Managing Citrix Policies

by Guillermo Musumeci | June 2011 | Enterprise Articles

XenApp 6 is the leader in application hosting and virtualization delivery, allowing users from different platforms such as Windows, Mac, Linux, and mobile devices to connect to their business applications. It reduces resources and costs for application distribution and management. Using Citrix XenApp 6, you can deploy secure applications quickly to thousands of users.

In this article by Guillermo Musumeci, author of Getting Started with Citrix XenApp 6, we will cover:

  • Understanding Citrix policies
  • Using the Group Policy Management Console, Citrix Delivery Services Console, and Local Group Policy Editor to manage Citrix policies
  • How to create, manage, and apply Citrix policies
  • Troubleshooting Citrix policies

 


Understanding Citrix policies

In the Active Directory, a Group Policy contains two categories (also called nodes): Computer Configuration and User Configuration settings.

  • The Computer Configuration node contains policy settings applied to computers (the XenApp servers, when we use GPOs to manage servers)
  • The User Configuration node contains settings applied to users accessing the machine, the XenApp server in our case, regardless of where they log on

Citrix policies also have the same categories: computer and user.

  • Computer policy settings in Citrix are applied to XenApp servers. When the server is rebooted, these policies are applied to the server.
  • User policy settings are used for the duration of the session and are applied to user sessions. Policy settings changes can also take effect when XenApp re-evaluates policies every 90 minutes.

Citrix policies are the preferred way to manage session settings or user access and the most effective method of controlling connection, security, and bandwidth settings on XenApp farms.

We can create and assign Citrix policies to users, groups, machines, or connection types and each policy can contain one or several settings. Using policies allows us to turn on/off settings like:

  • ICA session settings, like Auto Client Reconnect, Keep Alive, Session Reliability, or Multimedia configuration
  • Licensing configuration, like license server hostname or port
  • Mapping of local drives, printers, and ports
  • Server settings, like Connections Settings, Reboot Behavior, Memory/CPU Management
  • Shadowing options and permissions

Working with Citrix policies

A policy is basically a collection of settings or rules. Citrix policies include the user, server, and environment settings that will affect XenApp sessions when the policy is enforced. Policy settings can be enabled, disabled, or not configured.

For some policy settings, we can enter a value or we can choose a value from a list when we add the setting to a policy.

To enable or permit a policy setting, we set it to Enabled or Allowed; to turn off or disallow a policy setting, we set it to Disabled or Prohibited.

Also, we can limit configuration of the setting by selecting Use default value. Selecting this option disables configuration of the setting and allows only the setting's default value to be used when the policy is enforced.

If we create more than one policy in our environment, we need to prioritize the policies. The best way to track applied settings is to run a Resultant Set of Policy Logging report from the Group Policy Management Console or the Citrix Policy Modeling Wizard.

These reports will show all Citrix settings configured via a policy, and which Group Policy Object, including the farm GPO, has actually won the merging calculation. We are going to talk about this in detail later.

Usually, Citrix policies will override the same or similar settings applied to the farm, specific XenApp servers, or on the client machine, except for the highest encryption setting and the most restrictive shadowing setting, which always override other rules or settings.

Best practices for creating Citrix policies

The following is a list of recommendations when configuring policy settings:

  • Reduce the number of policies: Avoid creating multiple policies for different groups of users. Create one policy and apply filters to it.
  • Disable unused policies: Unused policies waste processing resources. If we are using Active Directory Group Policies, we can disable the unused part of the policy (Computer or User part).
  • Assign policies to groups: If we assign policies to groups rather than a user, management is easy and can reduce processing time.
  • Remote Desktop Session Host Configuration settings are similar to Citrix policy settings in a few ways. We need to avoid using Remote Desktop Session Host Configuration to reduce overlapping of settings.

We can use Remote Desktop Session Host Configuration (formerly known as Terminal Services Configuration on Windows Server 2003) to configure settings for new connections, modify the settings of existing connections, and delete connections. We can configure settings on a per connection basis or for the server as a whole.

Guidelines for working with policies

The process for configuring policies is as follows:

  • Create and give a name to the policy: We need to create and provide a name for the new policy.
  • Configure policy settings: We need to choose if we are going to create a User Configuration or Computer Configuration policy and then set the policies.
  • Apply the policy to connections using filters: Using filters we can choose to apply the policy to a specific group of users or computers.
  • Prioritize the policy: In the final (and optional) step, we will assign priority so that policies will override or take precedence over other policies.

Working with management consoles

In previous versions of Citrix XenApp, and in Citrix Presentation Server and Citrix MetaFrame, policies were stored in the IMA data store, and we managed Citrix policies from the Citrix Management Console.

Starting with XenApp 6, policies are stored in Active Directory, and we can manage Citrix policies through the Group Policy Management Console or Local Group Policy Editor in Windows, or through the Delivery Services Console on XenApp servers. Choosing the right console depends on our network environment and permissions.

Using the Group Policy Management Console

The Group Policy Management Console (shown in the following screenshot) allows us to view or create Active Directory policies. It also enables us to view the resulting policies applied to users or computers, which is very useful for troubleshooting (more about this is discussed later).


If our network environment is based on the Active Directory and we have the appropriate permissions to manage Group Policies (GPO), using the Group Policy Management Console to create policies for our farm is the preferred option.

The main reason to use the Group Policy Management Console over the Citrix Delivery Services Console is that Active Directory GPOs take precedence over the farm GPO (also known as IMA GPO).

Using the Delivery Services Console

The Citrix Delivery Services Console (shown in the following screenshot), formerly known as the Citrix Access Management Console, is a tool that integrates into the Microsoft Management Console (MMC) and enables us to execute management tasks, including creating and viewing Citrix Policies.

If we don't have permissions to manage the Active Directory of our company or if our environment doesn't use the Active Directory, we need to use the Citrix Delivery Services Console to create policies for our farm. Policies are stored in a farm GPO in the Citrix data store.


In the Citrix Delivery Services Console, we can view the policy configuration by clicking on the Policies node and then selecting either the Computer or the User tab in the middle pane.

When we click on one of these two tabs, three more tabs will be displayed, as shown in the following screenshot.

  • Summary: Shows the settings and filters configured for the selected policy
  • Settings: Shows available and configured settings by category for the selected policy
  • Filters: Shows the available and configured filters applied to the selected policy


Using the Local Group Policy Editor

If we don't want to use the Citrix Delivery Services Console, we don't have permissions to modify or create a GPO in the Active Directory, or we don't have an Active Directory domain (a NetWare network or workgroup, for example), we have another option. We can create a local GPO using the Local Group Policy Editor (shown in the following screenshot).

If we type GPEDIT.MSC, from Start | Run, the Local Group Policy Editor will open. We can modify the local policy of a single server, so it is useful to create or edit a policy in one or maybe a couple of servers, for example, silos or test servers, but it is not useful for medium to large farms. The Local Group Policy will affect everyone who logs onto this machine—including users accessing via Citrix and administrators.


We can access policies and their settings in the Local Group Policy Editor, by clicking the Citrix Policies node under User Configuration or the Computer Configuration in the tree pane, located on the left.


Active Directory Group policies take precedence over farm GPO; and farm GPO takes precedence over Local Group policies.


Creating Citrix policies

William Empire from Brick Unit Construction is planning to use Citrix policies to manage the XenApp farm (Refer to Designing a XenApp 6 Farm). He needs to decide which group of users, servers, or machines he wants to affect, before he creates the policy.

Because Brick Unit Construction's network infrastructure uses Active Directory, he can use the existing Active Directory OU structure to create the Citrix policies.

Commonly, policies are based on geographic location (HQ, remote sites, and so on), connection type (local or remote users), user role (IT, financial, and so on), and client machines (laptops, thin clients, and so on).

Creating a policy using consoles

From the Citrix Delivery Services Console, he selects the Policies node on the left pane and then selects the Computer or User tab and clicks New. These policies are stored on the IMA datastore.


William also can use the Local Group Policy Editor to create or modify local policies. He needs to select the Computer Configuration or User Configuration node, then Citrix Policies. He clicks the New option to add a new policy. As we mentioned before, the policy is stored in local machine policy and can be used to add specific policies to a few servers.


The last and preferred console is the Group Policy Management Console. William needs to select the container for the policy, Group Policy Objects, in this case. He right-clicks over the container and selects New. Finally, he gives the new GPO a name and clicks the OK button.

From this step on, the process is the same in all consoles.


After he gives the policy a name, he needs to select the Computer Configuration or User Configuration node, and then, under Policies, click Citrix Policies. Next, he clicks New to add a new policy.


After the New Policy wizard appears, William adds a Name and Description, and clicks the Next button. In this example, he is going to create a policy to manage multimedia policies.


He needs to choose the policy settings he wants to set up. In this case, he will enable HDX MediaStream Multimedia Acceleration using the Add button.


He chooses the Allowed option to enable HDX MediaStream Multimedia Acceleration.


Then he needs to choose the filters he wants to apply to the policy. Here, he applies the multimedia policy to the Training Devices worker group, so all users using XenApp servers in the training room (members of the Training Devices worker group) will get improved multimedia performance.


In the final step, William selects the Enable this policy checkbox to leave the policy enabled; enabling the policy allows it to be applied immediately to users logging on to the farm. Also, he can clear the Enable this policy checkbox to disable the policy; disabling the policy prevents it from being applied.

XenApp installs the Citrix Group Policy engine when the Citrix Delivery Services Console is installed (on a XenApp 6 server or standalone machine). The Citrix Group Policy engine provides integration between Active Directory group policies and Citrix policies.

Applying policies to sessions

When William creates a policy, its settings are applied to sessions. By default, if no filter is added, the policy is applied to all sessions.

He can use filters to apply a policy to a target group (users, groups, or computers, for example).

When a user logs in to the farm, XenApp recognizes the policies that match the filters for the connection and applies them based on the priority ranking of the policy.

Some filters depend on whether we are applying a Computer or a User policy. The following list shows the available filters:

  • Access control: The policy is applied based on a connection through Citrix Secure Gateway. This filter applies only to User policies.
  • Client IP address: The policy is applied based on the client's IP address (IPv4 or IPv6 address) used to connect to the XenApp farm. This filter applies only to User policies.
  • Client name: The policy is applied based on the name of the client machine used to connect to the XenApp farm. This filter applies only to User policies.
  • User: The policy is applied based on the user or group membership of the user. This filter can apply to local or Active Directory users. This filter applies only to User policies.
  • Worker group: The policy is applied based on the worker group membership of the XenApp server hosting the session. This filter applies to either User policies or Computer policies.

Disabled policy settings take precedence over a lower-ranked setting that is enabled, and policy settings that are not configured are ignored.

Unfiltered policies

By default, XenApp provides Unfiltered policies for Computer and User policy settings. The settings added to this policy apply to all connections.

William will use the Group Policy Management Console to manage Citrix policies, so the settings he adds to the Unfiltered policy are applied to all farm servers and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy.

If he uses the Citrix Delivery Services Console to manage Citrix policies, the settings he adds to the Unfiltered policy are applied to all servers and connections in the farm.

Now we are going to help William apply policies. He creates a test policy which he will apply to his account so that he can test it. From the policy wizard, he needs to select the User filter and click the Add button.


From the New User Filter dialog box, he selects his account and clicks the Add button.


Now, he can see all filters applied to the policy.


The policy is applied the next time William logs on to the XenApp farm.

Using multiple policies

We can use multiple policies to provide access to users based on their job functions, geographic locations, or connection types.

For example, William can create a policy that prevents remote users from mapping printers and local hard drives.

However, there is a group of project managers at Brick Unit Construction who are working from home and need access to their local drives and printers. So, William can create another policy and assign it to this group. Then he needs to prioritize the two policies to control which one takes precedence.

After William creates both policies, he needs to change the priority of policies.

From the console tree, he chooses to view Citrix Computer Policies or Citrix User Policies.

He created two policies: One called "Block Mapping Local Disks and Printers" is applied to all remote users. The second one, called "Enable Mapping Local Disks and Printers Project Manager", is applied to the project manager group.

From the middle pane, he selects the policy he wants to prioritize.

He needs to click on the Increase Priority or Decrease Priority buttons until the policy has the preferred rank. He needs to give more priority to the project manager policy.
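The ranking rules above, sketched as an added Python model (not part of the original article and not Citrix's policy engine): it applies the store precedence (Active Directory GPO, then farm GPO, then Local Group Policy), the per-policy priority, and the filters to William's two mapping policies. The group names, worker group, client address, setting labels, the local silo policy, and the rule that every configured filter must match are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from dataclasses import field
from ipaddress import ip_address, ip_network

# Store precedence stated in the article: AD GPO > farm GPO > Local Group Policy.
SOURCE_RANK = {"ad": 0, "farm": 1, "local": 2}

@dataclass
class Policy:
    name: str
    source: str        # "ad", "farm" or "local"
    priority: int      # 1 = highest rank within its store
    settings: dict     # setting -> "Allowed"/"Prohibited"; missing key = not configured
    users: set = field(default_factory=set)          # User filter (group names)
    worker_groups: set = field(default_factory=set)  # Worker group filter
    client_nets: tuple = ()                          # Client IP address filter (CIDR)
    enabled: bool = True                             # "Enable this policy" checkbox

@dataclass
class Session:
    groups: set
    worker_group: str
    client_ip: str

def applies(policy, session):
    """True if the policy is enabled and every configured filter matches.
    A policy without filters applies to every session."""
    if not policy.enabled:
        return False
    if policy.users and not policy.users & session.groups:
        return False
    if policy.worker_groups and session.worker_group not in policy.worker_groups:
        return False
    if policy.client_nets:
        ip = ip_address(session.client_ip)
        if not any(ip in ip_network(net) for net in policy.client_nets):
            return False
    return True

def resultant_set(policies, session):
    """Return {setting: (value, winning policy name)} for one session."""
    ranked = sorted((p for p in policies if applies(p, session)),
                    key=lambda p: (SOURCE_RANK[p.source], p.priority))
    result = {}
    for policy in ranked:
        for setting, value in policy.settings.items():
            # First writer wins: a higher-ranked Prohibited beats a lower-ranked
            # Allowed, and settings a policy leaves unconfigured are skipped.
            result.setdefault(setting, (value, policy.name))
    return result

# Constructed sample data; "drive mapping"/"printer mapping" are illustrative
# labels, not the names of Citrix settings.
BLOCK = Policy("Block Mapping Local Disks and Printers", "ad", 2,
               {"drive mapping": "Prohibited", "printer mapping": "Prohibited"},
               users={"Remote Users"})
PM = Policy("Enable Mapping Local Disks and Printers Project Manager", "ad", 1,
            {"drive mapping": "Allowed", "printer mapping": "Allowed"},
            users={"Project Managers"})
LOCAL = Policy("Silo server local policy", "local", 1, {"drive mapping": "Allowed"})
POLICIES = [BLOCK, PM, LOCAL]

def drive_mapping(groups, policies=POLICIES):
    """Effective drive-mapping value and winning policy for a remote session."""
    session = Session(set(groups), "Remote Access Servers", "203.0.113.25")
    return resultant_set(policies, session)["drive mapping"]

if __name__ == "__main__":
    for who in (["Remote Users"], ["Remote Users", "Project Managers"], []):
        print(who or ["(no matching group)"], "->", drive_mapping(who))
```

The last case is the one worth checking in a real farm: a session that matches none of the filtered policies falls through to whatever a lower-precedence store allows.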


In general, policies override similar settings configured for the entire XenApp farm, for specific servers, or on the client machine. The exception is security. The highest encryption setting in our environment, including the operating system, and the most restrictive shadowing setting always override other settings and policies.


Troubleshooting policies

Occasionally, a connection does not respond as expected because multiple policies are applied to the session. If a higher priority policy also applies to a session, it can override the settings we configured in the original policy. As we saw before, we can determine how the final policy settings are merged for a connection by calculating the Resultant Set of Policy.

We can calculate the Resultant Set of Policy in the following ways:

  • We can use the Citrix Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be applied.
  • We can use Group Policy Results to produce a report describing the Citrix policies in effect for a given user and server.

We can launch both tools from the Group Policy Management Console in Windows. If our XenApp environment doesn't use the Active Directory, we can launch the Citrix Group Policy Modeling Wizard from the Actions pane of the Citrix Delivery Services Console.

Using the Citrix Policy Modeling Wizard

The Citrix Group Policy Modeling Wizard generates a report of Citrix policies applied to a particular environment such as domain controller, users, Citrix policy filter evidence values, and simulated environment settings such as slow network connection.

Results of the wizard will be based on the user account we use and where we run it.

If we are logged on to the server with a domain account and our environment includes Active Directory, the wizard result will include Active Directory GPOs. If we run the wizard from the Citrix Delivery Services Console, the farm GPO is included in the result too. However, if we are logged on to the server as a local user account and run the wizard from the Citrix Delivery Services Console, the wizard calculates the Resultant Set of Policy using only the farm GPO.

Simulate connection scenarios with Citrix policies

Depending on our XenApp environment, we can use the Citrix Group Policy Modeling Wizard from the Citrix Delivery Services Console or the Microsoft Group Policy Management Console.

From the Citrix Delivery Services Console, we need to click the Policies node in the console tree and then click on Run the modeling wizard from the Actions pane.


Now we are going to help William run the Citrix Group Policy Modeling Wizard from the Group Policy Management Console. He needs to right-click the Citrix Group Policy Modeling node in the console tree and then select Citrix Group Policy Modeling Wizard.


The wizard starts with the welcome page. He then clicks on the Next button. He follows the wizard and selects the domain controller, users, computers, environment settings, and Citrix filter criteria he wants to use in the simulation.


He selects his user and selects the computer container.


In the Advanced Simulation Options page, he keeps the default options.

In the Alternate Active Directory Paths page, he selects the OU for the User location.


In the Filter Evidence Selections page, he enters the Client IP address.


In the Summary of Selections page, William clicks on the Run button.


When he clicks on the Close button, the wizard produces a report of the modeling results. In the Citrix Delivery Services Console, the report appears as a node in the console tree, underneath the Policies node. The Modeling Results tab in the middle pane displays the report, grouping effective Citrix policy settings under the User Configuration and Computer Configuration headings.


Citrix settings precedence over Windows settings

In a XenApp environment, Citrix settings override the same settings configured in an Active Directory policy or using Remote Desktop Session Host Configuration. This applies to settings that are related to Remote Desktop Protocol (RDP) client connection settings such as desktop wallpaper, menu animation, and so on.

Exceptions to this rule are the settings for encryption and shadowing, where the most restrictive setting among those configured by Remote Desktop Session Host Configuration, Active Directory settings, application configuration, and Citrix settings applies.

Searching policies and settings

From the Citrix Delivery Services Console, we can search the policies and their settings and filters. Now we are going to help William Empire from Brick Unit Construction to search policies.

All searches find items by name as he types the policy name. He can perform searches from the following places:

  • For searching policies, he can use the search box over the list of Citrix policies:


  • William can use the search tool on the Settings tab to search policy settings. He types license and all policies matching the word license are displayed.


  • For searching filters, he can use the search tool on the Filters tab.


When managing policies through the Delivery Services Console, we need to avoid making frequent changes, because they can adversely impact server performance. When we modify a policy, the XenApp server synchronizes its copy of the farm Group Policy Object (GPO) with the data store, propagating the change to other servers in the farm. For example, if we make changes to five policies, the server synchronizes the farm GPO five times. In a large farm with multiple policies, this frequent synchronization can result in delayed server responses to user requests.

To ensure server performance is not impacted by needed policy changes, arrange to make these changes during off-peak usage periods.

Importing and migrating existing policies

We can use the Citrix XenApp 6 Migration Tool to migrate settings (including Citrix policies) from XenApp 5.0 farms to XenApp 6.0 farms.

The Citrix XenApp 6 Migration Tool is available for download at http://support.citrix.com/article/CTX125471.

We can migrate our Citrix policies from farm GPOs to Active Directory GPOs using a PowerShell script available at http://community.citrix.com/x/GQDPC.

Summary

In this article, we have learned about managing policies on XenApp 6. Specifically:

  • Understanding Citrix policies
  • Using the Group Policy Management Console, Citrix Delivery Services Console, and Local Group Policy Editor to manage Citrix policies
  • Creating, managing, applying, and troubleshooting Citrix policies



About the Author


Guillermo Musumeci

Guillermo Musumeci is a Windows Infrastructure Architect specialized in Citrix and virtualization with 16 years of experience. He has a passion for designing, building, deploying, and supporting enterprise architectures using Citrix, Microsoft, and VMware products.

He worked as Project Manager and Senior Consultant in medium to large Citrix and virtualization projects in America, Europe, and recently he relocated to Asia, where he lives with his wife and two children.

Guillermo is also the founder and developer of the popular site CtxAdmTools, which provides free tools to manage Citrix environments, Active Directory, and more.

He holds more than 25 Citrix, Microsoft, and VMware certifications.
