key Takeaways:
• WEM takes the existing Windows AppLocker security feature and adds centralized management, bulk rule
assignment/unassignment, bulk rule editing, and AppLocker rules importing.
• The WEM Process Management security feature takes a more simplified approach than AppLocker and uses the blacklist/whitelist method to control application security.
• WEM Environmental Settings are machine-based settings that control the user’s operation of Windows user interface features.
• WEM Transformer turns WEM Agent machines into kiosks; providing only the resources granted to the user and isolating them from
Module 13 - The WEM Agent
WEM Agent machine start-up and during session launch.
• Identify the purpose of WEM Agent local caches and describe how they are refreshed.
• Describe how to integrate the WEM Agent into Citrix Provisioning, Machine Creation Services, Citrix App Layering and published app launch.
WEM Agent Caches
[Figure: WEM Agent components]
Norskale Agent Host Service: Environmental Settings (machine lock-down settings); Citrix Profile Management & Microsoft USV; System Optimization settings (CPU, RAM, I/O); Optimization & Monitoring starts.
Norskale Agent Host Service: Environmental Settings (Administrators can be excluded); Application Security (AppLocker), evaluated and applied on a user-by-user basis, with the service creating AppLocker rules.
WEM User Agent: Actions (Environmental variables, Applications, Registry Values, Network Drives, Virtual Drives, Printers, Ports, Filesystem Operations, Ini Files, DSN Files, External Tasks).
Key Notes:
• When it comes to applying WEM settings to a WEM Agent machine, there are two components:
• The Norskale Agent Host Service and the WEM User Agent.
• The Norskale Agent Host Service handles the WEM machine-based settings that are processed at WEM Agent machine boot.
• These are the WEM Environmental Settings, Citrix Profile Management (CPM), WEM System Optimization, and statistics collection
for monitoring.
Key Notes:
• At some point, a user will launch an app or desktop session.
• The Norskale Agent Host Service is still needed at user session logon because some WEM machine-based settings need to determine who is logging on before deciding whether or not to apply their settings.
• For example, some Environmental settings can be excluded for administrators. Also, how WEM Application Security settings
(AppLocker) apply depends on who is logging on.
Key Notes:
• The WEM User Agent runs when a user logs onto a WEM Agent machine. It is at this point that Actions assigned to the user will
apply.
[Figure: WEM Agent components diagram, now also labelled with VUEMUIAgent.exe and VUEMCmdAgent.exe]
Key Notes:
• There are two WEM User Agents that WEM admins can configure for WEM Agent machine usage:
• The first is VUEMUIAgent.exe, which provides a user interface (UI) such as a WEM Agent splash screen and WEM icon that comes
with a context menu.
• The second is VUEMCmdAgent.exe, which is the non-UI version. Similar commands to the UI version can be run, but only from a
command prompt.
• Selecting to use either the UI or non-UI WEM User Agent version is done using a checkbox in the WEM Console.
[Figure labels: WEM Database on SQL Server; SQL Transaction; WEM Infrastructure Services; WEM Settings Retrieval; WEM Agent; WEM Agent Caches]
• WEM settings are mainly applied to the system registry or user’s registry hive (in the case of WEM assigned Actions).
• The WEM Agent retrieves WEM settings and applies them to the machine. The Agent retrieves WEM settings from:
• The WEM database, through the WEM Infrastructure Services (on-premise or WEM Cloud).
• WEM local caches (updated regularly).
© 2020 Citrix Authorized Content
Key Notes:
• Almost all of these WEM machine-based and WEM user-based settings are applied to the WEM Agent machine’s system registry or, in the case of WEM assigned Actions, to the user’s registry hive.
• The WEM Agent performs this task of retrieving WEM settings and applying them to the machine. The WEM Agent can retrieve WEM settings from:
• The WEM database, through the WEM Infrastructure Services (on-premises or WEM Cloud).
• WEM local caches on the WEM Agent machine. These are updated regularly.
• Local cache retrieval is preferred because:
• WEM Agent cache data helps to reduce session logon times.
• It can greatly reduce internet traffic in WEM Service deployments.
• They provide WEM settings when the WEM Broker is unavailable.
• Through the WEM Console you can configure how the WEM Agent retrieves settings:
• Enable Offline Mode: Only retrieve settings from the cache when the WEM Infrastructure Services are unavailable.
• Use Cache Even When Online.
• Use Cache to Accelerate Action Processing. Can be enabled with or without Enable Offline Mode.
Key Notes:
• Configuring the Agent to retrieve WEM settings from local caches is preferred because:
• WEM Agent cache data helps to reduce session logon times.
• In WEM Service deployments, using the local cache for WEM Actions greatly reduces the Agent to WEM Infrastructure Services
traffic over the internet.
• They provide WEM settings when the WEM Broker is unavailable.
• Through the WEM Console you can configure how the WEM Agent retrieves settings:
Additional Resources:
• Agent Options: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/advanced-settings.html#configuration
Cache Name | Cache Description | Purpose | Location on Agent machine
Assigned Actions & Printers | User’s registry Hive (HKCU) | Prevent previously applied settings from being re-applied. | User’s Roaming Profile (Microsoft or Citrix Profile Management)
Profile Management & Microsoft USV | Machine registry (HKLM) | Allows the Agent Host service to read and apply UPM/USV settings early in the machine boot process. | System registry (HKLM)
LocalAgentCache | All WEM config settings database | Holds all WEM user and machine settings. | Database file on the local disk
LocalAgentDatabase | Intelligent Optimization history database | Tracks WEM Intelligent Optimization history for each user per machine. | Database file on the local disk
Key Notes:
There are four WEM local caches.
• Assigned Actions and Printers:
• The cache that stores assigned WEM Actions, including printers, is kept in each user’s NTUSER.DAT profile. When a centralized roaming profile solution has been configured, such as Citrix Profile Management, this means that the record of a user’s assigned Actions and printers travels with them from machine to machine.
• The cache is read by the WEM Agent at user logon and prevents previously applied settings from being re-applied. This helps to
• The Local Agent Cache:
• This is a database file that, by default, resides in the Program Files (x86) WEM folder.
• The database holds all the WEM settings of the Configuration Set that the machine is a member of.
• How this cache is used by the Agent depends on the mode configured (as we saw on the previous slide – Enable Offline Mode, Use Cache Even When Online, or Use Cache to Accelerate Action Processing).
• The Local Agent Database:
• This database file also resides in the Program Files (x86) WEM folder.
• It doesn’t have a particularly intuitive file name considering its purpose. And its purpose is to keep track of the number of times a process has triggered CPU Spikes Protection on a user-by-user, process-by-process basis. If a user logs off their session to this VDA, and then logs back on, all those CPU Spikes Protection triggers have been remembered, and so WEM CPU Intelligent Optimization for that user on that machine doesn’t have to be recalculated from scratch.
Additional Resources:
• WEM System Optimization: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/
Additional Information:
WEM Agent cache locations:
• Assigned Actions & Printers: HKEY_CURRENT_USER\SOFTWARE\VirtuAll Solutions\VirtuAll User Environment Manager\Agent\Tasks Exec Cache\
• Profile Management: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings\
Microsoft USV cache, and Local Agent Cache.
• When WEM System Optimization settings have been enabled, the Local Database Cache is populated and updated as users work in their sessions.
• There are two situations where you would want to force the Agent to update its WEM Settings immediately:
1. Applying WEM settings just configured.
2. “Baking” in WEM settings to a golden image or App Layering layer.
• Perform this task because each time a non-persistent, provisioned machine reboots, it will revert to its initial state.
Key Notes:
• All WEM local caches are automatically updated, either by periodic schedule in the case of Action & Printers cache, Citrix Profile
Management & Microsoft USV cache, and Local Agent Cache.
• The Local Database Cache is populated and updated as users work in their sessions when WEM System Optimization settings have
been enabled.
• There are two situations where you would want to force the Agent to update its WEM Settings immediately:
1. Applying WEM settings just configured. Perhaps if you are testing a new Configuration Set.
refresh its own settings, from the WEM Consoles.
• Refresh Cache updates the Local Agent Cache.
• Refresh Agent Host Settings updates the advanced settings, optimization settings, transformer settings, and other non-user assigned settings.
• Refresh Workspace Agents applies the user-assigned WEM Actions.
Key Notes:
• From the WEM Administration Console or WEM Service’s Manage console, you can initiate requests to the WEM Agent to refresh its
own settings.
• You’ll find these in the Administration section under Agents => Agent History. Right-clicking on any WEM Agent machine brings up the menu shown.
• Refresh Cache updates the Local Agent Cache.
• Refresh Agent Host Settings updates the advanced settings, optimization settings, transformer settings, and other non-user assigned
Additional Resources:
• Refreshing Agent settings from the WEM Consoles: https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/administration.html#agents
• Refresh the Local Agent Cache using the AgentCacheUtility.exe program.
• Syntax: AgentCacheUtility.exe -RefreshCache. Adding -Debug to the command writes detailed results to the Windows Event logs.
• This is the command you’ll use to pre-populate or “bake” the WEM settings and cache on master images and App Layering layers that have the WEM Agent installed.
Key Notes:
• You can also refresh the Local Agent Cache using the AgentCacheUtility.exe program.
• The syntax is AgentCacheUtility.exe -RefreshCache. Adding -Debug to the command writes detailed results to the Windows Event logs.
• This is the command you’ll use to pre-populate the WEM settings and cache on master images and App Layering layers that have the
WEM Agent installed.
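One way to script the “bake” step described above and confirm its result on a master image before sealing it; this is an added PowerShell example, not Citrix tooling or code from the course. The install and cache folders are parameters you must supply (assumptions), while the switches and the registry path are the ones given in this module.

```powershell
# Added example: refresh the WEM Agent caches on a master image and report their state.
# Assumptions: -AgentInstallDir and -CacheDir are placeholders for your own environment;
# the course text does not give the exact folder names.
[CmdletBinding()]
param(
    # Folder that contains AgentCacheUtility.exe (supply your own path).
    [Parameter(Mandatory)] [string] $AgentInstallDir,
    # Folder holding the LocalAgentCache / LocalAgentDatabase files. Defaults to the
    # install folder; pass the AgentCacheAlternateLocation target if they are redirected.
    [string] $CacheDir = $AgentInstallDir
)

$ErrorActionPreference = 'Stop'

# Profile Management / Microsoft USV cache location, as listed in the module notes.
$UpmCacheKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host\UpmConfigurationSettings'

function Get-WemCacheFile {
    # Returns the newest file whose name starts with the given cache name, or nothing.
    # A prefix match is used because the module names the caches but not their extension.
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [Parameter(Mandatory)] [string] $Prefix
    )
    Get-ChildItem -LiteralPath $Directory -File -Filter "$Prefix*" -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTimeUtc -Descending |
        Select-Object -First 1
}

function Test-RegistryKeyPopulated {
    # True when the key exists and holds at least one value or subkey.
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $key = Get-Item -LiteralPath $Path
    return (($key.ValueCount + $key.SubKeyCount) -gt 0)
}

$utility = Join-Path -Path $AgentInstallDir -ChildPath 'AgentCacheUtility.exe'
if (-not (Test-Path -LiteralPath $utility -PathType Leaf)) {
    throw "AgentCacheUtility.exe not found in '$AgentInstallDir'."
}

# Record the start time so a stale cache file left over from an earlier build is not
# mistaken for a successful refresh.
$started = [DateTime]::UtcNow

# -RefreshCache and -Debug are the switches given in the module; -Debug writes
# detailed results to the Windows Event logs.
$proc = Start-Process -FilePath $utility -ArgumentList '-RefreshCache', '-Debug' `
                      -Wait -PassThru -NoNewWindow

$cache    = Get-WemCacheFile -Directory $CacheDir -Prefix 'LocalAgentCache'
$database = Get-WemCacheFile -Directory $CacheDir -Prefix 'LocalAgentDatabase'

$report = [pscustomobject]@{
    UtilityExitCode        = $proc.ExitCode
    LocalAgentCacheFile    = if ($cache) { $cache.FullName } else { $null }
    LocalAgentCacheFresh   = [bool]($cache -and $cache.LastWriteTimeUtc -ge $started)
    # Informational only: this cache fills as users work once System Optimization is on.
    LocalAgentDatabaseFile = if ($database) { $database.FullName } else { $null }
    # This cache cannot be redirected, so it has to be present in the image itself.
    UpmCachePopulated      = Test-RegistryKeyPopulated -Path $UpmCacheKey
}
$report | Format-List

if (-not $report.UpmCachePopulated) {
    Write-Warning 'Profile Management / Microsoft USV cache key is empty; nothing is baked into this image.'
}
if (-not $report.LocalAgentCacheFresh) {
    Write-Warning "LocalAgentCache in '$CacheDir' was not updated by this run; do not seal the image yet."
    exit 1
}
```

Run it from an elevated session on the master image after the Agent is installed and can reach its WEM Infrastructure Services; a non-zero exit means the cache file was not rewritten during this run.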
populate Citrix Profile Management & Microsoft USV WEM settings into a master image or App Layering layer. What about the other WEM local caches?
WEM’s Actions and Printer settings are stored in the user’s CPM roaming profile, and won’t be lost on VDA restarts.
The Local Agent Cache and Local Database Cache can both be offloaded to a persistent attached drive using the AgentCacheAlternateLocation registry key.
For Module 13
Key Notes:
• If needed, please refer back to Module 0 for reference on how to access the Lab.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.
Citrix Virtual Apps and Desktops
formatted write cache disk.
• This can persist the LocalAgentCache and LocalAgentDatabase files, using the AgentCacheAlternateLocation HKLM registry key pre-configured in your image.
• The Profile Management & Microsoft USV cache can’t be saved to the write cache disk; the solution is to “bake” those settings into the Citrix Provisioning master image before rollout.
Key Notes:
• Starting with Citrix Provisioning:
• Citrix Provisioning can use a persistent disk in the form of a formatted write cache disk.
• This can persist the LocalAgentCache and LocalAgentDatabase files, using the AgentCacheAlternateLocation HKLM registry key
pre-configured in your master image.
• There is no cache redirection registry key for the “Profile Management/Microsoft USV” cache and so it can’t be saved to the write
cache disk.
• Use the AgentCacheAlternateLocation registry key to redirect the LocalAgentCache and LocalAgentDatabase files to the VDA’s formatted write cache disk.
• “Bake” the Profile Management & Microsoft USV cache into the MCS master image before rollout.
Key Notes:
• Next we have Machine Creation Services (MCS).
• Just like Citrix Provisioning, MCS includes formatted write cache disk capabilities.
• Just like in the PVS scenario, we use the AgentCacheAlternateLocation registry key to redirect the LocalAgentCache and
LocalAgentDatabase files to the VDA’s formatted write cache disk.
• Also just like PVS, customers should “bake” the “Profile Management/Microsoft USV” cache into the MCS master image before
rollout.
your image.
• If using Citrix Provisioning, the WEM Agent needs to be installed on an App Layering platform layer (Netlogon dependencies).
• If using MCS, the WEM Agent can be installed on the OS layer, Platform layer, or App layer.
• The “baking” of the Profile Management & Microsoft USV cache is done in App Layering layers.
• Then pass the Finalized layered image to Citrix Provisioning or MCS.
Key Notes:
And finally App Layering…
• App layering isn’t a provisioning method of course, but it is used to layer the different parts of your image prior to passing over the
results to a provisioning method.
• If using Citrix Provisioning for provisioning, the WEM Agent needs to be installed on an App Layering Platform Layer.
• The reason for this would need some detailed explanation but in short it’s because both the PVS Target Device Software and the
Norskale Agent Host Service make changes to Netlogon dependencies.
settings to finish applying before app launch completes.
• WEM provides the VUEMAppCMD.exe program to control the launch delay of published apps (100ms – 200ms is sufficient).
• Configuration is performed in the Application Properties, in the Delivery Group.
• VUEMAppCMD.exe resides on the WEM Agent.
Key Notes:
• In certain use cases, where a published app depends on WEM settings such as drive mappings or printer mappings to be applied
before the app launch completes, you want to be sure that WEM has applied its settings.
• To facilitate this, WEM provides the VUEMAppCMD.exe program to control the launch delay of published apps.
• The delay is minuscule, around 100 to 200 milliseconds – but sufficient to achieve its purpose.
• Configuration is performed in Citrix Studio; in the Application’s Properties, in the Delivery Group.
• The VUEMAppCMD.exe program runs on the WEM Agent, where it was installed.
is done usually through the WEM GPO ADMX template.
• Can also specify the value when installing the Agent.
Key Notes:
• Configuring the amount of app launch delay is usually done through the WEM GPO ADMX template, but you can also specify the value when installing the Agent.
Additional Resources:
• Install and configure the agent: https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/agent-host.html#install-and-configure-the-agent
configured a WEM Configuration Set for an existing Machine Catalog of 100 MCS-based non-persistent VDAs. The WEM GPO has also been added to the OU containing the machines.
They tell the CVAD admin to update the master image by installing the WEM Agent. What else should the CVAD admin do on the master image machine to get it ready for the WEM deployment?
have WEM GPO apply and so that it points to
ot
the WEM Infrastructure Services (or to Citrix
fo
Cloud Connectors if WEM Service deployment).
rr
• Then run the AgentCacheUtility.exe program to
es
populate the WEM settings and local WEM
al
caches.
e
• Finally, Update the Machine Catalog.
or
di
s
tri
b
ut
io
n
Environment
• Exercise 13-2: Configure Environment Lockdowns
• Exercise 13-3: Manage the VDA Processes
Actions for the user during session launch.
• There are four WEM caches:
• The Actions and Printers cache, which resides in the user’s registry hive.
• The Citrix Profile Management & Microsoft USV cache, which resides in the system registry.
• The Local Agent Cache, which is stored in a database file.
• The Local Database Cache, which is stored in a database file.
• Only the Citrix Profile Management & Microsoft USV cache cannot be offloaded from the WEM Agent machine, so it should be “baked” into master images when provisioning VDAs using Citrix Provisioning, Machine Creation Services, and Citrix App Layering.
Key Takeaways:
• There are two WEM Agent components:
• The Norskale Agent Host Service, which processes WEM machine-based settings at machine start up and during session launch.
• The WEM User Agent, which processes only WEM Actions for the user during session launch.
• There are four WEM caches:
• The Actions and Printers cache, which resides in the user’s registry hive.
• The Citrix Profile Management & Microsoft USV cache, which resides in the system registry.
Upgrading Workspace Environment Management (WEM) and Migration to WEM Service
Module 14
WEM on-premises and WEM Service deployments.
• Identify important tips that lead to the successful migration of a WEM on-premises deployment to WEM Service.
Environment Management (WEM)
no code-level fixes.
End of Life (EoL): The product version reaches end of life 18 months after version release. From this point, the version is no longer supported.
[Timeline figure: 6 months, 12 months; Upgrade Window: 3 months]
• A good leading practice is to upgrade to the latest WEM on-premises version during an organization’s Citrix system maintenance cycle:
• Sometime in the (approx) 3 months between the release date of the new WEM version and the End of Maintenance date for the previous version.
Key Notes:
• The WEM on-premises product release cycle follows that of other Citrix products used in on-premises deployments.
• End of Maintenance (EoM): 6 months after the version release date, Citrix no longer performs code maintenance updates.
• End of Life (EoL): The product version reaches end of life 18 months after version release. At that point, technical support and
product downloads for that version will no longer be available.
• In the 12 months between End of Maintenance and End of Life, Citrix will still provide technical support, for example for configuration issues, but code-level fixes may not be available.
Additional Resources:
• Citrix product lifecycle dates: https://www.citrix.com/support/product-lifecycle/product-matrix.html
must be upgraded in the following order:
1. WEM Infrastructure Servers
2. WEM Database
3. WEM Administration Console
4. WEM Agents
Key Notes:
• WEM on-premises deployment components must be upgraded in the following order:
• WEM Infrastructure Server
• WEM Database
• Don’t forget to upgrade the database. Citrix Support does get cases from customers who say that the upgrade failed, and the cause is that the WEM database wasn’t upgraded.
• WEM Administration Console
Additional Resources:
• Upgrade a deployment: https://docs.citrix.com/en-us/workspace-environment-management/current-release/upgrade.html
• In place upgrades are supported for all WEM components: Can upgrade from WEM version 4.7 to the latest WEM on-premises version.
• Component upgrades: Run the relevant component installer on the component machine (except for the WEM database).
• WEM Infrastructure Server & WEM Database
• After upgrade, you must run and reconfigure using the WEM Infrastructure Service Configuration utility.
• From the WEM Infrastructure Server, run the WEM Database Management Utility but select the “Upgrade Database” option.
• WEM Administration Console
• All WEM settings are stored in the database and are preserved during upgrade.
• WEM Agents
• Upgrade the WEM Agent on Citrix Provisioning or MCS master images, or App Layering layer.
• Ensure all users are logged off the WEM Agent machine.
• The WEM Agent version should be at the same version as the WEM Infrastructure Server.
• One version lower is supported but it’s always best to keep the Agent current – to make the most of the newer WEM features.
Key Notes:
• In place upgrades are supported for all WEM components. You can upgrade from WEM version 4.7 to the latest WEM on-premises
version.
• v4.7 is the lowest version from which you can upgrade to the latest WEM version.
• Apart from upgrading the WEM database, which uses the Database utility, all component upgrades consist of running the relevant
component installer on the component machine.
• WEM Infrastructure Server
• WEM Agents
• Upgrade the WEM Agent to the latest version on Citrix Provisioning or MCS master images, or App Layering layer. Update the Machine Catalog with the new image as the final step.
• If you’re not using a provisioning method, ensure all users are logged off the WEM Agent machine so that all files can be changed during the upgrade process.
• The WEM Agent version should be at the same version or one version lower than the WEM Infrastructure Server.
• One version lower is supported but it’s always best to keep the Agent current – to make the most of the newer WEM features.
Additional Resources:
• Upgrade a deployment: https://docs.citrix.com/en-us/workspace-environment-management/current-release/upgrade.html
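The lifecycle dates (End of Maintenance at 6 months, End of Life at 18 months) and the Agent version rule (same version as the Infrastructure Server, or one lower) can be checked against a component inventory before a maintenance cycle. The following PowerShell audit is an added example, not Citrix code or part of the course material; the version labels, release dates and machine names are constructed, and reading “one version lower” as one release behind in the ordered list is an assumption.

```powershell
# Rules from this module: End of Maintenance (EoM) = release + 6 months, End of
# Life (EoL) = release + 18 months; an Agent may be one version below the server.
$EomMonths = 6; $EolMonths = 18; $MaxAgentLag = 1

# Constructed sample data: placeholder version labels, listed in release order,
# with made-up quarterly dates. Real dates come from the Citrix product matrix.
$Releases = [ordered]@{
    'Version-A' = [datetime]'2019-03-01'; 'Version-B' = [datetime]'2019-06-01'
    'Version-C' = [datetime]'2019-09-01'; 'Version-D' = [datetime]'2019-12-01'
    'Version-E' = [datetime]'2020-03-01'; 'Version-F' = [datetime]'2020-06-01'
}
# Constructed inventory of installed WEM components (hypothetical machine names).
$Inventory = @(
    [pscustomobject]@{ Component = 'Infrastructure Server'; Machine = 'wem-infra-01'; Version = 'Version-F' }
    [pscustomobject]@{ Component = 'Agent'; Machine = 'mcs-master';    Version = 'Version-E' }
    [pscustomobject]@{ Component = 'Agent'; Machine = 'static-vda-07'; Version = 'Version-C' }
    [pscustomobject]@{ Component = 'Agent'; Machine = 'legacy-vda-02'; Version = 'Version-A' }
)

function Test-WemComponent {
    param(
        [Parameter(Mandatory)] $Item,
        [Parameter(Mandatory)] [string]   $ServerVersion,
        [Parameter(Mandatory)] [datetime] $AsOf
    )
    $order = @($Releases.Keys)
    $index = [array]::IndexOf($order, $Item.Version)
    if ($index -lt 0) { throw "No release date known for '$($Item.Version)'" }
    $eom = $Releases[$Item.Version].AddMonths($EomMonths)
    $eol = $Releases[$Item.Version].AddMonths($EolMonths)
    $lifecycle = if ($AsOf -ge $eol) {
        'End of Life: no longer supported'
    } elseif ($AsOf -ge $eom) {
        'Past EoM: code-level fixes may not be available'
    } else {
        'In maintenance'
    }
    # Upgrade window: opens when the next version ships, closes at this version's EoM.
    $windowOpens = if ($index + 1 -lt $order.Count) { $Releases[$order[$index + 1]] } else { $null }
    # Assumption: skew is counted in releases behind the server; applies to Agents only.
    $lag  = [array]::IndexOf($order, $ServerVersion) - $index
    $skew = if ($Item.Component -ne 'Agent') {
        'n/a'
    } elseif ($lag -ge 0 -and $lag -le $MaxAgentLag) {
        'Within supported range'
    } else {
        "Outside supported range (lag: $lag)"
    }
    [pscustomobject]@{
        Machine = $Item.Machine; Version = $Item.Version; WindowOpens = $windowOpens
        EoM = $eom; EoL = $eol; Lifecycle = $lifecycle; AgentSkew = $skew
    }
}

$asOf   = [datetime]'2020-09-15'   # constructed audit date
$server = ($Inventory | Where-Object Component -eq 'Infrastructure Server').Version
$Inventory | ForEach-Object { Test-WemComponent -Item $_ -ServerVersion $server -AsOf $asOf } |
    Format-List
```

Components reported as past EoM or End of Life are the ones to schedule first, since they no longer receive code-level fixes.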
• Installing the WEM Infrastructure Server also installs the Citrix Workspace Environment Management SDK.
• WEM SDK PowerShell modules allow you to:
• Create a new WEM database or upgrade existing to a new version during deployment upgrade.
• Retrieve WEM Infrastructure Service configuration and make configuration changes.
• Export a Configuration Set and import to another WEM deployment.
• Export WEM Active Directory Objects, and import to another WEM deployment.
• Many WEM SDK module cmdlets available for building PowerShell scripts.
• Instructions, guidance, and examples are provided on the Citrix Developer Docs website.
Key Notes:
• Installing the WEM Infrastructure Server also installs the WEM software development kit (SDK).
• WEM SDK PowerShell modules allow you to:
• Create a new WEM database or upgrade existing to a new version during deployment upgrade.
• Retrieve WEM Infrastructure Service configuration and make configuration changes.
• Export a Configuration Set and import to another WEM deployment.
• Export WEM Active Directory Objects, and import to another WEM deployment.
Additional Resources:
• Citrix Workspace Environment Management 1912 SDK: https://developer-docs.citrix.com/projects/workspace-environment-management-sdk/en/latest/
[Diagram labels: On-Premises (Active Directory, Citrix Cloud Connectors, VDA, WEM Agent); Citrix Cloud (WEM Service Manage Console, WEM Service Infrastructure Services, WEM Database on Azure SQL Server)]
Key Notes:
• Upgrading WEM Service deployments is a far easier task than upgrading an on-premises deployment because Citrix Cloud manages all of the backend WEM Infrastructure Services.
• An organization’s WEM administrators only need to upgrade the WEM Agents – a task made a lot simpler when Citrix Provisioning,
MCS, or App Layering is used in a Citrix Virtual Apps and Desktops Service deployment.
• The Agent installation instructions are the same between WEM on-premises and WEM Cloud except that the latest WEM Agent
installer is downloaded from the Citrix Cloud portal.
What are the benefits of a WEM Service deployment over a WEM on-premises deployment when it comes to upgrading?
In a WEM on-premises deployment upgrade, the WEM Infrastructure Server, WEM database, WEM Console, and WEM Agents must all be upgraded.
In a WEM Service deployment, Citrix takes care of the WEM Service infrastructure upgrading, leaving only the responsibility of upgrading the WEM Agents to the organization’s administrator.
WEM Service
Cloud, the process of migrating your WEM on-premises deployment to WEM Service is straightforward.
• The Migrate section in the WEM Service Product Documentation is clear and guides you through the process.
Key Notes:
• Once you’ve decided to transition to Citrix Cloud, the process of migrating your WEM on-premises deployment to WEM Service is
straightforward.
• The Migrate section in the WEM Service Product Documentation is clear and guides you through the process.
Additional Resources:
• Upgrade a deployment: https://docs.citrix.com/en-us/workspace-environment-management/current-release/upgrade.html
Useful Tips:
• Check that the Workspace Environment Management Service tile is active.
• The WEM Infrastructure Services, WEM Database, and WEM Service Manage console are already available.
Key Notes:
• The Migrate Product Docs are great but experience also helps - so here are some very useful tips:
• In your Citrix Cloud account, check that the Workspace Environment Management Service tile is active. You’ll see the Manage
button if it is.
• This means that the WEM Infrastructure Services, WEM Database, and WEM Service Manage console are already available and
running in Citrix Cloud.
• Your WEM Service deployment now exists, but is empty of WEM settings, users, and machines.
Citrix Cloud Connectors.
• The WEM Agents do not get confused by having both the on-premises Infrastructure server and Citrix Cloud Connectors settings, configured and enabled at the same time.
• Later in the migration, the WEM Agent undergoes a switching process to make it part of the WEM Service deployment.
• The Citrix Cloud Connectors GPO setting will come into effect then.
Key Notes:
• Configure your WEM GPO ahead of time by entering the FQDNs or IP addresses of your Citrix Cloud Connectors.
• Don’t worry, the on-premises WEM Agents do not get confused by having both the on-premises “Infrastructure server” and “Citrix Cloud Connectors” settings configured and enabled at the same time.
• It’s not until later in the migration that the WEM Agent undergoes a switching process to make it part of the WEM Service deployment.
• The “Citrix Cloud Connectors” GPO setting will come into effect then.
• When running the Wizard, also open the WEM Infrastructure Service Configuration utility.
• You’ll see the correct SQL Server and WEM database information to enter into the Wizard.
• Check the Use integrated connection box if you have sufficient permissions. Otherwise enter the credentials of an account that does.
• Not recommended to enable the Export logs checkbox.
Key Notes:
• The migration tool runs as a UI called the Database Migration Wizard.
• Its purpose is to extract all of the relevant WEM database settings to a new SQL file which is then compressed.
• When running the Wizard, also open the WEM Infrastructure Service Configuration utility.
• You’ll see the correct SQL Server and WEM database information to enter into the Wizard.
• If the logged on user has sufficient permissions to access the WEM database, check the “Use integrated connection” box.
Otherwise enter the credentials of an account that does.
Additional Resources:
• Migration to WEM Service: https://docs.citrix.com/en-us/workspace-environment-management/service/migrate.html
• In the Advanced Settings > Agent Switch section on the on-premises WEM Administration Console.
• All Agents in the current Configuration Set are switched in bulk.
• Note: Explicitly specify the Cloud Connector addresses.
• This is so the on-premises Agents can pick up the settings immediately on the next Agent sync, and not wait until the WEM GPO settings apply.
Key Notes:
• After uploading the extracted on-premises WEM database to Citrix Cloud, it can take a few hours before you receive the migration
completion notification in the Citrix Cloud portal.
• At that point, go back to the on-premises WEM Administration Console to perform the step of switching your on-premises WEM
Agent machines to WEM Service mode.
• This is in the Advanced Settings > Agent Switch section.
• All Agents in the current Configuration Set are switched in bulk. Complete the switching task for all Configuration Sets in your on-
Additional Resources:
• After migration: https://docs.citrix.com/en-us/workspace-environment-management/service/migrate.html#after-migration
• Agents connect to the on-premises WEM Broker to retrieve and apply their new settings.
• Three things will happen automatically:
• The WEM Agent machines will now point to the Cloud Connectors.
• The WEM Agent will delete its LocalAgentCache database and restart the Norskale Agent Host Service (Agent reset).
• The Agent will synchronize its LocalAgentCache with the WEM service Broker.
Key Notes:
• Agent switch settings are written to the on-premises WEM database.
• At this stage, the WEM Agents are still part of the on-premises deployment. Agents connect to the on-premises WEM Broker to retrieve and apply their new settings.
• In the Agent “switching” process, three things will happen automatically:
• The WEM Agent machines will now point to the Cloud Connectors.
• The WEM Agent will delete its LocalAgentCache database and restart the Norskale Agent Host Service (Agent reset).
Additional Resources:
• After migration: https://docs.citrix.com/en-us/workspace-environment-management/service/migrate.html#after-migration
• After migration, it is still supported to continue to use the on-premises WEM Agent version installed.
• Citrix recommends downloading and installing the WEM Agent version from the Citrix Cloud portal.
• This is because the migrated deployment is now a WEM Service deployment, and you need to keep the WEM Agent versions in line with the WEM Service release cycle.
Key Notes:
• Since the pre-migration WEM deployment was on-premises, the WEM Agents were originally installed from the Citrix Download
page.
• After migration, Citrix still supports the use of the on-premises WEM Agent in the WEM Service deployment.
• Citrix does recommend, though, that you download the WEM Agent version from the Citrix Cloud portal and install it as part of your regular software maintenance cycle.
• This is because the migrated deployment is now a WEM Service deployment, and you need to keep the WEM Agent versions in line
Cloud Connector addresses in the Agent switching section of the WEM Console, even though the WEM already has the same information configured?
A WEM Agent will usually pick up and apply the WEM settings more quickly than the machine account will read and apply the GPO.
upgrades, backups, and restores.
• WEM Service deployments are much easier to upgrade as Citrix Cloud is responsible for the upgrade and management of all of the WEM Service backend infrastructure components.
• When it’s time to migrate WEM to the Citrix Cloud, use the migration tool to extract the on-premises WEM database and upload to Citrix Cloud. There are several migration tips to ensure the migration process is smooth. These include:
• Check first that WEM Service is active.
• Add the Citrix Cloud Connectors to the WEM GPO.
• You can continue to use the on-premises WEM Agent in WEM Service, and upgrade to the Service version of the Agent later.
Key Takeaways:
• WEM on-premises upgrades carry the administrative overhead of having to upgrade all WEM components.
• On-premises deployments can take advantage of the WEM SDK, a set of PowerShell cmdlets that allow scripted upgrades, backups,
and restores.
• WEM Service deployments are much easier to upgrade as Citrix Cloud is responsible for the upgrade and management of all of the
WEM Service backend infrastructure components.
• When it’s time to migrate WEM to the Citrix Cloud, use the migration tool to extract the on-premises WEM database and upload to