|Read more about this book|
(For more resources related to this subject, see here.)
Understanding Citrix policies
In the Active Directory, a Group Policy contains two categories (also called nodes): Computer Configuration and User Configuration settings.
- The Computer Configuration node contains policy settings applied to computers (the XenApp servers, when we use GPOs to manage servers)
- The User Configuration node contains settings applied to users accessing the machine, the XenApp server in our case, regardless of where they log on
Citrix policies also have the same categories: computer and user.
- Computer policy settings in Citrix are applied to XenApp servers. These policies are applied when the server is rebooted.
- User policy settings are used for the duration of the session and are applied to user sessions. Policy settings changes can also take effect when XenApp re-evaluates policies every 90 minutes.
Citrix policies are the preferred way to manage session settings or user access and the most effective method of controlling connection, security, and bandwidth settings on XenApp farms.
We can create and assign Citrix policies to users, groups, machines, or connection types and each policy can contain one or several settings. Using policies allows us to turn on/off settings like:
- ICA session settings, like Auto Client Reconnect, Keep Alive, Session Reliability, or Multimedia configuration
- Licensing configuration, like license server hostname or port
- Mapping of local drives, printers, and ports
- Server settings, like Connections Settings, Reboot Behavior, Memory/CPU Management
- Shadowing options and permissions
Working with Citrix policies
A policy is basically a collection of settings or rules. Citrix policies include the user, server, and environment settings that will affect XenApp sessions when the policy is enforced. Policy settings can be enabled, disabled, or not configured.
For some policy settings, we can enter a value or we can choose a value from a list when we add the setting to a policy.
To enable or permit a policy setting, we set it to Enabled or Allowed; to turn off or disallow a policy setting, we use Disabled or Prohibited.
Also, we can limit configuration of the setting by selecting Use default value. Selecting this option disables configuration of the setting and allows only the setting's default value to be used when the policy is enforced.
If we create more than one policy in our environment, we need to prioritize the policies. The best way to track applied settings is to run a Resultant Set of Policy logging report from the Group Policy Management Console or to use the Citrix Policy Modeling Wizard.
These reports will show all Citrix settings configured via a policy, and which Group Policy Object, including the farm GPO, has actually won the merging calculation. We are going to talk about this in detail later.
Usually, Citrix policies will override the same or similar settings applied to the farm, to specific XenApp servers, or on the client machine. The exceptions are the highest encryption setting and the most restrictive shadowing setting, which always override other rules or settings.
Best practices for creating Citrix policies
The following is a list of recommendations when configuring policy settings:
- Reduce the number of policies: Avoid creating multiple policies for different groups of users. Create one policy and apply filters to it.
- Disable unused policies: Unused policies waste processing resources. If we are using Active Directory Group Policies, we can disable the unused part of the policy (Computer or User part).
- Assign policies to groups: If we assign policies to groups rather than a user, management is easy and can reduce processing time.
- Remote Desktop Session Host Configuration settings are similar to Citrix policy settings in a few ways. We need to avoid using Remote Desktop Session Host Configuration to reduce overlapping of settings.
We can use Remote Desktop Session Host Configuration (formerly known as Terminal Services Configuration on Windows Server 2003) to configure settings for new connections, modify the settings of existing connections, and delete connections. We can configure settings on a per connection basis or for the server as a whole.
Guidelines for working with policies
The process for configuring policies is as follows:
- Create and give a name to the policy: We need to create and provide a name for the new policy.
- Configure policy settings: We need to choose if we are going to create a User Configuration or Computer Configuration policy and then set the policies.
- Apply the policy to connections using filters: Using filters we can choose to apply the policy to a specific group of users or computers.
- Prioritize the policy: In the final (and optional) step, we will assign priority so that policies will override or take precedence over other policies.
Working with management consoles
In previous versions of Citrix XenApp, Citrix Presentation Server, and Citrix MetaFrame, policies were stored in the IMA data store and we managed Citrix policies from the Citrix Management Console.
Starting with XenApp 6, policies are stored in Active Directory and we can manage Citrix policies through the Group Policy Management Console or Local Group Policy Editor in Windows, or through the Delivery Services Console on XenApp servers. Choosing the right console depends on our network environment and permissions.
Using the Group Policy Management Console
The Group Policy Management Console allows us to view or create Active Directory policies. It also enables us to view the resulting policies applied to users or computers, which is very useful for troubleshooting (more about this is discussed later).
If our network environment is based on the Active Directory and we have the appropriate permissions to manage Group Policies (GPO), using the Group Policy Management Console to create policies for our farm is the preferred option.
The main reason to use the Group Policy Management Console over the Citrix Delivery Service Console is because Active Directory GPOs take precedence over the farm GPO (also known as IMA GPO).
Using the Delivery Services Console
The Citrix Delivery Services Console, formerly known as the Citrix Access Management Console, is a tool that integrates into the Microsoft Management Console (MMC) and enables us to execute management tasks, including creating and viewing Citrix Policies.
If we don't have permissions to manage the Active Directory of our company or if our environment doesn't use the Active Directory, we need to use the Citrix Delivery Services Console to create policies for our farm. Policies are stored in a farm GPO in the Citrix data store.
In the Citrix Delivery Services Console, we can view the policies configuration by clicking on the Policies node, then select either the Computer or User tabs in the middle pane.
When we click on one of these two tabs, three more tabs will be displayed:
- Summary: Shows the settings and filters configured for the selected policy
- Settings: Shows available and configured settings by category for the selected policy
- Filters: Shows the available and configured filters applied to the selected policy
Using the Local Group Policy Editor
If we don't want to use the Citrix Delivery Services Console, we don't have permissions to modify or create a GPO in the Active Directory, or we don't have an Active Directory domain (a NetWare network or workgroup, for example), we have another option. We can create a local GPO using the Local Group Policy Editor.
If we type GPEDIT.MSC, from Start | Run, the Local Group Policy Editor will open. We can modify the local policy of a single server, so it is useful to create or edit a policy in one or maybe a couple of servers, for example, silos or test servers, but it is not useful for medium to large farms. The Local Group Policy will affect everyone who logs onto this machine—including users accessing via Citrix and administrators.
We can access policies and their settings in the Local Group Policy Editor, by clicking the Citrix Policies node under User Configuration or the Computer Configuration in the tree pane, located on the left.
Active Directory Group policies take precedence over farm GPO; and farm GPO takes precedence over Local Group policies.
Creating Citrix policies
William Empire from Brick Unit Construction is planning to use Citrix policies to manage the XenApp farm (Refer to Designing a XenApp 6 Farm). He needs to decide which group of users, servers, or machines he wants to affect, before he creates the policy.
Because Brick Unit Construction network infrastructure uses Active Directory, he can use existing Active Directory OU structure to create the Citrix policies.
Commonly, policies are based on geographic location (HQ, remote sites, and so on), connection type (local or remote users), user role (IT, financial, and so on), and client machines (laptops, thin clients, and so on).
Creating a policy using consoles
From the Citrix Delivery Services Console, he selects the Policies node on the left pane and then selects the Computer or User tab and clicks New. These policies are stored on the IMA datastore.
William also can use the Local Group Policy Editor to create or modify local policies. He needs to select the Computer Configuration or User Configuration node, then Citrix Policies. He clicks the New option to add a new policy. As we mentioned before, the policy is stored in local machine policy and can be used to add specific policies to a few servers.
The last and preferred console is the Group Policy Management Console. William needs to select the container for the policy, Group Policy Objects, in this case. He right-clicks over the container and selects New. Finally, he gives the new GPO a name and clicks the OK button.
Starting in this step, the following process is common to all consoles.
After he gives the policy a name, he needs to select the Computer Configuration or User Configuration node, and then under Policies, clicks Citrix Policies. Next, he clicks New to add a new policy.
After the New Policy wizard appears, William adds a Name and Description, and clicks the Next button. In this example, he is going to create a policy to manage multimedia policies.
He needs to choose the policy settings he wants to setup. In this case, he will enable the HDX MediaStream Multimedia Acceleration using the Add button.
He chooses the Allowed option to enable HDX MediaStream Multimedia Acceleration.
Then he needs to choose the filters he wants to apply to the policy. Here, he applies the multimedia policy to the Training Devices worker group, so all users of the XenApp servers in the training room (members of the Training Devices worker group) will get improved multimedia performance.
In the final step, William selects the Enable this policy checkbox to leave the policy enabled; enabling the policy allows it to be applied immediately to users logging on to the farm. Also, he can clear the Enable this policy checkbox to disable the policy; disabling the policy prevents it from being applied.
XenApp installs the Citrix Group policy engine, when the Citrix Delivery Services console is installed (on a XenApp 6 server or standalone machine). The Citrix group engine provides integration between Active Directory group policies and Citrix policies.
Applying policies to sessions
When William creates a policy, its settings are applied to sessions. By default, if no filter is added, the policy is applied to all sessions.
He can use filters to apply a policy to a target group (users, groups, or computers, for example).
When a user logs in to the farm, XenApp recognizes the policies that match the filters for the connection and applies them based on the priority ranking of the policy.
Some filters depend on whether we are applying a Computer or a User policy. The following list shows the available filters:
- Access control: The policy is applied based on a connection made through Citrix Secure Gateway. This filter applies only to User policies.
- Client IP address: The policy is applied based on the client's IP address (IPv4 or IPv6 address) used to connect to the XenApp farm. This filter applies only to User policies.
- Client name: The policy is applied based on the name of the client machine used to connect to the XenApp farm. This filter applies only to User policies.
- User: The policy is applied based on the user or group membership of the user. This policy can apply to local or Active Directory users. This filter applies only to User policies.
- Worker group: The policy is applied based on the worker group membership of the XenApp server hosting the session. This filter applies to either User policies or Computer policies.
Disabled policy settings take precedence over a lower-ranked setting that is enabled and policy settings that are not configured are ignored.
By default, XenApp provides Unfiltered policies for Computer and User policy settings. The settings added to this policy apply to all connections.
William will use the Group Policy Management Console to manage Citrix policies, so the settings he adds to the Unfiltered policy are applied to all farm servers and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy.
If he uses the Citrix Delivery Services Console to manage Citrix policies, the settings he adds to the Unfiltered policy are applied to all servers and connections in the farm.
Now we are going to help William apply policies. He creates a test policy which he will apply to his account so that he can test it. From the policy wizard, he needs to select the User filter and click the Add button.
From the New User Filter dialog box, he selects his account and clicks the Add button.
Now, he can see all filters applied to the policy.
The policy is applied the next time William logs on to the XenApp farm.
Using multiple policies
We can use multiple policies to provide access to users based on their job functions, geographic locations, or connection types.
For example, William can create a policy that prevents remote users from mapping printers and local hard drives.
However, there is a group of project managers at Brick Unit Construction who are working from home and need access to their local drives and printers. So, William can create another policy and assign it to this group. Then he needs to prioritize the two policies to control which one takes precedence.
After William creates both policies, he needs to change the priority of policies.
From the console tree, he chooses to view Citrix Computer Policies or Citrix User Policies.
He created two policies: One called "Block Mapping Local Disks and Printers" is applied to all remote users. The second one, called "Enable Mapping Local Disks and Printers Project Manager", is applied to the project manager group.
From the middle pane, he selects the policy he wants to prioritize.
He needs to click on the Increase Priority or Decrease Priority buttons until the policy has the preferred rank. He needs to give more priority to the project manager policy.
In general, policies override similar settings configured for the entire XenApp farm, for specific servers, or on the client machine. The exception is security. The highest encryption setting in our environment, including the operating system, and the most restrictive shadowing setting always override other settings and policies.
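The merge rules described so far (Active Directory GPOs over the farm GPO over local policies, priority rank within a source, filters deciding which policies apply, and unconfigured settings being ignored) can be modelled in a few lines. This is an added example, not Citrix code or part of the original article; the setting names, the "Remote Users" and "Project Managers" group names, and the rule that every filter on a policy must match are assumptions of the model.

```python
from dataclasses import dataclass, field

# Source precedence from the article: Active Directory GPO > farm GPO > local GPO.
SOURCE_RANK = {"ad": 0, "farm": 1, "local": 2}

@dataclass
class Policy:
    name: str
    source: str        # "ad", "farm" or "local"
    priority: int      # 1 is the highest rank within its source
    settings: dict     # setting -> "Allowed"/"Prohibited"; a missing key = not configured
    filters: dict = field(default_factory=dict)  # empty dict = unfiltered policy
    enabled: bool = True                         # the "Enable this policy" checkbox

def matches(policy, session):
    """Model assumption: every filter on the policy must match the session."""
    f = policy.filters
    if "user_group" in f and f["user_group"] not in session["groups"]:
        return False
    if "worker_group" in f and f["worker_group"] != session["worker_group"]:
        return False
    return True

def resultant_set(policies, session):
    """Return {setting: (value, winning policy name)} for one session."""
    applicable = [p for p in policies if p.enabled and matches(p, session)]
    # Highest precedence first: source, then priority rank inside that source.
    applicable.sort(key=lambda p: (SOURCE_RANK[p.source], p.priority))
    result = {}
    for p in applicable:
        for setting, value in p.settings.items():
            # First writer wins, so a higher-ranked "Prohibited" beats a
            # lower-ranked "Allowed"; unconfigured settings never appear.
            result.setdefault(setting, (value, p.name))
    return result

# Constructed sample data: William's two policies plus a farm-level Unfiltered policy.
BLOCK = "Block Mapping Local Disks and Printers"
ENABLE_PM = "Enable Mapping Local Disks and Printers Project Manager"
POLICIES = [
    Policy(BLOCK, "ad", 2,
           {"drive_mapping": "Prohibited", "printer_mapping": "Prohibited"},
           {"user_group": "Remote Users"}),
    Policy(ENABLE_PM, "ad", 1,
           {"drive_mapping": "Allowed", "printer_mapping": "Allowed"},
           {"user_group": "Project Managers"}),
    Policy("Unfiltered", "farm", 1,
           {"drive_mapping": "Allowed", "multimedia_acceleration": "Allowed"}),
]
PROJECT_MANAGER = {"groups": {"Remote Users", "Project Managers"}, "worker_group": "Office"}
REMOTE_USER = {"groups": {"Remote Users"}, "worker_group": "Office"}

if __name__ == "__main__":
    for label, session in (("project manager", PROJECT_MANAGER), ("remote user", REMOTE_USER)):
        print(label)
        for setting, (value, winner) in sorted(resultant_set(POLICIES, session).items()):
            print(f"  {setting}: {value}  (from {winner})")
```

Swapping the two priority values makes the blocking policy win for project managers as well, which is the misconfiguration the prioritization step is meant to prevent.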
Occasionally, a connection does not respond as expected because multiple policies are applied to the session. If a higher priority policy also applies to a session, it can override the settings we configured in the original policy. As we saw before, we can determine how the final policy settings are merged for a connection by calculating the Resultant Set of Policy.
We can calculate the Resultant Set of Policy in the following ways:
- We can use the Citrix Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be applied.
- We can use Group Policy Results to produce a report describing the Citrix policies in effect for a given user and server.
- We can launch both tools from the Group Policy Management Console in Windows. If our XenApp environment doesn't use the Active Directory, we can launch the Citrix Group Policy Modeling Wizard from the Actions pane of the Citrix Delivery Services Console.
Using the Citrix Policy Modeling Wizard
The Citrix Group Policy Modeling Wizard generates a report of Citrix policies applied to a particular environment such as domain controller, users, Citrix policy filter evidence values, and simulated environment settings such as slow network connection.
Results of the wizard will be based on the user account we use and where we run it.
If we are logged on to the server with a domain account and our environment includes Active Directory, the wizard result will include Active Directory GPOs. If we run the wizard from the Citrix Delivery Services Console, the farm GPO is included in the result too. However, if we are logged on to the server as a local user account and run the wizard from the Citrix Delivery Services Console, the wizard calculates the Resultant Set of Policy using only the farm GPO.
Simulate connection scenarios with Citrix policies
Depending on our XenApp environment, we can use the Citrix Group Policy Modeling Wizard from the Citrix Delivery Services Console or the Microsoft Group Policy Management Console.
From the Citrix Delivery Services Console, we need to click the Policies node in the console tree and then click on Run the modeling wizard from the Actions pane.
Now we are going to help William run the Citrix Group Policy Modeling Wizard from the Group Policy Management Console. He needs to right-click the Citrix Group Policy Modeling node in the console tree and then select Citrix Group Policy Modeling Wizard.
The wizard starts with the welcome page. He then clicks on the Next button. He follows the wizard and selects the domain controller, users, computers, environment settings, and Citrix filter criteria he wants to use in the simulation.
He selects his user and selects the computer container.
In the Advanced Simulation Options page, he keeps the default options.
In the Alternate Active Directory Paths page, he selects OU for the User location.
In the Filter Evidence Selections page, he enters the Client IP address.
In the Summary of Selections page, William clicks on the Run button.
When he clicks on the Close button, the wizard produces a report of the modeling results. In the Citrix Delivery Services Console, the report appears as a node in the console tree, underneath the Policies node. The Modeling Results tab in the middle pane displays the report, grouping effective Citrix policy settings under the User Configuration and Computer Configuration headings.
Citrix settings precedence over Windows settings
In a XenApp environment, Citrix settings override the same settings configured in an Active Directory policy or using Remote Desktop Session Host Configuration. This applies to settings that are related to Remote Desktop Protocol (RDP) client connection settings such as desktop wallpaper, menu animation, and so on.
Exceptions to this rule are the settings for encryption and shadowing, where the most restrictive setting configured in Remote Desktop Session Host Configuration, Active Directory settings, application configuration, or Citrix settings applies.
Searching policies and settings
From the Citrix Delivery Services Console, we can search the policies and their settings and filters. Now we are going to help William Empire from Brick Unit Construction to search policies.
All searches find items by name as he types the policy name. He can perform searches from the following places:
- For searching policies, he can use the search box over the list of Citrix policies:
- William can use the search tool on the Settings tab to search policy settings. He types license and all policies matching the word license are displayed.
- For searching filters, he can use the search tool on the Filters tab.
When managing policies through the Delivery Services Console, we need to avoid making frequent changes. It can adversely impact server performance. When we modify a policy, the XenApp server synchronizes its copy of the farm Group Policy Object (GPO) with the data store, propagating the change to other servers in the farm. For example, if we make changes to five policies, the server synchronizes the farm GPO five times. In a large farm with multiple policies, this frequent synchronization can result in delayed server responses to user requests.
To ensure server performance is not impacted by needed policy changes, arrange to make these changes during off-peak usage periods.
Importing and migrating existing policies
We can use the Citrix XenApp 6 Migration Tool to migrate settings (including Citrix policies) from XenApp 5.0 farms to XenApp 6.0 farms.
The Citrix XenApp 6 Migration Tool is available for download at http://support.citrix.com/article/CTX125471.
We can migrate our Citrix policies from farm GPOs to Active Directory GPOs using a PowerShell script available at http://community.citrix.com/x/GQDPC.
In this article, we have learned about managing policies on XenApp 6. Specifically:
- Understanding Citrix policies
- Using the Group Policy Management Console, Citrix Delivery Services Console, and Local Group Policy Editor to manage Citrix policies
- Creating, managing, applying, and troubleshooting Citrix policies